I have an asp .net core 3.1 web application that uses the MS Identity (for users) and Entity (codefirst) framework to authenticate users stored in database.
All user rights/groups etc. are stored locally and used to allow/deny access to different areas of the application.
So what I think I need is a way to allow users in my web-app to choose to authenticate using AzureAD account, and when the authentication is done, the wep-app will sign-in the local-user somehow linked to the Azure user
Is this how to do this, or can you guide me to how to do this the correct way
To achieve the above requirements, You can use Azure AD authentication & external login in your asp.net application by implementing the code in your appsettings and controller as mentioned here .
As you wanted to implement the application ,
Consider other options before storing users of your Web applications in a local database. Instead of managing users in a local database, it's best practice to store and manage user information outside of the application, such as with Azure Active Directory or Azure Active Directory B2C. Consider Identity Server if the authentication service must run on-premises. Identity Server is a member of the.NET Foundation and is OpenID certified.
To implement from scratch you can refer this blog.
Please refer the below links for the similar discussion & Documentation to get started with :-
MICROSOFT DOCUMENTATION|Secure a hosted ASP.NET Core Blazor WebAssembly app with Identity Server
SO THREAD|Implement both Individual User Accounts and Azure AD Authentication & .NET Core Identity Server 4 Authentication VS Identity Authentication
BLOG| Integrating with External identity Providers
Related
I have a webforms app running on .net 4.7.2, currently being hosted on Azure as a SaaS. It is a single software for multiple clients, each one with its own database.
Currently the user authentication is manually handled by us, but we are trying to implement a multi tenant strategy, using the AzureAD and OWIN tools.
The app service has an Identity Provider configured, from a test AAD. We can login with the provided credentials, but I can only configure a single microsoft identity provider.
I'm not sure where to go from here... After hours reading the multiple docs from microsoft, i'm still stuck.
By default, web app/API registrations in Azure AD are single tenant. You can make your registration multi-tenant by finding the Supported account types switch on the Authentication pane of your application registration in the Azure portal and setting it to Accounts in any organizational directory. So that people from other azure ad tenants will login.
multi-tenant SaaS web application sample
If in case if you want to use other identity providers, You can federate with IdPs that use the SAML protocol. SAML/WS-Fed IdP federation allows external users to redeem invitations from you by signing into your apps with their existing social or enterprise accounts. Federation with SAML/WS-Fed identity providers
And we have azure ADB2C, Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.
Reference Docs:
Sign in any Azure Active Directory user using the multi-tenant application pattern
Azure Active Directory B2C
I'm working on a blazor web assembly, core hosted project.
The users must have a local account to use the website. For that I use default blazor authentication provider with IdentityServer.
I have a calendar page, where users can add and watch some events.
I would like to offer them the possibility to log in their google or microsoft account in order to see their personnal events in the same place.
But the google or microsoft authentication can't replace the local authentication. It must be a secondary option.
I can't find out how to manage this. All exemples I see use the RemoteAuthenticatorView.
You need to add external provider authentication to your server project by following steps described in Facebook, Google, and external provider authentication in ASP.NET Core
I have a ASP.NET CORE 3.1 application with an authentication module connected to an Azure Active Directory Tenant, and in want to add a second authentication against a B2C Tenant.
Do you think it is possible to have two way for connect a user in the application ?
I have a question regarding authentication in my web-app using Blazor WebAssembly ASP.NET Core hosted. The database used is Azure SQL.
I want to avoid storing passwords in the database and the users are therefore restricted to having a Microsoft-account (relevant to the project).
As of now, the user logs in with Azure AD as the third-party authentication provider. When redirected back to the web-app, a user is created with a claim which only consists of the Email from Azure. The user is directed to a registration page where the Email-input is set to the current user-claim email. When the user clicks the register button, the information provided is now stored in the database.
The problem is that I now have a user in the db, but the claim is still just the Email. I want to be able to use the AuthorizeView role tag on the different pages, and therefore wondered if its possible to update the claim with a role that the user specified in the registration-page? This data is at this point only stored in the database.
If this is a bad practice, is there any other similar way I could make this work?
To use the AuthorizeView role, roles claims should be return by your Identity provider (Azure AD in your case). Your application should ask those claims by asking the corresponding scope.
According to the doc : Permissions and consent in the Microsoft identity platform endpoint, the profile scope should return roles claims.
The doc Secure an ASP.NET Core Blazor WebAssembly standalone app with Azure Active Directory explains how to request scopes from Azure AD
I am new to windows azure development.
I am developing an application for hosting online tests.
This application needs to have multiple authentication options like Windows live ID, Facebook etc.
It also needs to have default form based authentication fed by the database in back end (simple User name and Password match).
Based on the authentication mechanism different permissions will be available to the user.
Can anyone please suggest how i should proceed on this?
Thanks
Do you really need forms authentication, or do you just need an application specific store where people can use a credential specific to your app?
I'd suggest researching Windows Azure Active Directory and Windows Azure Access Control Services together. You may create either an AD tenant for your application store and use it as an Identity Provider for ACS or you could host your own Secure Token Service and Identity Provider which uses your backend database as the user store also registered with ACS. This means that all of your authentication goes through the same process and allows for you to have your own user store, plus the social Identity Provider capability.
The key here is that you want try to avoid having forms authentication AND Social, but rather a mechanism where multiple Identity Providers can be used, including one of your own.
As Gaurav stated there are a ton of resources out there for this:
Understand the difference between WAAD and ACS.
Provisioning an Azure AD Tenant as a Identity Provider in ACS
Windows Azure Identity
There are also many blogs and MSDN documents talking about how to set these up.
If you start with the default "ASP.net MVC4 Web Application" template in Visual Studio you get a web application mini-sample with an AccountController that supports local and 'social' accounts out of the box. See documentation here. It is based on DotNetOpenAuth (a fantastic lib with terrible documentation) and a Microsoft implementation of an special MembershipProvider which lives in WebMatrix.WebData.
Regarding the Azure Access Control Service 2.0: I have no idea what the status of this service is but it looks to me as if MS itself tries to discourage developers form using this service since it was to deeply hidden somewhere under Windows Azure Active Directory in the documentation.