I'm designing a Single Page Application in React + .NET Core and now I'm facing with the concept of visibility related to the application profiles (for example Admin will see all data, Team Leader will see all the data related to his team and so on...).
My solution involves Row Level Security in Azure SQL Server using Azure Active Directory authentication (a AD group containing all the application users), however in this way a smart user can directly connect to the database doing what he prefers (because using this type of connection I must provide Read/Write permissions to the group). I want to avoid this!
So, there is a way to avoid direct connection to the database and limit AAD authentication only through web app? Or I must choose a different approach (using SESSION_CONTEXT for example)?
You can configure firewall rules of the Azure SQL to allow only the single page application (web app) to connect.
The steps are mentioned in the below stack overflow post:
Configure Azure SQL Database Firewall for just my Web App
Related
Import Bulk users from Azure Active Directory to SQL database using ASP.NET MVC.
If a new user added means, it should reflect in SQL database also.
You can use SCIM, an open standard for this scenario. This is taken from the microsoft docs that describes using SCIM with Azure AD
As an application developer, you can use the System for Cross-Domain Identity Management (SCIM) user management API to enable automatic provisioning of users and groups between your application and Azure AD. This article describes how to build a SCIM endpoint and integrate with the Azure AD provisioning service. The SCIM specification provides a common user schema for provisioning. When used in conjunction with federation standards like SAML or OpenID Connect, SCIM gives administrators an end-to-end, standards-based solution for access management.
(source)
Basically you have to implement some well defined endpoints in your MVC app and Azure AD will take care of the syncing (it will call those endpoints).In your implementation you can access your database to store the user data.
Here is a reference implementation using an in memory datastore.
Given there is a requirement from a 3rd party application where LDAP integration is required for authentication, authorization and assignment of users/roles with lookup to directory services or user repository...
When the application environment is Microsoft Server 2012 with WAS to support the application and the server can only access security principals through a web service...
Is there a way to provide LDAP or AD LDS to integrate with the web service or even to sync the local repository with the system of record?
This will probably provide many routes for discussion, but let's assume the application for now can only best subscribe to a LDAP instance for this and AD is not being provided directly to the environment where the application exists AND AD isn't even the system of record - that is exposed from a web service.
This is fundamentally the definition of a meta directory or Virtual directory.
That is, rather than directly contact the directory service for usage, instead there is an abstraction layer, often caching, perhaps uniting data (on the fly per request, or in advance as changes occur).
There are any number of vendors that provide such services in products.
I am new to windows azure development.
I am developing an application for hosting online tests.
This application needs to have multiple authentication options like Windows live ID, Facebook etc.
It also needs to have default form based authentication fed by the database in back end (simple User name and Password match).
Based on the authentication mechanism different permissions will be available to the user.
Can anyone please suggest how i should proceed on this?
Thanks
Do you really need forms authentication, or do you just need an application specific store where people can use a credential specific to your app?
I'd suggest researching Windows Azure Active Directory and Windows Azure Access Control Services together. You may create either an AD tenant for your application store and use it as an Identity Provider for ACS or you could host your own Secure Token Service and Identity Provider which uses your backend database as the user store also registered with ACS. This means that all of your authentication goes through the same process and allows for you to have your own user store, plus the social Identity Provider capability.
The key here is that you want try to avoid having forms authentication AND Social, but rather a mechanism where multiple Identity Providers can be used, including one of your own.
As Gaurav stated there are a ton of resources out there for this:
Understand the difference between WAAD and ACS.
Provisioning an Azure AD Tenant as a Identity Provider in ACS
Windows Azure Identity
There are also many blogs and MSDN documents talking about how to set these up.
If you start with the default "ASP.net MVC4 Web Application" template in Visual Studio you get a web application mini-sample with an AccountController that supports local and 'social' accounts out of the box. See documentation here. It is based on DotNetOpenAuth (a fantastic lib with terrible documentation) and a Microsoft implementation of an special MembershipProvider which lives in WebMatrix.WebData.
Regarding the Azure Access Control Service 2.0: I have no idea what the status of this service is but it looks to me as if MS itself tries to discourage developers form using this service since it was to deeply hidden somewhere under Windows Azure Active Directory in the documentation.
I am writing a desktop WPF application that uses SQL CE as its data store and syncs to a remote SQL Server database via a web service. The desktop application provides the same functionality as an ASP.NET web application I wrote but, provides the functionality for the user when no connectivity is available.
The SQL Server database also provides membership functionality for the Web version of the application.
My question is this...how can I provide the user login functionality for the WPF application when it is in "disconnected" mode? I want the user to have the same login functionality that they would have if they were logging in through the web application. I know how to sync the necesarry aspnet_Membership tables (users, roles, etc) but, how do I create the membership provider for WPF? I haven't been able to find examples.
(The WPF app won't need to create or delete users but, edit functionality would be nice...It is essential that application allows the user login and have their password checked against the one synced from the main database so, I am not sure how that encryption/decryption would work).
Thanks for whatever advice you can give
Membership was built as an ASP.NET feature. The risk I see with a local Membership approach is now those tables with passwords are on the local machine and open to being hacked. The user has to logon at the local machine so the Windows principal is validated. You might be better off mapping the Windows logon to roles and groups to provide Membership type features without MembershipService. You can iterate through the users, roles, and groups in .NET but it is slow. It is not very hard to decipher the Membership SQL tables directly and build a query to get that information and it is much faster. You can even map your MembershipProvider to the domain at IIS but then you cannot use TSQL to get the users, roles, and groups.
We are planning on utilising kerberos in our architecture. I would like to know what perceived or actual advantages this technology has, and if there are any alternatives.
Note that we have a .net client side and java server side. communication will be via messaging bus and SOA
If you are working within a mostly Windows environment (i.e. Windows Server 2k3, a domain controller, Active Directory, etc.) one in particular is that you can use impersonation through .NET with a split web server and database server. Using the older NTLM method, you cannot do a "double-hop".
Let's look at an example:
You have a web server (WEB1)
You have a database server on a separate machine (DB1)
You have a user access your website (USER1)
USER1 hits a page that displays a list of orders. Your WEB1 server has to query DB1 for this info to display on the page. You want to constrain what orders are seen based on the user's credentials and access rights. Thus, you set up active directory groups and assign users accordingly. On your database you give the different groups different security (GROUP1 might have select only and GROUP2 might get select, insert, and update, for example).
NTLM doesn't support the double-hop necessary to do this. WEB1 has to send USER1's credentials to DB1 (otherwise WEB1 must log into DB1 with a known dedicated user id and password hardcoded into the web.config for example that usually has to have full access to support all possible user roles). You can imagine this could be a security hazard should WEB1 be compromised, so you can't do it, otherwise anyone who gains control of WEB1 (via sql injection perhaps) could do anything the dedicated user account could or impersonate whomever they want. Kerberos, through delegation on Windows Server, supports doing this second hop by keeping the encrypted credential key from your domain server intact and passed along, as well as verified that this is allowed (on both ends, see below for setting this up on your servers because it MUST be EXPLICITLY allowed).
It's very useful to do this when developing intranet web apps that have a database back-end (which is 99% of the time the case, right?) and you want to control authorization and authentication through Windows Integrated Security. Kerberos is really your only choice unless your web server and database server are on the same machine, which means there is no transferring of credentials and no impersonation necessary.
See also:
MSDN - How To: Use Impersonation and Delegation in ASP.NET 2.0
Microsoft Help & Support - How to configure an ASP.NET application for a delegation scenario
MSDN Magazine - Security Briefs: Credentials and Delegation