I've got two websites on iis website A and webiste B. They are running as identity UserA and UserB both local windows users.
I sent request from website A to website B. I want to authorize is request send by UserA. Can use windows authentication to do that?
I sent request from website A to website B.
Could you please tell me how you send the request from website A to B? Using hyperlink or httprequest library?
As far as I know, if you send the request from website A to website B by using httprequest library it will not auto add the user if you don't write special codes to add the username and password.
If you have enable the windows authentication in the website B, you should firstly write the codes to add the user name and password or auth token in web site A when sending request. Then you could get the user name according to the request.
If you have enabled the SSO for windows auth, you could get the username according to the current token.
About how to enable the SSO, you could refer to below article.
https://active-directory-wp.com/docs/Networking/Single_Sign_On/SSO_with_IIS_on_Windows.html
Related
I'm developing an Enterprise/Internet Application with WebAPI 2 RESTful server and SPA web client (Angular2) —So I have two separated projects created using ASP.NET 4.6 Empty template and both use OWIN and are IIS hosted.
The requirement for Authentication is:
Active Directory user which is logged in to the workstation will authenticated automatically once she opens any page from app in the browser if user id/name found in the database, with no need to enter her user/pass. Let name this as auto-login. Else if it's not found in the DB it will redirected to the login page.
Also there should be a logout option which redirects user to the login page after logging she out.
In the login page any AD user can enter her/his AD user&pass and after successful check against database (existed) and AD (valid credential) she/he will logged in to the system (Obviously it may be different than user currently is logged in to the workstation)
In addition to the web client it will have other clients such mobile apps which will connect and be served by the WebAPI back-end. Users will login there using their AD user & pass too. Let name it manual-login.
According to the REST architecture and having both AD enterprise and internet/mobile users together, the authentication should be token based —this is what I found till now but I'm not sure.
I read about OWIN Authentication architecture and Windows Authentication and I checked MixedAuth, Now I think it is the nearest solution for this requirement as it lets app-defined users to authenticate side by side of windows/AD users. But even after dig into it and its SPA sample I didn't found my way yet and confused.
Anyone can help?
What should I actually do on the WebApi server and SPA Client to accomplish those authentication requirements?
Which middlewares should I add and how should config/manipulate them?
UseCookieAuthentication ?
UseExternalSignInCookie ?
UseOAuthBearerTokens ?
Can I rely just on Bearer tokens (using OAuthBearerTokens MW) and get same token for authenticated windows users to unify authentication model based on bearer tokens? If so, how?
How and where should I put my code for checking that AD user exists in the DB and if not so reject the authentication?
Thanks a lot.
Created a web based application which needs to integrate forms authentication and SSO. Currently forms authentication will validate all the registered users.
What I need is to integrate SSO as well in to the application. ie, If the user not authenticated then redirect to identity server (Okta) configured with WS-Fed and added the application, validate and response to landing page. Please can you help on this. Please let me know if any more information is required.
Can you please explain this statement " If the user not authenticated then redirect to identity server (Okta) configured with WS-Fed and added the application"?
Please see this link https://github.com/okta/okta-music-store. Under section "Adding Single-sign on to your Music Store" you can see how C# sdk can be used to implement single sign on.
Essentially what you need is a cookieToken from Okta. Using cookieToken as one time token and a redirect url (Can be your app url) you can use /login/sessionCookieRedirect?token=&redirectUrl=. This will create active session with Okta and redirect your user to your app or redirect uri.
Cookie token is obtained via series of two calls. Authentication that gives you session token in response. Session token is exchanged for cookie token via create session call.
Basically I just want to know how does StackExchange's single signon system work?
In the SE network you need to login only once in one of the websites to be automatically logged in to the other sites upon visiting.
How should I implement such a feature in my own network of sites?
I assume it uses the cookie which resides on the user's browser and then authenticates it with the originating site. If it is legit then it logs the user in automatically.
You have to implement SAML or oauth2 to allow sso on your network.
In case of SAML your child websites will be service providers or resource servers.
While you need to setup and identity provider.
The sequence of events will be like this.
1. User hits a url of songs website, this site is resource server and does not handle authentication.
2.To authenticate resource server will construct a SAML authrequest and redirects to identity provider after signing it.
Idp verifies the signature after receiving authrequest.
3. User will be presented with a login form, user has to end login credentials.
4. After user authentication idp will generate a SAMl token and redirect back to resource server.
5. Resource server will extract identity information from SAML token, resource server will login the user with session or cookie.
Depends upon which technology you are working in i have implemented it in php using simplesamlphp.
I am trying to build a Salesforce App Integration to a SAAS product we own. (say www.ABC.com). The app would have a simple Apex page to fetch files from Salesforce Objects and upload them on ABC.com.
For this to work, I want the users on salesforce to be registered users on ABC.com. They should be able to login into ABC.com from SFDC. However, I have a few concerns
OAuth - Although SFDC has this capability, I do not want to implement an Oauth Provider service on ABC.com.
Signed Request Authentication - Since, I want SFDC users to have an account on ABC.com, this strategy may not be helpful. Please correct me if you think I am wrong.
There would be a simple login apex page on SFDC which logs them in. ABC.com is then embedded into an iframe in the next view.
Any ideas on managing the session and cookies? Do I have to store the cookies in order to have a long lived connection to ABC.com so that users do not have to login every time they use the app. Thanks!
I had the same requirement and chose to use a signed request when calling my iframe.
When receiving the signed request, I validated that the request came from Salesforce and was signed by the shared secret.
You can then use a convention of mapping between SF users and abc.com users. For example, identical email account.
If so, you log in the user in abc.com.
I have a combination Web API and MVC application that is secured using Azure ACS, Windows Identity and passive redirects. This works well. Now I am adding a mobile application using PhoneGap that makes calls to the existing application's API. I having trouble figuring out how to implement authentication on the mobile client. I've got it mostly working, but I can't get the token to client due to the Return URL setting in ACS. The scenario is:
Mobile client sends get request to API
API responds with 401 if user is unauthorized
Client redirects to ACS login page and user authenticates
Token is sent to the Return URL which is the application running on a web server
For example, if I'm running the client app on localhost:63327, the token is sent to localhost:58392 because that's what is set as the return URL in the ACS configuration.
How do I get the token to my mobile client?
I see that people did not really understood your question.
This solution might work.
In a nutshell, is to add a new protocol to get the authentication token from the server to the app client.
PG App calls a web method registering a request to Auth:
POST BeginGethAuthToken
id = pickup Guid
pswd = pickup Password
BeginGetAuthToken can be a web method in your login page.
Server associates the pickup guid with the pickup password
PG Apps start the authentication flow by opening the log-in page using the InAppBroser
mywebapp.com/AppLogin.aspx?id={pickup guid}
The pickup guid is set as a cookie for your webapp domain.
User completes the authentication using the InAppBrowser.
AppLogin.aspx on successful authentication associates the pickup guid with the authentication tokens and ask the user to close the browser to go back to the app
the PG App picks up the authentication token by providing the pickup password.
note that for security the server needs to add expiration policies of pickup guids such that only one app can use a guid at a time and restart the process in case of collisions.
You effectively need to pre-authenticate your client. See http://blog.siliconvalve.com/2013/06/25/protect-your-asp-net-web-api-using-azure-acs-service-identities/