I am developing some angular 2.x based application with Identity Server 4 (in asp.net core) as authentication server. Server setup, application authentication is done but now requirement is to support SSO to avoid login in each application.
To do so I am storing authentication token in local storage and trying to reuse in different angular 2 application but it does not work.
What is the standard way to do SSO here with Identity server 4 and any types of clients with any browser?
Thanks in advance.
You should not reuse same authentication token(access token) from both apps. You need to configure two clients(implicit flow will be suitable for this) in identity server and use those clients in your angular apps(one client for each). Both apps will redirect users to same identity server log-in page. When you signed into identity server(from any app) you do not require to sign-in again from the other app.
Related
I have an asp .net core 3.1 web application that uses the MS Identity (for users) and Entity (codefirst) framework to authenticate users stored in database.
All user rights/groups etc. are stored locally and used to allow/deny access to different areas of the application.
So what I think I need is a way to allow users in my web-app to choose to authenticate using AzureAD account, and when the authentication is done, the wep-app will sign-in the local-user somehow linked to the Azure user
Is this how to do this, or can you guide me to how to do this the correct way
To achieve the above requirements, You can use Azure AD authentication & external login in your asp.net application by implementing the code in your appsettings and controller as mentioned here .
As you wanted to implement the application ,
Consider other options before storing users of your Web applications in a local database. Instead of managing users in a local database, it's best practice to store and manage user information outside of the application, such as with Azure Active Directory or Azure Active Directory B2C. Consider Identity Server if the authentication service must run on-premises. Identity Server is a member of the.NET Foundation and is OpenID certified.
To implement from scratch you can refer this blog.
Please refer the below links for the similar discussion & Documentation to get started with :-
MICROSOFT DOCUMENTATION|Secure a hosted ASP.NET Core Blazor WebAssembly app with Identity Server
SO THREAD|Implement both Individual User Accounts and Azure AD Authentication & .NET Core Identity Server 4 Authentication VS Identity Authentication
BLOG| Integrating with External identity Providers
Most IDAM servers (Identity Server 4, Gluu, Cloud services) provide a way to host a login UI on the actually identity server. This login page can be customized so that it can be branded like your website. This works well for security flows so when you reach an authorization end-point you are redirected to your identityserver/login page.
But can you host the login page on the client application instead?
And if so:
Is this advisable?
Is this more/less secure than hosting the login UI on the Identity Server?
Would this break security flow standards like OIDC / Auth 2.0 authorization code flow?
Would this simply call an API to authenticate against? e.g. one that is hosted on the identity
server. Some appear to support this, but this seems a bit old / insecure compared to existing security flows.
Thanks.
Not really: the point of (federated) Single Sign On (SSO) is that one can use a single credential to login across different domains without divulging that credential to every domain/application.
Users use those credentials in one place against one server only to a trusted party aka. the Identity Provider. The Identity Provider then creates a derived token that is consumed by the 3rd-party application because the latter trusts the former to do so.
In case all applications belong to the same domain as the Identity Provider, the argument above no longer holds, but not using SSO would still mean that you'd have to login to each application separately, one by one.
Is it possible to integrate FIDO2 WebAuthn with Blazor Web Assembly authorization and Identity Server? I am able to use FIDO2 to log in directly to Identity, but I cannot see how to use FIDO2 with my Blazor OIDC connection logic.
Yes, I have gotten everything working well. Basically I use the ASP.NET Core Identity pages - login, Enable2FA, etc. - to manage the registration and login processes. The final step in the login process, once the FIDO2 biometric login has completed successfully, is to from within the FIDO2 controller MakeAssertion call complete the sign-on with SignInManager's SignInAsync.
Biometric login is now working well from iOS, Android, Windows Hello, and using a Yubikey security key.
So we are using IdentityServer4 for our web applications, all is good.
We have a new requirement from a client to allow them to perform SSO via their ADFS system using WsFederations, we already provide this for another one of our older web applications that is not tied into IdentityServer4 yet.
Ideally we would like to tie WsFedereration into IdentityServer4 so it is in one place.
Does anyone know if it possible to use IdentityServer4, so we redirect to IdentityServer4, identity that this particular client (possibly via an alternative URL), then IdentityServer4 authenticates against ADFS, collects the claims (probably basic, e.g. email/username/etc) , and we then supplement them with additional claims for access, and pass back to the web application.
What I'm trying to achieve ideally is to not change the existing Web Application, and to sort the plumbing at IdentityServer4, and the Web Application wouldn't know or care if this user was IdentityServer4 only or
IdentityServer4 + WsFederation. This would be useful for other clients across our applications to easily integrate in the future.
Alternatively I could deploy another version of the Web Application that authenticates directly with my clients ADFS system. However this seems a waste of server resources/maintenance for just one small client.
I had a look at the external options (where you click google on or near the IdentityServer4 Login Screen), is there a way to automatically redirect to the ADFS without event seeing the IdentityServer4 implemented Login screen.
Is this possible?
Thanks,
Jon
This was released 2017, see the example at
https://github.com/IdentityServer/IdentityServer4.WsFederation
I am developing a intranet web application using ASP.NET MVC 4 that uses Windows-Authentication. I have integrated SharpSVN to do some SVN interactions and initially I was planning to use the username and the password from Windows Authentication, to authenticate the user on SVN, but as I found out, you can't get the password of the user when using Windows Authentication.
So is there any way to achieve this? To make SharpSVN use the Windows Authentication from the ASP.NET?
Thank you.
Look into identity inpersonation this will let you run each windows authenticated user in a thread under that user account. This will mean, that your clients must use machines that belong to the same AD domain as the Web server and as the SVN server.