Kentico claim based authentication with windows authenticaion - authentication

I am developing kentico application and i need to used windows authentication or claim based authentication depend on the user. If the user is Active directory user user should be able to login using username and password. If the user is not a Active directory user, user redirect to third party site for claim based authentication.
I wonder it is possible to implement this requirement with Kentico 9 CMS. If possible what is the best approach ?

Based on Kentico documentation claims based authentication with AD would work out of the box with just proper settings.
You can start on the following page and links over there should connect you t configuration as well:
https://docs.kentico.com/display/K9/Claims-based+authentication

Aproach Michal suggested would work for third party authentication.
Here is how you can implement AD authentication (quite easy): https://docs.kentico.com/display/K9/Configuring+mixed-mode+authentication
Unfortunately I'm not sure you can mix them together.
Authentication.Execute custom event handler might be a right place to inject your custom implementation for it.

Related

MVC authorize not authenticate using AD

I have scoured this and many other sites to find an answer but have come up short every single time. If this is a duplicate, I am very happy to accept direction to the original question with an answer:
I have built an MVC 4 site and I am using the Authorize tag where needed and this is working as expected.
My issue is that I require a mechanism by which to prompt the user (already logged in or some other valid user in the domain) to enter their windows credentials on one page in order to confirm/authorize that user. This is not what the authorize filter is doing. The authorize filter is actually authenticating the user. Thus changing the User.Identity information accordingly.
Is it possible to just authorize a user (not authenticate) without actually changing the User object?
Just returning the 401 response forces the windows prompt but that, in turn, does an authentication, not an authorize.
While a solution could be achieved with a custom action that accepts username/password input, my requirement specifically calls for the native browser windows prompt to be displayed.
The site is using IIS Express and is set up for windows authentication and every aspect of this does what I need. Except for the issue of "true" authorization mentioned above. The browser has to be IE9. Currently running on Windows 10.
No. You're currently using Windows Authentication, and this is how it works. There is no need to login because the user is already logged into Windows, that's the point.
To do what you want, you would need to use an individual auth library like Identity. Which will give you the login capability. However, that doesn't work with AD out of the box, but you can add that in yourself. In otherwords, instead of using the Identity functionality to look a user up by username and password to authenticate, you'd connect to AD over LDAP, and verify the credentials there. You'd also need to use the LDAP connection to add the user's groups in AD to the their roles in Identity. Then, you can utilize the Authorize attribute as normal.
Long and short, if you want to actually allow the user to login as any AD user, then you're pretty much on your own. There's no builtin functionality for that. It's relatively straight-forward, if not entirely easy, to set something up yourself for that that, but again, that's on you.

Wix - are there any authentication and authorization apps?

I'm building a fairly simple Wix website.
I want a members app that can do the following:
Have a sign up page that sends an email to the site administrator. Once the site administrator approves they are approved and can log in.
Give users the option to sign up as either a standard or advanced access user. If they are an advanced user, then they can access different pages to the standard user.
aka. authorization and authentication
I looked at using the Wix members app, but this does not seem to include authorization.
Perhaps there is no Wix solution and I would be better off creating the site from scratch, with something like ASP.NET user account authentication?
The answer I received from the Wix team is:
"I believe the best way to achieve what you are trying to achieve is password protect all of your site pages except the home page.
You can add a contact form so users can contact you and ask for the password to access the rest of your site pages.
Then, as you mentioned, you can add a Member Login App to allow your visitors to sign up for the other restricted part of the site (authorization), and add a PayPal button so they can pay for their subscription (if needed). Then you can approve members who have paid for their subscription."
I will be using forms based auth with an MVC app instead to overcome this issue as the Wix solution I do not believe would provide a good user experience.

Adding SSO to an existing MVC application

We have an existing MVC application which is used by multiple customers.
Currently, each customer is given a URL to our application e.g. https://myapp/mycustomername.
When they go their, they are presented with a login screen.
For some customers (not all) we want to implement SSO, and authenticate their users against their active directory, so that they never see the login screen (unless the SSO authentication fails).
Most customers won't be using this functionality.
My first question is: is this do-able? Is it possible to have an MVC application which uses both SSO and forms authentication?
If so, can anyone point me to any links explaining the process?
I've seen some good information, such as this tutorial but I can't find anything that matches my scenario.
Thanks.
This is surely a do-able task.
The steps would be
Identify the tenant name from the URL
Get the Identity Setting
If forms authentication, show them the login page
If SSO enabled, redirect to their ADFS URL
When you onboard your tenant, you will have to maintain the following metadata
TenantName
AuthenticationType : {forms / ADFS}
SSO Url
SSO Federation Metadata URL
etc
We did one such implementation that supports ADFS, Social Logins with Forms Authentication too.

Single Sign-on with Sharepoint 2010 from 3rd party application without password

Overview
Our SharePoint 2010 application will be launched from a 3rd party application, let's call it HealthApp, via an embedded URL. Much of the time the user will be logged into HealthApp from a shared workstation. As a result, SharePoint will not sign in automatically using the Active Directory credentials.
Requirements
We need single sign-on.
We need to continue to use Active Directory as the STS for various reasons.
Authentication from a stand-alone browser on the user's workstation will need to work as it does now.
Authentication Info
HealthApp can pass a username and any other custom identifier information we want as URL parameters.
The username will match the users Active Directory username.
We will not have a password.
We need some way to authenticate the user based only on the username/identifier.
Possible Solutions
Is there any way to bypass the password check in Active Directory?
This would appear to be the simplest solution if possible.
Can we
extend the Active Directory provider to authenticate using a generic
user and then log into SharePoint with the username passed on the
URL?
Any other suggestions?
I would think there would have to be some way to do this but have not had much experience with claims based authentication with SharePoint.
Thanks for any insight.
Me also facing same issue for authenticating users over share point site that uses claims authentication.As per requirements my app needs to access share point data. So to authenticate
over share point server from an app we need to provide some authenticated claims with the request so that share point STS can issue an authorization ticket to access the share point site resources. after spending more than 2 days in googling i found some interested article that may help to authenticate users from client app against identity provider systems.
OAuth library
this resides between app and identity provider system. using this you get an authenticated claims that will further use to authorize over share point server with the help of Share point STS.

Liferay SSO CAS LDAP

Good evening, I must make an intranet with Liferay, the most important is to integrate a web application (or 2) already ready with the portal that I will make . These web applications are made ​​in php, so in order not to make each authentication, wanted the user to authenticate to the portal and click on the link to one of these web applications, it will not have to authenticate again for its apps. For this reason I used SSO CAS and I integrated it with Liferay, I still used an LDAP directory to be related to the CAS server to identify users.
My problem is how is the procedure for other web apps, is that users must have the same login and password for partail (Liferay) with the others two apps php? Or I can let each application with their users without the change (because in each app, the user has a login and password different from other apps), that is how the coordination between different words and LGIN passes the various apps (this is a problem of SSO, I misunderstood the principle of work I should implement it) ??
Some clarifications and assistance please??
The other webapps need to implement a so called CAS Client. The php one is here:
The php apps will typically redirect non authenticated users to CAS, and after they logged in the webapp retreive a saml token. In that token claims are found that uniquely identify the user. application then typically match the provided claim to their own userstore or apply the concept of a virtual user.
But that is up to the implementer of the webapps.