ADFS as OAuth2 provider / Authentication server possible?

We want to set up ADFS 3.0 to enable OAuth2-based authentication. I have read lots of documentation, but am still unclear whether this is supported.
Can ADFS be used as an authorization server for OAuth, or is OAuth2 support in ADFS only meant to work as a client to another authorization server?
Any help with setting up ADFS as an OAuth provider/server is appreciated.

In ADFS 2012 R2 (aka ADFS 3.0), we only support the authorization grant flow. The only scenario is for public clients (say, a mobile app on iOS/Android/Windows) to access a RESTful service, authorizing via JWT tokens. You can see this at https://msdn.microsoft.com/en-us/library/dn633593.aspx
With ADFS 2016 (which will release imminently), you have full OAuth/OIDC support. With this you can build web apps, single-page apps, APIs, multi-tiered app systems that require on-behalf-of support, and confidential clients (with support for Windows service accounts acting as confidential clients). You can check this out at https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/ad-fs-development
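The public-client authorization code flow the answer above describes, shown as an added example (not code from the thread or from Microsoft). It assumes the ADFS 2012 R2 endpoints /adfs/oauth2/authorize and /adfs/oauth2/token, and uses constructed placeholders for the federation service host, client id, redirect URI and the relying-party identifier passed as `resource`.

```python
"""ADFS 2012 R2 (ADFS 3.0) authorization code flow for a public client.

Added example. ADFS 2012 R2 requires the 'resource' parameter: it names the
relying party (the REST service) the JWT access token is issued for, and it
becomes that token's audience. All host names and identifiers are constructed.
"""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

ADFS_HOST = "adfs.example.com"                       # placeholder federation service FQDN
CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # constructed: id registered with Add-AdfsClient
REDIRECT_URI = "myapp://oauth/callback"              # constructed: redirect URI registered for the client
RESOURCE = "https://api.example.com/"                # constructed: relying-party identifier of the REST API


def build_authorize_url(state: str) -> str:
    """Step 1: the URL the public client opens in a browser. 'state' is a fresh random
    value the client remembers so it can reject codes it did not ask for."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "resource": RESOURCE,   # mandatory in ADFS 2012 R2; selects the token audience
        "state": state,
    }
    return f"https://{ADFS_HOST}/adfs/oauth2/authorize?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: pull the authorization code out of the redirect back to the client.
    A state mismatch or an error response aborts the flow instead of using the code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization code")
    return query["code"][0]


def build_token_request(code: str):
    """Step 3: endpoint and form body for the token POST. A public client has no
    client_secret; ADFS answers with a JSON body whose access_token is a JWT for RESOURCE."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
    }
    return f"https://{ADFS_HOST}/adfs/oauth2/token", body


if __name__ == "__main__":
    print(build_authorize_url(secrets.token_urlsafe(16)))
```

The REST service receiving the access token still has to verify the JWT signature against the ADFS token-signing certificate and check its audience against its own relying-party identifier; that server-side step is not part of this client-side example.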

Related

Is it possible not to use Azure ACS authorization server for Sharepoint 2013 apps?

I am new to dealing with SharePoint Server and other Office services. Sorry if my question doesn't make sense. My question is:
Can I use authorization servers other than Azure ACS as an access token issuer for SharePoint 2013 apps?
I would like to apply an OAuth authentication mechanism to the SharePoint sites which are currently accessible by enabling basic authentication in the site properties.
SharePoint 2013 supports server-to-server authentication and app authentication by utilizing and extending Open Authorization 2.0 (OAuth 2.0).
I am trying to have app authentication to access SharePoint resources (site users) with an OAuth mechanism. Is it necessary to register my app on Azure ACS just to get OAuth tokens? Can I also use another auth server which can generate OAuth access tokens? If yes, how will the app, the custom auth server and SharePoint communicate with each other?

Claims based Authorization

Planning to use ADFS to federate. One big challenge that we find is that not all applications are claims aware; also, every application has different role-based access. In such a case, how can we achieve 100% SSO authentication and authorization using identity claims?
In case ADFS cannot support such a requirement, what other vendor solutions are available which can support it?
A claims-aware application in the .NET world uses WIF / WS-Federation to get a set of claims in a SAML token which are then used to control user access and functionality.
ADFS only answers to WS-Federation or SAML requests.
So to get a non-claims-aware application to use ADFS, the application needs to be changed to add support for either of these protocols.
Refer: SAML : SAML connectivity / toolkit and the links inside the post.
Or you could go the other way and put something like an OpenAM agent around the applications and then federate OpenAM and ADFS.
ADFS on Server 2012 R2 has a new feature as part of the Web Application Proxy; refer to Create a Non-Claims-Aware Relying Party Trust.
There's a walkthrough here - Walkthrough Guide: Connect to Applications and Services from Anywhere with Web Application Proxy
and a good example here - First Impressions – AD FS and Window Server 2012 R2 – Part II.

SAML authentication

We are looking at IDaaS offerings (OneLogin, Okta, etc.). When we asked whether they support CloudBees they said they do not, but that if you support SAML authentication they can add support for CB very easily. Do you know if you support SAML?
There is no specific support for SAML; however, applications that are hosted on the platform may well support it.
CloudBees supports SAML integration with any SAML IdP endpoint. The SAML IdP endpoint could be running on your premises, or you can use IdP providers such as OneLogin, Okta, Centrify, etc.; they also provide a CloudBees app that you can configure for SAML. Both flows, SP-initiated and IdP-initiated, are supported as well.
See http://developer-blog.cloudbees.com/2013/09/cloudbees-now-offers-saml-20.html
Centrify definitely has a pre-built SAML app for CloudBees.
You can sign up for free here to test it.
https://www.centrify.com/free-trial/

SAML identity provider interoperability with remote Active Directory domain

We have a SaaS system based on SAML 2.0 authentication using an Identity Provider, and we want to provide several ways of logging in: form authentication, Facebook, etc. Is it possible to connect the SAML system to a remote application using Active Directory, ideally to gain access to the API also, but most importantly to be able to use their authentication with the remote Active Directory as a means of logging in to the SaaS system?
Check out PingFederate and PingOne from Ping Identity (note: I work for Ping). We have complete IdP and SP support (SAML 1.1, 2.0, WS-Fed (Passive)) as well as support for LDAP, SFDC, OpenID and other cloud identity providers (LinkedIn, Facebook, etc.). We also have support for web services security via OAuth2 and WS-Trust.

How do I authenticate users to Sharepoint 2010 site, using a standard SAML IDP (not an STS)?

The problem is I have a standard SAML 2.0 Web Profile IdP (a customized Shibboleth) that I can authenticate to Google Apps with nicely, but Microsoft decided to embrace-and-extend again, with WIF, so it seems things don't work off-the-shelf to have web SSO (single sign-on) with SharePoint.
At least, all the documentation shows only how to integrate with AD FS STSs, or how to write your own STS, as the protocols around claims exchange aren't standard.
From the overviews it seems feasible to have my IdP being called (redirected to) and returning the SAML response as a forced POST, as usual, but it seems hard to tell WIF to just process the simple response we serve.
Thanks,
ADFS v2.0 does support SAML 2.0.
If the SP STS doesn't support this, then simply add ADFS as a trusted provider to the SP STS.
I believe that ADFS 2010 only supports the WS-Federation Passive Requester Profile, i.e., no SAML 2.0 Web SSO support.
SAML 2.0 Web Profile support is possible, I believe, but you'll need to use a third-party product like PingFederate for SAML 2.0 support unless you want to write quite a bit of custom code.
Hope this helps -
Ian