I would like to authenticate users against Active Directory using LDAP. Is it possible with OpenIddict ?
Currently, I have Front end (Angularjs) + Back end (Web.API with ASP.NET Core and OpenIddict) which works perfect. Part of users use individual user accounts and they will continue. Another part of users should use AD accounts. It is inside internal network and would like to use already existing Active Directory for that.
Please suggest any solutions for that.
Thanks.
Please suggest any solutions for that.
OpenIddict is never responsible of the login/authentication part, so you can freely implement it to use LDAP with both interactive flows like the code flow and with non-interactive flows like the password flow.
If your AD servers can run Active Directory Federation Services, I'd recommend using it, as it's the best way to achieve what you want.
Depending on the version you're using, you'll be able to integrate with any ASP.NET Core app quite easily (the 2016 version supports OpenID Connect while the previous one supports OAuth2: both can be used with the OAuth2/OIDC middleware developed by the ASP.NET team).
If you can't use ADFS, another option is to use Integrated Windows Authentication. It's currently only supported when hosting your application behind IIS or when using WebListener.
If none of these options work for your scenario, you can opt for the "low-level LDAP validation" route. Though it's not officially supported by .NET Core, there are a few libraries developed by the community that you can use: https://github.com/dotnet/corefx/issues/2089#issuecomment-231994908.
Related
I have tried to find but without any success on how to use Windows authentication that is implemented in IdentityServer4 samples (Quickstart6: AspNetIdentity).
What I managed to find out is that I can use http://localhost:5000/connect/token to POST client_id, client_secret, scope and grant_type in order to get token. The issue is next. From what I have managed to find out in order to use Windows authentication, I need to use "hybrid" for grant_type, but I always get "unsupported_grant_type".
Since I want to avoid default MVC client that is in that example to work with Windows authentication, how can I use Windows authentication trough rest with provided username/email and password, so I can make my own login page for Windows authentication in for example React application?
I have also found http://localhost:5000/connect/authorize endpoint, but I don't know if I can use it for this and how to even work with that endpoint.
I'd suggest reading more about OpenID connect in general to familiarise yourself with the various flows.
When working in a Windows context I'd recommend using ADFS. The latest version supports OpenID Connect out of the box so is a doddle to integrate with from ASP.Net Core whereas the other options (direct LDAP calls or IIS integration) are more complex and/or restrictive.
That said, this article covers how to use integrated Windows auth when running in IIS on Windows: https://docs.identityserver.io/en/release/topics/windows.html
So we are using IdentityServer4 for our web applications, all is good.
We have a new requirement from a client to allow them to perform SSO via their ADFS system using WsFederations, we already provide this for another one of our older web applications that is not tied into IdentityServer4 yet.
Ideally we would like to tie WsFedereration into IdentityServer4 so it is in one place.
Does anyone know if it possible to use IdentityServer4, so we redirect to IdentityServer4, identity that this particular client (possibly via an alternative URL), then IdentityServer4 authenticates against ADFS, collects the claims (probably basic, e.g. email/username/etc) , and we then supplement them with additional claims for access, and pass back to the web application.
What I'm trying to achieve ideally is to not change the existing Web Application, and to sort the plumbing at IdentityServer4, and the Web Application wouldn't know or care if this user was IdentityServer4 only or
IdentityServer4 + WsFederation. This would be useful for other clients across our applications to easily integrate in the future.
Alternatively I could deploy another version of the Web Application that authenticates directly with my clients ADFS system. However this seems a waste of server resources/maintenance for just one small client.
I had a look at the external options (where you click google on or near the IdentityServer4 Login Screen), is there a way to automatically redirect to the ADFS without event seeing the IdentityServer4 implemented Login screen.
Is this possible?
Thanks,
Jon
This was released 2017, see the example at
https://github.com/IdentityServer/IdentityServer4.WsFederation
I am working on an application which has an azure asp.net mvc website and an azure mobile service. Both will be using the same azure sql database.
I understand that I can use custom or Microsoft, Facebook based authentication using my mobile service. The website and the mobile app that I will be building though will have different features in the website and on the mobile app based on the role of the user.
How should I go about implementing user roles? If this was just an asp.net application, I would have just used ASP.NET Identity but not sure how to do this with Mobile Services.
I found a similar question asked a year ago with no resolution - Using ASP.NET 4.0 membership provider with Azure Mobile Services
If there is an existing implementation or guidance out there, please point me in that direction. Thanks.
As of today, there isn't a super easy way to handle this no matter how you slice it. You can take a look at this post (there is another dealing with the JavaScript backend that is linked from this) http://www.acupofcode.com/2014/04/general-roles-based-access-control-in-the-net-backend/ that talks about role based access control using Azure Active Directory. AAD may not be the option you want to go with. In which case, you'd need to implement the roles and checks in your Mobile Service yourself. If you only have two levels such as "normal user" and "admin" you COULD dictate everything based off of the user.level property and if they are "authenticated" they only have basic user access but if they're "admin" they have admin functionality. You'd still need to do the role based logic in your backend but I think you'll need to handle that no matter what.
Alternatively, what I think you could look at doing, is using the ASP.NET Identity system. Then from your Mobile Service, you can use the same type of custom auth I've documented here (http://chrisrisner.com/Custom-Authentication-with-Azure-Mobile-Services-and-LensRocket) but instead of checking against and storing a username/password in your Mobile Service like that sample is doing, when the user goes to register / login, you could check against the user backend created by the ASP.NET identity system. I don't have a sample off hand of that working but it sounds doable in my head.
I've been scratching my head over this issue for over a week. We have a web app that we would like to implement SSO for. SSO with windows active directories of our clients (i.e. we essentially need to authenticate against our clients' active directories without much trouble)
The only thing I am 100% sure about is that I will needed a security token service that will have to communicate with an Identity Provider. My question:
Which service is most suitable for the above scenario (AD FS? OpenID & OAuth 2.0? SAML 2.0 and shibboleth?)
How will I connect to the active directories of the clients? Maybe I'm not understanding how the STS is to be used, could anyone clarify? I'm working with an Azure Web App
Will there have to be a different IdP for each client? Will the client have to do more than just give us standard information? What would this info be?
...should I be using Windows Identity Foundation?
HELP :( ... this is an SOS
If anyone could clarify at all, I will forever be grateful. I normally upvote anything I find helpful and accept whichever answer is the best so feel free to answer with what you think might be useful in helping me understand how I can achieve what I am after.
These are the three options I know:
As you mention one option is ADFS this solution means that your customers should install and expose Adfs. ADFS means Active directory-Federation Services, so in this case your application needs to speak WS-Fed (not oauth). Typically if the user is inside the LAN adfs uses integrated auth, if not it will prompt credentials.
WAAD is a new service from Azure, it allows companies to expose their directories to use in cloud applications. With this approach your customers need an account in Azure, create a directory and use the dir sync agent. Your application will talk SAMLP with WAAD.
Auth0 is an authentication broker that allows developers to use social but also enterprise identity providers like AD but also google apps, waad, adfs, salesforce, etc. if your customer only has AD you will provide him an msi for a windows service, that will bridge the company AD with your auth0 account, you can have as many AD as you want. Your application speak oauth with Auth0. This agent supports kerberos authentication as well. The following graph explains this solution:
Disclaimer: I work for Auth0.
WIF doesn't support SAML or OAuth.
Your application is in Azure.
Suggest add WIF to the application and then "bind" to Azure Active Directory. In VS 2013, use the "Change Authentication" feature for this.
Make the application multi-tenanted.
Each customer has their own tenant. User DirSync to sync. each customer AD with their AAD tenant. (That gives same sign-on). Adding ADFS to each customer gives single sign-on.
However, the customers will probably push back on this because of perceptions around security.
I'm writing an application, and I've only had experience using a custom login module with Glassfish fo handling user login. If deploying in the Cloudbees cloud, I'm assuming that providing a custom login module is not a possibility, correct? And even if it is, I don't think I really want to use that method. What mechanisms do you use to secure you application, having user accounts, etc? If you use an OAuth provider, did you write one yourself? If so, can you point me to an example so I can do the same?
Thanks.
John - I have used openid in several places - that seems to work well. I expect a similar solution exists for oauth using servlet filters or similar.
The cloudbees "grandcentral" service is an openid and oauth (I think) provider - for cloudbees accounts.
In theory you should be able to do the same - even if you have to run an embedded glassfish as a zip of jar files with a main launch class.