Migrating existing users to Thinktecture IdentityServer - thinktecture-ident-server

I have an ASP.NET application with Forms Authentication. There is a users table in the DB with Id, UserName, PasswordHash and PasswordSalt.
Is it possible to migrate these users over to a fresh Thinktecture IdentityServer installation while keeping their existing credentials?

You don't migrate users TO IdentityServer. You would rather implement a user service to connect IdentityServer to your existing user store.
See here:
https://identityserver.github.io/Documentation/docsv2/advanced/userService.html
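What such a user service looks like, as an added example that is not part of the original answer or the IdentityServer project: it authenticates against the asker's existing users table (Id, UserName, PasswordHash, PasswordSalt) in place, so no rows are migrated. Assumptions not on the page: the fresh installation is IdentityServer3 (the version the linked docsv2 pages describe, with its UserServiceBase), the legacy scheme is SHA-256 over salt || UTF-8(password) with both columns stored as Base64, and a hypothetical ILegacyUserRepository wraps the table. Replace VerifyLegacyHash with whatever the Forms Authentication app actually used.

```csharp
// Added example, not the original answer's or IdentityServer's own code.
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using IdentityServer3.Core;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;

public class LegacyUser
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string PasswordHash { get; set; }   // Base64, as stored today (assumed)
    public string PasswordSalt { get; set; }   // Base64, as stored today (assumed)
}

// Hypothetical data-access type standing in for the existing users table.
public interface ILegacyUserRepository
{
    Task<LegacyUser> FindByUserNameAsync(string userName);
    Task<LegacyUser> FindByIdAsync(int id);
}

public class LegacyUserService : UserServiceBase
{
    private readonly ILegacyUserRepository _users;

    public LegacyUserService(ILegacyUserRepository users) { _users = users; }

    // Invoked for the local login form. Set AuthenticateResult only on success;
    // leaving it null makes IdentityServer show a generic "invalid credentials".
    public override async Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        var user = await _users.FindByUserNameAsync(context.UserName);
        if (user != null && VerifyLegacyHash(context.Password, user.PasswordHash, user.PasswordSalt))
        {
            // The immutable Id becomes the "sub" claim; never use the user name,
            // which can be renamed or reused.
            context.AuthenticateResult = new AuthenticateResult(user.Id.ToString(), user.UserName);
        }
    }

    // Claims for ID tokens and the userinfo endpoint, read from the same table.
    public override async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await _users.FindByIdAsync(int.Parse(context.Subject.GetSubjectId()));
        if (user == null) return;

        var claims = new[]
        {
            new Claim(Constants.ClaimTypes.Subject, user.Id.ToString()),
            new Claim(Constants.ClaimTypes.Name, user.UserName),
        };
        context.IssuedClaims = context.AllClaimsRequested
            ? claims
            : claims.Where(c => context.RequestedClaimTypes.Contains(c.Type));
    }

    // Refresh tokens and sessions stay valid only while the row still exists.
    public override async Task IsActiveAsync(IsActiveContext context)
    {
        var user = await _users.FindByIdAsync(int.Parse(context.Subject.GetSubjectId()));
        context.IsActive = user != null;
    }

    // Assumed legacy scheme: SHA-256(salt || password). Adjust to the real one.
    private static bool VerifyLegacyHash(string password, string storedHashB64, string saltB64)
    {
        var salt = Convert.FromBase64String(saltB64);
        var stored = Convert.FromBase64String(storedHashB64);
        using (var sha = SHA256.Create())
        {
            var computed = sha.ComputeHash(salt.Concat(Encoding.UTF8.GetBytes(password)).ToArray());
            // Fixed-time comparison so response timing does not leak how many
            // leading bytes of the stored hash an attacker has guessed.
            if (computed.Length != stored.Length) return false;
            int diff = 0;
            for (int i = 0; i < computed.Length; i++) diff |= computed[i] ^ stored[i];
            return diff == 0;
        }
    }
}
```

Register it on the IdentityServerServiceFactory with `factory.UserService = new Registration<IUserService>(r => new LegacyUserService(yourRepository))`. If the legacy scheme is a single round of a fast hash, AuthenticateLocalAsync is also the one place where the plaintext is available, so it is the natural point to re-hash the password with a slow KDF and retire the old column as users log in.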

Related

How to add AzureAd authentication to .net core web app using identity framework

I have an asp .net core 3.1 web application that uses the MS Identity (for users) and Entity (codefirst) framework to authenticate users stored in database.
All user rights/groups etc. are stored locally and used to allow/deny access to different areas of the application.
So what I think I need is a way to allow users in my web app to choose to authenticate using an Azure AD account, and when the authentication is done, the web app will sign in the local user somehow linked to the Azure user.
Is this how to do this, or can you guide me on how to do this the correct way?
To achieve the above requirements, you can use Azure AD authentication & external login in your ASP.NET application by implementing the code in your appsettings and controller as mentioned here.
As you wanted to implement the application,
Consider other options before storing users of your web applications in a local database. Instead of managing users in a local database, it's best practice to store and manage user information outside of the application, such as with Azure Active Directory or Azure Active Directory B2C. Consider Identity Server if the authentication service must run on-premises. Identity Server is a member of the .NET Foundation and is OpenID certified.
To implement from scratch you can refer to this blog.
Please refer to the links below for similar discussions and documentation to get started:
MICROSOFT DOCUMENTATION | Secure a hosted ASP.NET Core Blazor WebAssembly app with Identity Server
SO THREAD | Implement both Individual User Accounts and Azure AD Authentication & .NET Core Identity Server 4 Authentication VS Identity Authentication
BLOG | Integrating with External identity Providers

Multitenant webform application

I have a webforms app running on .net 4.7.2, currently being hosted on Azure as a SaaS. It is a single software for multiple clients, each one with its own database.
Currently the user authentication is manually handled by us, but we are trying to implement a multi-tenant strategy, using the Azure AD and OWIN tools.
The app service has an Identity Provider configured, from a test AAD. We can log in with the provided credentials, but I can only configure a single Microsoft identity provider.
I'm not sure where to go from here... After hours reading the multiple docs from Microsoft, I'm still stuck.
By default, web app/API registrations in Azure AD are single tenant. You can make your registration multi-tenant by finding the Supported account types switch on the Authentication pane of your application registration in the Azure portal and setting it to Accounts in any organizational directory. Then people from other Azure AD tenants will be able to log in.
multi-tenant SaaS web application sample
If you want to use other identity providers, you can federate with IdPs that use the SAML protocol. SAML/WS-Fed IdP federation allows external users to redeem invitations from you by signing into your apps with their existing social or enterprise accounts. Federation with SAML/WS-Fed identity providers
There is also Azure AD B2C: Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.
Reference Docs:
Sign in any Azure Active Directory user using the multi-tenant application pattern
Azure Active Directory B2C
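The OWIN side of the multi-tenant registration described in the answer above, as an added example that is not part of the original answer or of Microsoft's sample. The point it demonstrates: once the registration accepts accounts from any organizational directory, the `common` authority issues tokens whose issuer differs per tenant, so the middleware's default issuer check has to be replaced by a check of the tenant ID against the clients you have actually onboarded. Without that check any Azure AD tenant in the world can sign in. Assumptions not on the page: the client ID and redirect URI placeholders, and a hypothetical ITenantStore that maps a client's Azure AD tenant ID to its own database.

```csharp
// Added example, not from the original answer or Microsoft's sample code.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Hypothetical: which Azure AD tenants are paying clients. In the real app
// this is the per-client database catalogue the question mentions.
public interface ITenantStore
{
    bool IsOnboarded(string tenantId);
}

// Constructed stand-in with two sample tenant IDs (not real tenants).
public class InMemoryTenantStore : ITenantStore
{
    private static readonly HashSet<string> Onboarded = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
    };

    public bool IsOnboarded(string tenantId) => tenantId != null && Onboarded.Contains(tenantId);
}

public class Startup
{
    // The JWT handler maps the "tid" claim to this URI; the raw name is checked too.
    private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";

    public void Configuration(IAppBuilder app)
    {
        ITenantStore tenants = new InMemoryTenantStore();

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<application-(client)-id>",                       // placeholder
            Authority = "https://login.microsoftonline.com/common",       // multi-tenant authority
            RedirectUri = "https://your-app.azurewebsites.net/",           // placeholder
            TokenValidationParameters = new TokenValidationParameters
            {
                // The issuer is https://sts.windows.net/{tenant-id}/ for every
                // tenant, so the built-in single-issuer check cannot be used.
                // Disabling it is only safe together with the tenant check below.
                ValidateIssuer = false,
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = ctx =>
                {
                    var identity = ctx.AuthenticationTicket.Identity;
                    var tid = identity.FindFirst(TenantIdClaim)?.Value ?? identity.FindFirst("tid")?.Value;
                    if (!tenants.IsOnboarded(tid))
                    {
                        // Valid Azure AD token, but not one of our clients: refuse the sign-in.
                        ctx.HandleResponse();
                        ctx.Response.Redirect("/Account/NotOnboarded");
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

The tenant ID, not the issuer string or the user's email domain, is the key to look up the client's database: the same tenant ID appears in every token the tenant's users present, and a user who joins a second tenant as a guest gets that tenant's `tid`, not their home one.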

Authorizing by updating Claim with data from database (Blazor WebAssembly ASP.NET Core hosted)

I have a question regarding authentication in my web-app using Blazor WebAssembly ASP.NET Core hosted. The database used is Azure SQL.
I want to avoid storing passwords in the database and the users are therefore restricted to having a Microsoft-account (relevant to the project).
As of now, the user logs in with Azure AD as the third-party authentication provider. When redirected back to the web-app, a user is created with a claim which only consists of the Email from Azure. The user is directed to a registration page where the Email-input is set to the current user-claim email. When the user clicks the register button, the information provided is now stored in the database.
The problem is that I now have a user in the DB, but the claim is still just the Email. I want to be able to use the AuthorizeView role tag on the different pages, and therefore wondered if it's possible to update the claim with a role that the user specified in the registration page? This data is at this point only stored in the database.
If this is a bad practice, is there any other similar way I could make this work?
To use the AuthorizeView role, roles claims should be returned by your Identity provider (Azure AD in your case). Your application should ask for those claims by requesting the corresponding scope.
According to the doc Permissions and consent in the Microsoft identity platform endpoint, the profile scope should return roles claims.
The doc Secure an ASP.NET Core Blazor WebAssembly standalone app with Azure Active Directory explains how to request scopes from Azure AD

Two .net core API and identity

I have two Web APIs, one for each of my two applications. I need my users to be able to log into either. Do I need to add ASP.NET Identity to both API projects? I will use a third-party identity provider to authenticate the users.
If you are using an identity provider like Identity Server, you can store users in a database and use ASP.NET Identity in the identity provider's application to manage users.
When you want to authenticate a user in your client application, it will redirect the user to the identity provider application's login page to let the user enter their credentials; then the identity provider application will validate the user's credentials in the database and issue an ID token, and an access token if you want to access a protected resource.
You don't need to add ASP.NET Identity to your client (web app/API) applications unless you want to map/save the users to your local user database. Adding ASP.NET Identity to the identity provider application to help manage users is always a good choice.
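What the two APIs look like when they contain no ASP.NET Identity at all, as an added example that is not part of the original answer: each API only validates the access tokens the external provider issues, and each accepts only tokens minted for itself, so a token for the orders API cannot be replayed against the billing API. Assumptions not on the page: the provider is a hypothetical OpenID Connect issuer at https://idp.example, its access tokens are JWTs with an `aud` of `orders-api` or `billing-api` and a `scope` claim, and the APIs target the .NET 6 minimal hosting model.

```csharp
// Added example, not the original answer's code.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public static class ApiAuthSetup
{
    // Orders API calls AddExternalIdpAuth("orders-api", "orders.read");
    // Billing API calls AddExternalIdpAuth("billing-api", "billing.read").
    public static IServiceCollection AddExternalIdpAuth(
        this IServiceCollection services, string audience, string requiredScope)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Discovery document and signing keys are fetched from the IdP;
                // the issuer is validated against what discovery reports.
                options.Authority = "https://idp.example";   // hypothetical IdP
                // Audience check: a token issued for the other API is rejected here.
                options.Audience = audience;
            });

        services.AddAuthorization(o =>
            o.AddPolicy("ApiScope", p => p
                .RequireAuthenticatedUser()
                .RequireAssertion(ctx => HasScope(ctx.User, requiredScope))));

        return services;
    }

    // "scope" may arrive as one space-separated claim or as repeated claims,
    // depending on the provider; handle both forms.
    public static bool HasScope(ClaimsPrincipal user, string scope)
    {
        foreach (var claim in user.FindAll("scope"))
            foreach (var s in claim.Value.Split(' '))
                if (s == scope) return true;
        return false;
    }
}

public class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);
        builder.Services.AddControllers();
        builder.Services.AddExternalIdpAuth("orders-api", "orders.read"); // this is the orders API

        var app = builder.Build();
        app.UseAuthentication();
        app.UseAuthorization();
        // Every controller endpoint requires a valid token for this audience with the scope.
        app.MapControllers().RequireAuthorization("ApiScope");
        app.Run();
    }
}
```

The user database lives only behind the identity provider; the APIs never see a password, and mapping a token's `sub` claim to local rows is needed only if an API keeps per-user data of its own.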

Azure B2C as external identity provider for Thinktecture Identity Server

I have a setup consisting of my relying party app -> Thinktecture IdentityServer -> Azure AD B2C. This is working as expected for login and signup using a sign-in or sign-up policy. The issue I am running into is that the password reset link on the Azure B2C page is sending back to my Thinktecture IdentityServer, instead of to Azure B2C where it should go? Has anyone encountered this and found a solution? I am also unable to submit a profile edit policy request to Azure B2C through Thinktecture IdentityServer. My Thinktecture IdentityServer instance just sees that the user is logged in and returns them directly back to my relying party.
So my questions are these...
How do I get the password reset functionality working correctly from Azure B2C?
How can I handle profile edit requests from my relying party and pass them in appropriately in Thinktecture IdentityServer?
It was suggested that I use acr_values, but I don't see how that is going to help any. Any suggestions/ideas would be helpful as I seem to have run up against a brick wall here.