PingFedrate SSO with WCF REST API - wcf

I am creating a WCF REST API to be consumed by a ASP.NET web application and mobile applications and an outlook add-in. The current infrastructure is hosted on premise but we plan to take it to the cloud soon.
The API needs to authenticate AD users via PingFedrate SSO. The current classic ASP application integrates PingFedrate and throws a challenge window to the user for authentication. I need to get the same via the API but stuck as to how to begin and where shall it lead.
Any pointers of suggestion from you experts?

This sounds like something you could use PingFederate's OAuth support for.
We (Ping Identity - my employer) have more information on how to authenticate using PingFederate SSO to get OAuth API Access Tokens (to secure your API and tie identity to it) on our Developer Portal.
Please see the follow links/articles:
https://www.pingidentity.com/content/developer/en/learn.html
https://www.pingidentity.com/content/developer/en/resources/oauth-2-0-developers-guide.html
https://www.pingidentity.com/content/developer/en/resources/openid-connect-developers-guide.html

Related

How do I Authenticate and get tokens for ASP .NET CORE WEB API Application With On-Premisis ADFS?

I am having a web application which is using ADFS for authentication this application is done in .net framework. I have written services in ASP.NET Core as of now there is no authentication for web api requests i want to to add ADFS authentication to web api how can i access this web api? how do i talk to this api after configuring it to adfs? what is the best way to access web api as they both were ADFS applications
To issue the token for the web API, we need to make the ADFS to aware it by creating a relying party trust for the web API. And when we add a replying party we need to specify the identifiers for the replying party:
And then we can use this identifiers as the reosurce URI to acquire the token for this replying party.
Please ensure that the resource URI is correct as you config.
here is a very nice article about developing with ADFS using OAuth:
https://msdn.microsoft.com/en-us/library/dn633593.aspx
Check this thread too
https://www.scottbrady91.com/Identity-Server/Identity-Server-3-using-WS-Federation
Hope it helps.

Azure AD or IdentityServer with Web API, understanding the concepts

Be warned possibly noob question ahead.
I'm a little unsure where exactly Azure AD or IdentityServer is supposed to fit in in the overall communication flow.
Here is a scenario that I often face.
Some "dumb" client (e.g. a Windows App that can't use external assemblies or some JavaScript in a web app) has to contact my Web API which will then contact other APIs or other resources.
If I want to try and implement either Azure AD or IdentityServer as a means of authentication and authorization in the Web API, I don't see that this can be done in any other way, than it has to be the Web API that communicates with Azure AD or IdentityServer as the client doesn't have the ability to do so due to the lack of required assemblies.
If this assumption is not correct, then how would I do this?
If it is correct however, then what means of security is there between the client and the Web API other than communicating over HTTPS when the client has to send it's credentials to the Web API, so the Web API can authenticate and authorize the user against either Azure AD or IdentityServer?
If I understand your requirements correctly, then you are able to change the client Windows app, but unable to add external assemblies to it? So you would not be able to add the ADAL NuGet package to it.
You can still use Azure AD authentication - it is possible, but not trivial, to implement the client code yourself.
Or you can, as you already mentioned, pass the user's credentials to the Web API somehow, and then use that to have the Web API do authentication towards Azure AD on behalf of the user. There is a sample app which shows how to use username/password credentials.
This however, goes against the whole OAuth/OpenIdConnect mindset, where your app should never know the user's credentials.
Here:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/develop/active-directory-v2-protocols-oidc.md
Be careful with trying to use the most recent version of the Azure AD endpoint (just don't use version 2.0, they shot themselves in the foot by excluding all Azure AD webapp registrations & by "securing" web APIs by making them only available to apps with the same appid - as far as I'm concerned, it's unusable until they fix those two issues) - see the "[!NOTE]" near the top of that linked page for the v2.0 limitations.

IdentityServer4 with optional External ADFS for some client configurations

So we are using IdentityServer4 for our web applications, all is good.
We have a new requirement from a client to allow them to perform SSO via their ADFS system using WsFederations, we already provide this for another one of our older web applications that is not tied into IdentityServer4 yet.
Ideally we would like to tie WsFedereration into IdentityServer4 so it is in one place.
Does anyone know if it possible to use IdentityServer4, so we redirect to IdentityServer4, identity that this particular client (possibly via an alternative URL), then IdentityServer4 authenticates against ADFS, collects the claims (probably basic, e.g. email/username/etc) , and we then supplement them with additional claims for access, and pass back to the web application.
What I'm trying to achieve ideally is to not change the existing Web Application, and to sort the plumbing at IdentityServer4, and the Web Application wouldn't know or care if this user was IdentityServer4 only or
IdentityServer4 + WsFederation. This would be useful for other clients across our applications to easily integrate in the future.
Alternatively I could deploy another version of the Web Application that authenticates directly with my clients ADFS system. However this seems a waste of server resources/maintenance for just one small client.
I had a look at the external options (where you click google on or near the IdentityServer4 Login Screen), is there a way to automatically redirect to the ADFS without event seeing the IdentityServer4 implemented Login screen.
Is this possible?
Thanks,
Jon
This was released 2017, see the example at
https://github.com/IdentityServer/IdentityServer4.WsFederation

Accessing a WCF Service secured by ACS from javascript

I am looking to create a WCF (possibly WebApi) web service that sits on top of some of our existing code. Eventually this service will be used by external clients but we are going to start using it with our own mobile app.
As some clients will want to use Gmail and ADFS authentication it seems to make sense to use Azure ACS (this is where our webservices are hosted). However we won't need multiple providers for a while and we will start by using a custom STS that authenticates users against our existing authentication logic.
We already have a rough prototype of the above working using a MVC web application acting as the client.
My problem is how do I integrate this with a mobile application? It looks as if the mobile app will be written using AppCelerator which means I need to authenticate using javascript. We only want users to authenticate to our custom STS so would I need to use Active Authentication? I.e.
Ask user to enter username and password
Directly authenticate with custom STS and retrieve token
Pass STS token to ACS and retrieve ACS token
Pass ACS token to wcf service for each request.
I guess my questions are: am I on the right track and if so how would I achieve this in javascript?
If you want to support mobile devices, it is recommended to provide a web based login interface in your STS. In most cases, a mobile device will navigate to your STS’s sign in page in a web browser. After your STS authenticates the user, it sends claims to ACS. ACS in turn uses JavaScript notification to notify the host application.
You can refer to http://msdn.microsoft.com/en-us/WAZPlatformTrainingCourse_ACSAndWindowsPhone7 for a tutorial about working with ACS in Windows Phone. Similar process can be used for other mobile devices.
Hope this helps.
I think it is possible to issue SAML over Https request. As a starting point Id suggest to look at Thinktecture IdentityServer sources by Dominick Baier. This will help to understand different strategies and how you can use em(there are some goodies for WebApi on Github also):
http://identityserver.codeplex.com/

Facebook-style API access scenario with Azure ACS and OAuth 2.0: how to implement app authorization?

I am building a social website that will expose REST API (WCF WebAPI) to the world so any developer would be able to create a client application for the website, integrate it with other services, etc.
I would like to implement Facebook/Twitter-style access control mechanism for the API. So that developers will register their apps on the developer section on the site, create a key and use that app key in OAuth workflow to get access to the API.
Since I use Azure in this project, I consider leveraging Azure ACS to facilitate OAuth processes. However, I am unable to find any code sample or manual for app authorization with ACS.
Can someone share such example or at least give me a direction for my own research? If I can achieve Facebook/Twitter behavior with another OAuth library (e.g. DotNetOpenAuth), that would be cool, too.
Thank you in advance.
ACS is a good choice for this sort of thing. Your scenario is pretty much OAuth Delegation, which ACS supports.
You should look into ACS with OAuth 2 Delegation sample in:
https://connect.microsoft.com/site1168/Downloads (It is called Wif Oauth CTP version)
Note that in this sample custom authentication is used for autheticating the user. Since ACS provides Single Sign On with Idps, you can instead use ACS here (e.g with Facebook).
If you go this path, you can find more information on how to use a custom home realm discovery page in the following sample:
http://msdn.microsoft.com/en-us/library/hh127794.aspx
Finally, you will neeed to have a web page where your client apps will manage their settings. For this you will be required to use ACS management service. You can find detailed information on using ACS management service in:
http://msdn.microsoft.com/en-us/library/gg185970.aspx