Adding SSO to an existing MVC application - asp.net-mvc-4

We have an existing MVC application which is used by multiple customers.
Currently, each customer is given a URL to our application e.g. https://myapp/mycustomername.
When they go there, they are presented with a login screen.
For some customers (not all) we want to implement SSO, and authenticate their users against their active directory, so that they never see the login screen (unless the SSO authentication fails).
Most customers won't be using this functionality.
My first question is: is this do-able? Is it possible to have an MVC application which uses both SSO and forms authentication?
If so, can anyone point me to any links explaining the process?
I've seen some good information, such as this tutorial, but I can't find anything that matches my scenario.
Thanks.

This is surely a do-able task.
The steps would be:
Identify the tenant name from the URL
Get the Identity Setting
If forms authentication, show them the login page
If SSO enabled, redirect to their ADFS URL
When you onboard your tenant, you will have to maintain the following metadata:
TenantName
AuthenticationType : {forms / ADFS}
SSO Url
SSO Federation Metadata URL
etc
We did one such implementation that supports ADFS, Social Logins with Forms Authentication too.
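As an added example (my own MVC 4-era C#, not the answer's code), the tenant lookup and the forms-vs-ADFS decision from the steps above as an AuthorizeAttribute. Tenant names, URLs and the Realm value are constructed placeholders, and the token ADFS posts back is assumed to be validated by WIF configured from the tenant's federation metadata (not shown).

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;
public enum AuthenticationType { Forms, Adfs }
// Per-tenant identity settings captured at onboarding (the metadata listed in the answer).
public class TenantSettings
{
    public string TenantName { get; set; }
    public AuthenticationType AuthenticationType { get; set; }
    public string SsoUrl { get; set; }   // ADFS passive endpoint, e.g. https://adfs.tenant/adfs/ls/
    public string Realm { get; set; }    // wtrealm registered with that ADFS for this tenant
}
// Hypothetical in-memory store with constructed sample tenants; a real app reads a table.
public static class TenantStore
{
    static readonly Dictionary<string, TenantSettings> Tenants =
        new Dictionary<string, TenantSettings>(StringComparer.OrdinalIgnoreCase)
        {
            { "acme", new TenantSettings { TenantName = "acme", AuthenticationType = AuthenticationType.Forms } },
            { "contoso", new TenantSettings { TenantName = "contoso", AuthenticationType = AuthenticationType.Adfs,
                SsoUrl = "https://adfs.contoso.example/adfs/ls/", Realm = "https://myapp/contoso" } },
        };
    // Step 1: the tenant is the first path segment, e.g. https://myapp/contoso/Home -> "contoso".
    public static TenantSettings Resolve(Uri url)
    {
        string[] segments = url.AbsolutePath.Trim('/').Split('/');
        TenantSettings tenant;
        return Tenants.TryGetValue(segments[0], out tenant) ? tenant : null;
    }
}
// Steps 2-4: use in place of [Authorize] on tenant controllers.
public class TenantAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;
        TenantSettings tenant = TenantStore.Resolve(request.Url);
        if (tenant == null)   // unknown tenant: fail closed instead of falling back to a default login
            filterContext.Result = new HttpNotFoundResult("Unknown tenant");
        else if (tenant.AuthenticationType == AuthenticationType.Forms)
            base.HandleUnauthorizedRequest(filterContext);   // normal forms-auth redirect to loginUrl
        else   // WS-Federation passive sign-in request to the tenant's own ADFS; wctx carries the return URL
            filterContext.Result = new RedirectResult(tenant.SsoUrl + "?wa=wsignin1.0"
                + "&wtrealm=" + HttpUtility.UrlEncode(tenant.Realm)
                + "&wctx=" + HttpUtility.UrlEncode(request.RawUrl));
    }
}
```

Customers without SSO never leave the forms flow, and a URL for an unknown tenant gets a 404 rather than a login page, so the SSO configuration of one tenant cannot be reached through another tenant's path.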

Related

Kentico claim based authentication with windows authentication

I am developing a Kentico application and I need to use Windows authentication or claims-based authentication depending on the user. If the user is an Active Directory user, they should be able to log in using username and password. If the user is not an Active Directory user, the user is redirected to a third-party site for claims-based authentication.
I wonder if it is possible to implement this requirement with Kentico 9 CMS. If possible, what is the best approach?
Based on the Kentico documentation, claims-based authentication with AD would work out of the box with just the proper settings.
You can start on the following page, and the links over there should connect you to the configuration as well:
https://docs.kentico.com/display/K9/Claims-based+authentication
The approach Michal suggested would work for third-party authentication.
Here is how you can implement AD authentication (quite easy): https://docs.kentico.com/display/K9/Configuring+mixed-mode+authentication
Unfortunately I'm not sure you can mix them together.
Authentication.Execute custom event handler might be a right place to inject your custom implementation for it.

asp.net 5 and IdentityServer4

I am working on a prototype for a site re-architecture using ASP.NET 5 and I am debating using IdentityServer4 for my Authentication and Authorization. I have reviewed a lot of samples and articles about setting up IdentityServer3 and 4 and I am trying to wrap my head around if it can handle my client’s requirements in a proper way. Here are my requirements.
I have 3 sites that need authorization. Site 1 (abc.com) will require windows authentication and will be a combination of mvc and webapi calls using roles (or roles converted to claims) for authorization. Site 2 (def.com) is a trusted site that wants a login widget with a username/password/rememberme text box on their site that when submitted will authenticate the user and redirect them to site 3 (xyz.com). Site 3 will also have its own login page and will be a combination of mvc and webapi calls using claims. Site 2 and 3 will not be using windows authentication and the client does not want them redirecting to the identity server login screen, but rather having their own login screen and calling the identity server from code with the credentials to login.
Here are my questions regarding this scenario and IdentityServer4.
1) Can Idsvr4 handle one client using windows authentication and another using username/password authentication?
1.1) If so, is there a reason to have windows auth in idsvr4 or should it just use standard windows auth within the webapp?
2) Can idsvr4 be set up to have the client collect the username/password/rememberme values and pass them through code to get the proper jwt tokens for both mvc and webapi?
2.1) If so, can it log them into both the mvc and webapi applications on another site?
2.2) If so, is this circumventing the real purpose of identityserver4 and therefore is a bad idea?
3) If it can handle this scenario and is a good idea, how would I set up the client, scopes and code to handle the login through code and redirect?
Examples are great and very welcome, but I am not even sure what verbiage to use to search for this scenario so even pointing me in the right direction would be of great help.
Not sure if this question is still active. But yes, I believe you can do all that.
1) You can set up which IdP is available for each client by setting IdentityProviderRestrictions on the client (docs)
1.1) Not sure what you mean; I believe one of the points of having idsrv is to centralize your authentication, and it makes it easier for future websites to integrate with the same service.
2) When logging in using a client (application), you also specify which apiResource the client has access to, and the application needs to add this to the requested scopes when signing in. So if your client is the mvc application, you just add the ApiResource in the AllowedScopes and set the request_type to id_token code; this would then give the user an access_token that is passed with each request to the backend api. (docs)
2.1) This would basically log the user in on both sites, using an access token that says that the user is authorized to use the backend api.
2.2) In my opinion this flow is one of the things that makes idsrv great, and they even mention this as a great feature of idsrv themselves. You just need 1 trip to the authserver to gain access to all systems.
As for pt. 3, take an extra look at the docs and try to set up a blank project following the quickstarts.
For logging in from your own login page, you need to use the grant type Resource Owner Password. Although they don't recommend doing this for security reasons (transmitting passwords over the wire), it is supported.
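An added example (my own, not the answer's or IdentityServer4's sample code) of the configuration the answer describes: a per-client IdentityProviderRestrictions entry, the API resource in AllowedScopes with the hybrid flow (response_type id_token code), and a resource owner password client for the sites that keep their own login page. Client ids, secrets, URLs and the "Windows" scheme name are assumed placeholders.

```csharp
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

// Resource and client definitions for the three sites in the question (constructed values).
public static class IdsConfig
{
    public static IEnumerable<IdentityResource> GetIdentityResources()
    {
        return new IdentityResource[] { new IdentityResources.OpenId(), new IdentityResources.Profile() };
    }

    public static IEnumerable<ApiResource> GetApis()
    {
        return new[] { new ApiResource("webapi", "Site WebAPI") };
    }

    public static IEnumerable<Client> GetClients()
    {
        return new List<Client>
        {
            // Site 1 (abc.com): hybrid flow; the only identity provider this client may use
            // is the scheme the Windows authentication handler is registered under.
            new Client
            {
                ClientId = "abc-mvc",
                ClientSecrets = { new Secret("REPLACE-WITH-A-STRONG-SECRET".Sha256()) },
                AllowedGrantTypes = GrantTypes.Hybrid,
                RedirectUris = { "https://abc.com/signin-oidc" },
                IdentityProviderRestrictions = { "Windows" },   // scheme name assumed to be "Windows"
                AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId,
                                  IdentityServerConstants.StandardScopes.Profile, "webapi" }
            },
            // Sites 2 and 3 (def.com, xyz.com): their own login pages post the collected
            // username/password to the token endpoint with grant_type=password; the returned
            // access token carries the "webapi" scope and is accepted by the API on either site.
            // Requires an IResourceOwnerPasswordValidator registered in the IdentityServer host.
            new Client
            {
                ClientId = "def-login",
                ClientSecrets = { new Secret("REPLACE-WITH-ANOTHER-SECRET".Sha256()) },
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, "webapi" }
            }
        };
    }
}
```

Because the password grant hands the user's credentials to the client, keep that client confidential (server-side, with its secret) and leave the restriction list off it only if every registered provider is acceptable for it.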

Liferay user authentication

How to authenticate with Liferay by passing the parameters as user email and password? If authentication is successful then I will redirect to a different web application. Actually I want to authenticate the user without using the sign-in portlet. Is there any way we can hit a URL and it gives a response text so we can identify that the user is authenticated? I followed this link but I didn't get a proper response.
Liferay integrates with a lot of different SSO (Single-Sign-On) systems on the market. Instead of reinventing the wheel, you should use one of those integrations. This way you're free to use whatever your SSO uses to authenticate the user and it will provide your user's identity to Liferay as well as to any other application.
For Liferay EE, you also have the option to make Liferay your "SSO" by utilizing the SAML plugin and creating Liferay into an IdP (Identity Provider) and by making your other application an SP (Service Provider).
The whole field of forwarding the identity of users has been solved and one shouldn't mock around with redirecting with any self-invented authentication scheme IMHO.

oauth2 - Authorization Flow

I've a question about oauth2 and its suitability in this case. I've looked at the authorization flow, but that always seems to start the process from the 3rd party web app, not from the portal (auth server)...
My terminology...
1) We have Enterprise Portal system (e.g. SharePoint etc), let's call it portal.com
2) We have a 3rd party hosted web app, let's call it webapp.com
A user, already logged in (authenticated) in portal.com clicks a link on one of the portal pages that opens up webapp.com (my 3rd party, cross domain web app). I want to authorize the user to use webapp.com without the need for supplying any extra login credentials.
Questions:
a) is oauth2 the most common 'standards' based way to do this? Or have I misunderstood something.
b) If it is, what is the authorization flow? (I only seem to find auth flows that start from the user visiting webapp.com FIRST, then directing to portal.com to login, then redirecting back. But in my user story, the user visits portal.com first and is already logged in when they are linked to webapp.com).
Apologies if my terminology is poor - I am new to this area.
Cheers,
Ollie
Technically OAuth 2.0 has been created as Authorization protocol, but it is easily usable for Authentication (Identity Provider) as well and suits your situation rather well. You may however investigate OpenID Connect (OIDC) - which is an extension of the OAuth 2.0 exactly in the area of Authentication / Identity Provider.
If you have got a User Session on your Portal, then it is absolutely fine if you simply redirect to your WebApp and then the WebApp (which has no session yet) requests User Identity from the Portal by means of OAuth 2.0 / OIDC. The user would get 2 extra redirects without noticing anything, but this way the login would also work fine if the user bookmarks your WebApp and accesses it without first entering portal.com.
It sounds like you are looking for a solution for single sign-on. If so, OAuth 2.0 (RFC 6749) cannot help you. OAuth 2.0 is a specification for authorization, not for authentication. It explicitly states as follows.
The way in which the authorization server authenticates the resource owner (e.g., username and password login, session cookies) is beyond the scope of this specification.
Authentication deals with information about "who one is". On the other hand, authorization deals with information about "who grants what permissions to whom". So, OAuth 2.0 is not the keyword for your case.

Liferay SSO CAS LDAP

Good evening. I must make an intranet with Liferay; the most important thing is to integrate a web application (or 2) that is already ready with the portal that I will make. These web applications are made in PHP, so in order not to make the user authenticate to each one, I wanted the user to authenticate to the portal and click on the link to one of these web applications, and not have to authenticate again for these apps. For this reason I used SSO CAS and integrated it with Liferay; I also used an LDAP directory connected to the CAS server to identify users.
My problem is what the procedure is for the other web apps: must users have the same login and password for the portal (Liferay) as for the other two PHP apps? Or can I leave each application with its users unchanged (because in each app, the user has a login and password different from the other apps)? That is, how does the coordination between the different logins and passwords of the various apps happen? (Is this a problem of SSO, or have I misunderstood the principle of how I should implement it?)
Some clarifications and assistance, please?
The other webapps need to implement a so-called CAS Client. The PHP one is here:
The PHP apps will typically redirect non-authenticated users to CAS, and after they have logged in the webapp retrieves a SAML token. In that token, claims are found that uniquely identify the user. Applications then typically match the provided claim to their own user store or apply the concept of a virtual user.
But that is up to the implementer of the webapps.