ADFS 2.0 - How to know on the STS which RP sent you there - adfs2.0

We are trying to configure and develop a solution to properly brand the login site accordingly to where the user is coming from. The users are coming from relying parties, but they all use the same login site (STS).
Is there any way I can set a property from the RP that will be accessible from the STS? The wtrealm property is changed once it passes through the ADFS webservice. The RU parameter of the wctx is relative to the site it is redirected to, so it won't help.
I just need the STS to be aware of where the user is coming from, that way I add the necessary style sheets necessary.

Ended up baking an additional parameter into the query string via the ADFS webservice. Just edited the global.asax file and added the necessary parameter from there, then told the STS to pick up on this variable.

Related

ASP.NET Core WebAPI external login profile data

The front end is already authenticated with Google/Facebook/Twitter.
I just need to use the id token from the front end to get the user profile info in the WebApi, check if we already have an account with that email etc. and if not then add the external login key to the Identity data (by calling AddLoginAsync on the Microsoft.AspNetCore.Identity.UserManager).
I don't want to hardcode the user profile endpoints for Google, Facebook etc. as they might change. I'd like to use something like a NuGet package that has these values and just update it when/if they change.
I've read a lot of examples but they're for whole authentication flows, using redirects and cookies in Asp.Net MVC... Although it seems basic, I didn't find an example where the external login is already done on the client and the backend just needs to use the resulting token to validate that login and get the user profile info.
Anyone else run into this? Thanks!

How do I access Google Drive Application Data from a remote server?

For my application I want the user to be able to store files on Google Drive and for my service to have access to these same files created with the application.
I created a Client ID for web application and was able to upload/list/download files from JavaScript (client side) with drive.appfolder scope. This is good, this is half of what I want to do.
Now I want to access the same files from Node.js (server side). I am lost as to how to do this. Do I create a new Client ID for the server? (if so, how will the user authenticate?) Do I pass the AuthToken my user got client-side and try to use that on the server? I don't think this will work as the AuthToken is time-sensitive (and probably not intended to be used from multiple IPs).
Any direction or example server-side code will be helpful. Again, all I want is to access these same files the user created with my application, not any other files in the user's Google Drive.
CLARIFICATION: I think my question boils down to: "Is it possible to access the same Application Data on Google Drive both client-side and server-side?"
Do I create a new Client ID for the server?
Up to you. You don't need to, but you can. See below.
if so, how will the user authenticate?
Up to you. OAuth is about authorisation, not authentication.
Just in case you meant authorisation, the user authorises the Project, which may contain multiple client IDs.
Do I pass the AuthToken my user got client-side and try to use that on the server?
You can do, but not a good idea for the reason you state. The preferred approach is to have a separate server Client ID, and use that to request offline access, which returns (eventually) a Refresh Token, which you store in your server. You then use that Refresh Token to request Access Tokens whenever you need them.
AuthToken is ... (and probably not intended to be used from multiple IPs).
It is not bound to a specific IP address
"Is it possible to access the same Application Data on Google Drive both client-side and server-side?"
Yes
Most of what you need is at https://developers.google.com/accounts/docs/OAuth2WebServer
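The server-side pattern described in this answer (keep the long-lived refresh token on the server, mint short-lived access tokens from it as needed, then call Drive restricted to the application data space), as an added example that is not part of the original thread. It uses Google's token endpoint and the Drive v3 files.list call with spaces=appDataFolder; the client id, secret and refresh token values are placeholders, and the http argument exists only so the exchange can be exercised offline.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
DRIVE_FILES_ENDPOINT = "https://www.googleapis.com/drive/v3/files"


class ServerDriveClient:
    """Holds the long-lived refresh token and mints short-lived access tokens on demand."""

    def __init__(self, client_id, client_secret, refresh_token, http=None, clock=time.time):
        self.client_id = client_id
        self.client_secret = client_secret
        self.refresh_token = refresh_token  # stored server-side only, never handed to the browser
        self._http = http or self._urlopen_json  # injectable so tests need no network
        self._clock = clock
        self._access_token = None
        self._expires_at = 0.0

    @staticmethod
    def _urlopen_json(url, data=None, headers=None):
        body = urlencode(data).encode() if data else None
        req = Request(url, data=body, headers=headers or {})
        with urlopen(req) as resp:
            return json.load(resp)

    def access_token(self):
        """Return a valid access token, refreshing it a minute before expiry."""
        if self._access_token is None or self._clock() >= self._expires_at - 60:
            tok = self._http(TOKEN_ENDPOINT, data={
                "client_id": self.client_id,
                "client_secret": self.client_secret,
                "refresh_token": self.refresh_token,
                "grant_type": "refresh_token",
            })
            self._access_token = tok["access_token"]
            self._expires_at = self._clock() + int(tok["expires_in"])
        return self._access_token

    def list_app_data(self):
        """List only files in the application's hidden appDataFolder space, nothing else in the user's Drive."""
        query = urlencode({"spaces": "appDataFolder", "fields": "files(id,name)"})
        headers = {"Authorization": "Bearer " + self.access_token()}
        return self._http(DRIVE_FILES_ENDPOINT + "?" + query, headers=headers)["files"]
```

The same refresh token serves every server-side call, and because the access token is cached until shortly before expiry, repeated Drive calls do not hit the token endpoint each time.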

ADFS 2.0 Default Home Realm

What is the best way to customize ADFS to use a specific, configurable home realm if one was not provided?
My current method is to perform an HTTP redirect from the ADFS WebForms aspx file, but that seems a bit hackish.
I don't want my Relying Parties to be concerned with the home realms.
I think that a good approach would be to add a few lines within the ADFS HomeRealmDiscovery page in order to read the "DefaultHomeRealm" setting from the ADFS web.config file.
Steps
Go to C:\inetpub\adfs\ls
Open the HomeRealmDiscovery.aspx.cs
In the Page_Init method, add something like:
    // Requires: using System.Configuration;
    if (ConfigurationManager.AppSettings["DefaultHomeRealm"] != null)
    {
        // Skip the home realm discovery page and go straight to the configured claims provider
        SelectHomeRealm(ConfigurationManager.AppSettings["DefaultHomeRealm"]);
    }
Open the web.config file
On the appSettings section, add:
    <add key="DefaultHomeRealm" value="Default ADFS Federation Service Identifier" />
Do not forget to replace the service URI that you want to be defaulted.
For more information you can check:
SelectHomeRealm method
ADFS pages customization
I have successfully used this approach.
I hope it helps :)
Seba
Have a look at:
Windows Identity Foundation (WIF): How to Utilize the WS-Federation WHR Parameter to Bypass Home Realm Discovery (HRD).
The WS-Federation passive WHR parameter is used to bypass home realm discovery (HRD)
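An added example (not from either thread) of how an STS can act on the WS-Federation passive parameters discussed in the branding question at the top of the page and in this home realm thread: the RP identity in wtrealm is used as a lookup key into a registry of known relying parties to pick a stylesheet, and whr is honoured only when it names a trusted claims provider, with the DefaultHomeRealm fallback from the answer above otherwise. The realms, themes and registry are constructed sample data.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample registry: relying parties keyed by their wtrealm identifier.
RELYING_PARTIES = {
    "https://portal.example.com/": {"theme": "portal.css"},
    "https://hr.example.com/": {"theme": "hr.css"},
}
# Claims providers this STS trusts; a whr value outside this set is ignored.
CLAIMS_PROVIDERS = {
    "http://sts.partner.example/adfs/services/trust",
    "http://adfs.example.com/adfs/services/trust",
}
DEFAULT_HOME_REALM = "http://adfs.example.com/adfs/services/trust"  # the DefaultHomeRealm setting
DEFAULT_THEME = "default.css"


def parse_wsfed_request(url: str) -> dict:
    """Extract the WS-Federation passive parameters (wa, wtrealm, wctx, whr) from a sign-in URL."""
    qs = parse_qs(urlsplit(url).query)
    return {k: qs[k][0] for k in ("wa", "wtrealm", "wctx", "whr") if k in qs}


def select_theme(params: dict) -> str:
    """Choose the stylesheet from the registered RP, never from a free-form path in the request."""
    rp = RELYING_PARTIES.get(params.get("wtrealm", ""))
    return rp["theme"] if rp else DEFAULT_THEME


def select_home_realm(params: dict) -> str:
    """Honour whr only if it names a trusted claims provider, else use the configured default."""
    whr = params.get("whr")
    return whr if whr in CLAIMS_PROVIDERS else DEFAULT_HOME_REALM


def handle_signin(url: str) -> dict:
    """Decide branding and home realm for one passive sign-in request."""
    params = parse_wsfed_request(url)
    if params.get("wa") != "wsignin1.0":
        raise ValueError("not a WS-Federation sign-in request")
    return {
        "theme": select_theme(params),
        "home_realm": select_home_realm(params),
        "wctx": params.get("wctx"),  # passed back untouched so the RP can restore its state
    }
```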

CAS authentication and limiting access for specified users

I'm using CAS (Central Authentication Service) from Jasig in a client JSF app running on tomcat 6 server. I would like to limit the access to the app just for the users specified in my database rather than all the users which can be authenticated using that CAS service. When the user attempts to log in, I need to check if his username is also in my database's table user and if it is - allow the access to the app. Otherwise, I would like to redirect user to a page "You don't have permission to access this part of the application". So I need authorization as well. Is there a good way to authorize the users in jsf 2.0? Thanks in advance for any help/suggestions.
Sounds like you need to design a custom Authentication Handler class in CAS. In theory, your handler would extend this [1], perform all the necessary checks and database look ups and will then be able to return a signal that indicates whether or not the user could authN.
You should then reference your custom handler in the deployerConfigContext.xml file.
For displaying the message, you could either throw an exception with the proper messages code, such that the message would appear above the login form, or you could alter the spring webflow and generate a new view-state which the user would be redirected to, if they fail to get access. The first approach is much easier to implement.
Another approach would be to take advantage of the isUserInRole() method [2] using the persondir api.
[1] http://developer.jasig.org/projects/cas/cas-server-core/cas-server/cas-server-core/apidocs/org/jasig/cas/authentication/handler/support/AbstractUsernamePasswordAuthenticationHandler.html
[2] https://wiki.jasig.org/pages/viewpage.action?pageId=47874068

Integrated Authentication on Webserver - Security?

We have our own web server hosting our website that is open to the public outside of our network.
I have a request to make our "Internal Postings" link on our Careers page to authenticate the user against our network's Active Directory list.
I currently have it setup so the link hits a page inside the directory structure of the website, and this page's folder is set to "Integrated Windows Authentication". Anonymous access is turned off for this page. If the user is authenticated (ie: logged into our network or supplies proper credentials) it passes them on to an external careers website which hosts our job postings. If they fail to authenticate, it displays a custom 401 error page.
This works fine, but there is a problem with it. Using IE, people cannot just enter their username. They (of course) are required to enter the domain name as well. Unfortunately the default 'domain' is set to the URL of our website (www.xyz.com/username). I would like it to automatically choose the name of our internal domain (aaa/username) but am unsure of how to do this.
Another option would be to use LDAP and a little ASP scripting to authenticate the user. I have this code already, but am unsure of the security consequences of doing so. Basically, the page will be setup for anonymous authentication, and if the user isn't logged into our network, they will be prompted for a username/password using standard textboxes. This is then passed to an ASP script that does an LDAP lookup against our Active Directory. Is there any security issues with this method?
Which method would you choose to do?
Thanks.
EDIT: It seems I cannot authenticate to ActiveD via LDAP using a username/password combo. So forget about that option.
My question now is, how can I change the default 'domain' that IWA uses? Is that at all possible? IE seems to default to 'www.xyz.com\username' (my website) rather than 'aaa\username' (my domain name). Of course, www.xyz.com\username fails because that is not where our ActiveD resides... Is this possible? I want to make it as simple as possible for our employees.
You cannot authenticate a user with a script that looks up the user in LDAP. You need to know that the user is who they claim to be, and the only way to do that is to let NTLM/Kerberos authenticate the user (ie. establish proof that the user knows a secret stored in the AD, the password).
Add the URL of the web site to the set of sites considered to be in the local intranet zone for IE browsers running on the internal network. By default, sites considered to be in the local intranet zone will be sent the currently logged-on user's credentials when challenged with NTLM/Kerberos. Hence your internal users shouldn't even see a network logon box.
I hate to dredge up an old thread, but the answers are a bit misleading, if I understand the question. The thread Remus refers to is about authenticating via LDAP with a username only. As he points out, that isn't possible. But it looks like what Kolten has in mind is authenticating via LDAP with a username and password both. That's a standard practice called binding.