Thinktecture Identity server vs Authorization server - thinktecture-ident-server

I am researching on this topic last weeks and unfortunately I can't figure out. I understand the difference between authentication and authorization.
I will appreciate any guidance on the topic.
What I need as general is to implement single sign on for several web sites which are driven with apis which also should handle authentication. The users should be able to register/login with username/pass or respectively through any third party service like facebook, google+, twitter etc.
In the scenario above what is the better approach? Should I use only identity server, or only authorization server or both?
Thank you in advance.

Start with IdentityServer - this is your identity management system.
AuthorizationServer in addition is a full featured OAuth2 implementation that can use IdentityServer as a user store.
http://leastprivilege.com/2013/06/16/relationship-between-identityserver-and-authorizationserver/

Your scenario is more like Authentication which is confirming the identity of the user. On the other hand Authorization is if a person or if a role can execute some operation.

When Identity Server 3 was launched, it deprecated AS: The Future of AuthorizationServer, because all the AS features ase now included in IS.

Related

Saml overview and implementations

I am a beginner for saml authentication. I can understand the concepts and theme. But in real time, I do not know how to implement and code it.
What are all needed? How to code for the saml authentication? What technology needed? How many servers/websites needed? Which will be the service provider and identity provider. I do not know the procedure to code.
What are the prerequisites should i know?
I referred http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#1.Introduction|outline. But it is quite confusing. I could not get a clear idea to implement for my own.
What are the series of instructions to implement SAML authentication
for my own sever/website?
Which will be the IDENTITY provider(Authorization server) and
SERVICE provider?
How websites put it in service provider(Resource server) and saml authentication given?
How credentials stored and token response generated in the identity
provider.
How to implement as a code and what are needed to create?
Please help me.. Thanks in advance...
You haven't specified the language but on the client side, you need a SAML stack.
Refer SAML : SAML connectivity / toolkit.
On the server side, you need an IDP.
This could be ADFS, shibboleth, identityserver or an IDaaS product like Auth0 or Okta.

OAuth vs OpenID: confused about when to use one of these and why

So these days I was reading about OpenID and OAuth2. I've seen some questions (this and this), but from what I've read you can use OAuth and for authentication, not just for authorization. On the second question, I've read this:
If you have an account (with some private resources) in a website, you
can log in with username/password couple. If an application would like
to get some private resources, and if you don't want to give them your
username/password, use OAuth.
But if you want to log in into multiple websites with a unique
account, use OpenID.
This raised more confusions (Dominick Baier said in one of his presentation that if you haven't heared about OAuth2 these years, you were living in a cave for the last years, so it seems this was my case): If I have many webservices (API's) and if I have an STS service to request tokens for all the API's then I am using OpenID? Is OAuth is not scalable to extend the authorization to multiple sites using a single STS service?
When you try to explain me, please consider that I haven't implemented an authentication or authorization process before.
You are right: lot of authorization servers based on OAuth2 provides a way to authenticate. But OAuth2 is not designed for that purpose.
In an OAuth2 context, the client has just an access token to retrieve/manage resources on a resource server. It knows nothing about the resource owner.
That is why the OpenID Connect protocol has been created. It works on top of the OAuth2 Framework protocol and allows the client to get information about the resource owner.
I recommend you to look at this very interesting talk (start at 4:44). This video helped me a lot to understand the purpose of each token. I hope it will help you too.

Authenticate against client Active Directories in a Web Single Sign On

I've been scratching my head over this issue for over a week. We have a web app that we would like to implement SSO for. SSO with windows active directories of our clients (i.e. we essentially need to authenticate against our clients' active directories without much trouble)
The only thing I am 100% sure about is that I will needed a security token service that will have to communicate with an Identity Provider. My question:
Which service is most suitable for the above scenario (AD FS? OpenID & OAuth 2.0? SAML 2.0 and shibboleth?)
How will I connect to the active directories of the clients? Maybe I'm not understanding how the STS is to be used, could anyone clarify? I'm working with an Azure Web App
Will there have to be a different IdP for each client? Will the client have to do more than just give us standard information? What would this info be?
...should I be using Windows Identity Foundation?
HELP :( ... this is an SOS
If anyone could clarify at all, I will forever be grateful. I normally upvote anything I find helpful and accept whichever answer is the best so feel free to answer with what you think might be useful in helping me understand how I can achieve what I am after.
These are the three options I know:
As you mention one option is ADFS this solution means that your customers should install and expose Adfs. ADFS means Active directory-Federation Services, so in this case your application needs to speak WS-Fed (not oauth). Typically if the user is inside the LAN adfs uses integrated auth, if not it will prompt credentials.
WAAD is a new service from Azure, it allows companies to expose their directories to use in cloud applications. With this approach your customers need an account in Azure, create a directory and use the dir sync agent. Your application will talk SAMLP with WAAD.
Auth0 is an authentication broker that allows developers to use social but also enterprise identity providers like AD but also google apps, waad, adfs, salesforce, etc. if your customer only has AD you will provide him an msi for a windows service, that will bridge the company AD with your auth0 account, you can have as many AD as you want. Your application speak oauth with Auth0. This agent supports kerberos authentication as well. The following graph explains this solution:
Disclaimer: I work for Auth0.
WIF doesn't support SAML or OAuth.
Your application is in Azure.
Suggest add WIF to the application and then "bind" to Azure Active Directory. In VS 2013, use the "Change Authentication" feature for this.
Make the application multi-tenanted.
Each customer has their own tenant. User DirSync to sync. each customer AD with their AAD tenant. (That gives same sign-on). Adding ADFS to each customer gives single sign-on.
However, the customers will probably push back on this because of perceptions around security.

ACS Federation question

I'm building an Azure-hosted WCF service that I'd like to secure with ACS using credentials stored in an SQL Server database. I've looked at a bunch of ADFS2 examples but have yet to figure out how to do this. I'm sure I'm missing something obvious here so any advice would be greatly appreciated. Thanks...
You should be able to create your own STS, like this:
http://dotnet.dzone.com/news/5-minutes-wif-make-your-aspnet
Just add in the code to look your user up.
This post discusses how to create the federation metadata required to add the STS to the Azure Access Control Service:
WIF manually generate federationmetadata.xml
In your original project, you should then be able to add the Access Control Service as the STS, and if everything is set up correctly, you'll see your new STS.
If you want to use ACS (not clear in your post why you need it though), you need to have your WCF service trust ACS and then configure ACS to trust an STS that can authenticate users agaist SQL. You cannot use ADFS for that as it currently only supports authentication with AD.
Your options are varied, but the simplest would be to create your own STS as Richard mentions, or use one that already does that like StarterSTS or the more moder Identity Server in CodePlex (both open source and contributed by Dominick Baier from Thinktecture).
The question though remains: why you need ACS? The simplest solution would be to have your WCF service trust the (SQL backed) STS directly.
Here are some examples of when ACS would be useful:
You need to trust eventually more than 1 Identity provider
The claims your service expects are not supplied by the identity provider (you need transformation/augmentation of claims).
You need token translation (e.g. SWT -> SAML)

Creating a custom STS-IP with WIF and why not

I have a need to implement a STS-IP server for our web applications and services. The server will need to issue SAML tokens for the following scenarios:
Business partner submits their SAML token which is converted to a SAML token with the claims required for our applications. This token is used to access our Web Applications and Services.
Our public facing applications need to have a user sign in (via forms authentication) and then access our web applications and services with a SAML token.
Our clients (without a STS trust) needs to authenticate with our STS-IP server, get a SAML token, and use that token to access our WCF services.
In all 3 scenarios, we need to have custom claims on the SAML token that our applications and services use. The thought is once we identify the user, we would look up their authorization in our back-end systems and attach claims.
In these scenarios, you can assume the back-end authentication store is a custom implementation with authentication stored in Active Directory and authorization stored in a database.
So my thought has been, we need to create a custom STS-IP server using something like Windows Identity Framework. But I have also been reading that you should not do this because it can take some time.
Can I use an off-the-shelf STS-IP server? Everything I've seen is a mapping between one system to another (SAML to SAML or AD to SAML).
Why will it "take a long time" to build a production ready STS-IP ? I built one using WIF very easily, but I guess I don't understand the risks in doing this.
In terms of "It will take a long time", the documentation showing how to do this is very poor. See here: http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/257d93be-165e-45a6-a277-fc7ed2286e7d/
Anyhow, you'll simply need to look over the code samples that Microsoft provides: Google for Identity Developer Training Kit. That should help you get started.
Why are you not considering using ADFS? If the backing store for authentication is AD, then ADFS is probably a good candidate to evaluate.
Before writing you own STS, you may want to check out this blog and closely review the features that you may need in the STS. Just because you can build one yourself, doesn't always mean you should.
extending adfs to multiple identity and attribute stores
They "why not" is relatively simple: Why take weeks to build something that will probably only handle a single use-case when you can put in off-the-shelf STS in a day that will cover all sorts of things your company may come up with? Building it yourself will also require you to become an expert in SAML (which is probably not the best us of your company's time).
Check out --
http://www.pingidentity.com/our-solutions/pingfederate.cfm
Good luck -- Ian
Agree with #eugenio - why not use ADFS?
ADFS can only authenticate against AD as discussed but it can derive authorisation attributes from AD / LDAP / SQL server
The nuts and bolts for an STS are available in VS 2010 plus the identity tool kits. A simple STS can be quickly prototyped.
There are some examples available. StarterSTS is already mentioned plus SelfSTS.
The hard part is getting the security right especially if this will be part of a production system. As per "Steve on Security" Build your own Directory Federation Service:
It may sound like I think it’ll be a
synch to develop this system and have
it work securely, but in reality there
is a lot that will need to go into it
to protect the network, the employees,
and the data this could possibly
interact with. It is tough to develop
applications securely. It is far
harder to develop secure applications
whose sole responsibility is security
related.
That's the reason that all the samples on the Internet have disclaimers in bold:
Do not use in a Production environment