Accessing to AD FS 2.0 Claims through wcf - wcf

Currently I'm developing a WCF Service that act as inter-mediator between ASP application and AD FS 2.0, because the architech don't want that ASP app talk directly with AD FS 2.0.
He want that any app to use the WCF Service and this service will provide the information (Claims) without using the STS configuration of Visual Studio.
So, I found this code: https://stackoverflow.com/a/10992474/516715
This work fine to get claims, but I have questions about this:
How create Authentication, session and persistent cookies of ADFS in ASP app?
How close the session through the WCF service.
Exists more details to keep in mind about this case?
Exists security problems with this?
Could anybody have suggestions on this?
Thanks!

I would say you are opening yourself up to a whole world of pain.
There is an established, security reviewed, gold standard pattern for applications to communicate via a browser to ADFS using WIF.
So what you are essentially trying to do is re-invent the wheel by writing a web service that implements all the browser functionality e.g cookies. Your solution loses all the advantages that ADFS provides e.g. SSO, Federation, HRD etc.
And now you want to dig the hole deeper by writing your own STS.
The browser pattern is exactly what Microsoft use for Windows Live, Office 365 and Azure Active Directory.
So if it's good enough for Microsoft, why does your architect not want it?

Related

Windows Authentication in Blazor WASM

I am implementing a WebApp in our company's intranet with Blazor WebAssembly. I need to make API-Calls to our DevOps Server hosted in our intranet and need to use Windows Authentication to access the API. In the former used WPF Client it was enough to just add the UseDefaultCredentials-Flag on the HttpClient, but that does not work in WebAssembly anymore since the App is running in the browser. The Microsoft Docs state We don't recommend using Windows Authentication with Blazor Webassembly, but not recommend does not mean not support, so it has to be possible somehow, to attach the current App-User's Windows Credentials(Token) to the API Call. Unfortunately there exists no example on the docs page on how to implement this and I have not found any code on how to tackle this, although on some forums people wrote that it is possible, but did not include the How in their comments.
I am using .NET5 for both Server and Client and need to make the Api-Call with Windows Authentication from the Client, not the Server as most examples are using it, as my Server-Project uses the same User for all Requests but I need the User of the Client-Project.
Any kind of help is appreciated.

ASP.NET Client Application Services Authentication and WCF

I have a WPF application that uses Client Application Services to allow authentication (username/password logon) against a related web application that uses Forms authentication and the SqlMembershipProvider/SqlProfileProvider/SqlRoleProvider. This all works and I can reliably validate a user/password combination.
The WPF application also calls a number of WCF services that are exposed by the same web application as is used for the CAS authentication. I now want to be able to pass through the authentication details (from Client Application Services) to the WCF services in order that I can identify the user that was authenticated within those services. I also need to be able to prevent the WCF services from being used if no authentication has taken place.
I have found a couple of .NET 3.5 examples where CAS authentication is used against .asmx web services, or authentication is provided against WCF Data Services which does not use ClientBase and has authentication facilities built in, but I cannot find any examples with pure WCF. Can anybody point me toward instruction that will enable this scenario? I am using .NET 4.0 for this project.
I have also found this stackoverflow question but again this is answered for .asmx web services and not for WCF.
The closest I have gotten involves the creation of an OperationContextScope and then copying the cookie header from the ClientFormsIdentity object to an HttpRequestMessageProperty and adding this to the OutgoingMessageProperties of the current OperationContext. I then call one or more methods of the service within the lifespan of the OperationContextScope. Thing is, when I then get to the WCF service, I still cannot see anything that resembles authentication in such a way as I can identify the original user. This methodology has been taken from various examples but I am obviously missing a step at the WCF end.
I think you need to switch to the Web API that Microsoft is now having people use for WCF Services. Check out Using Forms Authentication with Web API and http://aamirposwal.blogspot.com/2012/05/aspnet-web-api-custom-authorize-and.html
Found it.
In my binding, I specified allowCookies="true".
According to Wiktor Zychla, "setting the AllowCookies property on a BasicHttpBinding to true turns on the automatic cookie management" - this means that any attempt to set a cookie in code will be ignored and this is what I was doing.

Securing WCF Services across multiple projects

I'm having a hard time wrapping my head around some architectural elements to securing a core WCF service that is consumed by many different applications.
Internally, we have an application that allows HR folks to update a peron's details. This is contained in a WPF app. Externally, we have a website that would allow individual people to authenticate (throuh an AD Membership provider) and update their details.
We don't want users to be able to see other user's information (for obvious reasons). But we don't want to host this service inside the same web application that the users would log into. Here is how the architecture would look from a visual studio perspective:
ServiceApplication
WpfApplication
MVCWebApplication
They don't exist inside the same domains, for example, the service application would be hosted at http://www.service1.com/Service.svc and the mvc application would be hosted at http://www.updateyourprofile.com . So a user logs into http://www.updateyourprofile.com and we'd like to hit a Wcf service via JSON. Both the service application, wpf application, and mvc web application would use AD credentials to authenticate. But how do we secure the service so that users who log into the mvc web application can only see their information?
Most of the examples I see say to use the HttpContext.Current.User check inside the service. But since the user authenticated at a different site, how does the cookie transfer? Do you end up having to publish your service inside the same web application that you want to consume so that the cookies travel transparently?
Or is it just not possible to have a centrally located service with disparate applications that use the same authentication store to determine who has access to what on the service?
What you are looking for is some kind of federated authentication system which is used by all the entry points. That is what Windows Identity Foundation can help you to build.
Inside each application, access control would be claims-based, according to the claims embedded in each user's security token issued by the authentication system.
There's an entire book on the subject on MSDN.

WCF service with WIF AD Single sign on

I have an Excel add-on which connects to a WCF endpoint located in our network to collect data. We're considering moving the application out to Windows Azure.
Currently the users are authenticated using their windows log on. I know that WIF, ACS and ADFS can allow us to authenticate on a web app but wondered if this would be possible with the WCF client.
Thanks
See here: Securing WCF Services with ACS
Also ACS and the code samples within.
If you are looking for delegation i.e. sign on using WIF and use that token for WCF, there's a delegation scenario and sample in the WIF SDK.

iPad to WCF Services authentication

I am currently working on a project that has an iPad application that uses JSON to call WCF services hosted with IIS. One of the requirements is that the WCF services needs to use IIS Basic Authentication to login. Once the user has been authenticated from the database, a few values need to set to a cookie for return trips to other WCF functions (similar to asp.net session variables). Is this possible with WCF and using cookies to hold state? If not, any recommended method?
Thank you.
WCF absolutely supports basic authentication. http://msdn.microsoft.com/en-us/library/ms733775.aspx has details on this. WCF will then identify this user on all messages that come through.
If you want to implement a customer authorization mechanic, you will need to implement ServiceAuthorizationManager. I've recently done something similar where I have iOS clients that use OAuth to authenticate with our services. I have this implemented a ServiceAuthorizationManager to determine who they are and what privileges that they have. Might be worth looking into.