I am dumb and don't know what these two frameworks provides. I wanted to move to claims based authentication and don't understand what these two frameworks provide to me. Are these two providing the same functionality just named differently or they have a purpose?
Is there a question on SO that will help me getting started with porting existing forms authentication application to "Claims Based Authentication" ?
thank you very very much for your answers
Geneva is now called Active Directory Federation Services (ADFS).
It is a Security Token Service (STS) which issues signed tokens containing attributes about a user (name, email etc.)
WIF is the set of classes you include in a ASP.NET application that provides the plumbing to connect to ADFS.
Have a look at:
A Guide to Claims-Based Identity and Access Control
AD FS 2.0 Content Map
Windows Identity Foundation (WIF) Content Map
Update
The WIF link above contains a link to Get Started with Windows Identity Foundation (WIF) which includes the Identity Training Kit and some "Getting Started" examples.
Related
I'm building a system with 3 projects and I'm struggling with how to implement user management. I have 3 projects, an asp.net core MVC, an asp.net core Web API and an identityserver4. I want to use asp.net core identity for user management because the framework provides a lot, but I don't know where to place it. The system itself is not a big system yet, but I want it to be scalable in the future. I've read that the only thing identityserver is suppose to do is the authentication and authorization and not deal with the user management part(create users, change permission, etc.)
In the system itself, I need to have an admin that has access to the users (through the frontend MVC) and can create new or delete users, etc.
so the question is, Should i implement all the user management functions that asp.net core identity provides in the identityserver4 project or should I build it in the web API and have the two projects access the same database. I don't want the 4th project only for user management, though I know that is the ideal solution.
Currently, the mvc app only connects with the web API with the bearer token that identityserver provided.
Or, should I go in a new direction and use jwt token and asp.net core identity and only have two projects?
I'm very confused about this part, and I want to know what is the best practice.
Only Identity Server project (and any projects that are related to it) should have access to the user database. All user info a client or a API resource needs, it needs to get it from the IS its self. Now, setting up Identity Server properly depends on your needs. If you want a simple one for a few apps to use, go with a single project that can sign in users and register them, and setup your clients and API resources in the config.cs files. This is not a great way to do it though. Generally, you should have a IS project for user sign in and registration, and one more project that manages those users, as well as clients and API resources. You can see a great example of it here, it also uses ASP.NET Identity, and has a STS project(Identity Server), Admin project(User, Client, API manager) and an API project(for all related db access). Hope this helps.
Why it`s not possible to create Web API project with Individual User Accounts Authorization type?
UPDATE:
All version numbers are updated from v1.2 to v2.0.
Please find the ASP.NET Core Schedule and Roadmap:
Identity Application Services
A service layer will be added ASP.NET Core Identity and included in the project templates using Individual Authentication. This will allow authentication of users by way of JWT tokens such that Web APIs can be secured out of the box, and make it simpler to change authentication systems, e.g. from in-app Identity to Azure AD B2C, or 3rd-party solutions like Identity Server.
Daniel Roth from MS:
Support for individual user accounts with the Web API template in VS is not available yet. We are still looking at providing a supported on premise offering for token issuance in addition to providing integration with Azure AD B2C.
This statement can be found in the comment section under https://channel9.msdn.com/Events/dotnetConf/2016/Building-Secure-Web-APIs-with-ASPNET-Core
This is just disabled in core 1.1.please use core 2.0 to find all authentication.You can download core 2.0 from
here
I am getting myself familiar with all the stuff related to authentication using active directory (both Azure AD and Windows Server AD).
Currently I am inspecting MS Katana project which is based on OWIN specification.
There are three libraries and one of them is kind of confusing for me:
Microsoft.Owin.Security.ActiveDirectory
Microsoft.Owin.Security.OpenIdConnect
Microsoft.Owin.Security.WsFederation
As for OpenId and WsFederation I understand what they are for, there are plenty of examples and articles about that.
What confuses me is the purpose of the ActiveDirectory library. I mean is this another way how to authenticate against active directory besides OpenId and WsFederation?
I am unable to find any relevant clear articles and examples about this one. Even on this site is the libraty only listed, but missing example:
Azure Active Directory Authentication Libraries
So my question is what is this library for and what are the use cases for using it over OpenIdConnect and WsFederation ways.
Thanks
That library contains middleware used for securing Web API with Azure AD. Any sample featuring a web API project in https://github.com/AzureADSamples/ uses it.
Since I'm new to WIF.
I want to create a custom STS on WIF, but these document only for .net 3.5:
http://msdn.microsoft.com/en-us/library/ee748498.aspx
and I can't find these template in vs 2012.
So what should I do? Can anybody provide some information to me ?
Thanks !
Writing a custom STS service is still available under WIF in .NET 4.5 or WIF 4.5 for short.
"To create an STS you must derive from the SecurityTokenService class. In your custom class you must, at a minimum, override the GetScope and GetOutputClaimsIdentity methods...", Microsoft 1
You start by deriving a new type from System.IdentityModel.SecurityTokenService.
Note that we now use the SecurityTokenService which is apart of .NET 4.5's System.IdentityModel and not the pre .NET 4.5 Microsoft.IdentityModel.
Please refer to the link below to see an example of a passive STS.
Microsoft's Federation Metadata example is a reasonably complete example of custom STS.
MSDN:
This sample will show you how to dynamically consume WS-Federation metadata at run time in an ASP.NET Web Application. You will also see how to create a basic STS that produces WS-Federation metadata and issues tokens.
In addition this sample shows the basics of how claims have been integrated into the .NET framework. You will learn how a web application is enabled to use WIF. You will see how they are useful from within existing properties and functions, and how you can take the next step to using them directly using the ClaimsPrincipal class in System.Security.Claims. You also will also learn how to work with the local STS that is part of the Identity and Access tool for Visual Studio 2012. Tell me more
[1] System.IdentityModel.SecurityTokenService
The templates have been replaced with the Identity and Access Tool.
Refer Windows Identity Foundation in the .NET Framework 4.5 Beta: Tools, Samples, Claims Everywhere
There is no custom STS facility option anymore in the sense of a wizard as per FedUtil. As other posts allude to, you can still roll your own.
Refer: What's New in Windows Identity Foundation 4.5.
Have a look at Identity Server which is a very good custom STS and alter as required.
If you're completely new then writing a custom STS might not be such a good idea :-) I would suggest having a look at the implementation given in ThinkTecture STS (https://github.com/thinktecture/Thinktecture.IdentityServer.v2) This is a sample STS that handles different tokens types (SAML, SWT and JWT) as well as different procotols (WSFederation, OAuth, ...) There is too much in here for many simple cases but at least the code works.
I have a scenario whereby i need to build a WCF service to provide custom authentication to 3rd parties non-web application connecting in an "Active" mode - i.e. i cannot present a web login page.
The login mechanism is also custom (i.e. not necessarily username/password), and so i cannot use ADFS or ACS.
I have read up on building active STS using WCF, but they mostly relate to .NET 3.5 and not much has been written around using .NET 4.5 since WIF has been integrated into the framework.
I have read Examples of how to a STS in .Net 4.5 using WCF but it doesn't seem to fit my scenario.
Any pointers appreciated.
Maybe you want to have a look at
http://thinktecture.github.com/Thinktecture.IdentityServer.v2/
This is an open source STS that includes active endpoints.