Using ACS as a service with custom identity provider - authentication

We are working in an iOS application and we use back-end in azure. We have 2 types of login, one is Facebook login (using Fb as identity provider) and the other will be login directly to our system.
We decided to use ACS but we had a bunch of technical problems. My question is is it possible to create custom identity provider, which will be a service (for example WCF or WEB API) to generate a token that we pass the ACS to get the claim token. Does ACS support that kind of service interface? If so what what is the practice of generating tokens in our custom identity provider?
Thanks in advance,
Deuce

ACS can support any identity provider that speaks a protocol it understands. Depending on the backend behind your identity provider, you can use something like ADFS or write your own identity provider using WIF. ACS doesn't support mixing and matching web-based identity providers with WCF-based ones, which means that you'll need to expose a website that ACS can redirect a browser to using the WS-Federation protocol. The only external contract you have is that ACS will redirect users to you and you need to log them in (what that means for your IdP is up to you) and issue a token back to ACS.
There are literally whole books on how to write your own STS using WIF, to get started there are a number of resources that can help, including the WIF SDK (which provides a template for the STS), this whitepaper (see the section "Using Windows Identity Foundation to Build a Security Token Service"), or this blog post.

Related

How can a federated SAML authentication flow can work?

I'd like to setup an integration with a third party vendor for which I have to provide services, which need to be customer-aware.
The main flow is on the third party, that already have a service provider and an identity provider; the third party service provider then have to call my service, but then I need to check the authentication, for which I would like to rely on their identity provider, gaining so also access to the user identity (name, mail, other data).
basic flow
Does a flow like this can work? Do I have to receive the authentication infos cookie? Are other ways for which I can integrate with the third party identity provider?
Current web standards would likely dictate OIDC, especially if you want your service to be open to direct consumers as opposed to, or in addition to enterprise users. Were I building something today, I would choose to build out only OIDC, because it doesn't limit the Identity Providers I may want to use. In addition to enterprise, you could consider social logins as well, such as Facebook, Google, etc. If your users are ONLY enterprise users, then yes, you could consider SAML.
The identity data is usually returned to you in a JSON Web Token, or JWT.
I would suggest looking at OIDC implementations on your favorite stack, or look to a cloud provider.

Web api 2 security - key for api

I'm building an API that my public mobile app (xamarin forms) will call to get information. However to delimit the users of the API to just my app for security reasons, I want the public mobile app (xamarin forms) to pass a key to be able to call the API. Is basic authentication the best option then ? Or is there another approach ?
You can use any Auth based mechanism in your web api project. The best would be the latest Identity 2.0 using Owin.
OAuth is an open standard for authentication, and enables a resource
owner to notify a resource provider that permission should be granted
to a third party in order to access their information without sharing
the resource owners identity.
In your Xamarin client project (mobile app) use the Xamarin.Auth SDK to authenticate your users. It provides many features and also helps you to scale and use Social authentication as well.
Xamarin.Auth is a cross-platform API for authenticating users and
storing their accounts. It includes OAuth authenticators that provide
support for consuming identity providers such as Google, Microsoft,
Facebook, and Twitter.
The authentication flow when consuming an OAuth identity provider is as follows:
The application redirects a browser to an identity provider URL. The
URL query parameters indicate the type of access being requested.
The identity provider handles user authentication, and returns an
authorization code to the application.
The application exchanges the authorization code, client ID, and
client secret for an access token from the identity provider.
The application uses the access token to access APIs on the identity
provider, such as requesting basic user data.
The application uses the OAuth2Authenticator and OAuth2Request classes, provided by Xamarin.Auth, to implement the application side of the authentication flow.
The detailed explanation of Authenticating Users with an Identity Provider
Using the Xamarin.Auth component for authentication implementing is available here.

.NET plugin - Multiple IDPs for Authentication

We have requirement of build .NET based plugin/component for enabling Authentication against multiple IDP providers like ADFS, Azure AD and Shibboleth based on DB configuration. i.e, depending on the configurable parameter the anonymous user will be authenticated against any one of the IDPs like ADFS, Azure AD or Shibboleth IDP.
Our application URL ("https://www.contoso.com/ProcessToken.aspx") will be registered as RP Identifier in all of the 3 providers.
We won't make any web.config changes for any of the providers.
At run time, User will access common page(Proesstoken.aspx) who needs to get redirected to the any of the Login page URLs at the provider (ADFS, Shibboleth, Azure) for Authentication based on User Organization. (For ex: User A to ADFS, User B to Shibboleth etc)
After Successful authentication at the IDPs the user needs to get redirected by the provider (ADFS/ Shibboleth/ Azure AD) to the RP Url registered.
In the redirected page (ProcessToken.aspx), we are planning to get the security token and decipher the claims required.
The main intention is to decouple authentication away from application logic and it should be extendable to other providers in future.
PS: Considered options like OWIN Authentication Middle Tier, .NET Component etc.
Need guidance on How and where to start.
Have a look at IdentityServer 3 which implements this multi-auth scenario or OWIN : ASP.NET MVC application with multiple authentication options.
The main point is that you use NuGet to download all the protocols you require and than use OWIN to pull them all in via app.use.
You can configure ADFS to have Claims Provider Trust with the other IDP's Owin will acknowledge the authentication. The difficult part will be reading the attributes from the tokens. ADFS under the covers in conjunction with the Owin framework use ws-federation, I have not figured out how to read the SAML.
What gets confusing is that at one time the answer was WIF but now that 4.51 has been released, WIF was moved into Owin. The documentation for a multi-tenant application is sketchy at best.

Can apache Shiro be used to build an Identity Provider?

I am looking with Apache shrio framework. Looking at it authentication and authorization features can i build Identity server provider using shrio framework.
Is it possible to have features like,
Single Sign On
SAML support
Federation based on attributes
Do we need to write everything from scratch or shrio has some API's to handle such kind of features.
I read the documentation where they say about having SSO features based on Sharing of user session with multiple organizations . But i did not see any direct support API's to handle this.
To act as an IDP what shrio gives and what it does not support?
Please suggest.
Thanks,
Sohan
Shiro is a security layer that sits in front of your application. It is a security framework for a (SP) Service Provider that will issue an Authentication Request to your IdP (Identity Provider).
Open source IdP implementations that support SAML:
http://www.gluu.org/docs/
https://shibboleth.net/
This Stack Overflow question covers a way to use SAML to authenticate your user before they reach the application and provide the user's credentials as part of a http header.
Integrating Java Web App with SAML SSO
An alternative to installing and maintaining your own IdP.
https://stormpath.com/
The cost of developing, securing, and maintaining your own identity provider are likely much higher than paying a monthly fee.

Web Services and Azure ACS - Security Token from an Identity Provider (e.g. Facebook)

I'm new to Azure ACS and working with a web site that implements Azure ACS. I need to write a web service that needs to be secured with authentication via an Identity Provider first (e.g. Facebook).
I'm having a hard time finding a simple sample that can help me accomplish basically the 2nd scenario laid out in this article: http://msdn.microsoft.com/en-us/library/gg429784.aspx ("By presenting a security token from another trusted issuer (Identity Provider) that has authenticated that client").
For what it's worth, I was able to find a great example that lets the client authenticate directly with ACS using ACS Service Identity (i.e. username/password) here: http://blog.siliconvalve.com/2013/06/25/protect-your-asp-net-web-api-using-azure-acs-service-identities/, but I need the client to authenticate via FB to identify who that client is.
In case someone else is also looking for this information, here's a sample I finally was able to obtain after contacting Microsoft Azure ACS support: http://code.msdn.microsoft.com/vstudio/AAL-Native-App-to-REST-de57f2cc