I need to implement a web application hosted on sharepoint. This is a client requirement. So I cannot create a standard asp.net web application. Another client requirement is that the authentication is not an active directory one but they want to use an existing database of users.
I am a bit concerned how this would work on sharepoint because users would need to log-in onto sharepoint. Would it make sense that users log into sharepoint as anonymous and then we use our custom controls for log-in. How does sharepoint handle anonymous users?
Any assistance would be greatly appreciated
When building apps over SharePoint, you use the SharePoint authentication mechanism, whatever it is.
Does the SharePoint farm is already in place ? Or do you have to also build the farm ?
In the former case, probably the authentication mechanism is already in place and you just have to build a "standard" sharepoint application.
In the later case, you will have to carefully plan your authentication. SharePoint can use a combination of AD authentication, Forms authentication (over a DB in your case if you want) or a Claims authentication pattern. My guess is that a Forms authentication with a custom Membership/role provider is the way to go.
Related
I am working on an application which has an azure asp.net mvc website and an azure mobile service. Both will be using the same azure sql database.
I understand that I can use custom or Microsoft, Facebook based authentication using my mobile service. The website and the mobile app that I will be building though will have different features in the website and on the mobile app based on the role of the user.
How should I go about implementing user roles? If this was just an asp.net application, I would have just used ASP.NET Identity but not sure how to do this with Mobile Services.
I found a similar question asked a year ago with no resolution - Using ASP.NET 4.0 membership provider with Azure Mobile Services
If there is an existing implementation or guidance out there, please point me in that direction. Thanks.
As of today, there isn't a super easy way to handle this no matter how you slice it. You can take a look at this post (there is another dealing with the JavaScript backend that is linked from this) http://www.acupofcode.com/2014/04/general-roles-based-access-control-in-the-net-backend/ that talks about role based access control using Azure Active Directory. AAD may not be the option you want to go with. In which case, you'd need to implement the roles and checks in your Mobile Service yourself. If you only have two levels such as "normal user" and "admin" you COULD dictate everything based off of the user.level property and if they are "authenticated" they only have basic user access but if they're "admin" they have admin functionality. You'd still need to do the role based logic in your backend but I think you'll need to handle that no matter what.
Alternatively, what I think you could look at doing, is using the ASP.NET Identity system. Then from your Mobile Service, you can use the same type of custom auth I've documented here (http://chrisrisner.com/Custom-Authentication-with-Azure-Mobile-Services-and-LensRocket) but instead of checking against and storing a username/password in your Mobile Service like that sample is doing, when the user goes to register / login, you could check against the user backend created by the ASP.NET identity system. I don't have a sample off hand of that working but it sounds doable in my head.
I am new to windows azure development.
I am developing an application for hosting online tests.
This application needs to have multiple authentication options like Windows live ID, Facebook etc.
It also needs to have default form based authentication fed by the database in back end (simple User name and Password match).
Based on the authentication mechanism different permissions will be available to the user.
Can anyone please suggest how i should proceed on this?
Thanks
Do you really need forms authentication, or do you just need an application specific store where people can use a credential specific to your app?
I'd suggest researching Windows Azure Active Directory and Windows Azure Access Control Services together. You may create either an AD tenant for your application store and use it as an Identity Provider for ACS or you could host your own Secure Token Service and Identity Provider which uses your backend database as the user store also registered with ACS. This means that all of your authentication goes through the same process and allows for you to have your own user store, plus the social Identity Provider capability.
The key here is that you want try to avoid having forms authentication AND Social, but rather a mechanism where multiple Identity Providers can be used, including one of your own.
As Gaurav stated there are a ton of resources out there for this:
Understand the difference between WAAD and ACS.
Provisioning an Azure AD Tenant as a Identity Provider in ACS
Windows Azure Identity
There are also many blogs and MSDN documents talking about how to set these up.
If you start with the default "ASP.net MVC4 Web Application" template in Visual Studio you get a web application mini-sample with an AccountController that supports local and 'social' accounts out of the box. See documentation here. It is based on DotNetOpenAuth (a fantastic lib with terrible documentation) and a Microsoft implementation of an special MembershipProvider which lives in WebMatrix.WebData.
Regarding the Azure Access Control Service 2.0: I have no idea what the status of this service is but it looks to me as if MS itself tries to discourage developers form using this service since it was to deeply hidden somewhere under Windows Azure Active Directory in the documentation.
I'm working on a WCF project that will be our new service layer.
These services will be called by 2 separate clients, the first of which is a WPF application and the other is an ASP.Net web application. The WPF client will be run by internal users and will authenticate with the service via domain authentication and run under the context of that user. The other will be used by external users and needs to authenticate using some separate mechanism then impersonate a "WebUser" account on our domain.
I'm reading a bit about Windows Identity Foundation and it sounds like this might be a good fit. Am I right in thinking I could have 2 token services, one for domain authentication and one for something like ASP.Net membership authentication (Or some similar equivalent) and have each client get it's token from the relevant STS and pass that along to the WCF service?
I'm assuming there is an STS I can use out of the box for domain authentication, but will I have to implement the second one myself to authenticate web users? I can't find a lot of information on this.
Am I thinking along the right lines or should I just be creating duel endpoints for each service each with a different authentication mechanism? Or should I be doing something completely different?
Thanks
The big advantage of using Claims-Based authentication / WIF is that both the task of authenticating the user AND the administration of the user's properties are moved way from the applications to the STS/Identity provider.
You are developing a service layer but the true benefits of using WIF will be for the applications written on top of your layer. The WPF application will no longer need to connect to the AD and fetch the user's groups to figure out what they are allowed to do. The groups will already be visible as claims in the token the user/WIF provides.
The web application (is it just one web application or more?) will no longer need the ASP.Net Membership database with accompanying user administration. This functionality gets moved to the STS.
There is a cost. (There always is, somehow...) Claims-Based authentication has a rather steep learning curve. It takes a while for the quarter to drop for all people involved.
So the answer to your question depends on what kind of users the web application(s?) built upon your service layer have and how many. And how much they wish to know about them. Can you perhaps trust Google / Facebook / Windows Live for authentication? Are the users already in an existing database within your domain? How much work will it take to maintain the user directories? Do your marketing people wish to send them emails regularly? Et cetera.
This is probably not just for the service layer's developers to decide, but something to discuss with people in the rest of your organisation.
If the benefits are not particularly big, the alternative is to simply keep these responsibilities at the web application's server. Each web application will have a good old ASP.Net membership database, it'll authenticate the user all by itself. When asking queries from the service layer, it'll present its web server certificate plus specify the user's name and type.
If the benefits are big enough, you can in principle use ADFS 2.0 for everything. It can also store external users nowadays and it's free if you already have Active Directory. Or the ThinkTecture 2.0 server that Ross recommends. It's easier to customize and perhaps your systems administrators and security folks will not be too enthusiastic about opening the firewall to the ADFS server.
Microsoft has some good reads on WIF, in particular an Overview of Claims-Based Architecture.
You should take a look at identity server as it can indeed handle this scenario.
The person who leads the project above has a great pluralsight video on this exact scenario! You need to sign up to watch it, but they offer a free trial.
Basically you get a token from the identity provider (windows ADFS for the internal client, and what ever you decide for the external users). You will give this token to the federated gateway (identity server probably, but it could be Azure ACS). This will return an authentication token that you can then use with your service.
I am trying to evaluate a strategy where I can integrate our Azure based application to SharePoint Online.
The idea is to provide seamless UI so that they are able to use the best of the features from both these applications without having to navigate away from our application.
We would like to bundle the application with Sharepoint online so that if a user comes to our application they will see another tab for collaboration which will open SharePoint online in a seperate iFrame or something like that.
However the issue here is that we do not want the user to keep another set of user credentials for SharePoint online. Is there a way where we can provide some kind of single sign on here.
Our application uses forms based authentication.
I could verify that you sure can use ClaimBased SSO with Azure and SPOnline. Look for the following:
Claims-Based Single Sign-On for the Web and Windows Azure
Remote Authentication in SharePoint Online Using Claims-Based Authentication
So using Claim Based Authentication (Use Windows Azure ACS) you can merge SP online and Azure Web Role together.
I want to create the sharepoint 2010 site on SahrePoint 2010 server. I want to make it available in intranet as well as internet. what exactly i need to do ? is i need to configure mix mode authentication ? how ?
Look at Alternate Access Mappings:
How Do I: Configure an Alternate Access Mapping in SharePoint 2010?
Server Name Mapping and Alternate Access Mapping (AAM)
Making a SharePoint 2010 site externally available
Regarding authentication, you can use Classic Mode Authentication for externally available sites, but all users will need an Active Directory account. Otherwise, you might want to use a web application with Claims Based Authentication that uses a mix of Windows Authentication and Forms Based Authentication.
Note that externally available sites that require authentication are technically extranet sites. An internet site usually means that anonymous access is allowed (at least in part). In the case of SharePoint internet sites, special licensing might be required.