Can I send SAML 2.0 token to SharePoint 2010 for authentication? I found a sample code in MSDN that connect office 365 in the cloud for the authentication, but the sample code uses SAML 1.1 token.
Does SharePoint work with SAML 2.0 token as well?
No, you can't. Sharepoint supports natively SAML 1.1 for claim-based authentication. To handle SAML 2.0 tokens in Sharepoint 2010, you currently have 3 choices:
develop a custom authentication provider using WIF. That shouldn't
be that complex to do as SAML 2.0 was recently integrated in WIF.
You'll find the library and code samples here:
http://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=36088
use Active Directory Federation Services (ADFS). The general idea of
this solution is that Sharepoint delegates authentication to ADFS,
which is configured as a SAML 2.0 Service Provider. Main advantage
of this solution: configuration/installation only, no development.
Obvious downside: much more complex architecture.
wait for Microsoft to implement SAML 2.0 in a future Sharepoint
Service Pack :)
You can create custom Saml2SecurityTokenHandler Class
Related
I am in need of a solution for using ADFS 3.0 identities in a ASP.NET Core 2 Web Api application. The Windows Enterprise Support team at my organization has informed me that they are only familiar with SAML or WS-Fed based relying parties within ADFS, and are not interested in allowing me to help them configure OAuth, which I could consume directly within the application. As far as I am aware, neither SAML nor WS-Fed are compatible with anything currently available targeting netcore or netstandard.
I've been looking at Identity Server 4, and it's so-called "Federation Gateway" functionality, but I can't find much in the way of documentation. Is this something that could be useful for my use case? I'm guessing that it's only set up to interface via OAuth or OpenID, but I could be wrong.
I've also looked at using Amazon Cognito as the middleman to issue JWTs based on the SAML response, but after I got a proof of concept working with this configuration, I realized the cost at $0.45/MAU is prohibitively high, as the application will have around 10-15k regular users.
If Identity Server isn't the solution, are there any other similar "Federation Gateway" type solutions available as preferably open source/free software? Even if the solution wasn't .NET-based, I'd be interested in looking at it. I'm toying with the idea of building something like this in Java or Ruby as a last resort.
As of version 2.0, IDS4 can be a WS-Fed relying party. This would allow it to act as a middleman between ADFS and OIDC/OAuth RPs.
This vid from the IDS4 guys covers the available options: https://vimeo.com/254635632
It's also worth noting that you can run ADFS 2016 servers in a 2008R2 or higher domain and that natively supports OpenID Connect but given what you've said about your internal "support" team, deploying IDS4 may be a better option, although probably more work.
Just for completeness, the issue with WS-Fed was cyptographic support in .NET Core. This is now resolved so WS-Fed is supported.
SAML support is available via Sustainsys or Rock Solid Knowledge.
You can implement SAML 2.0 federation with AD FS 3.0 in ASP.NET Core 2.1 using the ITfoxtec Identity Saml2 package. NuGet package: https://www.nuget.org/packages/ITfoxtec.Identity.Saml2.MvcCore/
Project https://itfoxtec.com/IdentitySaml2 and code samples https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test
I have a MVC web application hosted in IIS and users are stored in Azure AD.
I need to authenticate Azure AD users to access web application.
I am using ADFS for this and installation has been done on Azure.
To authenticate I need to know whether I should go for Window Identity Foundation or OWIN?
In many articles i read WIF has been deprecated and Using OWIN.
Let me know if owin is proper way for my scenario and if some proper examples are available?
Latest version of WIF is 4.5 which is also not available for VS2015
I understood is WS-FED is using SAML Token for this?
Confusion - your MVC application authenticates using Azure AD. Where does ADFS fit in? Have you got a federated tenant?
WIF is still around - people still use it. In VS2015, WIF is built in to .NET. So you can use it.
Yes - WIF (WS-Fed) uses a SAML token.
With OWIN you have a choice - you can use WS-Fed or OpenID Connect (OIDC) or even both.
Unless you are using ADFS 4.0, you need WIF as there is no support for OIDC in the earlier versions.
Why it`s not possible to create Web API project with Individual User Accounts Authorization type?
UPDATE:
All version numbers are updated from v1.2 to v2.0.
Please find the ASP.NET Core Schedule and Roadmap:
Identity Application Services
A service layer will be added ASP.NET Core Identity and included in the project templates using Individual Authentication. This will allow authentication of users by way of JWT tokens such that Web APIs can be secured out of the box, and make it simpler to change authentication systems, e.g. from in-app Identity to Azure AD B2C, or 3rd-party solutions like Identity Server.
Daniel Roth from MS:
Support for individual user accounts with the Web API template in VS is not available yet. We are still looking at providing a supported on premise offering for token issuance in addition to providing integration with Azure AD B2C.
This statement can be found in the comment section under https://channel9.msdn.com/Events/dotnetConf/2016/Building-Secure-Web-APIs-with-ASPNET-Core
This is just disabled in core 1.1.please use core 2.0 to find all authentication.You can download core 2.0 from
here
The Microsoft identity team released a CTP package for WIF back in 2011 adding support for the SAML 2.0 authentication protocol.
http://www.cloudidentity.com/blog/2011/05/16/ATTENTION-ASP-NET-DEVELOPERS-SAML-P-COMES-TO-WIF/
Unfortunately the link to the Microsoft Connect site is dead. Since most WIF functionality has been moved into .NET 4.5 System.IdentityModel namespace, I was hoping to find the Saml2AuthenticationModule class there. However, I cannot find that class anywhere in the identity model assemblies.
Does anyone knows what happened to the SAML 2.0 support classes? Where they migrated to .NET 4.5 System.IdentityModel namespace? If not, is the original CTP package available somewhere?
The WIF SAML stack never made it out of CTP. Had a look around and can't find it anywhere.
It was based on WIF 3.5 so wouldn't run under WIF 4.5 anyway.
My guess it that it was removed because SAML support is non-trivial and you can get the same functionality by federating via ADFS or Azure Active Directory.
There are other libraries available - refer: SAML : SAML connectivity / toolkit.
I have a scenario whereby i need to build a WCF service to provide custom authentication to 3rd parties non-web application connecting in an "Active" mode - i.e. i cannot present a web login page.
The login mechanism is also custom (i.e. not necessarily username/password), and so i cannot use ADFS or ACS.
I have read up on building active STS using WCF, but they mostly relate to .NET 3.5 and not much has been written around using .NET 4.5 since WIF has been integrated into the framework.
I have read Examples of how to a STS in .Net 4.5 using WCF but it doesn't seem to fit my scenario.
Any pointers appreciated.
Maybe you want to have a look at
http://thinktecture.github.com/Thinktecture.IdentityServer.v2/
This is an open source STS that includes active endpoints.