Entitlement Web Service Authentication - authentication

I was tasked with implementing either a SAML authentication service, or a EWS (Entitlement Web Service Authentication) service, and I was wondering if anyone has any samples or documentation on such options. I am almost 100% sure that SAML is out of the question due to the time frame of the project.
EWS has been difficult to find online, I can't seem to find any good samples or documentation on implementing such service.

You have not stated which platform you are using, but there are open source SAML implementations that you can use. In php there is SimpleSAMLphp and for java there's Shibboleth.

Related

If Web API can be used just for Authentication using OAuth 2 in ASP.NET MVC4

I'm working on segregating the authentication part of my ASP.net MVC4 application using DotNetOAuth 2.0, Which will means that one project will do only authentication and send out response,based on response it will have access to other application.
The Idea is to get any application or project added later on use one common authentication process.
First thing came to my mind was building a service, in the process a read a lot about Web API and think it can help to achieve what I'm looking for.
Please suggest if you guys have implemented something like this or whats's the best practice.
Should i go with API or service, any link or sample to direct is appreciated
ASP.NET Web API is also a service - a RESTful service. The choice of using a "Service" although is good your underlying authentication platform will define what you should be using.
WCF is much more than a web service where as a Web API is pure HTTP service.
If you expect all your "applications" to be web based then there is no reason why this cannot be a Web API.
This article might be something that should help you decide on your authentication model: http://www.asp.net/web-api/overview/security/external-authentication-services

Securing RESTful web service using Apache Shiro

I am currently in the process of building RESTful web services using Jersey framework as a backend (for an Ipad\Iphone application) using Java, at the POINT I was trying to figure out a security( Authentication and Authorization) implementation of my the API, I came across Basic, digest and Oauth but at the point as my APIs are still not fully developed so I think Oauth seems to be a bit of an overkill to me...
My question is though Apache Shiro looks easy to grasp and start with is something that can usedfor securing RESTful web services like in the long run as my APIs logic grows?
Shiro is very customizable. It provides interfaces for doing your Authentication and Authorization. If you ever need to change your authentication from Basic to Oauth, all you have to do is implement a new class and plug it in.
The interfaces to look into are Realm, AuthenticatingRealm, AuthorizingRealm, Subject, AuthenticationToken and SimpleAuthorizationInfo.

ASP.NET Client Application Services Authentication and WCF

I have a WPF application that uses Client Application Services to allow authentication (username/password logon) against a related web application that uses Forms authentication and the SqlMembershipProvider/SqlProfileProvider/SqlRoleProvider. This all works and I can reliably validate a user/password combination.
The WPF application also calls a number of WCF services that are exposed by the same web application as is used for the CAS authentication. I now want to be able to pass through the authentication details (from Client Application Services) to the WCF services in order that I can identify the user that was authenticated within those services. I also need to be able to prevent the WCF services from being used if no authentication has taken place.
I have found a couple of .NET 3.5 examples where CAS authentication is used against .asmx web services, or authentication is provided against WCF Data Services which does not use ClientBase and has authentication facilities built in, but I cannot find any examples with pure WCF. Can anybody point me toward instruction that will enable this scenario? I am using .NET 4.0 for this project.
I have also found this stackoverflow question but again this is answered for .asmx web services and not for WCF.
The closest I have gotten involves the creation of an OperationContextScope and then copying the cookie header from the ClientFormsIdentity object to an HttpRequestMessageProperty and adding this to the OutgoingMessageProperties of the current OperationContext. I then call one or more methods of the service within the lifespan of the OperationContextScope. Thing is, when I then get to the WCF service, I still cannot see anything that resembles authentication in such a way as I can identify the original user. This methodology has been taken from various examples but I am obviously missing a step at the WCF end.
I think you need to switch to the Web API that Microsoft is now having people use for WCF Services. Check out Using Forms Authentication with Web API and http://aamirposwal.blogspot.com/2012/05/aspnet-web-api-custom-authorize-and.html
Found it.
In my binding, I specified allowCookies="true".
According to Wiktor Zychla, "setting the AllowCookies property on a BasicHttpBinding to true turns on the automatic cookie management" - this means that any attempt to set a cookie in code will be ignored and this is what I was doing.

Integration testing of a CAS secured web service

I have a web service that accepts CAS proxy tickets over HTTP Basic authentication headers via Spring Security. How do I perform integration testing with my client since there seems to be no programmatic way to fetch CAS tickets?
Since the CAS setup is one of the more tricky aspects of the project configuration I really need that to be part of our automated integration tests but I have hit a roadblock.
You be interested in the CAS RESTful API: https://wiki.jasig.org/display/CASUM/RESTful+API
The RESTful API follows the same basic protocol as the original CAS2 protocol, augmented with some additional well-defined resource urls. This is particularly helpful for applications that need to programmatically access CAS.
Hope this helps.

How do I implement SAML 2.0 in a WCF Client?

I need to implement SAML 2.0 for a WCF client that is talking to a java web service (Glassfish). I know very little about SAML, and after a bit of searching here (and elsewhere) I do not find much about how to implement with WCF. Since WCF abstracts you away from the SOAP layer how can I add SAML assertions to the SOAP header? Will a 3rd party tool like ComponentSpace work best? Or should I roll my own? Other advice?
You may need to use this SAML Toolkit for ASP.NET. The setup package includes several sample projects which help you to get started quickly.