I have two websites:
The first one is an ASP.NET MVC website on .Net framework 4.7.2
The second one is an ASP.NET MVC Core Website on .Net Core 6
Important to note, these 2 websites are on different domains.
Actually, you can sign in on the first one by email, a Google account or a Facebook account.
I need to be able to sign in the second one (these 2 sites share the same client database).
Of course, if I am logged on the first one, I need to be logged on the second one, and vice versa.
I am looking for a free and "simple" solution.
I don't want to use ASP.NET Identity.
I suppose that I need a 3rd website which will manage the login/logout?
I found this interesting article https://www.codeproject.com/Articles/106439/Single-Sign-On-SSO-for-cross-domain-ASP-NET-applic but it's outdated : it uses asp.net webforms.
Any advice?
You can use Token Authorization from one application User being logged in can click on a redirect button to another application
from clicking on link the first application will make a JWT token or any encrypted user values using Symmertic Algo. Then then route on Another (Second) Application
will Verify the JWT token or any encrypted user values to login In the User for Antoher Application and set the desired session in that application. you can also maintain the logs for logining in user in Database.
Related
I have to create an Authentication and Authorization environment for my ASP.NET CORE MVC Identity 2.1 application, with an API backend and IdentityServer4 as Authorization Server).
I have administrators
I have Projects.
Every user has to be in at least one project, except administrators.
I would give users a claim like "Role" and store something like "admin"/"user" in it.
Now it gets more complicated.
In every project, users have different roles, and sub roles and once again sub-roles of sub-roles (so, three tiers).
Currently, I solved the problem by using action filters and write them in front of each controller/method (where I see them fit). I also created tables for these three tiers, so that I can store which user is in which tier (and of course they have different access rights depending on that).
I also want the user to be able to have multiple projects open at the same time (in different browser tabs) so that they can switch between these as they desire. I currently solved this by sending the project id on every request in the URI.
I thought about using claims instead of my current action filter solution. I read a lot into that and watched the Microsoft Virtual Academy videos regarding this topic. But I fail to understand how I could use that in this scenario. Should I do claim requirements and copy the code from my action filters in them because claims identity can't handle my case by default?
Am I doing this completely wrong?
Scenario:
Identityserver4 + aspnet core identity and one aspnet core mvc client
Questions:
How to manage 2 users logging into the same browser at the same time? Do I have to make sure that only one user is logged in at a time or can I use several users at the same time?
you can use Facebook login scenario.
you can save usernames into a cookie and show them a list of logged in users. after clicking on it a password will appear.
We have an application designed 3 years back in ASP.Net & SQL Server 2008.
We designed our own login DB design and forms authentication for the application with the help of ApplicationUser, Role, Then other transaction tables using UserId for getting the corresponding user records, history records.
So far no issues with new user registration and bringing and managing existing user records.
Now our client wants to integrate, Google Account Login for the new customer
and even the existing customer can sign in with the Google account.
We are wondering how it is possible. If you use Google Account to login, how we manage UserId mapping and other tables.
Is it possible to integrate the Google Account Login with the existing Application has designed with its own login implementation?
If yes, what are the things to be followed/considered for implementing this?
Another suggestion might be to use the nuget package SimpleAuthentication.**
Out of the box, it has an MVC controller which means all you need to do is implement the code for checking if the user exists in your system, etc. (ie. when you come back to your website from Google).
If you're on webforms (appologies) then you need to do a bit more work by creating your own form call back and then handling the return from Google.
** Disclosure: I'm one of the 2 main contributors for it.
I would use Windows Identity Foundation. It uses claims based authentication so all a user needs to access your site is a security token with a claim. You could set up a separate Security Token Service that authenticates users based on your own database and users could also retrieve tokens by logging in through Google or with any other party you configure your app to trust.
Ages ago I've created small ASP. NET MVC and if I remember correctly you can find the solution described here and here.
You may be able to find your answer in this Google+ document regarding adding Google+ authentication to existing Facebook implementations:
Adding Google+ to your Facebook Integration: Storing authorization
It talks about migrating from a single User table to a User and Identity table.
You could implement something like this in two ways:
Keep the username/password/email fields on the User table, and attach a Google authentication provider in the Identity table only when necessary.
Include username and password fields on the Identity table which are checked if the provider is "local".
You could use DotNetOpenAuth for that.
This is a "library that adds support for your site visitors to login with their OpenIDs by just dropping an ASP.NET control onto your page. It's that easy. An AJAX-style OpenID Selector control is also included for a slick, streamlined user experience."
This post explains how to work with it for Google account.
Looking for some guidance on using ASP.NET Identity to provide a single location for logon / authentication across a number of sites (that are all subdomains of a common domain).
The current setup is that I have 2 websites:
site1.example.com
site2.example.com
They present different views of the system to users, and they share the same backend database, and therefore the same ASP.NET Identity tables. Logging on via either site logs on via the same db.
What I want to do is unify the logon process via a third site:
auth.example.com
The idea being that the user visits site1.example.com, clicks a login button, is redirected to auth.example.com, performs the log in, and is redirected back to site1.example.com.
If they then navigated to site2.example.com, it would be nice if they were seen to be authenticated already.
What you seem to be looking for is single sign on. https://github.com/thinktecture/Thinktecture.IdentityServer.v3 Is the one that I like and it is open source. I think is supports ASP.NET Identity as a user service as well.
I am currently working on a project that has a requirement that is causing me some issues and I want to know the best way of handling it.
Essentially we would like internal users to be able to access the MVC application and be authenticated through AD, this we want to be pretty much like SSO, they sign on to their computer navigate to the site and they are in.
The second type of users are outside partners that do not exist in our AD and we want to manage through our SQL Server. For these users we want to display a login page and do forms authentication.
My thoughts at first were simple, let IIS try and authenticate with windows authentication and if it fails (401) redirect to a login page. I don't currently have an environment to test this in but from my understanding in IIS7 it is not that simple and requires a little bit of a "hack" to accomplish. I need to avoid anything like that I need a solution that works as the system was designed to work and not by tricking it.
I have looked into ADFS and WIF but ADFS only supports AD not SQL and from what I've seen there is no STS that supports SQL Server. I have contemplated hosting both an internal application that used windows authentication and external application that used forms authentication but I want to avoid this if possible.
Ideally the flow that we want is user navigates to the MVC application IIS tries to do windows authentication, if it fails (401) redirect them to the login page. From there the login page will authenticate the user credentials against the SQL Database. What is the best way of accomplishing this all within 1 MVC application?
Thank you!
I would just implement my own authentication on top of FormsAuthentication or OWIN if you are using ASP.NET MVC 5. It is really simple and you will have full control over where you go to authenticate users. Trust me it isn't as scary as it sounds. I've written a few posts about it that you might find interesting.
MVC 5
http://www.khalidabuhakmeh.com/asp-net-mvc-5-authentication-breakdown-part-deux
MVC 4
http://tech.pro/tutorial/1216/implementing-custom-authentication-for-aspnet
I currently use the MVC 4 method to authenticate against an Active Directory domain with great success. The only thing I would recommend is you Cache your calls to Active Directory as it can be unreliable at times.
There is the STS that supports sql server, it is the IdentityServer.
https://github.com/thinktecture/Thinktecture.IdentityServer.v2
It even supports custom membership providers which give you quite a lot of different possibilities. I am not sure however if it supports automatic fallback to forms when integrated authentication fails. If not, there are two options: a custom sts or two explicit stses and an explicit choice for users. We have implemented the latter scenario once with ADFS - there were two adfses, one with Forms, the other one with integrated auth, first one federated with the other. This gives an explicit choice on the home realm discovery page - ".would you like to log in with username/password or try the integrated authentication"
You could create a project that uses "On-Premises Authentication" which uses ADFS to authenticate users. The on-premises authority URI will be:
https://yourADFSservername/federationmetadata/2007-06/federationmetadata.xml
After your project is loaded, you can to goto your ADFS settings and create a new "Relying Party Trust" and pass on HTTPS URL that your MVC app will be using. Setup to used LDAP attributes as claims and that will sort out AD authentication easily as it will navigate users to organisational sign-in page just like Office 365. Then if authentication fails for certain users, take the user to send the user to normal sign-in/signup page that exists independently of AD and connected to SQL server. You could skip windows authentication altogether by using on-premises authentication.