Currently we are using ASP.Net membership for providing authentication in our application. Now our client has moved to Ping for the user store. So we need to modify our application to support SSO, and they want us to use SAML.
My question is:
Other than SAML, is there any other authentication technique I can use for Ping?
If SAML is the better option, can you give me any links?
Ping supports all the federation standards.
Basically you can use WS-Fed, SAML 2.0 or OpenID Connect.
Whichever protocol you pick, you need a client-side stack that implements it.
The easiest to get working is OpenID Connect.
I'm trying to get information how to authenticate and authorize a user from a backend WCF service using OpenID Connect configuration rather than using a client application (like Angular / .Net MVC web application).
Can this be achieved using "Authorization Code Flow"?
If yes, could one please guide me, how this can be achieved as we will not be able to configure the re-direction URL for a backend service to get the access token.
If not, could one please tell me how this can be achieved? I did read that this can be achieved by back channel communication (i.e. https://openid.net/specs/openid-connect-backchannel-1_0.html). If one can help me with a tutorial document that is available on the internet, that would be really helpful.
The link you mention is about back-channel logout: a communication from your OpenID provider toward your backend to notify your backend of a user ending her/his session at the OpenID provider. I do not see how this could be used to authenticate a user.
It feels somewhat odd that you are trying to authenticate a user from a backend service. The whole idea behind OAuth and OpenID is to pass a credential along with your request to the backend. The backend must verify that credential but should not be involved in gathering and issuing that credential; it should rely on a trusted party (the OpenID provider) to issue those credentials.
We have a webforms (.net 4.5) application which uses membership for user authentication which we host ourselves. Our clients have Active Directory and ADFS which they host in their own networks, they require our software to use single sign on authenticating against their ADFS server. I'm looking for steps on how to implement this so we can continue to use our normal membership login but use SSO where available.
There's a lot of info out there and I honestly don't know where to start. Cheers.
I wrote up something very similar to this:
OWIN : ASP.NET MVC application with multiple authentication options
Basically, use the OWIN Identity stacks to support whatever protocols you want.
Note that this application (RP in ADFS speak) still needs to be configured on the ADFS side.
We have several Intranet websites that use MVC + .NET windows authentication. And then we have some Java based apps developed by 3rd party - which can be configured to use LDAP authentication. Both sets of apps use the same company URL, for instance, dotnet-app.company.org and java-app.company.org, and both sets use the same username.
Once a user has been authenticated against a .NET app, is there any way I can "post" that user information to Tomcat which can then generate a cookie for the user so they don't have to authenticate twice?
I have authorization to modify code on the .NET app only not on the Java app.
You are probably looking for a one sign-in option like on Gmail and other Google services. And yes, cookies are what you must be looking at.
I don't know how Java authentication works (I assume it is session based), and that is where you must read in user cookie information to get authentication details. On .NET, you will have to write custom logic in FormsAuthentication_OnAuthenticate in the Global.asax file.
We have started looking at this tutorial to use the new notifications hub in Windows Azure:
http://www.windowsazure.com/en-us/manage/services/notification-hubs/notify-users-aspnet/
At one point it specifies a warning stating:
"SECURITY NOTE
The AuthenticationTestHandler class does not provide true authentication. It is used only to mimic basic authentication and return a principal. The user name is required to create Notification Hub registrations. The above implementation is not secure. You must implement a secure authentication mechanism in your production applications and services."
Can anyone suggest a good way to secure this that will work from Windows Phone, Android and iOS? We can't use the built-in authentication such as Facebook, Google, Twitter, etc., as it needs to use our own authentication backend.
Many thanks for any help.
To implement cross platform authentication it's best to use a standard like OAuth2.
OAuth2 allows you to:
Handle logins in one place on the server side.
Give your clients only as little account information as needed. It's possible to hide the password from clients (though this is not common in mobile apps). Each client gets its own unique access token.
Remove access remotely by revoking access tokens on the server side.
For implementation:
Apache Oltu is a Java framework for OAuth2 authentication (server and client support).
Udi wrote a very good tutorial for Android authentication.
I have a custom STS made in WIF that works as an IDP and now I need to configure SSO to a Service Provider made in SimpleSamlPHP. (The SP only supports Post Binding and Web Browser SSO Profile.)
Any idea on how I should approach this requirement? Does WIF support POST binding and SAML 2.0?
Any idea will be greatly appreciated,
Thanks!
As per #Wiktor, there is no SAML support in WIF.
But you need the server side of the SAML stack not the client side.
Your best bet may be to put ADFS v2.0 in the middle and use it as a broker to provide the SAML support.
If you want SAML support, vote here.
WIF has no restrictions on bindings; it is just a set of APIs that makes it easier to develop IdPs and SPs. What people usually do is implement redirect binding on the service provider and POST binding on the identity provider; all books and tutorials I've read are like this. This means that the service provider should redirect to the identity provider with wa=wsignin1.0 and the identity provider responds with a form containing the token posted to the service provider.
However, I don't see any obvious reasons you would not be able to implement POST bindings for both sides.
As far as I know, there is still no SAML2 protocol support for WIF apart from a CTP that hasn't been updated for ages. If your service needs SAML2, you'd have to take a look at some commercial implementations, like the one from ComponentSpace.