I am very new to the single sign-on options available to me. I currently have a requirement to secure multiple application sets within the same product family and have no idea where to start.
Some of the base requirements would be
User should be able to authenticate once, and based on the credentials user would be redirected to the required application
A central management console should be available for administrators to simplify role assignments as well as grant access to the various applications as required
Users can register for certain applications but certain sensitive applications require administrator approval before the user can successfully log in.
This SSO should also secure an API with some sort of permission logic e.g. only supervisor roles can delete a record
Users should be able to register with OAuth providers such as Facebook, Twitter, Google & Windows live.
The SSO provider should be simple to implement into multitude of platforms such as Windows Apps, Web Apps, Mobile & services
I have no idea where to start, I have done a quick read through of something like ADFS https://msdn.microsoft.com/en-us/library/bb897402.aspx, but NO IDEA if this would meet all the listed requirements above.
Any help of pointing me in the right direction would be greatly appreciated!!
You are confusing two seperate concepts viz:
Authentication
Provisioning
ADFS only does the former. You need an Identity Manager (IM) to do the latter.
So:
User should be able to authenticate once, and based on the credentials user would be redirected to the required application
I'll concentrate on the Microsoft world. ADFS and Azure AD can both do this. User --> application --> IDP - authenticates --> back to application
A central management console should be available for administrators to simplify role assignments as well as grant access to the various applications as required
IM functionality. AAD could do the group assignment but doesn't really have workflows. You can use "Active Directory Users Control" in Windows Server to manually edit AD attributes for use by ADFS.
Users can register for certain applications but certain sensitive applications require administrator approval before the user can successfully log in.
IM - needs workflows
This SSO should also secure an API with some sort of permission logic e.g. only supervisor roles can delete a record
This is both. ADFS 4.0 (Server 2016) can protect web API as can AAD. Deleting roles is IM as above.
Users should be able to register with OAuth providers such as Facebook, Twitter, Google & Windows live.
Microsoft has limited social interaction. You can add some social providers using AAD. I use Auth0 and federate as it has tons of social providers. Azure B2C may be of use here.
The SSO provider should be simple to implement into multitude of platforms such as Windows Apps, Web Apps, Mobile & services
For web apps, you can use SAML, WS-Fed, OpenID Connect & OAuth.
For Windows Apps, you can use OpenID Connect & OAuth.
For Mobile & services, you can use OpenID Connect & OAuth. (Note there are four flows to cater for different scenarios).
ADFS 4.0 (Server 2016) and AAD can support all the above.
Related
We have a SPA(Single Page Application) with a .net core web api backend.
We want to use Azure AD for the authentication and authorisation as we will have at least 3 separate clients using AD, but looking online there is no definitive approach and its like piecing together a 50,000 piece jigsaw!
I have setup the azure api with Authentication and Authorisation, as shown in the image below, but is this the right place? as I believe I want this in the web API code, so I can then get the claims (permissions/roles) specific to the application.
There is mention of Identity but do I want to use Identity? as this sounds like it is your own database and not AD.
Should we be using B2C or B2B authentication? and does this support authorisation, as the end goal is to definer custom claims specific to the application, so we can grant and deny specific actions.
What you are using now is the built-in authentication for Azure App Service. You can sign in users and access data by writing minimal or no code in your web api. But it is not appropriate for complex scenario.
As you want to custom the application permissions/roles to specific users, it is recommended that you protect your webapi with Azure AD yourself. It is more flexible to custom your authentication. You can refer to this sample,the TodoListService part.
Should we be using B2C or B2B authentication?
Azure AD B2B is not a separate service but a feature in Azure AD.
Azure AD B2C is an independent service for building a consumer application identity repository. If you need a service to handle email or Facebook login – it is there for you.
Based on your description, I guess Azure AD is your option.
Reference:
Add authorization using app roles & roles claims to an ASP.NET Core web app thats signs-in users with the Microsoft identity platform
Compare B2B collaboration and B2C in Azure Active Directory
I watched this video on pluralsight
https://app.pluralsight.com/library/courses/authentication-authorization-aspnet-core/table-of-contents
This helped to make a bit more sense of it, actually near the end he shows that you can just create a .net core web app and then change authentication and choose a multi Azure AD option as shown in the below example. This then just works out the box! Not fully for a Vue Single page app though which is still a problem.
I am creating a web application that will authenticate users based on their azure ad / office 365 accounts. To log into their computers they use their ad / office 365 account and they will have access to the web app without signing in based on their AD access.
I have tried to follow tutorials to set up this type of authentication using spring and angular:
https://learn.microsoft.com/en-us/java/azure/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory?view=azure-java-stable
Almost all of these guides or docs require setting up the app on the azure ad site, which produces a client id, key, and tenant id for the web application, which can be used with spring security to authenticate users.
I do not have access / permission to create a app registration, but I still need to get the ad userId of the user attempting to access my web application.
There is an existing web application created using asp.net core and angular which accomplishes what I am trying to achieve in java spring. I have tried to understand how it authenticates users but I am still stumped.
In the .net core project a controller makes a call to HttpContextAccessor.HttpContext.Request.Header to grab the userId of the user logged into their office 365 / ad account. This call is made in a controller class.
I cannot post more of the c# code so it will probably be hard to help me understand how it works in asp.net, but if there is any way to achieve what I described above in Java Spring I would love to know.
There is no way to achieve this without registering your application in these users AAD tenant. That's part of establishing trust between your app and the authority (AAD) which does the work of authenticating users. By registering your app id and reply url(s) you tell AAD that it's OK for it to send you user's info.
I am trying to develop a concept to support multiple authentication methods in an ASP.NET core server environment which should support both Windows (WPF) clients as well as Web clients (Angular). Users should be able to login using three methods:
using username & password, which is checked against database of valid logins
using Windows authentication (i.e. the currently logged in user). This may require user PC and server to be on the same network/domain
using selected external authentication providers, such as Google
Users should have individual rights (claims), which either derive from their individual profile or group membership (e.g. in case of AD).
I am still at the concept phase, trying to figure out the basics here, so no code has been written yet.
My thinking is as follows:
users logging in using username & password receive a token (JWT) of some sort which then authorizes them to access protected/restricted calls.
users logging in using their Windows identity would basically receive the same token
users logging in via external auth-providers would receive the external token from the provider and use that to login and also receive an token from the server
regardless of 1-3, users end up with a server-issued token that gives them access to restricted features
Is that a common/correct approach for mixed authentication? If so, how would this be implemented on the ASP.NET core server side?
I am trialling Azure B2C Customer Preview and have configured a new application, set up policies e.t.c and I now want to write some integration tests that use a non-interactive flow to connect and interact with my protected WebApi services.
However, I have just read the following quote:
Daemons/Server Side Apps
Apps that contain long running processes or that operate without the
presence of a user also need a way to access secured resources, such
as Web APIs. These apps can authenticate and get tokens using the
app's identity (rather than a user's delegated identity) using the
OAuth 2.0 client credentials flow.
This flow is not currently supported by Azure AD B2C - which is to say
that apps can only get tokens after an interactive user flow has
occurred. The client credentials flow will be added in the near
future.
from this link which suggests that what I am trying to do is not yet possible. Can anyone from the Azure team tell me whether this information is up to date, and better yet a rough timescale for delivery on this feature?
I have spent quite some time now looking at the Windows Identity Foundation. I even read a few chapters of a book on it on MSDN.
But I'm still confused about one thing. Is WIF appropriate for a public facing web site authentication or is this mainly targeted towards intranets/sharepoint sites, something that deals with internal domain where users are identified by integrated windows auth/active directory or something like that. Currently, we have many web sites for our company where people log in and are authenticated against a data store using forms authentication/custom asp.net membership provider. Is it possible to replace this mechanism with WIF? if so, does anyone have a link to such a tutorial.
I have tried looking for any information along these lines but it has been hard to find.
In principle, there's nothing about Windows Identity Foundation that makes it inappropriate for use on a "public-facing" website and WIF isn't in-itself tied to a particular authentication mechanism either. However, if you were considering using Active Directory Federated Services as your Identity Provider the problem would be that authenticating users against AD would be your only option since that's all it supports (although you can plug in a custom attribute store that retrieves claim values from some other datastore). Your WIF relying-party (i.e. your website) doesn't necessarily care how the user was authenticated, though, only that they were authenticated by an IDP that it trusts.
So your problem might not be that of "WIF-enabling" the websites as such, it may be more a question of finding a compatible IDP that supports authenticating against something other than Active Directory so that you can use the data store you currently use to authenticate users. It is possible to use ADFS as a "bridge" (a Relying-Party Security Token Server) between your WIF relying party and a SAML2 IDP like Shibboleth which can use a database to authenticate users, but configuring such a system is a significant challenge so you'd have to weigh up the benefits that your users might gain from single sign-on to your applications against the considerable effort it would take to set up and maintain such a system.
Yes - WIF appropriate for public facing web site authentication. ADFS v2.0 only authenticates against AD. However, you can write a custom STS that authenticates against anything you like. In your case, with a data store, have a look at Identity Server which authenticates against a SQL DB.
Have a look at:
http://claimsid.codeplex.com/
Identity Training Kit
How to: Build an ASP.NET STS