In my company we have a requirement from the client for SSO using ADFS. The client has provided the IDP certificate fingerprint and IDP target URL.
I tried doing some research on how to accomplish this but have not found what exactly is to be done. Can someone please guide me on how to proceed and what other information I should get from the client?
When you say the "client", you mean the client is the one using ADFS?
In which case, you have the URL, just navigate to:
https://IDP URL/FederationMetadata/2007-06/FederationMetadata.xml
and you have the metadata.
In terms of adding support into your application, use the NuGet OWIN package for WS-Fed or WIF as above. (OWIN is the modern way).
Related
This is sorta driving me crazy. We got a Web API that takes a JWT bearer token received via ADFS. Now I have to write a Windows Service that communicates with the API but to do that, I need that JWT token.
I tried looking on the internet but none of the solutions work. Lots of examples use the WSTrustChannelFactory but none of them show how to specify a Client ID for the ADFS application or other relevant information.
Another example is MSAL.NET which supposedly supports ADFS. But all the examples and documentation are about Azure AD, but we have an on-premise AD. Some examples also point to example code that no longer exists on GitHub.
I managed to get a token with the ConfidentialClientApplication from MSAL.NET but it‘s not working, the API says it‘s invalid. And it seems it uses response_type code, rather than id_token which I need, and there apparently is no way to change that.
Other than these two, I can‘t find anything at all about this subject.
So: How can I receive an ADFS JWT bearer token with C# from a Windows Service application using the current user context, rather than requiring a manual username and password entry?
Any pointers would be greatly appreciated.
I'm working on a C# command line tool which automates some deployment tasks by sending requests to the API of an on-premise installation (in this specific case UiPath Orchestrator).
I've used until now bearer token authentication, which is being phased-out and need to move to OAuth 2.0 for authentication on the respective on-premise setup.
So far I've found some examples on how to authenticate using OAuth 2.0 with client_credentials grant flow type and have been able to successfully implement it myself:
How do I get an OAuth 2.0 authentication token in C#
OAuth 2.0 authentication in RestSharp
The problem is that in my specific case client_credentials grant flow type is allowing the user to access too many resources and need to use instead authorization_code grant flow type, which lets the user access only allowed resources.
Would appreciate some simple/basic code snippets for authorization_code grant flow type, since so far found only the following examples, which I'm struggling to fully understand and not sure if those are applicable for my specific case:
https://learn.microsoft.com/en-us/advertising/hotel-service/code-example-code-grant-flow
https://learn.microsoft.com/en-us/advertising/shopping-content/code-example-authentication-oauth
Console apps do interactive logins using the system browser, in the same manner as desktop apps. There are two options to listen for the login response, reflected in these small C# code samples:
Loopback
Private URI Scheme
For further info on concepts, and a couple of Node.js apps you can run locally, see my desktop blog posts, starting here.
I am trying to resolve a problem with Sign-In to ADFS on premise from Angular. We have received a FederationMetadata.xml. However, all examples for angular adal require a clientId. Is that something I can get from there?
I am able to get the login url, when I put the AddWsFederation to my C# Controller and call HttpContext.ChallengeAsync. However I would like to have more clients on one server, so I would prefer something more flexible. MS examples have only one clientId in the web.config and setup them at the start.
Thank you very much for any piece of advice.
The metadata file is for a SAML or WS-Federation connection.
Client_id implies an OpenID Connect connection.
Typically, Angular connections would use OpenID Connect e.g. sample here.
What version of ADFS? If 2019, rather use the MSAL rather than the ADAL sample.
That sample shows the ADFS configuration.
They then need to send you the client_id, redirect_url etc.
This information is not contained in the metadata.
I have a custom STS made in WIF that works as an IDP and now I need to configure SSO to a Service Provider made in SimpleSamlPHP. (The SP only supports Post Binding and Web Browser SSO Profile.)
Any, idea on how should I approach this requirement? Does WIF support Post Binding and SAML 2.0?
Any idea will be greatly appreciated,
Thanks!
As per #Wiktor, there is no SAML support in WIF.
But you need the server side of the SAML stack not the client side.
Your best bet may be to put ADFS v2.0 in the middle and use it as a broker to provide the SAML support.
If you want SAML support, vote here.
WIF has no restrictions on bindings, it is just a set of Apis that makes it easier to develop Idps and Spses. What people usually do is they implement redirect binding on the service provider and post binding on the identity provider - all books and tutorials I've read are like this. This means that the service provider should redirect to the identity provider with wa=wsignin1.0 and the identity provider responds with a form containing the token posted to the service provider.
However, I don't see any obvious reasons you would not be able to implement post bindings for both sides.
As far as I know, there is still no SAML2 protocol support for WIF apart from a ctp that hasn't been updated for ages. If your service needs saml2, you'd have to take a look at some commercial implementations, like the one from componentspace.
all
I successfully can use OAuth to work with GA service, there are a lot of code already written for this. And for security purposes, i can't store user google account credentials.
So, i prefer to use OAuth.
But, i can't found any examples how to use OAuth with Google Adwords / AdSense services.
Because they use SOAP and ClientLogin, but on this page http://code.google.com/apis/accounts/docs/AuthForInstalledApps.html
Google suggest to use OAuth instead of ClientLogin (but at this page http://googlecodesamples.com/oauth_playground/ no AdWords / AdSense scopes defined)
Does anyone have a solution?
Thx
You can leverage Google's OAuth libraries quite easily to accomplish this, but the AdWords API is a little more tightly controlled than other Google API services.
The AdWords SDK includes an AdWordsUser entity which handles OAuthing for you, you just need to configure it properly.
Step 1: Sign up for the AdWords API. Upon approval, you will get a developer token.
https://developers.google.com/adwords/api/docs/signingup
Step 2: Create an application at the Developers API console.
Go to https://console.developers.google.com
Click on Credentials
Create a new "Client ID", which will generate Client ID and Client Secret credentials. Make sure you pick the right application type (native/embedded vs web application). You will need to whitelist the redirect URLs of your own application here to allow the end user to bounce back to the app. If this is a server-side application, choose "Client ID for native application". You will use fancy things like refresh-tokens to gain access.
Step 3: Grab an Adwords SDK in the language of your choosing (https://github.com/googleads) and configure it with the credentials needed.
Note
When requesting scopes in OAuth if you're not using the AdWords API Client SDK, make sure to include the scope "https://www.googleapis.com/auth/adwords" otherwise the credentials you get back won't actually let you do anything against the AdWords API. This is critical! (http://googleadsdeveloper.blogspot.com/2014/07/new-oauth-20-scope-for-adwords-api.html)