I have begun to work with Microsoft Azure Access Control Services. I would like to create a custom identity provider which would authenticate against our back end CRM system. In the past, I had created a prototype Secure Token Service website which allowed me to do this. However, that was a few years ago. I found
https://blogs.msdn.microsoft.com/mcsuksoldev/2012/11/02/azure-access-control-services-creating-a-custom-identity-provider/
which describes how to create a custom identity provider using WIF to be used within Azure but the site is dated from 2012. I had also looked at IdentityServer3 which I thought may be a replacement for WIF.
Do I use the WIF Secure Token Service approach? Is this obsolete? Is Identity Server the new way to accomplish the same thing?
Thanks.
First of all : Windows azure ACS will probably be discontinued (https://blogs.technet.microsoft.com/ad/2015/02/12/the-future-of-azure-acs-is-azure-active-directory/). We had a contact with Microsoft on this and they said it would be deprecated "two years from now" (not official). This being said, to integrate your custom STS in windows azure ACS is "easy". ACS just needs a pointer to your metadata document. Normally if you have an STS that follows the WS-Federation standards it lives at https://yourSTS/FederationMetadata/2007-06/FederationMetadata.xml. If your meta data is correct, ACS will expose you STS as another identity provider (just like Google, Yahoo etc..). It will do so by offering a "choice screen" that allows an end user to choose the identity provider of her choice. You identity provider will then show up among them. If the end user clicks the link for you identity provider the browser will be redirected to your STS (passive login). If she logs in, a token will be issued to ACS. ACS will them "transform" you security token and issue a new one to the final relying party.
Bon, answer is that you have to expose a meta data document and import it in acs https://yournamespace.accesscontrol.windows.net/v2/mgmt/web/IdentityProvider.
ACS is being discontinued but who knows when.
ACS was originally introduced to provide social logins but has been used for many things e.g. changing token types from SAML 1.1 to SAML 2.0 and vice versa.
The "new" way to integrate social logins in Azure is Azure B2C but that is a completely different type of Azure tenant and has no SaaS integration.
Refer: Azure B2C : Differences with Azure Active Directory (AAD) and Azure B2C : Differences with Access Control Services (ACS).
Identity Server 3 is open source, can do pretty much everything ACS can do plus you can add your own social logins and SAML 2.0 protocol and OpenID Connect / OAuth.
Another good option is Auth0 but that is commercial (and no I don't work for them :-) ).
Regarding WIF, it is still supported but no new features are being added. Rather migrate to OWIN.
Thank you all for your comments and suggestions. Well, a few years ago I had purchased the book - Programming Windows Identity Foundation by Vittorio Bertocci which I used to begin prototyping an SSO solution using the WS-Federation approach which uses a Security Token Service. That project was put on hold and I had not begun to look at this until recently. I purchased Vittorio's new book a few months ago - Modern Authentication with Azure Active Directory for Web Applications. I had only browsed the book but decided to take a it home with me this past weekend and read it thoroughly. The book describes the history of pre-claims authentication techniques to SAML to WS-Federation to OAuth to OpenID Connect. It has a great deal of code examples as well as detailed architectural information. This has cleared up the confusion of the different protocols and I now know in which direction to go.
Related
I'm currently on a project where there is an existing angular 1.3 app with a couple of API's. These are secured via Azure Active Directory.
The customer has asked for a new tool to be developed that uses these same api's but they want to get rid of the AAD because it's tokens are only valid for 1h and I've been told that refresh tokens and AAD are not working according to those that made the current setup.
I've been reading up a lot on IdentityServer4 and I was hoping to leverage the middleware in order to
a) start using an STS
b) prepare for the future and make the STS a central part to the whole installation.
I've been hoping that I could use IdentityServer4 with a new to be developed Angular4 app with an Asp .NET Core 2.0 WebApi.
The question that I have is: can I do Active Directory based auth (the users are logging in through some citrix alike product) and thus are authenticated because of that. Yet somehow still calling the existing api's with some token that is valid in their context.
And can I use IdentityServer4 to pull this off? Is it a good idea? I'm open for suggestions
Edit
After careful delibiration with the client we've agreed to remove AAD and the token security that currently is in place.
The reasoning:
All installations are done in a DMZ
It's not Azure
The customer isn't willing to change that
This way everything can be secured using Windows Authentication
Time constraints
IS is on the planning for when (5) loosens up
A lot of new tech is going to go in the new client which enforces (5)
I have a REST service implemented by ASP.Net WebApi, a WPF client application that consume this service.
Every user have a UserName/Password in stored in Azure Table storage. Now I want to implement an OAuth authorization server "Resource Owner Password Flow".
Now my question is: How can I implement an OAuth 2.0 "authorization server" in .net?
I found that DotNetOpenAuth and thinktecture can help, but I'm not sure about any of them.
The DotNetOpenAuth has a WPF example among many other helpful examples. The only disadvantage of the library is the lack of comprehensive documentation, however samples are great and easy to follow.
at the moment I have a single active sts. The sts validates the user with a custom user/password validator. The sts is used for different windows services. Now I'd like to write a asp.net application that uses the sts for login. Later I'd like to change the sts authentication method(e.g. to windows authentication).
What is the best solution for connecting a asp.net site to an active sts. Do I need a passive sts? Do you have an easy example for me?(example code?)
thank you
Yes - you would normally use a passive STS. Refer Get Started with Windows Identity Foundation. There is a ton of stuff in the Identity Training Kit mentioned here.
You could also have a look at Identity Server which is open source and implements the passive profile.
Update:
If you are talking about two different STS, you just federate them.
If you are talking about one STS, they can support both. The only difference is the endpoints for the active and passive connections. "Identity Server" and ADFS both allow this.
If you are talking about "Identity delegation" see Identity Delegation with AD FS 2.0 Step-by-Step Guide. There is an example in the WIF SDK under Samples / End-to-end.
Currently I'm developing some infrastructure and I've implemented my own RESTful authentication mechanism.
Now I've in mind that maybe I shouldn't go this way and use an industry standard so interoperability with my project could be trivial and easier to understand in terms of authentication and authorization.
After checking some articles googling everywhere and reading some Q&A here in Stackoverflow, I don't find how to be an OpenID provider - I'm not talking about authenticate users using Google, Windows Live, Facebook Connect and so, I want to develop an OpenID-enabled system so if some want to register into my services, they'll do in my own domain -.
Actually my question is: can anyone become an OpenID provider and is DotNetOpenAuth a library to develop this protocol in your own infrastructure?
Thank you.
Developing an OpenID Provider as a means of Single-Sign-On (SSO) within an organizations ring of web sites is a very valid scenario. DotNetOpenAuth comes with a pair of sample web sites (a Provider and a Relying Party) that demonstrate a single-sign-on relationship. They're called OpenIdWebRingSsoProvider and OpenIdWebRingSsoRelyingParty.
Please do not attempt to implement OpenID by yourself any more than you'd implement SSL by yourself. Getting OpenID security and interoperability just right takes a very long time and a deep level of domain knowledge. DotNetOpenAuth in particular gives you programmatic access to do just about anything you'd want to with OpenID, and since it's free, it's hard to go wrong.
Disclosure: I am a developer behind DotNetOpenAuth.
Actually my question is: can anyone become an OpenID provider and is DotNetOpenAuth a library to develop this protocol in your own infrastructure?
How to become an OpenID Provider
DotNetOpenAuth has some hiccups but all-in-all is a good tool to use it under .NET
if you're think you can do it, you can follow this:
Lastly, and most challenging, is implementing custom support for OpenID in your software and account management tools. While this approach of course affords the greatest degree of control over the user experience, it is also the most risky and only for developers experienced with web security. Start by reviewing the specs and documentation.
But my question would always be:
Why one more provider? Facebook, Google, MyOpenID, ... already have it, and with them, plenty of users have (even without them knowing) an OpenID login...
StackExchange is an OpenID provider since a while ago, but... there's so much users cross StackExchange platform. Are you developing such a big community so it will be reasonable to create and implement your own provider?
I see the answers are couple of years old. If you are looking for the latest solution to build an OpenID provider using Microsoft technology stack, IdentityServer is the open source option. One can use this and build an Open ID connect Identity provider.
Documentation on how to use and build : https://identityserver4.readthedocs.io/en/latest/
IdentityServer4 is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core 2.
It enables the following features in your applications:
Authentication as a Service
Centralized login logic and workflow for all of your applications (web, native, mobile, services). IdentityServer is an officially certified implementation of OpenID Connect.
Single Sign-on / Sign-out
Single sign-on (and out) over multiple application types.
Access Control for APIs
Issue access tokens for APIs for various types of clients, e.g. server to server, web applications, SPAs and native/mobile apps.
Federation Gateway
Support for external identity providers like Azure Active Directory, Google, Facebook etc. This shields your applications from the details of how to connect to these external providers.
Focus on Customization
The most important part - many aspects of IdentityServer can be customized to fit your needs. Since IdentityServer is a framework and not a boxed product or a SaaS, you can write code to adapt the system the way it makes sense for your scenarios.
Mature Open Source
IdentityServer uses the permissive Apache 2 license that allows building commercial products on top of it. It is also part of the .NET Foundation which provides governance and legal backing.
I have spent quite some time now looking at the Windows Identity Foundation. I even read a few chapters of a book on it on MSDN.
But I'm still confused about one thing. Is WIF appropriate for a public facing web site authentication or is this mainly targeted towards intranets/sharepoint sites, something that deals with internal domain where users are identified by integrated windows auth/active directory or something like that. Currently, we have many web sites for our company where people log in and are authenticated against a data store using forms authentication/custom asp.net membership provider. Is it possible to replace this mechanism with WIF? if so, does anyone have a link to such a tutorial.
I have tried looking for any information along these lines but it has been hard to find.
In principle, there's nothing about Windows Identity Foundation that makes it inappropriate for use on a "public-facing" website and WIF isn't in-itself tied to a particular authentication mechanism either. However, if you were considering using Active Directory Federated Services as your Identity Provider the problem would be that authenticating users against AD would be your only option since that's all it supports (although you can plug in a custom attribute store that retrieves claim values from some other datastore). Your WIF relying-party (i.e. your website) doesn't necessarily care how the user was authenticated, though, only that they were authenticated by an IDP that it trusts.
So your problem might not be that of "WIF-enabling" the websites as such, it may be more a question of finding a compatible IDP that supports authenticating against something other than Active Directory so that you can use the data store you currently use to authenticate users. It is possible to use ADFS as a "bridge" (a Relying-Party Security Token Server) between your WIF relying party and a SAML2 IDP like Shibboleth which can use a database to authenticate users, but configuring such a system is a significant challenge so you'd have to weigh up the benefits that your users might gain from single sign-on to your applications against the considerable effort it would take to set up and maintain such a system.
Yes - WIF appropriate for public facing web site authentication. ADFS v2.0 only authenticates against AD. However, you can write a custom STS that authenticates against anything you like. In your case, with a data store, have a look at Identity Server which authenticates against a SQL DB.
Have a look at:
http://claimsid.codeplex.com/
Identity Training Kit
How to: Build an ASP.NET STS