I have been asked to implement a Single Sign On solution to enable our users to connect to a 3rd party service without logging on again.
As I understand it the requirement is:
User logs in to our web server using Active Directory
Server constructs a SAML 2 response
This is then seamlessly posted to the third party app which should now allow them in.
I am totally new to SAML and a little confused by all the terminology. Can someone possibly point me in the direction of some example code that does this, ideally using the .Net4.5 (or greater) libraries.
Thanks in advance for any help.
You need a SAML stack.
Refer : SAML : SAML connectivity / toolkit
There's a lot of documentation in the links.
Just to call out from the post:
"There is NO official Microsoft C# client-side SAML protocol stack."
Related
I am attempting to connect to Yammer using their .NET SDK but I am having a hell of a time managing this... The point of this exercise is to create an application in Azure which periodically - and AUTONOMOUSLY - contacts Yammer and fetches the latest messages from a specific Yammer group.
Does anyone know of the correct way to use the Yammer .NET SDK from, let's say, a console application, which does not rely on a browser (a.k.a. direct user interaction) to successfully connect via OAuth authentication?
What I have tried:
Trying to suss out what to do from the example given on .NET SDK page on developer.yammer.com, you can see under "Standard Process" an example which shows the LaunchSignIn() function with an incorrect signature! The example shows the usage as:
var authResponse = await OAuthUtils.LaunchSignIn(_clientConfig.ClientId, _clientConfig.RedirectUri, ssoEnabled);
whereas the actually signature I get from the dll is:
void OAuthUtils.LaunchSignIn(string clientId, string RedirectUri)
I'll forgive the missing ssoEnabled parameter... but the example claims the function receives a response, from which a Code is then extracted. This is, of course, the piece missing from my attempt to call:
(awaitable) Task<AuthEnvelope> AuthClient.AuthenticateAppAsync(string code)
I have scoured Google for information on the use of the Yammer .NET SDK but have come up empty handed. All manner of examples of connecting to Yammer but none are in any way relevant to the .NET API. The only thing in any way relevant that I have seen is the Yammer .NET API example uploaded, apparently, by the person who developed it, who posted the code on GitHub. I have checked this example but the two parts in it - one for Windows Phone and one for Windows "Modern App" - both rely on a Browser object being available, or something to that effect anyway. There are redirects, I'm supposed to have a RedirectUri for Yammer to direct me... So does this other example - which was the ONLY other example of using the .NET SDK that I could find.
I imagine that the reason the signature is different is because this isn't actually the same function at all. The one I am trying to use is in Yammer.Oss.Api.Utils whereas the example application doesn't even have the letters Utils together other than in the name of the class OAuthUtils... which leads me to believe that it is possibly under Yammer.Oss.Core.WinRT which, as luck would have it, I cannot reference at all... Yammer.Oss.Core only contains Collections, Constants, Extensions and Serialization.
By the way, in the announcement of the .NET SDK (see first link above), the link to documentation for the SDK leads to the Yammer Support page.
Skip the .NET SDK and just do the authorization yourself using the server-side flow. Then make the requests with HttpClient and add the Authorization header. The SDK might be helpful with some Modern Apps but it's overkill for most people. When working with the API manually the worst thing you'll have to deal with is deserializing the JSON responses with JSON.NET, or other JSON library.
You don't say what you are trying to build, but AFAIK WebJobs don't have a UI so you'll need to do the authorization from a console app or website. Then store the resulting OAuth token somewhere that the WebJob can access it. If you have need an OAuth token per user you'll need to store those in a database, but make efforts to protect them because each OAuth token provides access to their Yammer account.
I am looking to write an auth service using Web Api, and SQL Server for authenticating and authorizing users on my .net site, but ios and Android apps as well. I'm speculating that basic authentication over SSL is the easiest way to go, but I'm pretty new to this whole section of .net. I'm having trouble finding some clear tutorials that explain how to write such a service. Can anyone point me to some resources on how to do this? I'd appreciate it.
I think you need to look OAuth implementation in .NET.
Here is a video to give you some background on Web API security.
I also suggest getting a trial subscription to Pluralsight training and check out the courses on Web API security.
You may want to target the latest release of Web API 2.0 from Microsoft, it has the most features you'll need.
I think this might be useful for you:
http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api
I have an application running on a server that periodically extracts data from Google Analytics. It doesn't issue many queries so I don't think any limit would be a problem.
I have a prototype running, however I had to provide a login a password for the authentication (in code).
I see that I can generate API keys and other kind of authentication bits and pieces in the Google APIs Console, however I am not sure how to use them and whether they can be used in place of the login/password.
It just doesn't seem right to use a user login/password to authenticate a server application.
Is there another way?
(I am using the C# client library)
You should be using OAuth 2.0. See:
http://code.google.com/p/google-gdata/source/browse/trunk/clients/cs/samples/oauth2_sample/oauth2demo.cs
for a sample OAuth workflow.
The best way to do this is with Google Service Accounts
https://developers.google.com/accounts/docs/OAuth2ServiceAccount
However, I don't know off the top of my head the best library for c#, but there does appear to be support for it in the Google library. http://code.google.com/p/google-api-dotnet-client/wiki/OAuth2#Service_Accounts
Here's a answer specifically about the PHP client.
Service Applications and Google Analytics API V3: Server-to-server OAuth2 authentication?
I'd like to write a console program in C# that posts a Tweet to Twitter. I've never used the Twitter APIs before and don't know anything about how their authentication works. I found an API library called Twitterizer, but it seems geared towards web applications and wants the user to logon with a web browser. All the API docs on Twitter's website seems geared around this scenario as well.
Is it possible to access the Twitter APIs using a console app with no web browser access? I'm perfectly fine hard coding in the name and password for the Twitter user I want to post under as well. Thanks!
Mike
You'll need to use OAuth for authenticating in twitter.
Then use regular HTTP Request to use the twitter JSON-based API.
Here you can find a good article about OAuth, Twitter and console applications.
Also take a loot at linq2twitter lib. From it's documentation;
The Twitter API is built using
Representable State Transfer (REST).
Wikipaedia defines REST as "...a style
of software architecture for
distributed hypermedia systems...",
but I'm going to be so bold as to try
to simplify what that means. In
practice, REST is a Web service
protocol built upon Hypertext Transfer
Protocol (HTTP). You use the REST Web
service by making an HTTP call with a
URL and getting text back in some
form, which is often XML or JSON. So,
if you were to write code that made an
HTTP request with the following URL:
http://api.twitter.com/1/statuses/public_timeline.xml
You would get back an XML document
with all of the Twitter statuses from
the public timeline, which is a
snapshot in time of the last 20 tweets
at the time of your request. Go ahead
and open your browser, copy and paste
the URL above into the address bar,
and see what you get back.
I couldn't find any decent information on the web on how to do this, so I decided to write my own blog post with all the details.. Enjoy!
http://blog.kitchenpc.com/2011/01/22/rise-of-the-twitterbot/
of course you can use anything to connect to Twitter via RESTful api.
you should use oauth, and set up your application in http://dev.twitter.com, then you should read all articles listed in documents, you must specify your app as Client but not Browser so user input a number to get through authentication.
you can use many libraries so that you can save your time, all are listed in the documents
and be CAREFUL, you should not use Twitter's own api console which is buggy (as i know parameters somtimes can't be parsed), you should use APIgee instead which is powerful and stable.
if you want use basic authentication, you should use api proxy (one famous is twip), if you just need only one single C# apps, you must code by yourself:
you should use given username and password to login twitter, parse cookies passed
use normal oauth to get temporaly access token url.
use cookies got from step 1, emulates form submit to allow your apps, capture PIN code
use pin code to finish oauth.
MOST IMPORTANT, you must store access token in client's machine so next time you can bypass above steps
Just wrote a Twitter Bot in C#. This is currently posting tweets to #valuetraderteam.
https://gist.github.com/sdesalas/c82b92200816ecc83af1
The API component in the GIST below is less than 500 lines, only dependency is Json.NET, you'll need to download the latest DLL for either x64 or x86 (depending on what platform you are targetting) and include as a reference in your project.
There is an example at the bottom of the page of how you can make a tweet from a console application
Hopefully this is useful to some other people out there.
I'm looking for some guidance on the best way to authenticate to my WebService. Right now, I have a standard WebService on .NET 3.5, and a MVC website that sits on top of this WebService.
The MVC website uses OpenID to authenticate users, and during the development phase, we have simply been passing the user's OpenID Claimed Identifier to the WebService to authenticate. Obviously this is not what we will be releasing to the customer when we go live.
So my question is this: What's the best way to authenticate to the WebService?
Some of the API's I've played around with use Authentication Tokens. Another idea we had was to, upon connection to the WebService, pass the client an encryption key which they could use for all transfers.
I'm thinking out loud here, and again, any help is greatly appreciated! Thanks!
...
UPDATE: Right now I have created a custom SoapAuthenticationHeader which has an OpenIdURL property. This is used on all service calls to authenticate the user. The problem is two-fold:
If a hacker know's a user's OpenIdURL, they can easily gain access to the WebService.
The OpenIdURL is currently passed in plain-text.
So I could pass an encryption key to the client upon connection to the WebService, and have the client encrypt the OpenIdURL in the SoapAuthentication header. But I'm not sure about how to best go about that...
You might want to take a look at OAuth:
http://oauth.net/
(Use http://oauth.net/code/ for coding.)
As it is geared specifically for this scenario (Open ID isn't, really).
There is another question on SA which asks about the best way to secure a web service, and Open ID and OAuth are both discussed:
Web Service Authentication using OpenID
ASMX web services (which Microsoft now considers to be "legacy") have no ability to use OpenID for authentication. They can only use what IIS provides to them. You could possibly add a SoapExtension that would do OpenID authentication for them, but I wouldn't spend time there.
I don't know enough about OpenID to be certain, but I suspect it can integrate with WCF through federated security. I'm sure someone else will answer with details on that.
This isn't really an answer, but I can't leave comments...
You say "I have a standard WebService on .NET 3.5, and a MVC website that sits on top of this WebService".
I might be way off base here, but the language implies that these two sit on the same server. If so, why can't you just share the users database and the cookie token?
James