I don't have much experience with CA sitemider so please bear with me, if I am asking silly question.
I am creating a excel add-in which uses win-forms for the interface. I have added a Web reference of a web-service which I need to call to perform operation. The web-service supports the SAML authentication. So my requirement is, I need to validation the user from the Active Directory using CA sitemider and get the token (like access token or auth token) and then pass it to the webservice.
I'm not sure how can I implement this? What should I do to get that token and also do I need to use the web browser control in winform to implement the siteminder authentication flow?
Check the System.IdentityModel namespace for this , you can implement via Windows Identity foundation. The namespace has validators for SAML1/2 tokens. To request a valid SAML token and pass it to your webservice you might need to configure an interface which can get you the token first.
How Siteminder sends the token is same as other Identity providers, the user has to be a valid user of IDP (Siteminder in this case), once the request goes to Siteminder, it shows its login page and once user logs in the server returns a SAML token (try using 'SAML parser' extension of firefox to see how the token looks when its returned). You can extract the token in your interface after request is sent back to your end from Siteminder, then validate it (if needed) and send it to your webservice.
Related
I am wanting to call the UserInfo endpoint, I read this document on UserInfo Endpoint... I noticed that you would just call it by /connect/userinfo. So when I am running the identity project, I type in the browser https://localhost:5443/.well-known/openid-configuration then I see the userinfo_endpoint.
but when I click on it the browser redirects me to a page saying 401
I am assuming its because I need to create a bearer token to allow me access to view it, correct? If I am correct, would I have to implement this inside of the Identity project, or API project, or MVC project? (I have three projects for this). Is there any documentation/tutorials on how I would go about getting the userinfo_endpoint?
The user info endpoint returns information about a user, so you need some kind of credentials to identify yourself, so that the server knows information about which user it should return. You need an access token to do that. To get an access token you need to perform an OAuth authorization flow. If you have your identity server available online you can use OAuth.tools to perform an OAuth flow. If your server is only on localhost you can still use OAuth.tools to build authorization request and token request (and then use your browser and curl to run them).
We are looking into a way to request a JWT token from ADFS 2016 via webservice call by sending a user UID, which is stored in a database or in AD LDS. The token should contain the full domain username as a claim. A C# service would request the token without user GUI interaction (UID provided by an ID card), and then forward it to an intranet web application.
Is this possible with OAuth 2.0 or WS-Trust 1.3 in ADFS 2016, and what steps would be involved?
Right now I have tried using OAuth 2.0 (HTTP POST to /adfs/oauth2/token), but haven't been able to correctly configure ADFS (application groups, relaying parties, ...) and sending the correct HTTP parameters to even get a token by providing username/password.
It would be great if somebody could point me in the right direction.
EDIT
A more detailed description of what we want to achieve:
Goal is to create a windows service which handles NFC card login and sends JWT with user information to arbitrary web applications.
C# windows service reads card UID from a NFC card reader.
Windows service requests JWT from ADFS by providing card UID. That can be OAuth or WS-Trust, whichever works.
ADFS looks up card UID from a confidential database. The database entry also contains the username. It could then further enrich this data by finding the domain user in ADLDS.
ADFS creates token containing at least the domain user name and sends it back to the C# windows service. No user interaction with ADFS login screens required.
Windows service receives token and forwards it to preconfigured web application login handler.
Web application validates token signature and handles login.
The credential in this case would solely be the card UID. Is this possible with ADFS? If not, my backup plan would be to create the token directly in my windows service.
I'm working on implementing ASP.NET C# Single Page Application + Web API with OWIN for Twitter.
So a quick summary:
The SPA client opens a popup window of the Web API that, via the OAuth/Owin-Twitter middleware, redirects the user to Twitter where he enters his username and password. Via back and forth of requests and responses, the Web API receives an authenticated access token from Twitter. The only reliable piece of data I have at this point is the access token.
So the question is:
Is there a way to verify an access token, that it was issued for such user and for such app/consumer?
After days of research, the only thing I have seen so far is:
GET account/verify_credentials
https://dev.twitter.com/rest/reference/get/account/verify_credentials
But thing is it requires a user context. I need a way that is workable with just an access token.
Any help would be greatly appreciated.
I'm implementing some WebApi to upload/convert/return videos.
Another developer will implement a PhoneGap application that will call my WebApi to upload/convert/show videos to users.
The PhoneGap application uses OpenId to allow users to login using google and facebook.
My problem is that I want to make sure the client that is calling my WebApi has been logged in on the PhoneGap app using google or facebook.
I know that all I need is the client to send me a token in the request header that I can "extract" on the web api to validate the user. My question is how can my WebApi know what is the token that has been generated by openId (google/fb) on the PhoneGap app?
Well I am also searching into this and what I have got so far i will share with you in following steps:-
1) Whenever user call my login page I will create the token in response header to make sure that request is coming from legitimate user. just like antiforgery token in mvc.
2) Then upon successful login i will create the authentication cookie and set the current user context value this will Authorize the user and generate another token as mentioned above.
3)Then after this i will use normal Authorise, Roles attribute provided by WEBApi.
Let me know what you think? I am more than happy to contribute.
Another approach is when user login create a hashed token and add it to response header and create custom attribute which grab that token and check it against the database. The problem with this approach is that you will be hammering ur database all the time.
This webservice is written in C#, and I want to use an OpenID to authenticate.
This authentication request will be called by a WPF, and an asp.net applicantion.
the webservice will then try to authenticate in OpenID server, and in this case I use OpenID-LDAP software.
The big problem is how to use OpenID without showing the web page to login (the webservice is who is going to inform user and password)?
Open ID will, by design, not work here ... because it works by delegating the authentication to another party (when it shows the open ID provider's website to let the user log in). What you probably want to do is authenticate the user once in your WPF app, and then set up some sort of authentication token between your app and the webservice.