Use SAML authentication from self-hosted WCF - C#

I want to use SAML authentication in my web application.
This application is, for some reasons, not hosted in IIS but runs as a standalone WCF service. HTTP requests are handled within WCF, and all files of the website are returned by WCF.
With IIS, I would use the modules WSFederationAuthenticationModule and SessionAuthenticationModule in order to bootstrap the SAML support.
Is it possible to support SAML authentication without IIS?
How can I set up WCF in order to support SAML authentication without IIS?

If you use OWIN to self-host your WCF service then yes, you can. Just look at the examples of setting up SAML using OWIN:
http://leastprivilege.com/2013/10/31/adding-saml11-and-saml2-support-to-katanaowin/
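As an added illustration of what the answer above points at (this is example code, not code from the answer or from the linked post): a self-hosted OWIN/Katana pipeline that does the job of WSFederationAuthenticationModule and SessionAuthenticationModule without IIS. The WS-Federation middleware performs the passive sign-in against ADFS, which issues SAML 1.1/2.0 tokens, the cookie middleware keeps the session, and a gate in the pipeline ensures that only authenticated users reach the site's files. WCF or Web API can be mounted behind the same gate. Assumed (not from the page): the NuGet packages Microsoft.Owin.Hosting, Microsoft.Owin.Host.HttpListener, Microsoft.Owin.Security.Cookies, Microsoft.Owin.Security.WsFederation and Microsoft.Owin.StaticFiles, and the realm, metadata address, listen URL and wwwroot folder, which are placeholders.

```csharp
// Added example: self-hosted OWIN pipeline with WS-Federation (SAML token) sign-in.
// Not code from the original page; realm, metadata URL, listen URL and wwwroot are assumed.
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.FileSystems;
using Microsoft.Owin.Hosting;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Microsoft.Owin.StaticFiles;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // 1. Session cookie: the OWIN counterpart of SessionAuthenticationModule.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,
        });

        // 2. WS-Federation passive protocol: the counterpart of WSFederationAuthenticationModule.
        //    The middleware downloads the federation metadata and validates the incoming
        //    SAML token's signature against the STS signing keys, plus audience (Wtrealm)
        //    and lifetime, before issuing the session cookie.
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            Wtrealm = "https://app.example.com/",                                                    // assumed
            MetadataAddress = "https://sts.example.com/FederationMetadata/2007-06/FederationMetadata.xml", // assumed
        });

        // 3. Gate: everything registered after this point requires an authenticated user.
        app.Use(async (IOwinContext context, Func<Task> next) =>
        {
            var user = context.Authentication.User;
            if (user == null || !user.Identity.IsAuthenticated)
            {
                // A 401 plus a challenge makes the WS-Federation middleware redirect
                // the browser to the STS; it completes the sign-in on the way back.
                context.Authentication.Challenge(WsFederationAuthenticationDefaults.AuthenticationType);
                context.Response.StatusCode = 401;
                return;
            }
            await next();
        });

        // 4. The website's files, served only to authenticated users (folder name assumed).
        app.UseFileServer(new FileServerOptions
        {
            FileSystem = new PhysicalFileSystem("wwwroot"),
            EnableDefaultFiles = true,
        });
    }

    public static void Main()
    {
        // HttpListener self-host; for https the certificate must be bound to the port
        // beforehand (netsh http add sslcert ...).  URL is assumed.
        using (WebApp.Start<Startup>("https://localhost:9443"))
        {
            Console.WriteLine("Listening on https://localhost:9443 - press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

Note that the gate is placed before the file server and before any WCF or Web API branch you add, so an unauthenticated request never reaches application code; the WS-Federation middleware itself only turns a 401 with a challenge into the redirect to ADFS.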

Related

Passive web application calling a WCF service with ajax (.NET 4.0, ADFS 2.0)

How can passive ADFS 2.0 authentication for a web application consume WCF RESTful services?
I am using ASP.NET 4.0 and C# to develop a web application and a WCF REST service.
So could you please help me to understand how to secure a RESTful service using claims-based authentication?
Here is what I need:
I have a Web App and a WCF REST service with webHttpBinding that gets called from ajax/jQuery.
Now the user logs into the Web App, which is the relying party; he is redirected to the ADFS login page.
Once logged in, he is redirected back to the Web App.
This web app invokes the WCF service.
Passive authentication is working fine, but the issue is when calling the WCF service.
In the ajax call for the WCF service I get an "undefined" error (the namespace attribute is not getting added). Example:
var svc = project.services.AjaxService()
where project does not include services and the namespace attribute is missing, which is present when the same code is called from forms authentication.
Here project.services is the namespace for the service class AjaxService.
And also the same service is getting called using the Telerik controls' WebServiceSettings.
Can anyone please help me with this? What configuration setting is required, and does anything else need to be added?
How can I achieve both using ajax and Telerik?

Using WIF with Web API

I found lots of articles and SO questions on claims-based authentication for WCF RESTful services, but I am using MVC Web API to develop the RESTful service (not a WCF REST service)...
So could you please help me to understand how to secure a RESTful service using claims-based authentication?
Here is what I need:
I have a Web App and an MVC4 Web API service.
We have an STS.
The MVC Web App trusts the STS.
Now the user logs into the Web App; he is redirected to the STS login page.
Once logged in, he is redirected back to the MVC Web Site.
This web app invokes the Web API service.
Now, I have been stuck at point #4. We have a RESTful service, but need to implement WIF.
Can anyone please help me with this?
Note: I am NOT using a WCF REST service but MVC Web API.
From your description, it sounds like you are using a delegated identity model. That is, the user signs in to the web application, and when the web application invokes the Web API service, it uses the identity of the currently logged-in user.
If that is the case, then you need to configure WIF to save the "bootstrap tokens". The effect of this is that the original security token is available as a property on the current ClaimsIdentity. You can then use that to set the Authorization header of the request to the Web API service call.
To turn this on in .NET 4.5 you set the saveBootstrapContext attribute on the WIF element to true:
<system.identityModel>
<identityConfiguration saveBootstrapContext="true">
...
For .NET 4, the config looks like this:
<microsoft.identityModel>
<service saveBootstrapTokens="true">
...
Then to access it from the web application you do something like this (depending on how many identities you have) in the controller that is going to call the Web API. For .NET 4.5 (ClaimsIdentity.BootstrapContext is typed as object and holds a BootstrapContext instance; its Token property is the raw serialized token string, SecurityToken the parsed token):
var bootstrap = (BootstrapContext)((ClaimsPrincipal)User).Identities[0].BootstrapContext;
SecurityToken token = bootstrap.SecurityToken;   // bootstrap.Token gives the raw string form
For .NET 4 (WIF 3.5, Microsoft.IdentityModel.Claims):
SecurityToken token = ((IClaimsPrincipal)User).Identities[0].BootstrapToken;
Having obtained the original security token, you can now attach it to the calls to the Web API as an Authorization header. Generally this will be attached as a Bearer token, which is just a fancy way of saying that you prepend the word "bearer" to the header value. To attach the token, do something like this:
WebClient request = new WebClient();
request.Headers.Add("Authorization","bearer " + tokenAsString);
Note: Generally you will encrypt or base64-encode the token value in transit rather than attach the raw string, especially if it is XML, since some frameworks will mangle the XML in transit.
To convert the token to a string, you should use a class derived from SecurityTokenHandler. There are a number of these included in the standard framework assemblies for handling some standard token types. For REST services, the JSON Web Token is a popular format, and there is a NuGet package containing a handler for that here:
https://www.nuget.org/packages/System.IdentityModel.Tokens.Jwt/
If you are using some other token type, you can write your own handler (it is not difficult, in fact) or try to find one on the web.
In .NET 4.5 the SecurityTokenHandler class has a WriteToken(SecurityToken) method that returns the token as a string. In earlier versions of WIF only the XML version of WriteToken was supported.
There are several samples showing how to use the SecurityTokenHandler for REST services on the server side. A good example is here:
http://code.msdn.microsoft.com/AAL-Native-App-to-REST-de57f2cc/view/Discussions#content
All the relevant code is contained in the global.asax.cs file.
If your client is not authenticated then your Web API service should return a 401 Unauthorized response.
It will then be your client's responsibility to seek authentication and gain a new token. You should return the link to your login form in the WWW-Authenticate header.
This video might help: Securing ASP.NET Web APIs http://vimeo.com/43603474
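The server side of the flow the answer describes, as an added example (this is not code from the answer or from the linked sample): an ASP.NET Web API 2 message handler that expects the bootstrap token as "Authorization: Bearer <jwt>", validates it with the JwtSecurityTokenHandler from the System.IdentityModel.Tokens.Jwt package (4.x API assumed), puts the resulting ClaimsPrincipal on the request so that [Authorize] and the controllers see the claims, and otherwise returns 401 with a WWW-Authenticate header that carries the login link. Assumed and not from the page: the issuer, audience and login URL placeholders, the way the STS signing certificate is loaded, and the authorization_uri parameter name used to convey the login link.

```csharp
// Added example: bearer-JWT validation for Web API 2 as a DelegatingHandler.
// Not code from the original page. Issuer, audience, login URL and the
// certificate lookup are assumptions; System.IdentityModel.Tokens.Jwt 4.x API.
using System;
using System.IdentityModel.Tokens;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

public class JwtBearerHandler : DelegatingHandler
{
    private const string LoginUrl = "https://sts.example.com/adfs/ls/";            // assumed
    private readonly JwtSecurityTokenHandler _handler = new JwtSecurityTokenHandler();
    private readonly TokenValidationParameters _parameters;

    public JwtBearerHandler(X509Certificate2 stsSigningCertificate)
    {
        _parameters = new TokenValidationParameters
        {
            ValidIssuer = "http://sts.example.com/adfs/services/trust",              // assumed
            ValidAudience = "https://api.example.com/",                               // assumed
            IssuerSigningKey = new X509SecurityKey(stsSigningCertificate),
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth == null
            || !"Bearer".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrWhiteSpace(auth.Parameter))
        {
            return Challenge(request, "missing bearer token");
        }

        ClaimsPrincipal principal;
        try
        {
            SecurityToken validated;
            // Verifies signature, issuer, audience and expiry; throws on any failure.
            principal = _handler.ValidateToken(auth.Parameter, _parameters, out validated);
        }
        catch (SecurityTokenException ex)
        {
            return Challenge(request, ex.GetType().Name);
        }
        catch (ArgumentException)
        {
            return Challenge(request, "malformed token");   // not even a well-formed JWT
        }

        // Make the claims visible to [Authorize] and to the controllers.
        request.GetRequestContext().Principal = principal;
        Thread.CurrentPrincipal = principal;
        return await base.SendAsync(request, cancellationToken);
    }

    // 401 with an RFC 6750 style challenge; the login link travels as a parameter
    // of the same header (parameter name "authorization_uri" is an assumption).
    private static HttpResponseMessage Challenge(HttpRequestMessage request, string reason)
    {
        HttpResponseMessage response = request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue(
            "Bearer",
            "realm=\"api\", error=\"invalid_token\", error_description=\"" + reason
            + "\", authorization_uri=\"" + LoginUrl + "\""));
        return response;
    }
}

// Registration, in WebApiConfig.Register(HttpConfiguration config):
//   config.MessageHandlers.Add(new JwtBearerHandler(LoadStsSigningCertificate()));  // loader assumed
//
// Client side in the web app, once the bootstrap token has been written to a string:
//   var http = new HttpClient();
//   http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokenAsString);
```

The handler fails closed: an absent, non-Bearer, malformed, unsigned, expired or wrongly-audienced token all end in the same 401 path, and only a token that validates against the configured STS certificate produces a principal. The audience check matters in the delegated model the answer describes, since the bootstrap token was issued to the web app; either the STS must issue it with the API's audience as well, or the web app exchanges it for a token scoped to the API.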

ADFS web server setup

I am very, very new to ADFS 2.0. I have been using domain trust, and I am doing some research on ADFS 2.0 to convert my current web app to ADFS 2.0. The questions I have are:
Does the web server need to be on a perimeter network facing the internet? Or can I use a web proxy, or does the federation proxy support that built in for the web server too?
Does my SSL cert need to be on my IIS, or can I host it on my load balancer?
Also, do I need to have .NET 3.0 and above to use ADFS with ASP.NET?
For ADFS, you can install an ADFS proxy that is accessible from the Internet. This communicates with an instance of ADFS, which can be behind a firewall.
ADFS requires a "Service communications" certificate, which typically uses the SSL certificate of the IIS that hosts ADFS.
I detailed the WIF requirements in my other answer to you.
ADFS requires Microsoft .NET Framework 3.5 together with Service Pack 1.

ADFS Secured Web Application Calling Web Services

I have Active Directory Federation Services 2.0 all set up and ready to work, but I have a scenario that falls outside pretty much everything I've read on enabling a relying party application. The two scenarios that are well documented involve A) passive authentication for a web site or B) using a thick client that's authenticated for calling web services.
My scenario is as follows: I have a web application that calls WCF services via Net.TCP for data access. I need to use ADFS 2.0 to secure each WCF call with a security token.
I also can't use the passive method of authenticating with ADFS from the web site (security restrictions outside my control).
So my question is: is it possible to manually request a security token from ADFS via a web site, then use that same token to call my WCF service methods?
Have a look at http://travisspencer.com/blog/2009/03/caching-tokens-to-avoid-calls.html.
This blog post describes how to cache security tokens for WCF service calls.
I think it should also be possible to "inject" an already-fetched token into the described CacheSecurityTokenProvider.

Brokered Kerberos web service security over the Internet

Is it possible to use brokered Kerberos authentication for web services over the Internet? I'm looking at web services security for an environment which already has Active Directory. Due to the existing architecture the web services will be quite chatty, and I have no control over this architecture. It may take up to 6 web service calls to perform one business process.
There is concern over authenticating multiple times and the overhead this will incur. From my initial reading of brokered Kerberos authentication, once the user credentials are provided, a Kerberos security token will be returned and authentication is not required for each web service call.
I'm envisaging a system where the user credentials are passed to Active Directory via a web service call and the Kerberos token is returned. This token is then used for all subsequent web service calls.
Is this possible, or am I heading off on a tangent? If I am heading off on a tangent, is there a preferred approach for this? I've finished reading the Microsoft "Web Service Security: Scenarios, Patterns and Implementation Guidance for WSE 3.0" and am still a little unclear.
Consider leveraging the SAML protocol as a way to exchange assertions via WS-Security.