I'm reading up on SSO with WIF STS and so on. Im ended up in this tutorial http://chris.59north.com/post/2013/04/09/Building-a-simple-custom-STS-using-VS2012-ASPNET-MVC.aspx .
I wonder how I can recive some custom data which I would like to send from the custom STS?
The Relying Party in this tutorial has no code which is evalulating the response from the STS. If I'm correct this is done by the Idendity.Model.Service.
How can I send data from the IdP and recive them in the RP? Is it also possible to send some custom information on the SSO from RP to IdP?
As per the article: "The second method, the GetOutputClaimsIdentity(), is just as simple. All that is need here, is to create a new ClaimsIdentity and add the required claims. In this case, I only set the Name and NameIdentifier claims."
So you can set any claims you want using this method - normally you would get the attributes from a repository like AD.
The RP is built using WIF so you have a bunch of built-in methods. Refer: WIF Claims Programming Model
Related
I'm developing an .NET Web API and using JWT tokens to secure it. In my research of the best way to implement it, i decided to use the jwt claims to also limit the access to content, depending on specific claims present on the token. I can now manually verify if for example, a userId matches with the userId of a record's userId and return it if it's a match, but this is very tedious and not quickly adds up the amount of code just to do the same task...
Is there a way to implement something like an action filter to apply the claims to every request and return only the records that match the information in the token?
Thanks everyone in advance
See this implementation on this project.
https://github.com/cuongle/WebApi.Jwt/blob/master/WebApi.Jwt/Filters/JwtAuthenticationAttribute.cs
It's a simple scenario.
JWT contains a user's id or some claims.
You have a WEB API endpoint like ("GetCurrentUserData()") decorated with your custom ActionFilterAttribute.
Within that method you will call a helper function that will read the current request user claims and return them in a simple form (like user id).
See: Get claims from a WebAPI Controller - JWT Token,
Then within the method you can query/filter your returned data based on the Id/Claims of the current user of the request.
I am trying to use SAML sso with pingidentiy (pingone) and componentspace SAML library. Currently what I have to initiate the SSO is
SAMLIdentityProvider.InitiateSSO(
Response,
"testuser", //username
attributes,
"https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=xxxx-xxxx-xxxx-xxxx-xxxx&idpid=xxxx",
"PingConnect"
);
When this runs it returns an error in relay state. I've figured out that I don't have a relay state to use, but I am not sure where to specify my Initiate Single Sign-On (SSO) URL from my pingone web portal (thats the sso.connect url in the code). This is my first time doing SSO with SAML and using componentspace so I am completely lost.
I have my XML service provider setup as such
<PartnerServiceProvider Name="PingConnect"
WantAuthnRequestSigned="false"
SignSAMLResponse="true"
SignAssertion="false"
EncryptAssertion="false"
AssertionConsumerServiceUrl="https://sso.connect.pingidentity.com/sso/sp/ACS.saml2"
SingleLogoutServiceUrl="http://localhost:50839/"
PartnerCertificateFile="sp.cer"
SignatureMethod="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
Just to confirm, PingIdentity is the identity provider and your application is the service provider? Assuming so, you should be calling SAMLServiceProvider.InitiateSSO and you should have a PartnerIdentityProvider rather than a PartnerServiceProvider configuration.
Have you taken a look at the PingOne Integration Guide? This describes both the configuration at PingOne and your application.
If you need further assistance, I suggest emailing ComponentSpace support.
Let's say I have to integrate with a legacy enterprise system which maintains users. Assume this enterprise system provides a C# SDK with two methods as follows:
Authentication:
sdk.Authenticate("Region", "Username", "Password")
Note that Region is an additional parameter selected by the user at login. So I need to be able to read this custom parameter in addition to the user credentials too. (Yes login would be interactive).
Profile Retrieval:
sdk.GetProfile(UserId)
I want to use IdentityServer to generate tokens in the usual manner but use these two methods to implement custom authentication and profile retrieval.
I can see that extending the IProfileService I should be able to integrate profile retrieval and population of custom claims. However I see the following multiple extensibility points in the docs but not sure what the best way would be;
Quick Start UI's Account Controller's Login(LoginInputModel model, string button) method: I should be able to place the sdk.Authenticate("Region", "Username", "Password") logic here and just call _signInManager.SignInAsync to sign in the user. But it does not feel as if I'm directly extending IdentityServer4 to add support for another custom authentication provider.
IExtensionGrantValidator:
This answer and IdentityServer Docs explain a way to do a custom grant which I should be able to use to call sdk.Authenticate("Region", "Username", "Password"). But this would mean I'd be using a custom grant type. I need to be able to support existing grant types such as Hybrid. I see support for custom parameters via context parameter in the ValidateAsync(ExtensionGrantValidationContext context) method
IResourceOwnerPasswordValidator:
This IdentityServer doc explains how to implement a custom password validator for the Resource Owner flow. But I need to be able to support existing grant types such as Hybrid. I see support for custom parameters via context parameter in the ValidateAsync(ResourceOwnerPasswordValidationContext context) method
External Authenticators:
This IdentityServer doc explains how to add external authenticators. But I see no .AddCustom method for non-standard authenticators. I only see support for popular authenticators such as Google.
What am I missing?
I chose to go with the first option mentioned in the question which is: Quick Start UI's Account Controller's Login(LoginInputModel model, string button) method
I'm trying to create something like: Client authenticates and gets token from custom STS1, next client authorizes with machine key and is issued token on custom STS2 and gets another token. With last token, client requests methods on RP service.
All services are hosted on IIS and are using active federation scenario.
Both STS's have endpoints with ws2007Federation and ws2007Http bindings, and RP use ws2007FederationBinding with STS2 as an issuer.
If I create channel with CreateChannelWithIssuedToken I can see only token from STS1 and can't get token from STS2.
So I decided to pass token from STS1 as ActAs RST's property on request to STS2 token. And that failed - cannot decrypt token.
How can I pass both tokens to STS2 and merge up claims in them?
Is it a bad idea - to send with RST just extracted claims from STS1 token?
Generally you will only want to utilize one token at each step. So if you need to merge up claims, you will want to do that at the claims transformation step of the second STS.
So the flow would be authenticate with STS1, then authenticate with STS2 with the token from STS1. At that point you would pass through the claims and transform to add additional claims as needed. Then the resulting Token would be ready to consume from the RP application.
I have actually started a blog series about a really similar scenario that we recently architected. Not to be overly self promoting, but it doesn't make me any money, so I'll post it in case it is helpful.
http://www.livingthearchitecture.com/mixing-sso-with-existing-technologies/
I would be glad to go more in depth, but depending on the specifics of your scenario, the specifics of the solution will change greatly. I think the above expresses the general approach you will want. Let me know if I can help any more.
I am using Access Control Service (ACS). I configure my MVC-4 application to use ACS. I put the return url to my controller, which is http://127.0.0.1:81/ACS/LogOn and after logon with any identity provider we are successfully return to the controller. But now can anybody please tell me how i can access the issued token in the controller ?
Assuming that you've used the normal WIF-based mechanisms to configure your app to use ACS, everything you need should be accessible via Thread.CurrentPrincipal. In most cases, you don't want the token itself but instead you want the claims within it. See this example.
If you actually need the underlying token in XML/string form rather than the claims (I wouldn't recommend this most of the time) then you can get it by setting SaveBoostrapContext in your service configuration to true and accessing it via the BootstrapContext property on the claims identity.
Thread.CurrentPrincipal.Identity.BootstrapContext;