XACML and WCF Examples & Documentation - c#

What is the status of XACML/SAML .NET Framework Classes/Methods?
Will Microsoft provide an .NET XACML/SAML stack/framework now or in the near future?
Can MSDN provide today working examples that demonstrate how to use or implement an XACML/SAML environment, those securing a typical WCF client / WCF Service environment?
Given the Microsoft .NET Framework does not have today (25 February 2014) a XACML/SAML implementation, what third party vendor products would Microsoft recommend to use jointly with .NET Framework Classes in a WCF .NET environment?
Yes I've googled around, and no, not much helpful comes up.
There is a severe lacking of useful info on this subject out there.
Any of the following information you could share would be helpful:
1. Can anyone in this Forum or at MSDN Help Desk explain or lead me to documentation explaining the basic protocol flow used when securing a WCF client service with XACML? I hope this question fits MSDN Help DESK ;-)
2a). How do I setup a proper formatted XACML/SAML request at the client?
2b). How do I intercept and extract a properly formatted XACML/SAML request at the service?
2c). How do I pass it to the XACML/SAML processing framework of .NET (if any) or
2d). any recommended XACML/SAML third party framework?
In general: How do I write a message interceptor and retrieve the SAML part in the header to be treated by the XACML service side implementation to receive a permission true/false value based on policies?
What .NET Framework/Classes/Methods will help me to inject XACML/SAML data into a request/message?
What .NET Framework/Classes/Methods will help me to retrieve XACML/SAML data from a request/message?

There are multiple locations where you could write a policy enforcement point (PEP) in C# .NET. Possible locations include:
HttpModule
WCF Web Service - Custom ServiceAuthorizationManager
REST API (ASP.NET Web API) - Custom AuthorizationFilter
ASP.NET MVC - Custom AuthorizationFilter
Axiomatics (disclaimer: I work for Axiomatics) provides all these integration points along with a XACML 3.0 PDP written in .NET and a .NET PEP SDK so that you can write your own PEPs.
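
A PEP at the second location listed in the answer above, a custom ServiceAuthorizationManager, as an added example (not part of the original answer and not the Axiomatics SDK). `IPolicyDecisionPoint` and `TablePdp` are hypothetical stand-ins for a real XACML PDP client, and the choice of subject, action and resource attributes is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;

// Hypothetical PDP contract; a real deployment would send a XACML request to a PDP here.
public interface IPolicyDecisionPoint
{
    bool IsPermitted(string subjectId, string actionId, string resourceId);
}

// Constructed in-memory stand-in for a PDP: anything not explicitly permitted is denied.
public sealed class TablePdp : IPolicyDecisionPoint
{
    private readonly HashSet<string> _permits = new HashSet<string>(StringComparer.Ordinal);

    // NUL separator so attribute values cannot collide across field boundaries.
    private static string Key(string s, string a, string r) { return s + "\0" + a + "\0" + r; }

    public void Permit(string s, string a, string r) { _permits.Add(Key(s, a, r)); }

    public bool IsPermitted(string s, string a, string r) { return _permits.Contains(Key(s, a, r)); }
}

// PEP: WCF calls CheckAccessCore for each incoming message before the operation runs.
public sealed class PdpAuthorizationManager : ServiceAuthorizationManager
{
    private readonly IPolicyDecisionPoint _pdp;

    public PdpAuthorizationManager(IPolicyDecisionPoint pdp)
    {
        if (pdp == null) throw new ArgumentNullException("pdp");
        _pdp = pdp;
    }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext sec = operationContext.ServiceSecurityContext;
        // Fail closed: an unauthenticated or anonymous caller is never sent to the PDP.
        if (sec == null || sec.IsAnonymous || sec.PrimaryIdentity == null) return false;

        string subject = sec.PrimaryIdentity.Name;                       // subject attribute
        string action = operationContext.IncomingMessageHeaders.Action;  // action attribute
        string resource = operationContext.EndpointDispatcher.EndpointAddress.Uri.AbsolutePath;
        if (string.IsNullOrEmpty(subject) || string.IsNullOrEmpty(action)) return false;

        try { return _pdp.IsPermitted(subject, action, resource); }
        catch (Exception) { return false; } // PDP unreachable or faulting means deny
    }
}
```

Attach it before opening the host with `host.Authorization.ServiceAuthorizationManager = new PdpAuthorizationManager(pdp);`.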

Related

Creating custom OAuth2 Server

There is a project I am working on using ASP.NET Core 3.1. The app is a web API and will be consumed by multiple clients (web browser, Android and Windows Forms). How can I build the OAuth2 server in C# to protect my API?
Most companies don't build their own Authorization Server, since it is a job for security experts. Instead they use a cloud provider, and these are often very low cost or free.
In the early days this is a good learning guide and will save you a lot of time. You can then focus on OAuth integration into your UIs and APIs.
As long as you keep security in your UI and API standards based you will then be able to easily swap between providers later - or use an open source one perhaps.
Here are a couple of resources of mine that you might find useful. My early code is in NodeJS, but based on OAuth messages, so easily translatable to .Net Core:
Setting up an Authorization Server
Initial Tutorial
OAuth Messages - see Step 16 for API Integration

Create a SAML2 Response in c#/Asp.net

I have been asked to implement a Single Sign On solution to enable our users to connect to a 3rd party service without logging on again.
As I understand it the requirement is:
User logs in to our web server using Active Directory
Server constructs a SAML 2 response
This is then seamlessly posted to the third party app which should now allow them in.
I am totally new to SAML and a little confused by all the terminology. Can someone possibly point me in the direction of some example code that does this, ideally using the .Net4.5 (or greater) libraries.
Thanks in advance for any help.
You need a SAML stack.
Refer : SAML : SAML connectivity / toolkit
There's a lot of documentation in the links.
Just to call out from the post:
"There is NO official Microsoft C# client-side SAML protocol stack."

Consuming non-asmx SOAP 1.1 Web Service in C# with Header Security

First time poster so please take it a bit easy on me if I break any posting rules - I have read them and I think I'm right.
I've been searching for a while before posting and can't seem to find a guide on what I am trying to do so I thought I would post here.
I need to write a C# .NET 3.5 program to consume a web service developed in Java. I have practice consuming ASMX web services in .NET using Web References from my experience writing Dynamics CRM plugins and software but this has me stumped.
My first attempt was to use a Web Reference (yes, I know - not WCF) however the web service requires a PasswordDigest (SHA-1 with nonce and created), a username token and timestamp token in the SOAP header and I couldn't find a way to add these to the SOAP header using the Web Reference.
My second attempt was to use a Service Reference (I believe, but I am probably wrong haha, that this is WCF) however I don't have much practice with this and any tutorials I found online were not much help.
Each time when I try to use the WS, I get a rejection from the server for being unable to authenticate.
My question is how do I consume a Web Service with these requirements in C# .NET 3.5?
Thanks.
IIRC, Microsoft WSE (either 2.0 or 3.0) had something called UsernameToken, which you need to stuff somewhere in the outgoing SOAP message and you're all set. Granted, this answer leaves a lot to be desired, so I'll throw a couple links at you and hope you'll wade through:
http://www.codeproject.com/KB/webservices/WS-Security.aspx
http://www.reliablesoftware.com/articles/WSESecurity.html
http://www.devx.com/security/Article/15634
(And this all shows yet again how flawed SOAP and WSDL actually are).

Using IBM FileNet Web services in C# Application

Our organization uses IBM FileNet as document management system. FileNet P8 comes with a web services API which can be used in .net
Has anyone of you guys tried this? If yes could you please direct me to any resources to kick start?
Thanks a ton in advance.
http://publib.boulder.ibm.com/infocenter/p8docs/v4r5m1/index.jsp?topic=/com.ibm.p8.doc/developer_help/content_engine_api/guide/gs_procedures.htm
The FileNet API comes in 5 flavors:
Java - jar reference, configure to use either http or iiop transport
.NET - .NET dll reference, configure for http transport
CEWS - Content Engine Web Services. Use only if you can't use the Java or .NET API
CMIS - web service conforming to the CMIS spec
COM - semi-legacy, not discussed in the docs, but it does exist
Although the .NET API uses web services in the background, your .NET project reference is to FileNet.Api.dll, rather than directly to the WSDL. So if you're a .NET shop, you want the .NET API, not the "Web Services API" (2012-02-03 edit: unless you opt for CMIS)
The best place to get started is the "Bulk Loader Sample Code" here: http://www-01.ibm.com/support/docview.wss?rs=3278&uid=swg27010422
You're in the right place for documentation related to the P8 .Net API. The only other "kick-start" link I can think of is http://www.ecmplace.com/.
I know how to create a session using the Java API for the CE, but I'm sorry to say that I haven't done it with the .Net API. However, I'm fairly certain that you'll find helpful examples on the ECM Place forum.
HTH!
Tom Purl

How to use oAuth tokens

I'm using a library to get an 'oAuth_token' and 'oAuth_token_secret'.
If I make a request to a REST web service how are those two keys leveraged to verify authentication?
Providing a C# example is a little difficult because there are a number of variables i.e. the signature method being used, additional parameters the service might be expecting etc. which would affect the complexity of the example.
I've developed an open source OAuth library for .Net and posted an article on beginning to use OAuth that might help to get you started - I tried to find a developers page / API specification to brightkite - but because it's a beta service I don't have access - so perhaps post me an invite to this service via my blog and I can have a go at developing an example brightkite client at which point this answer can be revisited with some concrete example code useful to others.
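
How the two values are used under one common choice, OAuth 1.0 with the HMAC-SHA1 signature method (RFC 5849), as an added example that is not from the answer's library. The class name, URL, keys and secrets are constructed placeholders, and a service using another signature method or extra parameters would differ.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class OAuth1Signer
{
    // RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal.
    public static string Enc(string s)
    {
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(s))
        {
            bool unreserved = (b >= 'A' && b <= 'Z') || (b >= 'a' && b <= 'z') ||
                (b >= '0' && b <= '9') || b == '-' || b == '.' || b == '_' || b == '~';
            if (unreserved) sb.Append((char)b); else sb.Append('%').Append(b.ToString("X2"));
        }
        return sb.ToString();
    }
    // parameters: every oauth_* value (except oauth_signature) plus query/form parameters.
    public static string Sign(string method, string baseUrl,
        IEnumerable<KeyValuePair<string, string>> parameters,
        string consumerSecret, string tokenSecret)
    {
        string[] pairs = parameters
            .Select(p => new KeyValuePair<string, string>(Enc(p.Key), Enc(p.Value)))
            .OrderBy(p => p.Key, StringComparer.Ordinal)
            .ThenBy(p => p.Value, StringComparer.Ordinal)
            .Select(p => p.Key + "=" + p.Value).ToArray();
        string baseString = method.ToUpperInvariant() + "&" + Enc(baseUrl) + "&" +
            Enc(string.Join("&", pairs));
        // The token secret never travels with the request; it only keys the HMAC.
        string key = Enc(consumerSecret) + "&" + Enc(tokenSecret);
        using (var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(key)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
    }

    public static void Main()
    {
        // Constructed sample values, not from any real service.
        var p = new Dictionary<string, string> {
            { "oauth_consumer_key", "example-consumer-key" }, { "oauth_token", "example-token" },
            { "oauth_signature_method", "HMAC-SHA1" }, { "oauth_timestamp", "1400000000" },
            { "oauth_nonce", "constructed-nonce" }, { "status", "hello world" } };
        Console.WriteLine(Sign("GET", "https://api.example.com/1/items", p,
            "example-consumer-secret", "example-token-secret"));
    }
}
```

The returned value is sent as `oauth_signature` alongside the other `oauth_*` parameters; the server recomputes it from its own copy of the secrets, which is what ties the request to the token.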
