I have a custom STS made in WIF that works as an IDP and now I need to configure SSO to a Service Provider made in SimpleSamlPHP. (The SP only supports Post Binding and Web Browser SSO Profile.)
Any idea on how I should approach this requirement? Does WIF support Post Binding and SAML 2.0?
Any idea will be greatly appreciated,
Thanks!
As per #Wiktor, there is no SAML support in WIF.
But you need the server side of the SAML stack not the client side.
Your best bet may be to put ADFS v2.0 in the middle and use it as a broker to provide the SAML support.
If you want SAML support, vote here.
WIF has no restrictions on bindings; it is just a set of APIs that makes it easier to develop IdPs and SPs. What people usually do is implement redirect binding on the service provider and post binding on the identity provider - all books and tutorials I've read are like this. This means that the service provider should redirect to the identity provider with wa=wsignin1.0 and the identity provider responds with a form containing the token posted to the service provider.
However, I don't see any obvious reasons you would not be able to implement post bindings for both sides.
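The redirect-then-POST exchange described in the answer above, as an added example that is not part of the original answer or of WIF: the SP builds the wa=wsignin1.0 redirect, the IdP accepts it only for a registered realm and wreply, answers with the auto-submitting form, and the SP checks wa and its own wctx before handing wresult to token validation. All hosts and the RSTR placeholder are constructed values.

```python
from urllib.parse import urlencode, urlparse, parse_qs
from html import escape

# Constructed sample values; none of these hosts come from the question.
IDP_URL = "https://idp.example.test/wsfed"
# Relying parties the IdP trusts, keyed by realm: the only wreply URLs it will post to.
TRUSTED_REALMS = {"https://sp.example.test/": "https://sp.example.test/signin-wsfed"}

def build_signin_redirect(realm, reply_url, ctx):
    """SP side (redirect binding): send the browser to the IdP with wa=wsignin1.0."""
    query = {"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply_url, "wctx": ctx}
    return IDP_URL + "?" + urlencode(query)

def parse_signin_request(url):
    """IdP side: accept only a wsignin1.0 request for a known realm and its registered wreply."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if q.get("wa") != "wsignin1.0":
        raise ValueError("not a WS-Federation sign-in request")
    reply = TRUSTED_REALMS.get(q.get("wtrealm"))
    # An unregistered wreply would turn the IdP into an open redirect for issued tokens.
    if reply is None or q.get("wreply", reply) != reply:
        raise ValueError("unknown realm or wreply not registered for it")
    return q["wtrealm"], reply, q.get("wctx", "")

def build_post_response(reply_url, wresult, ctx):
    """IdP side (POST binding): auto-submitting form carrying the issued token in wresult."""
    fields = {"wa": "wsignin1.0", "wresult": wresult, "wctx": ctx}
    inputs = "".join(f'<input type="hidden" name="{n}" value="{escape(v, quote=True)}"/>'
                     for n, v in fields.items())
    return (f'<form method="post" action="{escape(reply_url, quote=True)}">{inputs}</form>'
            '<script>document.forms[0].submit()</script>')

def parse_post_response(form, expected_ctx):
    """SP side: check wa and the wctx this SP issued, then pass wresult on to token validation."""
    if form.get("wa") != "wsignin1.0":
        raise ValueError("unexpected wa")
    if form.get("wctx") != expected_ctx:
        raise ValueError("wctx does not match a sign-in this SP started")
    wresult = form.get("wresult", "")
    if "RequestSecurityTokenResponse" not in wresult:
        raise ValueError("wresult is not a RequestSecurityTokenResponse")
    return wresult  # signature, audience and expiry checks on the enclosed token come next
```

The wctx comparison ties the posted token to a sign-in the SP actually started; the token inside wresult still has to be validated by the SP's token handler.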
As far as I know, there is still no SAML2 protocol support for WIF apart from a CTP that hasn't been updated for ages. If your service needs SAML2, you'd have to take a look at some commercial implementations, like the one from ComponentSpace.
Currently we are using ASP.NET membership for providing authentication in our application. Now our client has moved to Ping for user store. So we need to modify our application to support SSO, and they want us to use SAML.
My questions are:
Other than SAML, is there any other authentication technique I can use for Ping?
If SAML is the better option, can you give me any links?
Ping supports all the federation standards.
Basically you can use WS-Fed, SAML 2.0 or OpenID Connect.
Whichever protocol you pick, you need a client-side stack that implements it.
The easiest to get working is OpenID Connect.
I have WCF services in need of claims-aware authorization (as in can-create-resource-X, can-edit-resource-Y, etc).
Authorization should be Username/Password based, no Windows identities.
I need to keep authorization logic and data local to server, where WCF services are hosted.
Authorization data should be stored in PostgreSQL and not SQL Server.
At first I was going to implement Claims-Based Security according to "Learning WCF. A Hands-on Guide", employing pgProvider as a PostgreSQL-based replacement for ASP.NET Membership Provider. But I stumbled over ClaimsPrincipal being redefined (along with Claims) in .Net 4.5 that I'm using now.
Then I came across WIF being recommended now as a primary device for authorization purposes. As of now I'm trying to wrap my head around WIF and I cannot find any mentions of a valid STS to be used locally. The only mention I came across is Local Development STS, but as far as I understand it is to be used for development and testing purposes only, not in production.
I considered creating a custom STS, but according to Google it isn't to be my first choice. And it does indeed seem an overly complicated approach for a seemingly simple purpose of having local username/password authorization.
So how do I go about creating claim-based authorization for my WCF services? Is there a local STS I haven't come across? Am I supposed to forget WIF and write my own authorization logic? Anything else?
VS 2010 and VS 2012 had tools to generate a local STS but yes, not for Production.
The basic problem is that very few people used WCF (the WS-Fed active profile) compared to browser access (the WS-Fed passive profile).
So I don't know of any STS that you can use.
You may consider "Give your WCF Security Architecture a Makeover with IdentityServer3"?
My mistake.
ClaimsPrincipal mentioned in "Learning WCF. A Hands-on Guide" is not a framework class I thought it to be - it's a custom programmer-created class. I was misguided by a class of the same name in newer .NET framework versions.
We have a WCF service that uses REST. This will contain all the business logic when we implement several other clients besides web clients.
I have used Thinktecture as an STS because we already have an infrastructure for identifying roles in old clients that we would like to reuse.
To test everything I have an MVC application that uses jQuery to call the WCF service. The MVC application displays the claims and authentication correctly, but I cannot make the WCF service reuse this information.
I have succeeded in making MVC consume the WCF over HTTPS and on another domain: the MVC uses https://localhost:40321 and WCF uses https://localhost:40033.
I have read this: "How do you pass a (Claims) security Token to a WIF enabled WCF service", but the accepted answer uses the .NET 3.5 framework and we would like to use 4.5.
So my questions are:
Is there a possibility of using jQuery with WIF together with Thinktecture and CORS? If yes, would you point me in the right direction? All the information that I have read about securing WCF seems to assume that you will use SOAP and not REST.
If point 1 is impossible in jQuery (or JavaScript), what authentication should I use? OAuth 1.0, 2.0 or something else?
As I see in Thinktecture, you can specify the token to be returned as JWT. Is this a better way to use authentication? How do you configure the WCF to accept this token? How do you extract this token with JavaScript/jQuery? I saw that if you specify that jQuery should use "jsonp" it includes a cookie in the request headers.
I have read this http://msdn.microsoft.com/en-us/library/hh446531.aspx but as far as I see the example is using a web service and not WCF.
Thank you in advance.
I have read more and I think that I have the answer for my own questions.
Is there a possibility of using jQuery with WIF together with Thinktecture and CORS? If yes, would you point me in the right direction? All the information that I have read about securing WCF seems to assume that you will use SOAP and not REST.
No, you cannot use jQuery to access a WIF-enabled WCF service directly. It is better to create a Web API that implements REST and use the WCF as a reference in that project. Consume the WCF in C# code and just add a thin layer for REST calls.
If point 1 is impossible in jQuery (or JavaScript), what authentication should I use? OAuth 1.0, 2.0 or something else?
If you want to use WIF, I think it is better to use Microsoft's stuff for better compatibility. I am NOT saying that one is better than the other.
As I see in Thinktecture, you can specify the token to be returned as JWT. Is this a better way to use authentication? How do you configure the WCF to accept this token? How do you extract this token with JavaScript/jQuery? I saw that if you specify that jQuery should use "jsonp" it includes a cookie in the request headers.
See answers 1 and 2.
I want to guard an OData service with custom authentication associated with a user table in a database. I have been obsessed with this problem and searched for solutions for a long time in vain. I mean, yes, there are quite a lot of articles on the web, but they are just quite trivial, for example implementing IPrincipal or IHttpContext with basic authentication on. Notably, many of them date back to 2010, when OData was not as mature as today. So I'm wondering if there is any rapid solution to database-based custom authentication.
Any guidance would be greatly appreciated!
OData and authentication (and even authorization for that matter) are unrelated for the most part by design. That doesn't mean that OData stacks can't provide good support for authentication and authorization, just that the OData protocol itself doesn't comment on it. Protocol aside, both Web API and WCF Data Services are working on getting better support here. Speaking as a member of the .NET community (and not as a Microsoft employee), I think it's reasonable to expect that as those stacks implement authorization APIs they will probably be looking to claims-based authorization. Again, I want to state explicitly that I'm not trying to hide or divulge any plans here - I'm merely speculating about where authentication and authorization are going.
In a nutshell, if I were in your shoes I'd find the easiest intersection I could between OAuth2 and claims-based authentication and make that work for now. Working out your claims and authentication now means that you only would need to consider integrating the actual authorization code later.
It should be possible to use SAML to authenticate users for any type of application (according to the spec), but the examples I have seen are cookie-based ASP.NET websites.
Does anyone know of an example authenticating users for, say, a Win Forms app (not using cookies)?
Not quite sure what it is you are looking for. If you are looking for SAML based authentication, you can use some combination of Windows Identity Framework and WCF and AD FS. SAML is just the "language" of authentication, but unless you already have an identity provider, you need to start there first.
You can use this article to give you an idea of what the basic infrastructure looks like, and I frequently use the site leastprivilege.com for a deeper reference.
But, if the scope of your application is purely within the desktop (i.e., it never communicates with any services), you really don't need anything like SAML to achieve your goal. Usage of tokens like SAML is for communicating with web services where the endpoints trust the identity provider.
SAML is a wee complicated beastie. I'm not sure I'd try to roll my own SAML SSO solution.
When we implemented SAML SSO, we used PingFederate from. It's expensive, but good. There's also some open source SAML SSO stuff about, but I can't really speak to it.
PingFederate is pretty dead simple to configure and use, although if you don't speak SAML, the learning curve will be steep until you understand the concepts, the flow and the lingo used.