understanding how to implement SAML2 SSO to an existing .net web api - asp.net-web-api

I need to implement SAML 2.0 sso authentication to our existing Web API. I am fairly new to the topic so i am not sure where to start. i have been playing around with the dev ADFS server (ADFS 4 - Windows server 2016) and been following tutorials on how to setup Relying Trust Party.I have gotten the gist on how SAML works but still lost on how to implement this one via code in my webapi. I want to know how to begin implementing the SAML 2 auth to connect to the ADFS server, the web app is deployed on a different iis server. I have read https://github.com/Sustainsys/Saml2/tree/master but i am not getting how my web api would connect to the ADFS server to retrieve a SAML token and process it.

The problem you have is that the SAML spec. does not cater for API (either webapi or REST API). It's purely a browser SSO redirect protocol.
In ADFS, API are configured by the Application wizard but that's OpenID Connect with a JWT not an XML token.
Update
If your webapi is a REST API then use OIDC with a JWT.
Just FYI: ADFS also supports WS-Fed. WS-Fed does have an API profile (called the active profile) which is essentially WCF.

Related

What are the possibilities with Spring Authorization Server when using it for authentication (and authorization)?

I'm looking to find a tool that will do the authentication (and authorization) part of the project. For the project, I will be using spring boot and java 8.
I will be working with OAuth2.0, the flow for untrusted client(web-applictation) and trusted client(another server)
I was looking at Keycloak and Spring Authorization Server.
But it's unclear what are all the possibilities with the Spring Authorization Server.
Like with Keycloak you have single sign on, identity brokering, social login, user federation, admin console, account management console, standard protocols etc.
Is this also possible with Spring Authorization Server, or what are the possibilities of Spring Authorization Server?
We're working on reference documentation which will include a feature list. In the meantime, see feature list on the GitHub wiki for the project.
From this PR, a possible short overview/answer to your question would be:
Spring Authorization Server is a framework that provides implementations of the OAuth 2.1 and OpenID Connect 1.0 specifications and other related specifications. It is built on top of Spring Security to provide a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth2 Authorization Server products.
Update: The reference documentation is now available and contains an Overview page with this information.
You can make custom OAuth resource server implementation or use the SAML standard.
Also, you can implement access by JWT token, which suites well for API-only service.
You can use also "Basic Authentication", but it's too simple for a mature applications.

Extend OAuth2 Authorization Server with OpenID Connect

I'm trying to extend my home made OAuth2 Authorization Server with the OpenID Connect. At the moment, the Server works fine and successfully issues an access token.
What I need is that the token endpoint returns an id_token along with the access_token.
The Authorization Server is a Spring boot (2.5) app, which implements the authorization code flow using following oauth dependencies.
spring-security-oauth2
spring-security-oauth2-autoconfigure
spring-security-jwt
spring-security-oauth2-jose
Is there some standard way to configure an OAuth2 Spring Server so it provides the OpenID Connect features?
Thanks in advance for an example code and/or useful documenation.
The Spring team are working on a new OAuth server, that provides OIDC capability. It's still very early days, but it is useable.
See here for the code, that includes a set of samples:
https://github.com/spring-projects/spring-authorization-server

OAuth/ SAML authentication with ASP .Net Web API framework

I am working with a project where frontend is Angular 4. It consumes Asp.Net WEB API services. I have implemented token based authentication for accessing restricted api calls along with refresh token implementation.
Now i want to implement additional authentication mechanism like Native AD, ADFS and other third party services like OKTA using SAML 2 authentication.
I want to understand flow how it will work with web api along with Angular SPA.
These are the flows you could use. https://developer.okta.com/authentication-guide/implementing-authentication/ and Okta already have SDKs that can help you https://developer.okta.com/quickstart/#/angular/nodejs/generic. <- uses Implicit flow.

ASP.NET Web API 2.2 OWIN with mixed authentication JWT and SAML

We have a WebAPI that needs to service different client apps, each one using different authentication mechanisms. One web app client will authenticate using SAML and then pass a SAML based token to the WebAPI. Another one will be using an OpenID Connect token for authentication.
We need to be able to digest both types of tokens in our WebAPI, validate them and authenticate them. Could anyone shed some light on how this could possibly be achieved? Any advice would be much appreciated.
What IDP are you using?
Some IDP e.g. ADFS can be configured to pass JWT tokens on a SAML connection.
SAML wasn't really meant for web API. You could e.g. authenticate using SAML / OIDC and then use the client credential flow to the web API which simply relies on a secret key. That would not have user context though.

WebApi service call authentication with WS-Federation and SAML

I'm trying to integrate WSFederation into my asp.net web api. I have 2 azure hosted app services one is for webapp and one webApi. Users can access WebApi from WebApp or can make direct calls from the browser.
I looked at azure samples https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect and https://github.com/Azure-Samples/active-directory-dotnet-webapp-wsfederation
I am unable to integrate both the samples to have what I need i.e. use WSFederation for web application and webApi.
P.S. I'm getting back SAML token from IdP and we are not using ADFS but Ping.

Resources