I am using Aspnet Boilerplate to manage a multi-tenant system. I am currently attempting to turn on 2-factor authentication, which is baked into the boilerplate. I have logged into the host and turned on 2FA (because I understand that it can't be on in the tenanats unless it's on in the host first).
Host 2-factor settings
Once I do this, I can now see the settings to turn 2FA on in each tenant (which I have). My problem is that, while the host users are indeed asked for a code as expected, no tenant users ever are. This line of code:
var signInResult = await _signInManager.SignInOrTwoFactorAsync(loginResult, loginModel.RememberMe);
never returns RequiresTwoFactor == true for tenant users. I can't dig into that that call, so I don't know exactly what's happening, but I'm wondering if someone can tell me something I'm missing about turning on 2FA for tenants.
Related
I work for a large company (50K+). Some orgs within the company use OKTA for auth on their servers.
I have a valid user login (via OKTA) for the servers, and can log in through a browser without any issues, but want to access this site programatically.
How can I log into these websites using my OKTA credentials?
I've found this doc: https://developer.okta.com/docs/reference/api/oidc/#authorize
that details how to use an OKTA endpoint, but it requires some info that I do not have. Namely, nonce, state, and client_id. I have no clue how to get this info.
I've found another endpoint that allows a similar login method, but only requires username and password (I forget the doc that referenced this):
https://<company>.okta.com/api/v1/authn
I am able to successfully authenticate with OKTA using this endpoint, and receive a session_token. Can I take this session_token and apply it to my arbitrary webpage somehow? I can not find any documentation that says so.
At first glance it appears that many of the API endpoints for OKTA require intimate knowledge of the hosted application (and/or are not meant to be accessed programmatically).
Is it possible to log into an arbitrary webpage that uses OKTA for authentication, with only knowledge that an end user would have (username/password/optional MFA)?
Hi not sure you found the answer yet. from your descriptions i think yours is web app, which is supposed to use authentication code flow. else, you can ask your web developers what authentication flow they use and follow the auth process accordingly.
you need to retrieve id token & access token for authentication.
I have an application on windows azure where users are authenticating by using ACS ( with ADFS 2.0).
There is a requirement that before certain actions, the user must confirm his identity by retyping his password.
Is there some way to ask ACS to check for credentials when a user is already signed in?
For a moment I thought about checking against the cookies created for the authentication, but I am not really sure that is possible. Besides, this feels just wrong.
Any ideas? I have been trying to search for REST apis of azure's ACS but it seems there are only management api calls for ACS.
There's no way to do this other than signing the user out and making them sign back in again. Even that, though, won't guarantee a password entry in all cases. If ADFS is configured for integrated auth (Kerberos), and the user is on a domain joined machine, they may never have entered their credentials and there's nothing you can do to force them to.
We're about to start allowing our users to point their own domains at their profile pages on our website, but I've run into a problem that I can't seem to get around.
We need to make sure that when any user who is logged into the main domain visits one of these custom domains that they are going to be logged in on this site too. I've been reading about a few different approaches. SSO, CAS, OAuth... but I'm not really sure if any of these fits what I need.
I'd love to hear some opinions on it.
CAS is a SSO, it means that you will authenticate only once (just for the first app) and then you will access all app without re-authenticating.
For every app in the "CAS galaxy", you'll get the profile of the authenticated user (a set of user attributes defined according to the app).
The main advantages of CAS are its simplicity and its efficiency.
I think it meets your needs.
OAuth is about authorization : it means you will need to authenticate and authorize, which generally leads to login page for authentication and confirmation screen for authorization.
I've have some authentication scenario that I'm not sure how to approach. I'll appreciate any advice on the subject.
Requirement:
Website will contain one section
that will be only available to
specific computers.
Website needs to be aware which PC is currently making request (I need to be able to tie this PC to other tables in Database)
We have full access to PCs that will be accessing website
Website cannot require login, user should be just presented with content pages without need for logging in.
Solution needs to be secure since, it will have to pass security audit
Assume that every PC is on different network.
My ideas so far:
use client certificates but I'm
not sure whether you can issue
different certificate per client? If
the answer is 'you don't know who is
making the request' than it's failing
requirement number 2 and therefore is
not an option.
Windows
Authentication with impersonation so
I can have different users logged in
on PC (I'm in control what will be
the user name/account logged in on
the machine)
Basic Authentication and set PC to remember username/password first time. I'm a bit afraid that this "remember me" can expire which would cause big chaos since someone would have to setup this PC(s) again...
Windows Identity
Foundation - never tried but if I can
implement this scenario here in some
nice way I appreciate if you can
point me in the right direction.
Thanks in advance for your help.
EDIT:
I would prefer not to use SSL if possible... (performance consideration)
EDIT2:
Currently I think that the best option would be to check whether PC is authenticated (whether it contains Forms Authentication cookie) and if it is not then redirect him to some https:// page that will check client certificate, set cookie if cert exists and redirect back to target page.
This shouldn't be slow since SSL will be used only in rare cases when cookie expires.
Please let me know if you see any flaws in this solution. If you know how to create server certificate and later generate different client certificates from it I would be grateful for guidelines.
I'm working on a web application that uses the ASP.NET 2.0 Membership and Roles providers with Forms Authentication. There are various roles in the system. I need to have a user role that is essentially a super-user that can "login" as any user account (in effect impersonating the user).
Does anyone know if this is possible using the providers? Any ideas?
One approach I was thinking of was to logout the super-user and sign them in as the desired user with
FormsAuthentication.SetAuthCookie(username, false);
And adding a variable to their Session to flag them as a super-user. I think this would work, but I was just wondering if there's a smarter way to do it without directly using the Session object?
Asp.net approach doesn't support the concept, so you are right on trying to find an alternate way.
Something that you can do is add the IsSuperUser info to the authentication ticket UserData property.
Why don't you have a SuperUser role that can do anything? Then the user can be just part of that role.
If what you really need to have is an ability for an administrator to impersonate someone else, I don't know what is the additional flag for? If it marks the currently logged in user giving him super powers the same will be achieved by setting up a role. If you, however, need to just impersonate someone else (e.g. this is help desk and you need to see exactly the same as the end user sees) - I would just check the credentials normally, then check if a superuser is logging in and who they want to impersonate and based on that just authenticate the logging in user as the one that he's willing to impersonate.
I hope what I wrote makes sense...
Here is what I would do. Sorry no graphics, on ipad here in bed...
1) use claims based architecture. Its easy to implement, see my project.
2) essentially impersonated user will have a second identity on the claims principal object, but will have different realm (realm may be wrong word, the string you use to create the identity)
3) You can construct the identity of the impersonated user and manually build their claims.... They should get written to the token immediately. I would look at a generic Claims Transformer class to do this.
4) You may need to adjust the way the site behaves, based on the presence of a impersonated identity, but thats the fun part.
Working WIF implementation
https://github.com/wcpro/scaffr-generated