I'm trying to integrate WSFederation into my asp.net web api. I have 2 azure hosted app services one is for webapp and one webApi. Users can access WebApi from WebApp or can make direct calls from the browser.
I looked at azure samples https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect and https://github.com/Azure-Samples/active-directory-dotnet-webapp-wsfederation
I am unable to integrate both the samples to have what I need i.e. use WSFederation for web application and webApi.
P.S. I'm getting back SAML token from IdP and we are not using ADFS but Ping.
Related
I need to implement SAML 2.0 sso authentication to our existing Web API. I am fairly new to the topic so i am not sure where to start. i have been playing around with the dev ADFS server (ADFS 4 - Windows server 2016) and been following tutorials on how to setup Relying Trust Party.I have gotten the gist on how SAML works but still lost on how to implement this one via code in my webapi. I want to know how to begin implementing the SAML 2 auth to connect to the ADFS server, the web app is deployed on a different iis server. I have read https://github.com/Sustainsys/Saml2/tree/master but i am not getting how my web api would connect to the ADFS server to retrieve a SAML token and process it.
The problem you have is that the SAML spec. does not cater for API (either webapi or REST API). It's purely a browser SSO redirect protocol.
In ADFS, API are configured by the Application wizard but that's OpenID Connect with a JWT not an XML token.
Update
If your webapi is a REST API then use OIDC with a JWT.
Just FYI: ADFS also supports WS-Fed. WS-Fed does have an API profile (called the active profile) which is essentially WCF.
I have developed an intermediate API layer (acts like a Gateway) for mobile clients using WebClient with spring boot. My application retrieves the data from a third party application using REST API. The third party REST API authenticates the requests using the session token. My application has no authentication or authorization layer, it just authenticates the requests from a mobile device using the third party authentication. The mobile device passes the userid and password of My question is
How do we configure WebSecurityConfigurerAdapter for this usecase?
What are the best security practices in this scenario?
Work on ASP.NET Core with Angular project it's based on aspnetboilerplate framework, need to authenticate. Looking document Authorization but failed to configure the application for authenticating and authorized on role base.
Need guideline/example how to implement the authenticate process in aspnetboilerplate framework project.
I am working with a project where frontend is Angular 4. It consumes Asp.Net WEB API services. I have implemented token based authentication for accessing restricted api calls along with refresh token implementation.
Now i want to implement additional authentication mechanism like Native AD, ADFS and other third party services like OKTA using SAML 2 authentication.
I want to understand flow how it will work with web api along with Angular SPA.
These are the flows you could use. https://developer.okta.com/authentication-guide/implementing-authentication/ and Okta already have SDKs that can help you https://developer.okta.com/quickstart/#/angular/nodejs/generic. <- uses Implicit flow.
I've implemented an ASP.NET Web API application having one regular controller (HomeController) and several other Web API controllers. I have already the handled authentication for the API controllers (using anonymous authentication together with custom authorization attributes), but i want to restrict the access to the MVC controller and all its actions using Windows Authentication, without affecting the rest of the controllers.
Is it possible to achieve this? Can Windows and Anonymous authentication be mixed is such a way in a Web API application?
Note: the application will be hosted in IIS.