How to disable individual authentication in MVC Application - windows

I am editing a template with authentication enabled in MVC with OWIN. I want to disable the authentication in the template and use an Oracle DB on the server to log in the users. I searched for how to disable the authentication but found no result. I don't have an option for registration. The user should be logged in if the user name and password are in the DB.

There might be some confusion. As far as I can understand from your question, you want to remove authentication because you want to use Oracle authentication. But you can keep your authentication module and use an Oracle DB, no problem. If you are using Microsoft Identity check here and here. Things might have changed a bit.
You have to implement your own for Oracle:
User (Microsoft.AspNet.Identity.IUser)
Role (Microsoft.AspNet.Identity.IRole)
UserStore (Microsoft.AspNet.Identity.IUserStore)
UserManager (Microsoft.AspNet.Identity.UserManager)
RolesStore (Microsoft.AspNet.Identity.IRoleStore)
RoleManager (Microsoft.AspNet.Identity.RoleManager)

Related

Get the users Credentials from APEX_WORKSPACE_APEX_USERS for TFA in oracle apex

I'm planning to perform two-factor authentication in Oracle APEX with APEX authentication.
The part I'm struggling with is getting the user name and password from APEX_WORKSPACE_APEX_USERS and performing the authentication; the rest I can do. Any suggestions would be appreciated.
Thanks in advance.
Not sure what approach you are using. Are you trying to use a custom authentication scheme that leverages APEX workspace accounts?
Several people have posted on this subject (2FA) and provided end-to-end examples of 2FA in APEX over the last couple of years:
Oracle Apex two factor authentication
https://fuzziebrain.com/content/id/1718/
https://asktom.oracle.com/pls/apex/asktom.search?oh=9281
https://apexutil.blogspot.com/2018/07/two-factor-authentication-with-apex.html
As far as I can tell, using 2FA generally requires a custom authentication scheme. You can get there indirectly if you reconfigure APEX to use something like HTTP Header authentication rather than username and password. Then user credentials can be supplied by an external certificate or smart card, which qualifies as 2FA. I have written on that subject here: https://pmdba.wordpress.com/category/apex/http-header-authentication/

Trying to obtain the Windows Identity of the Logged on User in AccountController

Using framework ASP.NET Core - on .NET Core MVC, jQuery.
In the account controller, I am attempting to obtain the user currently logged in to that machine on an intranet network, i.e. the Windows authenticated user.
If I try WindowsIdentity.GetCurrent() it just returns the identity of the application pool, not what I need.
I have anonymous turned off and windows auth turned on in both the launchsettings.json and the IIS settings.
I understand that the identity middleware for abp framework I'm using is table based so the Controllers 'User' property is not what I need either.
I am wondering whether this is a limitation of the .net core?
You need to disable Anonymous Authentication and enable Windows Authentication for a specific page like the Login page. This way, you say the Login page requires NTLM. So the browser sends authenticated user information. And you can retrieve it with HttpContext.User.Identity.Name
Then there's next challenge! Authenticating this user with ABP. For this one, you can check out this StackOverflow post.

IdP initiated flow - Identify okta account

I have an MVC application (.Net Framework 4.5) which has been there for the last three years and uses the Forms Authentication mechanism. This application provides different accounts like Personal, freebie, Enterprise etc. For an enterprise account, we are handling everything in the same application. I.e. suppose an enterprise called “xyz” created an enterprise account with the application, then we are providing a custom URL like “https://application/xyz/login” and from the URL we are identifying that enterprise. I don’t know the exact reason why they implemented it like this, as I have seen applications where enterprise accounts are created as subdomains (e.g. https://xyz.okta.com). Now the client asked to integrate Okta into this application.
So I looked into Okta and found SAML is the right way to do it and ended up with KentorIT AuthServices. Initially, I was able to integrate this with a sample MVC application and the authentication part was working fine. With some basic idea about SSO, I have started integrating Kentor AuthServices into my application. The challenges I found in this implementation are:
1) For Enterprise accounts, Okta configuration settings are different for each enterprise and with my current application implementation, it is not possible to set them from the web.config. So I have tried to set them from code and I was able to integrate those settings by replacing Configuration.Options.FromConfiguration;. I’m planning to store all configuration related things ("Single sign-on URL", "Audience URI", "Identity Provider Issuer" etc.) in the database so that I can get the information whenever I want, and I’m assuming that the “Identity Provider Issuer” Id is unique for each Okta account. In an IdP initiated flow, when the user tries to access the application it will redirect to the AuthServices\Acs action method and from that, I’m trying to read the configuration settings. From the request is there any way I can identify from which Okta account the call came (like Identity Provider Issuer)? Currently, I set the "Identity Provider Issuer" value (which I think should be unique for an Okta account) in the Default RelayState field under the General SAML settings tab and I was able to retrieve it from the AuthServices\Acs action method. Does it seem to be a good idea? Please advise.
2) The Enterprise accounts are limited based on the number of licenses (say 50). Suppose the Enterprise Okta admin intentionally added 55 users; all those users can successfully authenticate to the application based on the default settings. Is there any way I can handle this scenario? Do I need to keep a record of the list of users that came under a particular enterprise account?
3) From the documents I understand that Kentor authentication service is only for authentication and authorization part has to be done from the application itself. The current application implementation consists of a custom authorization attribute which checks for user permissions that are stored in the database. That should be there as it is and we have to do the authorization based on database permissions. Right?
Expecting your valuable suggestions and please correct me if I'm wrong. Thanks in advance.
1) Don't use the RelayState for sensitive data unless you cryptographically sign it. It is not protected by any signature when using the POST binding, so the user may manipulate it. To get the issuing IdP, check the issuer field of any claim generated by AuthServices instead.
2) Yes.
3) Yes, that's the whole idea with Kentor.AuthServices: To plug SAML2 authentication into the security model of .NET to allow you to use any current/traditional Authorization setup.
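
Resolving the enterprise from the claim issuer, as the answer above suggests, with the seat limit from point 2 enforced at first login. This is an added example, not code from the original posts or from Kentor.AuthServices; the tenant class, the sample issuer URL, and the assumption that the SAML NameID arrives as a ClaimTypes.NameIdentifier claim are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Hypothetical tenant record; in the application this would be a database row.
public sealed class EnterpriseTenant
{
    public string Name;
    public int LicensedSeats;
    public HashSet<string> KnownUsers = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
}

public static class TenantResolver
{
    // Constructed sample data keyed by IdP issuer (entity ID); the URL is a placeholder.
    static readonly Dictionary<string, EnterpriseTenant> ByIssuer =
        new Dictionary<string, EnterpriseTenant>(StringComparer.Ordinal)
        {
            { "http://idp.example/xyz", new EnterpriseTenant { Name = "xyz", LicensedSeats = 2 } }
        };

    // Returns the tenant for an authenticated principal, or throws if the login must be refused.
    public static EnterpriseTenant Resolve(ClaimsPrincipal principal)
    {
        Claim nameId = principal.FindFirst(ClaimTypes.NameIdentifier);
        if (nameId == null) throw new UnauthorizedAccessException("No NameIdentifier claim.");

        // Claim.Issuer is set from the validated assertion, not from the user-editable RelayState.
        EnterpriseTenant tenant;
        if (!ByIssuer.TryGetValue(nameId.Issuer, out tenant))
            throw new UnauthorizedAccessException("Unknown identity provider: " + nameId.Issuer);

        // Seat check: users already recorded pass; new users are admitted only while seats remain.
        if (!tenant.KnownUsers.Contains(nameId.Value))
        {
            if (tenant.KnownUsers.Count >= tenant.LicensedSeats)
                throw new UnauthorizedAccessException("License limit reached for " + tenant.Name);
            tenant.KnownUsers.Add(nameId.Value); // a real store needs a transactional insert
        }
        return tenant;
    }

    public static void Main()
    {
        var id = new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, "alice@xyz.example", ClaimValueTypes.String, "http://idp.example/xyz") }, "Federation");
        Console.WriteLine(Resolve(new ClaimsPrincipal(id)).Name);
    }
}
```

The existing custom authorization attribute still runs after this step; the resolver only decides which enterprise the login belongs to and whether a seat is available.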

Can I use Windows Authentication with ASP.Net Identity?

Am I mad?
I can create authentication providers using OWIN and ASP.Net Identity for Facebook, google, etc. But I have a requirement to authenticate my users against Windows. I'd rather not require the configuration of AD, or to tell IIS what Domain to authenticate against; I just want the IIS to authenticate as if the settings was Windows Authentication in the Web config.
But then I want to be able to get roles and user details. I want Roles in SQL Server. I also require the user first and last name (which are not directly available from Windows auth).
In the past I have done this with a mixed authentication middleware, and grabbed the user details from the principal context when creating the user, storing that in SQL and in the authentication cookie. But this seems a bit of overkill here.
Has anyone successfully used basic Windows Authentication but held roles and first/last name in SQL?
Thanks
Yes, you can use Windows authentication with ASP.NET and IIS.
This article should be a good start.
You can then store users and their AD groups in the application, and manage access based on that mapping.

Asp.Net MVC 3 MembershipProvider and ClientCertificate

I was thinking about writing my own MembershipProvider for my web app. People won't normally register but will be supplied with login info. Will membership then not be the right thing?
I will still have some roles and such as well, and I might want people to be able to authenticate using ClientCertificate instead of normal login. I still want them to be membership verified (there is an identifiable field in the Certificate and Database I could use) and use roles and such.
Is MembershipProvider perhaps only used with original login Authentication and not authorization?
There doesn't seem to be anything special happening when a user is validated, so how does the authorization attribute know who is authorized?
The existing membership works just fine if you want to supply login info. There is no requirement that user registration be initiated by the user. Just take the standard code and let the site administrator run it.
Yes, membership is just for authentication. The out of the box feature for authorization is the roles feature.
