What functionality does ADFS provide that is not in ThinkTecture IdentityServer 2? - asp.net-web-api

I'm trying to figure out the right architecture from a mix of current .NET authentication/authorization offerings. One question that I haven't been able to find much online information on: What are the benefits of having ThinkTecture IdentityServer 2.0 federate ADFS 2 (which is authenticating domain users using Active Directory credentials), vs having IdentityServer authenticate users against the domain directly?
For my company, I see only 3 possible requirements for ADFS 2, but I'd prefer to avoid installing it if IdentityServer is sufficient (mainly because it's open-sourced, and therefore more readily debuggable, extensible, and understandable):
Claims-based authentication of corporate (Active Directory) users.
Support for Office365 SSO - there are directions for integrating Office365 with ADFS
Federating external (business partner) ADFS services (we don't currently need this, but I'd like to keep the option open)
Is any of this functionality not provided by, or not easily added to, IdentityServer 2.0?

Well IdSrv does not do Windows authentication out of the box. It would be easy to add forms based authentication for AD users - but Windows integrated (SSO) would be more involved.

IdentityServer is a really good product but:
Only authenticates against SQL not AD
Doesn't have SAML support - useful for third party integration e.g. SalesForce
No rich claims rules language
which ADFS does for you.
#leastprivilege answered the first - the rest are definitely not trivial to add.
Don't have much experience with Office 365 but it sits on top of Azure Active Directory which can be hooked up with IdentityServer - refer Federating IdentityServer with Windows Azure Active Directory.

Related

Centralized Authentication Server OpenAM vs FreeRadius

The basic requirement is to centralize the authentication and authorization of multiple SaaS applications to ease development (each SaaS application using minimal code to authenticate against a single source) and when necessary provide SSO. The authentication mechanism must handle the following options available to the user:
Use Third Party Authentication -- Google
Use our centralized authentication
Use the corporate provided authentication (ADFS)
In my research, I have found many, many ways this can be done and have found OpenAM to be the most complete solution, but then I came across FreeRadius which could also be used.
My Questions are:
There seems to be a plug-in for each tool where one can use the other together (OpenAM - authenticate against radius server), but is there any use case where FreeRadius would be preferred as the SOLE authentication server over OpenAM.
Does OpenAM require that a web agent installed for the server - if all I am doing is serving a Restful Interface (developed in Node.js) - is it possible to authenticate users without installing a web agent (there is no web agent for Node.js).
Can I pass user credentials from Browser -> Server (node.js) -> OpenAM, thereby not giving the user the OpenAM login screen? The OpenAM token will be passed from OpenAM -> Server -> Browser (setting the cookie's origin as the SaaS application's).
That is each SaaS application server will serve as a "proxy" for user management (authenticate, authorize, and manage[create|update|delete] users)
Thank you
I'm early to the Open Identity Stack game but I am deploying an OpenAM (and OpenIDM + OpenDJ) based solution to handle exactly the solutions you mention.
direct answers:
As far as handing sole authentication over to FreeRadius I don't see why you would want to but anything is possible. Given your mention of the multiple directories (identity sources - google, ADFS, and your centralized authentication) I would think hooking up OpenAM to provide the RADIUS authentication (i.e. OpenAM RADIUS hook, not FreeRadius) would make sense.
No, a web agent doesn't have to be applied but it may make sense. There are some node.js pieces to help (https://github.com/alesium/node-openam). You just need to talk from your server to the OpenAM side (REST) and that should be good.
You can do that or you can just skin the OpenAM login screen to look like your own. I'd suggest the latter as you're then relying on OpenAM for the login screen security. If you're doing a pure proxy then you take that burden on. Your call as a design decision obviously.
good luck!
You're comparing a RADIUS server with a Web SSO solution ... I'm not sure if this makes sense.
It seems FreeRadius does not have that many 'auth backends' (like Oauth to leverage Google Auth)
I am looking into the solution for a similar requirement myself, but I am looking to integrate 2FA as well. I have seen so many different solutions, but haven't pinned down the best one yet. Here is what I have come up with so far:
RCDev OpenID seems to be pretty comprehensive, and it is free for cases with less than 40 users.
Green Rocket's GreenRADIUS is expensive, but they have plugins for every scenario and it can work.
Red Hat's KeyCloak could be used in combination with TACACS+ or FreeRADIUS to accomplish this

MVC3 and Active Directory Federation Services

I have a MVC3 application that uses Windows authentication and works great if we deploy it on a server that is in the same domain with the users that access it.
I have a request to deploy the application on a external server, like Amazon, and use ADFS to authenticate users with their domain credentials.
Does anyone have some tutorials how to implement this functionality into a MVC3 application? I didn't find any resources to help me with this issue.
The core technology you need to look at is WIF (Windows Identity Foundation). The WIF SDK has plenty of examples of use, and I would start there.
This exact scenario is described in detail in this chapter:
http://msdn.microsoft.com/en-us/library/ff359102.aspx
I would suggest you should start with the intro sections of the same guide to understand how "claims based identity" works and the components involved.
For ADFS, I would suggest Lab 1 of this:
http://claimsid.codeplex.com/releases/view/68061

What is Shibboleth Service Provider, can & should I install it for a Windows Azure MVC3 web role?

Forgive me I am a Shibboleth / SAML 2 noob. Hopefully these are straightforward questions.
I recently posted asking whether we could do Shib / SAML 2 integration with Azure ACS. The answers led me to believe that we could not use ACS, but implement something using the lower-level WIF + SAML2 Extensions CTP libs.
On a related matter I called one of our affiliates to ask if they could add our app as a Service Provider using their InCommon Federation membership. They asked me if we were going to install the Shibboleth Service Provider on the Azure machine(s) hosting our MVC3 web role.
Until they mentioned this, I had no idea there was a Shibboleth Service Provider installer. I was under the impression, according to everything I've read so far about SAML2, that our mvc3 web role is the service provider.
So, what is the Shibboleth Service Provider? What does it do? What value would be added by installing it on our Azure instances? Do I have to have it in order to SSO against Shibboleth? or can we just do pure saml2?
My preference is to not install it, since it would have to be installed on each role instance, making deployment take longer.
There is some information on using Shibboleth 2 for SSO in front of your web application in this question: In order to implement SAML do I need Shibboleth SP installed on my host?; the answer is Linux/Java-centric.
The Shibboleth SP is a product that you can use in front of your existing web application, or even just in front of a particular SSO-login URL that you can add to your existing web application. If your application already has a notion of users, then you can simply figure out how you will map the Identity Provider's user attributes to your application users. You and your affiliated company need to come up with what you want to do to map identities from the Identity Provider to identities on your application. You might have some shared data, or you might be required to set up that data when the user first uses SSO.
The value that Shibboleth SP provides is that it is a product that implements all of the SAML 2.0 interactions you are likely to need. It's easy to configure SAML 2.0 Web-SSO with Shibboleth and have the Shibboleth module add variables to the HTTP requests that contain all of the Attributes in the SAML 2 Assertions that the Identity Provider will be sending you.
If you can do all of that with Azure ACS, then there's no need to install Shibboleth. My limited understanding is that Azure ACS may already support SAML 2.0 Web SSO: http://saml.xml.org/news/windows-azure-gains-single-sign-on-support
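As an added example (my code, not from the answer above or from the Shibboleth project) of what "the Shibboleth module add[ing] variables to the HTTP requests" looks like from the application side once the SP is installed in front of an ASP.NET MVC 3 application on IIS, here is an authorization filter that turns the SP-populated server variables into the application's user. The attribute ids eppn, displayName and affiliation are the ids from the SP's default attribute-map.xml; the in-memory lookup that maps eppn to a local account stands in for the shared data the answer says you and the IdP operator have to agree on, and is constructed for this example.

```csharp
// ASP.NET MVC 3 filter consuming attributes that the Shibboleth SP (ISAPI filter on IIS)
// has already verified and exposed as server variables. Attribute ids follow the SP's
// default attribute-map.xml; the account map below is constructed sample data.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

namespace ShibProtectedApp
{
    public class ShibbolethAuthorizeAttribute : AuthorizeAttribute
    {
        // Stand-in for the application's user store: IdP-asserted eppn -> local account.
        private static readonly Dictionary<string, string> AccountByEppn =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "jdoe@partner.edu", "jdoe" },
                { "asmith@partner.edu", "asmith" },
            };

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            var vars = httpContext.Request.ServerVariables;

            // Read ServerVariables, never Request.Headers: any client can send a header
            // named "eppn", while server variables are set only by the SP filter after it
            // has validated the IdP's signed assertion. Keep useHeaders="false" in shibboleth2.xml.
            string sessionId = vars["Shib-Session-ID"];
            string eppn = vars["eppn"];
            if (string.IsNullOrEmpty(sessionId) || string.IsNullOrEmpty(eppn))
                return false;   // no SP session: the SP's own requireSession handling should have run

            string localAccount;
            if (!AccountByEppn.TryGetValue(eppn, out localAccount))
                return false;   // asserted identity is genuine but unknown to this application

            // Build the principal the rest of the app (and base.AuthorizeCore's Roles= check) sees.
            var identity = new GenericIdentity(localAccount, "Shibboleth");
            httpContext.User = new GenericPrincipal(identity, ParseAffiliation(vars["affiliation"]));
            return base.AuthorizeCore(httpContext);
        }

        // A 401 here cannot be fixed by signing in again (the SP session already exists),
        // so answer 403 instead of letting the browser loop through the IdP.
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            bool hasSpSession = !string.IsNullOrEmpty(
                filterContext.HttpContext.Request.ServerVariables["Shib-Session-ID"]);
            filterContext.Result = new HttpStatusCodeResult(hasSpSession ? 403 : 401);
        }

        // Multi-valued attributes arrive joined with ';' (the SP default). Turn
        // "staff@partner.edu;member@partner.edu" into roles "staff" and "member".
        internal static string[] ParseAffiliation(string affiliation)
        {
            if (string.IsNullOrEmpty(affiliation)) return new string[0];
            return affiliation.Split(';')
                .Select(v => v.Split('@')[0].Trim())
                .Where(v => v.Length > 0)
                .Distinct()
                .ToArray();
        }
    }

    [ShibbolethAuthorize(Roles = "staff")]
    public class ReportsController : Controller
    {
        public ActionResult Index()
        {
            ViewBag.DisplayName = Request.ServerVariables["displayName"];
            ViewBag.IdP = Request.ServerVariables["Shib-Identity-Provider"];
            return View();
        }
    }
}
```

The filter only trusts what the SP put in the request; the SAML validation itself (signature, audience, replay, clock skew) is the SP's job, which is exactly the part you would otherwise have to build yourself on the WIF + SAML2 extensions.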

Windows authentication in asp.net mvc 3 hosted on Windows Azure?

I am migrating one ASP.NET MVC 3 intranet Website to the Windows Azure and DB to SQL Azure.
On premises my site uses Windows Authentication to authenticate and authorize the user (by placing the Authorize attribute on controllers).
It would be very kind of you if you could let me know how to go about the same. Thank you in advance!
You have two choices here:
Use federated authentication and something like ACSv2. This requires a bit of work to setup a relying party, install ADFS2, etc. However, it is the most robust and future proof option. It is a very good option.
Use something like Windows Azure Connect. That will bring Windows Authentication to the cloud by joining your running instances to your domain controller on-premises. In effect, you have something of a VPN between your cloud instances and your on-premises domain controller. There are some caveats to this model today (requires installing agent on DC for instance), but it would be from a 'just works' stand point, the easiest. Longer term, this is less attractive I believe than option #1.
You can get more details for each of these by checking out the Windows Azure Platform Training Kit.
I should also add that you have no option (today at least) of using Windows Authentication with SQL Azure. You must use SQL authentication there, so what I am talking about here only applies to the web site itself.
I'm very successfully using Windows Identity Foundation with Azure AppFabric Access Control Service to authenticate using ADFS v2.
As well as straight authentication, it gives you lots of flexibility over other claims, such as roles (which don't need to be based solely on AD group membership).
In my opinion, its biggest strength is that there is no communication channel required between the Azure platform and your on-premise AD. Everything is done via the browser. From a security perspective, this means that although anyone can reach your application, nobody can authenticate to it unless they can also reach your ADFS server. Access to this can be restricted to on-premise clients only or via VPN, greatly reducing the attack surface.
Also, because ADFS does not need to be exposed externally, it can greatly ease the bureaucratic overhead of deploying it, in my experience.
Only configuration is required, which although it can be a bit of a fiddle initially, is pretty straightforward once you've got to grips with it. You configure WIF to use ACS as its Identity Provider and create a Relying Party in ACS for the application. Then, you configure ACS to use ADFS as its Identity Provider. You could configure WIF to talk directly to ADFS, but the additional level of abstraction of going via ACS can be useful.
Once you've done your configuration, using the [Authorize] attribute 'just works'.
Note that if you're using Ajax calls into your controllers, you'll need to take some precautions, as Ajax calls don't handle the federated authentication redirect (or the ADFS Shuffle, as I like to call it), but it's nothing that's insurmountable.
All in all, I'm very impressed with the combination of WIF+ACS+ADFS for transparent Windows integrated authentication.
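An added example (my code, not from this answer, the WIF SDK, or the claims guide linked in the MVC3/ADFS question above) of the two pieces of application code this answer and the earlier MVC3 + ADFS answer allude to: a controller protected with [Authorize] that reads the claims the federated token carried, and the Global.asax handler that keeps the "ADFS shuffle" from breaking Ajax calls. It targets WIF 3.5 (Microsoft.IdentityModel) with ASP.NET MVC 3 and assumes the usual web.config `microsoft.identityModel` section is already in place (audienceUris and trustedIssuers, which is where token validation is configured, and federatedAuthentication pointing at ACS or ADFS). The role name FinanceReaders and the response header name are illustrative.

```csharp
// Global.asax.cs and one controller of an ASP.NET MVC 3 relying party using WIF 3.5.
// Assumes web.config registers WSFederationAuthenticationModule and
// SessionAuthenticationModule under those names and lists the RP's audienceUris
// and the trusted issuer's certificate thumbprint.
using System;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Web;

namespace FederatedMvcApp
{
    public class MvcApplication : HttpApplication
    {
        protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            RouteTable.Routes.MapRoute("Default", "{controller}/{action}/{id}",
                new { controller = "Home", action = "Index", id = UrlParameter.Optional });
        }

        // ASP.NET auto-wires ModuleName_EventName methods in Global.asax. WIF raises this
        // event when a request ended in 401 and it is about to 302 to the identity provider.
        protected void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
            object sender, RedirectingToIdentityProviderEventArgs e)
        {
            var request = new HttpRequestWrapper(Request);
            if (!request.IsAjaxRequest())   // looks at X-Requested-With: XMLHttpRequest
                return;

            // An XHR cannot complete the round trip through ADFS (it would just receive the
            // sign-in page as its "JSON"), so leave the 401 in place and flag it; client
            // script then does a full-page navigation, which triggers the normal redirect.
            e.Cancel = true;
            Response.StatusCode = (int)HttpStatusCode.Unauthorized;
            Response.AddHeader("X-Federated-Login-Required", "1");   // illustrative header name
        }
    }

    [Authorize]   // anonymous callers get a 401, which WIF turns into the WS-Federation redirect
    public class ReportsController : Controller
    {
        public ActionResult Index()
        {
            // The principal WIF builds from the validated token is an IClaimsPrincipal;
            // everything below came from the signed token, not from AD lookups.
            var identity = (IClaimsIdentity)User.Identity;
            ViewBag.Name = identity.Name;
            ViewBag.Issuer = identity.Claims.Select(c => c.Issuer).FirstOrDefault();
            ViewBag.Roles = identity.Claims
                .Where(c => c.ClaimType == ClaimTypes.Role)
                .Select(c => c.Value)
                .ToArray();
            return View();
        }

        // Role check against the role claims ACS/ADFS issued, which need not be AD groups.
        [Authorize(Roles = "FinanceReaders")]
        public ActionResult Quarterly()
        {
            return Json(new { ok = true }, JsonRequestBehavior.AllowGet);
        }
    }
}
```

With the redirect cancelled for Ajax, a client that sees a 401 carrying the flag header should reload the page rather than retry the call; the full-page request hits [Authorize] again and WIF performs the redirect to ACS/ADFS as usual.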

Shibboleth integration with my .net website

I need to integrate shibboleth in my application. My application is .net web application. May I know how to do this one? I have a separate server (ubuntu server) in which shibboleth idp and sp installed with apache configuration.
I have done a lot of searching on this, but I am not able to get the correct information. Can anyone suggest some URL or point out what I need to do to get it to work?
You could implement (Windows Identity Foundation) WIF in your ASP.NET Web App.
If you have Active Directory Federation Services (which basically make Active Directory speak SAML2 protocol and WS-Federation protocol), you can have ASP.NET with WIF trusting (thru WS-Federation) ADFS V2, trusting (thru SAML 2 protocol) Shibboleth.
You can find additional information in these posts. You can find sample screen shots with SharePoint instead of ASP.NET in this post (sorry it's in French). A white paper explains how to implement.
If you don't have Active Directory and ADFS V2, you may want to use SAML2 protocol extension for WIF and this thread may help.
Similar to : Single Sign on using Shibboleth
