Federated Security/STS - asp.net-mvc-3

I have a asp.net site that uses federated security for authenticating the user. Therefore a user navigates to the url which is redirected to a login page and if successful gets routed back to the main application. What I need to do is somehow have the main application allow some code to be ran before being redirected to the login page. This is because the intial request may have some query string parameters that I need to store in the users session as the request back to the main application is dropping them.
Is this possible... any thoughts or examples would be greatly appreciated!

I am not sure whether this may help:
You can turn off the WIF’s built-in redirection of unauthenticated sessions by modifying web.config file:
<microsoft.identityModel>
<service>
......
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="false"
......
and once your reconstruct your query string, you can update audienceUri and realm.

Related

asp.net core 3.1 Identity - redirecting to login after SignInAsync() when referrer is Stripe

We have an issue with a asp.net core 3.1 MVC application. The application is using the built in asp.net Identity feature. The application is working well for existing users. If you hit any [Authorized] route, you are redirected to the login page as expected.
However, rather than have a registration process in our app, for new users, we onboard them via Stripe Checkout. Upon successful payment, stripe redirects to a specific route in our application /conversion/success/{sessionid} where sessionid is the Stripe session. This action is marked as [AllowAnonymous].
We then pull the necessary customer details from Stripe, create a user in our repository via UserManager<T>. We then call SignInManager<T>.SignInAsync() to sign in the new user, before redirecting the new user to the [Authorized] home page.
This process works perfectly when running locally on our test machines. Also, when running on our production server (Azure App Service) it also works perfectly when we hit the route manually through the browser.
However, when we actually run the process through Stripe, complete a payment and let Stripe redirect the customer, we get a strange behaviour.
The conversion route is hit, the user record is created, the sign in process completes but upon redirection to home page, the authentication middleware takes over, says it's not authenticated and redirects to the login page.
Just to compound matters further, if you then simply type in the home page route in the browser, the user is in fact logged in exactly as expected and the application works perfectly.
Using Fiddler to intercept the calls and look at headers, etc. we can't see why there would be a different behaviour when coming from Stripe as opposed to typing directly. We've even tried redirecting from a different website to our registration process and that works as expected too.
Any idea why we are seeing this behaviour?
---- Update ---
If, rather than redirect to home page at the end of the onboarding process, we simply show a simple View with an anchor link to home page, the user can then go to home page as expected.
Is it possible that you're rendering the page before authentication has been completed? Since UserManager uses a cookie to establish the user's session, authentication needs to complete before any response headers or body is set so that the Set-Cookie header can be sent in the response.
Based on what you described it sounds like the user is hitting the homepage after the redirect without having the authentication cookie. Where I'd start debugging this is by using your web inspector with "Preserve log" turned on and going through the Stripe Checkout process. Then, inspect the headers sent to the browser when you land on the redirect page & make sure the authentication cookie is set.
Between requests to Stripe and SignInAsync it seems possible that there might be a missing await, so the redirect is happening before the authentication context is updated. Hard to say more without seeing your code!

Jmeter: To login multiple times and hitting multiple URLS

I am novice in Jmeter, just started to know its inner functionality. I am stuck in a problem. I have to hit multiple urls (only search id) is changed so in "HTTP Request" i have placed "/build-4.4.10.0/?earchId=${ID}&Application=sc&IsSearchLink=TRUE"
I am providing session key and that search id through csv file. Problem is though its going to the link but redirecting it to login page, and i do not know how to create users on run time and assign to that each URL.
I have 200+ URLS, what should i do, please guide
Thanks
If your application needs any login authentication and/or cookies, then you will need to add the Cookie manager for maintaining the session, else application will not be able to maintain a session and it will throw the user out of the application, then redirecting it to the login page.
You can refer to the below mentioned links for more information about cookie manager.
https://sqa.stackexchange.com/questions/13966/jmeter-http-cookie-manager/13975#13975
http://jmeter.apache.org/usermanual/component_reference.html#HTTP_Cookie_Manager

Host name issue with WSFederated Authentication

I have configured Local STS with my web application (which is hosted in IIS 7 and has the host name as www.abc.com) and it can receive the claims from the STS and it can login. Now I have added another host name (www.xyz.com) to my web application. If user a login to a page in the application using www.abc.com/page1 and it redirects to local STS and it authenticates the user and adds the security token. Now if the user visits www.xyz.com/page2 it also redirects to the STS for authentication.
If a user either logged in www.abc.com or www.xyz.com they need to access the other domain page with out login. Is it possible? How do we achieve this?
In broad strokes, if you have two different relying parties, each needs to route the user to the IDP. If the IDP is configured for single sign on, the user will only notice the routing to the IDP the first time. On the second routing, (assuming same browser session and that the routing is within the lifetime supported by the IDP) the user will be authenticated without seeing a page at the IDP and being required to present credentials.
So, part of your answer hinges around what you mean by login: if you mean "experience a challenge and enter credentials" by log in, you should be able to enable this by simply ensuring that the IDP is configured for single sign on.
On the other hand, if by login you mean the redirect to the IDP, then you need to make sure the application is able to share state across the different page names. Note that usual management of state is via cookies, and note that a cookie for abc.com will not be returned to a web page named xyz.com. There are a number of clever ways to resolve this, although i am not aware of any simple application configuration solutions. One example is to have some part of both the abc.com page and the xyz.com page accessed by the url shared.com. State cookies can then be set by the shared.com transaction when logging into abc.com and read by the shared.com transaction when subsequently accessing xyz.com.
I've never had to implement such a cross domain cookie solution and have only had off-hand conversations with colleagues about it: we've always found the silent redirect of single sign on to meet our requirements. Careful research into the privacy impact of such a solution and the likelihood that such cookies might be blocked should be considered before development.

how to set cross domain session

i'm trying to create a web app with back and front end separated, so there is two project here. The reason is there is a plan in the future to create mobile version as well, so i made it decoupled.
Just FYI the back are created with PHP using laravel4 and barryvdh CORS
and the front end are created purely with angularjs and bootstrap.
The current situation is that i create a rest API in my back end app to do login, auth, and logout.and in the front end i have 2 pages, which is login and index page.
Login page are composed of username, password input field and submit button,
when user click submit button, it will call the login rest API from the back end and i expect it would persist cookie to the front end page if login success, but it doesn't (because of cross origin policy, i've research as much).
The question is, is there any way to set sessions across domains now it is 2014, where any article i found are from 2012 older. If it's not possible, what's the easiest way to persist session across domain besides OAUTH2 and openID (because their learning curve are just too steep, the application i'm creating are just small app)
Thanks for your assistance.
what I have done so far to work with cross-domain sessions is to create a "passport" service on a another domain and validate & handle the session from the there.
For example...
domain1.com has webserver1
domain2.com has webserver2
passport.com has webserver3
Whenever I connect either to domain1.com or domain2.com I'm including a line at the very top of the script index checking on passport.com/check.php whether there's a browser session already initialized under the name of "PASSPORT", if so, I finish the checking on passport.com and let the script on domain1.com or domain2.com to do their stuff.
In case the browser session wasn't initialized, the check.php will redirect the index via header() to the login.php page. This will validate against LDAP and if binding the user is OK then the browser session is initialized with the name of "PASSPORT" and including all the fields I need furthermore to validate the user and its accesses. Ref back to the index once is done.
When the user goes from domain1.com to domain2.com (or the other way around) the script included at the top of each index will check the session again all the time, taking the user to the login script or letting him access the required site.
As additional checking you can create the session and add variables such as "valid until", "access level", etc.
Hope this helps and if you need further clarification let me know.
Best,
Emiliano.

Enter in to a particular page through the browser after I login to the system

Need some idea on the process to land in a page after I login to my web portal. My requirement is I will enter Url of a particular page in to the browser, then system will check is the user is login to the system, if yes it will land on the page I have entered but if not then system will take me to the login page and after successful login I will be landed in to the page I have entered in the browser.
So, please tell me how to do it in plain servlet/Jsp model, Spring and Struts 1 and Struts 2.
Any post will be helpful
I know about basic jsp/servlet model.
Write a Servlet filter which will intercept every request from the brwoser, there check is the user is logged in or not. If logged in your normal flow will continue but if not then redirect to the login page. When you are redirecting to the login page, make sure you send the url hit by browser in the response. Now in client side hold the url send in response and after eneter credentials in login page when user will submit the record send the url (Hold in the client side from response) in the request and after successful login use Servelet Request dispatcher to land in the url.
I am not sure but spring-security has this feature and struts 2. But implementation process can be share by others who are familiar on this technologies. But in struts 1 it's not available and you have to do it manually.
it will very easy with spring security you just need to secure some path pattern. you doesn't need to add some code in your jsp or controller, example
for url /admin/* need administrator role
for url /user/* need user role
for url /public/* no need login (anynomous)
it just need configure at your spring-security.xml
you can start here

Resources