I am using Windows authentication on a website but want to have levels of access. Currently, I am using the [Authorize(Users = "userA")] syntax.
However, with upwards of twenty Windows accounts accessing a site, I don't want to have to hard-code in twenty users with each Authorize statement. What's more, some of the users need to have different access than others. I thought of having a list of users that a CustomAuthorizationAttribute iterates through to see if the desired user is among them.
Basically, I'm trying to get roles without using Forms authentication.
What is the most effective, most simple way of doing this?
Your answer lies within the ActiveDirectory domain. Since you are using MVC 3 you should have access to the following namespace "Directory Services Account Management":
http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.aspx
You can see this article for describing the whole process underneath, it provides sample code for you to use immediately out of the box:
http://msdn.microsoft.com/en-us/magazine/cc135979.aspx
Forwarning:
You will also have to establish an LDAP connection string. LDAP is a protocol used for retrieving that information from the secured windows database.
http://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx
To see the code being used in action:
http://www.willasrari.com/blog/query-active-directory-users-using-c/000133.aspx
I've done something similar to this in a .NET 3.5 environment using IIS 7.
One of the best articles I've ever read about Role-based Authorization is:
Role-Based Authorization With Forms Authentication (Part 2) By Darren Neimke and Scott Mitchell. They wrote it for ASP.NET 2.0, and no concept has been changed in version 4.0 (and 4.5 as far as I know).
To become a master in this field, read this MSDN and all of it chapters:
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
Related
We have built a portal in PHP(Laravel) + Angular for a client. User Authentication is done through LDAP.
Client also has a SAS solution for Analytics and it also has LDAP Authentication (SAS Viya).
We need to redirect the user from our portal to SAS portal and the user should get logged in automatically as both portals are authenticating the users through same LDAP.
We tried a few things, but it didn't help.
I am looking for some guidance on how to implement this and if there is any programming/configuration required on our side or on SAS side.
Hard to be specific without fully understanding your use case, but you could look to handle authentication to Viya using the SASjs Adapter (disclaimer - my team built it)
https://github.com/sasjs/adapter
Just set the LoginMechanism to REDIRECTED in the config object to support SSO or alternative login flows. If you need help, my team can be contact on https://sasapps.io/contact-us, else just raise an issue on the github.
We have an implementation on Angular that may help: https://github.com/sasjs/angular-seed-app
We have integrated a VIYA Visual Analytics report into a corporate web application, using the SDK (so not realy a redirect) with single sign on.
(I don't know all the details about how we did it. my roll was in the personalization of the report, where we went further than ordinary row level security.)
I have been planning to create a laravel+vuejs apps stretching across subdomains (presentation creator, forms creator, polls creator etc.,each in a subdomain) and will have 2 version of the same web app (indian version with different languages and content and international with different language and content) in 2 different domain say domain.in and domain.com but I want users from any app or domain to login with the single user login say from passport.domain.com we have WAP versions of the websites served from wap.domain.in and wap.domain.com and also mobile apps for both.
Now, normal users based on the userid and password, the user from .com domain will
be able to access apps and content only from .com domain and .in
will be able to access only from .in
Users will be able to login using facebook, linkedin, google, etc.,
We will have only a single app for iOS and Android and based on the username and password the apps will be able to access corresponding domain.
wap sites will login using the same passport.domain.com
mobile app will be able to access data from the domain through an appID and Key.
others will be able to embed the presentations and forms into their website using an api key and secret.
certain users will be able to transfer data created in one domain to another user in the other domain
admin users will be able to transfer data from both domains.
other platforms may be able to login using the user id from this platform.
is all this part of SSO (Single sign on) ?
is this achievable in laravel ?
is it advisable to write the sign in server in a different framework ?
different tech like SAML Outh2.0 and Open ID with terms like Authorization, authentication and id provider make it all confusing and baffling for a start up.
can some one tell me what tech are involved in the above process. and what one should be aware before jumping in to start development.
That's a lot of questions :)
IS IT POSSIBLE?
OAuth 2.0 based technologies will give you the best options, since:
It has the most up to date app security options
It is designed to be web, mobile and API friendly
Access tokens are designed to cross domains
WILL OAUTH DO EVERYTHING?
No it will not - you will need to build most of the above behaviour yourself, and implement a software architecture, as for any other security technology.
An Authorization Server will externalise logins / passwords and issue tokens. Your apps will then need to implement 'flows' including:
Web token based security and session management
Mobile token based security and session management
API token validation and claims handling
Integrating third party security libraries
GUIDANCE
When new to OAuth tech the best choices and design patterns are not clear, as you indicate. If it helps, my blog has some details you may find useful, but it is not a simple journey:
Step by step tutorials and code samples
Design posts on the tricky areas
Blog Index
This is not a Solution but an article I stumbled upon which explain the terminologies involved in user authentication and SSO.
Laravel authentication an overview
Hope this helps others who are looking for an answer like me now or in future.
I have an ASP.NET 5 (RC1) application for which I am trying to set up authentication and authorization. However I am confused and overwhelmed by all the varying authentication and authorization information online in as it pertains to this platform. Much of it seems either hopelessly out of date or simply doesn't seem to apply in this particular usage scenario. Right now, I'm not even sure what the right 'terminology' to use for the question I am trying to ask, but I digress.
What I am trying to accomplish is a system whereby users are authenticated/authorized via Azure AD (B2C?), with additional user profile information stored in a database. However, the user context in the controllers is accessed in a consistent way using what I presume would be a custom ClaimsPrincipal/ClaimsIdentity? I would imagine this should be as simple as adding an 'authorize' attribute or something similar and accessing the ClaimsPrinciple.Current.Claims.
I have used ASP.NET Identity in the past, but many of the examples I have found aren't using that. Most are simply using the UseOpenIdConnectAuthentication middle-ware. I see that ASP.NET Identity is still available but I'm not sure it applies in this scenario. I also found a couple posts on here suggesting using a custom ClaimsIdentity to accomplish this, but I am having trouble finding useful up to date examples. BTW, I realize that much of this "profile" information can be stored as custom attributes in azure ad but the way some of the information is used within the application prohibits all of it from being in azure (i.e. EF linq joins and such).
Please, tell me if I am even close on some of this. I know this is a fairly new platform and the information is sparse, but certainly I'm not the only one asking these questions.
Just calling out an excellent article Identity management for multitenant applications in Microsoft Azure.
A lot of your questions are answered there.
e.g. you can augment the claim in the OWIN middleware AuthenticationValidated event.
ASP.NET Identity is claims-based in that the attributes are delivered as claims but authentication is on the DB, not via external IDP like Azure AD.
B2C is a special case in Azure AD - used for many (millions!) external users who can self-register and self-manage e.g. SSPR.
B2C uses a separate tenant to the normal Azure AD one and the users have no access to things like O365 or any SaaS applications.
We're developing an API and a single page application (that is one of more possible future consumers of it).
We already started on the web API, and basically implemented a system very similar to the one John Papa made in his course on pluralsight, named "Building Single Page Apps (SPA) with HTML5, ASP.NET Web API, Knockout and jQuery".
We now need to implement authentication and user managing in this application and need to find the easy way out to implement this in as little time as possible as we are in a hurry.
We realized the SPA template included in the ASP.NET update had very similar features to our needs, but we wonder what the best approach to implement a similar feature in our existing code.
We are novice developers, as you might figure.
Is it possible nstall some packages using the package manager, and voila, a simple membership and OAuth auth option be readily available?
Our use case is that we need to protect some resources on our API based on roles, and that one should be able to log in using a username and password, but also log in using ones facebook, google, or twitter account.
Found an interesting talk regarding the subject here: https://vimeo.com/43603474 named Dominick Baier - Securing ASP.NET Web APIs.
Synopsis: Microsoft’s new framework for writing RESTful web services and web APIs is appropriately enough called ASP.NET Web API. As the name applies, this technology is part of ASP.NET and also inherits its well-known security architecture. But in addition it also supports a number of new extensibility points and a flexible hosting infrastructure outside of IIS. There are a number of ways how to do authentication and authorization in Web API - from Windows to usernames and passwords up to token based authentication and everything in between. This talk explores the various options, and puts special focus on technologies like claims, SAML, OAuth2, Simple Web Tokens and delegation.
We eventually went with the SPA template, doing authentication on the API (separate MVC part).
Then the API would generate a unique token and redirect the user to the front-end with the token in url parameters.
The front-end then needs to send this token on every subsequent request.
Have a look here - Identity Server done by the security experts. This is all you need in one package.
In terms of OAuth, you would need to use Client-Side Web Application flow which the access token is issue immediately to the client and can be used.
I need an application to run under Forms authentication, but automatically log someone in via their pass-through Windows credentials. So, essentially, I need both -- Forms authentication with no login screen, just pass-through from Windows.
Obviously, I can't run both methods. I had an idea of setting the app to Forms, with a login page that's protected by Windows, then detected their Windows username from there and then manually logging them into Forms behind-the-scenes.
How reasonable is this idea?
Much to my surprise there is no "automatic" support for this "mixed" authentication model in ASP.NET but there are several known work-arounds that you can implement to give you what you need.
Here is a good article that discusses the relevant factors and served as a "guide" for how I recently addressed this same requirement for an MVC 3 application I was writing:
http://www.codeguru.com/csharp/.net/net_security/authentication/article.php/c19559/ASPNET-Mixed-Mode-Authentication.htm
I did not follow this article to the letter as I had slightly different requirements around how I dealt with roles and session timeout management but this article was a great start! Pay close attention to thew configuration of the forms authentication keys in the machine.config and web.config files...
Good luck!