We have implemented SSO (Single Sign-On) for a group of websites with different domain names using passive federated identity (C#, ASP.Net MVC 3, WIF). The setup works fine as it follows the standard passive federation with login page hosted on STS.
www.brand1.com
www.brand2.com
...
www.sts.com (login page hosted here)
Now the client wants that login pages are implemented on each relying party so that the user does not get redirected to STS. The reason is that each relying party is a known brand therefore redirecting to a different domain name (hosting STS) is not acceptable for the respective brand. Customizing login pages on STS for each brand is not acceptable either.
Is there a way to move login pages to relying parties?
There are two routes you could go with this:
You can create a login page on each relying party that uses active federation to authenticate your users. This is dependent on the STS offering a WS-Trust endpoint.
If you have control over the STS code, you can simply have your relying parties POST the login credentials (username/password) to the STS, and the STS site would process the authentication request as before. This is an approach I've used successfully in the past.
Hopefully this helps.
Related
I have the below problem I try to solve:
There is an MVC web application (AppA) in domain DomA that is configured to use a CUSTOM STS for authentication/authorization.
On the other hand we have a CRM installation in another domain, the MyCRM domain, that is configured to use ADFS (ADFS is in the same domain as the CRM).
What we want to achieve is the AppA to be able to POST data to the Dynamics CRM Web API but we don’t want the users of AppA to re-enter credentials or have any other kind of interaction regarding authentication/authorization with ADFS.
The AppA should be able to POST data from both Javascript (client side) and the backend (MVC controller)
How could we achieve the above?
What kind of Trust should we establish between the Custom STS of DomA domain and the ADFS of MyCRM domain?
You don't need federated identity for back-end (server-to-server) connections. You might want to use Impersonation which permits you to setup a user account that can act on behalf of another user in the system.
I have asp.net mvc3 application with forms authentication. But the our client request AD authentication as well. But the mvc3 app is hosted outside the clients network. What are the possible solutions for this.
Get permission to access the clients network from remote server.
Get an API to access the active directory data from webserver.
If we choose opt one how could we access active directory for authentication from outside the client network. I anybody have any idea or better options please let me know. Thanks in advance.
My guess is that the Microsoft security products can support this out of the box but I'm not sure how so I suggest that you direct your question to whoever supplies your client with their Microsoft product support.
If you'd rather build a solution so that you've got more control over how it works a quick search found an interesting approach at https://support.freshservice.com/support/solutions/articles/169196-setting-up-active-directory-single-sign-on-sso-for-remote-authentication where they created a simple ASP.Net web site that used AD authentication for sign-on. MVC 5 can build a WebApi site that does that just by creating a new project in Visual Studio with the right options.
That site wouldn't have to do anything except confirm that the credentials supplied were valid or not. Your application would ask the user to enter login / password details, then send a (properly secured) web request to the authentication site to determine whether they're valid. As long as you keep the communication between your server and the client web service tightly secured this should do what you need without much fuss. That approach removes the need for your server to communicate directly with the client's AD server.
Sorry if this is a bit long. Got a requirement to integrate our application with client's main portal site. The portal is maintained with a SAML 2.0 SSO features and as such, we'll need to integrate our login using SAML 2.0 as well.
The integration is done via an iframe, i.e. on the main portal, an iframe with the url pointing to our application. When user is logged in and click on a menu link, he/she will be presented with the iframe page, with our session checking with their IDP to make sure they are valid users. If so, then our application will continue to load as per usual.
The issue is that we'll need to maintain our session on our servers, while they shall maintain the session on their app server. If the user stayed on our site for a while, the session on the client main portal will timeout. And when the user click on the main portal link, they will be required to log in again.
It is suggested that when the user tries to navigate to the main portal pages, it will call a service (for now assuming it's an IDP) on our end to check whether the user session is valid or not. If it is, then we need to return a SAML response to them to validate the user.
We're exploring setting up an IDP service at our end to facilitates this, but it seems to be overkill to me. Is there a way for an IDP to only provides check on a user's session? Or is there a better option for us to achieve this?
Things that could not be changed:
1. SSO language: SAML 2.0
2. Server: Weblogic 10+
3. HTTPS a must.
Appreciate any suggestion or feedback.
Thanks.
Based on the provided information, I assume your application runs on WebLogic 10+. If the remote server too uses WebLogic you might be able to just implement the SAML authentication between the WebLogic federation. This will simplify everything and you don't need to do complicated application customization.
If the remote site does implement SAML and not on WebLogic, you still should be able to implement SAML authentication through the WebLogic configuration. This is straightforward and can be done without much hassle.
However, please be reminded that WebLogic 10+ does not support SAML SSO logout. Therefore, this needs to be handled separately.
I have developed a web application (spring mvc, spring security) which has a its own login.
Now I want to change the application to login with an another web site's (2nd web) credentials and also need to get some user details from 2nd website.eg: username, user role list for create authentication object.
Please help me to choose best way to do this.
Is openID or oauth2 better for my client application?
OpenID and oAuth are 2 different things.
Lately, Google announced it stops supporting OpenID, so maybe oAuth2.0 is a better option for you.
Note that if you choose oAuth of 3rd-party, you force your users to have account there. for example, if your application (the resource server) uses Facebook for authentication/authorization, your users will HAVE TO have account on Facebook (you want that?!).
If you work with OpenID, your users have several options of where to hold their account...
If you have another 3rd party (or in-house, it does not really matter) authentication server and you want to authenticate your users with it - you have to know what specifications it supports. For example, if it supports oAuth2.0, you can pretty easily configure your app to work with it.
Hope that helps...
If I understand you correctly, you are talking about using Social Networks like Google+, Facebook, to be able to login to your application (This is identity services, where you don't have actual password, but rather access token with limited scope).
For that there is a Spring Social, project, that provides set of abstractions, for such kind of integration, including additional Spring MVC Controllers, needed for proper authentication in this Social Networks.
We are having a hosted web application and it uses forms authentication.
This webapplication is accessed by users belong to different partner organizations.
Currently users belong to the partner organizations are accessing the application using the credentials that we give it to them.
Now, some partner organizations wants their users to access the application using their active directory credentials.
We are planning to use ADFS for these partner organizations, so the users will be authenticated using Active Directory within their network and claims will be sent to the webapp via the Authentication token cookie set by the ADFS. From the claims, we map the users to the internal userIds of the web application.
My questions are , if we make the web application ADFS enabled,
1)Is it possible to still allow the other partner organization users(who don't want to use ADFS) to login to the web application using the existing login page(forms authentication)?
2) Should every page in the ADFS enabled webapp be accessed through https?
Any solutions or pointers would be much appreciated.
Thanks
-arul
Your app needs to require claims that describe the user, regardless of where they login from. It should not handle authentication in either case; this should be delegated to a trusted issuer, an STS. This will allow it to interact w/ users in a uniform way irrespective of where and how they authenticate. This means that you're going to need to use ADFS in two roles: that of an Identity Provider (IP) STS and of a Federation Provider (FP) STS. For users of partner companies that don't want to maintain users themselves, you'll be the IP-STS; for those that do, you'll be an FP-STS. In the latter case, ADFS will redirect users from your realm back to the partner's site where their IP-STS will authenticate them and send them to your FP-STS. It will map your partner's user ID and claims into ones that make sense in your realm. This and other information about the user will be included in the set of claims that are issued from your FP-STS. As a result, your app, only trusts your STS regardless of which scenario is appropriate for different users. Note that in this scenerio, there will be two STSs: your ADFS FP-STS and your partner's IP-STS, which may or may not be ADFS. In the other case, there will only be one STS: your IP-STS.
Not every page on your ADFS Web app needs to be accessed via HTTPS; however, everyone that's used in the authentication process should be.
This is really a non-trivial undertaking. If you want to talk about it more, please feel free to get in touch w/ me.