.NET Maui using Apple's Kerberos SSO Extension - single-sign-on

My .Net MAUI/.NET 7 app runs on company iOS/iPad devices, via VPN back to the company, and talks to on-prem SharePoint's API. SharePoint requires authentication.
The only way I know how to do this is to collect a user's Active Directory username and password into a NetworkCredential and attach that to HttpClient. Our internal security group demands that we stop using username/password.
It seems like Apple's Kerberos SSO Extension, and maybe Microsoft's Enterprise SSO plug-in are the correct replacement.
There are scant resources out there that show how to use these components in .Net, let alone Maui or Xamarin.
I know I'll need to ask my company to deploy both components to our MDM. What is it exactly that I need to tell them? Secondly, what do I add to my Maui app to enable it to work? Such as a device certificate, how does Maui know about it? Or Authentication endpoints (the example uses http), and how does Maui know about them? What kind of person do I look for in my (very large) company that knows the configuration values?
Sorry if every developer except me already is already fluent in all aspects of authentication.

Related

Looking for advice & direction from an existing web based MVC EF Login Authorisation; to authorisation for an additional new Maui based project

I have a complete working application that is Web based on AspNetCore.
I used the Identity.EntityFramworkCore to provide all the login and user registration on a central SQL database.
Everything is fine and working great.
But now the quandary starts. I am progressing onto the development of supporting apps for android, ios etc.
I am developing these apps using Microsofts Maui.
My thoughts are to write all the http CRUD API’s in the main ASPCore web application.
Then the Maui apps will call these API CRUD operations.
But my quandary arises with user management.
What the best way forward to have for a common User Authorisation access across all solutions. Bearing in mind the current web based Asp EF solution is there and working?
I’ve researched but can’t decide the best solution going forward: -
Using the existing SQL database & provide Authorisation through API’s on web asp application.
Using Active Directory of Azure.
Transferring everything to 3rd party provider such as “okta, OneLogin, etc”
What’s your thoughts for best practice going forward?
I am currently on the same path. Take a look at
TokenServerAuthenticationStateProvider in MAUI app
Basically I added an API controller (UserController) to my Server app that checks for username and password in SQL database and generates JWT token that I use for MAUI app login and also for authentication on Server APIs.
I use claims in token to pass User variables that I use in MAUI to display or hide some forms or controls. Like Roles but much more flexible.
For me it was the best path as I didn't have to change anything in my working web project.

How to authenticate to microsoft active directory through iOS App?

I am to authenticate username and password credentials to a Active Directory through the iOS App?
I know that this post instructs us to include the openldap in the project, BUT this post here has indicated that there are inbuilt ldap protocol that I can use to connect with the Active Directory using PHP.
Can somebody shed light on both of the topics, and pick one which would be useful for the current version of XCode.
And also, are there any examples of this that any user can share?
P.S: This is my first question in stackoverflow.
Unless you are exposing your domain on the Internet, you'll need some sort of service layer. If you know php, that is probably a good route to go. Then, from the iOS application, you simply call the operations exposed through your php server. For creating the service, you may want to look into an ldap library for php.

Single sign on solution

Hi I am using CAS for SSO. But problem is that i want reset password,register new user on CAS login screen.Does CAS provide these services or i have to implement?
Or Any other SSO solution exist which fulfill my requirement.
CAS is just a SSO frontend to your existing identity management solution (database, LDAP etc). It does not include any identity management features itself (create user account, reset password etc). I have recently been using the Cloudseal platform which is a full identity management solution and so far I am pretty impressed. I believe Atlassians Crowd also includes this although I have not used it. There are probably other products out there as well.
Both of these are commercial products although they are both free for the first 50 users. Crowd is a traditional standalone platform which you download, install and configure but Cloudseal is a hosted service so there is no installation and less config.
You can certainly modify the spring weblog and login page to allow for the functionality that of course you'd have to implement. You should also ask the question on #cas-user mailing list to see if a similar need in the community has been implemented by other users which you may be able to take advantage of. I remember only recently someone raised the same question to the list and there was a bit of interest in getting this feature developed and integrated. You may want to revisit the topic on the mailing list.
Hope this helps.

IBM Portal Database and Authentication

I have a couple of questions regarding IBM Portal Portlets.
I have just stumbled into the realm of Portlets - and as far as I am concerned was dropped into the deep end. Having to work on a IBM WebSphere Portal 6.1
We are still in the evaluation stage - and three things that I haven't been able to find clear answers to yet.
Database - is there one single Database that also gets used by the installed Portlets - or do you configure DB individually on a per Portlet Basis?
Authorization and Authentication - how can a Portlet get hold of the User and the rights the user has?
Are there any known constraints in using JSR-301 compliant JSF Bridges instead of bog standard Portlets?
Thanks in advanced.
I haven't used Portal 7 yet, but I have used pretty much every other version, so my apologies if you are using 7 and this information doesn't fit exactly.
1) Database: when you install portal, you configure a database it uses to store portal configuration (and sometimes user rights as well, although this aspect can be set up using a custom user registry like LDAP). If you don't have an already dedicated DB, Portal will use its packaged DB, Cloudscape/Derby. This DB can be completely separate from the DB that the portlets use to manipulate data unrelated to configuration. E.g. if your portlet is displaying inventory for a bike shop, the DB holding that info can be accessed in the normal web application way through a datasource set up in the WAS GUI.
2) For a lot of scenarios, your portlet doesn't need to know the user's rights, it won't render the portlet unless the user has been assigned the correct rights via Portal Administration. But in the cases in which you would need to know the user's rights, they can be accessed via the Portal User Management Architecture. Here's a good whitepaper on the subject: http://public.dhe.ibm.com/software/dw/websphere/PUMA_scenarios.pdf
3) Known constraints? You may have to google for that specifically, but I will say that unless you use IBM's custom JSF bridge, there may not be a lot of support from IBM's technical issue team if you come up against a problem. However, the support guys are usually pretty helpful, I find. Don't let that stop you from trying though :)
The two resources that I use pretty exhaustively are the InfoCenter http://publib.boulder.ibm.com/infocenter/wpdoc/v6r1/index.jsp and the developer forums on IBM Developerworks.
Best of luck, and welcome to the dark side!

Minimum overhead for ASP.NET MVC authentication

I want to keep things as simple as possible and I don't want a complicated security mechanism. Basically I need for a user an ID and an e-mail address and I really don't want to bother about other things. Also, I was a minimum overhead in terms of security (if there is anoter provider who can do it for me, that's even better).
What is the simplest way to do this? I was thinking about incorporating LiveID or OpenID by I don't know what are the advantages/disadvantages.
I am working with the Azure SDK.
If you use the Windows Azure Access Control Service, you can basically outsource all identity management. Take a look at the Windows Azure Platform Training Kit - there's a lab called "Introduction to the AppFabric Access Control Service 2.0" that will get you up and running quickly. Currently, you can choose any combination of the following identity providers:
WS-Federation
Facebook
Windows Live ID
Google
Yahoo!
"Simple" for whom?
The simplest strategy for you would probably be to use ASP.NET's standard SQL-based authentication provider. You just run a script against your database to set up all the tables, and then you use ASP.NET's built-in utility methods to authenticate. Give your user-specific tables a foreign key reference to that user's ID, and you're good to go. We've done this, and never had any trouble with it. It's a tried and well-used system, so you know you won't be introducing any security invulnerabilities by hacking your own solution together. (see SqlMembershipProvider vs a custom solutions)
If you want something simple for the user, then an OpenId solution would be my pick. Set up something like StackOverflow has, where you can let users choose an account from a number of trusted providers to allow them to log in. From the user's perspective, it's really nice not to have to remember one more username and password for one more site.