I am using Salesforce as an IdP for my MVC app. I have multiple communities in my Salesforce instance each with a different signOnUrl. How do I configure multiple communities to use the same Sustainsys Identity Provider?
I have tried using the same community link for the different communities, that gives a privileges error. I've tried setting multiple Identity provider nodes for the different community signOnUrls but it hasn't worked
<identityProviders>
<add entityId="https://{Salesforce}" signOnUrl="https://{Salesforce}/{community1}/idp/login?app={appId}" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
<signingCertificate fileName="~/App_Data/{cert}.crt" />
</add>
<add entityId="https://{Salesforce}" signOnUrl="https://{Salesforce}/{community2}/idp/login?app={appId}" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
<signingCertificate fileName="~/App_Data/{cert}.crt" />
</add>
</identityProviders>
When I try adding multiple entity providers to the same server the error is The entry https://{Salesforce} has already been added.
Found the answer... instead of adding multiple identity providers with different signOnUrl parameters. You can add multiple signOnUrls in the same node.
<identityProviders>
<add entityId="https://{Salesforce}" signOnUrl="https://{Salesforce}/{community1}/idp/login?app={appId}*;https://{Salesforce}/{community2}/idp/login?app={appId}*" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
<signingCertificate fileName="~/App_Data/{cert}.crt">
</add>
</identityProviders>
If you are using owin or asp.net core, a better approach is probably to register one authentication scheme for each Salesforce community. This will make your application work as two virtual service providers to Salesforce, one for each community.
When registering the SAML2 middleware/handler twice, you need to ensure that each instans has a unique EntityId and a unique ModulePath.
Related
I have a rest api which is being called by Azure AD B2C(through technical profile in Custom policy).
I need to secure the api.But as it is being called by Azure BEFORE Authentication(basically it only needs to check if the email already exists in database or not in sign in flow), it doesn't have Authorize attribute.
I have ClientCertificate AuthenticationType, configured in the custom policy for this REST API in the metadata of the technical profile, following this document
https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api
So basically my metadata looks like this:
<Metadata>
<Item Key="ServiceUrl">https://your-account.azurewebsites.net/api/GetProfile?code=your-code</Item>
<Item Key="SendClaimsIn">Body</Item>
<Item Key="AuthenticationType">ClientCertificate</Item>
<Item Key="AllowInsecureAuthInProduction">false</Item>
</Metadata>
<CryptographicKeys>
<Key Id="ClientCertificate" StorageReferenceId="B2C_1A_RestApiClientCertificate" />
</CryptographicKeys>
But when I call the rest api from the browser, it is still accessible.
I am not sure if I missed something, but isn't this process supposed to secure your api so only Azure can call it?
The REST API mutually needs to be authenticated with the client certificate. Configuration Client certificate in the custom policy needs to be validated near the REST API also right.
You can secure back-end services using client certificate authentication in Azure API Management or you can configure client certificate authentication in the code
Our Azure DevOps Server infrastructure is behind all behind a HTTP Web Proxy server for all outbound traffic. We want to enable the Upstream Sources feature in Azure Artifacts, so that Azure DevOps downloads packages from nuget.org, etc. when they are requested.
We have however not found any documentation on how to make the Azure DevOps Server Application Tier (which we're assuming is making the outbound connection to the upstream sources). When we enable the upstream sources feature on one of our feeds, and adding nuget.org to it, we get the following error when trying to download any package in our feed:
Response status code does not indicate success: 500 (Internal Server Error - Failed to retrieve data from the upstream package source 'https://api.nuget.org/v3/index.json': An error occurred while sending the request. (DevOps Activity ID: F2C6C7EF-6651-4FB2-B650-5221ABC80F64)
When we disable the upstream sources, this error goes away, and package download succeeds from Azure DevOps cache instead of the upstream source.
Searching through the Application Tier's directories on the server, we saw the that the web.config for the DevOps website already has the following proxy settings applied:
<system.net>
<defaultProxy useDefaultCredentials="true"/>
</system.net>
We've modified this further to explicitly provide our proxy server address as such:
<system.net>
<defaultProxy useDefaultCredentials="true">
<proxy proxyAddress="http://<ourproxyserver>" />
<defaultProxy/>
</system.net>
And then tried again, but received the same Failed to retrieve data from the upstream package source error.
We've tried looking for more detailed error logs from Azure DevOps server but have not found any trace of it in the log files we've found. But we're not exactly sure where Azure DevOps Server writes its error logs too.
Is there something that we're are missing to get Upstream Sources working in our scenario? Is Azure DevOps Server capable of making outbound requests through a HTTP proxy?
It turns at that #Leo Liu-MSFT answer is not quite accurate; Azure DevOps Server can work behind a HTTP proxy server.
The problem in our instance was that the infrastructure team forgot to install the CA certificates for the proxy server on the host which was the actual cause of the HTTP 500 error message we were seeing.
Once the certificates were correctly installed, our best guess of updating the web.config file for the Azure DevOps site to use our proxy server details was correct.
<system.net>
<defaultProxy useDefaultCredentials="true">
<proxy proxyaddress="http://<ourproxyserver>" />
</defaultProxy>
</system.net>
See the following for additional proxy options: https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/network/proxy-element-network-settings
As a good measure, we also set the proxy server settings at the Windows server level too, using the following command in a console session:
netsh winhttp set proxy proxy-server=http://<ourproxyserver>
Once these steps were done, upstream sources started working in our Azure DevOps instance.
Using Upstream Sources on Azure DevOps Server that's behind a HTTP Proxy
I am afraid there is no such out-of-box way to use Upstream Sources on Azure DevOps Server behind a HTTP Proxy at this moment.
As workaround, we could disable the upstream sources, then place the following setting in each project’s nuget.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<config>
<add key="http_proxy" value="http://proxy_hostname_or_ip:xxxx" />
<add key="https_proxy" value="http://proxy_hostname_or_ip:xxx" />
</config>
<packageSources>
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
</packageSources>
</configuration>
Use this nuget.config file when you restore nuget packages.
Hope this helps.
I want to Integrate Windows Identity Framework(WIF) For SSO, Federated Authentication Module of WIF is triggering on every Page of Website sends user to Signin Pgae i want on Some Page of My Website it did not apply Authentication.
You can add the bellow to the web.config and it will allow all users to access the location.
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
In the example above I allow all users to access Default.aspx page.
Hope this helps.
So I have an MVC 2 App running on Windows Azure.
Everything works fine, but I want to create a subdomain where I can test some stuff that I need the actual server for, but I don't want anyone to see it. However, if I just put up like www.mywebsite.com/sandbox - anyone COULD technically access it, even though they'd have to know it's there, which I don't want.
Is there anyway I can setup something like that and password protect it or something easily? If so, I would use the same sort of thing for a private administrative URL where team members only could go in and check stuff (with a username/password that I maintain).
As far as I see it, you have two options available.
Create a staging deployment, and make the IIS web site respond to a specific DNS request (e.g. http://sandbox.mywebsite.nothere). Either change your DNS settings, or chane your local hosts file (e.g. in C:\Windows\System32\drivers\etc\hosts). This is security through obscurity, and while it's not effective, it's easy and perhaps a good start.
As suggested by Steve Morgan in a comment, implement authentication in your application. If you have an ASP.NET (MVC or not) application (I'm assuming MVC in my example), you can do with something like this:
Create a MembershipController
Create a Login action accepting username and password, implementation looking like this:
public virtual ActionResult Login(Qinoa.Web.Models.LoginData model)
{
if(model.Username == "myuser" && model.Password == "hardcodedPassword") {
FormsAuthentication.SetAuthCookie("myuser", model.RememberMe);
}
return RedirectToAction(MVC.Home.Index());
}
In your web.config file, set
<authentication mode="Forms">
<forms loginUrl="~/Membership/Login" timeout="2880" />
</authentication>
On all your test containers add an [Authorize] attribute. Your app is now (rudimentary) protected.
On a side note to #1: you can host multiple sites on one web role.
Configure your application using Windows Identity Foundation and the Access Control Service.
You then have a choice of Identity Providers that you can use to secure your application without managing your own users.
Even better, if you have Active Directory is to deploy ADFS 2.0 internally. The beauty of that is that even if someone reaches your application, they can't authenticate if they don't also have access to network on which your ADFS server runs.
I'm securing an Azure application this way and it works very well. I get transparent integrated authentication but it's highly secure.
You don't need to expose AD or ADFS outside your network to do this; there's no communication between Azure and ADFS, it's all done via the browser.
I have an Asp.net MVC Website using Forms authentication.
The site is hosted in IIS using Forms Auth and works fine.
Due to a number of reasons, I want to know if it is possible to do the following:
I want to create a Virtual Directory underneath the main website, a separate application, and secure it using Forms Authentication as well.
The main site, and the site in the child Virtual Directory will be separate applications, and the Forms Auth will be completely independent of each other, and using different databases.
Is it possible to set up in this way?
Forms authentication works by using cookies. So as long as you provide different authentication cookie names for both sites they will be independent.
<authentication mode="Forms">
<forms name=".Auth1" />
</authentication>
But the problem AFAIK is that the <authentication mode="Forms"> tag cannot be redefined in sub web.config files.