Build Security Token Service (STS) application in ASP.NET for SSO - single-sign-on

I have created a new ASP.NET web site using VS 2017 and changed the Authentication mechanism to use "Individual User Accounts". This adds the Claims Principal or WIF class support.I can click on register / log in, and set up user emails and then check for the claims for that user. I will also be using Server Session Authentication Management (SAM) to save claims on the server and do some claims transformation as well.
After Login, this site calls a winform application, and after some activity I return back to the above website.
I want to know how can I use SSO logic here and check if I am already Authenticated and access my claims saved at the server side / website and authenticate the user based on the saved claims.
Is there some project or code example anyone can give which i can use as a start to develop such a STS service (in VS 2017) with SSO and access my claims on website after coming from another domain?
The identity and access tools used to work only with VS 2012, so any way to replicate the above scenario and check for my saved claims after I hit my website from the winform application.

There's a good example here of using WS-Fed with Azure AD.
This is easily adaptable to ADFS.
Your other choice is to use ADAL.

Related

On Premise Active Directory Federation Server - Application Groups

I do not see [Application Groups] folder in my ADFS. How can I install it to see it in my AD FS Management?
I want my WEB API(REST) project to connect to ADFS for authentication. Additionally, I want to test my REST API Authentication without a login screen, please help in this as well. My API will be consumed by CRM users, who are already connected to ADFS. Now the requirement is to create an REST API which will be hit by CRM users and CRM user will pass a userid and password which will be authenticated by ADFS internally without login screen. How can I do that?
Any help please.
Thanks
Application Groups are only available in Server 2016 and 2019. They are available in the ADFS wizard by default.
In terms of sample code for calling API, have a look here.

Access/use roles and custom info from OpenId Connect profile within Dynamics 365 Portal?

I am starting to work with Dynamics 365 Portal add-on (Online, not on-prem), which I've configured to use an external authentication provider in the form of Identity Server with OpenId Connect. The problem with this is that I don't have access to the under-the-hood portal authentication process, there's just a few basic config settings and users can authenticate using the external IdP. I can't access roles, claims, or any custom info that might come back as part of the OpenId Connect user's profile (userinfo object response). I need to get at that data to customize the portal user experience. I've looked through whatever documentation I could find on the portal but can't find anything. Am I missing something or is it just not possible to access that info and customize the portal login process? Since it doesn't seem possible to do anything server-side within the portal because it's Online, can I do anything client-side within the portal to get the OpenID access token and call the UserInfo endpoint with that?
I had a case open with Microsoft and finally got an answer from them: In Dynamics CRM Online with the Online Portal add-on, there is currently no way to access anything coming back from an external identity provider. So for example, if you've configured the portal to use an external identity provider such Google, Facebook, etc, or like in my case an Identity Server instance with OpenId Connect, you can't access the claims or any other info coming back from the provider.
UPDATE:
I got another response from Microsoft support: they have confirmed their dev teams are working on making this available but don't have an ETA yet. At least it's on their radar.

Enterprise Single Sign On

Am searching for Desktop application manage Enterprise
Single Sign On
(SAML v2, Identity Provider , Service Provider )
Here is how i achieved in my enterprise:
There could be 2 approaches
Use "windows authentication" which can give you actual user trying to access website. Any enterprise application ( assuming it being hosted on Intranet) has integration to Active Directory. This User identity can be authenticated using LDAP server
Use OAuth way and use Third party which provide Identity management. Front End calls their services to generate token. This token can be sent to backend which will authenticate this token against the validator service.
I have used ADFS 2.0 as RSTS for SSO where in we have all the IdentityProviders and the Relying parties are configured. You can use the active end point of the STS (in case you want to authenticate against external sources like web api/ web service/ AD/ Database then prefer writing you own custom STS as the IDP).
Firstly you will get the boot strap token from the IDP and then get the Relying party token from the RSTS. In both the calls you need to communicate against the active end point (a wcf end point which implements WS Trust protocol).
Passive end points/ passive calls are used for thin clients.
You can try using ADFS 3.0 which even supports JOT (JSON) tokens (a very light weight token) along with SAML 2.0.

Connect Identity server V3 with Sharepoint 2016 - Single sign on

We have identity server V3 used inside my web application. We would like to use same identities to communicate with sharepoint 2016. Any repository or doc available on how to implement single sign on for sharepoint 2016 and Identity server V3 ?
You'd have to research how to get sharepoint to use IdentityServer as its identity provider.
I prototyped SSO in a test SharePoint 2010 environment a few years and used the links below for assistance. Some of the information may be outdated but I think the relationship between the STS (which in this case would be Identity Server V3 - Thinktecture) and SharePoint has not changed.
I am currently setting up SSO with our SharePoint application as well as other applications. I am using Azure Access Control Service (ACS) to act as a repository for all of the Identity Providers we would like to use. The providers are Facebook,Google,Windows Live ID and LinkedIn. ACS allows you to add custom Identity Providers as well. We have a CRM application that we currently authenticate against within our SharePoint application using claims and forms based authentication. This will be a custom identity provider defined in ACS. I am beginning to work with Thinktecture to be the identity provider that will sit on top of our CRM application. Users will then be able to login to SharePoint with any of the identity providers specified in ACS. We will see how it goes but I believe this will work. I would start with the General HowTos to using STS in SharePoint link.
FederationMetaData.xml editing
http://stsmetadataeditor.codeplex.com/documentation
http://social.msdn.microsoft.com/Forums/is/Geneva/thread/c0791595-2e0d-48cb-82f0-8e0f0bc1809a
http://jefferytay.wordpress.com/2012/05/03/windows-identity-foundationupdating-an-expired-issuer-certificate/
Regarding the "The issuer of the token is not a trusted issuer" error message.
search string - sharepoint 2010 The issuer of the token is not a trusted issuer
http://social.msdn.microsoft.com/Forums/en-ZA/sharepoint2010general/thread/f7dbbf1b-f616-4b24-ae0c-e8c76aa300d5
FedUtil.exe Information
http://msdn.microsoft.com/en-us/library/ee517284.aspx
General HowTos to using STS in SharePoint
http://msdn.microsoft.com/en-us/library/ff955607.aspx

ADFS and Form Authentication

I have an ADFS single sign on application. Can we also have form authentication using login credential from a database on the same application? In other words, I need single-sign-on for people who have windows account and form authentication for people who do not have windows account. I did some research on this topic but I have no lead. Is there any suggestion?
Out of the box ADFS can only authenticate against Active Directory (The latest version of ADFS (vNext) do supports LDAP v3-compliant directories).
You need to build your own Custom Authentication Provider for ADFS if you would like to plugin your custom code.
Some pointers for further reading:
Understanding WIF 4.5
Create a Custom Authentication Provider for Active Directory Federation Services