I want to use Owin based SAML2 authentication without "hardcoding" any data. I have metadata file from IdP owner. Is there any way, how to just load this file (or point to url with metadata) and let provider initialize itself?
public void ConfigureAuth(IAppBuilder app)
{
...
app.UseSaml2Authentication(CreateSaml2Options());
}
private static Saml2AuthenticationOptions CreateSaml2Options()
{
var spOptions = CreateSpOptions();
var saml2Options = new Saml2AuthenticationOptions(false)
{
SPOptions = spOptions
};
var idp = new IdentityProvider(new EntityId("XXXXXXXXX"), spOptions)
{
AllowUnsolicitedAuthnResponse = true,
Binding = Saml2BindingType.HttpPost,
SingleSignOnServiceUrl = new Uri("XXXXXXXXX")
};
saml2Options.IdentityProviders.Add(idp);
return saml2Options;
}
How to get XXXXXXXXX values from metadata?
The XXX is the EntityId, it is listed at the top of the metadata. Consider e.g. this metadata excerpt from stubidp.sustainsys.com:
<EntityDescriptor xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
ID="_a1f8bba0-9d9f-4107-bbed-b61cd3d9c67f"
entityID="https://stubidp.sustainsys.com/Metadata" cacheDuration="PT15M"
validUntil="2018-12-19T18:51:08Z">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
The XXX value you are looking for is the entityID attribute. In this case it is https://stubidp.sustainsys.com/Metadata.
In the current version of the library, it is unfortunately not possible to get the EntityID from the metadata. I'm planning to fix that in a future version but it requires quite a lot of work. The reason is that the EntityID is the key in a dictionary and things would get very confusing it would be lazily initialized or changed later.
Related
can someone help me with the following issue?
Scenario. I have a Windows Service running on an Azure VM. Service receives files, modifies them in some way (let's assume that it adds custom properties to Word files) and uses MIP SDK to protect them with template ID.
Issue. IFileHandler.SetProtection(string)+CommitAsync(...) fails with the following exception:
One or more errors occurred. ServiceDiscoveryHelper::GetServiceDetails - Cannot compute domain: license domains, identity, and cloud endpoint base URL are all empty, correlationId:[9add32ba-0cb7-4d31-b9d8-0000b7c694a4]
Other info
RemoveProtection()+CommitAsync(...) work fine.
I registered application in Azure Active Directory tenant.
Generated secret: <CLIENT_SECRET>.
Granted the following permissions
https://api.mipwebservice.com/InformationProtectionPolicy.Read.All
https://psor.o365syncservice.com/UnifiedPolicy.Tenant.Read
https://aadrm.com/Content.SuperUser
https://aadrm.com/Content.Writer
https://aadrm.com/Content.DelegatedWriter
https://aadrm.com/Content.DelegatedReader
IAuthDelegate implementation
uses ADAL to get access token using client_credentials authentication flow, because there is no interacting user (my app is service).
I do not whether I have to use identity parameter in client_credentials flow.
Main Code Snippet
MIP.Initialize(MipComponent.File);
var appInfo = new ApplicationInfo{
ApplicationId = ConfigurationManager.AppSettings["AppPrincipalId"],
ApplicationName = "App name",
ApplicationVersion = "1.0.0",
};
var authDelegate = new AuthDelegateImplementation(appInfo);
var fileProfileSettings = new FileProfileSettings("mip_data", false,
authDelegate, new ConsentDelegateImplementation(), appInfo, LogLevel.Trace);
var fileProfile = MIP.LoadFileProfileAsync(fileProfileSettings).Result;
var engineSettings = new FileEngineSettings("engine-id", "", "en-US"){
Identity = new Identity($"{appInfo.ApplicationId}#<TENANT-NAME>"){
DelegatedEmail = "<OWNER>#<TENANT-NAME>",
},
};
var fileEngine = fileProfile.AddEngineAsync(engineSettings).Result;
var fileHandler = fileEngine.CreateFileHandlerAsync("c:\\sample.docx", "0", true).Result;
fileHandler.SetProtection(new ProtectionDescriptor("<TEMPLATE-ID>"));
var success = fileHandler.CommitAsync("c:\\encrypted.docx").Result;
AuthDelegateImplementation
public string AcquireToken(Identity identity, string authority, string resource)
var authContext = new AuthenticationContext(authority + "/" + "<TENANT_ID>");
var clientCredential = new ClientCredential("<CLENT_ID>", "<CLIENT_SECRET>");
var res = await authContext.AcquireTokenAsync(resource, clientCredential);
return res.AccessToken;
}
ConsentDelegateImplementation
public class ConsentDelegateImplementation : IConsentDelegate {
public Consent GetUserConsent(string url) {
return Consent.Accept;
}
}
It seams that after testing MIP's local persistent state (see FileProfileSettings.Path property when UseInMemoryStorage is flase) was corrupted. After removing "mip_data" folder issue disappeared.
I'm having some trouble getting claims from Google in a ASP.Net Core 2.1 Web API using OpenIdDict.
I've selected "No Authentication" in ASP.Net MVC template since I have no interest in storing usernames / passwords myself. I will be relying on external providers (such as Google) for authentication. The client is a SPA, so I'm using Implicit Flow.
My code is based on following this tutorial (except using Google rather than GitHub):
https://www.jerriepelser.com/blog/implementing-openiddict-authorization-server-part-2/
A Token is being returned from Google - but when I examine the JWT it does not contain any claims information.
What am I missing?
My Startup.cs looks like:
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
// Register OpenIdDict database (EF Core)
services.AddDbContext<PD.Server.DataAccess.AuthorizationDbContext>(o =>
{
o.UseSqlServer(Configuration.GetConnectionString("AuthorizationDbContext"));
o.UseOpenIddict();
});
// Authentication
services.AddAuthentication(auth =>
{
auth.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
auth.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
auth.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
}).AddCookie()
.AddGoogle(o =>
{
o.ClientId = Configuration["Authentication:Google:ClientId";
o.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
o.CallbackPath = "/signin-google";
});
services.AddOpenIddict()
.AddCore(o => o.UseEntityFrameworkCore().UseDbContext<AuthorizationDbContext>() )
.AddServer(o =>
{
o.UseMvc(); // Register MVC Binder
o.EnableAuthorizationEndpoint("/connect/authorize")
.EnableLogoutEndpoint("/connect/logout"); // Enable the Authorization end-point
o.RegisterScopes(OpenIddictConstants.Scopes.Email,
OpenIddictConstants.Scopes.Profile,
OpenIddictConstants.Scopes.Roles);
o.AllowImplicitFlow(); // Enable Implicit Flow (i.e. OAuth2 authentication for SPA's)
o.EnableRequestCaching();
o.DisableHttpsRequirement(); // DEV ONLY!
o.AddEphemeralSigningKey(); // DEV ONLY!
})
.AddValidation();
// Cors
services.AddCors();
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseCors(builder =>
{
builder.WithOrigins("https://localhost:5001");
builder.WithMethods("GET");
builder.WithHeaders("Authorization");
});
app.UseAuthentication();
app.UseMvcWithDefaultRoute();
app.MigrateDatabase();
// Configure the OpenIdDict Database (not shown)
InitializeAsync(app.ApplicationServices, CancellationToken.None).GetAwaiter().GetResult();
}
And my Authenticate method:
[HttpGet("~/connect/authorize")]
public IActionResult Authorize(OpenIdConnectRequest request)
{
if (!User.Identity.IsAuthenticated) return Challenge("Google");
var claims = new List<Claim>();
claims.Add(new Claim(OpenIdConnectConstants.Claims.Subject, User.FindFirstValue(ClaimTypes.NameIdentifier), OpenIdConnectConstants.Destinations.IdentityToken));
claims.Add(new Claim(OpenIdConnectConstants.Claims.Name, User.FindFirstValue(ClaimTypes.Name), OpenIdConnectConstants.Destinations.IdentityToken));
claims.Add(new Claim(OpenIdConnectConstants.Claims.Email, User.FindFirstValue(ClaimTypes.Email), OpenIdConnectConstants.Destinations.IdentityToken));
claims.Add(new Claim(OpenIdConnectConstants.Claims.EmailVerified, "true", OpenIdConnectConstants.Destinations.IdentityToken));
var identity = new ClaimsIdentity(claims, "OpenIddict");
var principle = new ClaimsPrincipal(identity);
// Create a new Authentication Ticket
var ticket = new AuthenticationTicket(principle, new AuthenticationProperties(), OpenIdConnectServerDefaults.AuthenticationScheme);
return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}
Thanks in advance.
Your claim destinations are not set correctly.
When using the Claim constructor that takes 3 parameter, it's the claim value type that is actually set, not the destination (which is a concept specific to OpenIddict).
Consider using the following syntax:
claims.Add(new Claim(OpenIdConnectConstants.Claims.Email, User.FindFirstValue(ClaimTypes.Email)).SetDestinations(OpenIdConnectConstants.Destinations.IdentityToken));
I am using IdentityServer4 with two external Idp's, one with WSFederation (ADFS) and one with SAML.
For the SAML implementation I use the commercial product ComponentSpace SAML 2 for ASP.Net Core. I use the middleware-based config.
Logging it with both Idp's works perfectly, but now I have the situation where, depending on the client, I need to pass extra parameters to the SAML AuthnRequest. I know how to pass this extra parameter in the request (I can use the OnAuthnRequestCreated from the middleware), but what I don't know is how to test at that point from where the request is coming, i.e. from which client.
I have control of the client so I could also pass extra acr_values (which I think can be used to pass custom data), but again I don't know how to get them in the OnAuthnRequestCreated event as shown in the code below.
Any help would be much appreciated.
services.AddSaml(Configuration.GetSection("SAML"));
services.AddAuthentication()
.AddWsFederation("adfs", options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
//...rest of config (SSO is working)
})
.AddSaml("saml", options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
//...rest of config (SSO is working)
options.OnAuthnRequestCreated = request =>
{
//Here I would need to know from which client the request is coming (either by client name or url or acr_values or whatever)
//to be able to perform conditional logic. I've checked on the request object itself but the info is not in there
return request;
};
});
The request parameter is the SAML AuthnRequest object. It doesn't include client information etc.
Instead of the OnAuthnRequestCreated event, in your Startup class you can add some middleware as shown below. You can call GetRequiredService to access any additional interfaces (eg IHttpContextAccessor) you need to retrieve the client information.
app.Use((context, next) =>
{
var samlServiceProvider =
context.RequestServices.GetRequiredService<ISamlServiceProvider>();
samlServiceProvider.OnAuthnRequestCreated += authnRequest =>
{
// Update authn request as required.
return authnRequest;
};
return next();
});
Thanks ComponentSpace for the reply. I didn't get it to work directly with your solution by using app.Use((context, next)) => ... but your comment on GetRequiredService pointed me into the direction to find the solution like below. Basically I'm getting the IHttpContextAccessor which I can then use to parse the query string. I then get the ReturnUrl from this query string and use the IIdentityServerInteractionService to get the AuthorizationContext object, which contains what I need to build my custom logic.
So thanks again for pointing me into the right direction.
//build and intermediate service provider so we can get already configured services further down this method
var sp = services.BuildServiceProvider();
services.AddAuthentication()
.AddSaml("SamlIdp", options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.OnAuthnRequestCreated = request =>
{
var httpContextAccessor = sp.GetService<IHttpContextAccessor>();
var queryStringValues = HttpUtility.ParseQueryString(httpContextAccessor.HttpContext.Request.QueryString.Value);
var interactionService = sp.GetService<IIdentityServerInteractionService>();
var authContext = interactionService.GetAuthorizationContextAsync(queryStringValues["ReturnUrl"]).Result;
//authContext now contains client info and other useful stuff to help build further logic to customize the request
return request;
};
});
In IdentityServer3 I have configured multiple instances of SAML2 based external providers using SustainSys library as per the documentation.
I got it working, but i have question about SPOptions.EntityID aka Audience Uri. (This is NOT the EntityID that external provider give us, but instead it's the EntityID that i need to provide to external provider)
Should this Audience Uri be unique for each instance?
Lets say, i configured 2 instances of SAML2 providers(Okta and Azure AD) in production, then based on the sample code provided, for particular environment the Audience Uriwill NOT be unique.
Below is my code based on sample code. (For brevity i have removed few lines)
public class Startup
{
public void Configuration(IAppBuilder app)
{
app.Map("/identity", idsrvApp =>
{
var identityServerOptions = new IdentityServerOptions
{
AuthenticationOptions = new AuthenticationOptions()
{
EnableAutoCallbackForFederatedSignout = true,
EnableSignOutPrompt = false
}
.Configure(ConfigureExternalIdentityProviders)
};
idsrvApp.UseIdentityServer(identityServerOptions);
});
}
private void ConfigureExternalIdentityProviders(IAppBuilder app, string signInAsType)
{
// Add okta
AddSAML2Idp(
app,
signInAsType,
"https://id.mydomain.com/identity/Saml2", //audienceURI
"okta", //idpname
"okta", //caption
"https://www.okta.com/exk4yxtgy7ZzSDp8e0h7", // externalEntityID
"https://dev-490944.oktapreview.com/app/exk4yxtgy7ZzSDp8e0h7/sso/saml/metadata"); // metadataLocation
// Add Azure AD
AddSAML2Idp(app,
signInAsType,
"https://id.mydomain.com/identity/Saml2", //audienceURI
"azuread", //idpname
"Azure ad", //caption
"https://sts.windows.net/xxxxx-fb1d-40c4-xxxxx-xxxxxxxx/", //externalEntityID
"https://login.microsoftonline.com/xxxx-fb1d-40c4-40c4-xxxxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxx-xxxx-xxxx-xxxx-xxxxxx"); //metadataLocation
}
private void AddSAML2Idp(IAppBuilder app, string signInAsType,string audienceURI, string idpname, string caption, string externalEntityID, string metadataLocation)
{
var authenticationOptions = new Saml2AuthenticationOptions(false)
{
SPOptions = new SPOptions
{
EntityId = new EntityId(audienceURI),
ModulePath = string.Format("/{0}", idpname)
},
SignInAsAuthenticationType = signInAsType,
AuthenticationType = idpname,
Caption = caption
};
UseIdSrv3LogoutOnFederatedLogout(app, authenticationOptions);
authenticationOptions.SPOptions.ServiceCertificates.Add(LoadCertificateFromWindwosStore());
var identityProvider = new IdentityProvider(new EntityId(externalEntityID), authenticationOptions.SPOptions)
{
MetadataLocation = metadataLocation,
LoadMetadata = true
};
authenticationOptions.IdentityProviders.Add(identityProvider);
app.UseSaml2Authentication(authenticationOptions);
}
So for okata
Audience Uri: https://id.mydomain.com/identity/Saml2
ACS Uri: https://id.mydomain.com/identity/okta/acs
and for Azure AD
Audience Uri: https://id.mydomain.com/identity/Saml2
ACS Uri: https://id.mydomain.com/identity/azuread/acs
Note the audience uri is same for both instances.
Should it be unique for each instances like:
https://id.mydomain.com/identity/okta
https://id.mydomain.com/identity/azuread
Logically the two instances are two different SAML2 Service Providers and should have different Entity IDs. But, as you're not exposing both of them to the same upstream Idp it doesn't matter.
Windows Azure Mobile Services currently doesn't have an option for custom authentication and looking at the feature request
http://feedback.azure.com/forums/216254-mobile-services/suggestions/3313778-custom-user-auth
It isn't coming anytime soon.
With a .NET backend and a .NET application how do you implement custom authentication, so that you don't have to use Facebook, Google or any of their other current providers?
There are plenty of partially completed tutorials on how this this is done with a JS backend and iOS and Android but where are the .NET examples?
I finally worked through the solution, with some help of the articles listed below, some intellisense and some trial and error.
How WAMS Works
First I wanted to describe what WAMS is in a very simple form as this part confused me for a while until it finally clicked. WAMS is just a collection of pre-existing technologies packaged up for rapid deployment. What you need to know for this scenario is:
As you can see WAMS is really just a container for a WebAPI and other things, which I won't go into detail here. When you create a new Mobile Service in Azure you get to download a project that contains the WebAPI. The example they use is the TodoItem, so you will see code for this scenario through the project.
Below is where you download this example from (I was just doing a Windows Phone 8 app)
I could go on further about this but this tutorial will get you started:
http://azure.microsoft.com/en-us/documentation/articles/mobile-services-dotnet-backend-windows-store-dotnet-get-started/
Setup WAMS Project
You will need your MasterKey and ApplicationKey. You can get them from the Azure Portal, clicking on your Mobile Services App and pressing Manage Keys at the bottom
The project you just downloaded, in the Controllers folder I just created a new controller called AccountController.cs and inside I put
public HttpResponseMessage GetLogin(String username, String password)
{
String masterKey = "[enter your master key here]";
bool isValidated = true;
if (isValidated)
return new HttpResponseMessage() { StatusCode = HttpStatusCode.OK, Content = new StringContent("{ 'UserId' : 'F907F58C-09FE-4F25-A26B-3248CD30F835', 'token' : '" + GetSecurityToken(new TimeSpan(1,0, 0), String.Empty, "F907F58C-09FE-4F25-A26B-3248CD30F835", masterKey) + "' }") };
else
return Request.CreateErrorResponse(HttpStatusCode.Unauthorized, "Username and password are incorrect");
}
private static string GetSecurityToken(TimeSpan periodBeforeExpires, string aud, string userId, string masterKey)
{
var now = DateTime.UtcNow;
var utc0 = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
var payload = new
{
exp = (int)now.Add(periodBeforeExpires).Subtract(utc0).TotalSeconds,
iss = "urn:microsoft:windows-azure:zumo",
ver = 2,
aud = "urn:microsoft:windows-azure:zumo",
uid = userId
};
var keyBytes = Encoding.UTF8.GetBytes(masterKey + "JWTSig");
var segments = new List<string>();
//kid changed to a string
var header = new { alg = "HS256", typ = "JWT", kid = "0" };
byte[] headerBytes = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(header, Formatting.None));
byte[] payloadBytes = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(payload, Formatting.None));
segments.Add(Base64UrlEncode(headerBytes));
segments.Add(Base64UrlEncode(payloadBytes));
var stringToSign = string.Join(".", segments.ToArray());
var bytesToSign = Encoding.UTF8.GetBytes(stringToSign);
SHA256Managed hash = new SHA256Managed();
byte[] signingBytes = hash.ComputeHash(keyBytes);
var sha = new HMACSHA256(signingBytes);
byte[] signature = sha.ComputeHash(bytesToSign);
segments.Add(Base64UrlEncode(signature));
return string.Join(".", segments.ToArray());
}
// from JWT spec
private static string Base64UrlEncode(byte[] input)
{
var output = Convert.ToBase64String(input);
output = output.Split('=')[0]; // Remove any trailing '='s
output = output.Replace('+', '-'); // 62nd char of encoding
output = output.Replace('/', '_'); // 63rd char of encoding
return output;
}
You can replace what is in GetLogin, with your own validation code. Once validated, it will return a security token (JWT) that is needed.
If you are testing on you localhost, remember to go into your web.config file and fill in the following keys
<add key="MS_MasterKey" value="Overridden by portal settings" />
<add key="MS_ApplicationKey" value="Overridden by portal settings" />
You need to enter in your Master and Application Keys here. They will be overridden when you upload them but they need to be entered if you are running everything locally.
At the top of the TodoItemController add the AuthorizeLevel attribute as shown below
[AuthorizeLevel(AuthorizationLevel.User)]
public class TodoItemController : TableController<TodoItem>
You will need to modify most of the functions in your TodoItemController but here is an example of the Get All function.
public IQueryable<TodoItem> GetAllTodoItems()
{
var currentUser = User as ServiceUser;
Guid id = new Guid(currentUser.Id);
return Query().Where(todo => todo.UserId == id);
}
Just a side note I am using UserId as Guid (uniqueidentifier) and you need to add this to the todo model definition. You can make the UserId as any type you want, e.g. Int32
Windows Phone/Store App
Please note that this is just an example and you should clean the code up in your main application once you have it working.
On your Client App
Install NuGet Package: Windows Azure Mobile Services
Go into App.xaml.cs and add this to the top
public static MobileServiceClient MobileService = new MobileServiceClient(
"http://localhost:50527/",
"[enter application key here]"
);
In the MainPage.xaml.cs I created
public class Token
{
public Guid UserId { get; set; }
public String token { get; set; }
}
In the main class add an Authenticate function
private bool Authenticate(String username, String password)
{
HttpClient client = new HttpClient();
// Enter your own localhost settings here
client.BaseAddress = new Uri("http://localhost:50527/");
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
HttpResponseMessage response = client.GetAsync(String.Format("api/Account/Login?username={0}&password={1}", username, password)).Result;
if (response.StatusCode == System.Net.HttpStatusCode.OK)
{
var token = Newtonsoft.Json.JsonConvert.DeserializeObject<Token>(response.Content.ReadAsStringAsync().Result);
App.MobileService.CurrentUser = new MobileServiceUser(token.UserId.ToString());
App.MobileService.CurrentUser.MobileServiceAuthenticationToken = token.token;
return true;
}
else
{
//Something has gone wrong, handle it here
return false;
}
}
Then in the Main_Loaded function
private void MainPage_Loaded(object sender, RoutedEventArgs e)
{
Authenticate("test", "test");
RefreshTodoItems();
}
If you have break points in the WebAPI, you will see it come in, get the token, then come back to the ToDoItemController and the currentUser will be filled with the UserId and token.
You will need to create your own login page as with this method you can't use the automatically created one with the other identity providers. However I much prefer creating my own login screen anyway.
Any other questions let me know in the comments and I will help if I can.
Security Note
Remember to use SSL.
References
[] http://www.thejoyofcode.com/Exploring_custom_identity_in_Mobile_Services_Day_12_.aspx
[] http://www.contentmaster.com/azure/creating-a-jwt-token-to-access-windows-azure-mobile-services/
[] http://chrisrisner.com/Custom-Authentication-with-Azure-Mobile-Services-and-LensRocket
This is exactly how you do it. This man needs 10 stars and a 5 crates of beer!
One thing, I used the mobile Service LoginResult for login like:
var token = Newtonsoft.Json.JsonConvert.DeserializeObject(response.Content.ReadAsStringAsync().Result);
Hope to get this into Android now!