OAuth token generated by IdentityServer4 and validated using IdentityServer3.AccessTokenValidation - identityserver3

Is it possible to use IS4 to generate a token and IS3 to validate it?
I'm migrating our STS to .NET Core with IS4 but I have some Web APIs that won't be migrated right now.
When I request my API I get the error: IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
If I use IS3 to generate the token, it works fine!
Does anybody have the same problem?

You can use Identity Server 4 with Identity Server 3 client side components (or even just .NET Framework components). They are communicating at a protocol level (e.g. OAuth or OpenID Connect), not a specific implementation.
Identity Server 4 is still in beta and .NET Core is only a few days old. You're going to have problems for a while...
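The IDX10500 message in the question means the validator could not match the token's key identifier against the signing keys it loaded from the issuer's discovery document. As an added diagnostic (not code from IdentityServer or from the original post), the following decodes the JWT header and checks whether its `kid` resolves against a JWKS document; the token, issuer URL and both JWKS documents are constructed samples, and the placeholder signature is never verified.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact JWS (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))

def check_key_resolution(token: str, jwks: dict) -> dict:
    """Report whether the token's kid resolves against the JWKS a validator
    would load from the issuer's discovery document (the IDX10500 case)."""
    header = jwt_header(token)
    kid, alg = header.get("kid"), header.get("alg")
    keys = jwks.get("keys", [])
    match = next((k for k in keys if k.get("kid") == kid), None)
    result = {"kid": kid, "alg": alg, "resolved": match is not None, "problems": []}
    if kid is None:
        result["problems"].append("token header has no kid; validator cannot select a key")
    elif match is None:
        result["problems"].append(
            f"kid {kid!r} not in JWKS (available: {[k.get('kid') for k in keys]})")
    elif match.get("alg") and match["alg"] != alg:
        result["problems"].append(f"JWKS key alg {match['alg']!r} != token alg {alg!r}")
    return result

def make_sample_token(header: dict, payload: dict) -> str:
    """Constructed sample JWS with a placeholder signature (never verified here)."""
    def enc(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), b64url_encode(b"placeholder-sig")])

# Constructed data: a token labelled the way an RS256-signing issuer would label
# it, a stale JWKS that lacks that key, and a current JWKS that carries it.
SAMPLE_TOKEN = make_sample_token({"alg": "RS256", "typ": "JWT", "kid": "is4-key-1"},
                                 {"iss": "https://sts.example.test", "aud": "api1"})
STALE_JWKS = {"keys": [{"kty": "RSA", "kid": "is3-legacy-key", "use": "sig"}]}
CURRENT_JWKS = {"keys": [{"kty": "RSA", "kid": "is4-key-1", "use": "sig", "alg": "RS256"}]}

if __name__ == "__main__":
    for name, jwks in (("stale", STALE_JWKS), ("current", CURRENT_JWKS)):
        print(name, check_key_resolution(SAMPLE_TOKEN, jwks))
```

When the report says the kid is unresolved, compare the issuer's live JWKS endpoint with whatever the API has cached; a key rotated or introduced by the new STS that the old validator never picked up produces exactly this error.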

Related

IdentityServer and windows authentication through wsfederation

This is a newbie question about IdentityServer and Windows authentication. The samples provided with IdentityServer3 with Windows authentication seem to implement it using WS-Federation, like the one provided in this link https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/WebHost%20(Windows%20Auth%20All-in-One).
The newest samples with IdentityServer4 are using a different approach without federation. Are these approaches equivalent? Are there benefits in one approach over the other? I can understand using federation for ADFS, but not for Windows authentication with AD. I know I am missing something but can't figure it out. What is it? Thanks.
Identity Server 4 is based on .NET Core which currently does not support WS-Federation so if that is a requirement you should stick to Identity Server 3 on the "standard" framework.
According to the devs there's a "test" version out for WS-Fed, but whether it will be included in the final release of .NET Core 2.0 is still uncertain.
See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/500

IdentityServer3 MVC App with Windows Authentication

I'm working on creating an MVC Web application backed by an API which uses IdentityServer3 and is compatible with Windows Authentication, but I'm losing my custom claims in the process.
To this end, I've deployed this project: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/MVC%20Authentication
When I deploy it to IIS7 I cannot access either of the two pages which display claims information until I turn on Windows Authentication. When I do this, I have access to the secure web page that shows claims and the API that shows claims. This is promising, but the displayed claims are SID groups and default claims, respectively. I lose my custom claims.
Monitoring traffic in Fiddler, I notice that when hitting the protected claims page there are two failed attempts which return 401, followed by the successful attempt, which displays the wrong claims.
Has anyone encountered this? Does anyone know the location of a working example of a Windows Auth compatible IdentityServer? I've looked over several tutorials which imply it's possible, but I don't think they are compatible with IdentityServer3.

SAML 1.1 Token Generator and Self Signing using Java

As a requirement I need to configure 2 enterprise applications using SAML token.
Due to the following constraints I need to write individual services for token generation and token signing.
The constraints are:
No IdP (Identity Provider) available. No associated metadata file available.
Need to use SAML 1.1 version
Need to self-sign the SAML Response.
As part of a POC I am able to generate a SAML token using version 2.0 by writing a service which forwards to a signing service for signing. I am able to sign it by generating a certificate/keystore using the Windows keytool command.
However, for the SAML 1.1 implementation using the OpenSAML library I am unable to generate the SAML request message in the proper format. I looked for additional libraries which could help, like WSS4J, which has a SAML Token Profile generator.
I also looked at some configuration around IBM WebSphere Application Server (SAML Token Generator), as that is what is used for hosting the application. Still, I could not implement the solution using the above options.
Questions:
Is it possible to do a SAML implementation without using an IdP server?
Can I use IBM WebSphere Application Server (WAS) as the IdP server?
Can WAS be utilized for generating STS tokens?
Is there any library like OpenSAML or WSS4J which can be helpful to generate and sign SAML tokens easily for SAML version 1.1?

Connecting IdSrv to LDAP

I've seen samples that connect an on premises IdSrv instance to ADFS, but I can't find one that connects to a LDAP IP (AD, not ADFS).
Is there a sample or documentation somewhere on this?
Thanks.
There is a contrib project for IdentityServer v1 here. Maybe you can make it work in v2 (the latest stable version).
I have found an example of using Windows Integrated Authentication in Authorization Server which is an implementation of the OAuth2 authorization framework. It was developed after v2.
But if I were you I would try to persuade your customer to install ADFS. It should be possible. Then you can use it directly as your IdP, or you can set it up with IdentityServer.

anti-forgery token error

I have an MVC2 project built for .NET 3.5. I have a library that I wrote in 4.0 that I need for the 3.5 project, so I changed the target framework, and now anywhere the anti-forgery token is used it throws:
Validation of viewstate MAC failed. If this application is hosted by a
Web Farm or cluster, ensure that configuration specifies
the same validationKey and validation algorithm. AutoGenerate cannot
be used in a cluster.
I found this question but had no luck with any of the suggestions. I created a static machine key in my config but it doesn't help. Does anybody have any idea what the problem could be? I don't understand why it worked fine before.
You have to close all browser windows to continue.
The AntiForgeryToken cookie is a session-cookie, and is encrypted / decrypted using the machine key. If the machine key changes (or is set to auto-generate), then rendering the AntiForgeryToken will fail.
Restarting your browser windows will clear the cookie, and MVC will create a new, valid cookie next time.