How to passthrough SecurityToken with HttpClient in Asp.net Web Api - httpclient

We have two ASP.NET Web API applications (Application1 is where users login and use the AngularUI, Application2 is a Shared WebAPI2 backend without UI) that make use of (SAML?) Claims to Authorize users via an IIS WSFederationAuthenticationModule (Ex. STS for localdev and ADFS for production).
We would like to use a HttpClient to pass through the claims or the SecurityToken from Application1 to Application2.
How can we pass the authorized claims?
Via Cookies?
Via Headers?
Via a SAML SecurityToken?
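The header option from the question, worked through as an added example (not code from the question or from any project it names). Application1 reads the caller's original SAML token from the WIF bootstrap context and forwards it in an Authorization header; Application2 validates it through the same WIF token handler collection it already trusts. It assumes WIF on .NET 4.5 (System.IdentityModel / System.IdentityModel.Services), Web API 2, and that Application1's web.config sets `saveBootstrapContext="true"` on `identityConfiguration`; the `SAML` header scheme name, `TokenForwarder` and `SamlHeaderHandler` are this example's own conventions.

```csharp
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Xml;

// Application1 side: read the caller's original SAML token (the "bootstrap" token WIF keeps
// when <identityConfiguration saveBootstrapContext="true"> is set) and forward it to
// Application2. The "SAML" scheme name is a convention assumed for this example.
public static class TokenForwarder
{
    public static string GetBootstrapTokenXml(ClaimsPrincipal caller)
    {
        var identity = caller == null ? null : caller.Identity as ClaimsIdentity;
        var bootstrap = identity == null ? null : identity.BootstrapContext as BootstrapContext;
        // BootstrapContext.Token holds the raw token XML when WIF stored it as a string.
        return bootstrap == null ? null : bootstrap.Token;
    }

    public static async Task<HttpResponseMessage> CallApplication2(HttpClient client, Uri resource, ClaimsPrincipal caller)
    {
        var tokenXml = GetBootstrapTokenXml(caller);
        if (tokenXml == null)
            throw new InvalidOperationException("No bootstrap token on the principal; enable saveBootstrapContext.");
        if (resource.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("A bearer SAML token must only travel over TLS.");

        var request = new HttpRequestMessage(HttpMethod.Get, resource);
        // Base64 keeps the XML header-safe; the token is a bearer credential, so treat it like a password.
        request.Headers.Authorization = new AuthenticationHeaderValue(
            "SAML", Convert.ToBase64String(Encoding.UTF8.GetBytes(tokenXml)));
        return await client.SendAsync(request);
    }
}

// Application2 side: a Web API message handler that validates the forwarded token with the WIF
// handler collection from Application2's own identityConfiguration (signature, issuer, audience,
// lifetime) and sets the request principal. Register it with
// config.MessageHandlers.Add(new SamlHeaderHandler()) in WebApiConfig.
public class SamlHeaderHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;
        if (auth == null || auth.Scheme != "SAML" || string.IsNullOrEmpty(auth.Parameter))
            return await base.SendAsync(request, cancellationToken); // stays anonymous; [Authorize] rejects it

        try
        {
            var xml = Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter));
            var handlers = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;
            var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit }; // no DTD processing on untrusted XML
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
            {
                var token = handlers.ReadToken(reader);
                var identities = handlers.ValidateToken(token); // throws on bad signature, issuer, audience or expiry
                var principal = new ClaimsPrincipal(identities);
                request.GetRequestContext().Principal = principal;
                Thread.CurrentPrincipal = principal;
            }
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is FormatException || ex is XmlException)
        {
            return request.CreateResponse(HttpStatusCode.Unauthorized);
        }
        return await base.SendAsync(request, cancellationToken);
    }
}
```

Two caveats for this approach: `ValidateToken` checks the token's audience against Application2's `audienceUris`, so the audience the STS wrote into the token (normally Application1's realm) must be listed there or every call fails with an audience error; and the forwarded token is a pure bearer credential, so Application2 cannot tell a legitimate forward from a replay by anything that captured it, which is why the example refuses plain HTTP and why token lifetimes should stay short. The cookie option from the question is harder to make work, because the FedAuth session cookie is protected with Application1's session token handler key by default and would have to be shared with Application2 before it could be read there.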

Related

Using SAML Security Context for API Calls

Assume we have the following entities:
User Agent (Browser)
IDP
Web Application (SP1)
Resource Portal (SP2)
The goal is to have the Web Application (SP1) being a "Front End" for the User, allowing them to access Resources through the Web Application (SP1) from the Resource Portal (SP2), without the user directly interacting with SP2. SP1 would therefore act as a kind of "Proxy" for SP2 and impersonate the logged-in user for the proxied requests.
Does SAML support this kind of use case? Is there any way to propagate the Security Context which was established on SP1 to SP2 (or any other mechanism that would allow the impersonated requests)? Based on my current understanding, the user would still need to establish a security context for SP2.
SAML doesn't really care what you do with the assertion. As the SP, you can choose how you wish to use that assertion, and how to communicate it further upstream.
If it were me, I would use a standard SP token provider (Ping, Okta, etc.) to consume the IdP's SAML. Switch SP1 and SP2 to use OIDC and OAuth respectively, and then use the access token from the OIDC flow on the backend API calls.
After successfully authenticating via the IDP, you have to perform a local authentication based on the assertions you received.
If you are working on an asp.net core application, you can use the shared cookie concept and share the auth cookie which is created by the local SP1 login with SP2. You can use the Data Protection Service to store the shared key.
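The shared-cookie setup from the last answer, as an added example that is not the answer author's code. Both SP1 and SP2 call the same `AddSharedAuthCookie` registration so that a cookie issued by SP1 after the SAML assertion is consumed can be read by SP2. It assumes ASP.NET Core with the Microsoft.AspNetCore.DataProtection and cookie authentication packages; the key ring path, certificate, cookie domain and application name are placeholders the deployer supplies.

```csharp
using System;
using System.IO;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class SharedCookieSetup
{
    // Call from Startup.ConfigureServices in BOTH SP1 and SP2 with identical arguments.
    public static IServiceCollection AddSharedAuthCookie(
        this IServiceCollection services, string keyRingPath, X509Certificate2 keyEncryptionCert, string cookieDomain)
    {
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo(keyRingPath)) // one key ring both apps can read
            .ProtectKeysWithCertificate(keyEncryptionCert)           // keys at rest are encrypted, not plaintext XML
            .SetApplicationName("SharedCookieApp");                  // must match exactly, or SP2 cannot unprotect SP1's cookie

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.Cookie.Name = ".AspNet.SharedCookie";       // same name in both apps
                options.Cookie.Domain = cookieDomain;               // e.g. ".example.com" so both hosts receive it
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.SameSite = SameSiteMode.Lax;
                options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
                options.SlidingExpiration = false;                 // bounded lifetime for a cookie two apps honour
            });
        return services;
    }

    // SP1 only: the "local authentication" step after the SAML assertion has been validated.
    // The claims passed in are whatever SP1 decided to keep from the assertion.
    public static Task SignInLocallyAsync(HttpContext context, string nameId, string issuer)
    {
        var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, nameId));
        identity.AddClaim(new Claim("idp", issuer)); // record which IdP vouched for the user
        var principal = new ClaimsPrincipal(identity);
        return context.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal,
            new AuthenticationProperties { IsPersistent = false });
    }
}
```

The trust boundary to keep in mind: any application that can read the key ring and sits under `cookieDomain` can mint a cookie both SPs accept, so the key ring directory and certificate private key need the same protection as a signing key, and the cookie domain should be no wider than the two hosts that actually need it.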

How to obtain a JWT token via an AuthenticationProvider from an internal Oauth2 server without redirecting to the server for login

We have a microservice based environment running our own authentication server that will produce JWT tokens using the /oauth/token endpoint but this server does not provide a web login page.
For our front end application we have tried the oauth2Login setups but they all want to try and redirect the browser to the authentication server, authenticate and then redirect back to the application. Likewise oauth2Client setups add an AuthenticationProvider but that will only authenticate an OAuth2AuthorizationCodeAuthenticationToken but the user login request will generate a UsernamePasswordAuthenticationToken so the oauth2Client provider never gets evaluated.
We were looking for something similar to the ldap authentication providers in that the username and password is collected locally and sent to the authorisation server. While we can write our own custom AuthenticationProvider which accepts the UsernamePasswordAuthenticationToken, communicates with the oauth server and returns the generated JWT, we were hoping there was something pre-existing that was part of the current spring-boot framework. If our understanding is correct then the oauth2Client setup is what we are after but we can't work out how to enable the initial authentication.
We are using spring boot 2.2.5.

SSO using Identity Server with SAML 2 with other Identity Providers

I implemented authentication and authorization using Identity Server 4 with OIDC to allow clients accessing our application to get the necessary tokens to access our resource server (web APIs). This is the current architecture:
Identity Server 4 using my custom DB to authenticate users
Resource APIs (ASP.NET Core)
Angular 2 front end
I need to implement SSO, where users from other systems will pass SAML2 assertions from their identity providers to allow them to access our resource APIs without logging in to our application.
I have some confusion about where this step will happen, and what will be the workflow, will our identity server be involved in this process and how to implement that using Identity Server 4.
Right now there is no SAML2 support for ASP.NET Core.
If you are using IdentityServer3, you can act as a SAML2 SP via the Kentor authentication middleware. This is not available for ASP.NET Core yet.
Generally speaking - you cannot use SAML2 to secure APIs - it is a protocol for web based SSO - not API access.

Shibboleth - from web page to REST API

The scenario is this:
1. There is a web application with a browser UI.
2. User has to log in to the Web UI. We would use Shibboleth for authentication (SSO).
3. The application connects to various backend components via REST APIs.
4. We are considering that the REST APIs are hooked with Shibboleth through the Shibboleth Service Provider.
Once logged in, the web app should pass the user context (session) to the REST API.
Is this scenario supported by Shibboleth? What is the best way to pass the session context to the REST API so that it validates the session through its service provider?

Using Identity Server v3 for SSO without OWIN in asp.net application

I want to implement SSO using Thinktecture Identity Server V3. The applications that I want to use this SSO with are asp.net MVC apps. I was going through the samples provided on the thinktecture wiki and am able to see two approaches:
1- Resource owner(providing credentials through application and calling Identity server using OAuth2Client Apis)
2- Using Owin middleware(Startup class) to call the Identity server.
In my case I want to call the Identity server login, but without using Owin. Do you have any hints/samples on how to do that?
Thanks
If you don't want to use the Microsoft OpenId Connect middleware (and as a result OWIN) in your clients, you could initiate the login flow yourself by redirecting the user to the authorize endpoint.
Authorize endpoint: http://thinktecture.github.io/Thinktecture.IdentityServer.v3.Documentation/docs/endpoints/authorization.html
The guys behind IdentityServer have a client example showing some of the concepts if you want to handle it all yourself:
https://github.com/thinktecture/Thinktecture.IdentityServer.v3.Samples/blob/master/source/Clients/MvcFormPostClient/Controllers/AccountController.cs
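The "redirect to the authorize endpoint yourself" approach from the answer, written out as an added example (not the linked sample's code and not part of the answer). It builds the authorize URL for the implicit flow with `response_mode=form_post`, and on the callback validates the posted `id_token` (signature, issuer, audience, lifetime) plus the `state` and `nonce` the app stored before redirecting. It assumes the System.IdentityModel.Tokens.Jwt package for `JwtSecurityTokenHandler`, that the client holds IdentityServer's signing certificate, and that `authority`, `clientId`, `redirectUri` and `issuer` are the (hypothetical) registration values of this MVC client.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Web;

// Manual OIDC implicit flow against the IdentityServer v3 authorize endpoint
// (/connect/authorize) for an MVC app that does not use the OWIN middleware.
public static class OidcManualLogin
{
    public sealed class AuthorizeRequest
    {
        public string Url;    // redirect the browser here
        public string State;  // keep server-side (session); must be echoed back unchanged
        public string Nonce;  // keep server-side; must appear as the "nonce" claim of the id_token
    }

    // authority, clientId and redirectUri are hypothetical values for this client's registration.
    public static AuthorizeRequest BuildAuthorizeRequest(string authority, string clientId, string redirectUri)
    {
        var state = RandomToken();
        var nonce = RandomToken();
        var url = new StringBuilder(authority.TrimEnd('/') + "/connect/authorize?")
            .Append("client_id=").Append(HttpUtility.UrlEncode(clientId))
            .Append("&response_type=id_token")                       // implicit flow, identity token only
            .Append("&scope=").Append(HttpUtility.UrlEncode("openid profile"))
            .Append("&redirect_uri=").Append(HttpUtility.UrlEncode(redirectUri))
            .Append("&response_mode=form_post")                      // IdentityServer POSTs the result to redirect_uri
            .Append("&state=").Append(state)
            .Append("&nonce=").Append(nonce)
            .ToString();
        return new AuthorizeRequest { Url = url, State = state, Nonce = nonce };
    }

    // Called from the action that receives the form post (fields: id_token, state).
    // Throws SecurityTokenException on any failure; the caller treats that as a failed login.
    public static ClaimsPrincipal ValidateCallback(
        string idToken, string postedState, string expectedState, string expectedNonce,
        X509Certificate2 signingCert, string issuer, string clientId)
    {
        // 1. state: ties the response to a login this app actually started (blocks a forged callback).
        if (string.IsNullOrEmpty(expectedState) || !FixedTimeEquals(postedState ?? "", expectedState))
            throw new SecurityTokenException("state mismatch");

        // 2. signature, issuer, audience and lifetime of the id_token.
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = clientId,
            IssuerSigningToken = new X509SecurityToken(signingCert),
        };
        SecurityToken validated;
        var principal = new JwtSecurityTokenHandler().ValidateToken(idToken, parameters, out validated);

        // 3. nonce: the token was minted for this login attempt, not replayed from an earlier one.
        var nonce = principal.FindFirst("nonce");
        if (nonce == null || !FixedTimeEquals(nonce.Value, expectedNonce ?? ""))
            throw new SecurityTokenException("nonce mismatch");
        return principal;
    }

    private static string RandomToken()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_'); // URL-safe
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In the controller, store `State` and `Nonce` in the server-side session before issuing the redirect, and after `ValidateCallback` succeeds clear both (so each pair is single-use) and start the app's own session, for example with `FormsAuthentication.SetAuthCookie`. Because the token arrives through the browser, none of the three checks is optional: without them an attacker-supplied form post would be accepted as a login.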