How to secure an existing Asp.Net project with ADFS - single-sign-on

I have a big project in asp.net and I want to embed ADFS in it for authentication purpose.
Please suggest some links.
Thanks

Just to clarify:
You don't embed ADFS in an ASP.NET application. You add WIF or OWIN to the application and bind this with ADFS which sits on a Windows server. The latest version is ADFS 3.0 on Windows Server 2012 R2.
How To: Build Claims-Aware ASP.NET Web Forms Application Using WIF
WS-Federation in Microsoft OWIN Components–a quick start
OWIN is the newer technology.
And then you bind your application to ADFS.
Building a test claims-aware ASP.NET application and integrating it with ADFS 2.0 Security Token Service (STS)

Related

How can we use/integrate keycloak in web application that is built on Java 6, Spring 3.0 and WebSphare Portal 6.1 and LDAP?

We have an existing web applications that uses jdk6, ldap, spring 3.0, Oracle 12c and running on WebSphare Portal 6.1 server.
I have to integrate Keycloak as SSO for our existing web application so please suggest which version of keycloak can be used or supports above mentioned tech stacks?
As I am new to the Keycloack so not able to find out how to start with

ADFS 3.0 works with WS-Federation but fails with SAML

We use ADFS 3.0 (Windows 2012 R2) server to access an ASP.NET browser (.NET 4.5) application, which uses ClaimsPrincipal class (part of the Windows Identity Foundation library). The ADFS servers authenticates to our Active Directory. The ASP.NET application runs properly if we use WS-Federation sign-in protocol but fails if we use SAML sign-in protocol. The error message is not helpful "An error occurred"
The ASP.NET is a web form application, developed using VB.NET
My questions:
1) Does ADFS 3.0 with SAML sign in protocol work with ASP.NET web form application which uses ClaimsPrincipal class, which is part of the Windows Identity Foundation libraries?
2) What are the changes (as compared to WS-Federation) we must make to web config in the ASP.NET application, to us SAML sign in protocol?
Thank you.
Chong Chin
To get WS-Fed to work, you either will be using WIF or the WS-Fed NuGet OWIN package?
There is no Microsoft equivalent for SAML.
You need a SAML stack (in the same way that WIF provides a WS-Fed stack).

ADFS Implementation for Internal Applications

We are looking forward to implement ADFS to implement SSO across our organization for various set of web applications such as (SAP, Siebel, Custom java based, Asp.net etc.).
I understand based on my research that ADFS can be used to achieve SSO for third party applications using SAML. It can act as an identity provider for third party applications. Please correct me if I am wrong.
Can we use the ADFS to implement cookie based SSO for the various internal web based apps which I mentioned above?? (For Ex: CA Siteminder, ORacle Access manager can work with almost every internal web based application)
In other words: we have one application using apache webserver, one using IIS webserver, one using IHS webserver; can ADFS be used to achieve Single sign on with all these applications??? If yes, How ???
Thanks in Advance...!!
Ashish
ADFS implements SSO via federation using either WS-Fed or SAML 2.0.
If these applications can support these protocols, then yes just federate these products with ADFS and you will get SSO.
e.g. SalesForce SSO with ADFS.
For Java you need a SAML stack e.g. Spring Security.
For ASP.NET, use OWIN or WIF.

ADFS 2.0, SSO and SAML 2.0

This is a classic example of too much information = too much confusion.
I have a ASP.NET web application that uses the usual POST form authentication and would like to implement SSO.
Since we're a Microsoft shop we will use the ADFS 2.0. In order to implement SSO I understand that I will need to have also WIF to process SAML requests?
Do I install the WIF under the same server as the ADFS?
I still want to re-direct failed SSO requests or non SSO requests to use the form, how do I handle this?
Can someone please describe the flow?
Thanks!
ADFS Supports two protocol for authenication.
1) WS-Federation Protocol
2) Web SSO SAML Protocol
*In Ws-Federation scenario*
For SSO between your Application and ADFS (Build trust relationship).
1) Install ADFS & WIF on one server , Create some users in AD.
2) Generate Federation Metadata.xml file in ADFS, save it one place for
future need.
3) Use Windows Azure Access Control Service(ACS) for
simplicity. (It will do all heavy lifting of your authentication
process of token coming from ADFS)
4) Generate Federation
Metadata.xml file in ACS and Import in your ADFS server as relying
party. (give some claims as well)
[http://blogs.msdn.com/b/card/archive/2010/06/25/using-federation-metadata-to-establish-a-relying-party-trust-in-ad-fs-2-0.aspx?Redirected=true][1]
5) Import federation metadata.xml
file from ADFS server to ACS and Add it as Identity provider. (add
claim processing rule)
6) Now in your web Application use WIF
FedUtil Tool and import ACS federation metadata.xml file.
That's it.. you are good to go..
For Web SSO SAML protocol you have to do manual job of coding.
UseCase:
User will hit your application.
User is not authenticated so he will go to ACS and ACS will redirect it to ADFS login page.
User enters credentials. ADFS issue token to ACS with some claims. ACS will
transform incoming ADFS claims and give it to your application.
your application is now authenticated so you can use claims and do
authorization stuff.
You can use URL scheme to check where this request should go to your forms authentication or ADFS authentication.
eg. : http://somedomain.com/forms or http://somedomain.com/ADFS
So you are using SAML to some 3rd party STS?
WIF (out the box) does not support SAML.
There is a WIF SAML extension but this is only CTP (Community Technology Preview) at this point.
WIF is integrated with your ASP.NET application. For .NET 4 and below, there is a separate download. For .NET 4.5, it's integrated.
WIF is just a set of .NET classes inside your application.
You integrate WIF with your ASP.NET application using a tool called FedUtil which is part of the WIF SDK download. (Invoked by "Add STS" inside VS).
The ADFS install installs WIF on the server but this is seperate to your application.
The flow is:
.NET Application --> (WIF) --> (WS-Federation) --> ADFS --> (SAML) --> STS

Siteminder SSO not protecting ASP.NET MVC site

I have site minder installed on IIS7 and I am running ASP.NET site on the sever. It appears that Site minder SSO fails to protect ASP.NET MVC requests. It appears that all ASP.NET requests are processed by ASP.NET isapi filter which prevent Siteminder isapi filter from running. How can I make siteminder SSO work for protect my ASP.NET MVC site? Is there a way I can force isapi filter for Siteminder SSO to be loaded before ASP isapi filter?
The solution for us was to list the SiteMinder web agent ISAPI handler followed by the MVC ISAPI handler, in that order, in your web.config file.
I posted the code fragment here.
Have you tried ordering ISAPI filters in IIS? I have not done it with Win2008 IIS7, but with Windows 2003, SiteMinder agent installer reorders the filters. You should be able to check it in IIS Manager and reorder. SiteMinder filter should be on the top.
I had the same problem on my MVC-2 site enenthough the virtual folder was protected by siteminder.
Finally figured out what the issue was.
Changed the Application Pool mode to Classic from Integrated and voila! problem solved.
We have the same problem for MVC3 on IIS7 and we need to use Integrated Mode. Our solution is to use combination IHttpModule and Handler (.axd) but it is now uncessary since the new version of siteminder has IIS7WebAgent.dll which is a integrated MODULE instead of ISAPI filter (ISAPI6WebAgent.dll). I tested this and confirmed its working, it was able to protect all our MVC url and we can also read HTTP Header created by siteminder such as SM_USER from the MVC pipeline.
The siteminder version I tested is R12 SP 3. If your planning to use IIS7WebAgent.dll, you need to remove all occurances of ISAPI6WebAgent.dll on "Handler Mappings", "ISAPI & CGI Restrictions" and "ISAPI Filter" on IIS to make sure its not complicting.