I'm in the process of getting my head round using AD FS to authenticate a user in a .NET 4.5 app. I can't find any examples of requesting/receiving the token from a console app and converting that token into a ClaimsPrinciple. The only examples I can find are WCF configuration based and I would really like to see the actual code that can do this in it's simplest form.
I've installed AD FS and think I've got it configured ready to receive requests. I've created a relying party, given it a key and assigned a couple of claims to it.
Can anyone point me in the right direction or what I need to do now in my console app to send authentication requests to it?
Thanks
The easiest way is to use the WSTrustChannelFactory from .NET 4.5.
See the RequestSecurityToken method here:
http://leastprivilege.com/2012/11/16/wcf-and-identity-in-net-4-5-external-authentication-with-ws-trust/
After you have the token you run it through the corresponding token handler to turn it into a ClaimsPrincipal.
I have helper methods and bindings in my library on github:
https://github.com/thinktecture/Thinktecture.IdentityModel.45
(look for the WCF folder, WSTrustClient and the Extensions folder).
Related
I have a complete working application that is Web based on AspNetCore.
I used the Identity.EntityFramworkCore to provide all the login and user registration on a central SQL database.
Everything is fine and working great.
But now the quandary starts. I am progressing onto the development of supporting apps for android, ios etc.
I am developing these apps using Microsofts Maui.
My thoughts are to write all the http CRUD API’s in the main ASPCore web application.
Then the Maui apps will call these API CRUD operations.
But my quandary arises with user management.
What the best way forward to have for a common User Authorisation access across all solutions. Bearing in mind the current web based Asp EF solution is there and working?
I’ve researched but can’t decide the best solution going forward: -
Using the existing SQL database & provide Authorisation through API’s on web asp application.
Using Active Directory of Azure.
Transferring everything to 3rd party provider such as “okta, OneLogin, etc”
What’s your thoughts for best practice going forward?
I am currently on the same path. Take a look at
TokenServerAuthenticationStateProvider in MAUI app
Basically I added an API controller (UserController) to my Server app that checks for username and password in SQL database and generates JWT token that I use for MAUI app login and also for authentication on Server APIs.
I use claims in token to pass User variables that I use in MAUI to display or hide some forms or controls. Like Roles but much more flexible.
For me it was the best path as I didn't have to change anything in my working web project.
TL;DR: I'd like to make a Moodle installation and an ASP.NET Identity-based site share authentication. If they have a single login page, so much the better, but logging in to one should automatically log into the other; logout should also be shared.
I have a Moodle installation (M) at www.example.com/moodle, and another website (O) at www.example.com.
O is written using .NET 4.5.2 and has areas that require authentication to access, managed using ASP.NET Identity 2.1 with a custom user model. This model is not particularly sophisticated. It is essentially the out-of-the-box model, but with integer IDs rather than GUIDs.
M is version 2.6, with intentions to upgrade to the latest version (currently 3.1) in the near future.
Both are accessible via the public Internet; there is no requirement to be on a private network to access them.
I know of no plans to move either M or O onto a different domain. However, if one or both was to move, I imagine they would move to a subdomain of example.com.
I would like to create a single-sign-on system, allowing a login for M to also log the user into O. As it stands, I am using the external database authentication plugin for Moodle, with M referring to the database for O. While this works, it does require the user to log in twice. I would like to set it up so that logging in to either M or O will also log the user in to the other site.
I am able to create matching hashes from PHP and .NET code. Unless it is particularly relevant to the solution, please consider the creation of hashes out of scope.
Some users of M are using Moodle's built-in authentication. However, unless it is particularly relevant to the solution, please consider the migration of users out of scope.
I'd prefer O to manage users, if possible. M, by nature of being Moodle, will have to have its own records for the users, but I'd like it if they were similar to the records used by the external DB plugin: just saying that the user exists and can be found elsewhere.
Things I have tried, investigated, or considered:
Moodle's external database plugin. This is how it works at the moment. It sort of works, but requires multiple logins.
Automating the multiple logins. I've experimented with taking the posted credentials, making a HTTP request from the server to the sites' respective login forms when logging in, lifting the cookie out of the response, then sending that cookie back to the client. This also works, but it's clunky at best, and is reliant on the cookies not getting out of sync.
Using PHP's DOTNET library and doing...something. All of the documentation that I can find says that DOTNET does not work with anything other than .NET 2.0, 3.0 or 3.5. I'm using 4.5.2, so this seems like a no-go. I don't know what I'd do even if I could get it to work with more recent versions of .NET.
Somehow getting Moodle to accept the ASP.NET Identity cookie in place of its own. This seems like the most fruitful course, given that it is a single cookie to manage.
To wrap up: I'd like to make M and O share authentication. If they have a single login page, so much the better, but logging in to one should automatically log into the other; logout should also be shared. Is this possible, and does anyone know how I should go about it?
Maybe take a look at SAML.
I believe that .NET 4.5 supports SAML?
https://msdn.microsoft.com/en-us/library/ms733083%28v=vs.110%29.aspx
On the server, install simplesamlphp.
https://simplesamlphp.org/docs/stable/simplesamlphp-sp
It can be used both as a service provider and as an identity provider.
Then install this SAML plugin in Moodle :
https://moodle.org/plugins/auth_saml
I'm pretty new with an Ember so for the start I have a noob question - is it possible to use Local Storage and REST adapter at the same time?
For example, if I want to do a login via API, if login is success the server will return an API key which is used for later communication with a service. Is it possible to store that information locally on the client and to retrieve it when necessary but also, for other models, to use REST adapter?
If this is not a good way to handle such case, which one would you propose and is there any kind of example which would me lead me in the right direction?
Thanks to the people from #emberjs, I found out that there is a wonderful ember-auth authentication framework for the Ember.js which does what I need.
here is a old version:https://wiki.jasig.org/display/CAS/Using+CAS+without+the+Login+Screen
I need to do the same with that latest version of CAS i.e. 3.5 . Can anyone provide me the steps for the same
We are doing now basically what you're asking here in my company. We have a Sharepoint website that in background is using the RESTful services for doing the real login. I wrote some posts about them in my blog and recently we used it to get access from a iOS application which contains a link to a sample program.
Important!!! We have a modification in our CAS that offers the possibility to use it for more than one domain. So wherever you find a reference to something called "Domain" in my samples just remove it, as it will not work on standard CASes
Here is a nice solution to your problem.
Just enable restful access.
I am to authenticate username and password credentials to a Active Directory through the iOS App?
I know that this post instructs us to include the openldap in the project, BUT this post here has indicated that there are inbuilt ldap protocol that I can use to connect with the Active Directory using PHP.
Can somebody shed light on both of the topics, and pick one which would be useful for the current version of XCode.
And also, are there any examples of this that any user can share?
P.S: This is my first question in stackoverflow.
Unless you are exposing your domain on the Internet, you'll need some sort of service layer. If you know php, that is probably a good route to go. Then, from the iOS application, you simply call the operations exposed through your php server. For creating the service, you may want to look into an ldap library for php.