I'm currently assessing ways to implement authentication & authorization in a .NET SOA environment (ASP.NET MVC, WCF).
I have concluded that using Windows Identity Foundation with an STS should fulfill our criteria.
I'm having a hard time finding any suitable STS to work with WIF other than ADFS. I know there are multiple options, but there is no documentation/experience available on how well these play together with WIF.
Summa summarum, multiple questions:
Is this a dumb idea?
Is there any STS product that plays together with WIF smoothly? Any resources on this?
Are there products that allow me to implement centralized (yet scalable) authorization (even with XACML support)?
What is your experience using WSO2 Identity Server with ADFS/WIF?
WSO2 Identity Server has some XACML capabilities but how can these be used in authorization with WCF services?
There is Starter STS
http://startersts.codeplex.com/
which has lately been replaced by the IdentityServer:
http://identityserver.codeplex.com/
It's been around for a while and has some features ADFS lacks (like the ability to use a MembershipProvider to authenticate users).
Also, crafting your own STS is relatively easy. There are some good tutorials around; I've also written a few posts on this:
http://netpl.blogspot.com/2011/08/quest-for-customizing-adfs-sign-in-web.html
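As an added illustration of "crafting your own STS" (example code written for this page, not taken from the answer's posts, StarterSTS or IdentityServer), here is a minimal STS on WIF 4.5 (System.IdentityModel). The relying-party table and the realm/reply addresses in it are assumptions. The point a practitioner should take from it is that the STS, not the request, decides which realms get tokens and where the token is posted back: a custom STS that copies AppliesTo or ReplyTo from the incoming request into the Scope will happily issue signed tokens to any address a phishing page asks for.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel;
using System.IdentityModel.Configuration;
using System.IdentityModel.Protocols.WSTrust;
using System.Security.Claims;

// Added example: a minimal custom STS built on WIF 4.5.
// Hosted by the usual WIF plumbing (WSFederationAuthenticationModule /
// FederatedPassiveSecurityTokenServiceOperations) after the user has been
// authenticated by the host (Forms, Windows, a MembershipProvider, ...).
public class MinimalSecurityTokenService : SecurityTokenService
{
    // Allow-list of relying parties: realm -> address the token is posted to.
    // Entries are assumptions for illustration; in a real STS load them from config.
    private static readonly IDictionary<string, string> KnownRelyingParties =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "https://app.example.com/", "https://app.example.com/" },
        };

    public MinimalSecurityTokenService(SecurityTokenServiceConfiguration configuration)
        : base(configuration)
    {
    }

    // Decides whether a token is issued at all, which key signs it and where it goes.
    protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required.");

        string realm = request.AppliesTo.Uri.AbsoluteUri;
        string replyTo;
        if (!KnownRelyingParties.TryGetValue(realm, out replyTo))
            throw new InvalidRequestException("Unknown relying party: " + realm);

        // Sign with the credentials configured for this STS; never pick the key per request.
        var scope = new Scope(realm, SecurityTokenServiceConfiguration.SigningCredentials);

        // Reply address comes from our table, not from request.ReplyTo.
        scope.ReplyToAddress = replyTo;

        // Set scope.EncryptingCredentials with the RP's certificate and flip this to true
        // for relying parties that must receive encrypted tokens.
        scope.TokenEncryptionRequired = false;
        return scope;
    }

    // Builds the claims that end up in the issued token.
    protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            throw new InvalidRequestException("Caller is not authenticated.");

        // Start from what the host authenticated and copy only the claims this STS vouches for;
        // do not forward arbitrary incoming claims to the relying party.
        var identity = new ClaimsIdentity("Federation");
        identity.AddClaim(new Claim(ClaimTypes.Name, principal.Identity.Name));
        identity.AddClaim(new Claim(ClaimTypes.AuthenticationMethod,
            principal.Identity.AuthenticationType ?? "Unknown"));
        foreach (Claim role in principal.FindAll(ClaimTypes.Role))
            identity.AddClaim(new Claim(ClaimTypes.Role, role.Value));
        return identity;
    }
}
```

The SecurityTokenServiceConfiguration passed in carries the signing certificate (SigningCredentials), the token lifetime and the default token type; keep those in configuration rather than in code so the same STS class can be deployed with different keys per environment.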
WSO2 Identity Server can be integrated with ADFS. It can also be run as an XACML engine. The XACML engine is exposed to the outside as a SOAP endpoint as well as a Thrift endpoint.
Disclaimer: I am an architect at WSO2.
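To show how an external XACML engine such as the one described above can be wired into WCF authorization, here is an added example (written for this page; not WSO2's code and not the answer's). It hooks WIF's ClaimsAuthorizationManager, which WIF runs once per WCF call with the SOAP action as the Action claim and the endpoint address as the Resource claim, builds a standard XACML 3.0 request from the caller's claims, and asks a policy decision point (PDP). The IPolicyDecisionPoint interface stands in for whatever SOAP or Thrift proxy you generate for the entitlement endpoint; its name and method signature are assumptions, not WSO2's API. The attribute identifiers are the XACML core ones (plus the RBAC profile's role attribute), and the policy loaded on the PDP must reference them.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Xml.Linq;

// Assumed abstraction over the generated proxy for the XACML endpoint.
public interface IPolicyDecisionPoint
{
    // Sends a XACML 3.0 <Request> document, returns the XACML <Response> document.
    string GetDecision(string xacmlRequest);
}

// Registered with WIF via <claimsAuthorizationManager type="..."/> under
// <identityConfiguration>, so it runs for every WCF operation.
public class XacmlClaimsAuthorizationManager : ClaimsAuthorizationManager
{
    static readonly XNamespace Xacml = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";
    const string XsdString = "http://www.w3.org/2001/XMLSchema#string";

    readonly IPolicyDecisionPoint pdp;

    public XacmlClaimsAuthorizationManager(IPolicyDecisionPoint pdp)
    {
        this.pdp = pdp;
    }

    public override bool CheckAccess(AuthorizationContext context)
    {
        ClaimsPrincipal principal = context.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false; // authorization is never evaluated for anonymous callers

        string resource = context.Resource.Select(c => c.Value).FirstOrDefault();
        string action = context.Action.Select(c => c.Value).FirstOrDefault();
        if (string.IsNullOrEmpty(resource) || string.IsNullOrEmpty(action))
            return false;

        Claim subjectClaim = principal.FindFirst(ClaimTypes.NameIdentifier);
        string subject = subjectClaim != null ? subjectClaim.Value : principal.Identity.Name;
        IEnumerable<string> roles = principal.FindAll(ClaimTypes.Role).Select(c => c.Value);

        try
        {
            string response = pdp.GetDecision(BuildRequest(subject, roles, resource, action));
            return IsPermit(response);
        }
        catch (Exception)
        {
            // PDP unreachable, timed out or returned garbage: fail closed.
            return false;
        }
    }

    static XElement MakeAttribute(string attributeId, IEnumerable<string> values)
    {
        return new XElement(Xacml + "Attribute",
            new XAttribute("AttributeId", attributeId),
            new XAttribute("IncludeInResult", "false"),
            values.Select(v => new XElement(Xacml + "AttributeValue",
                new XAttribute("DataType", XsdString), v)));
    }

    // Standard XACML 3.0 request: one Attributes block per category.
    internal static string BuildRequest(string subject, IEnumerable<string> roles, string resource, string action)
    {
        var subjectAttrs = new XElement(Xacml + "Attributes",
            new XAttribute("Category", "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"),
            MakeAttribute("urn:oasis:names:tc:xacml:1.0:subject:subject-id", new[] { subject }));
        var roleList = roles.ToList();
        if (roleList.Count > 0)
            subjectAttrs.Add(MakeAttribute("urn:oasis:names:tc:xacml:2.0:subject:role", roleList));

        var request = new XElement(Xacml + "Request",
            new XAttribute("CombinedDecision", "false"),
            new XAttribute("ReturnPolicyIdList", "false"),
            subjectAttrs,
            new XElement(Xacml + "Attributes",
                new XAttribute("Category", "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"),
                MakeAttribute("urn:oasis:names:tc:xacml:1.0:resource:resource-id", new[] { resource })),
            new XElement(Xacml + "Attributes",
                new XAttribute("Category", "urn:oasis:names:tc:xacml:3.0:attribute-category:action"),
                MakeAttribute("urn:oasis:names:tc:xacml:1.0:action:action-id", new[] { action })));
        return request.ToString(SaveOptions.DisableFormatting);
    }

    // Only an explicit, single Permit grants access; Deny, NotApplicable and
    // Indeterminate (and multiple results) all fail closed.
    internal static bool IsPermit(string xacmlResponse)
    {
        XElement response = XElement.Parse(xacmlResponse);
        var decisions = response.Elements(Xacml + "Result")
                                .Elements(Xacml + "Decision")
                                .Select(d => d.Value.Trim())
                                .ToList();
        return decisions.Count == 1 && decisions[0] == "Permit";
    }
}
```

WIF instantiates a configured ClaimsAuthorizationManager through its parameterless constructor, so for web.config wiring add one that builds the PDP proxy from configuration (or override LoadCustomConfiguration); the constructor injection above is kept for readability. Treat the PDP round-trip as part of the request's latency budget and cache nothing that the policy could change without a cache invalidation path.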
No experience of WSO2, but if you don't want to use ADFS you'll have no problems with Identity Server. Both ADFS and Identity Server, and more commercial products such as Ping Identity, play very nicely with WIF.
This is a newbie question about IdentityServer and Windows authentication. The samples provided with IdentityServer3 with Windows authentication seem to implement it using WS-Federation, like the one provided in this link https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/WebHost%20(Windows%20Auth%20All-in-One).
The newest samples with IdentityServer4 use a different approach without federation. Are these approaches equivalent? Are there benefits of one approach over the other? I can understand using federation for ADFS, but not for Windows authentication with AD. I know I am missing something but can't figure it out. What is it? Thanks.
Identity Server 4 is based on .NET Core, which currently does not support WS-Federation, so if that is a requirement you should stick to Identity Server 3 on the "standard" framework.
According to the devs there's a "test" version out for WS-Fed, but whether it will be included in the final release of .NET Core 2.0 is still uncertain.
See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/500
I am reading a lot about federated identity management and technologies like SAML, which can be used for implementing SSO for web applications, and Kerberos, which can be used for implementing SSO for desktop applications.
This is how I understand it so far. If we have the case that we want SSO for a set of web applications and desktop applications, what are the technologies available for that? Do I have to combine SAML and Kerberos, or is there another technology that fits better?
AFAIK, Microsoft ADFS and Oracle Access Manager are SSO products which support SAML, Kerberos and other related protocols, do Windows-based authentication and thus provide SSO access across web apps and desktop.
Check,
http://blogs.technet.com/b/abizerh/archive/2013/04/11/more-information-about-sso-experience-when-authenticating-via-adfs.aspx
https://docs.oracle.com/cd/E29542_01/doc.1111/e15740/wna.htm
We are planning to implement ADFS for SSO across our organization for various web applications such as SAP, Siebel, custom Java-based, ASP.NET, etc.
I understand based on my research that ADFS can be used to achieve SSO for third-party applications using SAML. It can act as an identity provider for third-party applications. Please correct me if I am wrong.
Can we use ADFS to implement cookie-based SSO for the various internal web-based apps which I mentioned above? (For example, CA SiteMinder and Oracle Access Manager can work with almost every internal web-based application.)
In other words: we have one application using the Apache web server, one using the IIS web server, one using the IHS web server; can ADFS be used to achieve single sign-on with all these applications? If yes, how?
Thanks in advance!
Ashish
ADFS implements SSO via federation using either WS-Fed or SAML 2.0.
If these applications can support these protocols, then yes, just federate these products with ADFS and you will get SSO.
e.g. SalesForce SSO with ADFS.
For Java you need a SAML stack, e.g. Spring Security.
For ASP.NET, use OWIN or WIF.
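For the ASP.NET side of the answer above, here is an added example (written for this page, not the answer's code) of federating an ASP.NET application with ADFS over WS-Federation using the OWIN middleware (Microsoft.Owin.Security.WsFederation and Microsoft.Owin.Security.Cookies). The ADFS hostname and the relying-party realm are assumptions; the realm must match the identifier registered for the relying party trust in ADFS. The checks a practitioner wants are visible in the options: signing keys come from the federation metadata fetched over HTTPS, the token audience is pinned to this application's realm so a token issued for another relying party is rejected, and the session cookie that provides the SSO experience is secure and HttpOnly.

```csharp
using System.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(FederatedApp.Startup))]

namespace FederatedApp
{
    // Added example: OWIN startup for a WS-Federation relying party behind ADFS.
    public class Startup
    {
        // Assumed values: the relying-party identifier registered in ADFS and the
        // ADFS federation metadata URL.
        const string Realm = "https://app.example.com/";
        const string AdfsMetadata =
            "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml";

        public void Configuration(IAppBuilder app)
        {
            // The WS-Fed sign-in happens once; the resulting claims are persisted in a
            // cookie and later requests never touch ADFS. That cookie is the app's SSO session.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieSecure = CookieSecureOption.Always, // never send the session over plain HTTP
                CookieHttpOnly = true,                    // keep it away from page scripts
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                // Passive endpoint and token-signing certificates are read from metadata over
                // HTTPS, so token signatures are verified against ADFS's published key and
                // certificate rollover is picked up automatically.
                MetadataAddress = AdfsMetadata,

                // wtrealm identifies this relying party to ADFS; wreply is where ADFS posts
                // the token back and must be one of the endpoints registered for the trust.
                Wtrealm = Realm,
                Wreply = Realm,

                TokenValidationParameters = new TokenValidationParameters
                {
                    // Reject tokens whose AudienceRestriction names another relying party.
                    ValidAudience = Realm,
                },
            });
        }
    }
}
```

With this in place, an unauthenticated request that hits a controller marked [Authorize] is redirected to ADFS with wa=wsignin1.0, and the signed SAML token in the POSTed wresult is validated by the middleware before the cookie is issued. The same ADFS instance can federate the Java and SAP applications over SAML 2.0; only the application-side stack differs.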
We would like to use SAML 2.0 for a Single Sign On solution. As a typical Microsoft shop, we prefer to use Microsoft components as much as possible. Windows Identity Foundation supports SAML 2.0, but the extension is still in Community Technology Preview (CTP) for more than a year, with no information anywhere on future course. See http://blogs.msdn.com/b/alikl/archive/2011/05/16/windows-identity-foundation-wif-extension-for-saml-2-0-protocol-community-technology-preview-ctp.aspx
I came across an inspiring article by Michèle Bustamante: http://www.devproconnections.com/article/federated-security/generate-saml-tokens-using-windows-identity-foundation She actively promotes WIF + SAML 2.0, but nowhere in the article does she talk about CTP or final release. Neither could I reach her for a clarification.
With this background, is it safe to use WIF Community Technology Preview for SAML 2.0 or stick with SAML 1.1? Does SAML 2.0 offer significant advantage over SAML 1.1? Is the future of SAML 1.1 in question?
Any other alternatives?
You should clarify whether you're talking about the SAML 2.0 protocol (e.g. SAMLP) or just the token type. WIF RTM supports SAML 2.0 tokens, but not SAMLP.
So if it's just SAML 2.0 token support you need, WIF RTM is sufficient, though WIF extensions CTP does add some SAMLP support.
If you're looking for a SAMLP solution and you're a Microsoft shop then you should consider ADFS 2.0.
ADFS 2.0 would do "protocol transition": it will talk SAMLP with the Identity Provider and WS-Federation with your app (both use SAML "Tokens"). WIF supports WS-Federation.
Take a look at Identity Server, which is an STS that does use SQL Server for authentication. You can easily federate this with ADFS.
From what I remember about reading the licence agreement for the CTP release, it's just out there for comment: you can't use it, e.g., in a production environment.
As per @Eugenio, WIF only supports WS-Federation.
How were you intending to "stick with SAML 1.1"?
Update: What I suggest is that you use Identity Server to do the authentication against the DB. Your WIF applications are bound using FedUtil to Identity Server. You then federate Identity Server with ADFS. Your external parties use SAML to talk to ADFS and ADFS will handle the plumbing to enable them to authenticate with the Identity Server DB.
Note that WIF doesn't support SAML at all.
We are considering spring-ws as the platform for implementing web services that will be deployed on weblogic. We need to use WS-Security with SAML tokens issued by our identity management platform (TFIM).
The Spring-WS documentation for XwsSecurityInterceptor does not mention SAML, and it is not clear to me if it would work in this context.
I guess alternatives could be to do our own interceptor which uses OpenSAML, or somehow utilise the SAML support in WebLogic.
Does anyone have experience with this? It would be nice to aim for a solution that is known to be workable.
Apache WSS4J does support SAML tokens, and Spring-WS comes with a Wss4jSecurityInterceptor, so I'd guess you could get it working out of the box.