I have an Asp.net MVC Website using Forms authentication.
The site is hosted in IIS using Forms Auth and works fine.
Due to a number of reasons, I want to know if it is possible to do the following:
I want to create a Virtual Directory underneath the main website, a separate application, and secure it using Forms Authentication as well.
The main site, and the site in the child Virtual Directory will be separate applications, and the Forms Auth will be completely independent of each other, and using different databases.
Is it possible to set up in this way?
Forms authentication works by using cookies. So as long as you provide different authentication cookie names for both sites they will be independent.
<authentication mode="Forms">
<forms name=".Auth1" />
</authentication>
But the problem AFAIK is that the <authentication mode="Forms"> tag cannot be redefined in sub web.config files.
Related
I am using Salesforce as an IdP for my MVC app. I have multiple communities in my Salesforce instance each with a different signOnUrl. How do I configure multiple communities to use the same Sustainsys Identity Provider?
I have tried using the same community link for the different communities, that gives a privileges error. I've tried setting multiple Identity provider nodes for the different community signOnUrls but it hasn't worked
<identityProviders>
<add entityId="https://{Salesforce}" signOnUrl="https://{Salesforce}/{community1}/idp/login?app={appId}" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
<signingCertificate fileName="~/App_Data/{cert}.crt" />
</add>
<add entityId="https://{Salesforce}" signOnUrl="https://{Salesforce}/{community2}/idp/login?app={appId}" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
<signingCertificate fileName="~/App_Data/{cert}.crt" />
</add>
</identityProviders>
When I try adding multiple entity providers to the same server the error is The entry https://{Salesforce} has already been added.
Found the answer... instead of adding multiple identity providers with different signOnUrl parameters. You can add multiple signOnUrls in the same node.
<identityProviders>
<add entityId="https://{Salesforce}" signOnUrl="https://{Salesforce}/{community1}/idp/login?app={appId}*;https://{Salesforce}/{community2}/idp/login?app={appId}*" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
<signingCertificate fileName="~/App_Data/{cert}.crt">
</add>
</identityProviders>
If you are using owin or asp.net core, a better approach is probably to register one authentication scheme for each Salesforce community. This will make your application work as two virtual service providers to Salesforce, one for each community.
When registering the SAML2 middleware/handler twice, you need to ensure that each instans has a unique EntityId and a unique ModulePath.
In our ASP.Net project, I am using 'Kentor.AuthServices' as SAML2 Authentication Service. For testing purpose, I am using 'Kentor.AuthServices.StubIDP'.
Currently we gave an anchor tag in the page with href as:
href=#Url.Content("~/AuthServices/SignIn?idp=" + entityId)
This works perfectly fine and once we click the anchor tag, it gets redirected to Identity Provider:
http://localhost:17009//SamplePath/AuthServices/SignIn?idp=http://stubidp.kentor.se/Metadata
But what we need to achieve is without using the anchor tag,where we directly enter our site URL address in the browser, it should automatically redirect to Identity Provider.
When using the HttpModule, you use the forms authentication setup in the web.config to cause unauthenticated requests to be redirected to the sign in sequence.
<authentication mode="Forms">
<forms loginUrl="~/AuthServices/SignIn"></forms>
</authentication>
We have implemented Single Sign-On (SSO) using Kerberos in our production environment.
The configuration of our application is as below.
Operating System: Solaris10
Application Server: WebSphere7.0.0.11
Things are working fine for the Parent domain (MAIL.COM). But the users from child domains (like CO.MAIL.COM, BO.MAIL.COM..) are unable to login to the application.
We have the Kerberos Configuration file with the child domain details also. My doubt is "What are the changes needs to be done at the WAS console (realm related, domain related etc..)"
Thank you very much in advance..!!!
I am building a site using ASP.NET MVC 2. The site itself needs to be public but the admin section should require a windows login and the user logging in needs to have local admin privileges on the server.
i.e. http://server/site should be open, but http://server/site/admin should force an admin login before proceeding.
Can this be done in code or by tweaking the web.config file? If necessary, making configuration changes to IIS is acceptable but I am trying to keep deployment steps down to a minimum.
I don't know if you can do this in web.config, or even if it's possible via IIS in an MVC application (since /site/admin won't exist on the file system), but it is possible to have different permissions for different folders under IIS. You will need to use the IIS manager to configure this.
You may also be able to use an AuthorizeAttribute on your admin controller.
This turned out to be fairly straightforward:
Enable Windows Authentication in IIS.
Enable Windows Authentication in web.config.
Decorate each action that needs to be secure with [Authorize(Roles = "Admin")].
So I have an MVC 2 App running on Windows Azure.
Everything works fine, but I want to create a subdomain where I can test some stuff that I need the actual server for, but I don't want anyone to see it. However, if I just put up like www.mywebsite.com/sandbox - anyone COULD technically access it, even though they'd have to know it's there, which I don't want.
Is there anyway I can setup something like that and password protect it or something easily? If so, I would use the same sort of thing for a private administrative URL where team members only could go in and check stuff (with a username/password that I maintain).
As far as I see it, you have two options available.
Create a staging deployment, and make the IIS web site respond to a specific DNS request (e.g. http://sandbox.mywebsite.nothere). Either change your DNS settings, or chane your local hosts file (e.g. in C:\Windows\System32\drivers\etc\hosts). This is security through obscurity, and while it's not effective, it's easy and perhaps a good start.
As suggested by Steve Morgan in a comment, implement authentication in your application. If you have an ASP.NET (MVC or not) application (I'm assuming MVC in my example), you can do with something like this:
Create a MembershipController
Create a Login action accepting username and password, implementation looking like this:
public virtual ActionResult Login(Qinoa.Web.Models.LoginData model)
{
if(model.Username == "myuser" && model.Password == "hardcodedPassword") {
FormsAuthentication.SetAuthCookie("myuser", model.RememberMe);
}
return RedirectToAction(MVC.Home.Index());
}
In your web.config file, set
<authentication mode="Forms">
<forms loginUrl="~/Membership/Login" timeout="2880" />
</authentication>
On all your test containers add an [Authorize] attribute. Your app is now (rudimentary) protected.
On a side note to #1: you can host multiple sites on one web role.
Configure your application using Windows Identity Foundation and the Access Control Service.
You then have a choice of Identity Providers that you can use to secure your application without managing your own users.
Even better, if you have Active Directory is to deploy ADFS 2.0 internally. The beauty of that is that even if someone reaches your application, they can't authenticate if they don't also have access to network on which your ADFS server runs.
I'm securing an Azure application this way and it works very well. I get transparent integrated authentication but it's highly secure.
You don't need to expose AD or ADFS outside your network to do this; there's no communication between Azure and ADFS, it's all done via the browser.