I have multiple .NET projects that allow authenticated users to browse html files on another domain via iframe.
I'm struggling with securing these files so that no user can take the link from the iframe and share that link.
The projects are hosted on iis, and users are authenticated with a JWT token.
Any help is appreciated.
I'm afraid it is unavailable to prevent user from getting link from your iframe because they are always able to view the link via developer tool.
But you could create a URL rewrite rule to strict the src link can only be accessed from your website by checking HTTP_REFERR header.
If the referrer domain incorrect or null, then your rule will block it.
Related
I currently have an Azure Blob Storage Account setup with Azure CDN to host a Static Site. This Static Site is connected to an App Service backend and uses frontend-based authentication using Active Directory baked into the application code with MSAL.
When it was initially deployed and running off of the Static Site's URL alone, I was able to authenticate without fail. The auth popup would present itself, I would provide credentials, and the Active Directory sent back a token that I then confirmed with the backend and successfully redirected to the post-auth landing page.
The Problem I'm having now is that when I proceed to the URL provided by the Azure CDN (rather than the Storage Site's URL), the popup for authentication opens and allows me to provide credentials, but instead of closing and redirecting upon token reception, the popup simply hangs there. It's also interesting to note that the popup's URL is listed as the Static Site URL and not the CDN URL. The token comes back and is present in later portions of the URL, so it must be a mis-match between the URLs that's causing the issue.
I've Tried changing out the Static Site's configured Reply URLs to match the CDN, and it didn't make a difference. I've also added the CDN URLs (both the custom one and the endpoint .azureedge.net one) to the Active Directory list of Reply URLs.
The CDN is providing a certificate for the custom URLs to use, so we need that in order for the custom URLs to work properly. To be clear as well, the authentication works when using the Static Site URL, but not the CDN URL.
Has anyone else run into an issue of this nature? If so, have you solved it?
For anyone who may come across this, the solution was much more simple than I had anticipated. The MSAL configs for the frontend needed to be using the new CDN URL (which I figured), but the CDN itself needed to be purged and the changes picked up from the Blob storage.
I have developed a web application written in just pure HTML.
<html>
My code goes here
</html>
And I have deployed it to MS Azure. I'm now looking for a way to authenticate this web application with Active Directory so only my organisation's employees can access it.
I have done tons of research online and it seems like there are many ways to do this. However, I'm looking to do it by "adfs/ls/wia" (correct me if I'm wrong).
The reason why I would like to do it only in that way is because:
I'm going to embed this web application into a dashboard.
In order to view that dashboard, users (employees) need to go to a specific website:
https://<dashboard>.<myorganisation>.com
And then users will be redirected to a sign-in page with this address:
https://fs.<myorganisation>.com/adfs/ls/wia
After signing in (with users' active directory accounts), users will be redirected back to the dashboard's website. The URL is now looking like the following:
https://<dashboard>.<myorganisation>.com/#/site?:isFromSaml=y
And then users can freely browse the dashboards (without having to sign in again) until they close their browsers. So I guess some sort of tokens/sessions are being kept.
My question is:
I would like to authenticate my web application with the same way and since it's only accessed after users have signed in, how do I by-pass this authentication step? What do it need to put on top of my HTML code or is there a way to configure this in MS Azure already?
Thank you so much!
The easiest way is to have two Relying Party in ADFS - one for dashboard - one for web application.
Then you will get SSO across them.
I've created a web application using Node.js that relies on a google API (specifically the DCM/DFA reporting API). It redirects the user to login to their gmail account, and after a successful login redirects back to the web application.
Suddenly my company has told me that this web application needs to be restricted to internal use only, and that they won't host it on a public domain for security reasons.
Is there any way to get Oauth to redirect to the internal domain? When I try to set the redirect domain in the google developers console I get an error message that it is not valid. Is there anyway around this?
The sample redirect url you can add at Console and Code is:
http://localhost:8080/authcallback
(Remember to not add trailing / in url)
I want to create a web page, that will serve to authenticate users based on credentials I give them (user1, pswd1 etc).
Only after a user authenticated, he should have access to a few other web sites,
on different folders of the web server, but which have no server side code(otherwise it would be simple.)
The user should be allowed access to the other sites, e.g. based on his IP,
for 24 hours or another period, or while he has the authentication site open on his browser.
The purpose if that the user will not have to enter credentials on each site,
and will enter his credentials only once, or once a day.
Restrictions:
I don't want to modify the target web site javascript code at all, e.g. to query a web service.
The user should be granted access using any browser,
so I assume I cannot use cookies.
If I would develop such a mechanism on Apache,I could, for example, have the authentication site PHP code add a line "Allow from ip" to the htaccess file of each target web folder, whenever a user authenticated successfully.
The issue is that I don't want to develop it as I am sure a solution already exists, and also I need a similar mechanism for both Apache and node.js (although i can live with two different solutions)
What information does the user have to identify themselves? How do you guarantee the user is who they say they are?
The whole point of authentication is to establish the user is who they say they are and that may create a session so that users need not reauthenticate.
If you want the user to authenticate in a single location and then reuse that "session" or set of credentials elsewhere, what you are looking for is single-sign-on / identity federation.
For instance, take airbnb.com. I do not need to authenticate there. All I have to do is authenticate with a third-party e.g. Google or Facebook. As a matter of fact, SO works in the same way.
One of the standards behind this technique is called Open ID Connect. Look into that. If you are willing to dish out money, you can look into commercial solutions e.g. Ping Identity. There is an open source implementation provided by Mitre / the MIT. It's available here.
In fact it occurs to me I can use simple routing.
In the top level folder have php code that does the authentication.
If the user is authenticated, route/redirect to the requested target site,
based on the requested url.
The url should be for example http://mysite/site1, where the authentication code is in the folder mysite, and site1 is not directly accessible.
Perhaps I can use something like php-express to reuse the same php code on node.js.
We are having some issues getting SharePoint to work as we want it to.
We have an enterprise MOSS configuration on our domain and have the entry http://intranet pointing to it on port 80.
We also have another site collection and have pointed an internet domain name http:/nww.oursector.nhs.uk at it. We have done this to allow those outside our domain but on the same physical network to view it. Our network admin hasd configured the firewall to redirect any requests to this url to our sharepoint server.
The problem with this is that we have had to turn on anonymous access otherwise SharePoint sees this url as external and blocks authenticated access to the site. This means that all users need to manually sign in to the site, which is making working with SharePoint quite problematic.
Is there a way to configure SharePoint to allow the url http:/nww.oursector.nhs.uk to access the site collection without having anonymous access turned on for the site? I want users to be able to browse to the site and if authenticated then fine, if not then prompt them to login.
Can anyone suggest a way to achieve this?
I would say you need to use SharePoint's alternate access mapping to use the correct authentication type depending on the method users are using to access the website.
Basically i think this would work as follows for your situation:
For internal users, use the default zone, using NTLM with SSO configured.
Thus users should be signed in transparently without requiring to login.
For external users, extend the web application, using the extranet zone, using anonymous access.
This will allow external users, to browse the website without signing on.
See:
http://blogs.msdn.com/sharepoint/archive/2007/03/06/what-every-sharepoint-administrator-needs-to-know-about-alternate-access-mappings-part-1.aspx