Using ADFS to provide Kerberos token for WAP and backend system - sharepoint

We have SharePoint on-prem using Kerberos and want to enable external users to connect to our system through WAP.
We would like to avoid exposing our SharePoint "directly" to the outside network (pass-through) and to avoid connecting the WAP in the DMZ to our internal AD domain (Kerberos delegation).
What are our remaining options?
Is ADFS capable of passing a Kerberos token? (It's on the internal network side.)
Br,
Tom

The Kerberos protocol is a part of AD. ADFS converts the Kerberos token into a SAML token so you can pass it this way. ADFS provides either a SAML 1.1 or 2.0 token that contains the claims.
The ADFS server turns the Kerberos ticket into a SAML token which gets sent to whoever started the federation flow.
There is a guide for configuring Kerberos with ADFS 2.0 that may be helpful. https://www.cisco.com/c/en/us/support/docs/security-vpn/kerberos/118841-configure-kerberos-00.html

This is not possible. ADFS is only capable of doing Kerberos delegation (turning a SAML token into a Kerberos token for the backend) if it's part of the domain.

Related

using Microsoft.Identity.Client without Microsoft as identity provider, is it possible?

Can someone tell me if it's possible with the "Microsoft.Identity.Client" to do OpenIdConnect and get an access token which doesn't come from Microsoft/Azure but from another Identity Provider.
Thanks in advance.
Can someone tell me if it's possible with the "Microsoft.Identity.Client" to do OpenIdConnect and get an access token which doesn't come from Microsoft/Azure but from another Identity Provider
No, it's not possible to get an access token from a third-party identity provider if you are using Microsoft.Identity.Client with OpenIdConnect.
As per documentation:
With OIDC, this flow does authentication and authorization for most app types. These types include single page apps, web apps, and natively installed apps. The flow enables apps to securely acquire an access_token that can be used to access resources secured by the Microsoft identity platform.
All confidential clients have a choice of using client secrets or certificate credentials. Symmetric shared secrets are generated by the Microsoft identity platform.
You can refer to Microsoft identity platform and OpenID Connect protocol, Validating access tokens and Request an access token with a client_secret

Azure AD B2C Open ID Connectivity Vs OAuth 2.0

On this Microsoft documentation on Azure AD B2C, I read
OpenID Connect is recommended if you're building a web application that's hosted on a server and accessed through a browser. If you want to add identity management to your mobile or desktop applications using Azure AD B2C, you should use OAuth 2.0 rather than OpenID Connect.
What are the roles of OpenID Connect and OAuth 2.0 in Azure AD B2C, and which features do they each support?
The question is not quite correct. On the same page you can read:
OpenID Connect extends the OAuth 2.0 authorization protocol for use as an authentication protocol. This authentication protocol allows you to perform single sign-on. It introduces the concept of an ID token, which allows the client to verify the identity of the user and obtain basic profile information about the user.
OpenID Connect (OIDC) is an extension or superset standard/RFC of OAuth 2.0. Both protocols define authentication flows; while OAuth2 is a bit generic, a general framework that gives a lot of freedom of choice, OIDC specifies important aspects in detail. OIDC adds an id_token in JWT format in addition to the access token, flows like the Hybrid flow, token introspection endpoints, etc. to OAuth2.
Usually OAuth2 comes together with OIDC. If you want to know the difference in detail, there are RFCs for OIDC and OAuth2.
So your question is about the protocol difference; you can find a lot of information in addition to the RFCs. Here is an IMO good article link.
In short:
OAuth2
  - access token use, but not format, specified
  - Authorization Code Grant
  - Implicit Grant
  - Resource Owner Password Credential Grant
  - Client Credential Grant
OIDC
  - extension of access token by id_token use; id_token in JWT format
  - token endpoints, self-issued token, offline access
  - Authorization Code Flow (extension to Authorization Code Grant)
  - Implicit Flow (extension to Authorization Code Grant)
  - Hybrid Flow
B2C is focused on use from the client application side, for consumer applications. When you create an IdP, Azure B2C supports already existing social providers (Facebook, Microsoft, etc.), which are in fact OIDC with proprietary extensions, or a custom OIDC IdP. In terms of API and authentication flows, as is typical for any IdP, it supports both, so you can use the HTTP API for OAuth2 or OIDC, and OIDC is recommended.

How would a request be ADFS-authenticated non-interactively?

There is a requirement in my project to authenticate a user using ADFS at the back end without user interaction with the ADFS login page. Is there any possible way to achieve it (maybe by certificate authentication only)?
You could use the WS-Fed active profile (à la WCF).
Or for ADFS 4.0, with OpenID Connect / OAuth you could use client credential flow (typically server to server) where authentication is via knowledge of a secret key.
If from client, use resource owner password flow.

How to configure metadata certificate of my site for ADFS server - working with passport-saml

I'm new to working with NodeJS and was asked to configure SSO for the website I'm building, using SAML with ADFS authentication, since my company uses AD for our system management. Since I use NodeJS,
I found that working with the passport-saml module would be best for me. I'm looking for
help with creating the federation metadata XML to send to my ADFS IdP.
thanks in advance,
DLGM
You don't need metadata - you can configure it manually.
Choose the SAML RP option.
Refer: Configure strategy for ADFS (SAMLp).
So the "realm" is the ADFS RP identifier.
The thumbprint is for the ADFS token signing certificate.
Under "Advanced", set SHA-1.

what is the difference between openam and openid SSO implementation?

As far as I understand, OpenID uses accounts made on other websites to sign in to the website, so that the user won't have to create multiple usernames and passwords.
Doesn't OpenAM do the same thing? It uses providers like Facebook and Google in order to authenticate the user.
Please correct me if I am wrong.
OpenID Connect is a standard.
OpenAM is a product that amongst many other things, implements the OpenID Connect standard (both as a client/relying party and as a server/provider).
So, yes, you can configure your OpenAM to work with external OpenID Connect providers to establish sessions at OpenAM, but you can just as well configure your OpenAM to perform authentication against a local directory server and act as an OpenID Connect provider (like Facebook/Google/etc).
The scenario you mention above is Single Sign-On (SSO). It is provided by OpenID Connect with OAuth.
OpenID is a protocol (standard).
OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol.
OAuth only provides authorization using an access token. OpenID Connect is built on top of OAuth2 in order to provide user authentication information.
Not only OpenID Connect: we can also use SAML (Security Assertion Markup Language) for Single Sign-On, named SAML SSO.
OpenAM is a product; at the link below you can read about OpenAM features: Wikipedia OpenAM page. Additionally, you can use another open-source identity server, WSO2 Identity Server, to implement this feature, and there are more additional features as well.