Path of least resistance to implement SSO with SAML - iis

Here's the environment:
Existing .NET B2B application with multiple, external corporate customers. The service provider application is hosted in IIS.
Existing non-SSO authentication with user account info stored in a database.
Must have both SSO and non-SSO login capability.
The initial identity provider will be ADFS hosted by a customer.
All options are on the table. I'm open to cloud solutions, open source (Shibboleth et al), local ADFS server, and/or custom implementation. I'm looking for the easiest and fastest way to implement an SSO solution into an existing .NET application.

Lots of things to wheigh in. First strike the custom solution part, hard and unnessecary in this case.
As I understand you are looking for the SP part as IDP will be ADFS at customer.
In this case the product does not even have to talk to the database. Only the IDP needs that.
Some things to think about when choosing the product.
Opensource is cheep in licens cost. enterprise products can be quite expensive.
Enterprise product might have better support then opensource when things doenst work. If your applications ar critical this might be important.
It might be a good idea to consider one of many cloudbased SPs to offload the management of the SP from you.
These are some considerations to take. What you choose will depend on your need and wishes in terms of uptime, support, managements etc.
Most products will have no problem implementing this use case.

Related

Hangfire and Data Privacy

I am working with a developer and creating a Blazor application that will have access to sensitive data. I typically avoid 3rd party add-ins unless they come from vendors with significant security credentials. Are those of you who are using Hangfire and who might have insight to its open source code inner-workings comfortable with this product?

How to enforce Azure AD authentication on IIS server level

Is there any possibility to configure IIS server to enforce Azure Active Directory authentication in hosted application? I don't want to apply any changes to app's code, it would be great to provide this authentication only on server level/layer (configuration IIS). Is this even possible?
EDIT
I have situation like this:
Have many applications from a customers. Have Azure AD and users added there. I need to provide Azure AD authentication to these applications. Moreover, i shouldn't do anything with code of these applications so i thought that i can try to enforce authentication not on application level but on server level. I've been searching informations about possibility of this method but can't find any (only application scenarios supported by Azure AD https://azure.microsoft.com/pl-pl/documentation/articles/active-directory-authentication-scenarios/ ). The only thing i have found is Azure Multi-Factor Authentication but i don't think it is helpful.
We tried to find it, and all that i have found that there is no possibility to enforce AAD authenticatoin on the IIS level and that it should be set up on the application layer which is actually the only one recommended and described process on the sites and in the AAD-related articles. I would say, that it can be even hard from a technological standpoint.
Reference 1
Reference 2

Can you connect to Dynamics GP from an Azure worker role?

I'm looking into the possibility of integrating an Azure hosted .NET solution with Dynamics GP and I'm new to Dynamics. In general it seems like there are two approaches to connecting to GP: 1) web services and 2) eConnect. This article has some good background.
I would think as long as the web services are accessible, that option would work. I see that there are MSMQ and other requirements for eConnect which makes me think that would be a headache if it is even possible without something like Azure Connect. Has anyone has done this one way or the other?
Thanks
Yes you can connect to your Dynamics GP from a Windows Azure Worker role (why Worker, why not web role?) and it's all depend which route your would want to take.
Web Services method is comparatively neat & easier to access your Secure Web Services configured Dynamics GP.
On the other hand, eConnect Integration requires several other configurations so If you decided to use eConnect, I think you are better of using eConnect along with BizTalk Server/Adapter combination set into Service Bus (which is talking directly to eConnect) and your Azure application is talking to BizTalk services directly. This could be much easier to implement but you can not beat web services.

Unique account manager

I've got three different apps, all in GWT, none using Spring. Today, all of them got their own security layer provided by Tomcat. I want to setup a security layer shared by all of them. So that I don't have to deal with changes in the security layer for every app (following the DRY principle). I believe it's something similar to what Google does. Every time I try to login to any Google app, I'm taken to account.google.com.
How can I do that? Maybe setting this webapp Accounts to deal with every aspect of the accounts (log in and out, edit account, etc), and connect the session (or authentication) to my webapps?
You could deploy a Central Authentication Service and use it as an authentication provider for your applications.
Using a library (for example gwt-cas) to call your CAS will reduce your code duplication to a few lines of configuration per project.
You'll want to look into container-managed security. Here's the salient documentation.

Central authentication for Windows, Linux, Google Apps, Web Apps

I am wondering if some authentication can be used to authenticate logins in Windows, Linux, Google Apps and Apache hosted web applications.
Ideally, I would love the authentication to have these features:
The authentication provider should be replicated, maybe one mirror exists online for external applications while an internal mirror is used for intranet/PC logins.
The authentication service should not be hosted on Google Apps or any other service, it should be under my full control.
Fault-tolerant, those mirrors can be specified in some order, if one fails, the next is tried.
I have done a lot of research, it seems Kerberos fits my needs. It seems that a lot of work has to be done.. especially for Google Apps, an SAML authentication service must be written.
I am wondering if there is an easy way, or if Kerberos is really what I am looking for.
RADIUS is another protocol choice. Plenty of providers available.
Just so you understand, what you are asking for is non-trivial, and unless you understand this space well (and I'm guessing you don't seeing as you're asking...), you almost certainly are underestimating the cost and the effort.
Kerberos is a large and complex specification, and getting effective interoperability across systems will cost you $$$$.

Resources