We have a SharePoint 2013 web application using claim based authentication where identity provider is windows. There are some custom web services in a "sub-application" within SharePoint website in IIS. What we want is to make those custom web services claim aware. So that in custom web services we should know that who is the current logged in user in SharePoint, whether he is authenticated SP user or not etc.
When we access the custom web service using an AJAX Web Part then the web service know the current logged in user, but using a content query (XSLT) Web Part the web service shows Application Pool's user as current logged in user, sort of double-hop problem.
Any idea how to fix this issue or how could I use the STS of SharePoint site in my custom web services application?
Related
We have a situation where we are connecting to SharePoint 2019 using the current user logged in to authenticate (so no hard-coded username/password to pass over CSOM). We do not use the SharePoint UI at all, so everything is done from Web App API to SharePoint 2019 API (via CSOM).
Our current Web Application is secured with Identity Server 4. How can we get authentication working from .NET/CSOM in the Web Application's APIs to use the current user's identity to make the call to SharePoint 2019.
Currently, SharePoint's Authentication is just set to Negotiate/Kerberos, but I have a feeling that it needs to use Identity Server as the Trust Provider (as seen here: https://www.scottbrady91.com/Identity-Server/IdentityServer-4-SharePoint-Integration-using-WS-Federation) The only issue is that this example is using the UI of SharePoint to prompt the logins, and isn't solely from API to API connects nor does it reference any examples of doing that via code.
Thanks in advance!
Scenario
There is one user store, namely an on-premises AD. ADFS provides authentication for SharePoint 2013 and Power BI.
The custom web app needs to authenticate users from AD. The web app back-end also requires access to the SharePoint REST API.
The objective is to achieve the above using a single sign on. If singed in to any one of the three applications, the user should not have to input credentials for any of the other two. As well, the custom web app displays content from SharePoint (iFrame and REST API) and Power BI (iFrame).
We have tried the following two solutions but have come across an issue in either case.
Solution 1
User inputs credentials in the web app.
The web app back-end uses these credentials to get a SAML token from ADFS.
The web app back-end uses the SAML token to authenticate the user with SharePoint through forms-based authentication and retrieves a FedAuth cookie.
The web app back-end uses the FedAuth cookie to make REST API requests to SharePoint
The web app front-end uses the SAML token to authenticate the user with SharePoint through forms-based authentication. This allows SharePoint content in iFrames.
What doesn't work: Navigating to Power BI or including it in an iFrame will redirect the user to the ADFS sign in page. This is because the user has not been authenticated with ADFS in the browser yet.
Solution 2
ADFS SSO is used for the custom web app as well.
Navigating to any of the three applications redirects the user to the ADFS sign in page
The user inputs their credentials and get redirected back to the application with a SAML token.
Navigating to any of the other two applications will redirect the user to ADFS, which will redirect back to the application with another SAML token without requiring the user to sign in again.
This allows for both SharePoint and Power BI content to be included in the web app in iFrames.
What doesn't work: The web app can't make REST API request to SharePoint using the SAML token received from ADFS for the web app. We have tried to use that SAML token to request another one from ADFS for SharePoint on behalf of the user signed in. That did not work either. As well, SharePoint 2013 on-premises may not accept an on behalf of request.
Question
Is there a way to have SSO for all three applications while also having REST API access to SharePoint from the web app? The user should have to sign in only once, and preferably only in to the web app.
Registering your applications through Azure Active Directory is probably the best way to achieve what you are looking for. You can register the applications in Azure AD and then grant permissions to users by application, tenant, or policy. https://learn.microsoft.com/en-us/power-bi/developer/embed-sample-for-customers
https://learn.microsoft.com/en-us/power-bi/developer/create-an-azure-active-directory-tenant
I have deployed an asp.net MVC web application under IIS 7.0. and as it is an intranet web application , I have disabled, form authentication, basic authentication and anonymous access services from my web site inside IIS. While I only enabled windows authentication service.
But currently users who are defined inside the same domain which contain the asp.net mvc web application can login to the application, while users who are defined under another trusted domain (inside AD on remote machine) are not able to access the application (they will get a prompted username and password from their web browser, but will fail to authenticate).
So my question is whether I can define which domain And/OR which AD the windows authentication service inside IIS server should use to authenticate the login users ?
What about http://msdn.microsoft.com/en-us/library/ff650307.aspx ?
Did you tried declaring the connectionStrings as specified to the different ADs ?
I have a custom Windows App (needs to be windows as it runs on a users machine and interfaces with TWAIN devices) which needs to communicate to a Claims Based Authenticated site.
What is the best way to achieve this? Each user already has an account on the site which I want to use to authenticate with on the windows app.
Note: the site is actually a CRM2011 IF Deployment.
CRM 2011 setup
Cloud Hosted
Claims Based Authentication for IFD users
Windows (AD) Based Authentication for services (i.e. running on the same box) and workflows
STS setup is out of our control
Is CRM 2011 already configured to use a STS such as ADFS?
If so, you just need to add your app. to the STS as a Relying Party.
There's a white paper.
Also, this gives a good overview of configuring ADFS and WIF in general.
An external hosted app can take the username and password in the querystring and auto login the user. How do I get these details from Sharepoint?
I know you can use SPContext.Current.Web.CurrentUser; if the application is hosted locally however it isn't.
How can we achieve single sign on from Sharepoint to the external 3rd party software?