I have a custom Windows App (needs to be windows as it runs on a users machine and interfaces with TWAIN devices) which needs to communicate to a Claims Based Authenticated site.
What is the best way to achieve this? Each user already has an account on the site which I want to use to authenticate with on the windows app.
Note: the site is actually a CRM2011 IF Deployment.
CRM 2011 setup
Cloud Hosted
Claims Based Authentication for IFD users
Windows (AD) Based Authentication for services (i.e. running on the same box) and workflows
STS setup is out of our control
Is CRM 2011 already configured to use a STS such as ADFS?
If so, you just need to add your app. to the STS as a Relying Party.
There's a white paper.
Also, this gives a good overview of configuring ADFS and WIF in general.
Related
We have a situation where we are connecting to SharePoint 2019 using the current user logged in to authenticate (so no hard-coded username/password to pass over CSOM). We do not use the SharePoint UI at all, so everything is done from Web App API to SharePoint 2019 API (via CSOM).
Our current Web Application is secured with Identity Server 4. How can we get authentication working from .NET/CSOM in the Web Application's APIs to use the current user's identity to make the call to SharePoint 2019.
Currently, SharePoint's Authentication is just set to Negotiate/Kerberos, but I have a feeling that it needs to use Identity Server as the Trust Provider (as seen here: https://www.scottbrady91.com/Identity-Server/IdentityServer-4-SharePoint-Integration-using-WS-Federation) The only issue is that this example is using the UI of SharePoint to prompt the logins, and isn't solely from API to API connects nor does it reference any examples of doing that via code.
Thanks in advance!
I need to configure OpenID Connect using a Spring Security filter to authorize the consumption of my Rest API Web. I found a Google Login Example, but in my case I need it for Office365. I created my app in Azure and I have configured the corresponding properties. When I try to access my REST API it redirects me to the office login and when I enter the correct credentials this exception is thrown:
I don't know the cause for this particular exception, but generally there is a good tutorial at Microsoft Azure developer pages that explains how to use Spring Boot, Spring Security for authentication at Microsoft Azure Active Directory:
https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory
With this implemented you can login at your web application with a Microsoft account.
In section "Add an application registration for your Spring Boot app" at step 2 you can choose whether you (or your app) want to support accounts single tenant, multi tenant or even personal Microsoft accounts (Skype, Xbox, ...).
There are only three two differences (in 08/2020) between tutorial and my working test-application:
you've got to set both properties "oauth2AllowImplicitFlow" AND "oauth2AllowIdTokenImplicitFlow" to "true".
the property in application.properties seems to be "azure.activedirectory.active-directory-groups" instead of "azure.activedirectory.user-group.allowed-groups"
Canb anyone provide documentation or a high level approach for using identity server 3 with on-premise SharePoint 2013.
Currently windows active directory is integrated with SharePoint and basic FBA (form based authentication) is being used.
SharePoint 2013 natively supports claims based authentication via WS-Federation but not via OpenID Connect. This is typically used within the enterprise for federated authentication from ADFS into SharePoint.
IdentityServer 2 does support WS-Fed, whereas IdentityServer 3 does not straight out of the box. There is a WS-Fed plugin however - this should be considered option #1.
https://github.com/IdentityServer/IdentityServer3.WsFederation
Another option might be to wire up ADFS v3 between IdentityServer3 and SharePoint.
As a third alternative, I've set up our IdentityServer v2 instance as an IDP for SharePoint for a few customers - it's a pretty easy process following the Microsoft recipe, replacing the word "ADFS" for "IdSvr2" :)
https://technet.microsoft.com/en-us/library/hh305235.aspx?f=255&MSPPError=-2147217396
I am trying to build a cross platform (Android, iOS, Windows) mobile application using Xamarin Forms PCL project library. My requirements are simple yet involves a lot of services which I find to tie together.
Here is the mix of services that I want to use
Xamarin Forms
Azure AD to Authenticate against (Office 365 tenant)
Mobile Services Client with offline sync capablity
Azure Mobile AppService .NET backend
SharePoint Online to perform CRUD operations on List on behalf of the user
I want to look at some samples or reference implementation with this combination.
I have been struggling with this combination, in fact I got AD Auth to work with Xamarin forms PCL using some pre-release version of ADAL NuGet package, the latest stable version does not work. Similarly I also for the App directly communicate with SharePoint REST APIs but now that the Auth is broken I am not able to proceed.
Then I thought of using Azure Mobile App .NET Backend, now I got Auth working there but when a call is made to the mobile backend I am not able to access SharePoint list (CSOM) since the Auth is only to access the backend service, unable to impersonate as the user to access SP. I guess I need to use AppAuth but that too not working.
I realise that instead of focusing on my actual problem of building the App I am not exploring different ways to get the AD Auth and SharePoint Access working. Can anyone point to any reference to help me out here.
I suspect you have a problem in your AAD setup. I assume you're using ADAL to do client-directed login on your Xamarin forms client. If so, then what you need to do is set up 2 Active Directory apps, one for the native client, and one for the web backend.
Here's a sample that's for mobile services that shows a similar setup, but for Dynamics CRM: Mobile Services Dynamics Connector Setup
The main point is that you need to set up your client app registration with the following permissions. Assuming your backend registration is MobileBackend:
Client app permissions:
Azure Active Directory: Enable sign-on and read users' profiles
MobileBackend: Access MobileBackend
MobileBackend will have the following permissions:
Azure Active Directory: Enable sign-on and read users' profiles
Sharepoint: The sharepoint permissions you need
Once you've done all this, use this article for Xamarin authentication: Authenticate users with the Active Directory Authentication Library.
We have to HNSC https://division1.corp.com https://division2.corp.com on the same SPWebApplication using Claims and Forms Authentication. When logging in to https://division1.corp.com we should have access to https://division2.corp, but we get the logon dialog box again. The UserInformationList are synchronized between this HNSC. By looking at the cookie, they are different.
How shall we solve this?
SharePoint 2010 out of the box does not provide a way to share authentication between its own web applications. This is primarily because each application authenticates users independently and the cookies that it issues are marked with the HTTP Only flag. This means the cookie cannot be accessed by other applications on different DNS names (even if they are part of the same SharePoint farm).
The most common resolution to this is to set up an external federated trusted identity provider (such as ADFS) and have each of your web applications trust it. Then you can configure your federated identity provider to authenticate against your forms provider.
Here's some more detailed info about how the authentication structure in SharePoint works and how you can develop against it: http://msdn.microsoft.com/en-us/library/gg430136.aspx
is it possible to configure federated trust without using ADFS. This article "Claims-Based Single Sign-On for Microsoft SharePoint 2010" link walks you through an example of integrating two web applications into a sso environment for intranet and extranet web users. The article describes how to configure a New-SPTrustedIdentityTokenIssuer where you can add ProviderRealms to SPTrustedIdentityTokenIssuer. In our scenario we set -SignInUrl https://division.corp.com/_layouts/fba/fbalogin.aspx. But I cant find out how to configure the section federatedAuthentication.