WSS and OpenID - SharePoint

I have configured WSS with OpenID to enable FBA authentication. I have added a custom login page. I'm able to authenticate using the OpenID account; however, when I return to the default.aspx page I get the 'Access Denied' page.
The question is: how can I tell WSS to allow OpenID authentication into the web application?
I have used the DotNetOpenId library.

I haven't integrated with WSS myself, but assuming you have it in FormsAuthentication mode, then the only other thing I think that could be blocking you would be that while you are logging the user in (with SetAuthCookie or RedirectFromLoginPage) you need to pass in the roles the user belongs to. If WSS is rigged to only invite users in the "WebUser" role, for example, be sure to pass that into the login methods.
You can find out what roles are required and what your Authentication mode is from inspecting your WSS site's web.config file.

If you are using FBA you can add the OpenID account as an FBA account. You can easily do this by using a custom login page. Here is a sample: http://blog.xsolon.net/Posts/sharepointopenid.aspx

Related

Custom login form for Azure webapp with SAML authentication

We are currently developing a new web app with Azure B2C as IDP. The authentication method is SAML 2.0, and everything is working well. But when a user wants to log in, the web app redirects the user to the Microsoft login form. Is it possible to use our custom login form?
I know there are some possibilities to rebrand the login form, like the logo and background, but it still has the Microsoft look and feel. I tried to create a user flow in Azure B2C, but I don't have the option to choose SAML as the authentication method.
No.
This is standard across all Microsoft security products e.g. ADFS.
You always have to use the Microsoft login screen.

Azure Active Directory and Federated Authentication

We're using Azure Active Directory with Federated Authentication. This is working without a problem - but we need the ability to have users sign in with credentials other than their logged in Windows credentials.
What happens right now is
User navigates to our web app and the Azure ADAL for JavaScript attempts to log in
The user is redirected to https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=xxxx&redirect_uri=xxxx&client-request-id=xxxx&x-client-SKU=Js&x-client-Ver=1.0.2&nonce=xxxx
The user is presented with a username and password box.
Upon entering the username (even if it is someone else's username) (as soon as focus is lost from the username textbox), the page shows
"It looks like this email is used with more than one account from Microsoft. Which one do you want to use? Work or school account - Assigned by your work or school"
Upon clicking "Work or school account", the user is presented with
Redirecting We're taking you to your organization's sign-in page.
The page redirects to the url
https://ds1.mydomain.com/adfs/ls/auth/integrated/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1
The user is automatically logged in using their active Windows credentials (even if they entered a different username on the previous page).
If I navigate to the URL https://ds1.mydomain.com/adfs/ls/auth/integrated/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1 using a Windows session with a non-domain (local) account, I get a standard Integrated Authentication prompt
So - it seems like our ADFS server is using Integrated Windows Authentication on an IIS Website.
My question is: how can I allow the user to log in as a different domain user for the web app? Is there a special ADFS login URL I can use? And if so, how do I tell the Azure app to use that URL? Or is there a way to disable Integrated Authentication in some other way, on demand?
Thank you.
UPDATE:
I see that if I point the ADFS URL to the basic auth endpoint
https://ds1.mydomain.com/adfs/ls/auth/basic/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1
I am prompted for basic authentication (exactly what I want)...so how do I tell my Azure AD or Azure AD App what login URL to use? And how can I control it conditionally?
You would need to either remove AD FS from the Local Intranet zone on the relevant machines so they prompt, or better, look into the User Agent based targeting in AD FS and configure those machines to send a User Agent that triggers Forms Based AuthN.
Have a look at https://technet.microsoft.com/en-us/library/dn727110.aspx for more info on this.
Answer is actually pretty simple (with some help from Fiddler):
Add &prompt=login to the query string generated by the ADAL JavaScript when redirecting to login.microsoftonline.com. This causes the MS portal to redirect to the ADFS Forms Auth URL instead of the one using integrated security.

Authenticate the "same user" using either NTLM or FBA

SharePoint 2010: authenticate the same user using either NTLM or FBA
I have been struggling for weeks now trying to achieve the following :
1- Authenticate user Foo using NTLM (windows authentication) on a SharePoint 2010 web site.
2- Authenticate the same user Foo using FBA and a custom membership provider.
The problem I am facing is that when user Foo is authenticated through NTLM he gets one profile with some permissions, and when logging in through FBA, he gets another profile with different permissions.
Is there a way to have my user Foo seen as one single user, even though he is authenticated by different authentication mechanisms (NTLM or FBA)?
The business need is the following: I want user Foo to be able to log in automatically through NTLM when he connects using IE. The same user should be able to log in through FBA if he is using an iPad, for example (we detect the device and redirect the user to the FBA login page instead of NTLM).
Thanks in advance for your help.
Laurent
I think you can follow some steps like the ones below.
Create a User Profile Service application.
Create a custom column to indicate permissions.
When a user logs in, just check the permission in the User Profile Service application.
You can import other user properties from NTLM or FBA into the User Profile application.

Issue with Sign In As Different User in Claim Based SharePoint 2010 Site with ADFS 2.0

We have a SharePoint 2010 Web Site with Claim based Authentication configured with ADFS 2.0.
We have customized the SignOut option in Welcome.ascx to point the SignOut link to the ADFS SignOut URL,
i.e. https://myadfsserver/adfs/ls/?wa=wsignoutcleanup1.0, which takes care of signing the user out from all relying parties. But if for some reason a complete sign-out was not done, and the user tries to browse a site he does not have access to, the user is redirected to SharePoint's OOB AccessDenied.aspx page.
This page provides a link for the user to sign in as a different user, but for some reason clicking on this link does not take the user to the ADFS sign-in page; instead it takes the user back to the same AccessDenied page. Can somebody tell me how I get this "sign in as different user" functionality working?
SharePoint creates a cookie that is stored on the local disk and you have to force it to use a session based cookie.
http://www.shailensukul.com/2010/05/adfs-2-sharepoint-2010-signout.html

SharePoint login

How can I let non-domain users log in to my SharePoint site (which is on the internet) with a username/password? I am using SharePoint 2010 Foundation. Can I authenticate them via Active Directory?
If you want to continue to use Active Directory, you will need to give an AD account to these users. Otherwise, SharePoint also supports Forms Based Authentication and SAML token-based authentication.
Note that these authentication methods are not mutually exclusive. You can use any combination of authentication methods supported by the authentication mode of the Web Application (SAML token-based authentication is only supported when your Web Application is in Claims Based mode).
For more information, see Plan authentication methods.
You can use Forms Based Authentication.
Reference: http://blog.morg.nl/2011/08/step-by-step-forms-based-authentication-fba-on-sharepoint-2010/