We currently have an ASP.NET web application (Framework 4.5) using Forms-based authentication. A few of our clients are asking for integration with their applications and do not want to have separate login accounts.

What would be the best way to implement this? The solution should be able to validate against different identity providers.

A consultant has suggested converting the current web app to be claims-aware, but I am not sure how to proceed with it or where to start.

Thanks for all your help.

a.f
  • Read the doc yet? https://learn.microsoft.com/en-us/aspnet/core/security/authorization/claims (may only be suitable for .NET Core applications) – Meikel Jan 22 '18 at 22:21
  • Thanks for the link. Our app still uses Web Forms though, so it may not be applicable. – a.f Jan 22 '18 at 23:53
  • Are all other apps web apps or some are desktop/winforms/wpf apps? – Sunil Jan 23 '18 at 02:05
  • Mix of web and desktop apps. Ideally the solution should be able to support both. – a.f Jan 23 '18 at 03:59
  • This might meet your requirement: http://docs.identityserver.io/en/release/ – Ehasanul Hoque Jan 23 '18 at 04:20
  • The consultant is right, though it's not very useful info. The new security model is called 'claims'. Somehow I don't think this is going to be a simple rewrite. I'm guessing you're going to have to rewrite using the new claims security, and make your 'forms authorisation' feed into it. In other words, you won't use forms authentication anymore, you'll use claims. And a login screen that looks like forms authentication will just happen to feed into it... that's my theory – Nick.Mc Jan 23 '18 at 04:32
  • Here's a similar question: https://stackoverflow.com/questions/36078322/how-to-migrate-from-forms-authentication-to-asp-net-identity which says much the same thing: migrate to claims (somehow) and add your custom (user/pass in a database) authentication to that – Nick.Mc Jan 23 '18 at 04:35
  • This might be what you're after: https://learn.microsoft.com/en-us/dotnet/framework/security/claims-aware-aspnet-app-forms-authentication – Nick.Mc Jan 23 '18 at 04:35

1 Answer

Making an application claims-aware implies adding support for one of:

  • WS-Federation
  • SAML 2.0
  • OpenID Connect / OAuth

This then enables the application to talk to an IDP for SSO e.g. ADFS, Azure AD, identityserver, Auth0.

In the Microsoft world, web apps use the OWIN NuGet packages for WS-Fed (WIF) or OIDC. For SAML, look here.

Desktop apps use ADAL or the later version MSAL.

ADFS e.g. only authenticates against AD. If you want to authenticate against a DB as well, you federate ADFS with e.g. identityserver or Auth0 both of which have that ability.

rbrayb
  • Thank you @nzpcmad. What would be the advantage of using ADFS as IDP? Why not use IdentityServer/Auth0 directly? I'm trying to figure out what would be the best solution architecture moving forward. We currently do not have Active Directory and would only require the claims-based login for certain users. – a.f Jan 25 '18 at 06:09
  • It depends on your use case. Does the IDP have to be on-premises? Are you a Microsoft shop with SharePoint, O365, Azure, CRM Dynamics? Do you want support? Do you have ADFS already? They all do the same thing. ADFS integrates with all Microsoft products. identityserver is free. Auth0 is SaaS. – rbrayb Jan 25 '18 at 18:03
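
An added example (not part of the answer above) of the OWIN approach it describes: one ASP.NET 4.5 application registering an OpenID Connect provider and a WS-Federation provider side by side, with a local cookie replacing the Forms authentication ticket. It assumes the Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.Cookies, Microsoft.Owin.Security.OpenIdConnect and Microsoft.Owin.Security.WsFederation packages; all host names, the client id, the scheme names and the `SignInWith` helper are hypothetical.

```csharp
// Added example: hosts, client id and scheme names are constructed placeholders.
// Assumes <authentication mode="None" /> in Web.config so Forms auth does not intercept the 401 challenge.
using System.Web;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(ExampleApp.Startup))]
namespace ExampleApp
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // The app's own session cookie, issued once an IdP has vouched for the user.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions { CookieSecure = CookieSecureOption.Always });
            // Client A signs in through an OpenID Connect provider.
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = "client-a-oidc",
                AuthenticationMode = AuthenticationMode.Passive, // act only when challenged by name
                Authority = "https://idp.client-a.example",
                ClientId = "example-client-id",
                RedirectUri = "https://app.example/signin-client-a",
                CallbackPath = new PathString("/signin-client-a"),
                ResponseType = "id_token"
            });
            // Client B signs in through a WS-Federation provider such as ADFS.
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                AuthenticationType = "client-b-wsfed",
                AuthenticationMode = AuthenticationMode.Passive,
                MetadataAddress = "https://adfs.client-b.example/FederationMetadata/2007-06/FederationMetadata.xml",
                Wtrealm = "https://app.example/",
                Wreply = "https://app.example/signin-client-b",
                CallbackPath = new PathString("/signin-client-b")
            });
        }
        // Hypothetical helper: call from the login page once the user's organisation is known.
        public static void SignInWith(HttpContext context, string scheme)
        {
            context.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, scheme);
        }
    }
}
```

Both middlewares run in passive mode with separate callback paths, so each validates only the tokens from its own provider and only an explicit challenge naming a scheme sends the user to that IdP.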