Azure ACS Alternative for ADFS Mobile Authentication

I use Azure ACS to authenticate my mobile clients against corporate ADFS in my ASP.NET server application. I managed to get it working not only in a web browser, but also in mobile applications (using a web browser to obtain the JWT token, which is then sent to the server to be checked and to generate the application authentication token).

But unfortunately, Azure ACS is ending, so I have to look for an alternative.

Using this article I was able to configure ADFS directly without any external service, and this is a HUGE plus for me, as some clients may have Internet restrictions on their intranet.

The problem starts when you try to implement this for your own clients (Windows WPF, Android and iOS), since I cannot find a solution for these cases.

ADAL for Android and iOS seems to require Windows Server 2012 R2. This is a big limitation, no?

I found a third-party authorization provider, Auth0, but I really want to avoid external services.

Azure B2C authentication also exists, but it has the same external service issue.

Is there a way to implement what I had with Azure ACS directly in ADFS? I need a way to get the JWT token (or even the SAML2 token) directly from ADFS.

2 answers

I created my own solution for my needs. I basically implemented a flow similar to the ACS flow.

The applications load a special login page in a web browser; it redirects the browser to the ADFS sign-in page with a final callback to my web app. There, I hand the token to the application by calling the JavaScript notification, the same way ACS does:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Loading...</title>
    <script type="text/javascript">
        try {
            window.external.notify('@ViewBag.Result');
        } catch (err) {
            alert("Error ACS50021: window.external.notify is not registered.");
        }
    </script>
</head>
<body>
</body>
</html>

Thus, my application does not handle user credentials directly, and I no longer need external services :)

And unlike ACS, I have direct control over the last step, and I can export the token via a redirect to my own URL scheme, which helps with the iOS implementation (with ACS we needed to inject JavaScript into the page in the web view to achieve this).


ACS uses WS-Fed, which uses this sample as the protocol.

Mobile devices use OAuth, so you need ADFS 3.0 (limited support) or ADFS 4.0 (full support plus OpenID Connect).

If you just want ADFS to return a JWT token instead of a SAML token, see this article:

Set-ADFSRelyingPartyTrust -TargetIdentifier 'urn:MyWebApp' -EnableJWT $True

However, this requires ADFS 3.0.

Another way is to use WCF. This uses the active WS-Fed profile, which returns the SAML token from a web service, as described in this article.


Source: https://habr.com/ru/post/1268321/
