Can't we create a NuGet package out of this?
-Chintana
On Wed, Feb 28, 2018 at 4:24 AM, Chiran Wijesekara <[email protected]> wrote:
> Architecture Diagram is attached below.
>
>
> On Wed, Feb 28, 2018 at 5:45 PM, Chiran Wijesekara <[email protected]>
> wrote:
>
>> *Introduction:*
>>
>> Suppose you have an ASP.NET web application, or you are going to create a
>> new one. One of your major concerns would be to provide a secure mechanism
>> for handling user authentication and authorization. With the introduction
>> of this OIDC SSO Agent, you will never have to worry about that at all.
>> Moreover, you can just incorporate this agent into your ASP.NET web
>> application and it will take care of everything related to the OIDC
>> authentication mechanism.
>>
>>
>> *Architecture:*
>>
>>
>>
>> 2, 3, 7, 8 relate to resolving the current request.
>>
>>
>> *How to incorporate it into your ASP.NET web application?*
>>
>> If you plan to use the OIDC SSO Agent, all you have to do is follow the
>> simple steps below, and then you have a web application that authenticates
>> users with your favourite Identity Provider (WSO2 Identity Server).
>>
>> Let's get started. The process of incorporating SAML authentication with
>> WSO2 Identity Server via the SAML agent can be explained in 6 steps.
>>
>> 1. Add the agent.dll reference to your ASP.NET web application (you can
>> get this from the git repo).
>>
>>
>>
>> 2. Configure the mandatory properties in your ASP.NET web application's
>> web.config file. The following image shows how it looks after adding
>> those properties to your web.config file.
>>
>>
>>
>> Property | Description | Default value
>> --- | --- | ---
>> EnableOIDCSSOLogin | Enable OIDC authentication | false
>> OIDCSSOURL | SSO URL | oidcsso
>> OIDC.spName | Service Provider identifier | null
>> OIDC.ClientId | Client key generated during OIDC configuration for the Service Provider | null
>> OIDC.ClientSecret | Client secret generated during OIDC configuration for the Service Provider | null
>> OIDC.CallBackUrl | Callback URL | null
>> OIDC.GrantType | Grant type | code
>> OIDC.AuthorizeEndpoint | Authorization endpoint of the IdP, used to get an authorization code | https://localhost:9443/oauth2/authorize
>> OIDC.TokenEndpoint | Token endpoint of the IdP, used to receive an access token | https://localhost:9443/oauth2/token
>> OIDC.UserInfoEndpoint | User info endpoint of the IdP, used to fetch user details | https://localhost:9443/oauth2/userinfo?schema=openid
>> OIDC.Scope | Scope of the request as per the OIDC spec | openid
>> OIDC.EnableSLO | Enable single logout |
>> OIDC.SLOURL | Single logout URL | oidclogout
>> OIDC.EnableIDTokenValidation | Enable ID token validation | false
>> OIDC.PostLogoutRedirectUri | Post-logout redirect URL | null
>> OIDC.SessionIFrameEndpoint | OP session iframe endpoint | null
>>
>>
>> Below is a sample to demonstrate this step. You can edit the values as
>> needed:
>>
>> <appSettings>
>>   <add key="EnableOIDCSSOLogin" value="true" />
>>   <add key="OIDCSSOURL" value="oidcsso" />
>>   <add key="OIDC.spName" value="music-store" />
>>   <add key="OIDC.ClientId" value="6G4s9GSYLd2USGB9f_Bf7kI6RHka" />
>>   <add key="OIDC.ClientSecret" value="_gWqRvvxrcxg_rZgraGX4d0fnS4a" />
>>   <add key="OIDC.CallBackUrl" value="http://localhost:58521/music-store/callback" />
>>   <add key="OIDC.GrantType" value="code" />
>>   <add key="OIDC.AuthorizeEndpoint" value="https://localhost:9443/oauth2/authorize" />
>>   <add key="OIDC.TokenEndpoint" value="https://localhost:9443/oauth2/token" />
>>   <add key="OIDC.UserInfoEndpoint" value="https://localhost:9443/oauth2/userinfo?schema=openid" />
>>   <add key="OIDC.Scope" value="openid" />
>>   <add key="OIDC.IdPEntityId" value="localhost" />
>>   <add key="OIDC.IdPURL" value="https://localhost:9443/" />
>>   <add key="OIDC.EnableSLO" value="true" />
>>   <add key="OIDC.SLOURL" value="oidclogout" />
>>   <add key="OIDC.EnableIDTokenValidation" value="true" />
>>   <add key="OIDC.PostLogoutRedirectUri" value="http://localhost:58521/music-store/Default" />
>>   <add key="OIDC.SessionIFrameEndpoint" value="https://localhost:9443/oidc/checksession" />
>> </appSettings>
>>
>>
>> 3. Next, if you want to validate the ID token signature, you need to have
>> a valid certificate. [Note: it is highly recommended to use your own
>> PKCS12 in your production environment.]
>>
>> For testing purposes you can get the wso2carbon.jks from the WSO2
>> Identity Server (<IS_HOME>/repository/resources/security/wso2carbon.jks)
>> and convert it to a PKCS12 using the keytool utility. Then add the .p12 to
>> the Local Machine certificate store. The steps below guide you through the
>> process described above.
>>
>> - You get keytool by default with a Java installation; it can be found
>>   under the directory C:\Program Files\Java\jre<Version>\bin with the
>>   name keytool.exe.
>>
>> - You can use the command below to convert wso2carbon.jks to
>>   wso2carbon.p12:
>>
>>   keytool -importkeystore -srckeystore wso2carbon.jks -destkeystore wso2carbon.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12]
>>
>> - Then run the Microsoft Management Console (i.e. mmc.exe) as
>>   administrator, menu File -> Add/Remove Snap-in..., select
>>   "Certificates", press Add, select the radio button "Computer account",
>>   and then you can install wso2carbon.p12.
>>
>>
>>
>> 4. Register the "FilteringHttpModule" in your ASP.NET web application to
>> handle the requests related to the OIDC authentication mechanism. [Note:
>> the above-mentioned FilteringHttpModule class implements IHttpModule.
>> Click here <https://msdn.microsoft.com/library/ms178468.aspx> for more
>> information on IHttpModules.]
>>
>>
>>
>> 5. Add the following code to the global.asax of your ASP.NET web
>> application to enable session access from the agent.
>>
>> using System;
>> using System.Web;
>> using System.Web.SessionState;
>>
>> // Hook MapRequestHandler so that every request, including the ones the
>> // agent's HttpModule handles, has session state available.
>> public override void Init()
>> {
>>     MapRequestHandler += EnableSession;
>>     base.Init();
>> }
>>
>> void EnableSession(object sender, EventArgs e)
>> {
>>     HttpContext.Current.SetSessionStateBehavior(SessionStateBehavior.Required);
>> }
>>
>>
>> 6. Set your application's login controls to refer to the OIDC-specific
>> segments. That is, suppose you have a login link in your web application.
>> All you have to do is set its href attribute to "oidcsso". And in the
>> places where you have logout controls, it should be "oidclogout".
>>
>> [Note: "oidcsso" and "oidclogout" are the values that were configured under
>> Step No. 2 for the properties OIDCSSOURL and OIDC.SLOURL respectively.
>> However, "oidcsso" and "oidclogout" are also the default values for those
>> two properties.]
>>
>>
>>
>>
>> Upon successful completion of the 6 steps above, your ASP.NET web
>> application is enabled with OIDC authentication.
>>
>>
>>
>> The $subject has been completed and the component's PR is available at
>> https://github.com/wso2/samples-is/pull/12
>>
>> Thanks.
>> --
>> *Chiran Wijesekara*
>> *Software Engineering Intern | WSO2*
>> Email: [email protected]
>> Mobile: +94712990173
>> Web: www.wso2.com
>>
>
>
>
> --
> *Chiran Wijesekara*
> *Software Engineering Intern | WSO2*
> Email: [email protected]
> Mobile: +94712990173
> Web: www.wso2.com
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>
--
Chintana Wilamuna | Director - Solutions Architecture | WSO2
<http://wso2.com/> Inc.
408 429 3321 | https://medium.com/@chintanaw <http://engwar.com/>
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
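An added example, in Python rather than the agent's C#, and not code from the thread or from the samples-is component: the relying-party side of the six steps above, run offline against a constructed IdP response. It builds the authorize request with a fresh state and nonce held in the server-side session (the reason step 5 enables session access), checks the state on the callback URL, and then does the ID token validation that OIDC.EnableIDTokenValidation (default false) switches on: pinned alg, signature, iss, aud/azp, exp and nonce. The client id, client secret and callback URL are the ones from the sample web.config. The issuer string, the use of HS256 with the client secret as signing key (allowed by OIDC Core, and it avoids needing the certificate store), and the mint_id_token stand-in for the token endpoint are assumptions made so that the block runs with the standard library only; real WSO2 Identity Server ID tokens are RS256 and would be verified against the certificate imported in step 3.

```python
"""Added example (not the OIDC SSO Agent's code): relying-party checks for the
authorization code flow, standard library only. ID token is HS256-signed with
the client secret so it runs offline (assumption; WSO2 IS issues RS256)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Values from the sample web.config in the thread; ISSUER is assumed (in
# practice take it from the IdP's discovery document).
ISSUER = "https://localhost:9443/oauth2/token"
AUTHORIZE_ENDPOINT = "https://localhost:9443/oauth2/authorize"
CLIENT_ID = "6G4s9GSYLd2USGB9f_Bf7kI6RHka"
CLIENT_SECRET = "_gWqRvvxrcxg_rZgraGX4d0fnS4a"
CALLBACK_URL = "http://localhost:58521/music-store/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_authorize_url(session: dict) -> str:
    """Mint fresh state and nonce, store them in the server-side session and
    return the URL the browser is redirected to (the 'oidcsso' segment)."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": CALLBACK_URL, "scope": "openid",
              "state": session["oidc_state"], "nonce": session["oidc_nonce"]}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url: str, session: dict) -> str:
    """IdP redirects back with code and state. Drop the callback unless state
    equals the single-use value in this session (blocks login CSRF)."""
    qs = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oidc_state", None)
    got = qs.get("state", [None])[0]
    if expected is None or got is None or not hmac.compare_digest(expected.encode(), got.encode()):
        raise ValueError("state mismatch")
    if "code" not in qs:
        raise ValueError("no authorization code in callback")
    return qs["code"][0]


def validate_id_token(id_token: str, session: dict, now: float = None) -> dict:
    """The checks behind OIDC.EnableIDTokenValidation (OIDC Core 3.1.3.7):
    pinned alg, signature, iss, aud/azp, exp, nonce. Raises ValueError."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ID token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Never honour the alg the token names: rejects "none" and RS/HS confusion.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(CLIENT_SECRET.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp missing or wrong for multi-audience token")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    nonce = session.pop("oidc_nonce", None)  # single use, like state
    if nonce is None or not hmac.compare_digest(nonce.encode(), str(claims.get("nonce", "")).encode()):
        raise ValueError("nonce mismatch (replayed or foreign token)")
    return claims


def mint_id_token(claims: dict, secret: str = CLIENT_SECRET) -> str:
    """Constructed stand-in for the token endpoint's response (offline run)."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def demo() -> dict:
    """Full round trip: authorize request, callback, ID token validation."""
    session = {}
    build_authorize_url(session)
    cb = CALLBACK_URL + "?" + urlencode({"code": "abc123", "state": session["oidc_state"]})
    handle_callback(cb, session)
    now = int(time.time())
    token = mint_id_token({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                           "iat": now, "exp": now + 300, "nonce": session["oidc_nonce"]})
    return validate_id_token(token, session)


if __name__ == "__main__":
    print(demo())
```

Running it prints the validated claims for the happy path; a wrong state, wrong issuer, wrong audience, expired token, reused nonce, wrong signing key or an "alg": "none" header each raise ValueError before any claim is trusted, which is the behaviour the agent needs once OIDC.EnableIDTokenValidation is turned on. Two things the sample web.config above does not cover are worth keeping in mind when copying it: the client secret sits in plain text in appSettings (ASP.NET can encrypt that section with aspnet_regiis), and the callback and post-logout URLs use http://, which a production registration should replace with https.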