Jump to content


  • Content count

  • Joined

  • Last visited

  1. ADFS authentication

    Hi Click Studios, You're right, the website has to be in the Local Intranet zone for the Kerberos token to be passed through. Your suggested solution would indeed help users on domain-joined devices outside of the firewall. What AD FS adds is the same type of SSO experience from non-domain joined devices, e.g. at the customer or in a BYOD scenario. Users still have to go through a (multi-factor) authentication at the AD FS STS website, but afterwards they can seamlessly access any application that federates with that service. Having done some more research (figuring that more people are faced with this problem), I initially couldn't find any good information about workarounds for third party or legacy applications. Of course after posting the question here and almost giving up, I found the right phrase to Google and hit some options that we haven't tried yet. One is the Claims to Windows Token Service, which should be able to convert the AD FS claims into a classic Windows token. That process involves some modifications to the Web.config but should otherwise be transparent to Passwordstate. The second is a little more 'Enterprisy' and involves creating something called a Web Application Proxy, which I guess does approximately the same trick. References: - Claims to Windows Token Service: http://www.theidentityguy.com/articles/2010/10/15/access-owa-with-adfs.html - Web Application Proxy: http://technet.microsoft.com/en-us/library/dn635116(v=exchg.150).aspx#wap I'll get back to you to let you know if we were successful. Anyway thanks for the help so far. I hope that posting this here will at least help others to find the workarounds that I looked the better part of an hour for. Meanwhile you might still consider implementing WIF support, because it is the future of authentication for the Microsoft ecosystem. Nowadays you can get the Azure AD and Azure ACS (which includes AD FS) for free and that forms the foundation for most (all?) cloud apps like Office 365 and CRM Online. Once users are spoiled by the SSO experience they never want to go back . Cheers, Wouter
  2. ADFS authentication

    Hi Clickstudios, We've been using Passwordstate in our organisation for a couple of years now (since version 4). We like it so much that we now want to share it with our customers, so we can maintain a common set of account information without the hassle of communicating every change at either side manually. Said customers already exist as users in our domain so it's possible to give them access, but here's the thing: the authentication situation is not ideal. You see, we have several other applications that we share with external users and they all hook into Active Directory Federation Services, to provide a very convenient Single Sign On experience. As far as I can tell, Passwordstate currently only supports basic Windows Authentication, which requires visitors from outside the firewall to enter their username and password. Ideally that step should be redundant if they're already signed into the SSO. Besides being easier for the user, another advantage would be that AD FS can handle multi-factor authentication universally according to the domain policies, rather than having to manage a second authentication factor from inside Passwordstate. Being a developer myself I imagine that it would be difficult for Passwordstate to support truly federated identity (i.e. AD FS endpoints from third parties) but it would be really nice to at least offer AD FS as an authentication option for users in the local domain. Those working inside the firewall will hardly notice the difference, but for those outside it means they no longer have to re-type their password and possibly provide another authentication factor - when they're already logged in. With the latest releases of the Windows Identity Framework, it's become really easy to get the basic concept working. Obviously I can't tell how much impact it would have on the rest of your security code, but I hope you can consider this for a future release. References: - Getting identity from AD FS in the most current version of .NET: http://msdn.microsoft.com/en-us/library/hh987037(v=vs.110).aspx - Older method, but explains setting up AD FS, which the first article skips over: http://blogs.msdn.com/b/alextch/archive/2011/06/27/building-a-test-claims-aware-asp-net-application-and-integrating-it-with-adfs-2-0-security-token-service-sts.aspx Cheers from Holland, Wouter