
- May 3, 2021
- Digital Team
- 0
Azure AD single sign-on (SSO) integration in .Net core application
What is Single Sign-On (SSO)?
Single sign-on (SSO) is an authentication process that allows a user to sign on with one set of credentials and gain access to multiple applications and services.
From the security perspective, one benefit of single sign-on is that, because it reduces the credentials needed to sign in to multiple services to a single credential, there are fewer credentials to be lost or stolen. In addition, multi-factor authentication (MFA) or two-factor authentication (2FA) is more likely to be enforced to protect that single, powerful credential.
How Does Single Sign-on Work?
Whenever a user signs in to an SSO service, the service creates an authentication token that records that the user has been verified. An authentication token is a piece of digital information stored either in the user's browser or on the SSO service's server.
The SSO service remembers a user only if it stores that user's identity. Most SSO services check the user's credentials against a separate identity management service.
Let us look at how SSO works for Google and its other services. When you try to access Gmail without being authenticated, Google redirects you to a central service hosted at accounts.google.com. There, a sign-in form appears where you enter your user credentials. If authentication succeeds, Google redirects you back to Gmail, where you gain access to your mailbox. After authenticating through this central service, if you head to another service (for example, YouTube), you will see that you are automatically signed in.
Types of SSO
- Federated Identity Management (FIM) - FIM refers to a trust relationship created between two or more domains or identity management systems. Single sign-on is often a feature available within an FIM architecture.
- OAuth (Open Authorization) - An open standard authorization protocol that transfers identification information between apps and encrypts it into machine code.
- OIDC (OpenID Connect) - Sits on top of OAuth 2.0 to add information about the user and enable the SSO process.
- SAML (Security Access Markup Language) - An open standard that encodes text into machine language and enables the exchange of identification information.
- Kerberos - Kerberos is a protocol that enables mutual authentication, so that user and server can verify each other's identity over insecure network connections.
- Smart card authentication - Beyond traditional SSO, there is hardware that can facilitate the same process: physical smart card devices that users plug into their computers. Cryptographic keys on the smart card interact with the computer's software to authenticate the user.
We are going to use ADFS (Active Directory Federation Services), which is a type of Federated Identity Management system and also provides single sign-on capabilities. The steps below use the Azure Active Directory service to implement SSO in ASP.NET Core 5.0.
How to Implement SSO Using Azure AD in an ASP.NET Core Web Application
Before getting into the development, you need the following prerequisites.
- Visual Studio 2019 or Visual Studio Code
- Azure portal account with appropriate rights
- .NET Core SDK 3.1 or above (the latest version is recommended)
- VS 2019: https://visualstudio.microsoft.com/vs/
- VS Code: https://code.visualstudio.com/
- .NET Core SDK: https://dotnet.microsoft.com/download
Setting up your App in Azure AD
Since you will already know how to create an ASP.NET/MVC application using Visual Studio, I am not going to cover that here.
- Log in to the Azure portal with your account; make sure the account has administrator permission
- Select Azure AD from the Azure services menu, or use the search box to find the Azure AD service
- Under Manage, select App registrations > New registration
- Enter the name of your project and, under Supported account types, select “Account in this organization only”
- Enter the Redirect URL as “https://localhost:44321/signin-oidc”. This URL can be changed later. For local debugging you need to add this URL, so make sure you have entered the right port and path
- Click the Register button to complete the registration
- Upon successful registration, you are redirected to the detail page, where you will find the Tenant ID, Client ID, etc.
- Under Manage, click “Authentication” and, for Front-channel logout URL, enter https://localhost:44321/signout-oidc
- Under Implicit grant and hybrid flows, select ID tokens and hit the Save button
- Open or create a new ASP.NET/MVC project
- Open the appsettings.json file
- Add the following code
- Install the following NuGet packages: Install-Package Microsoft.AspNetCore.Authentication.OpenIdConnect and Install-Package Microsoft.Identity.Web
- Open the Startup.cs file and replace the “ConfigureServices” method with the code below
- Open the Index.cshtml file and enter the code below
- Save all your files, build and run the application, and you are done.
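As an added example (not the post's own code), this Startup.cs wires up the steps above with the two NuGet packages listed: it binds the OpenID Connect handler to an assumed "AzureAd" section in appsettings.json whose keys are shown in the comment with placeholder values, and it applies an authenticated-user policy to every controller so a missing [Authorize] attribute fails closed.

```csharp
// Startup.cs for an ASP.NET Core 5.0 MVC app signing users in with Azure AD over OpenID Connect.
// Assumes appsettings.json contains an "AzureAd" section like this (values are placeholders):
//   "AzureAd": { "Instance": "https://login.microsoftonline.com/", "TenantId": "<tenant-id>",
//                "ClientId": "<client-id>", "CallbackPath": "/signin-oidc" }
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Register the OpenID Connect handler and bind it to the AzureAd section; the handler
        // validates the ID token's signature, issuer, audience and expiry before signing the user in.
        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
        // Require a signed-in user for every controller action unless [AllowAnonymous] is applied.
        services.AddControllersWithViews(options =>
        {
            var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        }).AddMicrosoftIdentityUI(); // adds the /MicrosoftIdentity/Account/SignIn and SignOut pages
        services.AddRazorPages();    // the account pages above are Razor Pages
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment()) app.UseDeveloperExceptionPage();
        app.UseHttpsRedirection(); // the redirect URI registered in Azure AD is https-only
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization so HttpContext.User is populated
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
            endpoints.MapRazorPages();
        });
    }
}
```

The CallbackPath must match the Redirect URL registered in the portal (path and port), and the Front-channel logout URL entered there corresponds to the handler's default remote sign-out path /signout-oidc.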
Conclusion
We just learned how to implement Azure AD authentication in ASP.NET Core 5.0 web applications. Decentralized systems are becoming more common, and authentication is an essential aspect of all of them. SSO solves a big problem: managing the increasing number of users across a whole ecosystem of applications and services. Integrating SSO into your new or existing application is much easier with frameworks such as OpenID Connect or services such as those offered by Auth0. If you are implementing authentication for a new application or service, consider integrating SSO from the get-go.
References
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-core-webapp