*Introduction:*

Suppose you have an ASP.NET web application, or you are about to create
one. One of your major concerns is providing a secure mechanism for
handling user authentication and authorization. With this OIDC SSO Agent
you do not have to implement that yourself: you add the agent to your
ASP.NET web application and it handles the OIDC authentication flow
(redirect to the Identity Provider, authorization-code exchange, ID token
validation, and single logout) on the application's behalf.


*Architecture:*



Steps 2, 3, 7 and 8 in the architecture diagram relate to resolving the current request.


*How to incorporate it into your ASP.NET web application:*

If you plan to use the OIDC SSO Agent, all you have to do is follow the
simple steps below, and you end up with a web application that
authenticates users with your Identity Provider (WSO2 Identity Server).

Let's get started. The process of incorporating OIDC authentication with
WSO2 Identity Server via the OIDC agent can be explained in 6 steps.

   1. Add the agent.dll reference to your ASP.NET web application (you can
   get it from the git repo).

   2. Configure the mandatory properties in your ASP.NET web application's
   web.config file. The table below lists the properties, what they mean,
   and their default values.



Property                        Description                                                          Default value
EnableOIDCSSOLogin              Enable OIDC authentication                                           false
OIDCSSOURL                      SSO URL (the relative path that login controls point at)             oidcsso
OIDC.spName                     Service Provider identifier                                          null
OIDC.ClientId                   Client key generated when the Service Provider was configured        null
                                for OIDC
OIDC.ClientSecret               Client secret generated when the Service Provider was configured     null
                                for OIDC
OIDC.CallBackUrl                Callback URL (must match the redirect URL registered at the IdP)     null
OIDC.GrantType                  Grant type                                                           code
OIDC.AuthorizeEndpoint          Authorization endpoint of the IdP, used to obtain an                 https://localhost:9443/oauth2/authorize
                                authorization code
OIDC.TokenEndpoint              Token endpoint of the IdP, used to exchange the code for tokens      https://localhost:9443/oauth2/token
OIDC.UserInfoEndpoint           UserInfo endpoint of the IdP, used to fetch user details             https://localhost:9443/oauth2/userinfo?schema=openid
OIDC.Scope                      Scope of the request as per the OIDC spec                            openid
OIDC.EnableSLO                  Enable single logout
OIDC.SLOURL                     Single logout URL (the relative path that logout controls point at)  oidclogout
OIDC.EnableIDTokenValidation    Enable ID token validation                                           false
OIDC.PostLogoutRedirectUri      Post-logout redirect URL                                             null
OIDC.SessionIFrameEndpoint      OP session iframe endpoint (OIDC session management)                 null


Below is a sample to demonstrate this step. You can edit the values as
needed:

<appSettings>
   <add key="EnableOIDCSSOLogin" value="true" />
   <add key="OIDCSSOURL" value="oidcsso" />
   <add key="OIDC.spName" value="music-store" />
   <add key="OIDC.ClientId" value="6G4s9GSYLd2USGB9f_Bf7kI6RHka" />
   <add key="OIDC.ClientSecret" value="_gWqRvvxrcxg_rZgraGX4d0fnS4a" />
   <add key="OIDC.CallBackUrl" value="http://localhost:58521/music-store/callback" />
   <add key="OIDC.GrantType" value="code" />
   <add key="OIDC.AuthorizeEndpoint" value="https://localhost:9443/oauth2/authorize" />
   <add key="OIDC.TokenEndpoint" value="https://localhost:9443/oauth2/token" />
   <add key="OIDC.UserInfoEndpoint" value="https://localhost:9443/oauth2/userinfo?schema=openid" />
   <add key="OIDC.Scope" value="openid" />
   <add key="OIDC.IdPEntityId" value="localhost" />
   <add key="OIDC.IdPURL" value="https://localhost:9443/" />
   <add key="OIDC.EnableSLO" value="true" />
   <add key="OIDC.SLOURL" value="oidclogout" />
   <add key="OIDC.EnableIDTokenValidation" value="true" />
   <add key="OIDC.PostLogoutRedirectUri" value="http://localhost:58521/music-store/Default" />
   <add key="OIDC.SessionIFrameEndpoint" value="https://localhost:9443/oidc/checksession" />
 </appSettings>

Three things to watch in this file. OIDC.EnableIDTokenValidation defaults
to false, so set it to true (as above) in any real deployment; without it
the agent accepts whatever ID token arrives at the callback. The http://
callback and post-logout URLs are only acceptable for a local test: the
authorization code and the session cookie travel over them, so use https
for anything reachable from a network. Finally, OIDC.ClientSecret is
stored in clear text in web.config; restrict read access to the file and
consider encrypting the appSettings section with aspnet_regiis -pe.


   3. Next, if you want to validate the ID token signature, you need a
   valid certificate for the IdP's signing key. [Note: it is highly
   recommended to use your own PKCS12 in your production environment.]

For testing purposes you can take wso2carbon.jks from the WSO2 Identity
Server (<IS_HOME>/repository/resources/security/wso2carbon.jks), convert
it to a PKCS12 using the keytool utility, and add the resulting .p12 to
the Local Machine certificate store. The steps below walk through that
process. Keep in mind that wso2carbon.jks holds the IdP's private key and
its password is public knowledge, which is why this is for a local test
only.

   - keytool ships with every Java installation; on Windows it is found
   under C:\Program Files\Java\jre<Version>\bin as keytool.exe.

   - Use the command below to convert wso2carbon.jks to wso2carbon.p12.
   keytool prompts for the source keystore password if you do not pass
   -srcstorepass:

keytool -importkeystore -srckeystore wso2carbon.jks -destkeystore
wso2carbon.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass
[PASSWORD_PKCS12]

   - Then run the Microsoft Management Console (mmc.exe) as administrator,
   choose File -> Add/Remove Snap-in..., select "Certificates", press Add,
   select the "Computer account" radio button, and import wso2carbon.p12
   into the Personal store of the Local Computer.



   4. Register the "FilteringHttpModule" in your ASP.NET web application
   so that it handles the requests related to the OIDC authentication
   mechanism. Like any IHttpModule it is registered in web.config with its
   fully qualified type name and assembly: under system.webServer/modules
   for the IIS integrated pipeline, or under system.web/httpModules for
   classic mode. [Note: the FilteringHttpModule class implements
   IHttpModule. Click here <https://msdn.microsoft.com/library/ms178468.aspx>
   for more information on IHttpModules.]



   5. Add the following code to the Global.asax of your ASP.NET web
   application to enable session access from the agent. The agent's own
   URLs (oidcsso, oidclogout, the callback) have no page handler, so
   without this hook no session would be attached to those requests.


       // Global.asax(.cs): Init runs once per HttpApplication instance.
       // SessionStateBehavior lives in System.Web.SessionState.
       public override void Init()
       {
           MapRequestHandler += EnableSession;
           base.Init();
       }

       // Marks every request as requiring session state, so that
       // HttpContext.Current.Session is available to the FilteringHttpModule
       // even for requests that are not served by a page.
       void EnableSession(object sender, EventArgs e)
       {
           HttpContext.Current.SetSessionStateBehavior(SessionStateBehavior.Required);
       }


   6. Point your application's login and logout controls at the paths the
   agent intercepts. That is, if you have a login link in your web
   application, set its href attribute to "oidcsso"; wherever you have
   logout controls, set it to "oidclogout". The FilteringHttpModule picks
   up requests for these paths and starts the login or logout flow.


[Note: "oidcsso" and "oidclogout" are the values configured under Step 2
for the properties OIDCSSOURL and OIDC.SLOURL respectively; they are also
the default values for those two properties.]




Upon successful completion of the 6 steps above, your ASP.NET web
application is enabled with OIDC authentication.



The $subject has been completed and the component's PR is available at
https://github.com/wso2/samples-is/pull/12

Thanks.
-- 
*Chiran Wijesekara*


*Software Engineering Intern | WSO2*Email: chir...@wso2.com
Mobile: +94712990173web: www.wso2.com

_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
