I have a new OpenSearch instance with SAML enabled. I also have the internal user database and basic auth enabled.
My users can log in with SAML as expected - all good. But how do my lambdas authenticate? I was expecting to use username and password as follows:
https://user:password#domain
but this redirects to my SAML IdP as if I hadn't provided a password. What am I missing?
I've checked that both saml_auth_domain and basic_internal_auth_domain authentication methods are enabled.
Related
I have been trying to implement 2fa using OTP. Till now i am successful doing it via browser flow using keycloak interface to login. Keycloak provides an API to give the access token after passing username, password & client-secret,
i.e. http://localhost:8080/realms/SpringBootKeycloak/protocol/openid-connect/token
Is there any any external api available to trigger my custom flow of sending OTP and verifying it, if not how can i implement this?
Keycloak doesn't provide any API to verify the OTP.
Keycloak provides an API to give the access token after passing username,
password & client-secret
Most likely you're talking here about Resource owner password credentials grant (Direct Access Grant).
The latest OAuth 2.0 Security Best Current Practice spec actually recommends against using the Password grant entirely, and it is being removed in the OAuth 2.1 update. (source).
Unless you have more specific requirements rather than just login and OTP, I'd recommend you to use a regular authorization code flow instead as a default way of authorization. Using this flow you'd be redirected to Keycloak login page and configure OTP to be displayed there without using Keycloak APIs.
I am trying to integrate OKTA as service provider to provide access to the custom application for external customers.
External Users login to enterprise Idp to access the custom application
After successful authentication IDP triggers the IDP-Initiated flow and submits the SAML response to OKTA
OKTA checks for the external user information in the SAML assertion and sends these details to Custom API application to identify the user
If the user is found, the API returns the required information to OKTA
OKTA will initiate the PKCE flow to provide access to the custom application
I was success in configuring the OKTA and external customer IDP. But, Can anyone knows how OKTA will call the custom API application to identify the user information? Also, how to configure the redirect URL?
unfortunately I don't have an answer to your question as we use PingFederate but I was curious as to how you setup Okta (as the SP) to accommodate the IdP-Initiated call, without having to call back into the IdP for authentication? I ask because, as the IdP, we are calling Okta (as the SP) and the SAML response but the vendor is stating they cannot setup Okta without the IdP URL to call back into to have us, the IdP, authenticate the user. Seems your setup works how we believe it should so wanted to get more details about this.
I have an ASP.NET Web API (v4, specifically) application that currently authenticates using Forms authentication (through a SQL membership provider (i.e. using aspnet_Membership, aspnet_Users tables and all that)). It's basically the backend API hub for a bunch of other applications.
Alongside that, I have a third-party application, SP (for service provider), which supports SSO and single logout using SAML. My goal is to set up a SAML identity provider that can receive a SAML single logout request, which would in turn send a logout response to SP.
I started out looking at Auth0 to achieve this, but I am confused about what role Auth0 would actually play as the identity provider since all of my user creds are stored in my own database. Is there some way I can supply Auth0 (or any of these identity providers) with my user creds store for it to authenticate my users? Or is this not desirable/possible and I need to make my existing app to be the SAML identity provider?
To use SAML in your client application, you need a SAML stack.
So you could add the stack and it would be self-contained.
Both identityserver and Auth0 can use a SQL DB as the authentication store. They both support the SAML protocol.
Once you have done the SAML configuration, you just need e.g. a login screen where the users decides local authentication or SAML authentication (this invokes the IDP and that would do the SAML side for you).
I am developing some RESTful services for our mobile app using Spring Boot. I succesfully implemented Oauth2 authentication with our registration using username and password. Users can authenticate by using username and password. Also our client want to be authenticated with their custom token. They have a web service that you send token and response is true or false.
My first thought was, I can write a service like /custom-login and that service accepts custom token. In my service I can check this token with external service and if it is valid I call oauth2 authentication and return oauth2 authentication response.
How can I implement custom authentication oauth2 ?
OAuth2.0 spec allows for custom grant types,
So your auth server can create an custom grant type,
for eg: let's assume your wanted to authenticate with Google using Google access token, so you will create new grant_type called google_token
So now when your users wanted to authenticate using Google access token , they will pass like
grant_type=google_token&client_id=clientId&client_secret=secret&google_token=google-access-token
Then your auth server can verify the access token with Google and optionally verify client is issued to, etc and once verified , it can return your own access token
This applies for third party auth severs, so you can create number of custom grant types
I had a requirement to implement spring security saml implementation.
And I want to connect to IDP(Identity Provider) to authenticate without using IDp's login page. In my case, I want to use Service Provider (login page)..
Is this possible? If yes how to achieve this?
You can try with WSO2IS with request path authenticators which validates user credentials comes from SP login request. If you take SAML2 SSO scenario, SP can send SAML2 Auth request using POST binding to IDP. In the same request SP can send the end user's credentials that is retrieved from the login page of SP application. Then you would not see the login page in IDP and credential are retrieved from auth request and validates with IDP's user store. If success SAML2 response is generated. You can take help from this link.
This is not really a good idea since by definition, the service provider is not supposed to authenticate users, that is the IDP's responsibility.
If you are concerned about branding.. you may be able to request the IDP to personalise their login page if your SP has requested authentication although it is slightly unlikely that they will agree to this.