Please help us on below issues-
We are not able to perform Sigle Signout between our apps -
Angular 13 application (implicit flow) [angular-oauth2-oidc package]
Dot Net Framework Asp.Net MVC application (authorization_code) [Frontend Channel Logout package]
Issue 1:
When sessionChecksEnabled set to true facing continuous session_changed events even no session is changed.
Issue 2
After Logout from angular application, the MVC Frontend Channel Logout URI get Hit and but it is not logging out the application. The session remain valid
Identity Server Startup.cs
Related
I currently have an identity server 4 instance running on my local pc. I have followed the examples (http://docs.identityserver.io/en/latest/quickstarts/1_client_credentials.html#calling-the-api) and have my MVC 5 client set up to redirect to IdentityServer 4. It is working with the Azure Active Directory. I added custom scopes and claims for the MVC 5 client so that MVC 5 client checks the user claims to see if they have permission to perform an action or see a piece of the UI.
I want my MVC 5 client to talk to a Web API. I know this can be done using the client auth flow by passing client + secret (http://docs.identityserver.io/en/latest/topics/grant_types.html#interactive-clients). However I would like to still protect the API by user claims and not the client claims.
I'm not sure if what I am doing is classified as an interactive client (http://docs.identityserver.io/en/latest/topics/grant_types.html#interactive-clients).
I'm finding googling for resources hard, because I'm not sure if there is a name for the flow (if it exists). Any help or reference documents would be great!
How would I call Identity Server 4 for a token to access the API from the MVC 5 client on behave of the user?
I have configured WSO2 Identity Server as IDP and have two applications configured as SP. All working fine, except few things:
when I logged out from one application, another application don't see, that I was logged out
when I login into one application, another application don't see, that I was logged in
IMHO, there is main principles of SSO and SLO.
When I check SecurityContextHolder.getContext().getAuthentication() there is no changes after logout or login in another app.
Maybe I should call WSO2 page /samlsso before every load url?
What can I do wrong? How to retrieve from another app, that user logged out/logged in?
EDIT:
For example, WSO2 API Manager Store have such mechanism:
when I logged out from my application and reload Store page, then going redirection to main not logged page in Store. Same with login.
UPDATE:
I found problem in class org.springframework.security.saml.websso.SingleLogoutProfileImpl. When logout request is coming from WSO2 IS, than objects Authentication and SAMLCredential are nulls and error No user is logged in is occured, but for real user still logged in in Spring SAML application.
Same discussion was here, but with no effect :\
You have to verify whether both apps are calling Identity Server (IS) using the same host name. E.g. https://is.blahblah.com/samlsso.
IS session is based on cookies ('commonAuthId' and 'samlssoTokenId' cookies to be specific). If apps are calling IS using two different host names, there will be two different sessions created at the IS side. For SSO and SLO to happen both apps must share a single IS session.
We are using travelocity.com and avis.com web app for test SAML2 sso. You can found the more details here[1]. Further you can checked this documentation[2] Registering the two service providers in the Identity Server and followed the 1 to 8 steps.
[1] https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0
[2] https://docs.wso2.com/display/IS500/Customizing+Login+Pages
I am building a Spring-MVC-Hibernate back-end with dozens of RESTful web-services. The front-end will probably be an HTML5, CSS3, and JQuery web-app that utilizes back-end web-services I am developing.
We have an OpenAM 10.x SSO system on a Tomcat server, and we want to us that for authentication, no authorization rules are here or groups. All the documentation I have seen has been with an unknown version of OpenAM and Spring Security 3. We have OpenAM 10.x with no known time to upgrade to the latest OpenAM. We plan on using Spring Security 4.0.3, which is the latest at this time.
1) One way we can do this is to establish a Circle Of Trust, and then establish an IDP and a SP, and then we'll have a URL in order to do Federated SSO. I believe this is how our front-end will get authentication and get a token returned to the front-end and may be stored as a cookie.
2) Another way I have seen this done is to simply call the OpenAM restful api, pass in username and password and get a token. That token will then be used to pass into the back-end RESTful api's for security.
We will definitely be using Spring Security for Users, Roles, and Permissions (authorization), so can we do this? Use Spring Security 4.0.3 for users, roles, and permissions, but use OpenAM for authentication???
Any information would be very helpful. Thanks!
We've been doing something similar with one of our applications. We started by using OpenAM 12 and we're now using OpenAM 13 SNAPSHOT.
We've been integrating using OpenID Connect though, not SAML.
This was a good starting point for us: https://github.com/fromi/spring-google-openidconnect.
We used the default header/basic scheme in OAuth2ProtectedResourceDetails as opposed to form as in the sample.
On OpenAM, you'll have to configure OpenID Connect Provider.
Steps in OpenAM 13:
Login as amAdmin.
Select the realm.
The landing page (Dashboard/Realm Overview) will list common tasks.
Choose Configure 'OAuth Provider', then 'Configure OpenID Connect'.
Choose default values and click create.
Then you'll have to add an agent/client.
Steps in OpenAM 13:
From within the realm configuration page, choose agents.
Select OAuth 2.0/OpenID Connect Client.
Click on new button, enter client_id and client_secret values and create the agent.
Click on the newly created agent to further configure parameters such as redirect_uri, scopes etc.
If you cannot chose OpenAM 12 or 13 and are stuck with OpenAM 10, this information may not be useful.
We are building a SPA application using Durandal and we are authenticating the users via Windows ACS in Windows Azure.
We currently have a problem with users who leaves their applications open for a long time. When they come back, the ACS token is expired and the application won't redirect to the ACS login (since it is a SPA application).
Is there a good way to detect on the client side when the Windows ACS session times out?
I don't know Durandal, but I know all Ajax calls feature (optional) error handlers in which you can test whether the server status code is 401 or 403.
(that's usually the case when the user tries to access a secure resource when he is not authenticated).
All you have to do is redirect the user to ACS with the correct parameters when this happens.
I am working on a Windows Phone 8 app and a ASP.NET MVC 5 website and each of these will access a WebApi service (WebApi 2). The website and WebApi are based on the templates provided by VS2013 RTM and have been setup using the "Individual Account" authentication option available in the project template.
The template sets up the WebApi project to enable bearer tokens, application cookies and external login cookies, etc, and the exposed actions have the Authorize attribute on them.
My two questions are:
1) If I were to use Azure Mobile Services to authenticate a user using Google/Twitter on the WP8 application how can I get the WebApi to allow the authenticated user to access the actions?
2) Same as #1, but from a ASP.NET MVC 5 website perspective?
From I what I can see it would appear that each request requires a bearer token. To get this token would I be correct in thinking that I would access the "token" endpoint exposed by the WebApi to get the token and that would need to be passed with each request?
For 1, you can use azure mobile service WP8 sdk to launch a browser control to authorize user from external site. The code should be similar with WebAuthenticationBroker in windows store app.
For 2, the web api template with individual auth is using an implicit flow in OAuth 2.0 to return the application access token back to client. In MVC app, you can redirect user to
http://<web api domain address>/api/account/externallogin?provider=Facebook&redirect_uri=<your callback url in MVC app>&response_type=token&client_id=mvc.
And in your MVC view, you need to use javascript to get access token from url fragment, which won't be sent to server. In your web api server, you need to allow the client id and the callback url in ApplicationOAuthProvider.
For both 1 and 2, you are not using token endpoint to get the token. You are using the authorize endpoint to get token by implicit flow.