How to access the subject element from the SAML request URL? - websphere

I would like to access the query parameter from the SAML request in IBM ISAM. How can I access that parameter? Any suggestions are appreciated.
Is it done from LOGIN.html or from the access policy?
As of now, I have not done anything, as my dev environment is not working.

Related

Passing and retrieving RelayState in SP initiated SSO with Okta IDP

I am trying to pass a URL as RelayState in the SAML request from the SP to the IdP so that I get it back once the authentication is complete. But I am not able to figure out how to do so. I am using sustainsys.saml2 for the SAML configuration in my ASP.NET WebApi application.
Question 1: Currently, I have a URL something like this: http://example.com/tmwebapi/saml2/signin?http://www.okta.com/hgdhsg324234jhsdf. When I enter this in the address bar, it redirects me to the IdP interface. How do I pass the RelayState here?
Question 2: Once the RelayState is passed successfully, I want to be able to extract it in the ACS endpoint. How can I do that?
Please let me know if any other information is required.
Thanks in advance.
Using the /Saml2/Signin endpoint it is not possible to preserve custom information across the authentication call. You can preserve a return URL by adding a ReturnUrl parameter to the query string.
If you use the API instead, you can put any state you want to preserve in the AuthenticationProperties dictionary. It will then be available after the authentication is completed. This is how the ReturnUrl is implemented.

Can stormpath access token be deleted without knowing the secret api key?

I am able to delete a Stormpath user access token (using the access token href) with a REST client without passing in an Authorization header. Is this intended behaviour?
Sorry for asking this one. It seems my REST client was caching the authentication headers; Stormpath seems to be working as intended.

Spring Security to Validate login RestAPI

I know this question has been asked many times, but I did not get the answer that I require.
I want a link that can help me create a Spring Security setup in which I do not want login form validation.
It should be done by a login REST API. I just hit a URL like
http://localhost:8080/login
with a POST request containing username and password, and it returns a JSON response with a success or failure status.
If successful, I would be able to hit the secure API requests.
I have been using Spring and Spring Security for one and a half years. To develop REST APIs with Spring Security I use the technique below for user authentication.
Follow the steps below:
Allow access to http://localhost:8080/login for all users.
The user will pass username and password in the body.
Authenticate the user against the database entry.
Create an access token and send it back in the response.
Using this access token, the user will interact with the secure API.
I will provide source code if you need it.
I suggest you try Basic Authentication. I believe REST services are a mutual contract between the consumer and the provider, so redesign your service to accept the basic auth header. Your client needs to pass the base64-encoded value of username:password; your service should get the header value and decode it to get the original data back, then check it against your backend storage (LDAP or DB).
More about basic authentication: BasicAuthentication
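The steps above (credential check against a store, token issuance, token check on the secure API) as an added, self-contained Python example; this is not code from the answer or from Spring Security. The user record, the password and the HMAC signing key are constructed here, and the token format (base64 JSON claims plus an HMAC-SHA256 tag) is an assumption of the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Constructed sample data: a per-process signing key and one user with a PBKDF2 hash.
SERVER_KEY = os.urandom(32)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"s3cret!", _SALT, 200_000))}
TOKEN_TTL = 3600  # seconds


def login(username, password, now=None):
    """Steps 2-4: verify the credentials against the store and issue a signed access token."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    if not hmac.compare_digest(candidate, stored):  # constant-time comparison
        return None
    now = time.time() if now is None else now
    payload = json.dumps({"sub": username, "exp": int(now + TOKEN_TTL)}).encode()
    tag = hmac.new(SERVER_KEY, payload, "sha256").digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_token(token, now=None):
    """Step 5: accept only tokens with a valid tag that have not expired; return the user or None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, "sha256").digest()
    if not hmac.compare_digest(tag, expected):  # check the tag before trusting the claims
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    return None if claims["exp"] <= now else claims["sub"]


def authorize_request(headers, now=None):
    """Pull the bearer token out of the Authorization header of a secure API request."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(auth[len("Bearer "):], now)
```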

Laravel: API with OAuth 2.0

I am currently developing an API that I plan to secure using OAuth 2.
I have chosen: https://github.com/lucadegasperi/oauth2-server-laravel/
I have managed to secure the endpoint (using before=>oauth in my API routes) by following the installation guide, but I am at a loss as to how I am going to be able to authenticate and access the endpoint.
I do understand that you will first need to request an access_token by sending a client_id and client_secret, but what I don't get is where I set those on the OAuth server.
I see the OAuth controller has endpoints for these, like:
http://somedomain.com/oauth/authorize
http://somedomain.com/oauth/access_token
But I am clueless about what to do with them. I only managed to arrive at the conclusion that it needs a client_id, a client_secret, and stuff about scopes.
Where can I set these values for the API client to use?
Thank you for your help in advance.
I don't know Laravel, but in general, the authorization endpoint (in your case, http://somedomain.com/oauth/authorize) behaves as described in RFC 6749.
The specification defines four flows. If you use Authorization Code Flow among the flows, you should access the authorization endpoint with the following request parameters.
response_type=code (required)
client_id={your-client-id} (required)
scope={space-delimited-scope-names} (optional)
redirect_uri={your-redirect-uri} (conditionally optional)
state={any-arbitrary-string} (optional)
For example,
http://somedomain.com/oauth/authorize?response_type=code&client_id=your-client-id&scope=profile+email
The authorization endpoint generates an authorization code and returns it to your browser.
The next step is to access the token endpoint (in your case, http://somedomain.com/oauth/access_token) with the authorization code which has been issued by the authorization endpoint. Like this:
POST
http://somedomain.com/oauth/access_token?grant_type=authorization_code&code=issued-authorization-code&client_id=your-client-id&client_secret=your-client-secret
Anyway, I recommend you read RFC 6749.
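The client side of the Authorization Code flow described in the answer, as an added Python example that is not part of the answer or of the Laravel package. It builds the authorization request with a random state, checks that state when the browser comes back with the code, and prepares the token request; the endpoint URLs, client credentials and redirect URI are placeholders. RFC 6749 section 4.1.3 specifies the token request parameters in a form-encoded POST body, which is what this example produces.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder endpoints and client registration (assumed values, not real ones).
AUTHORIZE_URL = "http://somedomain.com/oauth/authorize"
TOKEN_URL = "http://somedomain.com/oauth/access_token"
CLIENT_ID = "your-client-id"
CLIENT_SECRET = "your-client-secret"
REDIRECT_URI = "http://client.example/callback"


def build_authorization_url(scopes, state=None):
    """Step 1: the URL the browser is sent to; state is a fresh random value kept in the user's session."""
    state = state or secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": " ".join(scopes), "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params), state


def handle_callback(callback_url, expected_state):
    """Step 2: parse the redirect back to the client; return the code, or None if it must be rejected."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query or "code" not in query:
        return None
    state = query.get("state", [None])[0]
    # A missing or foreign state means the code was not requested by this session (CSRF).
    if state is None or not secrets.compare_digest(state.encode(), expected_state.encode()):
        return None
    return query["code"][0]


def build_token_request(code):
    """Step 3: exchange the code for tokens with a form-encoded POST to the token endpoint."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
    return {"method": "POST", "url": TOKEN_URL,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}
```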

Uploading data into IBM Connections with OAuth

We want Socialite (web application name) user data to be uploaded to IBM Connections, into each user's active stream.
It requires a proper OAuth mechanism. To achieve this, we are working on OAuth to get an OAuth token and OAuth secret per IBM Connections user.
We created the AppID, AppKey and AppSecret with the help of the commands mentioned in the IBM documents: http://www-10.lotus.com/ldd/lcwiki.nsf/xpDocViewer.xsp?lookupName=IBM+Connections+4.0+documentation#action=openDocument&res_title=Registering_an_OAuth_client_with_a_provider_ic40&content=pdcontent
Now we need the requestTokenURL, authorizationURL and accessTokenURL to get the access token and access secret per IBM Connections user.
Please advise me.
The authorization URL should be
https://<host>:<port>/oauth2/endpoint/connectionsProvider/authorize
The access token URL should be
https://<host>:<port>/oauth2/endpoint/connectionsProvider/token
OAuth 2.0 doesn't have the request token anymore. There are only two token URIs.
For our test Connections environment the endpoints are
https://connections4.e-office.com/oauth2/endpoint/connectionsProvider/authorize
https://connections4.e-office.com/oauth2/endpoint/connectionsProvider/token
You can find more details here; it's about SmartCloud, but you can find some good information:
http://www-10.lotus.com/ldd/appdevwiki.nsf/xpViewTags.xsp?categoryFilter=OAuth%202.0