I have a Spring application with a login screen that authenticates the credentials the user has entered against users in our Active Directory (using LDAP).
However I'd like to add the capability of SSO, specifically with the Windows credentials that the user entered upon logging into Windows.
I'm aware that since AD uses Kerberos it wouldn't be such a "hard" task to do, and I've found one possible solution as to how to implement it, specifically this guide, with what I want to achieve being on this part of the page.
But honestly I don't seem to be able to understand how to implement it...
I have the following questions:
1) Which parts/classes should I implement for what I actually need, meaning which of the following classes are needed in reality? (AuthProviderConfig, SpnegoConfig, KerberosRestTemplate, KerberosLdapContextSource)
2) If all my users are on a Windows environment, do I really need cached tickets (kinit) or a keytab? In that case application.yml is also not needed, right?
3) What does the AD admin need to do on his side to configure/enable this SSO with Kerberos? (For the login screen adapter that works, I have the domain, URL, rootDn, service user, user search base and service user password in my application properties.)
Based on this thread, specifically on what the highest-scored answer shows, I'm missing only steps 1 and 2 (I suppose?).
If anyone has maybe a better "guide" or tips that I can follow in order to implement this I'm all ears.
In any case thank you for your time and appreciate any feedback you could give me.
I realised a similar task using this tutorial:
https://www.baeldung.com/spring-security-kerberos
You need to modify only WebSecurityConfig extends WebSecurityConfigurerAdapter: add there the SPNEGO filter from point 6.2 of this tutorial and the beans with KerberosAuthenticationProvider. Spring has built-in Kerberos machinery that generates and decrypts SPNEGO tokens itself. In this case, in the filter you should authenticate all paths, but in my case I used Kerberos authentication the first time, and later I used the JWT token that I had implemented before I implemented SSO.
You need a keytab file and a ServicePrincipalName. You can generate it with kinit with a user who has access to users in AD.
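As an added illustration of the answer above (example code written for this page, not the tutorial's own listing and not the poster's project), here is a WebSecurityConfig that wires the SPNEGO filter and the Kerberos service provider from Spring Security Kerberos. The realm, the SPN, the keytab path and the fixed ROLE_USER are assumptions. Two points the questions above ask about: the keytab is needed on the server regardless of what the clients hold, because it stores the service key used to decrypt the ticket the browser presents; and the SPN plus keytab are what the AD admin produces (setspn to register HTTP/host on a service account, ktpass to export its key).

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed values: the realm, the SPN the AD admin registered for this host
    // (setspn) and the keytab exported for that SPN (ktpass). Replace with yours.
    private static final String REALM = "EXAMPLE.COM";
    private static final String SERVICE_PRINCIPAL = "HTTP/app.example.com@" + REALM;
    private static final String KEYTAB_PATH = "/etc/app/app.keytab";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // An unauthenticated request gets 401 + "WWW-Authenticate: Negotiate"; a
            // domain-joined browser replies with a SPNEGO token, anyone else lands on /login.
            .exceptionHandling().authenticationEntryPoint(spnegoEntryPoint())
            .and()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll()
            .and()
            // The existing LDAP form-login provider can stay registered next to this one.
            .authenticationProvider(kerberosServiceAuthenticationProvider())
            .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                             BasicAuthenticationFilter.class);
    }

    @Bean
    public SpnegoEntryPoint spnegoEntryPoint() {
        return new SpnegoEntryPoint("/login");
    }

    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
            org.springframework.security.authentication.AuthenticationManager authenticationManager) {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }

    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(kerberosUserDetailsService());
        return provider;
    }

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
        // Decrypts the service ticket inside the SPNEGO token with the key from the keytab.
        SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
        validator.setServicePrincipal(SERVICE_PRINCIPAL);
        validator.setKeyTab(new FileSystemResource(KEYTAB_PATH));
        return validator;
    }

    @Bean
    public UserDetailsService kerberosUserDetailsService() {
        return principal -> {
            // A validated ticket yields e.g. "alice@EXAMPLE.COM"; refuse foreign realms.
            int at = principal.lastIndexOf('@');
            if (at < 0 || !principal.substring(at + 1).equalsIgnoreCase(REALM)) {
                throw new UsernameNotFoundException("not a " + REALM + " principal: " + principal);
            }
            String account = principal.substring(0, at);
            // Roles are the application's job, not Kerberos'; in a real deployment look
            // them up in the existing LDAP/DB layer keyed on the account name.
            return new User(account, "", AuthorityUtils.createAuthorityList("ROLE_USER"));
        };
    }
}
```

Two things to check when the browser never sends a Negotiate token: the site must be in a zone the browser trusts for integrated authentication (Intranet zone for IE/Edge/Chrome, network.negotiate-auth.trusted-uris for Firefox), and the host name in the URL must match the SPN exactly; accessing the service by IP address or an unregistered alias yields no ticket.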
I found something like this:
https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-configure-single-sign-on-with-kcd
I work for a large company (50K+). Some orgs within the company use OKTA for auth on their servers.
I have a valid user login (via OKTA) for the servers, and can log in through a browser without any issues, but want to access this site programmatically.
How can I log into these websites using my OKTA credentials?
I've found this doc: https://developer.okta.com/docs/reference/api/oidc/#authorize
that details how to use an OKTA endpoint, but it requires some info that I do not have. Namely, nonce, state, and client_id. I have no clue how to get this info.
I've found another endpoint that allows a similar login method, but only requires username and password (I forget the doc that referenced this):
https://<company>.okta.com/api/v1/authn
I am able to successfully authenticate with OKTA using this endpoint, and receive a session_token. Can I take this session_token and apply it to my arbitrary webpage somehow? I can not find any documentation that says so.
At first glance it appears that many of the API endpoints for OKTA require intimate knowledge of the hosted application (and/or are not meant to be accessed programmatically).
Is it possible to log into an arbitrary webpage that uses OKTA for authentication, with only knowledge that an end user would have (username/password/optional MFA)?
Hi, not sure you found the answer yet. From your description I think yours is a web app, which is supposed to use the authorization code flow. Else, you can ask your web developers what authentication flow they use and follow the auth process accordingly.
You need to retrieve the ID token & access token for authentication.
I try to achieve the following behavior with Spring Boot:
When a user wants to log in to my site he can choose from multiple OAuth2 servers (for example Google, Facebook, GitHub, etc.).
He selects an option (for example Google) and logs in with Google OAuth2.
Then my site takes the e-mail address from OAuth2 and loads the user from a database to use as Principal.
So I basically want the Principal to always be the same (read from database) and do not depend on which OAuth2 server the user uses to log in.
To achieve the behavior you're looking for, I would suggest you take a look at PrincipalExtractor; here's a blog post about it.
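An added example of such a PrincipalExtractor (written for this page, not taken from the linked blog post) for Spring Boot 1.5's OAuth2 client support: whichever provider the user came from, the principal placed in the Authentication is the row loaded from the application's own database by e-mail address. The account table and its columns are assumptions. The one check a practitioner should not skip is that the address is verified by the provider before it is used to select a local account; the field names "email", "email_verified" and "verified_email" are what OIDC user-info and Google's older endpoint return, and other providers need their own policy.

```java
import java.util.Map;
import org.springframework.boot.autoconfigure.security.oauth2.resource.PrincipalExtractor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.BadCredentialsException;

@Configuration
public class DatabasePrincipalConfig {

    /** Becomes Authentication#getPrincipal(), whichever provider the user logged in with. */
    public static final class AppUser {
        public final long id;
        public final String email;
        public final String displayName;

        AppUser(long id, String email, String displayName) {
            this.id = id;
            this.email = email;
            this.displayName = displayName;
        }

        @Override
        public String toString() {
            return displayName + " <" + email + ">";
        }
    }

    /**
     * Builds an extractor for one provider. providerAlwaysVerifiesEmail is true only for
     * providers known to return nothing but verified addresses; otherwise the user-info
     * document must carry a positive "email_verified" (OIDC) or "verified_email" flag.
     * Without this, anyone who registers the victim's address at a provider that does not
     * verify it would be logged in as the victim's local account.
     */
    public static PrincipalExtractor forProvider(JdbcTemplate jdbc, boolean providerAlwaysVerifiesEmail) {
        return userInfo -> {
            String email = verifiedEmail(userInfo, providerAlwaysVerifiesEmail);
            // Assumed table: account(id, email, display_name); match case-insensitively.
            AppUser user = jdbc.query(
                "SELECT id, email, display_name FROM account WHERE lower(email) = lower(?)",
                new Object[] { email },
                rs -> rs.next()
                    ? new AppUser(rs.getLong("id"), rs.getString("email"), rs.getString("display_name"))
                    : null);
            if (user == null) {
                // Do not auto-provision here: an unknown address is not an account.
                throw new BadCredentialsException("no local account for " + email);
            }
            return user;
        };
    }

    static String verifiedEmail(Map<String, Object> userInfo, boolean providerAlwaysVerifiesEmail) {
        Object email = userInfo.get("email");
        if (!(email instanceof String) || ((String) email).trim().isEmpty()) {
            throw new BadCredentialsException("provider returned no e-mail address");
        }
        if (!providerAlwaysVerifiesEmail) {
            Object flag = userInfo.containsKey("email_verified")
                ? userInfo.get("email_verified") : userInfo.get("verified_email");
            if (!Boolean.TRUE.equals(flag)) {
                throw new BadCredentialsException("e-mail address not verified by provider");
            }
        }
        return ((String) email).trim();
    }

    @Bean
    public PrincipalExtractor googlePrincipalExtractor(JdbcTemplate jdbc) {
        // Google's user-info carries the verified flag, so require it.
        return forProvider(jdbc, false);
    }
}
```

With several providers, each one gets its own OAuth2ClientAuthenticationProcessingFilter and UserInfoTokenServices; call setPrincipalExtractor(forProvider(jdbc, ...)) on each so the per-provider verification policy travels with the filter. Authorities are a separate hook (AuthoritiesExtractor) and can be loaded from the same table.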
I have an MVC application (.NET Framework 4.5) which has been there for the last three years and uses the Forms Authentication mechanism. This application provides different accounts like Personal, Freebie, Enterprise, etc. For an enterprise account, we are handling everything in the same application, i.e., suppose an enterprise called "xyz" created an enterprise account with the application, then we are providing a custom URL like "https://application/xyz/login" and from the URL we are identifying that enterprise. I don't know the exact reason why they implemented it like this, as I have seen applications that have enterprise accounts created as subdomains (e.g. https://xyz.okta.com). Now the client asked to integrate Okta into this application.
So I looked into Okta and found SAML is the right way to do it, and ended up with KentorIT AuthServices. Initially, I was able to integrate this with a sample MVC application and the authentication part was working fine. With some basic idea about SSO, I have started integrating Kentor AuthServices into my application. The challenges I found in this implementation are:
1) For Enterprise accounts, Okta configuration settings are different for each enterprise and with my current application implementation it is not possible to set them from the web.config. So I have tried to set them from code and I was able to integrate those settings by replacing Configuration.Options.FromConfiguration. I'm planning to store all configuration-related things (Single sign-on URL, Audience URI, Identity Provider Issuer, etc.) in the database so that I can get the information whenever I want, and I'm assuming that the "Identity Provider Issuer" ID is unique for each Okta account. In an IdP-initiated flow, when the user tries to access the application it will redirect to the AuthServices\Acs action method and from that I'm trying to read the configuration settings. From the request, is there any way I can identify from which Okta account the call came (like Identity Provider Issuer)? Currently, I set the "Identity Provider Issuer" value (which I think should be unique per Okta account) in the Default RelayState field under the General SAML settings tab and I was able to retrieve it from the AuthServices\Acs action method. Does it seem to be a good idea? Please advise.
2) The Enterprise accounts are limited based on the number of licenses (say 50). Suppose the Enterprise Okta admin intentionally added 55 users; all those users can successfully authenticate to the application based on the default settings. Is there any way I can handle this scenario? Do I need to keep a record of the list of users that came under a particular enterprise account?
3) From the documents I understand that the Kentor authentication service is only for authentication and the authorization part has to be done by the application itself. The current application implementation consists of a custom authorization attribute which checks for user permissions that are stored in the database. That should stay there as it is and we have to do the authorization based on database permissions. Right?
Expecting your valuable suggestions and please correct me if I'm wrong. Thanks in advance.
Don't use the RelayState for sensitive data unless you cryptographically sign it. It is not protected by any signature when using the POST binding, so the user may manipulate it. To get the issuing idp, check the issuer field of any claim generated by AuthServices instead.
Yes.
Yes, that's the whole idea with Kentor.AuthServices: to plug SAML2 authentication into the security model of .NET to allow you to use any current/traditional authorization setup.
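To make the RelayState approach from question 1 safe in the way the answer describes (sign it, otherwise a user can edit the hidden form field in the POST binding), here is an added example of an HMAC-signed RelayState. It is not Kentor.AuthServices code and is written in Java rather than the application's C#; the construction is the same in any language. The secret, the "tenant=xyz" payload and the five-minute lifetime are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class SignedRelayState {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final SecretKeySpec key;

    /** The secret lives on the SP only; the IdP just echoes RelayState back unchanged. */
    public SignedRelayState(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    /** RelayState = base64url(payload "|" expiry) "." base64url(HMAC-SHA256 over that body). */
    public String create(String payload, long expiresAtEpochSeconds) throws Exception {
        String body = ENC.encodeToString(
            (payload + "|" + expiresAtEpochSeconds).getBytes(StandardCharsets.UTF_8));
        return body + "." + ENC.encodeToString(mac(body));
    }

    /** Returns the payload only if the MAC matches and the expiry has not passed. */
    public Optional<String> verify(String relayState, long nowEpochSeconds) throws Exception {
        int dot = relayState.lastIndexOf('.');
        if (dot < 0) return Optional.empty();
        String body = relayState.substring(0, dot);
        byte[] given;
        try {
            given = DEC.decode(relayState.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        // Constant-time comparison: a byte-by-byte equals would leak the MAC prefix.
        if (!MessageDigest.isEqual(mac(body), given)) return Optional.empty();
        String decoded = new String(DEC.decode(body), StandardCharsets.UTF_8);
        int sep = decoded.lastIndexOf('|');
        if (sep < 0) return Optional.empty();
        long expiresAt = Long.parseLong(decoded.substring(sep + 1));
        if (expiresAt < nowEpochSeconds) return Optional.empty();
        return Optional.of(decoded.substring(0, sep));
    }

    private byte[] mac(String data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(data.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        SignedRelayState rs = new SignedRelayState(secret);
        long now = System.currentTimeMillis() / 1000;

        String state = rs.create("tenant=xyz", now + 300);
        System.out.println("genuine: " + rs.verify(state, now));

        // A user who edits the hidden RelayState field swaps the body for another tenant;
        // the old MAC no longer covers it and verify() returns empty.
        String forgedBody = ENC.encodeToString(("tenant=abc|" + (now + 300)).getBytes(StandardCharsets.UTF_8));
        String forged = forgedBody + state.substring(state.lastIndexOf('.'));
        System.out.println("forged: " + rs.verify(forged, now));
    }
}
```

Note that SAML 2.0 caps RelayState at 80 bytes, so a payload plus a 43-character MAC leaves little room; the usual alternative is to store the per-tenant context server-side under a random opaque key and put only that key in RelayState. Either way, the issuing IdP itself should be taken from the signed assertion (the claim issuer, as the answer says), never from RelayState.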
I want to integrate Keycloak authentication into a Play2 project. Here is what I did until this point:
I downloaded Keycloak: keycloak-1.6.1.Final.zip, unpacked it, ran it and set it up by creating a test realm and some roles
I downloaded, configured and ran the example js-console (https://github.com/keycloak/keycloak/tree/master/examples/js-console)
I was able to create a user and to log in with the js-console. The user shows up in the Keycloak admin as expected
Now I would like to protect my backend also, which is a Play2 project with maven build (using the play2-maven-plugin: https://code.google.com/p/play2-maven-plugin/)
The backend publishes a REST API, and these calls need to be available only to authenticated users possessing several roles.
Until this point I was unable to find a solution to do this. I came across Deadbolt, which can declaratively express the restrictions that need to be applied to the users and the roles, but I was unable to find an adapter for keycloak to use with Play2.
Is there anybody who did something similar? I guess a solution would be to create a custom adapter, by configuring and then calling the core Keycloak methods.
Does anybody have some thoughts on creating this "Keycloak Standalone Adapter"?
These 2 blog entries helped me:
User Authentication with Keycloak (Keycloak with akka-http):
https://blog.scalac.io/user-authentication-with-keycloak-part1.html
https://blog.scalac.io/user-authentication-with-keycloak-part2.html
Build and Secure APIs with Scala and the Play Framework (Auth0 with Play Framework):
https://auth0.com/blog/build-and-secure-a-scala-play-framework-api/
It depends on which authentication mechanism you want to use (OpenID Connect or SAML). For the application I was working on we chose OpenID Connect. At the moment, the only Play2 library which supported the protocol was https://github.com/pac4j/play-pac4j. The tricky part was figuring out the way Keycloak was encoding the information in the token it sent back to the Play server. It does it by Base64 encoding. We translated the algorithm from the keycloak-js-adapter to extract the user information.
After that, we can use the Security trait or create a custom request wrapper which will contain the authorized user information.
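An added example (not the library's code and not the answer's own adapter) of what "extracting the user information" has to include on the server side: the token Keycloak returns is a JWT, so Base64url-decoding the middle segment gives the claims, but a backend that only decodes can be fed a forged token. The check below verifies the RS256 signature against the realm's public key (shown in the realm's Keys settings), then checks exp and iss before reading realm_access.roles. The token layout matches what Keycloak issues; the regex claim parsing and the locally generated key pair are simplifications so the example runs offline, and the issuer URL is a placeholder.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class KeycloakTokenCheck {
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final Base64.Encoder B64E = Base64.getUrlEncoder().withoutPadding();

    /** Verifies an RS256 access token and returns its realm roles, or throws SecurityException. */
    public static List<String> verifiedRealmRoles(String token, PublicKey realmKey,
                                                  String expectedIssuer, long nowEpochSeconds) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new SecurityException("malformed token");
        // Pin the algorithm: never let the token choose "none" or an HMAC variant.
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.contains("\"alg\":\"RS256\"")) throw new SecurityException("unexpected alg");
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(realmKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(B64D.decode(parts[2]))) throw new SecurityException("bad signature");
        // Only now is the payload trustworthy.
        String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        long exp = Long.parseLong(field(payload, "\"exp\":(\\d+)"));
        if (exp <= nowEpochSeconds) throw new SecurityException("token expired");
        if (!expectedIssuer.equals(field(payload, "\"iss\":\"([^\"]+)\""))) {
            throw new SecurityException("wrong issuer");
        }
        String roles = field(payload, "\"realm_access\":\\{\"roles\":\\[([^\\]]*)\\]");
        List<String> out = new ArrayList<>();
        for (String r : roles.split(",")) {
            if (!r.trim().isEmpty()) out.add(r.trim().replace("\"", ""));
        }
        return out;
    }

    // Minimal claim extraction for compact JSON; use a JSON library in real code.
    private static String field(String json, String regex) {
        Matcher m = Pattern.compile(regex).matcher(json);
        if (!m.find()) throw new SecurityException("claim missing: " + regex);
        return m.group(1);
    }

    // Stand-in for Keycloak so the check can run without a server.
    static String sign(String payloadJson, PrivateKey key) throws Exception {
        String h = B64E.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String p = B64E.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update((h + "." + p).getBytes(StandardCharsets.US_ASCII));
        return h + "." + p + "." + B64E.encodeToString(s.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPair realm = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        String iss = "https://sso.example.com/auth/realms/test";   // placeholder
        // Constructed payload in Keycloak's shape; exp is far in the future.
        String payload = "{\"iss\":\"" + iss + "\",\"exp\":4102444800,\"preferred_username\":\"alice\","
            + "\"realm_access\":{\"roles\":[\"user\",\"admin\"]}}";
        String token = sign(payload, realm.getPrivate());
        System.out.println("roles: " + verifiedRealmRoles(token, realm.getPublic(), iss, 1700000000L));

        // Decoding alone would accept this: the payload is swapped but the signature is the old one.
        String[] p = token.split("\\.");
        String forgedPayload = B64E.encodeToString(
            payload.replace("\"user\"", "\"superadmin\"").getBytes(StandardCharsets.UTF_8));
        String forged = p[0] + "." + forgedPayload + "." + p[2];
        try {
            verifiedRealmRoles(forged, realm.getPublic(), iss, 1700000000L);
        } catch (SecurityException e) {
            System.out.println("forged token rejected: " + e.getMessage());
        }
    }
}
```

Client-specific roles sit under resource_access.<client-id>.roles in the same payload and can be read the same way once the signature holds. In a deployment, the realm key is the one published by Keycloak for the realm, not one generated locally, and Deadbolt's role checks can then be driven from the list this function returns.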
I can't find out how to get roles from a database (JDBC) for a user authorised with Kerberos. Kerberos login works OK but the user doesn't have any roles.
I used spnego-r7 to run Kerberos - http://spnego.sourceforge.net/index.html
I can't find any tutorial or advice on how to do it.
Do you have any idea or example?
This is your task, not Kerberos'. Kerberos is solely authentication. When the user principal is passed from the response, look that up in your JDBC realm and retrieve your roles. This means that it is a two-step process.
You can (1) handle user groups in a non-container-managed way (i.e. in your application) or (2) try to tie into the container-specific security mechanism. I haven't successfully tapped into Glassfish security for assigning groups, but it appears you must create at least two classes: one that extends com.sun.appserv.security.AppservRealm, and one that extends com.sun.appserv.security.AppservPasswordLoginModule. The former has a method named getGroupNames which takes a username as a parameter and the latter has a method named commitUserAuthentication which takes an array of group names. Unfortunately it isn't clear how it is supposed to work and seems poorly documented. More information here: http://docs.oracle.com/cd/E19226-01/820-7695/beabs/index.html and here: https://blogs.oracle.com/nithya/entry/groups_in_custom_realms