SSO Using Duende Identity Server - duende-identity-server

How to implement SSO using Duende Identity Server. I have two client applications in IdentityClients Table. If the user logs into Client 1, the User should be automatically given access to Client 2 like Single Sign On.

Related

Spring Boot - Generate JWT on one server and authenticate on another server

I have a distributed system, a user will connect to a server and that server will assign them to a specific node/server to make their API calls.
I want to generate a JWT token on the first server that the client connects to, and when the user is redirected to the new server it will authorize them based on their username and password that is pulled from a local database and check the JWT if it is correct (i.e. to make sure they're redirected from the first server and nowhere else).
This might be a bad question, but I can't find any resources regarding something like this; how can I generate a JWT token from one server and authenticate it on another server?

In OAuth2 flow, can we delegate authentication to Windows SSO

We have an in-house OAuth2 server used by our applications. Now we want to use Windows SSO for our applications but without them having to change anything: they'll still reach our OAuth2 server for an access token, and the authentication part will be delegated to Kerberos (which Windows uses, if I understood properly).
Is there a way to do that?
That is a standard setup and should just require configuration changes in the Authorization Server (AS) - with zero code changes in applications.
Most commonly:
The AS might be hosted in the cloud
It will redirect browsers to an on premise Identity Provider (IDP)
The IDP can connect to Active Directory
You may also need a fallback option for when users are not joined to the work domain. See this Curity guide for an example and some infrastructure factors to think about.
If the AS is in house it may even be able to make a direct Kerberos connection via an LDAP data source, though the preferred architecture is a separate IDP.
Of course you need an AS that supports the ability to make this type of connection, so you would need to check the vendor docs.
REQUEST FLOW
Kerberos has always been the simplest protocol conceptually but the deepest to understand - here is a bit of a summary:
Your apps will make a standard OpenID Connect authorization redirect to the AS
The AS may then present an authentication selection screen to the user, unless there is only a single option
Alternatively an app can send the acr_values query parameter to say which authentication method to use
The AS will then redirect the browser to the next stage of processing, that uses a 'Windows SSO authenticator'
The redirect to the Windows SSO authenticator does not have to use OpenID Connect - it could be any vendor specific HTTP request
The browser will send an encrypted Kerberos ticket automatically by connecting to AD - a prerequisite for this to work might be that the domain in the URL is in the Local Intranet zone on end user computers
The Windows SSO authenticator will need to be able to decrypt this credential, which typically requires a Service Principal Name to be configured
Once the Kerberos ticket is decrypted, the authenticator will make an LDAP connection to an Active Directory data source via its standard LDAP endpoints, to verify the received ticket
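The first two steps of the request flow above (the app's OpenID Connect authorization redirect, optionally pinning the authenticator with acr_values, and the check of the redirect back) as an added example, not code from the answer or from any vendor. The endpoint, client id, redirect URI and the acr value are placeholders; a real AS publishes its endpoints in its discovery document and documents its own acr values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values: a real AS publishes its authorize endpoint in its
# OpenID Connect discovery document, and acr values are vendor specific.
AUTHORIZE_ENDPOINT = "https://as.example.com/oauth/authorize"
CLIENT_ID = "intranet-app"
REDIRECT_URI = "https://app.example.com/callback"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def code_challenge_for(code_verifier: str) -> str:
    # PKCE S256: the AS will only redeem the code with the matching verifier.
    return b64url(hashlib.sha256(code_verifier.encode()).digest())

def query_params(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def build_authorization_request(acr_values=None):
    """Return (url, state, code_verifier) for the app's first redirect to the AS.
    Without acr_values the AS may show its authentication selection screen;
    with it the app pins one authenticator (a placeholder Windows SSO value here)."""
    state = b64url(secrets.token_bytes(16))          # ties the callback to this login attempt
    code_verifier = b64url(secrets.token_bytes(32))  # kept server side until the token request
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": code_challenge_for(code_verifier),
        "code_challenge_method": "S256",
    }
    if acr_values:
        params["acr_values"] = acr_values
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, code_verifier

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Check the AS's redirect back to the app and return the authorization code."""
    qs = query_params(callback_url)
    if qs.get("state") != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error']}")
    return qs["code"]
```

The Windows SSO hop itself (Kerberos ticket, SPN, LDAP verification) happens between the AS and the authenticator and is not visible to the app; the app only sees the final redirect back with a code and its state.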

Implement personal access token in aspnet zero application using IdentityServer 4

I am implementing a personal access token in my aspnet zero application. I came across some challenges while implementing this. I am working with a multi-tenant application where each tenant will get an access token to access the system.
It will basically store the client Id and client secret for each tenant in the database and, based on this, a personal access token is generated. For this, I have created the identity server Client entity and its related entities; I referred to this link: https://github.com/IdentityServer/IdentityServer4.EntityFramework/tree/dev/src/IdentityServer4.EntityFramework
I am able to generate the client keys and have also stored these keys in the database.
After this, we need to configure identity server; I followed the above link to configure identity server in the startup file. But things do not seem to be working for me. Is there any sample implementation to get clients from the database and configure identity server for personal access tokens?
Thanks.

What's the meaning of Realm in spring security

In my application, I use spring security, and I just want to know what's the meaning of "realm" in HTTP config.
A realm is a credential store that enables identity or role based access control.
Java Documentation
What is a realm?
For a web application, a realm is a complete database of users and groups that identify valid users of a web application (or a set of web applications) and are controlled by the same authentication policy.
The Java EE server authentication service can govern users in multiple realms. In this release of the Application Server, the file, admin-realm, and certificate realms come preconfigured for the Application Server.
In the file realm, the server stores user credentials locally in a file named keyfile. You can use the Admin Console to manage users in the file realm.
When using the file realm, the server authentication service verifies user identity by checking the file realm. This realm is used for the authentication of all clients except for web browser clients that use the HTTPS protocol and certificates.
In the certificate realm, the server stores user credentials in a certificate database. When using the certificate realm, the server uses certificates with the HTTPS protocol to authenticate web clients. To verify the identity of a user in the certificate realm, the authentication service verifies an X.509 certificate. For step-by-step instructions for creating this type of certificate, see Working with Digital Certificates. The common name field of the X.509 certificate is used as the principal name.
The admin-realm is also a FileRealm and stores administrator user credentials locally in a file named admin-keyfile. You can use the Admin Console to manage users in this realm in the same way you manage users in the file realm. For more information, see Managing Users and Groups on the Application Server.
A realm is a security policy domain defined for a web or application server. A realm contains a collection of users, who may or may not be assigned to a group.
A realm is a security policy domain defined for a web or application server. The protected resources on a server can be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database containing a collection of users and groups. For a web application, a realm is a complete database of users and groups identified as valid users of a web application or a set of web applications and controlled by the same authentication policy. The Java EE server authentication service can govern users in multiple realms.
https://docs.oracle.com/cd/E19798-01/821-1841/bnbxk/index.html

Single Sign-On between 2 different platforms but on the same domain

I'm in the process of rearranging our web-based systems, so that users will be able to log on to our systems through a SharePoint front-end. Our single sign-on server is an Oracle SSO server that authenticates against the same domain as the SharePoint server does, but these two are currently 2 separate logins.
What I'm looking for is to configure this scenario:
A user logs in to the SharePoint site, authenticating against Active Directory through the TMG. This gives the user access to the SharePoint site, and this is all standard OOTB functionality. Then the user should be able to navigate into our other systems without a re-login (because the SSO is configured for external authentication with the same AD, and therefore uses the same userbase).
So basically the users currently have to log in twice with the same domain\user + password. I would like the SSO server to be able to read the cookie that was established in the first login, and use that instead of presenting the SSO login screen all over again.
Is it possible to share such a cookie between 2 different platforms on the same domain?
I have implemented a Kerberos "zero-sign-on" approach for the Oracle SSO server, but this only works as long as the user comes from a computer inside our domain. When the user logs on from the outside world (www), he will be prompted to log in to SharePoint first, and then to the Oracle SSO.
I basically need the Oracle SSO cookie to somehow read the SharePoint cookie that was established. Does this make sense?