Shibboleth 4 IDP: assign attribute resolver to specific flow - shibboleth

I have two login flows. I want flow1 to only use the standard attribute-resolver.xml file and flow2 to only use attribute-resolver-ldap.xml. Where do I tell the IDP what resolver it should use for a flow?

I talked to Shibboleth's main developer Scott Cantor, and he wrote that such behaviour is not possible with Shibboleth (at least with version 4.0.1). However, I solved my core problem using an entirely alternative way. Here's the link: Shibboleth 4 IDP: Query two different login sources with the Password flow

Related

Is it safe to use a common ACS URL and SP Entity ID for multiple Asserting Parties?

My use case is that my users create an application, for example in Okta, then send a link to the metadata from which my application creates a RelyingPartyRegistration. Users can then log in using the IDP they registered. The app supports several commonly known IDPs, but it is also possible to add integration with a custom IDP that supports SAML.
I'm trying to figure out if it's safe to use a common ACS URL and SP Entity ID for all users (without using {registrationId} in the links). If so, can this be done within a single IDP, or can I use a common one for all IDPs that my application supports (Okta, OneLogin, etc.)?
Also, if I understand correctly, this use case is slightly different from the examples because the IDP metadata is known in advance in the examples. I would be grateful if you could tell me the correct name for this use case so I can read more about it.

Spring Application with SSO using Windows Credentials(via Kerberos)

I have a Spring application with a login screen that authenticates the credentials the user has entered against users on our Active Directory (using LDAP).
However, I'd like to add the capability of SSO, specifically with the Windows credentials that the user has entered upon logging into Windows.
I'm aware that since AD uses Kerberos it wouldn't be such a "hard" task to do, and I've found one possible solution as to how to implement it, specifically this guide, with what I want to achieve being on this part of the page.
But honestly I don't seem to be able to understand how to implement it...
I have the following questions:
1) Which parts/classes should I implement for what I actually need, meaning which of the following classes are needed in reality? (AuthProviderConfig, SpnegoConfig, KerberosRestTemplate, KerberosLdapContextSource)
2) If all my users are on a Windows environment, do I really need cached tickets (kinit) or a keytab? In that case application.yml is also not needed, right?
3) What does the AD admin need to do on his side to configure/enable this SSO with Kerberos? (For the login screen adapter that works, I have the domain, url, rootDn, service user, user searchbase and service user password in my application properties.)
Based on this thread, specifically on what the highest scored answer shows, I'm missing only steps 1 and 2 (I suppose?).
If anyone has maybe a better "guide" or tips that I can follow in order to implement this I'm all ears.
In any case, thank you for your time; I appreciate any feedback you could give me.
I realised a similar task using this tutorial:
https://www.baeldung.com/spring-security-kerberos
You only need to modify WebSecurityConfig extends WebSecurityConfigurerAdapter: add there the Spnego filter from point 6.2 of this tutorial and beans with KerberosAuthenticationProvider. Spring has built-in Kerberos machinery that generates and decrypts SPNEGO tokens itself. In this case, in the filter you should authenticate all paths, but in my case I used Kerberos authentication the first time, and later I used the JWT token which I had implemented before I implemented SSO.
You need a keytab file and a ServicePrincipalName. You can generate it with kinit using a user who has access to the users in AD.
I found something like this:
https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-configure-single-sign-on-with-kcd

Can multi-tenancy in Keycloak be done within a single realm?

First, I'm well aware of the multi-realm approach to multi-tenancy in Keycloak. I've taken over a legacy project where nobody thought of multi-tenancy. Now, two years later, suddenly, the customer needs this feature. Actually, the microservices are prepared for this scenario out-of-the-box.
The customer develops a mobile app that authenticates users via API on our Keycloak instance with an account number (as username) and a password. Now, he'd like to add a tenant id to the login information.
The customer wants to avoid using several endpoints as a multi-realm solution would demand.
One first idea was to just concatenate tenant-id and account-id on registration. But that's a smelly approach.
So, my thought was that there may be a way to configure Keycloak so that I add a custom tenantid field together with the username, which acts just like a composite primary key in the database world.
Is such a configuration possible? Is there another way to achieve multi-tenancy behaviour using a single realm?
I can't say for sure, but after some research, I found this:
This website lists all of this together with more information:
https://lists.jboss.org/pipermail/keycloak-user/2017-June/010854.html
Check it out, it may help with your data organization in key-cloak.
Late to the party. But maybe for others who are interested. You could try the keycloak extension keycloak-orgs. I am currently building a test stack with it and I am pleased.
A tenant in keycloak-orgs is an organization. You can map organizations and their roles to token claims with a built-in mapper.
    "organizations": {
        "5aeb9aeb-97a3-4deb-af9f-516615b59a2d": {
            "name": "foo",
            "roles": [ "admin", "viewer" ]
        }
    }
The extension comes w/ an admin interface. From there you can create organizations and assign users to it. There is also a well-documented REST API on the Phase Two homepage (the company who open-sourced the project).
The maintainers provide a keycloak docker image that has the relevant keycloak extensions installed.
If you want a single realm and a single client that serves many tenants, you can just use a custom user attribute and e.g. add key(s) "tenant=MyTenant", and then add a client scope and a mapper to include user attributes that have key=tenant.
Then the token will carry the user's tenant(s) and you can use that to filter data, add to newly created data etc.
It's only like 4 steps in Keycloak:
Add User attributes using a key-convention.
Add a Client scope that will represent tenants.
Add a mapper to extract the User attributes.
Add Client scope to the Client in use.
Wrote about it here: https://danielwertheim.se/keycloak-and-multi-tenancy-using-single-realm/
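As an added example (not code from either of the two answers above), this is the consumer side of both single-realm approaches: it reads the tenant information from an already signature-verified Keycloak token, covering the custom user attribute mapped into a claim (claim name `tenant` is an assumption; it arrives as a string or, when the mapper is multivalued, a list) and the keycloak-orgs `organizations` claim, and it fails closed when a request names a tenant the token does not grant. The sample claims and row shape are constructed.

```python
class TenantDenied(Exception):
    """Raised when a request targets a tenant the token does not grant."""


def tenants_from_claims(claims):
    """Return the set of tenant identifiers a verified token carries.

    Handles both shapes discussed above:
    - a user attribute mapped to the (assumed) claim name "tenant", which
      Keycloak emits as a string, or as a list when the mapper is multivalued
    - the keycloak-orgs "organizations" claim: {org_id: {"name", "roles"}}
    Anything else (missing claim, wrong type) contributes no tenants.
    """
    tenants = set()
    raw = claims.get("tenant")
    if isinstance(raw, str):
        tenants.add(raw)
    elif isinstance(raw, list):
        tenants.update(t for t in raw if isinstance(t, str))
    orgs = claims.get("organizations")
    if isinstance(orgs, dict):
        tenants.update(org_id for org_id in orgs if isinstance(org_id, str))
    return tenants


def scope_to_tenant(claims, requested_tenant):
    """Return the row filter for a request, or raise if the token lacks that tenant.

    The tenant comes from the token, never from the request alone, so a caller
    cannot widen its view by supplying somebody else's tenant id.
    """
    if requested_tenant not in tenants_from_claims(claims):
        raise TenantDenied(f"token does not grant access to tenant {requested_tenant!r}")
    return {"tenant": requested_tenant}


def filter_rows(rows, claims, requested_tenant):
    """Apply the tenant scope to an in-memory result set (stand-in for a WHERE clause)."""
    scope = scope_to_tenant(claims, requested_tenant)
    return [row for row in rows if row["tenant"] == scope["tenant"]]


# Constructed sample claims, shaped like the payload Keycloak would issue.
ATTR_CLAIMS = {"sub": "user-1", "preferred_username": "1001", "tenant": ["MyTenant", "Other"]}
ORG_CLAIMS = {"sub": "user-2", "organizations": {
    "5aeb9aeb-97a3-4deb-af9f-516615b59a2d": {"name": "foo", "roles": ["admin", "viewer"]}}}
ROWS = [{"id": 1, "tenant": "MyTenant"}, {"id": 2, "tenant": "Other"}, {"id": 3, "tenant": "Foreign"}]
```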

Windows Authentication--Authenticating numerous users

I am using Windows authentication on a website but want to have levels of access. Currently, I am using the [Authorize(Users = "userA")] syntax.
However, with upwards of twenty Windows accounts accessing a site, I don't want to have to hard-code in twenty users with each Authorize statement. What's more, some of the users need to have different access than others. I thought of having a list of users that a CustomAuthorizationAttribute iterates through to see if the desired user is among them.
Basically, I'm trying to get roles without using Forms authentication.
What is the most effective, most simple way of doing this?
Your answer lies within the ActiveDirectory domain. Since you are using MVC 3 you should have access to the following namespace "Directory Services Account Management":
http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.aspx
You can see this article for describing the whole process underneath, it provides sample code for you to use immediately out of the box:
http://msdn.microsoft.com/en-us/magazine/cc135979.aspx
Forewarning:
You will also have to establish an LDAP connection string. LDAP is a protocol used for retrieving that information from the secured Windows database.
http://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx
To see the code being used in action:
http://www.willasrari.com/blog/query-active-directory-users-using-c/000133.aspx
I've done something similar to this in a .NET 3.5 environment using IIS 7.
One of the best articles I've ever read about Role-based Authorization is:
Role-Based Authorization With Forms Authentication (Part 2) By Darren Neimke and Scott Mitchell. They wrote it for ASP.NET 2.0, and no concept has been changed in version 4.0 (and 4.5 as far as I know).
To become a master in this field, read this MSDN guide and all of its chapters:
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication

Glassfish 3.1 + Kerberos + roles from database (JDBC)

I can't find out how to get roles from a database (JDBC) for a user authorised with Kerberos. The Kerberos login works OK, but the user doesn't have any roles.
I used spnego-r7 to run Kerberos - http://spnego.sourceforge.net/index.html
I can't find any tutorial or advice on how to do it.
Do you have any idea or example?
This is your task, not Kerberos'. Kerberos is solely authentication. When the user principal is passed from the response, look that up in your JDBC realm and retrieve your roles. This means that it is a two-step process.
You can (1) handle user groups in a non-container-managed way (i.e. in your application) or (2) try to tie into the container-specific security mechanism. I haven't successfully tapped into Glassfish security for assigning groups, but it appears you must create at least two classes: one that extends com.sun.appserv.security.AppservRealm, and one that extends com.sun.appserv.security.AppservPasswordLoginModule. The former has a method named getGroupNames which takes a username as a parameter, and the latter has a method named commitUserAuthentication which takes an array of group names. Unfortunately it isn't clear how it is supposed to work and seems poorly documented. More information here: http://docs.oracle.com/cd/E19226-01/820-7695/beabs/index.html and here: https://blogs.oracle.com/nithya/entry/groups_in_custom_realms