I'm using thinktecture idserver 3 to auth some APIs, (STS A), now I would like to have a new STS (STS B) in a different network (probably a DMZ) and make tokens from STS B work in STS A.
The APIs uses STS A for auth but I would like to call the API with tokens from STS B.
From what I have searched, fond this
Authenticate to STS by Issued Token
it states it's possible by setting WsTrust but dont really have details and dont even know if its possible
Has anyone have done this and know the details or at least point in the right direction ?
If its like the url above, would it mean enabling ws federation on both STS and then make one trust the other one?
Note that in theory STS B wont have conectivity to STS A, maybe STS A can communicate with STS B if required. So I cant setup STS A as an identity provider to STS B
Related
What is the best way to integrate my Spring Boot app with OAuth2? It already has login functionality with issuing a JWT token. What I want to achieve: perform login using OAuth2 and issue the same JWT to access my app.
What should I use:
Keycloak auth server + make my app a resource server
Write my own auth server using spring-security-oauth2-autoconfigure and spring-boot-starter-oauth2-client + make my app a resource server?
Any other approach you can suggest...
Maybe, this link can help you: https://stackshare.io/stackups/keycloak-vs-spring-security
It really depends on your scenario.
But, in my opinion, the first option has more advantages. The main one is the maintenance effort. With your own oauth server, you must maintain one more service. Keycloak is mature and open source, with many developers maintaining it.
is possible create authorization server for PKCE authentication in current version of spring security?
I did research and I found out this authorization server project https://github.com/spring-projects-experimental/spring-authorization-server but there is no usable sample for that project.
I also find out that spring recommends Keycloak as authorization server, but it is not fit for my case.
We need be able fetch and verify user against remote service, and then use authorization server only for generating and verifying jwt tokens. In my knowledge Keycloak should holds also users right? So the best solution would be custom spring standalone authorization server. Is it possible in some way? Thank you!
You may have a look to this project: CloudFoundry User Account and Authentication (UAA) Server.
UAA is a (Spring MVC) component of Cloud Foundry but it could be used as a stand alone OAuth2 server. It can support external authentication service. And there is a Pull Request that implements PKCE: https://github.com/cloudfoundry/uaa/pull/939 (not yet merged, but under review).
You can find an example on how to use UAA on baeldung.com.
As far as I know, Spring framework has one more implementation of the authorization server. It is a part of spring-security-oauth project. But this project was moved into maintenance mode.
According to this migration guide, the new authorization server project (that you have already found) will be created to change the legacy solution.
From my point of view now there are several possible options:
Using old legacy spring-security-oauth. More examples with old auth server
Using external services like Keycloak, Auth0, Okta and etc
Hi, I am trying to use single-sign on with keycloak and springboot 2 app
I got local keycloak setup realm and client.
I followed this example : spring-boot-keycloak-tutorial
This works fine, my issue is that I want to implement single sign on. Which means I don't want the user to login using keycloak login page.
If the users are logged in to the network (using Windows machine), and try to access the page, then they should be able to access the application without login because they are valid network users.
I don't seem to find an example on how to setup SSO and pass the credentials directly from windows to keycloak
You can configure your realm to use Kerberos user federation. This will enable SSO using the active directory.
See the official example page
You then need to make sure that your browser to support the SSO.
It turned out that the keycloak-spring-boot-adapter does not work for spring boot 2.0+
I changed my spring version to 1.5.3 instead of 2.0.5 and this solved the problem.
I am not sure if there is an alternative for spring boot 2.0
Background: my web-app is running in PROD, and real users are using it. The initial authentication was implemented using Spring Basic Security.
Recently, client decided to use SSO for authentication, so my app should act as SP with client IdP. I used Spring SAML to configure my app as SP.
Integration with client IdP on QA environment involved next steps:
Get and store IdP metadata file received from customer.
Deploy code with SP configuration on the environment.
Generate SP metadata file using /saml/metadata endpoint and share it with customer.
Get a green light from customer IdP side that SP metadata file in a right place.
Verify that SSO is working successfully.
Now, It's time to deploy SP SSO configuration on PROD environment and integrate it with client PROD IdP.
I don't like to use the approach above for PROD, as real users will not be able to login into the app until app SP metadata file will be generated, and put in a right place at customer IdP.
Can anyone tell me how can I generate SP metadata file for my app in advance, before deploying SSO configuration on PROD?
(1) Quote "Recently, client decided to use SSO for authentication, so my app should act as SP with client IdP. I used Spring SAML to configure my app as SP."
Response:
I suppose that you use Spring SAML provided by the official GitHub repository of Spring Security SAML to "configure your app as SP".
(2) Quote "Integration with client IdP on QA environment involved next steps:.."
Response:
The five (5) steps (provided by your post) regarding integration of your web app as SP with client IdP are the practical SAML standard for "deploying SP SSO configuration on PROD environment and integrate it with client PROD IdP."
I have shared hands-on experience on integration of web app as SAML SP with SAML IdP by providing my answer to another recent Stackoverflow question "I have provided an instruction to address another Stackoverflow How can I generate metadata file of my Java Spring Application to establish a connection with Identity Provider like Ping Federate?"
(3) Quote "I don't like to use the approach above for PROD, as real users will not be able to login into the app until app SP metadata file will be generated, and put in a right place at customer IdP."
Response:
If you "don't like to use the approach above for PROD", you can modify the source code of "spring-security-saml/samples/boot/simple-service-provider/" (provided by the official GitHub repository of Spring Security SAML) to configure your web app as SAML SP.
(4) Question "Can anyone tell me how can I generate SP metadata file for my app in advance, before deploying SSO configuration on PROD?"
Answer:
(I) The README on "How to run a simple sample of an Identity Provider (IDP) and Service Provider (SP)" (provided by the official GitHub repository of Spring Security SAML) will guide you "how can I generate SP metadata file for my app in advance, before deploying SSO configuration on PROD".
(II) I highlight the related information on "how to generate SAML SP metadata file of Spring Basic Security for my web app in advance, before deploying SSO configuration on PROD" (Quote your question).
Step 2 - Start the Service Provider
Service Provider runs on http://localhost:8080/sample-sp
$git clone https://github.com/spring-projects/spring-security-saml
$cd spring-security-saml
$./gradlew :spring-security-saml-samples/boot/simple-service-provider:bootRun &
(II.a) Launch a web browser to access the URL http://localhost:8080/sample-sp
to ensure that Spring Security SAML Service Provider runs well.
(II.b) Launch a web browser to access the SP metadata endpoint
http://localhost:8080/sample-sp/saml/sp/metadata
to download or "generate SP metadata file for my app in advance, before deploying SSO configuration on PROD" (Quote your question).
(5) Question "Spring SAML: alternative ways to generate SP metadata besides using /saml/metadata endpoint"
Answer:
you can modify the source code of "spring-security-saml/samples/boot/simple-service-provider/src/main/java/sample/config/SecurityConfiguration.java" (provided by the official GitHub repository of Spring Security SAML) to "generate SP metadata besides using /saml/sp/metadata endpoint".
For example, if you want to generate SP metadata from a specific endpoint such as /example/metadata, then you just need to replace
"super("/saml/sp/", beanConfig);"
(in the source code shown below) with
"super("/example/", beanConfig);"
public SamlSecurity(BeanConfig beanConfig, #Qualifier("appConfig") AppConfig appConfig) {
super("/saml/sp/", beanConfig);
this.appConfig = appConfig;
}
As long as you know the URIs of the endpoints and the signature certificate you can generate them manually and specify it in the configuration.
I have a client/consumer application that needs to access the Rest Services from the provider application. However, i need to go thru SSO first before accessing the Rest Services. Manually pasting the SSO URL with the parameters, I was successfully redirected to the provider app. However, I need to do it from java class and get the token after SSO so i can use the token to call the Rest Services. can anyone point me to the right direction, please?