I need to implement SAML SSO in a webb site based on web forms, can someone please show a example of how to that?
You need a SAML stack on your client.
Some of the commercial clients have examples of this.
Basically:
Configure the client-side SAML parameters based on your IDP
Have a form with a Login button
When the button is clicked, use the stack to send an AuthnRequest
This will trigger an IDP login form
After the user has logged in, the IDP will return to your Assertion Consumer Endpoint with the SAML token
Use the stack to extract the attributes you need
Related
I am trying to integrate OKTA as service provider to provide access to the custom application for external customers.
External Users login to enterprise Idp to access the custom application
After successful authentication IDP triggers the IDP-Initiated flow and submits the SAML response to OKTA
OKTA checks for the external user information in the SAML assertion and sends these details to Custom API application to identify the user
If the user is found, the API returns the required information to OKTA
OKTA will initiate the PKCE flow to provide access to the custom application
I was success in configuring the OKTA and external customer IDP. But, Can anyone knows how OKTA will call the custom API application to identify the user information? Also, how to configure the redirect URL?
unfortunately I don't have an answer to your question as we use PingFederate but I was curious as to how you setup Okta (as the SP) to accommodate the IdP-Initiated call, without having to call back into the IdP for authentication? I ask because, as the IdP, we are calling Okta (as the SP) and the SAML response but the vendor is stating they cannot setup Okta without the IdP URL to call back into to have us, the IdP, authenticate the user. Seems your setup works how we believe it should so wanted to get more details about this.
I added support for SAML 2.0 SSO with Okta to my application using Kentor AuthServices .NET package and the first action done by a user is clicking "Login with Okta" button and then being redirected to Okta's sign in page with SAML request token generated by Kentor.
In some scenarios the user email (username in Okta) is already known beforehand and I want to pre-populate the Username textbox on Okta's sign in page with this value.
Is it possible to do that, for example by providing the desired username in SAML request or in the cookies?
The SAML standard has support for including a Subject (that is a user name in SAML lingo) in the AuthnRequest. Unfortunately Kentor.AuthServices doesn't support that (yet). There has been some work done (see https://github.com/KentorIT/authservices/issues/430) but I don't know the current status.
Then you of course need to check whether Okta supports reading that data.
Normally ,the client redirect to Oauth server ,with client id
http://localhost:8181/sparklr2/oauth/authorize?response_type=code&client_id=tonr-with-redirect&state=xyz
the login page is displayed ,after proper credentials are received and authenticated ,confirmation is not call back done to client with authorization code
http://localhost:9090/tonr2/sparklr/redirect?code=gm4XN3&state=xyz
If the user is not registered and sign up need to be done ,then how to generate a authorization code after sign up with out login
I think this is a general question for Spring security, what you want is a login flow which supports signup and generates a complete authentication at the end of the signup flow.
So you will have to create a custom login form flow that offers signup and then completes the authentication at the end of the signup flow.
If you do this properly Spring oauth should take over and continue the redirect flow just as if you signed on the normal way.
I had a requirement to implement spring security saml implementation.
And I want to connect to IDP(Identity Provider) to authenticate without using IDp's login page. In my case, I want to use Service Provider (login page)..
Is this possible? If yes how to achieve this?
You can try with WSO2IS with request path authenticators which validates user credentials comes from SP login request. If you take SAML2 SSO scenario, SP can send SAML2 Auth request using POST binding to IDP. In the same request SP can send the end user's credentials that is retrieved from the login page of SP application. Then you would not see the login page in IDP and credential are retrieved from auth request and validates with IDP's user store. If success SAML2 response is generated. You can take help from this link.
This is not really a good idea since by definition, the service provider is not supposed to authenticate users, that is the IDP's responsibility.
If you are concerned about branding.. you may be able to request the IDP to personalise their login page if your SP has requested authentication although it is slightly unlikely that they will agree to this.
I am trying to implement SAML SSO between two J2ee applications (form-based) deployed on two different instances of WAS, I have configured both WAS instances as service providers using the steps in http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.nd.multiplatform.doc%2Finfo%2Fae%2Fae%2Ftwbs_enablesamlsso.html
I set the property sso_1.sp.login.error.page to the login page of the Identity provider but when I get redirected to the login page, it displays that no SAML request (AuthRequest) is available, can anyone tell me why the WAS is not issuing the SAML authentication request?
WAS does not send a SAML request in the redirect. This is explained in the paragraph above this section of the DeveloperWorks SAML TAI article. The scenario you're expecting is referred to as the solicited response. WAS only supports what the article terms the unsolicited response. In this latter case, the IDP must understand how to authenticate the user (usually through a browser interaction) without a SAML request.