IDP Init SSO flow with SimpleSAMLPhp + Laravel Apps (Saml2 Package as SP) - laravel

Here is our use case:
We are using SimpleSAMLphp as the IdP and the Saml2 package as the SP in our Laravel websites.
We want to use the IdP-initiated SSO flow for our websites (set up the IdP and test an IdP-first approach). I'm referring to this doc: https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_11
Now the problem is: in the IdP's login URL we need to provide spentityid= (the same value we configure in /simplesamlphp/metadata/saml20-sp-remote.php), which points to the SP of the website where the SAMLResponse will be sent upon login. So it will be different for every website; instead we need a common URL for all our websites.
Below are the steps the user will perform:
1. User accesses the common URL
2. Gets the login screen
3. Enters his/her credentials
4. After successful login, gets a screen with options to choose the website they want to navigate to
5. Clicks on the desired website
6. Gets logged into the desired website
Please help me find a resource/solution for the above use case.
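One way to give every website the same entry URL is a small chooser page hosted on the IdP itself. The following is an added example written for this thread, not code from the question, from SimpleSAMLphp or from the Saml2 package; it assumes the IdP's hosted metadata uses the auth source 'example-userpass', the usual SSOService.php path, the autoloader path shown, and placeholder entity IDs.

```php
<?php
// Added example (not from the question or from SimpleSAMLphp): a chooser page on the
// IdP host that gives all websites one common login URL.
// Assumptions: saml20-idp-hosted.php uses the auth source 'example-userpass',
// SSOService.php lives at the path below, and the entity IDs are placeholders.
declare(strict_types=1);
require_once '/var/simplesamlphp/lib/_autoload.php'; // assumed install path

const IDP_SSO = 'https://idp.example.org/simplesaml/saml2/idp/SSOService.php';

// Allowlist keyed by a short name. The entityid values must be the same ones
// configured in metadata/saml20-sp-remote.php (constructed placeholders here).
$sites = [
    'shop' => ['name' => 'Shop', 'entityid' => 'https://shop.example.com/saml2/metadata'],
    'blog' => ['name' => 'Blog', 'entityid' => 'https://blog.example.com/saml2/metadata'],
];

// Steps 1-3: the common URL forces a login against the IdP's own auth source, so the
// later SSOService.php call finds an existing IdP session and does not prompt again.
$as = new \SimpleSAML\Auth\Simple('example-userpass');
$as->requireAuth();

// Steps 4-6: the chosen site is looked up in the allowlist, and only then is the
// IdP-initiated URL (spentityid=...) built. The spentityid never comes from the
// request directly, so the page only ever sends users to SPs you configured.
$choice = $_GET['site'] ?? null;
if ($choice !== null) {
    if (!isset($sites[$choice])) {
        http_response_code(404);
        exit('Unknown site');
    }
    $query = http_build_query([
        'spentityid' => $sites[$choice]['entityid'],
        'RelayState' => '/', // optional SP-relative landing path (assumed supported)
    ]);
    header('Location: ' . IDP_SSO . '?' . $query, true, 303);
    exit;
}

// Render the chooser; each link points back at this same page.
echo '<h1>Choose a website</h1><ul>';
foreach ($sites as $key => $site) {
    printf('<li><a href="?site=%s">%s</a></li>',
        rawurlencode($key),
        htmlspecialchars($site['name'], ENT_QUOTES, 'UTF-8'));
}
echo '</ul>';
```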

Related

ADFS IDP checking if user already logged in via middleware or anyother way

I have integrated the package aacotroneo/laravel-saml2 with ADFS on premises.
There is one scenario I am not able to check: if we are logged in to Microsoft or Google, then we are not asked again to log in to their related websites like Outlook or Gmail etc., as defined in SSO.
I have done the implementation regarding ADFS on premises, and in particular I need to check if the user has logged in on their network; then I need to redirect them to the home of the application.
Generally we get the response on the idpname/acs route, but that is a POST route we can't check directly.
So how can I check if the user is already logged in to the ADFS network, so I can directly redirect him to the application?
For now the acs route fires only if the user enters credentials in the defined IdP.
Is there any way, via middleware or anything, with which we can check if the user is already logged in to the IdP, so that we then only need to redirect the user?
Any help would be appreciated!
Thanks!

Login page for Active Directory

Requirement: I've a Ruby on Rails application named "RoR App", for instance. Several different clients have their own Active Directory, and when a user hits a particular URL in the "RoR App" the control will be redirected to the client's login page, where the user will provide their AD credentials.
Once authenticated, a callback to the "RoR App" will be called, where the user's session will be created.
Work done: So far, I'm able to use the omniauth-saml gem to redirect to some URL (will be the client's login page later) when a user enters a particular URL in "RoR App", using SAML.
Questions:
For testing purposes, do I need to create a login page in some technology (RoR, PHP etc.) which will work as the client's (IdP) login page? And when the user provides their credentials, do I have to write some code in the backend to authenticate with Active Directory?
OR
Does AD or Windows provide some self-managed login page which can be created (after some configuration) and performs the authentication process itself?
I'm new to Active Directory, so sorry if this is an obvious question.
At last, we've used Active Directory Federation Services (ADFS) for setting up the IdP, which provides the login page and authenticates the user using the configured user credentials in Active Directory.

Login via Facebook into OpenAM using REST

I am looking forward to integrating Facebook login for users. I have my app protected by OpenAM and the users are already registered there. I have my own login page and would not like to move this to OpenAM; I'd like to retain it in my app. As of now, I am using REST calls to authenticate users in OpenAM. Now I want to integrate login using Facebook. My idea of the implementation is as follows:
1. User logs in using original credentials and is authenticated in OpenAM.
2. User is asked to associate his/her Facebook account with the OpenAM account.
3. User authenticates his/her Facebook account (https://www.facebook.com/dialog/oauth?app_id={app-id-as-created-in-fb-developers-console}&redirect_uri={my-rest-service}). This will return the code, which can be used to recheck against Facebook to ensure that the user was authenticated against my app and this is not a hacker intervention (http://graph.facebook.com/debug_token?%20input_token={code-returned-from-facebook}&access_token={my-app's-access-token}). The response will contain the app ID, which can be verified against my app's ID. On success, I shall call OpenAM to associate the user in OpenAM with his/her Facebook credentials (not sure what to use here).
4. Next, whenever the user wants to log in, he/she can use Facebook login, where the redirect URL would be my REST service; the code returned from Facebook can be rechecked with Facebook and then OpenAM will be called to authenticate.
My queries:
1. I am not sure if this approach is feasible.
2. How do I pair an existing user in OpenAM with the Facebook account?
3. How do I authenticate the user in OpenAM after Facebook login, with the user ID?
4. Is the Facebook user ID (numeric, returned from the Facebook graph in the JSON response) unique and permanent?
5. I would also want to give the users an option to de-associate the existing Facebook account and associate a new one. How do I do this?
Apologies for asking too many questions, but I am new to OpenAM and OAuth and keen on following the approach I have mentioned above.
Thank you.
As an aside, it will probably be much easier in the future if you delegate all of the login to OpenAM, and let it deal with local login and social. This will make it really easy to add more social providers.
If you want to keep your current architecture, you can create a new authentication chain in OpenAM that just has social (facebook) login. You should be able to redirect the user to that chain. Once the social login process is complete, you can have OpenAM redirect back to your application page.
To link local and social login you are going to have to offer some kind of account claiming in your application. After they do a social login you could ask them to link their local account by providing the username and password. You can call OpenAM's REST API to validate the credentials.
This kind of linking can be confusing for users - so sometimes it is better to treat them as separate accounts, or have a migration process for the user to migrate to social only.
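The "recheck against Facebook" step in the question above is the point where a token issued to some other app must be rejected. The block below is an added example for this thread, not code from either post or from OpenAM; it assumes the OAuth code has already been exchanged for a user access token (which is what debug_token inspects as input_token), a placeholder app ID, and constructed sample responses.

```php
<?php
// Added example (not from the question, the answer or OpenAM): validate a Facebook
// debug_token response before linking or authenticating the user.
// Assumption: the "code" from the OAuth dialog was already exchanged for a user access
// token, and that token was sent as input_token; MY_APP_ID is a placeholder.
declare(strict_types=1);

const MY_APP_ID = '123456789012345'; // constructed placeholder app ID

/**
 * Returns the verified Facebook user ID, or null when the token must not be trusted.
 * Since Graph API v2.0 the user_id is app-scoped: stable per user for this app,
 * but a different value in another app.
 */
function verifiedFacebookUserId(string $debugTokenJson, string $expectedAppId, int $now): ?string
{
    $resp = json_decode($debugTokenJson, true);
    if (!is_array($resp) || !isset($resp['data']) || !is_array($resp['data'])) {
        return null;
    }
    $d = $resp['data'];
    // The token must have been issued to *our* app; this is the check the question
    // calls "not a hacker intervention": a token minted for another app is rejected.
    if (($d['app_id'] ?? null) !== $expectedAppId) {
        return null;
    }
    if (($d['is_valid'] ?? false) !== true) {
        return null;
    }
    // expires_at is a Unix timestamp; 0 marks a non-expiring token.
    $exp = (int) ($d['expires_at'] ?? 0);
    if ($exp !== 0 && $exp <= $now) {
        return null;
    }
    $uid = $d['user_id'] ?? null;
    return (is_string($uid) && $uid !== '') ? $uid : null;
}

// Constructed sample responses in the debug_token shape.
$good     = '{"data":{"app_id":"123456789012345","is_valid":true,"expires_at":4102444800,"user_id":"10000000000001"}}';
$wrongApp = '{"data":{"app_id":"999","is_valid":true,"expires_at":4102444800,"user_id":"10000000000001"}}';
$expired  = '{"data":{"app_id":"123456789012345","is_valid":false,"expires_at":1,"user_id":"10000000000001"}}';

var_dump(verifiedFacebookUserId($good, MY_APP_ID, time()));
var_dump(verifiedFacebookUserId($wrongApp, MY_APP_ID, time()));
var_dump(verifiedFacebookUserId($expired, MY_APP_ID, time()));
```

Only the first call yields a user ID; the other two return null, and the caller should then refuse to link or log in.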

Spring Social LinkedIn - how to conditionally redirect or pass parameters?

We're using Spring Social LinkedIn in a single page javascript app to authenticate a user. We're able to successfully authenticate against LinkedIn, but we're having trouble getting that to integrate with our javascript app. It actually breaks down into two issues:
Issue 1:
We're using one API key for a set of related apps, and we use a single sign-in process. We need a way to identify which app the user came from and to send them back to the right app after logging in. The problem we're having is that LinkedIn only allows one redirect URL, and I don't believe it can carry any parameters (that would probably be the solution if it's possible to carry a parameter like the identifier of the app they're in). Do you know of a way to conditionally redirect the person after login?
Issue 2:
When the user is authenticated, we store the user info in our database, but after that we need to log the user into our app and provide the user with a token. Is there a way, after the LinkedIn authentication completes, to trigger another call to the server to request the token?

How to get signed in user identity in a website after signing in with another website using ACS

I have one website which is configured to use Azure ACS. When the user signs in to this website, how will I get the user identity when he visits another one of my websites, so that the user will not need to choose and sign in to his identity provider in ACS? Is there a way to get the user identity from ACS across multiple websites, so that once a user logs in to one of my websites he will be recognized as a logged-in user when he visits other ACS-configured websites? BTW I'm using all 4 social networking sites in Azure ACS as identity providers.
Each website is different from ACS's perspective, so the tokens it will issue are also different. SSO, however, happens at the IdP level:
1. User logs in with Google (as an example) on WebSite1.
2. User goes to WebSite2 (with the same browser instance); WebSite2 redirects to ACS, ACS redirects to Google.
3. User is already authenticated with Google, comes back to ACS.
4. ACS issues a token (for WebSite2) and returns to WebSite2.
ACS doesn't keep sessions with the user, so they will be forced to do the entire transaction at least once.
What could happen is that if you have 4 social IdPs (Google, Live, FB, Yahoo presumably), in step 2 ACS will prompt the user for the IdP to use.
To avoid this, you have to send the login request to ACS with the whr parameter. You would have to remember which one was used by your user and instruct ACS to use that. With whr, there's no IdP prompt.