Login page for Active Directory - ruby

Requirement: I have a Ruby on Rails application, call it "RoR App". Several different clients have their own Active Directory, and when a user hits a particular URL in the "RoR App", control is redirected to the client's login page, where the user provides their AD credentials.
Once authenticated, a callback to the "RoR App" is invoked, where the user's session is created.
Work Done: So far, I'm able to use the omniauth-saml gem to redirect via SAML to some URL (which will be the client's login page later) when a user enters a particular URL in the "RoR App".
Questions:
For testing purposes, do I need to create a login page in some technology (RoR, PHP, etc.) that will act as the client's (IdP) login page? And when the user provides their credentials, do I then have to write some backend code to authenticate against Active Directory?
OR
Does AD or Windows provide some self-managed login page that can be set up (after some configuration) and performs the authentication itself?
I'm new to Active Directory, so sorry if this is an obvious question.

In the end, we used Active Directory Federation Services (ADFS) to set up the IdP; it provides the login page and authenticates the user against the credentials configured in Active Directory.
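To make the ADFS answer concrete: below is an added example (not code from the original post, and not omniauth-saml's own code) of the checks the RoR App's callback must enforce once the SAML library has verified the response signature, with the multi-tenant twist the question describes: every client has its own ADFS, so the assertion's issuer is checked against the IdP registered for that client, not merely against "some known IdP". The tenant entity IDs, the SP entity ID, the request ID and the sample response are constructed placeholders, and signature verification (done by the library against each client's ADFS certificate) is not shown.

```ruby
require "rexml/document"
require "time"

# Per-client IdP registry (constructed for this example). Each client runs its
# own ADFS; the value ADFS puts in <saml:Issuer> identifies which one issued
# the assertion. Entity IDs and hostnames below are placeholders.
TENANT_IDPS = {
  "acme"   => { issuer: "http://adfs.acme.example/adfs/services/trust" },
  "globex" => { issuer: "http://adfs.globex.example/adfs/services/trust" },
}.freeze

# Our own SP entity ID (assumed); the assertion's <saml:Audience> must name it.
SP_ENTITY_ID = "https://ror-app.example/saml/metadata".freeze

NS = {
  "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
  "saml"  => "urn:oasis:names:tc:SAML:2.0:assertion",
}.freeze

def text_of(parent, xpath)
  el = REXML::XPath.first(parent, xpath, NS)
  el ? el.text.to_s.strip : ""
end

# Checks a SAML Response *after* its signature has been verified against the
# tenant's certificate (not shown). Returns [true, name_id] on success and
# [false, reason] otherwise. `expected_request_id` is the AuthnRequest ID the
# app stored in the session before redirecting the user to the tenant's ADFS.
def check_saml_response(xml, tenant:, expected_request_id:, now: Time.now)
  idp = TENANT_IDPS[tenant]
  return [false, "unknown tenant #{tenant.inspect}"] unless idp

  doc  = REXML::Document.new(xml)
  resp = REXML::XPath.first(doc, "/samlp:Response", NS)
  return [false, "not a samlp:Response"] unless resp

  # Unsolicited or replayed responses carry the wrong (or no) InResponseTo.
  unless resp.attributes["InResponseTo"] == expected_request_id
    return [false, "InResponseTo does not match the AuthnRequest we sent"]
  end

  assertion = REXML::XPath.first(resp, "saml:Assertion", NS)
  return [false, "no Assertion"] unless assertion

  # Multi-tenant pitfall: an assertion from client B's ADFS must not log anyone
  # into client A's account space, so the issuer is checked per tenant.
  issuer = text_of(assertion, "saml:Issuer")
  return [false, "issuer #{issuer.inspect} is not #{tenant}'s IdP"] unless issuer == idp[:issuer]

  cond = REXML::XPath.first(assertion, "saml:Conditions", NS)
  return [false, "no usable Conditions"] unless cond && cond.attributes["NotBefore"] && cond.attributes["NotOnOrAfter"]
  return [false, "assertion not yet valid"] if now < Time.iso8601(cond.attributes["NotBefore"])
  return [false, "assertion expired"]       if now >= Time.iso8601(cond.attributes["NotOnOrAfter"])

  audiences = REXML::XPath.match(cond, "saml:AudienceRestriction/saml:Audience", NS).map { |a| a.text.to_s.strip }
  return [false, "assertion addressed to #{audiences.inspect}, not to us"] unless audiences.include?(SP_ENTITY_ID)

  name_id = text_of(assertion, "saml:Subject/saml:NameID")
  return [false, "no NameID"] if name_id.empty?
  [true, name_id]
end

# Constructed, unsigned sample response in the shape ADFS produces
# (the Signature element is omitted).
def sample_response(issuer:, audience:, in_response_to:, not_before:, not_on_or_after:)
  <<~XML
    <samlp:Response xmlns:samlp="#{NS['samlp']}" xmlns:saml="#{NS['saml']}"
        ID="_r1" Version="2.0" InResponseTo="#{in_response_to}">
      <saml:Assertion ID="_a1" Version="2.0">
        <saml:Issuer>#{issuer}</saml:Issuer>
        <saml:Subject><saml:NameID>jdoe@acme.example</saml:NameID></saml:Subject>
        <saml:Conditions NotBefore="#{not_before}" NotOnOrAfter="#{not_on_or_after}">
          <saml:AudienceRestriction><saml:Audience>#{audience}</saml:Audience></saml:AudienceRestriction>
        </saml:Conditions>
      </saml:Assertion>
    </samlp:Response>
  XML
end

if __FILE__ == $0
  now  = Time.utc(2024, 1, 1, 12, 0, 0)
  good = sample_response(issuer: TENANT_IDPS["acme"][:issuer], audience: SP_ENTITY_ID,
                         in_response_to: "_req123", not_before: "2024-01-01T11:55:00Z",
                         not_on_or_after: "2024-01-01T12:05:00Z")
  p check_saml_response(good, tenant: "acme",   expected_request_id: "_req123", now: now)
  # The same assertion presented to another client's callback is refused.
  p check_saml_response(good, tenant: "globex", expected_request_id: "_req123", now: now)
end
```

The per-tenant issuer check is the one that omniauth-saml's default single-IdP configuration does not give you for free: with several clients, the callback has to know which client the request started for (for instance from the path or a session value) and select that client's certificate and issuer before accepting anything.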

Related

IDP Init SSO flow with SimpleSAMLPhp + Laravel Apps (Saml2 Package as SP)

Here is our use case:
We are using SimpleSAMLphp as the IdP and the Saml2 package as the SP in our Laravel websites.
We want to use the IdP-initiated SSO flow for our websites, setting up the IdP and testing an IdP-first approach. I'm referring to this doc: https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_11
The problem is that in the IdP's login URL we need to provide spentityid= (the same value we configure in /simplesamlphp/metadata/saml20-sp-remote.php), which points to the SP of the website the SAMLResponse will be sent to after login. So it will be different for every website, whereas we need a common URL for all our websites.
Below are the steps the user will perform:
The user accesses the common URL
Gets the login screen
Enters their credentials
After successful login, gets a screen where they can choose the website they want to navigate to
Clicks on the desired website
Gets logged into the desired website
Please help me find a resource/solution for the above use case.

Know windows username via WebScripting [duplicate]

I have a site built in ASP.NET and C#. Let's call it webapp. It uses a Forms system to log in, and that cannot be changed easily.
I got a request to change the login to some kind of Windows authentication. I'll explain.
Our Windows login uses Active Directory for users to log into their Windows accounts. Their login name is sXXXXXXX, where the X's are digits.
In my webapp, I want to take the user's number from their Active Directory login and check whether it exists in the webapp database. If it exists, they will automatically be logged in. If it doesn't, they will be referred to the regular login page of the webapp system currently in use.
I tried changing my IIS to disable anonymous login and enable Windows authentication, thereby making the user's browser send its currently logged-in user name to my webapp. I changed the web.config as well from "Forms" to "Windows", which made my whole webapp obsolete, as the whole forms system did not work.
My question is this: is there a different way for the browser to send only the username to my webapp? I thought maybe JavaScript, but I don't know how to implement that, if it's even possible. I know it's not very secure, but this whole platform and system is built off the internet, on a private network.
<script type="text/javascript">
    // Rendered server-side, so the name is only set when IIS performs Windows authentication (empty with anonymous access).
    // The "=" form of the ASP.NET tag emits the value (the plain form outputs nothing); JavaScriptStringEncode (.NET 4+) keeps a name with quotes or backslashes from breaking out of the string.
    var username = '<%= HttpUtility.JavaScriptStringEncode(HttpContext.Current.User.Identity.Name) %>';
</script>
The only way you could get at the user's domain credentials via JavaScript would be by deploying some type of ActiveX component to expose that data to the browser. I wouldn't recommend that.
I would look at implementing a login page for forms authentication that authenticates the user on page load using HttpContext.Current.User.
The way forms authentication works is that if an unauthenticated user attempts to access an access-controlled page and has not logged in (no cookie), they are redirected to a login page that provides the facility to log in (this sets a cookie on the client side). The user is then directed to the page they initially requested. You would simply be automating the login part.
If you have a mixture of pass-through users and users who need to log in manually, you could check the client IP address to see whether it matches one on your domain.
The solution I found for getting the username sent to the server was:
string winlogon = Request.ServerVariables["LOGON_USER"];
after enabling Windows Authentication mode in IIS.
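The answer's idea, automating the forms login from the identity IIS has already established and falling back to the manual login page otherwise, written out as an added example in Ruby as a Rack-style middleware rather than the ASP.NET code the thread is about; it is not code from the original posts. Rack servers hand the application the same server-established principal that IIS exposes as LOGON_USER, under the name REMOTE_USER. The seven-digit login format, the user table, the login path and the domain network range are assumptions.

```ruby
require "ipaddr"

# Login names are sXXXXXXX (7 digits assumed), optionally prefixed with
# DOMAIN\ as IIS reports them. Anything else is rejected instead of being
# handed to a database lookup.
LOGON_RE = /\A(?:[A-Za-z0-9.-]+\\)?s(\d{7})\z/

# Constructed stand-in for the webapp's user table: employee number -> user id.
USERS_BY_NUMBER = { "1234567" => 42, "7654321" => 43 }.freeze

# Clients outside the domain network get the manual forms login (the IP check
# the answer suggests for mixed populations). The range is assumed.
DOMAIN_NETWORKS = [IPAddr.new("10.0.0.0/8")].freeze

def number_from_logon(logon)
  m = LOGON_RE.match(logon.to_s)
  m && m[1]
end

def on_domain_network?(remote_addr)
  ip = IPAddr.new(remote_addr.to_s)
  DOMAIN_NETWORKS.any? { |net| net.include?(ip) }
rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
  false
end

# Rack-style middleware: env hash in, [status, headers, body] out.
class WindowsAutoLogin
  def initialize(app, login_path: "/login")
    @app = app
    @login_path = login_path
  end

  def call(env)
    session = (env["rack.session"] ||= {})
    return @app.call(env) if session[:user_id] # a forms session already exists

    # REMOTE_USER is set by the server after Kerberos/NTLM succeeded, never by
    # the browser, which is the property the JavaScript idea in the question lacks.
    number  = on_domain_network?(env["REMOTE_ADDR"]) ? number_from_logon(env["REMOTE_USER"]) : nil
    user_id = number && USERS_BY_NUMBER[number]

    if user_id
      session[:user_id] = user_id # the automated part of the forms login
      @app.call(env)
    else
      [302, { "Location" => @login_path }, []] # hand off to the regular login page
    end
  end
end

# Minimal downstream app for the demonstration.
INNER_APP  = ->(env) { [200, { "Content-Type" => "text/plain" }, ["user #{env['rack.session'][:user_id]}"]] }
AUTO_LOGIN = WindowsAutoLogin.new(INNER_APP)

# Runs one request through the middleware; returns [status, redirect target, session user id].
def handle(remote_user:, remote_addr:)
  env = { "REMOTE_USER" => remote_user, "REMOTE_ADDR" => remote_addr, "rack.session" => {} }
  status, headers, _body = AUTO_LOGIN.call(env)
  [status, headers["Location"], env["rack.session"][:user_id]]
end

if __FILE__ == $0
  p handle(remote_user: "CORP\\s1234567", remote_addr: "10.0.5.7")    # auto-login
  p handle(remote_user: "CORP\\s0000000", remote_addr: "10.0.5.7")    # unknown number: manual login
  p handle(remote_user: "CORP\\s1234567", remote_addr: "203.0.113.9") # off-network: manual login
end
```

The strict pattern matters because the principal string ends up in a database query: a value that is not exactly DOMAIN\s plus seven digits should never reach the lookup.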

Get current Google user email and logout from Google

I have a web application that uses Google Drive. To make it easier for the user to integrate their account (it will be easier for the client this way), I would like to have two links for authentication:
A link with the current user email that sends the user to the authorization page.
A link that automatically logout the current user from Google (if any) and send the user to authorization page (in this case the login page).
In order to accomplish that I need:
- the current Google user email
- logout current Google user
I really think this is not possible, but is it possible for me to do these actions before the user has authorized my application?
You will only be able to pull a user's email address after they have authorized you to do so, so that isn't possible.
You can use OpenID to retrieve a user's email address or redirect them to the Google login page if they aren't logged in. They have to authorize your application, though, so you won't be able to direct them to different places until after they've signed in. There are details on the login flow at https://developers.google.com/accounts/docs/OpenID#Interaction.

Is it possible to use Facebook's oAuth service without leaving users logged in to Facebook after they visit my site?

I've got a test MVC site set up and configured to log users in using Facebook's authentication system. Once users log out of my system, how do I ensure that the right thing happens with respect to the users being logged in to Facebook (i.e., they revert to whatever logged-in state they were in before visiting my site)?
I'm relying on the FB API wrappers that are available to download through NuGet.
Several of the examples I see include a Facebook logout method that can be called through the API to let FB know that the user has logged out of my site, which, I assume, is supposed to "do the right thing". However, the method seems to have been removed from the library (and from the API?).
Is there some other method I should be calling in order for the "right thing" to happen? Or, alternatively, some sort of workaround that people use?
It seems a bit disingenuous to ask people to access my site with their FB logins, only to have them surreptitiously remain logged in to FB after they've logged out of my site.
Used the workaround below (hand-crafting a logout URL). Be careful with your URL encoding.
According to Facebook's developer TOS (item #6), you are required to log the user out of Facebook when the user logs out of your site (having used Facebook to log in).
Consider the following use case:
A user accesses your site via a public computer (library) and opts to log in (using Facebook login) to access restricted features not available to users who are not logged in. The user conducts their business, then logs out. If you do not log them out of Facebook, their account is now available on the public computer, so if a new user uses the public computer after the initial user leaves, the new user could access the initial user's Facebook information.
Not sure about NuGet, but using Facebook's PHP SDK, you simply need to call Facebook's logout function, which should generate a URL with a next param and access_token. So when the user clicks the logout link, they will be redirected to Facebook, logged out, then redirected back to your site to complete the logout process.
Example logout link:
https://www.facebook.com/logout.php?next=http%3a%2f%2fextapi.yourhost.com%2flogout&rd=http%3a%2f%2fyourhost.com%2flogout&access_token=AAACRZBIZAGE18BAEyQ8AcmRKGGtmeYlw4MFYjuDHfTlZBSZA3pZAJ5xnKABELBmkOroaxlDsoPgFVHPvvkfZAFRQarCRL0Fhy7UrZCAZAfRFtvwBo4lY4s4X
Explained:
next: This is the link the user will be redirected to after they are logged out of Facebook (this will be the domain you have registered with Facebook)
rd: This is an arbitrary url param so when the user is redirected back to my site, I can redirect them back to another landing page (other than logout page).
access_token: Is the access_token generated by Facebook when you logged the user in
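An added example (not from the answer, the PHP SDK or the NuGet wrappers) of building and consuming a logout URL of the kind described above, in Ruby. It carries the landing page as an rd query parameter of next, because Facebook sends the browser on to next and nothing else, and it allowlists the rd host both when the link is built and again when the site's logout endpoint reads it back, so the logout link cannot be turned into an open redirect. The hosts, paths and token are placeholders.

```ruby
require "uri"

FB_LOGOUT_ENDPOINT = "https://www.facebook.com/logout.php".freeze

# Hosts the post-logout landing page (rd) may point to. Assumed; without this
# check, whoever controls rd controls where the user ends up after logout.
ALLOWED_LANDING_HOSTS = %w[yourhost.com].freeze

def landing_allowed?(url)
  u = URI.parse(url)
  u.is_a?(URI::HTTP) && ALLOWED_LANDING_HOSTS.include?(u.host) # URI::HTTPS is a URI::HTTP
rescue URI::InvalidURIError
  false
end

# Builds the logout link. The landing page rides inside `next` as rd: it is
# percent-encoded once as a query value of next, and then again when next
# itself becomes a query value of logout.php (hence the %25 sequences).
def facebook_logout_url(access_token:, next_url:, landing_url:)
  raise ArgumentError, "landing URL host not allowed: #{landing_url}" unless landing_allowed?(landing_url)
  nxt = URI.parse(next_url)
  nxt.query = URI.encode_www_form(rd: landing_url)
  "#{FB_LOGOUT_ENDPOINT}?#{URI.encode_www_form(next: nxt.to_s, access_token: access_token)}"
end

# What the site's /logout endpoint does when Facebook redirects back: decode rd
# and re-check it, because by then the query string is attacker-controlled.
def landing_from_callback(callback_url)
  params = URI.decode_www_form(URI.parse(callback_url).query.to_s).to_h
  rd = params["rd"]
  rd && landing_allowed?(rd) ? rd : "/"
end

# Round trip: build the link, pull `next` back out the way Facebook would, then
# resolve the landing page the way the site's logout endpoint would.
def demo
  url = facebook_logout_url(access_token: "PLACEHOLDER_TOKEN",
                            next_url: "http://extapi.yourhost.com/logout",
                            landing_url: "http://yourhost.com/welcome")
  nxt = URI.decode_www_form(URI.parse(url).query).to_h["next"]
  [url, nxt, landing_from_callback(nxt)]
end

if __FILE__ == $0
  demo.each { |s| puts s }
end
```

If the access_token is placed in the URL, as in the answer, remember that it then appears in browser history and proxy logs; the link should be generated for a single click and the token invalidated afterwards.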

After login, how to send user back to the same portal page that they were on before loging in?

I'm using WebSphere Portal 6.1.5 and Portlet Factory 7.
How can I send the user to a custom page instead of the portal home page if the user accesses a certain page before logging in?
I want to return the user to the same page they were on before they clicked the login link and went to the login page. Any solution?
That should be the default behaviour. If the user is redirected to the login page, then after login the WAS server would redirect you back to that particular page.
This assumes that the URL is unique for that page, because that is what the server stores before it redirects to the login page.
Cheers
Manglu
No, WebSphere by default redirects the user to the first page they have access to right after login. To make the portal redirect the user to a custom page, you would have to implement a LoginFilter, which can be attached to wps.war.
Take a look at:
Info Center: Configuring authentication filters
Creating loginfilter for WebSphere Portal
TechNote: New security APIs in WebSphere Portal
I hope this helps.
The default login redirect behaviour is true, but only if the login page is requested using the unprotected URL.
If the page is also available within the protected area, meaning for authenticated users as well, you can change how the redirect target is calculated even without a LoginFilter.
To do so, you would need to send a redirect to the current page but referencing the protected area: if wps/portal/a/b/c is the URL the user is currently visiting, the login link should trigger wps/myportal/a/b/c.
WebSphere will kick in and require authentication, but it stores the originally requested URL. Portal then reuses this information after the user has authenticated.
