I have an ASP.NET Web API (v4, specifically) application that currently authenticates using Forms authentication (through a SQL membership provider (i.e. using aspnet_Membership, aspnet_Users tables and all that)). It's basically the backend API hub for a bunch of other applications.
Alongside that, I have a third-party application, SP (for service provider), which supports SSO and single logout using SAML. My goal is to set up a SAML identity provider that can receive a SAML single logout request, which would in turn send a logout response to SP.
I started out looking at Auth0 to achieve this, but I am confused about what role Auth0 would actually play as the identity provider since all of my user creds are stored in my own database. Is there some way I can supply Auth0 (or any of these identity providers) with my user creds store for it to authenticate my users? Or is this not desirable/possible and I need to make my existing app to be the SAML identity provider?
To use SAML in your client application, you need a SAML stack.
So you could add the stack and it would be self-contained.
Both identityserver and Auth0 can use a SQL DB as the authentication store. They both support the SAML protocol.
Once you have done the SAML configuration, you just need e.g. a login screen where the user decides between local authentication and SAML authentication (this invokes the IDP and that would do the SAML side for you).
I'm having a hard time figuring out a good way to implement OAuth 2.0 and OpenID Connect authentication alongside an existing internal email+password authentication for a B2B Web app's API using Spring Security.
We have a backend REST API that is a Spring Boot servlet application which currently authenticates users with OAuth 1.0 and the password grant. The front-end is an Angular single-page app through which users must log in with their username and password. The API's /oauth/token endpoint then delivers an opaque access token to be used for fetching secured resources that are then displayed within the app.
We'd like to add the possibility to log in using external authentication with OpenID Connect, which is a perfect opportunity for switching to OAuth 2.0 and JWT tokens. Our API would then accept JWT tokens it delivered as well as external JWT tokens emitted by accepted issuers.
Reading and validating JWT tokens won't be a problem using Spring Security's OAuth Resource Server. However, things get complicated with how to make the classic username+password login flow work with JWT tokens.
We thought about delivering JWT access tokens the same way we used to with our old OAuth 1.0 tokens. The thing is, newer OAuth specifications advise against using the password grant, plus it simply isn't supported in the Spring authorization server project we're planning to use. The authorization-code flow w/ PKCE seems like too much for this case as we do not want the back-end API to render a login form but use credentials entered in the existing login form that is part of the single-page app.
I've read a lot about not using OAuth for 1st party login since its primary use is for external authentication, but again, that doesn't apply since we also want 3rd party authentication.
What would be a secure way to implement a Spring Boot authorization server that can deliver JWT access tokens to a 1st party client in exchange for a user's credentials, all this using the existing login page, and given that the password grant type is no longer supported?
I thought about implementing a preliminary step that would be a POST request with Basic authentication to a /login endpoint that just returns a 200 HTTP status, then proceeding to the /oauth2/authorize request that would deliver the authorization code immediately without redirecting since my session is authenticated.
I'll be happy to provide more details if needed. Here are the resources I'm using for this project.
What about setting up an authorization-server capable of identity federation?
In such a configuration, the authorization-server is responsible for providing identities, proxying one or more sources (your existing user database for instance, plus maybe Google, Facebook, Github, etc.)
Keycloak does it for instance.
From the client point of view (your Angular app), the authorization-server is used to get:
access-token: put in Authorization header of requests to secured resource-server(s) (can be a JWT or an opaque string, doesn't matter, clients should not try to extract data from access-tokens)
refresh-token: send to authorization-server to renew access-token before it expires
id-token: get user-profile data (email, username, profile picture, etc.)
You should have a look at https://github.com/damienbod/angular-auth-oidc-client for connecting an Angular app to an OIDC authorization-server.
From the resource-server point of view, access-tokens are the source for setting up the security-context, either by decoding and validating a JWT locally or with token introspection on the authorization-server.
Have a look at those tutorials for such resource-server configuration.
I am trying to integrate OKTA as service provider to provide access to the custom application for external customers.
External Users login to enterprise Idp to access the custom application
After successful authentication IDP triggers the IDP-Initiated flow and submits the SAML response to OKTA
OKTA checks for the external user information in the SAML assertion and sends these details to Custom API application to identify the user
If the user is found, the API returns the required information to OKTA
OKTA will initiate the PKCE flow to provide access to the custom application
I was successful in configuring Okta and the external customer IDP. But does anyone know how Okta will call the custom API application to identify the user information? Also, how do I configure the redirect URL?
Unfortunately I don't have an answer to your question as we use PingFederate, but I was curious as to how you set up Okta (as the SP) to accommodate the IdP-initiated call without having to call back into the IdP for authentication. I ask because, as the IdP, we are calling Okta (as the SP) with the SAML response, but the vendor is stating they cannot set up Okta without the IdP URL to call back into to have us, the IdP, authenticate the user. It seems your setup works how we believe it should, so I wanted to get more details about this.
I have a portal application developed using Spring Security and the MVC framework. This portal application connects to an IDP (developed using Spring Security and Spring SAML) for authentication. If the user authentication succeeds, the user is navigated to the homepage, where multiple links are provided for external applications. When the user clicks on an application link, the user should be navigated to the respective application without being challenged by a login page.
The other applications are developed using Struts and Spring Security. How do I make sure that when a link is clicked from the portal, either the SAML token or the context is passed to the other application so it will not ask for login?
Any help is greatly appreciated.
The most common flow for SAML is something like the following:
Application (called service provider, or SP) receives request (any request, like request for a business resource) from unauthenticated user
It redirects the user (most commonly via http redirect) to the IdP (in which the SP should already be registered)
If the user is not authenticated to the IdP (not logged in to SSO), a login form is presented and login is managed by the IdP until there is a user session with the IdP
If the user is already authenticated with the IdP (because either they already were or they entered a correct username/password), the IdP issues its claim token and posts the user with the token back to the Assertion Consumer Service in the SP (the original application)
The Assertion Consumer Service (practically just an API endpoint) receives and validates the SAML token and creates its own application session with the user. Now the user is authenticated to the application (SP)
Upon the next request to the application (SP), there is already a session, so SAML is not involved
Note that if there is already a session with the IdP, all of this is seamless for the user. A bunch of redirects take place, but the user will just reach the application without entering credentials.
So the short answer to your question is that your external applications need to support SAML SSO and need to be registered with the identity provider, in which case they can just use the IdP for authenticating the user and signing the claims it may have.
I'm developing an application using asp.net core Web API and Angular2
I want to implement authentication and authorization for my application
I want to know if it is a good choice to use IdentityServer if I have just one client (in Angular 2) and I want the login screen to be attached to my client and not to the identity server?
As far as I understand, you want to use Token Based Authentication with the following flow:
Client sends user credentials (username, password) to server
Server generates a token and sends it to client
Client uses the token in each secure Web API call
So, my suggestion for your case:
If you use AspNet Identity, OpenIddict with password grant is an option.
If you use custom user store, use IdentityServer4 with password grant.
If you want to write your own token endpoint, take a look at Token Based Authentication in ASP.NET Core
Note: the password grant enables you to implement your own login screen.
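The three-step flow in this answer (client posts credentials, server mints a token, client presents it on every API call) and the resource-server side described in the earlier answer (decoding and validating a JWT locally, checking issuer and audience) fit in one small piece of code. The following is an added example, not code from either answer nor from IdentityServer, OpenIddict or Spring: a token endpoint that verifies a password against a salted PBKDF2 hash and mints an HS256 JWT, and a resource-server check that pins the algorithm, verifies the signature and validates `iss`, `aud` and `exp`. The issuer URL, audience name, signing key, user record and timestamps are constructed for the example.

```python
"""First-party token endpoint plus local resource-server validation
(added example, stdlib only): the client posts the credentials it
collected on its own login screen, the server verifies them against
its user store and mints a signed JWT; later the resource server
validates that JWT locally without calling back to the issuer."""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://api.example.com"                    # assumed issuer URL
AUDIENCE = "example-api"                              # assumed audience name
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"    # HS256 secret, demo only
ACCESS_TOKEN_TTL = 900                                # seconds


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store: salt and PBKDF2 hash, never the plaintext password
_SALT = b"constructed-static-salt"
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input):
    return hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()


def issue_access_token(username, password, now=None):
    """Token endpoint behind the app's own login form: JWT, or None on bad credentials."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _SALT)   # same cost for unknown users: no timing oracle
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": username,
              "iat": now, "exp": now + ACCESS_TOKEN_TTL, "jti": secrets.token_hex(8)}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode())).encode()
    return signing_input.decode() + "." + _b64url(_sign(signing_input))


def validate_access_token(token, now=None, accepted_issuers=(ISSUER,)):
    """Resource-server side: verify signature and claims locally; claims or ValueError.
    With external issuers, the key would be looked up per issuer (e.g. via JWKS)
    instead of the single SIGNING_KEY used here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: the token must never choose it (rejects alg=none and key confusion)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (h_b64 + "." + c_b64).encode()
    if not hmac.compare_digest(_sign(signing_input), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    now = now if now is not None else time.time()
    if claims.get("iss") not in accepted_issuers:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def token_is_valid(token, now=None):
    """Boolean form of validate_access_token, for callers that only need accept/reject."""
    try:
        validate_access_token(token, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    tok = issue_access_token("alice", "correct horse")
    print(tok is not None, token_is_valid(tok))          # True True
    print(issue_access_token("alice", "wrong") is None)  # True
```

Whichever server product is chosen, the resource-server checks are the same: the algorithm is fixed by configuration, the signature is verified before any claim is read, and `iss`, `aud` and `exp` are enforced. A symmetric key is used here so the example is self-contained; a deployment with separate authorization and resource servers would sign with an asymmetric key and publish only the public half.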
I've been working with the SAML extension to connect to an ADFS server. I've hacked the sample application to use my ADFS server and everything went well, but I would like to know if there is a way to connect to an IDP without using the login page of the IDP. I mean, is there a way to do this process in the background for the end user? I am thinking about doing a query to ADFS or something like that to get the users and do authentication from the SP login page, avoiding the need for the user to authenticate on the IDP login page.
The purpose of federated authentication is to delegate it to a centralized server in such a way that the relying parties/service providers do not have access to the user's credentials. Enabling authentication directly in your application would violate this principle, and for this reason it is supported by neither Spring SAML nor ADFS.
If you want to authenticate your users directly, use authentication directly against Active Directory instead of ADFS. This will fully support your use-case.