Shibboleth SP auto IdP discovery from user email - shibboleth

I'm using Shibboleth SP (Service Provider) with multiple IdPs (Identity Providers).
I'm currently using the SP EDS (Embedded Discovery Service) to provide the list of available IdPs.
Is there a way (in EDS or not) to automatically redirect the user to the adequate IdP depending on his email domain? In this scenario the user is asked for his email/login; then the domain is extracted and used to determine the correct IdP.
Thank you for your suggestions.

You may need to code something to extract the domain from the email.
This may help you:
In the Shibboleth.xml file map the domain to different IdPs, or map a secure path to different IdPs.
Let's say example.com/secure1 maps to example-idp1.com and example.com/secure2 to example-idp2.com.
Then when the user user1@example1.com tries to log in, redirect him to example.com/secure1 so it will automatically go to example.com/secure1. And vice versa.
If you want to understand how to configure multiple paths, here is the example taken from the official site.
<RequestMap applicationId="default">
  <Host name="www.example.org">
    <Path name="secure1" authType="shibboleth" requireSession="true"/>
  </Host>
  <Host name="www.example.org" applicationId="app2" authType="shibboleth" requireSession="true">
    <Path name="secure2" authType="shibboleth" requireSession="true"/>
    <AccessControl>
      <Rule require="affiliation">faculty@osu.edu student@osu.edu</Rule>
    </AccessControl>
  </Host>
</RequestMap>
And create two applications as mentioned here.
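The "extract the domain, pick the IdP" step the answer leaves to the reader, as an added example that is not part of the original answer or of Shibboleth itself. It assumes a hypothetical SP hostname and IdP entityIDs, and relies on the Shibboleth SP Login handler accepting entityID= (skip discovery) and target= (post-login URL); it matches domains exactly and only allows local paths as the return target, so a crafted login or target cannot turn the SP into an open redirector.

```python
from typing import Optional
from urllib.parse import urlencode

# Constructed mapping of email domains to IdP entityIDs (assumed values, not from the page).
DOMAIN_TO_IDP = {
    "example1.com": "https://idp.example1.com/idp/shibboleth",
    "example2.com": "https://idp.example2.com/idp/shibboleth",
}

# The SP's session initiator (assumed hostname). The Shibboleth SP Login handler
# accepts entityID= to bypass discovery and target= for the post-login URL.
SP_LOGIN_HANDLER = "https://www.example.org/Shibboleth.sso/Login"


def email_domain(login: str) -> Optional[str]:
    """Return the lower-cased domain of a single user@domain token, else None."""
    login = login.strip()
    if login.count("@") != 1:
        return None
    local, domain = login.split("@")
    if not local or not domain or "/" in domain or ":" in domain:
        return None
    return domain.lower().rstrip(".")


def idp_for(login: str) -> Optional[str]:
    """Exact-match lookup only: 'example1.com.attacker.net' must not route to
    example1's IdP, so no suffix or substring matching is done."""
    domain = email_domain(login)
    return DOMAIN_TO_IDP.get(domain) if domain else None


def safe_target(target: str) -> str:
    """Accept only a local path as the return target; anything else (absolute
    URL, protocol-relative //host, backslash tricks) falls back to the site root."""
    if target.startswith("/") and not target.startswith("//") and "\\" not in target:
        return target
    return "/"


def login_redirect(login: str, target: str) -> Optional[str]:
    """Build the URL that sends the browser straight to the matching IdP.
    Returns None when no IdP is known so the caller can show the EDS picker."""
    entity_id = idp_for(login)
    if entity_id is None:
        return None
    return SP_LOGIN_HANDLER + "?" + urlencode({"entityID": entity_id, "target": safe_target(target)})
```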

Related

How to use multiple resource url in botframework oauth?

I followed the article below to add authentication to my Azure bot. Everything works fine, except the step below:
https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=javascript#azure-ad-v1
Register your Azure AD application with your bot, step g, to add the Resource URL
In my case, I need to grant the bot permission to access both the Power BI and SharePoint APIs; according to the document they are in two different domains, https://analysis.windows.net/powerbi/ and https://mytanent.sharepoint.com
But this field on the bot settings page can only accept one URL.
Can anyone help with this?
Thanks.
It is recommended that you use AADv2, which requires no resource URL. If you use AADv1 then you can probably still use https://graph.microsoft.com/ as your resource URL, but if that doesn't work then you might try just using your app registration's client ID as the resource URL. The place where you'll want to configure Power BI and SharePoint permissions is described in Create your Azure AD application 6c:

How to do Okta multitenancy?

I have a multitenant setup for our application, for example:
1. t1.xyz.com
2. t2.xyz.com
I want both to talk to Okta with a different IdP setup for each tenant. Like t1.xyz.com should talk to Shibboleth and t2.xyz.com should use Ping Identity, or maybe another tenant will use Okta as an IdP.
Other solutions that I have seen use different accounts for each tenant, which is not feasible. Can we do it using Okta applications for different tenants? Or if anybody has a different solution, please respond.
We have to identify the tenant from the URL. Based on that, in the application, you can have a redirect to the corresponding IdP [Shibboleth or PingIdentity etc.].
However, this approach works fine if all the IdPs are talking using a common protocol like OAuth2. I have done one implementation with OAuth2. I wrote a generic OAuth middleware that can take care of handling any OAuth2 provider.
However, if your idea is to use Okta as an IdP that internally handles the various IdPs, you will have to initiate the login request using the group [tenant code / id] so that it can look up the identity provider and redirect accordingly.

How to get Openid for google account

I am developing a Spring MVC webapp that has Spring Security enabled. I am trying to use OpenID to use Gmail login for access to the webapp, given the instructions here.
I want only a specific set of users to have access to the webapp. For this, I would be required to add all the users and their IDs to the tag. (Later I will implement DB access for this.)
My question is: how can I find the OpenID for my Gmail account that will be used to access the webapp?
I understand that the OpenID is unique for each account and can be used for local authorization. Please correct me if I am wrong.
1. Set up an OpenID relying party that logs the communication with the OpenID provider.
2. Authenticate with your Google account.
3. Look at the logs.
The short answer is that the Google OpenID URL is not account specific and is determined by https://www.google.com/accounts/o8/id.
Details:
In the background, OpenID consumers should fetch an XRDS OpenID document, which is located at https://www.google.com/accounts/o8/id. By parsing this document and performing the Service Discovery process, consumers will extract the Google OpenID Provider address, which is identified by https://www.google.com/accounts/o8/ud.
This document tells consumers what the Google OpenID parameters are.
Below is the Google XRDS document, which is located at https://www.google.com/accounts/o8/id:
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>
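The service-discovery step the answer describes, as an added example that is not part of the original answer or of any OpenID library: it parses the XRDS document above (embedded as constructed sample input), selects the Service that advertises the OpenID 2.0 server type, honours the priority attribute, and refuses a plain-HTTP OP endpoint.

```python
import xml.etree.ElementTree as ET
from typing import Optional

XRD_NS = "xri://$xrd*($v*2.0)"  # default namespace of <XRD>, <Service>, <Type>, <URI>
OPENID_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"

# Constructed sample input: the Google XRDS document quoted above, trimmed to the
# elements that matter for discovery.
GOOGLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def discover_op_endpoint(xrds_text: str, service_type: str = OPENID_SERVER_TYPE) -> Optional[str]:
    """Return the <URI> of the highest-priority (lowest number) <Service> that
    advertises service_type, or None when no usable service is present."""
    # For documents fetched from an untrusted host, parse with defusedxml instead
    # of ElementTree to rule out entity-expansion attacks.
    root = ET.fromstring(xrds_text.encode("utf-8"))
    candidates = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if service_type not in types:
            continue
        uri_el = svc.find(f"{{{XRD_NS}}}URI")
        if uri_el is None or not uri_el.text:
            continue
        uri = uri_el.text.strip()
        if not uri.startswith("https://"):
            continue  # an OP endpoint over plain HTTP is not acceptable
        try:
            # XRDS: lower number wins; a missing or malformed priority sorts last
            priority = int(svc.get("priority", 2**31))
        except ValueError:
            priority = 2**31
        candidates.append((priority, uri))
    return min(candidates)[1] if candidates else None
```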

How to use both windows and forms auth with a single custom role provider

I have a custom role provider, built on a Role entity, and a many-to-many relationship called RoleUser between my forms auth User entities and the Roles. I would like to switch this role provider to using Windows auth as well now. It seems convenient for me to piggyback off the forms Users and create 'shadows' of AD users in my User entities.
Is this feasible or frowned upon, and are there any good papers etc. on this kind of setup?
I'm using EF Code First against SQL 2005, and am not using a custom membership provider, as my User controller and repository handle all I need quite fine; just a role provider.
Note that we have 5 types of authentication:
1- Anonymous Authentication
2- ASP.NET Impersonation
3- Basic Authentication (HTTP 401 Challenge)
4- Forms Authentication (HTTP 302 Login/Redirect)
5- Windows Authentication (HTTP 401 Challenge)
The philosophy of MVC authentication refers to the fact that MVC doesn't use ViewState to authenticate users. It does not use view state or server-based forms. This makes the MVC framework ideal for developers who want full control over the behavior of an application.
According to MVC standards, Windows authentication is suitable for intranet applications, and forms authentication for internet applications, because of security issues and more.
It's not common to use both Windows and forms authentication together. But you can use a hybrid of them like this CodeProject article. Unless you want to do an action like forms authentication and at the backend store Windows account information via your own code to a DB or similar. Only make sure there is no challenge among the types of authentication.
There is another important thing, that is the difference between Authentication and Authorization, which you can configure in web.config like below:
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
or
<authentication mode="Windows"/>
<authorization>
  <deny users="?"/>
</authorization>
This MSDN Article might be helpful too.
The membership provider in this case can be a custom membership provider that uses "user" and "role" models from the Entity Framework DbContext. The user model may have a boolean field that just tells whether the user is a domain user or not. When dealing with domain users you can have an option of importing the users from the Active Directory domain. The admin can just import the AD users that are required into the database. Once they are in the database then they can log in. In the Account controller Login action we can check if the user is a domain user; if he is, then authenticate the user with the domain controller and then allow him to log in and issue him a token. Here is a nice article on AD authentication with forms. It is in VB, however you can get the idea. Also you can follow the article and create a provider that supports both authentications.
http://www.cmjackson.net/2009/10/23/asp-net-mvc-using-forms-authentication-with-ldap/

With ASP.Net Membership, can a multiple Membership providers be used for login to the same website?

The situation is this:
We have several (19) sites that are currently configured to share a single ASP Membership database using different applicationNames, such as:
<membership defaultProvider="Site1Membership">
  <providers>
    <add
      applicationName="/site1"
      name="Site1Membership" />
    <add
      applicationName="/site2"
      name="Site2Membership" />
  </providers>
</membership>
My question is, if there are multiple providers defined in web.config, can a user log in via a provider other than the default provider?
In the given configuration, obviously a user stored in the default provider with an applicationName of "/site1" would be able to log in, but we would like a user in the repository with an applicationName of "/site2" to also be able to log in.
We've tried prefixing the username with both the provider name and the applicationName at login, such as:
site2:username or site2Membership:username
Neither appears to work.
The end goal is that although we want the 19 sites to have separate users and security (i.e. site 1 users cannot log in to site 2), we want a 20th site where users from all the sites can log in and collaborate without needing a second username/password.
It is possible to do, however you have to write some custom code. In short, you need a way of determining to which group of users the given login belongs: an app-specific user or a "global" user. I have handled this by requiring global users to prefix their login with something like "G\" or "MyCompany\", whereas normal users are not required to do this.
The authentication aspect is actually quite easy. In the Click event of your login button or the OnAuthenticate method of the Login control, you simply need to detect the user and match them to the correct membership provider name.
MembershipProvider provider;
// Global users carry the "G\" prefix; everyone else validates against the standard provider.
if (username.Text.StartsWith(@"G\"))
    provider = Membership.Providers["GlobalProvider"];
else
    provider = Membership.Providers["StandardProvider"];
if (provider.ValidateUser(username.Text, password.Text))
{
    // credentials accepted by the selected provider; continue with the normal sign-in
}
Where it gets complicated is the roles. The SqlRoleProvider is not designed to handle multiple applications using the same user store. You have to alter the procedures used by the SqlRoleProvider so that it will honor the application of the MembershipProvider instead of its default behavior, which is to only use the application of the RoleProvider. In addition, you'll need to ensure that the global users are automatically added to some role when they log in.