I'm doing some research about authentication via Active Directory for internal application.
Application is divided in two parts - front-end in Angular 2, and back-end in Spring. I would like to add windows authentication to it to avoid providing credentials when you are already logged in, but i can't fully understand how possibly server knows the credentials of which user to compare with those stored in Active Directory. For example let's assume that I've logged into windows, my data are sent to Active Directory. Now I'm heading to website, which i would like to automatically authenticate me with http request sent to rest api. Rest server invokes some logic connected with authentication with Active Directory, and after success rest api sends token back to Angular. But the thing I'm missing is how server knows which credentials compare to know if user exists in AD. Should i somehow use angular to gain acces of user credentials stored in windows through browser? Or I'm missing something important here.
Related
I have two or more back-end API(Laravel) projects and a single front-end React JS project. From the front-end app, I will call all of the back-end API projects.
When the user login, authentication will check in App 1(with Laravel passport) and return access_token.
I want to use these access_token when calling API from both App 1 and App 2. But, the main problem is how to check access_token validation from App 2 to App 1 server.
To solve this problem, I think but not sure it is the correct way or not, I can create middleware in the App 2 server and get every incoming access_token and send it to check validation to App 1. If return true, user can access, else can't access.
But, I think this way is inappropriate because every incoming request needs to check access_token validation from App 2 to App 1, it will slow down the server and bottleneck problem.
I already search a lot of posts on google but, not yet find the best way for me. I found one way OAuth server implementation https://www.youtube.com/watch?v=K7RfBgoeg48 but, I think that way is not working well in my project structures because I have a lot of customization.
I'm also read the discussion on reddit(https://www.reddit.com/r/laravel/comments/dqve4z/same_login_across_multiple_laravel_instances/) but, I still didn't understand very well.
You have several options here:
I expect you have a database containing all your access and refresh tokens for your users - so just create a database access from the App2 backend server to the database containing your access and refresh tokens and just check them directly in the App2 via the new database connection.
Create the middleware that will check user authentication from App2 to App1, but as you correctly pointed out, that would cause an extra loading time.
Depending on whether you need the end user to know that he's connecting to "another server" - meaning App2 - you can use Oauth2 authorization - https://www.youtube.com/watch?v=zUG6BHgJR9w
Option 1. seems like the best solution to me
currently, I'm working on an application in which we want to offer a single sign-on experience, but let me put you in the context:
We have two different Cognito clients created for the same Cognito pool, both are configured to allow the users to login into two different applications:
App A: mydomain.com
App B: appb.mydomain.com
well, the thing is that when a user uses the hosted UI to log in to the first application, I noticed that the Cognito server creates a cookie called "Cognito" as can see in the image:
Cookie set by the auth server
Then, when a user tries to access the other application appb.mydomain.com, and the application, instead of showing the hosted UI, the user automatically enters the application without going to all the login process again, and this is possible because of the cookie I mentioned (when I delete that cookie, then the user is requested to login again using its credentials).
So, that's nice because the user doesn't need to go through all the login process again. But my situation is the following:
I want to create a login page in mydomain.com with my own customized form and using the Cognito SDK. I already have the backend working, also the frontend. The backend can authenticate users to get the JWT tokens (IDtoken, refresh token, etc.) as you can see in the next image:
Tokens I get when I authenticate a user
But at this point I'm not able to redirect the user to appb.mydomain.com with a valid session, I mean, I have the JWT tokens, and I tried to do the same thing that the hosted UI clients are doing, that is setting a cookie somehow containing the JWT session. But I don't know how to make the application appb.mydomain.com to be able to detect this cookie. But the most important problem is that I really don't know how to construct a valid cookie (like Cognito's) to be detected by mydomain.auth.eu-west-1.amazoncognito.com (this domain is shared for both Hosted UI clients).
I don't know if this approach is feasible, or if there is another approach to send a JWT token to the auth server with a callback to redirect the user to the appb.mydomain.com
without going to all the login process again or something like that.
Do you have any advice on how to implement this kind of SSO Experience? I'm using .Net Core in the backend.
We want to implement SSO in our multiple application
eg : abc.domain.com/app1 and abc.domain.com/app2.
We have configured ADFS on our server. WE have used WS federation authentication. Our both app are aware of claim based authentication.
Scenario we want to achieve,
1. Make login on app abc.domain.com/app1 using ADFS WS federation authentication.
2. We have successfully authenticated in this domain.
3. Now make request on abc.domain.com/app2. It should be login automatically in this app.
Actioned:
Both app URLs are added on relying party trust in ADFS.
We have added Endpoint URL of 1st app abc.domain.com/app1
Both app refer same ADFS metadata URL.
We have achieved this in our local environment. In local system these two different app are running on different port
1. localhost:44313
2. localhost:44330
When we make successfully login on localhost:44313 and request on localhost:44330 then user also authenticated for this app as well and displayed as logged in.
This scenario is not working fine for the live environment. Our live URL structure is same as mentioned above (abc.domain.com/app1, abc.domain.com/app2) but it's not working there.
Any help would be appreciated!
What errors do you see in the event log?
If you have two different apps, you need two different RP on ADFS.
Also you need to run both on https.
Do you have https on your live environment?
I have configured WSO2 Identity Server as IDP and have two applications configured as SP. All working fine, except few things:
when I logged out from one application, another application don't see, that I was logged out
when I login into one application, another application don't see, that I was logged in
IMHO, there is main principles of SSO and SLO.
When I check SecurityContextHolder.getContext().getAuthentication() there is no changes after logout or login in another app.
Maybe I should call WSO2 page /samlsso before every load url?
What can I do wrong? How to retrieve from another app, that user logged out/logged in?
EDIT:
For example, WSO2 API Manager Store have such mechanism:
when I logged out from my application and reload Store page, then going redirection to main not logged page in Store. Same with login.
UPDATE:
I found problem in class org.springframework.security.saml.websso.SingleLogoutProfileImpl. When logout request is coming from WSO2 IS, than objects Authentication and SAMLCredential are nulls and error No user is logged in is occured, but for real user still logged in in Spring SAML application.
Same discussion was here, but with no effect :\
You have to verify whether both apps are calling Identity Server (IS) using the same host name. E.g. https://is.blahblah.com/samlsso.
IS session is based on cookies ('commonAuthId' and 'samlssoTokenId' cookies to be specific). If apps are calling IS using two different host names, there will be two different sessions created at the IS side. For SSO and SLO to happen both apps must share a single IS session.
We are using travelocity.com and avis.com web app for test SAML2 sso. You can found the more details here[1]. Further you can checked this documentation[2] Registering the two service providers in the Identity Server and followed the 1 to 8 steps.
[1] https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0
[2] https://docs.wso2.com/display/IS500/Customizing+Login+Pages
We are building a SPA application using Durandal and we are authenticating the users via Windows ACS in Windows Azure.
We currently have a problem with users who leaves their applications open for a long time. When they come back, the ACS token is expired and the application won't redirect to the ACS login (since it is a SPA application).
Is there a good way to detect on the client side when the Windows ACS session times out?
I don't know Durandal, but I know all Ajax calls feature (optional) error handlers in which you can test whether the server status code is 401 or 403.
(that's usually the case when the user tries to access a secure resource when he is not authenticated).
All you have to do is redirect the user to ACS with the correct parameters when this happens.