I've just tried to resolve my question reading oldest post on this forum, but i think i need some direct answer for my problem. so pls be patience with me.
I'm making a web application for my university in witch i have to send a Mac address from my shibboleth sp to the university idp, and if idp matchess Mac it will respond me with some other info correlated with Mac.
Now, i have configured my sp following this guide 'https://www.testshib.org/'.
My configuration is in local so at the end these are my questions:
1)
the entityID of my SP how should it be? i'm using an idp like that: "servername.org/shibboleth-sp". I really don't know if it's correct because it will be associate with a real organizzation and maybe it's better an idp like: "univerity_x_servername.org/shibboleth-sp/".
2)
As I just said, my SP is in local, and i don't understand if i can only send my metadata to idp just attaching the file that i can download in local from "https://servername/Shibboleth.sso/Metadata" or maybe i can pass a link with witch the idp can download itself my metadata.
someone know how can i implement the second case, by passing a single link for the download.
3)
last and less important question. the guide that i've followed to configure sp, test it at the end by opening an index page on my secure directory in local "/var/www/html/secure/". i didn't yet understant what type of check is it. so if someone have already used that guide and can explain the final test it will be awesome .
Thanks.
ps: i hope you will understand this post, i know that my english sucks. sorry
You can use any entityId, it doesn't matter. Refer this
You can do both, put the configuration in shiboleth2 configuration file. If you have put URL then idP will take URL or if you have put filename then idp will download that filename.
You can download the file from that URL(https://.../Metadata) and change and then save and then put it on your server
Shibboleth is not doing authentication at SP, it is just for Authorization. What I mean by that is, you have configured to protect /secure path. So primary task of shibboleth SP is that - it won't allow any user to access that page until user have valid authentication in idP. You can configure any other path too. In addition to authorization, it gives use the data about user.
My this, this and this answers may help you.
Related
After reading a lot of documentation on the SAML protocol, I still don't understand how the trust between an IDP and a SP works.
I know that both the IDP and the SP must have a "Metadata" file containing an x509 certificate. To establish this trust, the IDP and SP must exchange these Metadata files.
But I don't understand how technically this works. According to my research, many IDPs offer to do this in a graphical way by uploading the metadata files. My final goal is to implement the SAML Protocol in Golang. That's why I would like to understand how it works.
Thanks in advance!
When you first set up a integration between SP and IdP, they exchange a metadata XMLs. The SP gets one from the IdP and the IdP get one from the SP.
It can be exchanged in many ways for example by email, or letting a SP upload it in a form or exposing your metadata on page on you service. The important thing is that SP and IdP get each others matadata and they trust they got it from the right person.
Metadata contain many things like endpoints and supported services, but also public keys. These keys are used to sign messages between the two.
When the SP send messages to the IdP, SP signs with its private key and the IdP verifies with the public key in the SP metadata. And vise versa, When the IdP sends something, it signs it with its private key and the SP verifies it with the public key in the IdP metadata. This way everyone can trust that the message came from the expected sender.
I have some other detail in a blog post I wrote if you need it.
I also agree with #Robby Cornelissen. SAML is not simple, you have to do it right and consequences can be sever.
I am looking for some help setting up a connection between Oracle Fusion and DocuSign API. We want to use DocuSign to electronically sign procurement contracts we have in Oracle Fusion Procurement application and to set this up you need to provide the following details onto a form in Oracle Fusion:
Username
Password
Account ID
EndPoint URL
Once this is entered, you can click 'Validate' and the form will validate the connection for you.
I got most of this information from the API section of my demo account so have been able to provide everything except the EndPoint URL. To fibnd this out, I used the API explorer tool http://iodocs.docusign.com/, entered my account details at the top of the form and ran the GET v2/login_information REST message. The response I retrieved contained a 'baseURL' which I assumed was the same as the EndPoint URL and input this into the Oracle Fusion form, hit validate but unfortunately I was still unable to validate the connection.
I spoke with Oracle support and they advised that from their side they simply need the information in the form to validate the connection (assuming that information is correct and a DocuSign account exists) there doesn't appear to be anything else required to make a connection. So I can only assume that something isn't configured correctly within my DocuSign demo account and need some advice on how to check this. If anyone has had to do this in the past and came up against the same issue I'd love to know how you managed to get it working.
Any help and suggestions would be greatly appreciated :-)
Thanks,
Jamie
Based on that information, my guess is that the "EndPoint URL" would actually be something like https://demo.docusign.net. The application can then append whatever it needs after that. You could also try these:
demo.docusign.net
https://demo.docusign.net/restapi/v2
https://demo.docusign.net/API/3.0/api.asmx
https://demo.docusign.net/API/3.0/dsapi.asmx
(Note: The last two are for the SOAP API.)
I hope I am not being to dense but I don't know how to use phpoidc. I have downloaded phpoidc from https://bitbucket.org/PEOFIAMP/phpoidc. I have followed the instructions in the INSTALL file. Now that it it supposedly installed, how do I use it? There does not seem to be any documentation on this.
I just want to set up simple user authentication on my site. I am running CodeIgniter 3.0 rc. I primarily want to allow login with google accounts.
Are you talking about the OP side or RP side?
OP side should be quite self-explanatory as it is a stand alone thing.
RP side needs integration to your application.
The phpRp is just a sample implementation that uses these libraries.
What it does is to create an OpenID Connect request and process the call back to see validate the response. Then, typically, an application needs to associate the iss and sub in the ID Token to a local account: you need a mapping table for it. Once you are done with that, create a session and off you go.
We have a .Net Web API (v2) serving an SPA that I aim to secure using OAuth 2.
In my OWIN Startup.Configuration(), I set my Provider in IAppBuilder.UseOAuthAuthorizationServer to an override of OAuthAuthorizationServerProvider. I have this successfully providing refresh tokens.
I want to be sure that these tokens cannot be spoofed by someone implementing a similar provider. No searching I have done has given me any kind of answer.
Does OAuthAuthorizationServerProvider ensure that the refresh tokens received are those issued by itself, and not any similar code on a hacker's machine?
My own experiment seems to confirm that it does - I tried the same code running on two different machines and took the unexpired refresh token (with a long expiry of 24 hours) from the other machine, and got a 401 as I'd hope. But just in case I've wrongly convinced myself, I'd like some reassurance and/ or advice from someone who knows more about OAuth in the .Net Web API than I.
Thanks,
Paul
I'm sure I eventually found a definitive answer in the doc for OAuthAuthorizationServerProvider but now can't find it.
However, Dominick Baier, an expert in this field, says:
Access tokens are protected using the machine key. Protection of refresh tokens is up to you. You need to manually set the machineKey element in web.config (otherwise the key gets auto generated and might change over time).
His comment comes from a reply to a post on implementing OAuthAuthorizationServerProvider.
I've have some authentication scenario that I'm not sure how to approach. I'll appreciate any advice on the subject.
Requirement:
Website will contain one section
that will be only available to
specific computers.
Website needs to be aware which PC is currently making request (I need to be able to tie this PC to other tables in Database)
We have full access to PCs that will be accessing website
Website cannot require login, user should be just presented with content pages without need for logging in.
Solution needs to be secure since, it will have to pass security audit
Assume that every PC is on different network.
My ideas so far:
use client certificates but I'm
not sure whether you can issue
different certificate per client? If
the answer is 'you don't know who is
making the request' than it's failing
requirement number 2 and therefore is
not an option.
Windows
Authentication with impersonation so
I can have different users logged in
on PC (I'm in control what will be
the user name/account logged in on
the machine)
Basic Authentication and set PC to remember username/password first time. I'm a bit afraid that this "remember me" can expire which would cause big chaos since someone would have to setup this PC(s) again...
Windows Identity
Foundation - never tried but if I can
implement this scenario here in some
nice way I appreciate if you can
point me in the right direction.
Thanks in advance for your help.
EDIT:
I would prefer not to use SSL if possible... (performance consideration)
EDIT2:
Currently I think that the best option would be to check whether PC is authenticated (whether it contains Forms Authentication cookie) and if it is not then redirect him to some https:// page that will check client certificate, set cookie if cert exists and redirect back to target page.
This shouldn't be slow since SSL will be used only in rare cases when cookie expires.
Please let me know if you see any flaws in this solution. If you know how to create server certificate and later generate different client certificates from it I would be grateful for guidelines.