I am using an IdP which supports both OAuth and SAML.
User ---> SP --OAuth--> IdP --OAuth--> Google (OAuth2)
The above flow is working fine, where I am logging in to the system from Google.
Now what I want to achieve is:
User ---> SP --OAuth--> IdP --SAML--> Another IdP
Now my question is...
Is that possible? If yes, please provide me some guidelines on how to achieve that.
How can I achieve the same thing in an IdP-initiated flow?
Thanks in advance.
You can use it the other way around, like below. It is named the SAML2 Bearer assertion profile; you can find more details here [1].
User ---> SP --SAML2 Bearer--> IdP --OAuth--> Federated IdP
[1] http://xacmlinfo.org/2014/10/31/saml2-bearer-assertion-profile-for-oauth-2-0/
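The profile the answer points at is RFC 7522: the SP presents a SAML assertion to the OAuth IdP's token endpoint as the grant, and the token endpoint validates it before minting a token. The following is an added example, not code from the answer or the linked article, showing both sides with only the standard library. The issuer URL, the token endpoint URL and the sample assertion are constructed for illustration; in a real deployment the assertion's XML signature must be verified with an XML-DSig library before any of the checks shown here count for anything, which this example represents only by rejecting assertions with no Signature element.

```python
"""RFC 7522 exchange (SAML 2.0 Bearer Assertion as an OAuth 2.0 grant), both sides.
Added example; issuer, token endpoint and sample assertion are constructed.
Signature verification must be done with an XML-DSig library first (see lead-in).
"""
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRUSTED_ISSUER = "https://federated-idp.example/saml"   # assumed federated IdP
TOKEN_ENDPOINT = "https://idp.example/oauth2/token"     # assumed OAuth IdP endpoint


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_token_request(assertion_xml: bytes, scope: str = "openid") -> str:
    """SP side: the form body the SP POSTs to the OAuth IdP's token endpoint."""
    return urlencode({"grant_type": GRANT_TYPE,
                      "assertion": b64url(assertion_xml), "scope": scope})


def _ts(value):
    if value is None:
        raise ValueError("missing NotOnOrAfter")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(assertion_xml: bytes, now: datetime) -> str:
    """OAuth IdP side: the RFC 7522 section 3 checks. Returns the subject NameID."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")
    if root.find("ds:Signature", NS) is None:     # real code: verify it, do not just look for it
        raise ValueError("assertion is unsigned")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer %r" % issuer)
    audiences = [a.text.strip() for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if TOKEN_ENDPOINT not in audiences:
        raise ValueError("audience does not name this token endpoint")
    conds = root.find("saml:Conditions", NS)      # present: the audience check just passed
    if now >= _ts(conds.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != BEARER:
        raise ValueError("subject confirmation is not bearer")
    scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != TOKEN_ENDPOINT or now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation data invalid or expired")
    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not subject:
        raise ValueError("missing NameID")
    return subject


def token_endpoint(form_body: str, now: datetime) -> dict:
    """OAuth IdP side: parse the request, validate the grant, mint an opaque access token."""
    form = parse_qs(form_body, strict_parsing=True)
    if form.get("grant_type") != [GRANT_TYPE]:
        return {"error": "unsupported_grant_type"}
    try:
        subject = validate_assertion(b64url_decode(form["assertion"][0]), now)
    except (KeyError, ValueError, ET.ParseError) as exc:
        return {"error": "invalid_grant", "error_description": str(exc)}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "subject": subject}


def sample_assertion(not_on_or_after: datetime, audience: str = TOKEN_ENDPOINT) -> bytes:
    """Constructed sample assertion; the Signature element is only a placeholder."""
    exp = not_on_or_after.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_a1" Version="2.0">
  <saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData Recipient="{TOKEN_ENDPOINT}" NotOnOrAfter="{exp}"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotOnOrAfter="{exp}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>""".encode()


def demo() -> dict:
    """Run the exchange at a fixed clock: valid, expired, wrong audience, wrong grant type."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    soon, past = now + timedelta(minutes=5), now - timedelta(seconds=1)
    return {
        "ok": token_endpoint(build_token_request(sample_assertion(soon)), now),
        "expired": token_endpoint(build_token_request(sample_assertion(past)), now),
        "wrong_audience": token_endpoint(build_token_request(
            sample_assertion(soon, audience="https://other.example/token")), now),
        "wrong_grant": token_endpoint("grant_type=password&username=a&password=b", now),
    }
```

The audience and Recipient checks are what stop an assertion issued for some other service from being replayed against this token endpoint, and the NotOnOrAfter checks bound how long a captured assertion stays usable; RFC 7522 requires all of them in addition to the signature.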
I have a Spring application with a login screen that authenticates the credentials the user has entered against users in our Active Directory (using LDAP).
However, I'd like to add the capability of SSO, specifically with the Windows credentials that the user has entered upon logging into Windows.
I'm aware that since AD uses Kerberos it wouldn't be such a "hard" task to do, and I've found one possible solution as to how to implement it, specifically this guide, with what I want to achieve being on this part of the page.
But honestly, I don't seem to be able to understand how to implement it...
I have the following questions:
1) Which parts/classes should I implement for what I actually need, meaning which of the following classes are needed in reality? (AuthProviderConfig, SpnegoConfig, KerberosRestTemplate, KerberosLdapContextSource)
2) If all my users are in a Windows environment, do I really need cached tickets (kinit) or a keytab? In that case application.yml is also not needed, right?
3) What does the AD admin need to do on his side to configure/enable this SSO with Kerberos? (For the login screen adapter that works, I have the domain, URL, rootDn, service user, user search base and service user password in my application properties.)
Based on this thread, specifically on what the highest-scored answer shows, I'm missing only steps 1 and 2 (I suppose?).
If anyone has maybe a better "guide" or tips that I can follow in order to implement this, I'm all ears.
In any case, thank you for your time, and I appreciate any feedback you could give me.
I realised a similar task using this tutorial:
https://www.baeldung.com/spring-security-kerberos
You need to modify only WebSecurityConfig extends WebSecurityConfigurerAdapter: add there the SPNEGO filter from point 6.2 of this tutorial and the beans with KerberosAuthenticationProvider. Spring has built-in Kerberos machinery that generates and decrypts SPNEGO tokens itself. In this case, in the filter you should authenticate all paths, but in my case I used Kerberos authentication the first time, and later I used the JWT token which I had implemented before I implemented SSO.
You need a keytab file and a ServicePrincipalName. You can generate it with kinit with a user who has access to users in AD.
I found something like this:
https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-configure-single-sign-on-with-kcd
I need to use the Apple Sign In option alongside the other Google and Facebook sign-in options. Even though Apple has adopted the existing open standards OAuth 2.0 and OpenID Connect (Hybrid Flow), it's difficult to get it to work by simply changing the .yml configuration as described in the GitHub fix for the raised issue.
I have tried the "customizing the OAuth request" approach and I am stuck on reading the authorization code, which is sent in the body, to use for the token exchange and to get the logged-in user's details (Apple does not support userInfoUri).
More details can be found in the github_comment.
Can someone share a working code example of how we can use Apple Sign In with the OAuth2 client?
I am learning Spring and have written a simple RESTful web service that is not intended for browsers but for native mobile apps only. When trying to implement basic authentication for users, I've hit a wall, because the sources (even official tutorials) assume (and recommend) using OAuth2 through a browser with SSO and/or social logins.
All I want is to create a RESTful API endpoint that will take an email address and a password and return a token (possibly a JWT). I do not need extended support for roles (but am not against it) or dynamic token revocation, if that matters.
Is there any easy library/solution/tutorial that focuses on something similar?
Edit:
Thanks for the answers — all of them shed more light on the auth process and are quite useful and on point!
Please check here; I have a working example of Spring Security on my GitHub. You may need to change spring.active.profiles=jwt to enable the JWT configuration in this project.
There are many tutorials available on the internet for implementing JWT token-based authentication using Spring Boot. Please find some of them below:
https://dzone.com/articles/spring-boot-security-json-web-tokenjwt-hello-world
https://www.javainuse.com/spring/boot-jwt
Please go through them and try to implement it. If you need working code for reference, you can search GitHub. This is one of them: https://github.com/murraco/spring-boot-jwt
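What the question asks for, an endpoint that takes an email and password and returns a token, and what the two answers' tutorials build around a JWT, comes down to three pieces: a salted password check, token minting and token verification. The following is an added example, not code from the question, the answers or the linked repositories, that implements those three pieces with only the standard library so the mechanics are visible. The user store, the signing key and the registered user are constructed in the file; a real service keeps the key in a secrets store and, in Spring, would use a maintained JWT library rather than hand-rolling the signature.

```python
"""Email + password in, signed JWT out, and JWT back to an identity: stdlib only.
Added example; the user store, the HS256 key and the registered user are constructed.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

SIGNING_KEY = secrets.token_bytes(32)   # assumed per-deployment HS256 key (from a secrets store in practice)
TOKEN_TTL = 3600                        # seconds a token stays valid
PBKDF2_ROUNDS = 200_000
USERS: dict = {}                        # constructed store: email -> (salt, hash)
_DUMMY = (b"\x00" * 16, b"\x00" * 32)   # keeps unknown-user logins as slow as real ones


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, hash) so the salt is stored with the hash."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(email: str, password: str) -> None:
    USERS[email] = hash_password(password)


def mint_token(subject: str, now: Optional[float] = None) -> str:
    """HS256 JWT with iat/exp and a random jti (a server-side denylist of jti values gives revocation)."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": now, "exp": now + TOKEN_TTL, "jti": secrets.token_hex(8)}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def login(email: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Body of the POST /login handler: token on success, None on any failure.
    Unknown user and wrong password are indistinguishable to the caller, in result and in timing."""
    record = USERS.get(email)
    salt, expected = record if record else _DUMMY
    _, got = hash_password(password, salt)
    if record is None or not hmac.compare_digest(got, expected):
        return None
    return mint_token(email, now)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Claims if the token is ours, HS256, untampered and unexpired; otherwise None."""
    now = int(time.time() if now is None else now)
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":   # fixed allow-list, never trust the header
            return None
        expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url_decode(s), expected):
            return None
        claims = json.loads(b64url_decode(p))
        if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            return None
        return claims
    except ValueError:          # malformed base64, malformed JSON, or wrong number of segments
        return None
```

The two details most often missed when a JWT login is hand-rolled are both in `verify_token`: the algorithm is fixed by the server rather than read from the token (so an `alg: none` token is rejected), and the signature is checked with a constant-time compare before any claim is looked at.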
I am currently using Quarkus in combination with "quarkus-security-jpa" to realize form-based authentication. No problems here so far. I now have another requirement to enable user impersonation in my app. For example, the admin can impersonate user A to get the same access rights and see the same data. In Spring I would use the SwitchUserFilter for this feature.
Now to my question: does Quarkus have a similar function? And if yes, how can I use it? Does anybody have an idea how to realize this feature in Quarkus?
Best regards and thanks in advance.
I used the code at https://github.com/oktadeveloper/okta-spring-boot-saml-example to understand how to use Okta for SSO. We are using SAML. My question is how to detect if the session is still valid and, if not, redirect the user to the Okta login page.
I tried using HttpSession, but I did not know how to link it to Okta.
If someone can give me a few pointers as to where to start, I would appreciate it.
Thanks
The short and best answer is no.
You can use JavaScript in the browser to see if the user still has a live session with Okta using this:
https://developer.okta.com/docs/reference/api/sessions/#get-current-session
There is a way, using the Sessions API, to authenticate a user and then check to make sure the session is still valid, but managing the state creates more headaches than it's worth. I would not suggest doing this.
If you are using OAuth 2.0, then it's easier: you can just redirect the user to Okta and perform a re-authorize more easily; plus, OAuth 2.0 tells you when the token was minted.