I have a web application deployed on WAS (8.5.5) where the login page was created using form login method, as described at: Customizing web application login
I would like to use Single Sign On (Windows domain [Kerberos/SPNEGO]) on this web application login page, but have no idea of what I need to add to that code to make it use SSO.
I really appreciate any help. Thanks
Just look in the documentation and other posts on SO regarding SPNEGO.
You dont have to do anything with your application nor login page. It is purely configuration on the server side. It is too broad to provide full configuration steps in this post.
Start with the following:
Creating a single sign-on for HTTP requests using SPNEGO Web authentication
Implementing Kerberos in a WebSphere Application Server Environment Redbook
Related
I was trying to setup OAuth workflow using the sample application as given here
However for some reason, after I enter my okta user Id and password, I never gets the control back on my call-back URL and application just hangs indefinitely.
However the normal Javascript Singn-in widget (check this link) with the minimal authentication does work and I get the control back to the redirect URL. But this is not for an OAuth2 workflow... which is completely useless for me. Because all it does is provide authentication service using Okta tenant app and it will redirect you to your App URL. This does not provide any authorization grant workflow or other OAuth2 complex workflow. May be useful for some application but not for enterprise app where you want to retrieve user profiles, and create a login session based on user profile data retrieved from OKTA.
So my question is why is the OAuth workflow not working using the PHP application that uses JS sign-in-widget? And why there are no instructions or warning on this page for this costly service (this is not free and many org is probably paying for this)?
I spent almost a day trying to setup my Authorization server as per the instruction given on this link, but nothing works. Any idea what must be going wrong ?
Does this entire example works only after contacting OKTA support to enable the Authorization server feature? Because, I also saw a documentation here that says that this is Early Access (EA) feature (and it is probably recently added in OKTA? Extremely frustrating experience).
BTW I sent email to their customer support to enable this Authorization server feature just in case if I am missing something. If this does not work then I will have to create my own OAuth2 server using Laravel 5.4 PHP framework, which is probably the quickest solution and 100% free.
I also tried to test the Authorization server setup as per the instructions provided here.
I was successful in getting the following end point working:
/oauth2/:authorizationServerId/.well-known/openid-configuration
But I am unable to get any scope and claims using api end-point:
/api/v1/authorizationServers/:authorizationServerId/scopes
So in short, I am so far unable to test my Authorization server to get my authorization grant workflow working.
Where can I look for some troubleshooting advice?
Is there another way to check whether I have configured my OKTA Authorization server properly?
I found out that the JS script provided for the PHP sample is not right for the workflow I am working on. So after changing that JS Script, things started to work.
Edit: Also please note that Setting up Authorization server is a new feature (It is Early Access feature) in OKTA. It is not enabled by default. So you need to contact OKTA support team to enable the Authorization service endpoint and functionality provided by it.
I have asp.net mvc3 application with forms authentication. But the our client request AD authentication as well. But the mvc3 app is hosted outside the clients network. What are the possible solutions for this.
Get permission to access the clients network from remote server.
Get an API to access the active directory data from webserver.
If we choose opt one how could we access active directory for authentication from outside the client network. I anybody have any idea or better options please let me know. Thanks in advance.
My guess is that the Microsoft security products can support this out of the box but I'm not sure how so I suggest that you direct your question to whoever supplies your client with their Microsoft product support.
If you'd rather build a solution so that you've got more control over how it works a quick search found an interesting approach at https://support.freshservice.com/support/solutions/articles/169196-setting-up-active-directory-single-sign-on-sso-for-remote-authentication where they created a simple ASP.Net web site that used AD authentication for sign-on. MVC 5 can build a WebApi site that does that just by creating a new project in Visual Studio with the right options.
That site wouldn't have to do anything except confirm that the credentials supplied were valid or not. Your application would ask the user to enter login / password details, then send a (properly secured) web request to the authentication site to determine whether they're valid. As long as you keep the communication between your server and the client web service tightly secured this should do what you need without much fuss. That approach removes the need for your server to communicate directly with the client's AD server.
I have a web portal built with spring security 3.X. My web portal has links of external web applications also built with spring. Id like to know if there are any working examples or code snippets on how i can automatically POST users login credentials from my portal to my external web applications in order to simulate SSO
I assume you are not looking for an SSO solution for which you could use http://projects.spring.io/spring-security-saml/ with OpenAM/OpenSSO.
In your case you could use the AbstractPreAuthenticatedProcessingFilter, here the documentation:
http://docs.spring.io/spring-security/site/docs/3.2.5.RELEASE/reference/htmlsingle/#preauth
Here a practical example I found:
PreAuthentication with Spring Security -> Based on URL parameters
Answering my own question.....
Solution was to create a table in the db containing username,password,and application name..
On a click event of a link the controller checks if the user has a record in the table with the corresponding application name, if so the user credentials is pasted into the form and submitted automatically.
Sorry if this is a bit long. Got a requirement to integrate our application with client's main portal site. The portal is maintained with a SAML 2.0 SSO features and as such, we'll need to integrate our login using SAML 2.0 as well.
The integration is done via an iframe, i.e. on the main portal, an iframe with the url pointing to our application. When user is logged in and click on a menu link, he/she will be presented with the iframe page, with our session checking with their IDP to make sure they are valid users. If so, then our application will continue to load as per usual.
The issue is that we'll need to maintain our session on our servers, while they shall maintain the session on their app server. If the user stayed on our site for a while, the session on the client main portal will timeout. And when the user click on the main portal link, they will be required to log in again.
It is suggested that when the user tries to navigate to the main portal pages, it will call a service (for now assuming it's an IDP) on our end to check whether the user session is valid or not. If it is, then we need to return a SAML response to them to validate the user.
We're exploring setting up an IDP service at our end to facilitates this, but it seems to be overkill to me. Is there a way for an IDP to only provides check on a user's session? Or is there a better option for us to achieve this?
Things that could not be changed:
1. SSO language: SAML 2.0
2. Server: Weblogic 10+
3. HTTPS a must.
Appreciate any suggestion or feedback.
Thanks.
Based on the provided information, I assume your application runs on WebLogic 10+. If the remote server too uses WebLogic you might be able to just implement the SAML authentication between the WebLogic federation. This will simplify everything and you don't need to do complicated application customization.
If the remote site does implement SAML and not on WebLogic, you still should be able to implement SAML authentication through the WebLogic configuration. This is straightforward and can be done without much hassle.
However, please be reminded that WebLogic 10+ does not support SAML SSO logout. Therefore, this needs to be handled separately.
I want to retrieve the Windows login of my users when they run my JSF script. The goal is to avoid asking my user a login information, just want get the Windows login throw the request.
I try this How to obtain request headers, remote address and other HttpServletRequest-specific information? but I always get a null String with externalContext.getRemoteUser().
Does it mean that the web browser doesn't send the remote user information? Must I change the configuration of my browser? Is it possible to get this information?
Thanks,
Philippe
Spring security kerberos plugin will pull this off quite nicely, but you'll be taking the spring framework on as a dependency. I'm also assuming here that you're running a managed security enterprise where your users authenticate against a domain.
What you want to achieve cannot be done by pure Java EE spec (someone prove otherwise). The purpose of the getRemoteUser method is to retrieve the username of the authenticated user who has been authenticated either by the Webapp container or third party web auth framework. See spec here
See this answer for more insight