AEM as IDP( Identity Provider) for CRM using SAML - osgi

Is there any out of the box implementation to act AEM as IDP for another application by SAML. I have googled about this and found there is OOTB configuration for AEM to act as a service provider (SP). Please provide informtion or references to make AEM as IDPso that the users in the AEM are authorised to use some other service provider by using single sign on (SSO). Thanks in advance.

Out of the box, AEM (at least as of AEM version 6.2) can only play the Service Provider (SP) role in a federation supporting the SAML 2.0 Web Browser SSO profile.
You would need to deploy one of the supported SAML 2.0 IdP in order to implement seamless cross domain browsing for your users.

AEM does not expose any functionality of an IDP so using it for this purpose won't work. A custom implementation or 3rd party libraries might be able to expose this feature but there is nothing OOTB to provide it.

Related

How to Integrate Websphere with Identity Providers , please share steps or any documentation available online.eps

Please share the steps for Websphere integration with IDP providers. Like Okta, Microsoft e.t.c
I am configuring Okta getting an issue. If any one have done. Can they help me.
I'm assuming you're using Liberty app server, this video may help
If you're using traditional WebSphere, use these two documents:
Enabling SAML Web SSO
Configuring SSO Partners
Following those two step-by-step documents will configure IdP-initiated SAML Web SSO using OKTA as the IdP.

What are the possibilities with Spring Authorization Server when using it for authentication (and authorization)?

I'm looking to find a tool that will do the authentication (and authorization) part of the project. For the project, I will be using spring boot and java 8.
I will be working with OAuth2.0, the flow for untrusted client(web-applictation) and trusted client(another server)
I was looking at Keycloak and Spring Authorization Server.
But it's unclear what are all the possibilities with the Spring Authorization Server.
Like with Keycloak you have single sign on, identity brokering, social login, user federation, admin console, account management console, standard protocols etc.
Is this also possible with Spring Authorization Server, or what are the possibilities of Spring Authorization Server?
We're working on reference documentation which will include a feature list. In the meantime, see feature list on the GitHub wiki for the project.
From this PR, a possible short overview/answer to your question would be:
Spring Authorization Server is a framework that provides implementations of the OAuth 2.1 and OpenID Connect 1.0 specifications and other related specifications. It is built on top of Spring Security to provide a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth2 Authorization Server products.
Update: The reference documentation is now available and contains an Overview page with this information.
You can make custom OAuth resource server implementation or use the SAML standard.
Also, you can implement access by JWT token, which suites well for API-only service.
You can use also "Basic Authentication", but it's too simple for a mature applications.

SCIM implementation for Spring Boot SAML and OKTA

My requirement is to implement SCIM 2.0 server for Spring Boot application which supports SAML for OKTA authentication.
I haven't found any library provided by Spring Boot for SCIM sever and neither the documentation exists for it in Spring's Repos.
I have found some third party implementations like Better Cloud SCIM 2.0 or WSO2 Charon etc. But should I use those third party implementations ? Because what if their git hub repos are messed up later or we may not get our issues resolved.
Also if there does not exist any documentation for SCIM server implementation in Spring Boot. Then should it just be treated as implementing other restful APIs ?
Any help on this will be much appreciated.
I'm watching over my company's SCIM API. So far what I have seen is there's no Spring official library and you should stick to the protocol description to provide your implementation (see more here: https://www.rfc-editor.org/rfc/rfc7644).
Despite the lack of an official Spring Boot library (that would be cool, I agree!), I'm using this thirty party library: https://github.com/pingidentity/scim2. It has all the resources you need to expose your endpoints for users operations as well as filtering when getting users, that can become quite complicated implementing from scratch as the specification provides a quite extensive query language for it.
Open source version for a lightweight SCIM spring-boot server.
https://bitbucket.org/wouter29/personify-scim-server/src
For using SAML, a custom java authentication filter can be plugged in, because only Basic and Bearer tokens are implemented.
Don't know if SAML is even mentioned in the specs/RFC
Storage layer can be chosen : ldap, mongo, postgres or MySQL.

How can I use multiple Oauth2 SSO Servers on a single Spring boot application with Spring Cloud Security Oauth2?

I'd like to give users the option to login to a Spring Boot web application using their Google or Facebook account.
I checked The Spring Cloud Security documentation and also This GitHub issue to add such SSO functionality, but on both they only show how to configure one SSO server, so it's either Google or Facebook.
How can I add both options? on the web front-end I will add a button for each option so the users can choose which account to use, either Google or Facebook.
Or I am choosing the wrong package and should use something different altogether to achieve this?
Thanks!
You basically have to install a separate authentication filter for each provider. There's a tutorial here: https://spring.io/guides/tutorials/spring-boot-oauth2/.

SSO Between Websphere Portal and .NET Application

What's the best way to configure SSO between a WebSphere Portal Portlet and a .NET application?
We are using WebSphere Portal 6.1.5 and the portlet should just redirect to the .NET application, but not require the user to login since they already did on portal. Both Portal and .NET app are using same Active Directory(LDAP) for authentication.
SPNEGO is a mechanism that is widely used in WebSphere and Windows for SSO. I am not sure about .Net applications but it is worth your time to explore and see if this would help you in achieving your needs.
Try this for some basic info on SPNEGO and WebSphere
http://www.ibm.com/developerworks/websphere/library/techarticles/0809_lansche/0809_lansche.html
Using same LDAP for authentication does not necessarily mean anything. In most of the SSO scenarios, not all the back end servers use the same LDAP repository. All i am trying to say here is that there is no strong co-relation between the LDAP server and SSO.
HTH
Manglu

Resources