Spring Security SAML extension ADFS - spring

I've been working with the SAML extension to connect to an ADFS server. I've hacked the sample application to use my ADFS server and everything went well, but I would like to know if there is a way to connect to an IDP without using the login page of the IDP. I mean, is there a way to do this process in the background for the end user? I am thinking about doing a query to ADFS or something like that to get the users and do authentication from the SP login page, avoiding the need for the user to authenticate on the IDP login page.

The purpose of federated authentication is to delegate it to a centralized server in such a way that the relying parties/service providers do not have access to the user's credentials. Enabling authentication directly in your application would violate this principle, and for this reason it is supported by neither Spring SAML nor ADFS.
If you want to authenticate your users directly, use authentication directly against Active Directory instead of ADFS. This will fully support your use-case.
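The approach the answer recommends, authenticating the SP's own login form directly against Active Directory rather than through ADFS, as an added example that is not part of the original post. It is a Spring Security 5.x Java configuration using the framework's `ActiveDirectoryLdapAuthenticationProvider`; the domain `corp.example.com`, the LDAPS URL and the URL paths are placeholder assumptions.

```java
// Added example (not from the original post): Spring Security 5.x config that
// authenticates form logins directly against Active Directory over LDAPS.
// The domain, host and paths below are placeholders.
package example.security; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class DirectoryLoginConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public ActiveDirectoryLdapAuthenticationProvider adAuthenticationProvider() {
        // Placeholder domain and URL. LDAPS (port 636) keeps the bind credentials
        // off the wire in clear text; the JVM trust store must trust the DC's certificate.
        ActiveDirectoryLdapAuthenticationProvider provider =
            new ActiveDirectoryLdapAuthenticationProvider(
                "corp.example.com", "ldaps://dc01.corp.example.com:636");
        // Map AD sub-error codes (expired password, locked or disabled account, ...)
        // to distinct Spring Security exceptions instead of one generic BadCredentialsException,
        // so the login page can show an accurate message and logs stay meaningful.
        provider.setConvertSubErrorCodesToExceptions(true);
        // Bind with the user's own credentials rather than a shared service account,
        // so the application never holds a privileged directory password.
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authenticationProvider(adAuthenticationProvider())
            .authorizeRequests(authz -> authz
                // The SP-hosted login page and static assets must be reachable unauthenticated.
                .antMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/login")
                .loginProcessingUrl("/login")
                .defaultSuccessUrl("/", false))
            .logout(logout -> logout.logoutSuccessUrl("/login?logout"));
    }
}
```

With this in place the user's password is sent to the application and then to the domain controller, which is exactly the credential exposure that federation through ADFS avoids; the provider populates authorities from the account's `memberOf` attribute, so group-based authorization still works without the IdP.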

Related

OKTA IDP initiated SSO how to configure redirect URI

I am trying to integrate OKTA as a service provider to provide access to the custom application for external customers.
External users log in to the enterprise IdP to access the custom application.
After successful authentication, the IdP triggers the IdP-initiated flow and submits the SAML response to OKTA.
OKTA checks for the external user information in the SAML assertion and sends these details to the custom API application to identify the user.
If the user is found, the API returns the required information to OKTA.
OKTA will initiate the PKCE flow to provide access to the custom application.
I was successful in configuring OKTA and the external customer IdP. But can anyone tell me how OKTA will call the custom API application to identify the user information? Also, how do I configure the redirect URL?
Unfortunately I don't have an answer to your question as we use PingFederate, but I was curious as to how you set up Okta (as the SP) to accommodate the IdP-initiated call without having to call back into the IdP for authentication. I ask because, as the IdP, we are calling Okta (as the SP) and the SAML response, but the vendor is stating they cannot set up Okta without the IdP URL to call back into, to have us, the IdP, authenticate the user. It seems your setup works how we believe it should, so I wanted to get more details about this.

Can ASP.NET sql membership feed a SAML identity provider?

I have an ASP.NET Web API (v4, specifically) application that currently authenticates using Forms authentication (through a SQL membership provider (i.e. using aspnet_Membership, aspnet_Users tables and all that)). It's basically the backend API hub for a bunch of other applications.
Alongside that, I have a third-party application, SP (for service provider), which supports SSO and single logout using SAML. My goal is to set up a SAML identity provider that can receive a SAML single logout request, which would in turn send a logout response to SP.
I started out looking at Auth0 to achieve this, but I am confused about what role Auth0 would actually play as the identity provider, since all of my user creds are stored in my own database. Is there some way I can supply Auth0 (or any of these identity providers) with my user creds store for it to authenticate my users? Or is this not desirable/possible, and I need to make my existing app the SAML identity provider?
To use SAML in your client application, you need a SAML stack.
So you could add the stack and it would be self-contained.
Both identityserver and Auth0 can use a SQL DB as the authentication store. They both support the SAML protocol.
Once you have done the SAML configuration, you just need e.g. a login screen where the user decides between local authentication and SAML authentication (the latter invokes the IDP, which would do the SAML side for you).

Spring library with Service provider login page

I have a requirement that needs a login page at the service provider, and I use a Java web app. Is there any way to use the Spring SAML libraries to achieve this behaviour? If so, what could be the steps? (It seems the default behavior of the Spring library is to redirect to the IDP login page, and I am not sure if we can configure it to host the login page on the service provider and relay that request to the IDP.)
I think what you're looking for is having two different ways to authenticate, one locally and one through SAML. I believe for having a login form, you would want two separate configurations with different AuthenticationEntryPoints, i.e. go to /login for local or "/saml/login/alias/" + spAlias + "?idp=" + spEntityID for direct login to SAML.
It sounds like right now you have SAML protecting every URL, which by default redirects you to the IDP since it's configured. The first step that I would take is getting username and password authentication working with logins independently of SAML, then add SAML back in. Be sure to list whatever URL the login form uses as permitAll so SAML doesn't kick in.
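The setup the answer describes, an SP-hosted login page with a local username/password form plus a link into the Spring SAML extension's login endpoint, as an added example that is not part of the original post or of the extension's own sample. It is a Spring Security 5.x Java configuration and assumes the extension's `FilterChainProxy` (the `/saml/**` chain), `SAMLEntryPoint` and `SAMLAuthenticationProvider` are already defined as beans, as in the extension's sample application, and that a `UserDetailsService` for local accounts exists; `spAlias`, the IdP entity ID and all URL paths are placeholders.

```java
// Added example (not from the original post): SP-hosted login page offering both
// a local form login and a link that starts the SAML flow. The SAML beans and the
// local UserDetailsService are assumed to be configured elsewhere.
package example.security; // assumed package name

import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SpLoginPageConfig extends WebSecurityConfigurerAdapter {

    @Autowired private FilterChainProxy samlFilter;                      // extension's /saml/** chain (assumed bean)
    @Autowired private SAMLAuthenticationProvider samlAuthenticationProvider; // assumed bean
    @Autowired private UserDetailsService localUsers;                    // local account store (assumed bean)

    /**
     * Builds the SP-side link that starts a SAML login against one IdP. The entity ID is
     * itself a URL, so it must be URL-encoded rather than concatenated raw.
     */
    public static String samlLoginUrl(String spAlias, String idpEntityId) {
        return "/saml/login/alias/" + spAlias
            + "?idp=" + URLEncoder.encode(idpEntityId, StandardCharsets.UTF_8);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // One AuthenticationManager with both providers; each handles only its own token type
        // (UsernamePasswordAuthenticationToken vs. the extension's SAML token), so a SAML
        // assertion can never be replayed through the password path or vice versa.
        auth.userDetailsService(localUsers)
            .passwordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
        auth.authenticationProvider(samlAuthenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // SAML endpoints run ahead of the form-login filters.
            .addFilterBefore(samlFilter, BasicAuthenticationFilter.class)
            // Unauthenticated requests go to the SP's own page, not to the IdP. The page links
            // to samlLoginUrl(...), and only that request enters the SAML entry point.
            .exceptionHandling(ex -> ex.authenticationEntryPoint(
                new LoginUrlAuthenticationEntryPoint("/login")))
            .authorizeRequests(authz -> authz
                // Login page, static assets and the SAML endpoints must be permitAll,
                // otherwise the SAML chain kicks in for every anonymous request.
                .antMatchers("/login", "/css/**", "/saml/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/login")
                .loginProcessingUrl("/login")
                .defaultSuccessUrl("/", false))
            .logout(logout -> logout.logoutSuccessUrl("/login?logout"));
    }
}
```

The login template (not shown) renders the password form posting to `/login` and a second button whose href is `samlLoginUrl("defaultAlias", "https://idp.example.org/adfs/services/trust")` (placeholder values); the SP never sees the password of a user who takes the SAML path, which is the property the first answer on this page describes.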

OAuth & SAML integration or better approach

Could anyone explain what would be the best approach for this scenario? There are 2 separate service providers:
System A is a server that works as a REST API for a mobile application.
System B is a website whose login is handled with simple and plain cookies.
I have read a lot and I've found that the most used protocols right now for these kinds of systems are SAML and OAuth, where OAuth works especially to give security to API services and SAML for web applications (cookie based).
Ideally, what is being looked for is a single login, which is right now handled for System B through cookies in the main domain.
Is there a way to use both SAML and OAuth? Or what would be a good way to go?
The answer depends on what IDP you currently have.
Is the IDP SAML based or is that just what you got from researching?
SAML and OAuth don't really play well together.
The ideal would be OpenID Connect where you could use the OpenID Connect token to get a REST API token. But that would involve using the same IDP for authentication for both.
It depends. If you have both apps deployed on the same server then you can use SSO with a Tomcat valve or JBoss with PicketLink. If your applications are deployed on different domains then you need to use a federation server with SAML like OpenId, OpenAM, Spring-saml with ADFS or any other IDP server.
For securing the REST API, you have to use the OAuth protocol. By implementing OAuth you will get an OAuth token by providing userId and password. Then the OAuth token can be used to access the REST API from mobile or any other third-party service.

External OAuth2 integration with own OAuth2 spring server

I'm trying to integrate Facebook OAuth2 authentication with my own OAuth2 server. Just to be clear, the scenario is the following:
I have an OAuth2 server that is responsible for authenticating our users. I implemented a custom AuthenticationProvider that checks the credentials provided and builds a UserDetails object if successful.
I also have a rest-api that is also a ResourceServer (runs in a different application). So after being authenticated, users can access our rest-api by providing the token.
The token information is shared using JDBC.
Everything works fine as expected, but now I want to add external authentication providers such as Facebook.
My question is: what's the best way to do this? What's the expected flow? From the top of my head I would imagine something like:
User authenticates with facebook
Facebook provides a token
User sends the token to our OAuth2 server
I check the token validity with facebook
I authenticate the user using the authentication provider
The server gets back to the user with a new token issued by my OAuth2 server which the user will use from now on to ask for resources
Is this right? If so, how can I send the Facebook token to my OAuth2 server? Is there some kind of standard? Should I make up new parameters for that? For instance, I will need some way to differentiate Facebook authentications from user/password ones.
Am I supposed to use my own AuthenticationProvider to validate this Facebook user? It seems strange then to return a UserDetails object that doesn't have a password...
Also, how do I register users and auto log them in? Do I have to expose an endpoint of my own, or is there some OAuth2 magic for that as well?
Any thoughts?
Facebook has some very good documentation on this with the correct flow and how you should handle the process.
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.2
You are on the right track, and I think the Facebook documentation should help clear up any questions you may be having.
Additional Information is here:
https://developers.facebook.com/docs/facebook-login/v2.2