Single Sign-on through Spring Security - spring

I have a web portal built with spring security 3.X. My web portal has links of external web applications also built with spring. Id like to know if there are any working examples or code snippets on how i can automatically POST users login credentials from my portal to my external web applications in order to simulate SSO

I assume you are not looking for an SSO solution for which you could use http://projects.spring.io/spring-security-saml/ with OpenAM/OpenSSO.
In your case you could use the AbstractPreAuthenticatedProcessingFilter, here the documentation:
http://docs.spring.io/spring-security/site/docs/3.2.5.RELEASE/reference/htmlsingle/#preauth
Here a practical example I found:
PreAuthentication with Spring Security -> Based on URL parameters

Answering my own question.....
Solution was to create a table in the db containing username,password,and application name..
On a click event of a link the controller checks if the user has a record in the table with the corresponding application name, if so the user credentials is pasted into the form and submitted automatically.

Related

ASP NET Boilerplate API project creation problem

It is a first time that I am using ASP.NET Boilerplate for API development. There are default features like multi tenancy and role management which I don’t want to use in the template. When creating a new project. in the project wizard I am choosing “Single Page Web Application” and I am unchecking the “Include login, register, user, role and tenant management pages” box. But when I do this, it is removing the connection between Swagger and Application Service. So the methods I am writing in Application Service are not being translated as API endpoints automatically.
Ideally, I want this: ABP Template + Empty API solution + swagger connection.
Am I missing something? Could you point me in the right direction? Thanks in advance.
"The methods that I am writing in the Application Service are not automatically translated as API endpoints." Regarding that, the app service should be translated automatically in the version that does not include login and roles, check the documentation. Regarding the swagger, you have to add it manually.

Spring Boot OAuth2 linking internal users with Facebook/Google login

I have implemented a Spring Boot application with AngularJS frontend. Have also setup users along with their permissions. Right now I am able to login with any of these users and is working well with Spring security. I would like to turn this traditional login flow into a Facebook/Google OAuth login flow, where in I want the users to use their Facebook/Google account to log in and they will be mapped to their internal users automatically. This will help me in getting rid of maintaining passwords of these users.
I found many articles talking about setting up OAuth with Spring Boot and how can Facebook/Google login be integrated with a Spring Boot application. But I am having difficulty in finding an article which talks about linking a Facebook/Google user with internal users.
How should I go about this?
Look for a user with the associated facebook/google userID.
If that user does not exist you request an email address and try to match it with an existing legacy account.
If you do not get a email adress for any reason (not acceping the authorization request for example) you could show a popup box asking for the email adress explaining why you need it.
You then locate the legacy user and merge it adding the facebook/google ID to look it up in the future.
If no user is found with the email adress you either refuse the user or create a new account.
you should be able to do all of this by implementing your own AuthenticationProvider
Before you can fetch a user’s data from Facebook, you must specify your application’s ID and secret by setting the spring.social.facebook.appId and spring.social.facebook.appSecret properties. You can set these via any means supported by Spring Boot, including setting them in an application.properties file:
spring.social.facebook.appId=233668646673605
spring.social.facebook.appSecret=33b17e044ee6a4fa383f46ec6e28ea1d
For reference you can follow this article: https://spring.io/guides/gs/accessing-facebook/

IdP initiated flow - Identify okta account

I have an MVC application (.Net Framework 4.5) which is been there for the last three years and using Forms Authentication mechanism. This application provides different accounts like Personal, freebie, Enterprise etc. For an enterprise account, we are handling everything in the same application. I.e. Suppose an enterprise called “xyz” created an enterprise account with the application, then we are providing a custom URL like “https://application/xyz/login” and from the URL we are identifying that enterprise. I don’t know the exact reason why they implemented like this as I have seen applications that are having enterprise accounts are created as subdomains (e.g. https://xyz.okta.com). Now the client asked to integrate Okta into this application.
So I looked into Okta and found SAML is the right way to do and ends up in KentorIT Authservices. Initially, I was able to integrate this with a sample MVC application and the authentication part was working fine. With some basic idea about SSO, I have started integrating kentor authsevices into my application. The challenges I found in this implementation are:
1) For Enterprise accounts, Okta configuration settings are different for each enterprise and with my current application implementation, it is not possible to set it in from the web.config. So I have tried to set it from code and I was able to integrate those settings by replacing Configuration.Options.FromConfiguration;. I’m planning to store all configuration related things(Single sign-on URL, Audience URI,Identity Provider Issuer" etc.) in the database so that I can get the information whenever I wanted and I’m assuming that “Identity Provider Issuer Id is unique for each Okta account. In an IdP initiated flow, when the user tries to access the application it will redirect to AuthServices\Acs action method and from that, I’m trying to read the configuration settings. From the request is there any way I can identify from which Okta account call came(like Identity Provider Issuer)? Currently, I set the "Identity Provider Issuer" value (and I think which should be unique for okta account) to the Default RelayState field under General SAML settings tab and I was able to retrieve it from AuthServices\Acs action methods. Does it seem to be a good idea?  Please advice.
2) The Enterprise accounts are limited based on the number of licenses (say 50). Suppose if the Enterprise Okta admin intentionally added 55 users all those users can successfully authenticate the application based on the default settings. Is there any way I can handle this scenario. Do I need to keep a record of the list of users that came under a particular enterprise account?
3) From the documents I understand that Kentor authentication service is only for authentication and authorization part has to be done from the application itself. The current application implementation consists of a custom authorization attribute which checks for user permissions that are stored in the database. That should be there as it is and we have to do the authorization based on database permissions. Right?
Expecting your valuable suggestions and please correct me if I'm wrong. Thanks in advance.
Don't use the RelayState for sensitive data unless you cryptographically sign it. It is not protected by any signature when using the POST binding, so the user may manipulate it. To get the issuing idp, check the issuer field of any claim generated by AuthServices instead.
Yes.
Yes, that's the whole idea with Kentor.AuthServies: To plug SAML2 authentication into the security model of .NET to allow you to use any current/traditional Authorization setup.

Spring Boot Social /connect/twitter vs /signin/twitter

In my application I use Spring Boot Social and have two kind of urls, for example
/connect/twitter
and
/signin/twitter
Both of them work pretty similar.. what differences between these urls and which one should I use in order to authenticate\authorize user via social networks ?
The /signin/twitter link should be used if you want to support a user logging in to your application with their twitter credentials.
The /connect/twitter link should be used if you have user authentication in the app and you just want users to connect their accounts (for example, a logged in user wants to connect their twitter account so they can see their followers etc)
See the following docs for reference:
The "connect framework"
Sign in with service provider

Login to my own webapplication with another website's credentials(eg: login with google)

I have developed a web application (spring mvc, spring security) which has a its own login.
Now I want to change the application to login with an another web site's (2nd web) credentials and also need to get some user details from 2nd website.eg: username, user role list for create authentication object.
Please help me to choose best way to do this.
Is openID or oauth2 better for my client application?
OpenID and oAuth are 2 different things.
Lately, Google announced it stops supporting OpenID, so maybe oAuth2.0 is a better option for you.
Note that if you choose oAuth of 3rd-party, you force your users to have account there. for example, if your application (the resource server) uses Facebook for authentication/authorization, your users will HAVE TO have account on Facebook (you want that?!).
If you work with OpenID, your users have several options of where to hold their account...
If you have another 3rd party (or in-house, it does not really matter) authentication server and you want to authenticate your users with it - you have to know what specifications it supports. For example, if it supports oAuth2.0, you can pretty easily configure your app to work with it.
Hope that helps...
If I understand you correctly, you are talking about using Social Networks like Google+, Facebook, to be able to login to your application (This is identity services, where you don't have actual password, but rather access token with limited scope).
For that there is a Spring Social, project, that provides set of abstractions, for such kind of integration, including additional Spring MVC Controllers, needed for proper authentication in this Social Networks.

Resources