Jasig - CAS - Windows session - windows

Is it possible to integrate CAS with the authentification and SSO from multiple applications ( let's say 2 in php and 1 in java) straight from the Windows' session, so the user don't have to auth from an other login form?

This can be achieved via CAS's SPNEGO module. You'll need a browser that supports Integrated Windows Authentication alone with the user and the computer have to be members of an Active Directory domain. Implementation details can be found at: https://wiki.jasig.org/display/CASUM/SPNEGO.

Related

Password Authentication with Vaadin Flow and Firebase

I set up a Spring Boot project using https://start.spring.io including Spring Security and Vaadin. Then I set the Vaadin version to 22.0.4 and followed this tutorial to set up a login page using Vaadin Flow and Spring Security: https://vaadin.com/docs/v22/flow/tutorial/login-and-authentication
This works perfectly and checks login attempts against an InMemoryUserDetailsManager having a dummy user. As you can see in the tutorial, this is configured in the WebSecurity class, which extends VaadinWebSecurityConfigurerAdapter.
Now, I want to authenticate against Firebase users with email address and password instead. Therefore, I set up a Firebase project and added a user. I first thought, that the login can be done using the Firebase Admin SDK, but now I think this is not possible.
How can I authenticate Firebase users with email address and password in my Spring Boot application using Vaadin Flow as a frontend framework?
Firebase has two types of SDKs:
Its regular SDKs are designed to be used in client-side, untrusted environments, such as web front-ends, Android apps, or iOS apps.
Its Admin SDKs are designed to be used in (typically server-side), trusted environments, such as your development machine, a server that you control, or Cloud Functions/Cloud Run.
Only the regular, client-side SDKs have methods to sign the user in. For the Admin SDKs this is not needed, since they already run in a trusted environment and this establish their credentials in some other way (typically through a credentials file that you download from the Firebase/Cloud console).
So there's no way to sign in to Firebase on your server-side code. This also would not make a lot of sense, because a lot of users will likely be accessing the server at once, so who is the current user?
Instead, in Firebase you typically sign the use in client-side through one of the regular SDKs, and then (if needed) you pass the ID token to the server, where your code (through an Admin SDK if available) can decode that ID token and determine what user is making the request.
You can mint your own ID token in the Admin SDK, but the flow remains the same there and you typically use this to implement a custom sign-in provider.

SpringSecurity 5 AuthServer vs Embedded Keycloak vs MiTre OpenID

We would like to choose ,which would be better for OAUTh/OIDC implementation to choose for the given below requirements
Our Solutions Channels include
Client App [ SPA's , Mobile App] - UI Login Wizard with Multifactor [Password , biometric]
Partner API integration[ SYStem]
We tried keycloak standalone, but it needs more customisation as per UI/Login wizard.
OUR UX for login has pre-Login contents , Multifactor authentication [ biometric's external] and doesnt come out of box in keycloak.
**Keycloak Standalone **
Heavy Customisation of Ui
Custom Flow Define and Custom authenticators has to be packed
Support for step up is to be custom built
If we go for bespoke development ,but which one is best springsecurity authorization server [ new one] or to MITRE
option 1 - SPring Security Auth server
how to implement Multifactor authentication of Authentication provider
Step -Up Authentication
option 2 MITRE OPEN ID COnnect
Mobile App- we would like to go for the password grant flow [eventhough it is going to be deprecated, as in react-native, we were unable to implement formiddable-react native library for the Biometric or complex login wizards.
To summarize
OIDC Implementation which supports easy UI Customisation, MFA for both Mobile and SPA is what needed.
Kindly advise

Windows Authentication for Life Ray 6.2

I need to do windows authentication(Intranet users) for LifeRay Login Portal. LifeRay Login uses same UID and PWD which is used for Windows Login. Both Windows Login and LifeRay login interacts with Active Directory for Authentication. So My requirement is to land user on HomePage instead of asking user credentials.
After Doing R&D I came to conclusion that I should use option provided in LifeRay Admin Portal(Authentication) - CAS SSO / NTLM SSO .
I am not clear which option will be correct for my requirement OR any other option you see fitting as solution for my requirement.
Kindly Help.

Implementing SSO using Passive Federated Identity and login page on relying party

We have implemented SSO (Single Sign-On) for a group of websites with different domain names using passive federated identity (C#, ASP.Net MVC 3, WIF). The setup works fine as it follows the standard passive federation with login page hosted on STS.
www.brand1.com
www.brand2.com
...
www.sts.com (login page hosted here)
Now the client wants that login pages are implemented on each relying party so that the user does not get redirected to STS. The reason is that each relying party is a known brand therefore redirecting to a different domain name (hosting STS) is not acceptable for the respective brand. Customizing login pages on STS for each brand is not acceptable either.
Is there a way to move login pages to relying parties?
There are two routes you could go with this:
You can create a login page on each relying party that uses active federation to authenticate your users. This is dependent on the STS offering a WS-Trust endpoint.
If you have control over the STS code, you can simply have your relying parties POST the login credentials (username/password) to the STS, and the STS site would process the authentication request as before. This is an approach I've used successfully in the past.
Hopefully this helps.

windows authentication vs forms authentication

I am trying to understand concepts of windows authentication, forms authentication and their differences. I am confused. Can someone help me in clarifying this.
Thanks.
Windows Authentication provider is the default authentication provider for ASP.NET applications. When a user using this authentication logs in to an application, the credentials are matched with the Windows domain through IIS.
There are 4 types of Windows Authentication methods:
1) Anonymous Authentication - IIS allows any user
2) Basic Authentication - A windows username and password has to be sent across the network (in plain text format, hence not very secure).
3) Digest Authentication - Same as Basic Authentication, but the credentials are encrypted. Works only on IE 5 or above
4) Integrated Windows Authentication - Relies on Kerberos technology, with strong credential encryption
Forms Authentication - This authentication relies on code written by a developer, where credentials are matched against a database. Credentials are entered on web forms, and are matched with the database table that contains the user information.
Windows Authentication refers to authenticating against Windows user accounts on the box that the application is running on.
Forms authentication is a stand alone method of authenticating in .NET forms that you can hook up to some other system, such as a database.
It's pretty simple. Windows Authentication makes use of the Windows Login system.
http://en.wikipedia.org/wiki/Integrated_Windows_Authentication
And with Forms Authentication the user will need to provide a username and password manually.
http://www.asp.net/web-forms/tutorials/security/introduction/an-overview-of-forms-authentication-vb
The Forms Authentication also allows you to choose where you access the login data from. It could for example be stored in your own local database. While Windows Authentication is only going to use your Windows login data. This data usually comes from Active Directory, if your network is built using an enterprise/buisness/domain setup.
http://en.wikipedia.org/wiki/Active_Directory
Windows Authentication-- The user will be authenticated on the IIS server against the credentials he provided when logging into his system. If the authentication fails then a pop up form will be displayed in the Internet Explorer asking for his credentials i.e. username and password.
Forms Authentication-- A default Login Page will be available like Facebook login, where user will be authenticated instead of automatically getting the credentials from the system credentials i.e. the current user of the Windows system. If the user requests a secure page and has not logged in, then ASP.NET redirects him/her to the login page. Once the user is authenticated, he/she will be allowed to access the requested page. Here IIS does not come into effect for authentication, it completely depends on the web application.

Resources