SSO with spring security kerberos/NTLM and fetch additional details from AD - spring

I want the user to be authenticated using his Windows login credentials without explicitly showing him a login page. The user will just log in to his machine, and when he tries to open the URL he will be authenticated by Spring Security using his Windows login credentials, and data related to his role will be fetched from AD. How can I achieve this?
Adding to this question, what do I need to do if the machine is non-Windows, say CentOS?

Related

ADFS and MVC Application - SSO

We have one intranet application and implemented ADFS authentication on it. We have our custom login form with username and password and we are authenticated easily using ADFS. We are using the windowsmixed endpoint to authenticate.
Application, users and ADFS are all in one domain.
Now we want to skip that login page, so if Domain\User1 is logged in on his/her machine, the intranet application should authenticate with the current Windows logged-in user automatically, without asking for username and password, when we open it.
Is it possible, and how?
Thanks!!!
Regards,
Darshit Gajjar
Normally this is done via IWA in a browser (WS-Fed passive profile). IWA is a function of the browser, not of ADFS.
You are using WCF (WS-Fed active profile), which has no browser component.

Spring library with Service provider login page

I have a requirement to have the login page at the service provider, and I use a Java web app. Is there any way to use the Spring SAML libraries to achieve this behaviour? If so, what would the steps be? (It seems the default behaviour of the Spring library is to redirect to the IdP login page, and I am not sure if we can configure it to host the login page on the service provider and relay that request to the IdP.)
I think what you're looking for is having two different ways to authenticate, one locally and one through SAML. I believe that for having a login form you would want two separate configurations with different AuthenticationEntryPoints, i.e. go to /login for local login or to /saml/login/alias/" + spAlias + "?idp=" + spEntityID for direct login to SAML.
It sounds like right now you have SAML protecting every URL, which by default redirects you to the IdP since it's configured. The first step I would take is getting username and password authentication working independently of SAML, then adding SAML back in. Be sure to list whatever URL the login form uses as permitAll so SAML doesn't kick in.

Failed login and redirect from Okta login page

I am using Spring Security to authenticate with SAML and Okta. Generally it works: I am able to authenticate a user and access secured URLs within my application. So far so good.
Now I have a requirement for a special type of 'internal' user to use a different authentication mechanism (those users will be in neither AD nor Okta), so if authentication with Okta fails I want to display a different login page. The problem is that I am unable to redirect from the Okta login page to my custom page after an unsuccessful login; it seems Okta will not redirect even after many unsuccessful attempts.
Is there a way to implement such a requirement?
You can't redirect Okta on a failed authentication. You will need to determine what type of authentication to use prior to validating the username and password. Okta supports an application-based custom login page, so when the user tries to access the application, Okta redirects to your login page. From there your login page will determine where to authenticate the user.
Okta configuration for custom login page
You can use Okta's Authentication APIs and SDKs to authenticate against AD and custom code.

Need to authenticate my Spring MVC web application against Active Directory LDAP and then against the database together

My requirement is to authenticate the login request against the Active Directory LDAP and against the local DB, as the user may be created manually or by the LDAP.
I am loading all the users into a users table in my database, but I want to make the login to LDAP dynamic for the LDAP users: only if the user does not get authenticated by LDAP (invalid login or invalid user) do I need to authenticate him against the DB.
I am not certain on this, so obviously please confirm, but in your Spring security.xml, set up two authentication providers under your authentication manager, first your LDAP one and then your database one. A failure with the LDAP authentication should cause the DB one to activate and give the user a second chance to authenticate with the same credentials. Also see this article for some testing I had done earlier with Active Directory and Spring Security.
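The two-provider chain described in the answer above, written out as a Java configuration for Spring Security 5.7+/6 (an added example, not code from the question or the answer). It assumes an AD domain corp.example.com reachable at dc1.corp.example.com over LDAPS and a users/authorities schema that JdbcUserDetailsManager understands; both are placeholders. ProviderManager tries each AuthenticationProvider in order and, when one throws a plain AuthenticationException such as BadCredentialsException, moves on to the next, which is exactly the LDAP-then-DB fallback the answer relies on.

```java
import java.util.List;
import javax.sql.DataSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class LdapThenDatabaseSecurityConfig {

    // Provider 1: bind to Active Directory with the submitted credentials.
    // Domain and URL are placeholders for this example.
    @Bean
    public ActiveDirectoryLdapAuthenticationProvider adProvider() {
        ActiveDirectoryLdapAuthenticationProvider ad =
                new ActiveDirectoryLdapAuthenticationProvider(
                        "corp.example.com", "ldaps://dc1.corp.example.com:636");
        // Map AD sub-error codes (expired, locked, disabled) to the matching
        // Spring exceptions instead of a generic BadCredentialsException.
        ad.setConvertSubErrorCodesToExceptions(true);
        ad.setUseAuthenticationRequestCredentials(true);
        return ad;
    }

    // Provider 2: the local users table, consulted only if AD did not accept
    // the credentials (ProviderManager falls through on BadCredentialsException).
    @Bean
    public UserDetailsService jdbcUsers(DataSource dataSource) {
        return new JdbcUserDetailsManager(dataSource);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // {bcrypt} by default; stored hashes must carry the encoder prefix.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    public DaoAuthenticationProvider dbProvider(UserDetailsService jdbcUsers,
                                                PasswordEncoder passwordEncoder) {
        DaoAuthenticationProvider db = new DaoAuthenticationProvider();
        db.setUserDetailsService(jdbcUsers);
        db.setPasswordEncoder(passwordEncoder);
        return db;
    }

    // Order matters: AD is asked first, the database second.
    @Bean
    public AuthenticationManager authenticationManager(
            ActiveDirectoryLdapAuthenticationProvider adProvider,
            DaoAuthenticationProvider dbProvider) {
        return new ProviderManager(List.of(adProvider, dbProvider));
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
                                           AuthenticationManager authenticationManager) throws Exception {
        http.authenticationManager(authenticationManager)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/error").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll());
        return http.build();
    }
}
```

Two caveats worth checking before relying on this fallback. First, ProviderManager stops the chain on AccountStatusException (locked, disabled, expired) and on InternalAuthenticationServiceException, so with setConvertSubErrorCodesToExceptions(true) a disabled or locked AD account will not silently fall through to the database; that is the safer behaviour, because otherwise a stale copy of the user in the local table could keep an account alive after AD has revoked it. Second, users who exist in both stores can authenticate with either password, so the local table should hold only the manually created accounts, or have its copies of AD users stored without a usable password.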

Spring Security REST Api for non-authorized connections

I have an application and an API. I am using Spring and Spring Security for both. Authentication is required to access the API.
I configured the RESTful web service to respond only when authentication is successful (handled with JSESSIONID after login), which makes querying the database impossible if the user is not logged in or the credentials are wrong. But somehow I need to access the database and make some changes for forgotten passwords: I need to check whether the requested email is on record, and also update the database after the password change. E.g., if I make the 'UPDATE USER' action permitAll(), there will be a security problem.
Can you give me some ideas to handle that problem?
You can create a user with permission to change passwords, and later, when changing a password, automatically log in this user -> send the request -> log the user out, all of that behind the user's view.
