Shibboleth custom redirect after success login - shibboleth

I need to perform actions after Shibboleth login and before the redirect to the SP URL.
For me, the best solution would be "Shib login page" -> login OK -> redirect to my custom page -> redirect to the SP URL.
How can I do that, if it's possible?

It's possible: you need to create a custom HTTP filter as an extension of Shibboleth, make it available on the classpath of the Shibboleth IdP application and register it in the descriptor of the Shibboleth IdP web application (web.xml).
There's a Shibboleth extension that uses this principle to prompt the user to confirm the release of attributes from the IdP to the SP. The application is uApprove, developed by SWITCH.
You can read more about the application at uApprove and get ideas on how to implement your own from the uApprove manual.
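A minimal shape for such a filter, added here as an illustration (it is neither uApprove's code nor part of Shibboleth): a javax.servlet.Filter placed in front of the IdP 2.x profile handlers that sends a user who has just authenticated to a custom page once, then lets the profile handler resume and answer the SP. The custom page path, the session keys and the use of the _idp_session cookie as an "already logged in" signal are assumptions; a production filter should ask the IdP's session API instead. The web.xml registration is shown in the trailing comment.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative filter: on the first profile-handler request after login, park the
 * profile URL in the session and detour to a custom page. The custom page (not shown)
 * sets DONE_KEY to Boolean.TRUE and redirects the browser to RETURN_KEY, at which point
 * the IdP continues and sends its response to the SP.
 * Hypothetical names: CUSTOM_PAGE and the session keys are ours, not Shibboleth's.
 */
public class PostLoginDetourFilter implements Filter {

    static final String CUSTOM_PAGE = "/custom-step";            // assumption: our own servlet/JSP
    static final String DONE_KEY = "postLoginDetour.done";        // set by the custom page when finished
    static final String RETURN_KEY = "postLoginDetour.returnTo";  // profile-handler URL to resume
    static final String IDP_SESSION_COOKIE = "_idp_session";      // IdP 2.x session cookie (coarse proxy for "logged in")

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        // Before login there is no IdP session, so the SP's AuthnRequest passes straight
        // through to the login flow; after login the IdP re-enters the profile handler
        // and this branch fires exactly once per session.
        if (hasIdpSession(request) && session.getAttribute(DONE_KEY) == null) {
            session.setAttribute(RETURN_KEY, resumeUrl(request));
            response.sendRedirect(request.getContextPath() + CUSTOM_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Only the IdP's own server-relative profile URL is stored, never a client-supplied target. */
    static String resumeUrl(HttpServletRequest request) {
        String url = request.getRequestURI();
        return request.getQueryString() == null ? url : url + "?" + request.getQueryString();
    }

    static boolean hasIdpSession(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (IDP_SESSION_COOKIE.equals(c.getName())) return true;
        }
        return false;
    }
}

/* web.xml registration (the filter must be mapped to the profile handlers, /profile/* in IdP 2.x):
<filter>
    <filter-name>PostLoginDetour</filter-name>
    <filter-class>example.PostLoginDetourFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>PostLoginDetour</filter-name>
    <url-pattern>/profile/*</url-pattern>
</filter-mapping>
*/
```

The detour only works because the IdP keeps its login context in the session while the browser is away, which is the same property uApprove relies on. Resetting DONE_KEY (per SP, per session, or never) is a design choice for the custom page, and the custom page itself must live outside /profile/* so the filter does not intercept it.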

Related

Spring library with Service provider login page

I have a requirement that needs to have a login page at the service provider, and I use a Java web app. Is there any way to use the Spring SAML libraries to achieve this behaviour? If so, what could be the steps? (It seems the default behaviour of the Spring library is to redirect to the IdP login page, and I am not sure if we can configure it to host the login page on the service provider and relay that request to the IdP.)
I think what you're looking for is having two different ways to authenticate, one locally and one through SAML. I believe for having a login form, you would want two separate configurations with different AuthenticationEntryPoints, i.e. go to /login for local or /saml/login/alias/" + spAlias + "?idp=" + spEntityID for direct login to SAML.
It sounds like right now you have SAML protecting every URL, which by default redirects you to the IdP since it's configured. The first step that I would take is getting username and password authentication working with logins independently of SAML, then add SAML back in. Be sure to list whatever URL the login form uses as permit all so SAML doesn't kick in.
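As an added example (not from the answer above and not from the Spring SAML project), the two-entry-point arrangement in Spring Security Java config: a DelegatingAuthenticationEntryPoint sends unauthenticated requests for most URLs to the SP-hosted form and, for one designated path, straight to the IdP using the URL the answer builds by hand. SP_ALIAS, IDP_ENTITY_ID and the /federated/** path are placeholders; the spring-security-saml filter chain itself is assumed to be wired as in that library's sample configuration.

```java
import java.net.URLEncoder;
import java.util.LinkedHashMap;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Added example: an SP-hosted login form next to a direct-to-IdP SAML entry point.
 * The spring-security-saml filters (SAMLEntryPoint, SAMLProcessingFilter, ...) are
 * assumed to be registered separately, as in that library's sample configuration.
 */
@Configuration
@EnableWebSecurity
public class DualLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholders: take these from your SP metadata bean and the IdP's metadata.
    static final String SP_ALIAS = "my-sp";
    static final String IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Selects the local SP by alias and tells spring-security-saml which IdP to
        // start the flow with; the entity ID is a URL, so it is encoded as a query value.
        String samlLogin = "/saml/login/alias/" + SP_ALIAS
                + "?idp=" + URLEncoder.encode(IDP_ENTITY_ID, "UTF-8");

        // Ordered map: the first matcher that fits the unauthenticated request wins.
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
        entryPoints.put(new AntPathRequestMatcher("/federated/**"),   // placeholder path
                new LoginUrlAuthenticationEntryPoint(samlLogin));      // -> straight to the IdP
        DelegatingAuthenticationEntryPoint entryPoint = new DelegatingAuthenticationEntryPoint(entryPoints);
        entryPoint.setDefaultEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")); // -> SP-hosted form

        http
            .authorizeRequests()
                // The form page and the SAML endpoints must not require a session,
                // otherwise the SAML entry point fires before the form is ever shown.
                .antMatchers("/login", "/saml/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .exceptionHandling()
                .authenticationEntryPoint(entryPoint)
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll();
        // Local username/password users are configured in configure(AuthenticationManagerBuilder)
        // (in-memory, JDBC or LDAP); the SAML side authenticates through SAMLAuthenticationProvider.
    }
}
```

The SP-hosted form can also carry a plain link to the samlLogin URL, which gives users a choice between local and federated login from the same page.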

OKTA integration issue with Shibboleth SP

I am doing a POC where I need to integrate the Shibboleth SP with the Okta IdP provider. I have completed all the steps below, documented on the Okta official site for this integration.
1. Install Shibboleth Service Provider
2. Configure the web server to use Shibboleth
3. Configure Shibboleth to protect a specific folder; create an Okta SAML 2.0 Template application
4. Modify Shibboleth to use the metadata obtained from the Okta application
5. Modify the attribute-map.xml file within Shibboleth to set the appropriate header variables
6. Restart everything
But there are details missing from step 5, where I need to modify attribute-map.xml. When I hit my protected URI (hosted on Apache) it gets redirected to the Okta login page, but after the user enters the user ID and password and clicks login, I get a spinner in my browser and it never takes me to my protected site URI hosted on Apache. Any clues to fix this attribute mapping in Shibboleth SP are highly appreciated.
If the page is not being redirected to the SP, the problem need not be with attribute-map.xml.
Endpoints could be incorrectly configured. Check {web app uri}/Shibboleth.sso/Metadata to see if the endpoint URLs are correctly defined.
Check shibboleth2.xml to see if entityID is correctly defined; this is the web application that Shibboleth is protecting.
Check {web app uri}/Shibboleth.sso/Session; this displays all the attributes that are being sent from Okta. You can make it display the values too by changing shibboleth2.xml, since it is just a POC.
Finally comes attribute-map.xml, where you can configure attributes as agreed with Okta. There are some default attributes like NameID that are pre-configured here. You can see the format in attribute-map.xml and in /Shibboleth.sso/Session and code accordingly. For example
formatter="$NameQualifier!$SPNameQualifier!$Name"
If you are adding custom attributes, a simple element as shown below should work as long as the name matches the attribute name that Okta is sending.
This issue was resolved by doing proper configuration on the Okta side. Okta provides a SAML 2.0 template app for integration with Shibboleth. The below-mentioned parameters of this template app were properly configured:
Post Back URL -
Name ID Format - Transient
Recipient -
Audience Restriction -
authnContextClassRef - PasswordProtectedTransport
Response - Signed
Assertion - Signed
Request - Compressed
Destination -
Attribute Statements - username|${user.userName}
Then our integration was successful.
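An added example of the attribute-map.xml entry that the "custom attributes" advice and the Attribute Statement above call for (constructed for this page, not copied from Okta's or Shibboleth's documentation). The name must equal the Name Okta places in the assertion, "username" per the Attribute Statement; the nameFormat is an assumption and has to match what /Shibboleth.sso/Session reports for the received assertion. The NameID entry reproduces the default file's decoder with the formatter quoted above.

```xml
<!-- attribute-map.xml (SP 2.x): maps SAML attributes to variables the protected
     application can read. With Apache, each "id" becomes an environment variable
     (or a header, if ShibUseHeaders is On) of that name. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Default NameID mapping as shipped with the SP, shown for the formatter syntax;
         this template uses Transient NameIDs, so it is not what carries the user name. -->
    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder"
                          formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
    </Attribute>

    <!-- The custom attribute from the Okta Attribute Statement (username|${user.userName}).
         nameFormat is an assumption: confirm it against /Shibboleth.sso/Session. -->
    <Attribute name="username" id="username"
               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"/>
</Attributes>
```

To see the values on /Shibboleth.sso/Session during the POC, the Session handler in shibboleth2.xml has a showAttributeValues attribute that can be set to "true"; it is off by default because the page is reachable by the browser, so turn it back off once the mapping is verified. A spinner after the Okta login, with no arrival at the SP, usually points at the endpoint checks above (Post Back URL versus the ACS URL in /Shibboleth.sso/Metadata) rather than at the attribute map, since the SP only consults attribute-map.xml after the assertion has been accepted.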

How to get rid of Siteminder authentication in IBM WAS 8.0 and implement custom authentication?

I've a web application which is configured to use SSO (SiteMinder authentication). Now we have developed our own custom authentication code and want it to be implemented instead of using SiteMinder. The application is being deployed on a WAS 8.0 server which by default is using SiteMinder. So even after we changed our code to perform custom authentication, I don't know how, when deploying it to the server, it automatically redirects us to the SSO login instead of our custom login page.
On my local machine, the same code picks up this newly developed custom authentication, and we've tested it successfully too. But when this code is deployed on the actual DEV server, it ignores our custom login module and goes to the SiteMinder login page. Do I have to set something on the server side to disable SSO? If so, can anyone tell me how to disable SiteMinder on the server for my application?
You need to disable the TAI (Trust Association Interceptor) for SiteMinder. You can either disable TAI completely or just the SiteMinder interceptor. Via the Admin Console go to Security > Global Security > Web and SIP Security > Trust Association to make the necessary changes.
HTH
Dan

Spring security, AJAX and SiteMinder

I am implementing Spring Security login and I am trying to understand something. Here is the scenario I want to implement:
For the initial login, show the login page and let the user in.
If, after some inactivity, the session expired and the user makes some action, show him a popup window to authenticate (JS-based popup in the browser). Continue with the action as if there was no login form.
Implementing the form is easy, but how do I make the popup work? Let's say I make a request to some protected URL after the session expired: how do I make sure it's not forwarded to the login page, but to my login handler that shows the popup window?
Another issue: I need to integrate with SiteMinder, so I would need to read the login/password combination and, after it's read, forward to SiteMinder for authentication; after that's done I want to return without forwarding.
Answer to the SiteMinder issue:
SiteMinder is generally installed on a web server behind your servlet container.
Also, SiteMinder manages the authentication, and an application does not have access to a user's password at all.
To integrate with SiteMinder use this filter:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6295.
Answer to the login-with-popup issue: since you need to integrate with SiteMinder, I would not recommend implementing the login via the popup.
The sample given on the above SpringSource website is quite primitive and can break in several use cases. Using the SM_USER header alone has several caveats; see my answer here: How to validate SM_USER header in Spring Security preauthentication for siteminder
CA SSO, aka SiteMinder, as well as other traditional HTML-form request/response SSO systems, has a hard time dealing with Single Page Applications and protecting the web services that you invoke via AJAX without breaking the flow of your application.
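An added example (not the linked SpringSource sample and not from the answers above) of the pre-authentication setup in Spring Security Java config, with one guard for the best-known caveat of trusting SM_USER alone: the header is honoured only when the request arrived from the SiteMinder-protected web server, so a client that can reach the servlet container directly cannot supply its own SM_USER. The proxy addresses and the role lookup are placeholders.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Added example: SiteMinder pre-authentication in Spring Security. The SiteMinder agent on the
 * web server authenticates the browser and forwards SM_USER; the application never sees a
 * password. TrustedProxyGuard makes sure SM_USER is only believed when it came from that agent.
 */
@Configuration
@EnableWebSecurity
public class SiteMinderSecurityConfig extends WebSecurityConfigurerAdapter {

    static final String SM_USER = "SM_USER";
    // Placeholder: addresses of the SiteMinder-agent web server(s) that proxy to this container.
    static final Set<String> TRUSTED_PROXIES = new HashSet<>(Arrays.asList("10.0.0.5", "10.0.0.6"));

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        // SiteMinder already authenticated the user; this step only attaches authorities.
        // Placeholder lookup: real roles would come from a directory or database keyed by SM_USER.
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(
                        username -> new User(username, "N/A",
                                AuthorityUtils.createAuthorityList("ROLE_USER"))));
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestHeaderAuthenticationFilter smFilter = new RequestHeaderAuthenticationFilter();
        smFilter.setPrincipalRequestHeader(SM_USER);
        // A missing header means SiteMinder did not protect this URL: fall through to the
        // access rules below (403 from the default entry point) instead of throwing in the filter.
        smFilter.setExceptionIfHeaderMissing(false);
        smFilter.setAuthenticationManager(authenticationManager());

        http
            // The guard runs before the pre-auth filter ever reads SM_USER.
            .addFilterBefore(new TrustedProxyGuard(), AbstractPreAuthenticatedProcessingFilter.class)
            .addFilter(smFilter)
            .authorizeRequests()
                .anyRequest().authenticated();
        // No login page is configured on purpose: collecting credentials is the agent's job.
    }

    /** Rejects any request that carries SM_USER but did not arrive from a trusted proxy. */
    static class TrustedProxyGuard extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            // getRemoteAddr() is the last hop only; with a load balancer in between, enforce the
            // boundary at the network layer (ACL or mutual TLS between agent and container) instead.
            if (req.getHeader(SM_USER) != null && !TRUSTED_PROXIES.contains(req.getRemoteAddr())) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            chain.doFilter(req, res);
        }
    }
}
```

This also shows why the popup approach does not fit: once the SiteMinder session has expired, the agent answers an AJAX call with its own HTML login page before the request ever reaches this filter chain, so the application has nothing to intercept.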

Redirect on Bad Authentication ASP.NET?

I have an ASP.NET MVC site running in a Framework 4.0 app pool. I now need to put Active Directory Federation Services (ADFS) in front of it for authentication against a remote AD store. If authentication fails, I would like to redirect to my own custom page. What is the right way to do this? Since ADFS is implemented in an HTTP module, should I make my own "reject module" and put it before or after the ADFS one?
What kind of authentication are you using? If FBA, just modify the ADFS FormsSignIn.aspx to redirect to your custom page on failure.
