I am planning to integrate OKTA SSO through SAML in one of my angular app. However, i couldn't find specific manual/documentation around this. Would you be able to redirect me on that?
Login with multiple application
Related
Background
We have two apps, App A and App B. I'm working on a POC for connecting the apps to each other.
For background, IT wants to use Okta in some fashion. My experience with Okta has always been as the IDP and SSO was done via a normal SAML or OIDC workflow. But this requires the user to know about Okta and log into Okta. This setup is suitable for companies who are managing their users through Okta.
Desired UX
The UX that we are looking for involves a user with a fresh browser (no cookies anywhere) logging into App A, and then being able to click a link in App A and ending up in App B authenticated, without ever having to see an Okta page (a redirect through an Okta URL would be OK, however). We would also like to support the opposite (App B sending the user, authenticated, to App A). There is a shared convention between the apps that the email address of the user will be the same on both sides.
Obviously we could create some form of SSO directly between these apps, but IT wants to manage whatever authentication connection we use in Okta (for security, etc.).
Without knowing the direction to go my instinct tells me that we will need to use Okta as an IDP, but that we will need to use an Okta SCIM API of some kind to register users in Okta, at some point before we send them from App A to App B. Is this correct? If so, is it also possible to authenticate the user so that they don't have to log into Okta in order to arrive authenticated at App B? Is this completely wrong? Would that basically require us to make App A and App B both identity providers and consumers? Or is there some kind of better / simpler workflow for this scenario?
You can do Okta sign-in w/o redirects to Okta, if you are using Okta widget or Okta APIs. Then you don't need to show any Okta UI to your users. Only one thing, make sure that Okta cookies are sent with those requests, so that Okta knows that you already have a session.
you just need to implement SSO for app A and app B, separately. Both A and B will share the same Okta tenant as the IdP.
We have a Spring Boot Web Application serving some REST API and the client consuming these API is a mobile app developed in React Native.
Now we need to secure the APIs and we're going to use Keycloak with Google as Identity Provider.
The integration between Keycloak and Google auth it seems pretty straight forward but I'm not able to understand the entire flow among parts and how to join the Browser login (on Keycloak page that redirects to Google authentication) in order to get a valid access token to perform API calls from mobile app.
I'll try to exaplain in another way, I supposed that:
Mobile app shows a web page (with Its browser) in order to perform the Keycloak login.
The end user using the mobile app press the Google button on Keycloak web page and begin redirect to Google for the authentication.
Google authentication the user and send a redirect URI with identity token and access token to the browser
...
then
...
is it correct to get the access token from the URI and use it form the subsequent API calls?
Is it supposed to work in this way?
I have to say that We also have and API Gateway (Ambassador) in front of our Web Application (containerized in a Kubernetes cluster).
I read different articles online but I'm still confused with the best approch.
Any suggestion is welcome.
Thanks.
I have one java app in which the user logs in. In one functionality of the app, when the user clicks on one button , it will redirect to client website where user has to login in that website. If i want to do the SSO to redirect to the client website without logging in , How can i do that? I don't want to use third party IDP'S(okta, Salesforce, azure) since the user is logging into the java app, so the user is verified, is there anyway i can make the java app as an idp and do the sso by sending saml assertion directly to the client site from the java app ?
You could do this by adding a Java SAML client to your application.
A number of these can act as an IDP as well as a SP (the application).
But this is not recommended since it does not scale.
Rather use an IDP. You get SSO so the user only has to login once.
I am working on Ruby on Rails application. I need to implement Single Sign on / Single Log out (SSO / SLO) using OneLogin.
I used OneLogin-Ruby-Sdk => https://github.com/onelogin/onelogin-ruby-sdk to log user via session token API. It creates a cookie in browser and allows me to login on other apps. But when I logout using log_a_user_out Api. It only logs out of current application but not from all applications. So SLO is not working in this case.
Thereafter, I integrated devise_saml_authenticatable => https://github.com/apokalipto/devise_saml_authenticatable. It works with SSO / SLO perfectly. But it redirects to oneLogin UI to generate SAMLRequest and send back SAMLResponse.
Is there a way I can generate SAMLRequest and SAMLResponse programatically ?
Just like we do for OAuth2 where we can generate access token using refresh token again and again.
Basically I want users to signup and login through my app forms and communicate with OneLogin and implement SSO / SLO using API rather than going to oneLogin UI.
Please let me know if more information is required in terms of code which could help in providing answer. I will be more than glad to do so. Any help is hugely appreciated.
I have four custom apps (that are SPs), using Auth0 or OneLogin as my IdP. In Auth0 I create a connector for each application. When I login to one application and then open the other application, I get redirected to Auth0 to login again.
Is it possible to log the user into my IdP (or Auth0/OneLogin) automatically on that second app without having to click the login button on Auth0, since they've already authenticated with Auth0?
There is an unfortunate need to embed the second app into the first app and it's a poor UX to have the user login to the first app and then login again in the iFrame.
Auth0 Dev here, Yes this is supported Out of the box in Auth0, for this to work you'd have to turn Use Auth0 as IdP "ON" in your Client. When doing this Auth0 will then remember the client for 10 hours upto 3 days if the client is active.
The flow in your scenario will be
User logs in to any of the application.
User visits the other application.
The other application sees no session.
The other application redirects to /authorize endpoint.
Auth0 notices the session and redirects it back to your application immediately.
This is further detailed and explained at https://auth0.com/docs/sso
SSO is not having to re-enter credentials again but you only get SSO once you redirect to the IDP and you authenticate under the hood i.e. seamlessly.
So you still have to do something to trigger the redirect.
You could programmatically redirect to a dummy page that requires authentication that then redirects via your client stack e.g. OWIN OIDC.
Also, there is no standard for the cookies so you don't get SSO across multiple IDP unless they are federated together.
So if no federation and you login to Auth0, you will still have to login to OneLogin.