I'm configuring OpenID authentication for a server-based software product. It supports OpenID, but only allows for one OpenID provider at a time. I have Google authentication working, but I want to add Microsoft and perhaps others as well. Is there anything I can sit on top of that would allow me to configure one provider in the settings, but actually connect to multiple OpenID providers?
I hope the question is clear and thank you for any input.
I have successfully configured Google to work, but the software configuration only allows one OpenID provider to be input. I would like to be able to configure multiple providers.
Related
We want to use SSO for a group of apps (this will include GitLab, probably Drupal and a bunch of small apps I will write in Symfony for various tasks). We would like to currently use Google accounts to authenticate all apps, but because there are limits (I know you can increase them) on how many apps you can have and Google sometimes change what features are free, it would be good to have the option of using our own login down the track if needed.
I have used SimpleSAMLphp in the past with GitLab (using a database to store credentials) and it worked well. Is there a way that I can use the Google Auth as an IDP and have SimpleSAMLphp record the email address to link the accounts etc and allow me to add things like groups etc in to send down to the app when a login happens? I would put a password field in the login table in the database as well so that if we decide to move away from Google we can generate random passwords and continue without too many issues.
The information I find online is for using SimpleSAMLphp as the IDP for gsuite etc (we will be using general Google accounts, not ones in gsuite) and not the other way around. I also couldn't see any Authentication Modules for Google authentication. Are there any tutorials or instructions anywhere on this?
You can accomplish what you are asking fairly easily. Instead of integrating your SPs with Google directly, integrate them with an SSP idP you control, then set up your authentication page (i.e. the page redirected to by your authsource module) to be an SP for Google. Here's what that looks like:
vendor sp -> your SSP idP -> your login app -> your SSP SP -> google idP
This way you end up with only a single Google integration configured for all your vendor integrations. There are numerous benefits to this approach:
You aren't affected by # of integration constraints imposed by google
Since your vendor SP integrations are controlled on your own server, you can easily move to a different cloud-based idP for authentication in the future without having to re-integrate all your SPs
You can easily give your users alternate sign-in choices if you want.
You aren't constrained to SAML or protocols supported by Google. Many vendors still use proprietary token based authentication. These can easily be supported with this setup.
Happy to help with implementation details if you need it.
Currently my organization uses a number of web apps/mobile apps/APIs, some of which authenticate against an in-house IdP and others which use a third-party proprietary system (over which we have no control).
We have been asked to implement SSO for these web applications and as a result I have been reading up on OpenID Connect. I believe this would be a better solution than SAML given that (a) end-users are not always enterprise users, and (b) SAML not designed for mobile applications.
I believe I understand the flow reasonably well but have one sticking point. To allow users to authenticate using an external IdP, we would need to map the user back to our internal id. For example, user authenticates using OIDC/Google, resulting in us receiving the user's unique Google idenitifer (and email etc if we queried further), but this is not useful to us until we can map the Google identifier back to our internal customer id.
Is this mapping out of scope for OIDC? If so, is there a best-practice method for doing this? I'm sure we are not alone in this requirement...
Thanks,
John
Is this mapping out of scope for OIDC?
Short answer, yes.! If your backend require a comparison/validation with internal identity details, then it has to be done out-of-scope of OpenID Connect(OIDC) protocol. OIDC simply define the process of obtaining tokens (ID and access token), which are required for authentication and authorization.
is there a best-practice method for doing this?
One option is to use out of band directory synchronization. For example, Google provider Google Cloud Directory Sync (GCDS), which allows you to synchronize identity details to LDAP or MS Active directory. Other alternative is to use SCIM protocol to communicate and provision users dynamically. For example Google provide that support as well.
Alternatively, you can use just-in-time provision at the time you receive tokens. This support will depend on your identity provider implementation. For example, WSO2 identity server support both JIT provisioning as well as SCIM.
I know that both the federation protocols can be used to manage user identities.
Basically for Gmail based login, I want to know the benefits of using OpenID Connect over SAML.
OpenID connect is simpler JSON/REST based with compared to SAML. Apart from this is there any benefit of using OpenID Connect for Gmail based authentication?
It depends on what you call "GMail based login".
1- if you mean let my users read their mails on GMail using their credentials maintained in my internal organization, OIDC and SAML will do the same. This is simply not the same protocol. So, depending on your internal directory (Active Directory, NetIQ eDirectory, openldap, /etc/passwd, etc.), it may be easier to use one of these protocols.
2- but if you mean connect to GMail with my application, on behalf of my users, only OIDC will let you do that, because of the underlying OAuth2.0 mechanism.
OIDC means authentication and authorization, SAML only means authentication.
Historically, SAML and WS-Fed were used for enterprise connections and are browser based.
OIDC is for mobile and can be used via ADAL for native devices i.e. non-browser based e.g. dektop applications.
We have an on-premise website at the moment and I need to make it public, but require users to log in with their office 365 username and password.
My problem is that I've looked everywhere and can't seem to find an implementation for ubuntu servers.
I've also seen many instances of syncing office 365 accounts to the on-premise AD accounts, but not the opposite.
Ideally it should be implemented through Single Sign On.
You need to register your website as an Azure AD application, which will provide you with an app id and app secret. Your website will then need to implement the oauth 2.0 flow. Microsoft provides libraries for most platforms but if they don't have one for yours, everything is accessible through REST calls.
There are two most likely approaches to achieve this:
Configure SAML SSO in your application then use Azure AD as the IdP (as in Bernhard's comment). This will allow your application to gain information passed within the Saml token. You'll still need to present the site to the Internet via some sort of reverse proxy
Consider placing your website behind Azure App Proxy. This will allow you to publish the site over the Internet without having to open any firewall ports, and will allow you to use KCD to log users in without having to configure anything in your application, simply enabling Windows Integrated Authentication. This provides two very important benefits: 1) Unauthenticated visitors cannot hit the site at all, providing significant DDoS/attack protection, and; 2) No reverse proxy or other appliances are required, typically
I have some some basic questions on Openid
1. Can anyone become an openid provider?
2. If someone signed-up to our site will they be able to use that id in any other website that uses open id ? example Google aps ?
Most sites that do OpenID are just consumers. If you become a provider, you dictate who can become a consumer. Many sites are only configured to accept specific OpenID providers, but those that accept any OpenID provider (e.g. SourceForge) will work with your provider.
For Google Apps, this post may be useful:
How do you delegate your OpenId to Google Apps
Sounds like you have to pay Google money to get access to that feature but a lot can change in three years.
If you are just looking for a generic SSO system, I recommend looking at:
http://barebonescms.com/documentation/sso/
It is "consumer-only" for the moment.