SSO - Many-To-One recommendation - single-sign-on

For an application which offers the integration of one SSO solution, we need to add multiple SSO "providers".
One connection which authorizes the employees working in our company, and multiple others which authorize each of our customers who should have access.
Is there any self-hosted or SaaS solution providing something like that?
As I understood it, the identity broker services I had a look at provide a solution as Many-To-One.
I would like to find a service which works as a broker between the application and different SSO sources (e.g. Azure AD, local AD, LDAP, ...).

There are a few services available as far as I know.
WorkOS
SAML Jackson from BoxyHQ (Open-source and Self hosted)
Datawiza
The above services support multiple IdPs such as Okta, OneLogin, Azure AD, JumpCloud, etc.

Related

OneLogin SSO - Multiple ACS (Consumer) URL on single SAML Application

I'm using OneLogin for Single Sign On on my application. I'd like to have a different URL to authenticate users of the mobile app (infrastructure reasons). On the OneLogin app admin page it seems I can only define one ACS (Consumer) URL, whereas on IdPs like Azure I can have multiple. Is this possible on OneLogin?
I can confirm that OneLogin does not have this feature at the moment. I'm implementing a server cluster that would utilize a single multi-SAN certificate and we were hoping to be able to create a single connector with OneLogin, but they say that they can't provide this at the moment and the best they can do is put in a feature request to their development team.
Regards,
Hunor
Looking today, I can see that there are some application configurations that support multiple ACS URLs.
If you configure a new application with one of them it is possible to list multiple ACS URLs (although I can't see a way to specify the ACS Index for each of them).
I'm not sure if it's possible to repurpose one of those configurations for a completely different service, but at this stage I think it would be the only possible way, as I can't find a generic Multi ACS configuration.

How might I apply multiple security mechanisms to a Swagger-generated REST service?

I have generated JAX-RS stubs for a REST service using Swagger and want to set up the security.
The security side is very new to me and I would like to use standards as far as possible. (In the past, for other J2EE applications, I have used Filters to handle Authentication which put User objects into a Session. As I understand it, Sessions should be avoided for REST.)
There are 4 types of user who will access the services
Customers and business partners (Authentication via OAuth or similar)
Employees (Authentication via NTLM & LDAP)
Developers (Mock authentication/authorisation of some kind)
Integration test (JUnit with pre-defined users and roles)
Is it possible to define a security mechanism which would handle all of these users?
How would I use the Swagger security directives?
Am I making this more complicated than it needs to be?
You could use an open source API gateway like Tyk? Here’s a link to some handy info on API Security in the tyk docs.
And here is a blog post that describes taking a layered approach to API Security that goes beyond the gateway.
Disclosure: I work for Tyk!
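The question above asks for one security mechanism covering OAuth-authenticated customers, NTLM/LDAP-authenticated employees, mock developer logins and pre-defined integration-test users. The usual answer, whether it is done in a gateway or in a JAX-RS ContainerRequestFilter, is a single entry point that dispatches on the Authorization scheme and on the deployment profile, so that the mock and test mechanisms physically cannot authenticate anyone in production. The following is an added example written for this page (not the questioner's stubs and not Tyk code); the HS256 shared secret, the test-user table and the X-Mock-User header are constructed for the example, and the Negotiate (NTLM/Kerberos) branch is only a placeholder because the SSPI/GSSAPI round trip cannot be reproduced offline.

```python
"""Select an authentication mechanism per request, by Authorization scheme and
deployment profile. Added example; not the page's or Tyk's code."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed secret for the example. In production the OAuth server's key
# (or JWKS) is used; an HS256 shared secret is shown only so it runs offline.
OAUTH_HMAC_SECRET = b"example-shared-secret-do-not-reuse"

# Constructed pre-defined users for the integration-test profile (JUnit style).
TEST_USERS = {"itest-admin": ("itest-pw", ["admin"]), "itest-user": ("itest-pw", ["user"])}


@dataclass
class Principal:
    name: str
    roles: list = field(default_factory=list)
    mechanism: str = ""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Issue a token so the verifier below can be exercised offline."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Verify alg pinning, signature (constant time) and expiry; None on any failure."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":          # refuse 'none' / algorithm confusion
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims


def authenticate(headers: dict, profile: str, now: Optional[float] = None) -> Optional[Principal]:
    """Single entry point. profile is 'prod', 'dev' or 'test'; the mock and
    test-user branches are unreachable unless the matching profile is active."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    scheme = scheme.lower()

    if scheme == "bearer":                        # customers / partners: OAuth token
        claims = verify_hs256_jwt(value, OAUTH_HMAC_SECRET, now)
        if claims and claims.get("sub"):
            return Principal(claims["sub"], claims.get("roles", []), "oauth")
        return None

    if scheme == "negotiate":                     # employees: NTLM / Kerberos
        # Assumption: handed to a separate Negotiate authenticator (SSPI/GSSAPI),
        # which cannot run offline, so this example does not authenticate here.
        return None

    if scheme == "basic" and profile == "test":   # integration tests only
        try:
            user, _, pw = base64.b64decode(value).decode().partition(":")
        except ValueError:
            return None
        rec = TEST_USERS.get(user)
        if rec and hmac.compare_digest(rec[0], pw):
            return Principal(user, rec[1], "test-basic")
        return None

    if profile == "dev" and "X-Mock-User" in headers:   # developer mock login
        return Principal(headers["X-Mock-User"], ["developer"], "mock")

    return None
```

The profile check sits inside the dispatcher rather than in deployment configuration alone, so a test user or mock header presented to a production instance is rejected even if the header filtering in front of the service is misconfigured.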

SaaS provider wanting Single-Signon, do I need to integrate with several Identity Providers?

I work for a SaaS provider that is wanting to SSO enable our application to enterprise customers with our application acting as the service provider.
I understand the concepts behind what needs to happen and that SAML is an appropriate solution for what we are looking to do. Looking at bigger SaaS providers (Slack, Dropbox, New Relic etc.) I can see they typically seem to integrate with a number of Identity Providers such as OneLogin, Bitium, Okta, Ping Identity etc., along with generic SAML support.
As a smaller outfit we don't have the resources to partner and integrate with multiples of ID providers and to continue to add to that list as new providers emerge.
My question is that in order to provide SAML support in our application do I really need to have integrations with multiple IDPs or can I rely on a generic SAML implementation?
So if for example I used OneLogin to set up Single Sign On does that only enable SSO for clients who are using One Login as their Identity Provider?
No. It is not required IMHO. As long as you are SAML 2.0 compliant (SP-Lite typically), you'll find that you'll have customers using many different commercial (and open source) Identity Provider solutions. The vast majority of SaaS vendors have not done anything specific to support different IDP implementations. The SaaS supports the SAML 2.0 spec and ends up having customers integrating successfully with the different (IDP) products. At that point they claim to "support" the different providers.
Adhere to the spec as best you can and the rest will take care of itself.
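What "adhere to the spec" looks like in code, for this question and for the Many-To-One broker question at the top of the page: the SP keeps one validation routine and a table of IdP configurations, one entry per tenant (plus one for the company's own staff), and the only thing that differs between Okta, Azure AD or a self-hosted IdP is the data in that table. The example below is added for this page and is not the questioner's code; the entity IDs, URLs and the sample Response are constructed. It validates the parts of a SAML 2.0 Response that are routinely skipped (Destination, InResponseTo, issuer pinned to the tenant's IdP, audience, both validity windows); XML-Signature verification is assumed to have been done before this point with a proper library such as xmlsec and is not shown.

```python
"""Generic SAML 2.0 SP response checks driven by per-tenant IdP configuration.
Added example; not from the page or from any product it names."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SP_ENTITY_ID = "https://app.example.com/saml/metadata"   # assumed SP identity
SP_ACS_URL = "https://app.example.com/saml/acs"           # assumed ACS endpoint


@dataclass(frozen=True)
class IdpConfig:
    entity_id: str
    sso_url: str
    # The IdP signing certificate belongs here as well; signature verification
    # is assumed to happen before validate_response() and is not shown.


# Constructed registry: one IdP for employees, one per customer tenant.
IDP_REGISTRY = {
    "employees": IdpConfig("https://sts.windows.net/contoso-tenant/",
                           "https://login.microsoftonline.com/contoso-tenant/saml2"),
    "acme": IdpConfig("https://idp.acme.example/metadata", "https://idp.acme.example/sso"),
    "globex": IdpConfig("https://globex.okta.example/app/x", "https://globex.okta.example/app/x/sso/saml"),
}


def parse_saml_time(s: str) -> datetime:
    """SAML timestamps are UTC; fractional seconds are ignored here."""
    s = s.rstrip("Z").split(".")[0]
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, tenant: str, request_id: str, now: datetime) -> dict:
    """Return the subject and attributes, or raise ValueError. The assertion
    must come from *this tenant's* IdP, not merely from some registered IdP."""
    idp = IDP_REGISTRY[tenant]
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS")
    if root.get("InResponseTo") != request_id:
        raise ValueError("InResponseTo does not match the outstanding AuthnRequest")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP reported a non-success status")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp.entity_id:
        raise ValueError(f"issuer {issuer!r} is not the IdP configured for tenant {tenant!r}")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < parse_saml_time(nb)) or (noa and now >= parse_saml_time(noa)):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("we are not the intended audience")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != SP_ACS_URL
            or scd.get("InResponseTo") != request_id
            or scd.get("NotOnOrAfter") is None or now >= parse_saml_time(scd.get("NotOnOrAfter"))):
        raise ValueError("bearer SubjectConfirmationData check failed")
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"tenant": tenant, "name_id": name_id, "attributes": attrs}


# Constructed, unsigned sample Response from tenant "acme"'s IdP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" Destination="https://app.example.com/saml/acs" InResponseTo="_req42">
  <saml:Issuer>https://idp.acme.example/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.acme.example/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@acme.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://app.example.com/saml/acs"
          InResponseTo="_req42" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>customer-admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Onboarding a new customer is then a new row in IDP_REGISTRY (in practice loaded from the customer's IdP metadata), not new code, which is the point of the answer above. The issuer check against the tenant's own entry is what stops one customer's IdP from minting assertions for another customer's users.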

How to create a new SP connection in PingFederate?

We are using PingFederate to enable SSO. It's being mapped with the LDAP directory server and our site is able to use SSO. Now we are integrating a helpdesk software application which is being hosted somewhere within our own site. We want the help desk user to be able to login using our site credentials. For that I need to add the help desk as a partner (SP) in PingFederate acting as an IdP.
How can I achieve this? A brief explanation would be helpful. Thanks in advance.
You may want to check out the Getting Started - Part 3 recording from our website. It demonstrates how to set up a connection to a typical service provider.
https://www.pingidentity.com/support/training-center/index.cfm/103-creating-a-connection?id=1011570451001
In a nutshell, you would need to communicate with your partner about federation and share some information like:
Federation Standard/Protocol,
Base URL, Entity ID, Endpoints,
Binding,
SSO profile,
Attributes,
and so on.
All of the above depends on what federation server your partner is using. Once you have all the information you can quickly set up the connection to your partner within PingFederate.
I hope this helps. I've also sent you a PM.
There's lots of good information in our documentation on managing SP connections: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-92&topicId=adminGuide%2FmanagingSpConnections.html
How the connection is made largely depends on how you authenticate users, what attributes you're sending, and what the SAML capabilities/details are of your help desk software. If no SAML features are available, you may have to use one of our Integrations to either front end it (with a web server plugin, like Apache or IIS) or modify the app (using one of our language kits or agentless integration approach).
You may also want to consider sitting in one of our training sessions on PingFederate basics: https://www.pingidentity.com/en/resources/training.html
Should all else fail, our support centre is there to help if you have a valid contract.
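The items the first answer lists (entity ID, endpoints, binding, attributes, signing key) are normally exchanged as SAML metadata rather than by hand, and the same metadata is where the multiple ACS URLs from the OneLogin question earlier on this page are declared, each with an index. The example below, added for this page and not PingFederate's or OneLogin's code, parses a constructed helpdesk SP metadata document into the fields an IdP connection needs, then resolves which ACS endpoint a given AuthnRequest may be answered at: by AssertionConsumerServiceIndex, by AssertionConsumerServiceURL, or the default. The URL case is the security-relevant one: an IdP that honours any URL the request names, instead of only those registered in metadata, can be made to post an assertion to a site the SP never listed. All entity IDs, URLs and the certificate placeholder are constructed.

```python
"""Parse partner SP metadata into the parameters an IdP connection needs, and
resolve the AssertionConsumerService an AuthnRequest may be answered at.
Added example; not code from PingFederate, OneLogin or the page."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


@dataclass
class Acs:
    index: int
    url: str
    binding: str
    is_default: bool = False


@dataclass
class SpConnection:
    entity_id: str
    acs: List[Acs]                               # sorted by index
    nameid_formats: List[str]
    requested_attributes: List[Tuple[str, bool]] # (name, required)
    wants_signed_assertions: bool
    signing_cert_b64: Optional[str]


def parse_sp_metadata(xml_text: str) -> SpConnection:
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: partner does not publish SAML SP metadata")
    acs = [Acs(int(e.get("index")), e.get("Location"), e.get("Binding"), e.get("isDefault") == "true")
           for e in sp.findall("md:AssertionConsumerService", NS)]
    if not acs:
        raise ValueError("SP declares no AssertionConsumerService")
    cert = None
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):    # no 'use' means both signing and encryption
            cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default=None, namespaces=NS)
            break
    return SpConnection(
        entity_id=root.get("entityID"),
        acs=sorted(acs, key=lambda a: a.index),
        nameid_formats=[e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
        requested_attributes=[(e.get("Name"), e.get("isRequired") == "true")
                              for e in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)],
        wants_signed_assertions=sp.get("WantAssertionsSigned") == "true",
        signing_cert_b64=cert.strip() if cert else None,
    )


def resolve_acs(conn: SpConnection, authn_request_xml: str) -> Acs:
    """Pick the ACS to send the Response to. Index and URL must both resolve to
    an endpoint registered in the SP's metadata; anything else is refused."""
    req = ET.fromstring(authn_request_xml)
    if req.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    idx, url, binding = (req.get("AssertionConsumerServiceIndex"),
                         req.get("AssertionConsumerServiceURL"), req.get("ProtocolBinding"))
    if idx is not None:
        for a in conn.acs:
            if a.index == int(idx):
                return a
        raise ValueError(f"ACS index {idx} is not registered for {conn.entity_id}")
    if url is not None:
        for a in conn.acs:
            if a.url == url and (binding is None or a.binding == binding):
                return a
        raise ValueError(f"ACS URL {url} is not registered for {conn.entity_id}")
    return next((a for a in conn.acs if a.is_default), conn.acs[0])


def authn_request(**attrs: str) -> str:
    """Constructed minimal AuthnRequest carrying the given ACS-selection attributes."""
    extra = "".join(f' {k}="{v}"' for k, v in attrs.items())
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="_r1" Version="2.0" '
            f'IssueInstant="2024-05-01T12:00:00Z"{extra}/>')


# Constructed metadata for a hypothetical helpdesk SP with two ACS endpoints.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://helpdesk.example.com/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://helpdesk.example.com/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://m.helpdesk.example.com/saml/acs" index="1"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Helpdesk</md:ServiceName>
      <md:RequestedAttribute Name="mail" isRequired="true"/>
      <md:RequestedAttribute Name="displayName"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

For the mobile-URL case from the OneLogin question, the SP lists both ACS endpoints with distinct indexes and the mobile client's AuthnRequest names index 1; an IdP whose connector only stores one ACS URL cannot represent that, which is what the OneLogin answers on this page report.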

An IdP/STS for SaaS providers, where the SaaS customer does his own user management?

(This question is not about programming, but about how to avoid doing any programming. Also, lots of terminology in here-- I'm assuming someone with an answer will already know what they mean.)
Background: I'm working on single sign-on in an environment with 'federated identity'. We have several products that are federation-aware (using, e.g., WS-Federation or SAML protocol, implemented with, e.g., WIF on .NET and Fedlet on Java), and they are offered to customers using a SaaS model. Many of those customers don't have their own store of usernames/passwords, so they will not run an "identity provider" themselves.
Question: Is there a product out there that
can be installed at the SaaS provider;
plays the role of an IdP/STS (i.e., identity provider in a federated environment) to the SaaS-provided applications;
has its own username/password store, separately for each SaaS customer ("tenant");
allows the SaaS customer to do his own user management, without requiring assistance from the SaaS provider.
(We could build this ourselves, e.g., as a custom STS on top of WIF with user admin screens, but we're trying to avoid that. It's not really our core business.)
Have you had a look at Google App Engine?
They support SAML, so you can use them as your IdP.
So we did not find a product that fulfills all these requirements.
What we decided on was to use AD FS 2.0 as the SaaS IdP/STS, store usernames/passwords in AD (making the SaaS customer name part of the username), and customize the AD FS sign-in page linked to a custom web application for user management and user self-service.
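The design in the answer above rests on two invariants: the tenant is part of the username, so two customers can each have an "alice" without colliding, and user management is delegated to a tenant administrator who can act only within that tenant. The example below, added for this page and not AD FS code or the answerer's application, shows those invariants as a small credential store with a tenant-scoped admin check, self-service password change, and the claim set (subject, tenant, roles) an STS would then place in the token. The tenant\user naming convention, the role names and the PBKDF2 parameters are constructed for the example.

```python
"""Per-tenant credential store with the tenant folded into the username and
management rights scoped to the caller's own tenant. Added example; not from
the page and not AD FS code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SEP = "\\"   # constructed convention: "tenant\\user", in the style of DOMAIN\\user
TENANT_ADMIN = "tenant-admin"


def qualify(tenant: str, user: str) -> str:
    if not tenant or not user or SEP in tenant or SEP in user:
        raise ValueError("tenant and user must be non-empty and must not contain the separator")
    return f"{tenant}{SEP}{user}"


def split_qualified(name: str):
    tenant, sep, user = name.partition(SEP)
    if not sep or not tenant or not user:
        raise ValueError(f"{name!r} is not a tenant-qualified username")
    return tenant, user


@dataclass
class Account:
    salt: bytes
    digest: bytes
    roles: List[str] = field(default_factory=list)


class TenantStore:
    ITERATIONS = 100_000   # PBKDF2 cost; assumption for the example

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def bootstrap_tenant(self, tenant: str, admin_user: str, password: str) -> None:
        """SaaS-provider step when onboarding a customer: seed its first admin."""
        salt = os.urandom(16)
        self._accounts[qualify(tenant, admin_user)] = Account(salt, self._hash(password, salt), [TENANT_ADMIN])

    def _require_tenant_admin(self, actor: str, tenant: str) -> None:
        actor_tenant, _ = split_qualified(actor)
        acct = self._accounts.get(actor)
        if acct is None or actor_tenant != tenant or TENANT_ADMIN not in acct.roles:
            raise PermissionError(f"{actor} may not manage tenant {tenant}")

    def create_user(self, actor: str, tenant: str, user: str, password: str, roles=()) -> None:
        """Customer self-management: only that tenant's admin may add its users."""
        self._require_tenant_admin(actor, tenant)
        qn = qualify(tenant, user)
        if qn in self._accounts:
            raise ValueError(f"{qn} already exists")
        salt = os.urandom(16)
        self._accounts[qn] = Account(salt, self._hash(password, salt), list(roles))

    def authenticate(self, qualified: str, password: str) -> Optional[dict]:
        """Return the claims an STS would issue, or None. Unknown users still
        pay the hash cost so timing does not reveal which names exist."""
        acct = self._accounts.get(qualified)
        if acct is None:
            self._hash(password, b"\0" * 16)
            return None
        if not hmac.compare_digest(acct.digest, self._hash(password, acct.salt)):
            return None
        tenant, user = split_qualified(qualified)
        return {"sub": user, "tenant": tenant, "roles": list(acct.roles)}

    def change_password(self, qualified: str, old: str, new: str) -> None:
        """User self-service: proves the old password, needs no administrator."""
        if self.authenticate(qualified, old) is None:
            raise PermissionError("old password incorrect")
        acct = self._accounts[qualified]
        acct.salt = os.urandom(16)
        acct.digest = self._hash(new, acct.salt)
```

The tenant claim comes from the username prefix, never from anything the client sends, so the relying applications can authorise on it; and because the admin check compares the actor's own prefix to the target tenant, a customer administrator cannot create or reset accounts in another customer's tenant even though all tenants share one store.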