I am looking for local open source application which can run in my local environment which supports SAML authentication. To test my idp as SP initiated authentication.
So, I need a SP application in which I can import my idp metadata to test.
Please suggest open source application to achieve that.
There are a number of SAML stacks here that you could use.
Related
There is an existing mechanism to log into a website. Now, external / remote SAML IDP is being added to facilitate SSO. The website uses other micro-services and components that provide data and functionality to the website.
Is there a way to have an existing mechanism of local identity username password credentials to continue to co-exist as an alternate strategy for authentication alongside remote IDP SSO while keeping rest of the services handling authorization in a semantic way (using a saml token)?
P.S. I looked at the options to implement existing auth mechanism as saml IDP, but building it seems complex even with the likes of shibboleth or openSAML libraries.
P.P.S. I haven't looked at possibility of reimplementing existing auth mechanism with openId connect to co-exist with remote saml idps.
Sure: one can provide a landing page to the user that gives a choice between using a local account or an account at a remote IDP.
Hopefully this isn't a duplicate or too broad. I just have a feeling I need a bit more information than anything else I've been able to find.
I have a program/server that already has a functioning SAML SP built in to it. I'm trying to get it connected to a test Shibboleth IdP (V3.3.3) on an internal server running Windows Server. I have it installed and connected to our Active Directory users. The documentation was great for getting to that point.
Now I have no earthly clue how to proceed. I see a lot of information about exchanging configuration/XML info and certificates between SPs and IdPs. I believe I have a valid SP XML and certificate to give to the IdP, but I don't know:
Where to put the SP XML information in the IdP installation
Where to put the SP certificate in the IdP installation (or setup/configure a path to a certificate)
Where to get the IdP certificate (I think the default setup generates something for me? Unclear)
Where the IdP login path is
Whether or not there's anything else I need to configure to get the two talking
1 through 4 are probably my biggest confusions that I can't seem to find info on. The Shibboleth documentation seems to assume I am far more familiar with configuring an IdP than I am. It tells me where to configure literally anything/everything possible, but I don't know what I should be configuring.
Anyhow, thanks for any help on this. I've been wasting a pitiful amount of time trying to figure this out.
To answer your five (5) questions, without loss of generality, we assume that
(I) the metadata file of SAML IdP is idpsaml-metadata.xml
(II) the metadata file of SAML SP is sp-example-org.xml
Q&A
Where to put the SP XML information in the IdP installation
Answer: /opt/shibboleth-idp/metadata/sp-example-org.xml
Where to put the SP certificate in the IdP installation (or setup/configure a path to a certificate)
Answer: The metadata file of SAML SP consists of the SP certificate.
SAML IdP will extract SP certificate from SAML SP's metadata (e.g., sp-example-org.xml)
Where to get the IdP certificate (I think the default setup generates something for me? Unclear)
Answer: The metadata file of SAML IdP consists of all the IdP certificates (which have been generated by the default setup of SAML IdP).
You need to place the metadata file of SAML IdP (e.g., idpsaml-metadata.xml) into the SAML SP's home directory, e.g., /etc/shibboleth/idpsaml-metadata.xml
Where the IdP login path is
Answer: Usually SAML SP uses HTTP-POST endpoint as SAML IdP login path, e.g.,
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://IdP-Server-URL/idp/profile/SAML2/POST/SSO"/>
You also need to configure Shibboleth IdP with LDAP user authentication.
/opt/shibboleth-idp/conf/idp.properties
/opt/shibboleth-idp/conf/ldap.properties
/opt/shibboleth-idp/conf/attribute-filter.xml
/opt/shibboleth-idp/conf/attribute-resolver-full.xml
Whether or not there's anything else I need to configure to get the two talking
Answer: To allow SAML IdP to provide identity authentication for SAML SP, both SAML IdP and SAML SP need to exchange their metadata.
Then you need to configure SAML IdP with SAML SP.
SAML IdP
/opt/shibboleth-idp/conf/metadata-providers.xml
/opt/shibboleth-idp/conf/relying-party.xml
SAML SP
/etc/shibboleth/shibboleth2.xml
/etc/shibboleth/attribute-map.xml
Remarks:
How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides the sample configuration files for Shibboleth IdP and SP.
I've just configured Shibboleth IdP3.2 with my web application that authenticates the users against an LDAP server at the backend.
I could test this authentication process at the local machine. But, while deploying the code on CI server, I realized that the authentication process could not be completed successfully.
The reason behind this failure is that the Service Provider (SP) cannot access the (IdP). From our initial investigation, We chose SAML as the authentication protocol over other protocols like CAS because it did not need a back channel communication. As long as the user has access to both SP and IdP,the authentication process would still work.(SP and IdP need not interact with each other)
On testing we found that the attribute resolution is successful, but the subsequent artifact resolution is failing. In artifact resolution, IdP directly contacts the SP and expects a response. SP cannot send a response to IdP as it is inaccessible. Hence, the authentication fails. (Tomcat logs show: unknownHostException)
Some SAML flows in Web Browser SSO do not require direct communication between SP and IdP as seen from flow diagram in this link.
Does Shibboleth IdP make provisions for such implementations? Is there a work around for implementing Shibboleth IdP without any back channel communication?
SOLUTION:
As Stefan mentioned, there are alternative bindings like HTTP-Redirect and HTTP-POST that do not use back channel communication. You can read more about these bindings here
I changed the SP metadata to make HTTP-POST as the default binding, referring this link.
I did not have to make any changes to Shibboleth IdP configuration as these alternative bindings were already being supported, as substantiated by the metadata file.
According to this documentation, you can set the outgoingBindings attribute to set the preferred binding to use.
I would also recommend removing the HTTP-Artifact binding from the SP metadata.
I installed PingFederate on an AWS EC2 running Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09. I have a Java application that is using Spring Security for authentication.
I have read about how with PingFederate, I can set up an Identity Provider(IdP) and a Service Provider(SP). I have gathered that the IdP would be the Application User providing login credentials(the Identity) and passing this to the SP which has the Target Application apart of the SP in this diagram on this page here:
http://documentation.pingidentity.com/display/PF66/Service+Providers+and+Identity+Providers
This image also shows the Federated Identity Software on both sides of the IdP and the SP.
I have created an IdP and SP with my local PingFederate server just to see what the configuration options are and I am confused on which parts of this I actually need to be able to have a SSO for my Spring Security application.
My questions are:
Do I need an IdP and SP to implement that I am trying to do.
Right now our usernames and passwords are stored in a SQL Server, would I leverage this for PingFederate to use to authenticate the users?
Should I even be using Spring Security SAML for this or would another route be more appropriate?
Thanks for any help, I have reached out to PingFederate but my Regional Solutions Architect happens to be out until Friday.
I also apologize if I am completely off in my thinking, I am trying to wrap my mind around what is needed.
Presuming your goal is to establish federation between Ping and your application (in order to e.g. externalize authentication or enable single sign-on), your thinking is correct.
The Ping Federate serves as an Identity Provider (IDP) and you can configure it to connect to your SQL server, so that it can authenticate your existing users from there. IDP communicates with other applications which are called Service Providers (SP).
In order to connect to Ping your application therefore needs to be able to act as a SAML 2.0 Service Provider and using Spring SAML is a very good way to enable it to do so.
The typical flow of data between SP and IDP for single sign-on is similar to:
User accesses SP application which requires authentication
SP creates an AuthenticationRequest and sends it to IDP (using redirect in user's browser)
IDP processes the request and authenticates the user
IDP responds back to SP with an AuthenticationResponse message
SP processes the response and creates a session for the user based on the included data
There is an assumption being made that you need SAML between your Spring app and PingFederate. That is not true depending on how it is deployed and if you (see Andy K follow-up questions). You should check out the OpenToken Integration Kit for Java or perhaps the ReferenceID Int Kit from Ping as a possible solution. Much simpler to integrate than trying to hack together another SAML solution that may not be needed. However, I would recommend talking to your RSA who can give you the best approach for your scenario.
I have a requirement for cross domain sso. So, i chose OpenAM with SAML. I have two applications hosted in different servers and host for which i need to implement SSO.
Now i read about OpenAM with SAML but could get the core idea about the setup. LDAP is used as user data store.
Now i have something in mind and want to verify if it meets my requirement.
Since i have two applications(AppA and AppB) in need of SSO implementation. I need two OpenAM configured as service provider? and should be deployed in different tomcat containers? Should the each service providers be deployed in AppA and AppB?
I need another separate tomcat container for identity provider OpenAM?
The sp should be registered to idp and idp should be registered to sp within same Circle of trust?
Do i have to do anything else? Again do i have to configure separate LDAP for each idp and sp ? Anyway, what can be the ideal setup in my case?
You need one IdP, your apps have to implement the SP. If your apps are Java based you could leverage OpenAM's Fedlet or use Spring Security SAML extension (works like a charm).
There's also a PHP SAML SP and even an Apache http server SAML module ...
Or you could use OpenIG as a reverse-proxy (but it's a java web app) which also implements a SAML SP.
-Bernhard
One more possible solution in which you can use OpenAM out of the box is by using OpenAM identity federation:
Use the standard OpenAM Identity federation setup (with IDP and SP) as explained in this post: http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity.html
You will need to have an IDP for AppA and SP for AppB or vice versa. IDP will be connected to your user store.
On SP side create a dummy user store using something like OpenDS.
Import all the users from IDP to SP (using a scheduled daily batch job)
Implement auto federation based on one or more of the user attributes.
Use OpenAM authorization features on SP side to give access to SP side App