ForgeRock OpenAM - SP Initiated SSO - single-sign-on

I am using ForgeRock Access Management as the Identity Provider with an ASP.NET Webforms application as the Service Provider. I am doing an SP initiated SSO. SP is set up as a Remote Identity Provider, and IDP is set up as a hosted Identity Provider. I have set up identities using the embedded OpenDJ identity store.
The following error is generated in the Federation log after the SP initiates the SSO, and when the IDP is trying to connect to the AssertionConsumerService.
Any inputs would be appreciated.
DEBUG: DoManageNameID.removeIDPFedSession trying to remove entity=http://NiadServiceProvider, nameID=MQn1laR0S3KpqCVnB2AiZvklmWy7 from IDP session cache
o.f.o.s.UtilProxySAMLAuthenticatorLookup: 2022-03-02 17:16:03,024: Thread[http-nio-8080-exec-8]: TransactionId[cee84c25-fa5b-408c-aea6-883ff540f925-548093]
ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.
com.sun.identity.saml2.common.SAML2Exception: Unable to generate NameID value.

Related

Keycloak as SAML IdP to ADFS

I have a Keycloak server that is functioning as my identity provider, using X.509 authentication to the users in my realm. I have successfully configured this as an external identity provider (SAML 2.0) to an ADFS server since I'm trying to allow access to an IIS-hosted web application through Web Application Proxy.
My current effort is to configure the claim rules to map the incoming SAML assertion attributes to internal Active Directory user accounts, so that ADFS/WAP can perform integrated Windows authentication internally once the external authentication is mapped to an internal user.
Most of the search results I've found address the exact opposite, assuming that I've authenticated with ADFS and need to map LDAP attributes to an outgoing claim.
Can anyone provide help, or direct me to a good source?

Keycloak - SSO between OIDC and SAML2.0 Clients

Is SSO between OIDC and SAML2 clients possible in Keycloak? If so, how can this be achieved, either by an IDP initiated or an SP initiated authentication process?
Does Keycloak produce cookies that can be used in SAML SP clients, even though we authenticate with OIDC clients?
I'm trying to connect my OIDC clients such as VueJS and Spring Boot applications with SAP ECC EHP7, so that I can use the authenticated user, either token or cookie, to send requests to the SAP ECC EHP7 API.
I have already configured the SAP ECC EHP7 SAML2 configuration to add Keycloak as a trusted identity provider and imported it as an SP in Keycloak clients.
I need a clear infrastructure and technical configuration of the authentication flow and request on how we can achieve this.

SSO Between Keycloak IDP and another IDP

I own an application which has its own IDP - let's call it app1.
I would like to establish SSO to app2 which uses Keycloak as IDP - let's call it app2.
App1:
Up and running, so I cannot convert my IDP to Keycloak
App2:
No users yet
External vendor app (not managed on my domain)
Which possibilities do I have to establish SSO between app1 and app2?
Thanks
One possible scenario:
You could configure app1-IDP as a third-party IDP in your Keycloak. Then set the app1-IDP as the Default Identity Provider in the Identity Provider Redirector Authenticator in your Realm's Browser Flow.
If app1-IDP should control the SSO session alone, you can then remove the Cookie Authenticator from the Browser Flow.
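The setup the answer describes, as an added example of my own and not code from the answer or from the Keycloak project: kcadm.sh commands that register app1's IdP as a SAML identity provider in the realm that serves app2, copy the built-in browser flow, set that IdP as the Default Identity Provider on the Identity Provider Redirector, optionally delete the Cookie authenticator, and bind the new flow as the realm's browser flow. The realm name app2, the alias app1-idp, the flow name browser-app1, the Keycloak and app1 URLs, the certificate file name, and kcadm.sh and jq being on PATH are all assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): broker app1's SAML IdP into a
# Keycloak realm and make it the default login path via the browser flow.
# Assumptions (hypothetical): realm "app2", Keycloak at http://localhost:8080,
# app1's SAML SSO endpoint and signing certificate file as named below,
# kcadm.sh and jq available on PATH.
set -eu

KC_SERVER="${KC_SERVER:-http://localhost:8080}"
REALM="${REALM:-app2}"
IDP_ALIAS="${IDP_ALIAS:-app1-idp}"
FLOW="${FLOW:-browser-app1}"

# JSON body for the Identity Provider Redirector's authenticator config:
# Keycloak reads config.defaultProvider and redirects straight to that IdP alias
# instead of showing its own login page.
redirector_config_json() {
  printf '{"alias":"%s-redirect","config":{"defaultProvider":"%s"}}' "$1" "$1"
}

# From the JSON array that `kcadm.sh get authentication/flows/<flow>/executions`
# returns, print the execution id whose providerId equals $2.
execution_id_for() {
  printf '%s' "$1" | jq -r --arg p "$2" '.[] | select(.providerId == $p) | .id'
}

kc() { kcadm.sh "$@"; }

apply() {
  kc config credentials --server "$KC_SERVER" --realm master \
    --user admin --password "${KC_ADMIN_PASSWORD:?set KC_ADMIN_PASSWORD}"

  # 1. Register app1's IdP as a SAML identity provider. Signature validation
  #    stays on: without it any party can mint assertions for this realm.
  kc create identity-provider/instances -r "$REALM" \
    -s "alias=$IDP_ALIAS" -s providerId=saml -s enabled=true \
    -s 'config.singleSignOnServiceUrl=https://app1.example.com/saml/sso' \
    -s 'config.nameIDPolicyFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' \
    -s 'config.validateSignature=true' \
    -s "config.signingCertificate=$(sed '/-----/d' app1-idp-signing.pem | tr -d '\n')"

  # 2. Work on a copy of the built-in browser flow, never on the built-in itself.
  kc create authentication/flows/browser/copy -r "$REALM" -s "newName=$FLOW"
  local execs
  execs="$(kc get "authentication/flows/$FLOW/executions" -r "$REALM")"

  # 3. Make app1-idp the Default Identity Provider on the redirector execution.
  local redirector
  redirector="$(execution_id_for "$execs" identity-provider-redirector)"
  kc create "authentication/executions/$redirector/config" -r "$REALM" \
    -b "$(redirector_config_json "$IDP_ALIAS")"

  # 4. Optional: drop the Cookie authenticator so Keycloak never satisfies a
  #    browser login from its own session cookie; every login goes back to app1.
  if [ "${DROP_COOKIE:-0}" = 1 ]; then
    kc delete "authentication/executions/$(execution_id_for "$execs" auth-cookie)" -r "$REALM"
  fi

  # 5. Bind the new flow as the realm's browser flow.
  kc update "realms/$REALM" -s "browserFlow=$FLOW"
}

if [ "${1:-}" = apply ]; then apply; fi
```

Run it as `KC_ADMIN_PASSWORD=... ./broker-app1.sh apply`; add `DROP_COOKIE=1` to also remove the Cookie authenticator as the answer suggests. Note that with the Cookie authenticator gone, app1's IdP decides on every request whether the user is still logged in, so app1's session lifetime and logout behaviour become app2's as well.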

How can I get a SAML security token for a user logged in via SSO in WSO2 Identity Server?

I have WSO2 Identity Server set up together with a web application that is configured for SAML 2.0 SSO.
When a user has authenticated, I want to invoke a SOAP service from this application. The SOAP service trusts the Identity Server and is protected with WS-Security. It expects a SAML 2.0 token in the request.
Is it possible for the application to get a SAML token from the WSO2 STS for the currently logged-in user?
The STS seems to require username/password (or X.509 certificate) to authenticate the user, which I don't have in the application (I have only the username).
Is there another way apart from the STS to get a token for the logged-in user?

Cross domain sso with OpenAM with SAML 2.0

I have a requirement for cross domain SSO. So, I chose OpenAM with SAML. I have two applications hosted in different servers and hosts for which I need to implement SSO.
Now I read about OpenAM with SAML but could get the core idea about the setup. LDAP is used as user data store.
Now I have something in mind and want to verify if it meets my requirement.
Since I have two applications (AppA and AppB) in need of SSO implementation, do I need two OpenAMs configured as service providers? And should they be deployed in different Tomcat containers? Should each service provider be deployed in AppA and AppB?
Do I need another separate Tomcat container for the identity provider OpenAM?
The SP should be registered to the IdP and the IdP should be registered to the SP within the same Circle of Trust?
Do I have to do anything else? Again, do I have to configure a separate LDAP for each IdP and SP? Anyway, what could be the ideal setup in my case?
You need one IdP, your apps have to implement the SP. If your apps are Java based you could leverage OpenAM's Fedlet or use Spring Security SAML extension (works like a charm).
There's also a PHP SAML SP and even an Apache http server SAML module ...
Or you could use OpenIG as a reverse-proxy (but it's a java web app) which also implements a SAML SP.
-Bernhard
One more possible solution in which you can use OpenAM out of the box is by using OpenAM identity federation:
Use the standard OpenAM Identity federation setup (with IDP and SP) as explained in this post: http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity.html
You will need to have an IDP for AppA and SP for AppB or vice versa. IDP will be connected to your user store.
On SP side create a dummy user store using something like OpenDS.
Import all the users from IDP to SP (using a scheduled daily batch job)
Implement auto federation based on one or more of the user attributes.
Use OpenAM authorization features on SP side to give access to SP side App
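The "scheduled daily batch job" from the answer above, as an added example of my own rather than code from the answer or from OpenAM: it exports user entries from the IdP's LDAP, rewrites their DNs into the SP side's dummy OpenDS/OpenDJ naming context, and loads them with the OpenLDAP client tools. The hostnames, ports, bind DNs, base DNs and the sample LDIF are constructed assumptions. Only the attributes the SP needs are copied, and userPassword deliberately is not: the SP never authenticates anyone itself, it only federates on an attribute the IdP asserts, so that attribute (mail here) must be unique and not user-editable at the IdP, or one user can be federated into another's SP account.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): nightly copy of IdP users into
# the SP side's dummy directory for auto-federation. Hosts, DNs and the sample
# LDIF below are hypothetical. Requires the OpenLDAP ldapsearch/ldapmodify tools.
set -eu

IDP_LDAP="${IDP_LDAP:-ldap://idp.example.com:1389}"
SP_LDAP="${SP_LDAP:-ldap://sp.example.com:1389}"
IDP_BASE="ou=people,dc=idp,dc=example,dc=com"
SP_BASE="ou=people,dc=sp,dc=example,dc=com"
BIND_DN="cn=Directory Manager"

# What the SP actually needs: uid (RDN), mail (auto-federation key) and the
# attributes OpenAM authorization policies on the SP will evaluate.
# userPassword is intentionally absent: authentication happens at the IdP only.
SP_ATTRS="uid cn sn givenName mail employeeType memberOf objectClass"

# Rewrite LDIF dn: lines from the IdP naming context ($1) into the SP one ($2).
# Reads stdin, writes stdout; attribute lines pass through unchanged.
# (The base DNs are used as sed patterns, so they must not contain regex
# metacharacters; the ones above do not.)
rewrite_base() {
  sed -e "s/^dn: \(.*\),$1\$/dn: \1,$2/"
}

# Export -> rewrite -> add-only load. -c keeps going on "entry already exists"
# so re-running the job is harmless; changed or removed users are NOT handled.
sync_users() {
  ldapsearch -LLL -H "$IDP_LDAP" -D "$BIND_DN" -w "${IDP_BIND_PW:?set IDP_BIND_PW}" \
      -b "$IDP_BASE" -s one '(objectClass=inetOrgPerson)' $SP_ATTRS \
    | rewrite_base "$IDP_BASE" "$SP_BASE" \
    | ldapmodify -a -c -H "$SP_LDAP" -D "$BIND_DN" -w "${SP_BIND_PW:?set SP_BIND_PW}"
}

# Constructed sample of what ldapsearch would return for one user (not real data).
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=idp,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
mail: alice@example.com
employeeType: staff'

# Dry run of the rewrite step on the sample, for checking before touching a directory.
sample_rewritten() {
  printf '%s\n' "$SAMPLE_LDIF" | rewrite_base "$IDP_BASE" "$SP_BASE"
}

if [ "${1:-}" = sync ]; then sync_users; fi
```

Schedule it with `IDP_BIND_PW=... SP_BIND_PW=... ./sync-users.sh sync` from cron. Because the load is add-only, a user deleted or renamed at the IdP keeps an SP account until you purge it; for anything beyond a first import, replace the `ldapmodify -a -c` step with a real sync (delete-and-reload of the SP subtree, or a directory replication tool), and make sure auto-federation only ever matches on the attribute you intended.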