How to integrate IDP-initiated SSO with AWS API gateway using Auth0? - aws-api-gateway

I have a React app + a set of Lambdas which are using the JWT API Gateway authorizer (using a Cognito user pool as IDP).
Additionally I have an Auth0 app + SAML IDP-initiated enterprise connection which directs logged-in users to my React app along with a SAML assertion.
What will be the best and simplest solution to enable users who are directed to the React app with the SAML to be authorized in the API gateway?
I have come up with this possible solution: create a custom API Gateway authorizer which will accept the SAML assertion and will validate it using Passport.
Is my solution applicable?
Is there an existing solution (code reference) for such authorizer? (could not find such...)
Are there simpler / better solutions?

Related

Implementing SAML Identity Provider in Node for Offline app?

We are in process of building a series of apps that will run offline or in very austere environments. We'll also be integrating with other 3rd party apps. Many of these will require logins so we're attempting to use SAML to handle login between them.
I found saml2-js:
https://github.com/Clever/saml2
And it seemed like a great starting point for both the SAML Service Provider and Identity Provider - but diving in I now see it does not implement the Identity Provider at all.
I already have a basic SAML Service Provider set up, but we need an Identity Provider that can run offline. Are there any Node or Go Identity Provider libraries we can use to implement this? If not, another recommendation?
Passport is the usual Node option but that's client side only.
There are a number of IDPs you can use, e.g.:
Free: simpleSAMLphp / Shibboleth / identityserver4
Cloud: Auth0 / Okta / Azure AD
On-premises: ADFS

Is it possible to exchange a SAML assertion from AAD B2C for a JWT Token?

I have the following:
An existing web application using SAML for authentication. Using B2C custom policies, I have successfully set up Azure AD B2C to allow this application to authenticate users using SAML.
An API (ASP.NET Web API) using OpenID Connect to authenticate callers (on the same Azure AD B2C).
I would like to authenticate calls from the web application to the Web API using the identity of the web application's authenticated user.
So I would need a JWT token so I can validate it in my API middleware.
Is there any simple way of converting the SAML assertion to a JWT token so the web application can send it to my API with requests?
I have read somewhere that IdentityServer could do the job using Azure ACS (For AAD B2C ?) but I understand that ACS will be retired on November...
Thanks.
You can ask your IDP to provide the JWT token as a SAML attribute inside your current SAML tokens, or ask them to provide you with an alternative way of acquiring the JWT tokens you require.
Also, you can configure IdentityServer to return JWT. Go to global config and change the default token type to JWT (same value as the default http token type).

AWS Cognito: support of SSO IdP-initiated workflow

I have my UI application which uses AWS Cognito for user authentication. We have successfully integrated the SAML identity provider in our Cognito UserPool.
Now I want to support SSO using AD FS.
Below is the URL which I can use for ADFS login.
https://adfs.DOMAIN.com/adfs/ls/IdpInitiatedSignOn.aspx
I have read this AWS doc to configure this for the AWS Management Console.
But what steps should I follow to enable this for Cognito?
Any help?
From the Amazon Developer Forums: "Cognito User Pools do not currently support the IdP-initiated SAML flow."
If you are able to use Open-ID rather than SAML you will be able to overcome this issue. If SAML is a must, you may have to wait until support for the IdP-initiated SAML flow is provided.

Passing Authenticated info from WSO2 to SP App

We are starting a project for SSO and using WSO2 to do all SAML and OAuth, and keep our web applications as service providers.
I have been through the online documentation but need some help.
When a user tries to access any resource in our web application, I would send the user to WSO2 to get authenticated. In the case of OAuth / OpenID Connect, how would I form this URL?
I have configured the IDP and SP in the WSO2 console. After authentication, how does WSO2 give the credentials of authenticated users to the service provider? I see, as per the document or sample app, this should be SAML or any other SSO protocol like OAuth etc. The documentation is not clear, nor are there any examples I can find.
I want to redirect the user after OAuth or SAML with my own created Authn cookie; what is the provision for that?
Any help would be appreciated.
Yes, you can configure your application as a service provider and WSO2 IS as the identity provider. I guess you can implement SAML SSO for your scenario, and it is simply documented here. There is another blog which describes the same configuration.
You can download the Travelocity sample code and WAR file. Analysing the code you can get some idea about the implementation.
By following the above blogs, you can implement the complete SSO flow.
Q. > When a user tries to access any resource in our web application, I would send the user to WSO2 to get authenticated. In the case of OAuth / OpenID Connect, how would I form this URL?
Answer:
https://localhost:9443/oauth2/authorize?response_type=code&client_id=wCmphfs69oaN3JhqO3d9FFgsNCMa&scope=openid&redirect_uri=http://localhost:8080/Samplespapp/googleauth.jsp
client_id: this is the ID which we get on the UI of the WSO2 console after we finish configuring the service provider; in my case I configured Inbound Authentication Configuration as OAuth/OpenID.
redirect_uri is the URL where we want to go after authentication; this should match the callback URL in View/Update application settings.
Answer 2: I still don't see any valid reason why inbound authentication has to be an SSO protocol, but this is how WSO2 works. To put it in layman's terms: I have a client to connect to using SAML and another using OAuth. I opt for an SSO vendor who takes the headache of implementing SSO protocols from me, but I still have to implement at least one SSO protocol, as after the SSO handshake WSO2 has to communicate "userX with role Admin" to the service provider app, and this is done again using SSO!!
Ping Federate makes it simple: it makes an encrypted request header that has data in key-value pairs. Maybe I am not understanding, but I don't like this inbound authentication in SSO.
Q. 3.> I want to redirect the user after OAuth or SAML with my own created Authn cookie; what is the provision for that?
Documentation is poor in this area, just some Java classes but no end-to-end example; everyone will point to Travelocity.

Keycloak and Vertx

We are implementing a RESTful service and the entire backend application using Vert.x. These APIs are consumed by a hybrid mobile app (developed using Ionic / AngularJS). We are using Keycloak for user management and also authentication and authorization on the app.
My question is, how can I use Keycloak to also protect (authenticate and authorize for the same set of users) my RESTful service access which is implemented using Vert.x. Any example implementation would be very useful.
We wrote a custom Vert.x auth provider using the Keycloak core library to solve this exact problem (the Vert.x JWT library doesn't work with the Keycloak JWT tokens - arguably we should have improved the Vert.x library instead). I'll see if I can get permission to open source the library.
So, if I understand correctly, you need one authentication entry point for the user in the mobile app and in the REST service. If I am right, you can use JWT. When the user authenticates with Keycloak he will receive a JWT with roles and user information. This token you can put into the request for the REST service, and your service will know who the user is and what roles he has. Please see https://jwt.io/
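The answer above says the REST service can read roles out of the Keycloak JWT. As an added example (not the poster's code and not a Keycloak or Vert.x library), this Node.js guard shows the authorization half of that: given the claims of a token whose signature and expiry have already been verified against the realm's public key, it checks the audience and decides per route from the realm and client roles Keycloak places in the token, denying by default. The client id, route table, and sample claims are constructed for the example.

```javascript
// Added example (not the poster's code): default-deny route authorization over the
// claims of an already-verified Keycloak access token.
// Assumption: signature/expiry were verified upstream; only the decision is shown.
const API_CLIENT_ID = 'vertx-backend'; // assumed Keycloak client id of the REST service

// Route rules: first match wins; a route with no rule is denied.
// anyOf: [] means any authenticated caller with a valid audience.
const ROUTE_RULES = [
  { method: 'GET',    path: /^\/api\/orders(\/[^/]+)?$/, anyOf: ['customer', 'support'] },
  { method: 'DELETE', path: /^\/api\/orders\/[^/]+$/,    anyOf: ['admin'] },
  { method: 'GET',    path: /^\/api\/health$/,            anyOf: [] },
];

// Keycloak tokens carry realm roles in realm_access.roles and client roles in
// resource_access.<client>.roles; both are relevant to this service.
function rolesOf(claims, clientId) {
  const realmRoles = (claims.realm_access && claims.realm_access.roles) || [];
  const clientEntry = claims.resource_access && claims.resource_access[clientId];
  const clientRoles = (clientEntry && clientEntry.roles) || [];
  return new Set([...realmRoles, ...clientRoles]);
}

function authorizeRequest(claims, method, path, clientId = API_CLIENT_ID) {
  // A token issued for another client must not be accepted here (aud is string or array).
  const aud = Array.isArray(claims.aud) ? claims.aud : claims.aud ? [claims.aud] : [];
  if (!aud.includes(clientId)) return { allowed: false, reason: 'audience' };

  const rule = ROUTE_RULES.find((r) => r.method === method && r.path.test(path));
  if (!rule) return { allowed: false, reason: 'no_rule' };

  const roles = rolesOf(claims, clientId);
  if (rule.anyOf.length > 0 && !rule.anyOf.some((r) => roles.has(r))) {
    return { allowed: false, reason: 'role' };
  }
  return { allowed: true, subject: claims.sub, roles: [...roles] };
}

// Constructed sample claims in the shape Keycloak emits (not a real token).
const SAMPLE_CLAIMS = {
  sub: '5c1a0d0e-example',
  iss: 'https://keycloak.example.com/realms/demo', // placeholder realm
  aud: ['vertx-backend', 'account'],
  realm_access: { roles: ['customer'] },
  resource_access: { 'vertx-backend': { roles: ['support'] }, account: { roles: ['view-profile'] } },
};

module.exports = { authorizeRequest, rolesOf, ROUTE_RULES, SAMPLE_CLAIMS, API_CLIENT_ID };
```

In a Vert.x handler the same decision would run after the JWT auth provider has validated the token, using the decoded principal as `claims`; a denied result should map to 403 and a missing or invalid token to 401 so the two failure modes stay distinguishable in logs.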