I have a portal called www.example.com and a Moodle site called moodle.example.com. I have some users on both sites, which have the same usernames and passwords. What I want is when a user logs in on non-Moodle site called www.example.com after clicking some link, he should auto login to the same user on moodle.example.com.
Is there any way to do this?
There are a lot of authentication methods that Moodle supports as standard (e.g. Shibboleth, OAuth 2.0, LDAP) and a great many others that it supports via 3rd-party plugins: https://moodle.org/plugins/?q=type:auth (SAML being quite a popular option).
Many of these can be configured to check the remote server and automatically log the user in, if the authenticating site has the user already marked as logged in (usually with a fallback to the standard Moodle login page, if this authentication fails).
Really it comes down to which (if any) SSO (Single Sign-On) authentication methods your www.example.com site is able to be an authentication provider for (or, at least, which methods it can be adapted to work as an authentication provider for).
All else being equal, I'd probably start my investigation with SAML and/or OAuth 2.0.
Whatever you do, please, please do not decide it's a good idea to come up with a brand new SSO method all of your own - unless you are an expert in writing secure authentication methods, I can almost guarantee it will be insecure and at risk of being hacked.
Related
We want to use SSO for a group of apps (this will include GitLab, probably Drupal and a bunch of small apps I will write in Symfony for various tasks). We would like to currently use Google accounts to authenticate all apps, but because there are limits (I know you can increase them) on how many apps you can have and Google sometimes change what features are free, it would be good to have the option of using our own login down the track if needed.
I have used SimpleSAMLphp in the past with GitLab (using a database to store credentials) and it worked well. Is there a way that I can use the Google Auth as an IDP and have SimpleSAMLphp record the email address to link the accounts etc and allow me to add things like groups etc in to send down to the app when a login happens? I would put a password field in the login table in the database as well so that if we decide to move away from Google we can generate random passwords and continue without too many issues.
The information I find online is for using SimpleSAMLphp as the IDP for gsuite etc (we will be using general Google accounts, not ones in gsuite) and not the other way around. I also couldn't see any Authentication Modules for Google authentication. Are there any tutorials or instructions anywhere on this?
You can accomplish what you are asking fairly easily. Instead of integrating your SPs with Google directly, integrate them with an SSP idP you control, then set up your authentication page (i.e. the page redirected to by your authsource module) to be an SP for Google. Here's what that looks like:
vendor sp -> your SSP idP -> your login app -> your SSP SP -> google idP
This way you end up with only a single Google integration configured for all your vendor integrations. There are numerous benefits to this approach:
You aren't affected by # of integration constraints imposed by google
Since your vendor SP integrations are controlled on your own server, you can easily move to a different cloud-based idP for authentication in the future without having to re-integrate all your SPs
You can easily give your users alternate sign-in choices if you want.
You aren't constrained to SAML or protocols supported by Google. Many vendors still use proprietary token based authentication. These can easily be supported with this setup.
Happy to help with implementation details if you need it.
I have multiple applications (made with different tech such as .NET, JSP, PHP, ... ). Each one of them have its proper login page which contacts the LDAP to verify the username and password (there is one LDAP for all the applications).
What I want is to do a SSO for these apps: One login page is to "rule them all".
The user enters his credentials once.
He chooses an app from list.
The app will load without accessing the original login page.
My additional questions are:
Is there anyway to implement a SSO solution without modifying the apps's source code?
Is there a trick to pass the username and password to the original login page and submit automatically?
You need an IdP, something like Shibboleth IdP or ADFS, which will handle the users from an Authentication Source and do that hard stuff like the login page, etc. Usually there's user management headaches here, i.e. how will users change their passwords, etc. That's where a commercial solution like Okta, Ping, or OneLogin might work better for you.
You need a SAML Service Provider for each of your apps (what SAML stack you choose largely depends upon tech used in site), or you can use something like Shibboleth SP which simply protects paths on the webserver. If the apps are all on the same one or two web servers, go with Shib, as it'll make the integration with ADFS simpler.
If you want to avoid modifying source code, something like Shibboleth SP is probably for you... it protects paths, and loads user attributes into server variables you can pull from (i.e. username, first name, last name, etc.) to render on your app.
I am using Azure MobileServiceClient to authenticate with a mobile app. I want to enable a secure logout function, which involves deleting the cookies created by the web component. Otherwise anyone selecting "Login" will simply get logged in if there's an unexpired cookie lurking around. Deleting the cookies is working great.
Unfortunately, it means that a user returning to the same provider on the same device has to provide their username again (clearly, I don't want to store their password).
I found out how to make it work with Google. (Google OpenId doc) I simply provide a dictionary of parameters to the LoginAsync method. That dictionary contains the key "login_hint" and the user's email address (which, btw, has to be valid to work).
This doesn't seem to work for Facebook, Microsoft or Twitter accounts and I don't know why. I read a document that said that "login_hint" or "username" was supported by convention, but none of that seems to work.
Anyone have any experience (even a completely different approach) with this they can share?
TIA.
In order to implement IdP provided solutions like that, you need to move to a client-flow authentication. Client-Flow is when you use the IdP provided SDK to authenticate the user. Once the IdP has given you a token, you pass that token (silently) to Azure Mobile Apps to exchange it for a ZUMO token that you can use with the Azure Mobile Apps service.
Once you have the client-flow enabled, you can do anything that the IdP (Facebook, Google, etc.) will allow you to do. It's not really an Azure Mobile problem - more of an IdP problem.
I'm working on a proof of concept app. The basic functionality works, where I can log into one website, link to another site that shares the same STS, and the partner site picks up the credentials properly.
However, the partner site only requests the token if the page that we link to requires authentication (which kind of makes sense I guess).
Ideally, I'd like to link to a partner page that does not require you to be authenticated, BUT if the user IS already authenticated, I'd like to at least be able to recognize them on the partner site.
Currently, if my partner landing page does not require authentication, it doesn't appear that the user is logged in when they arrive. As soon as the user requests a page on the partner site that does require authentication, it then grabs the token without requiring the user to log in.
I've tried playing around with the SecurityTokenReceived and RedirectingToIdentityProvider events, but so far I'm stumped.
Any thoughts are appreciated.
So, the problem you are running up against is in dealing with the SessionAuthenticationModule hijacking the request. This module is responsible for detecting if the user has a valid session (based on a cookie that is written upon a successful redirect from the STS) and if not, to redirect the user to the STS to fetch a valid token. The WSFederationAuthenticationModule supplies the eventing necessary to hook into various stages of the redirection/authentication process.
Based on your description, it sounds like you want the following to happen:
User clicks on a link that redirects to the partner site
At the partner site, the request is intercepted and the system determines if the user is signed-in to the STS or anonymous
If the user has a valid session with the STS, then pull the claims for that user
The problem is, your RP cannot know that the user has a valid session without sending the user to the STS first (the RP's do not talk to each other or the STS. The user's brower is used as the means of communication between the RP's and the STS in the form of WS-Fed directives and SAML tokens passed in the url during redirects). If the user is sent to the STS, then they must authenticate, which could be a problem for anonymous users.
So, I do not think there is a "trick" that you can pull via configuration or interception of the request to determine if the user has a valid session with the STS. You might be able to pass a hint, however, from the referrer that is intercepted by the partner site. This hint could take the form of a parameter on the url that indicates to the partner site that the current user has a valid session and to go ahead and redirect to the STS (absence of this hint would indicate an anonymous user). You could also build a system to "hand-off" knowledge of the signed-in user using a resource that both sites have access to (i.e. database).
As you are sure to learn soon, more often than not, WIF offers pieces to the puzzle, but every situation is different and you have to supply the other pieces on your own.
Hope this helps!
Curious what recommendations anyone has.
I have an existing asp.net forms application that does a Forms Authentication and has identity impersonate turned on.
The application has a link to a questionnaire that I would like to develop separately in an asp.net MVC application, but I don't want the users to click on the link and be prompted for a username and password, I would like them to be able seamless start filling out the questionnaire.
Is there a way to somehow transfer authentication from one .net app to another? I would like to be able to pass stuff like UserRole.
What's the best way to do this?
If you use the same MachineKey in both applications and the MVC application is on the same server, I think that it will reuse the auth cookie and simply consider them logged in. See this MSDN article on configuring the MachineKey, especially the section on sharing authentication tickets across applications. Note this assumes that both applications are on the same server. If they are on different servers then you'll need to investigate some other mechanisms -- say generating a single-use ticket for the URL that can be used by the remote system via a web call back to the originating server who the user is. It might not need to be a full-up implementation of a central authentication system, but along those lines. Just be sure that you're using SSL to encrypt the relevant bits to help avoid man-in-the-middle attacks.
Using Windows Identity Foundation (WIF) you can achieve Single Sign-On.
In WIF, a service called a Security Token Service (STS), issues a token with claims, which can be anything you want to declare about the authenticated user, for instance his roles. In your apps you can use the Page.User, Controller.Page or Thread.Current.Principal properties to check the User claims (though if you'll only be using role claims you can use the IsInRole method for simplicity).
You can easily create a STS using the tools for VS included in WIF's SDK. The Forms authentication will be done in the STS instead of in the Web Forms site and both sites should have a trust relationship with the STS.