Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 11 months ago.
I have a django website and I'd like to allow students from a few universities to login to it using their university credentials.
I understand that I need to register with each of these universities first but what is that process like and what do I need to prepare on my end?
You have tagged SAML in your question so I will explain based on that. If you set up an integration with the universities using SAML, you will need to have software at your end to act as a SAML Service Provider (SP) and the universities will act as SAML Identity Providers (IdP).
Typical scenario:
When a student enters your site
User chooses the university where they have an account.
User is redirected to the university login site with a SAML authentication request.
User signs in to the university login and is redirected back to your page with a SAML response, containing a SAML assertion.
The SAML assertion is the proof of authentication and you then validate this and let the user in to your site. The assertion also typically contains information about the user you can use in your application.
To set up this authentication, you will need SAML SP software. A quick google suggests this might be something. You then need to contact the universities and give them a metadata XML file from your software that tells them about your service. You also get a metadata XML from them that you import into your software to say that you trust them to authenticate users.
All this is of course dependent on whether the universities want to allow you to use them to authenticate users.
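The "validate this and let the user in" step above is where most of the SP's security lives. The following is an added example, not code from the answer or from any SAML library, showing the checks an SP runs on the IdP's response after the XML signature has already been verified against the certificate from the IdP's metadata (signature verification itself is left to an XML-DSig capable SAML library and is assumed done before this function is called). The entity IDs, the sample response, the clock skew and the attribute names are all constructed for the example.

```python
# Added example: SP-side checks on a SAML Response (signature assumed verified
# already by the SAML library; this code does NOT verify XML signatures).
import xml.etree.ElementTree as ET  # use defusedxml in production
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Built from the metadata XML each university sends you (constructed values).
TRUSTED_IDPS = {"https://idp.example-university.edu/idp"}
SP_ENTITY_ID = "https://django-site.example.org/saml/metadata"


class SamlValidationError(Exception):
    pass


def _parse_time(value):
    # SAML timestamps are xs:dateTime in UTC, e.g. 2024-05-01T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, now, expected_request_id=None, skew=timedelta(minutes=3)):
    """Return (name_id, attributes) when every check passes, else raise."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP reported a non-success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no plain assertion (encrypted ones need decrypting first)")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer not in TRUSTED_IDPS:
        raise SamlValidationError(f"untrusted issuer {issuer!r}")
    # Audience restriction: the assertion must have been issued for this SP.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("assertion not addressed to this SP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("assertion has no Conditions")
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if now + skew < not_before or now - skew >= not_on_or_after:
        raise SamlValidationError("assertion outside its validity window")
    # SP-initiated flow: the response must answer the request this SP sent.
    if expected_request_id is not None and root.get("InResponseTo") != expected_request_id:
        raise SamlValidationError("InResponseTo does not match our request")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attributes


# Constructed sample response (no signature element; see note at the top).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req42" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example-university.edu/idp</saml:Issuer>
    <saml:Subject><saml:NameID>student42@example-university.edu</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://django-site.example.org/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="eduPersonAffiliation">
        <saml:AttributeValue>student</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    when = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)
    print(validate_response(SAMPLE_RESPONSE, when, expected_request_id="_req42"))
```

Each check answers a distinct question: is the issuer one of the IdPs whose metadata you imported, was the assertion issued for your entity ID (and not for some other SP the same student uses), is it being presented inside its validity window, and in an SP-initiated flow does it answer a request you actually sent.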
You can ask your NREN. https://en.wikipedia.org/wiki/National_research_and_education_network
Usually a NREN will run a national federation which provides SSO for the research and education organizations such as the universities.
From your side you have to implement/install a working Service Provider; the easiest one IMO is the Shibboleth Service Provider.
Then you ask your NREN to join the federation as an SP with your metadata (for Shibboleth you can view your metadata at fqdn/Shibboleth.sso/Metadata). If you join the federation and your SP's metadata is published, then the only thing that needs to be done by the universities is to release the requested attributes to your service with an attribute-filter.
I'm currently integrating SSO into a web application using passport-saml. Still fairly new to this and trying to understand all the nuances that come with it, so I've got a few questions that I can't seem to find the answer to:
Question 1
I guess there are two aspects to the IdP side of things: 1 for the customer and 1 for the organisation hosting the SP. So as the org that has the SP, we would need to have our own IdP account to upload our application with all the relevant SAML settings (let's say Okta for this example). The customers would then be able to find the SP from the catalogue of applications from whatever IdP they're using, where they can add it and can use the generated Identity Provider Single Sign-On URL and X.509 to input into the SP's settings. I know Okta has a setting to enable their users to find organisation-managed applications which they may need to enable to be able to find our application once approved by Okta. Am I correct in thinking this?
Question 2
Would this mean that as an org, I would need a presence on each IdP a customer might use? OneLogin, Okta, Active Directory, etc.
Question 3
Are IdPs the same for the most part? As in, would I just need to implement SAML into my back end and users can just enter the IdP URL and their certificate, and this will just work for any IdP that the users might be using?
Question 4
Is uploading an application to an IdP a paid service? I've currently got a sample project that is using Okta as an IdP, got all the settings set up, but I've noticed that I can submit the application on Okta as a software vendor. Obviously I can't go through it since it's a sample project and I'm also using a trial account, so I don't actually know what this entails.
Question 5
Lastly, as I previously mentioned, I've noticed that Allow users to add org-managed apps is an available setting for users so they may need to enable this to find my application. But I've noticed that there are thousands of applications that I can browse through on Okta while having this setting disabled. So Okta -> Applications -> Browse App Integration Catalog, I can find applications like Dropbox, etc. Is it a different process (than q5) for an application to be visible on this list?
Question 6
Is SSO at user level or at organisation level? As in, can users of an organisation have a mixture of different ways of logging in? Like, user 1 has SSO enabled but user 2 doesn't. Is that how it tends to work? Or is it more so that an admin enables SSO for the whole organisation?
I'm still trying to piece everything together but hopefully I've asked the right questions to properly set this all up but any other additional information you want to share would be helpful!
Answer 1: You are correct that as the organization that has the SP, you would need to have your own IdP account (for example, with Okta) to upload your application with all the relevant SAML settings. Customers would then be able to find the SP from the catalog of applications from whatever IdP they're using, where they can add it and use the generated Identity Provider Single Sign-On URL and X.509 to input into the SP's settings. You would also need to enable the setting in Okta that allows customers to find organization-managed applications.
Answer 2: Yes, this would mean that as an organization, you would need a presence on each IdP a customer might use. Different IdPs have different ways of setting up and managing SP applications, so you would need to create an account and configure your application on each IdP that you want to support.
Answer 3: IdPs are not all the same, but most of them support SAML, which is the standard for SSO. By implementing SAML into your back-end, you can allow users to enter the IdP URL and certificate, and this should work for most IdPs. However, you should check the documentation and settings of each IdP you want to support to make sure that everything is configured correctly.
Answer 4: It depends on the specific IdP provider. Some providers may offer free or trial plans for uploading and managing SP applications, while others may require a paid subscription. It's best to check the pricing and plans of the specific IdP provider you're using to see if there are any costs associated with uploading and managing your application.
Answer 5: Yes, there may be a different process for an application to be visible in the app integration catalog. Some IdPs, such as Okta, have a public application catalog that includes a wide range of popular applications that are pre-integrated with the IdP. These applications may be accessible to all users regardless of whether the "Allow users to add org-managed apps" setting is enabled. It's worth noting that the specific process for making an app visible to users may vary depending on the IdP provider you're using.
Answer 6: SSO is typically implemented at the organization level, meaning that all users within the organization will use the same SSO method to access various applications. However, it is possible to set up different SSO methods for different groups of users within an organization.
For example, an admin can enable SSO for all users within the organization, but also set up a separate SSO method for a specific group of users, such as contractors or partners. This way, users within the same organization can have different ways of logging in. Some IdPs may offer more granular control over SSO settings than others.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 4 years ago.
Maybe this question seems opinion based, but I am facing a hard time in deciding to secure a RESTful API.
Firstly, my use-case:
My application is pretty straightforward: the front-end is written using React.js (for the browser client) and that will consume the RESTful API for getting its data from the database (or something). The API is built using the Spring framework.
This API is not a public API, and it has only a single client (as of now; later there would be mobile apps).
Now let's come to the security problem. Obviously, I want to secure my API, and I am using Spring Security as the tool for this job. During the starting days of learning, I knew only about Basic Authentication. But when I kept on reading about more secure options, I learned some new fancy terms:
Token-based Authentication, using JWT
OAuth2
OpenID Connect
When I read more blogs like from Auth0, Okta and a lot more, I messed up everything. This made me think twice about whether I should use OAuth for securing a REST API (which is not public). Also, almost all of the blogs about OAuth take examples of social logins. This confused me more, suggesting that OAuth is for giving third-party applications access to your API. And that's it, not for my use-case.
I then asked some experts from some channels and blogs; some said Basic Authentication is quite enough for security (using https) and I should avoid OAuth for such a small requirement. Others said the opposite, saying Basic Auth has security vulnerabilities.
Let's consider that OAuth is perfect for me, but in that case also, where would my Authorization server reside? Because tutorials only explain about Authorization server by keeping their code in the same layer. No separate project or something.
JWT also has some negative reviews for my use-case:
they cannot be revoked, will only expire on their own. Isn't it insecure?
they are massive in size, compared to a session token or cookie
high computational cost for verification
I really need some more advice on this; it has already taken a lot of my weeks.
Thanks.
The real answer depends on information not in your question. For example do you need identity verification or are you just authorizing API access?
OAuth and Open ID Connect (OIDC) today are basically the same thing for most services such as Google Login. OIDC adds an identity layer on top of authorization. If you need to verify the identity of your users, log their activity, control resources per user, etc. this is your solution.
For authorizing API endpoints, there are many solutions. The most common are secret key value and JWT. Secret key has many weaknesses so I will not touch on that here.
A very common method of authorizing API endpoints is using JWT tokens and the Authorization: Bearer TOKEN HTTP header. I will now try to answer your concerns about using JWT tokens. Here I only refer to Signed-JWT tokens.
they cannot be revoked, will only expire on its own. Isn't it insecure?
JWT tokens can be revoked by revoking the signing certificate. This would require creating a certificate revocation server, so this is not so common. An improved approach is to create short-lived tokens. Typical expiration time is 60 minutes (3600 seconds) but you can create tokens for any time period. When the token expires, the client requests a new one, which your backend can authorize or refuse.
they are massive in size, compared to session token or cookie
What is massive? You can create a token of any size from just a few bytes (the size of the signature plus data) or include extensive information in the token. Unless your tokens are out of control in size, this will not matter to most implementations.
high computational cost for verification
Again you are using a vague term. Verifying a Signed JWT is not computationally expensive unless you are on tiny devices such as IoT (which are already using SSL certificates, encryption, etc.) or you need to handle millions of transactions per minute. In other words, unless you have a solid reason to worry about CPU cycles, don't worry about them in regards to improved security.
Let's consider that OAuth is perfect for me, but in that case also, where would my Authorization server reside?
Your OAuth 2.0 authorization server can reside anywhere you want. Implementing OAuth is very easy and there are many libraries to manage the details for you. Your authorization server can be part of your backend, be a separate server, etc. You can even just outsource this completely to identity providers such as Google Login, Auth0, Okta, etc.
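To make the three JWT points above concrete, here is an added example (not the answer's code and not a library's API) that mints and verifies an HS256 signed JWT with only the Python standard library, with the "Authorization: Bearer TOKEN" header parsing the answer mentions. The signing key, subject and lifetime are constructed for the example; a real service would use a random 256-bit key and a maintained library such as PyJWT, but the shape of the work is the same: one HMAC to verify, and expiry instead of revocation.

```python
# Added example: minimal HS256 JWT mint/verify to show size, expiry and
# verification cost. Key and claims are constructed; pin the algorithm.
import base64
import hashlib
import hmac
import json

SECRET = b"example-signing-key-change-me"  # constructed; use a random 256-bit key
TOKEN_TTL = 3600                            # 60 minutes, as the answer suggests


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, now: int, scopes=()) -> str:
    """Create a short-lived signed JWT for `subject` issued at unix time `now`."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + TOKEN_TTL, "scope": list(scopes)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int) -> dict:
    """Return the claims if signature and expiry check out, else raise ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if now >= claims["exp"]:
        raise ValueError("token expired; client must request a new one")
    return claims


def bearer_from_header(authorization: str) -> str:
    """Extract the token from an 'Authorization: Bearer TOKEN' header value."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("not a Bearer authorization header")
    return token


if __name__ == "__main__":
    t = mint_token("user-17", 1_700_000_000, ["read"])
    print(len(t), "bytes:", t)
    print(verify_token(bearer_from_header("Bearer " + t), 1_700_000_000 + 60))
```

A token with a subject, two timestamps and one scope comes out well under 200 characters, which puts the "massive" concern in proportion; and because `exp` is checked on every request, a stolen token is only useful until the next refresh, which is the answer's short-lived-token approach in practice.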
What I know so far is, to make any application SSO enabled, there must be an Identity Provider taking part in the SSO game. So there is a direct dependency on the IDP as the SP needs to "know" who the IDP is. Can the SP have a common SAML communication mechanism which can work with any IDP that my customer is using? Or do I need to build a different SAML communicator based on the customer-supported IDP?
Reason: one of our company's customers is using Okta for its employees and wants us to make our application Okta enabled so that its employees need not remember credentials on our site anymore. That's fine. Now, if any other customer comes with some other IDP (PingOne for example), do we need to work again to make it that xyz IDP enabled? Or will our existing implementation work the same way by just adding that IDP's url? Let me know if I am missing any big picture or key concept here.
P.S. Our application is on .NET platform.
Unfortunately you will need to create a new association if a user wants to use a new IDP.
There is a good reason for this. You need to say that you trust the IDP. The IDP is the one that vouches that the user is who they say they are. So you have to ensure that you trust it to authenticate users for your system.
What you could do is to allow the customer to define the IDP to be used, provided that the IDP is only allowed to authenticate that customer's users.
If you want to do this I would recommend using some third party software.
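The answer's suggestion (one SAML implementation, one trust entry per customer IdP, each IdP allowed to vouch only for its own customer's users) looks like this in code. This is an added example, not the answer's code and not tied to any .NET or SAML library: the tenant names, entity IDs, SSO URLs, certificate fingerprints and domains are constructed placeholders, and the assertion is assumed to have been signature-verified against the tenant's certificate before `accept_assertion` is called.

```python
# Added example: per-customer IdP registry for a single SAML SP implementation.
# All identifiers below are constructed placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class IdpConfig:
    entity_id: str              # Issuer value the IdP puts in its assertions
    sso_url: str                # where the SP sends the AuthnRequest
    cert_fingerprint: str       # SHA-256 of the signing cert from the IdP's metadata
    allowed_domains: frozenset  # NameID/email domains this IdP may vouch for


# One entry per customer, filled from the metadata that customer's IdP gives you.
# The protocol is the same for Okta, PingOne, ADFS, etc.; only these values differ.
TENANTS = {
    "acme": IdpConfig(
        entity_id="urn:example:idp:acme-okta-placeholder",
        sso_url="https://acme.okta.example/sso/saml/placeholder",
        cert_fingerprint="sha256:PLACEHOLDER-ACME",
        allowed_domains=frozenset({"acme.example"}),
    ),
    "globex": IdpConfig(
        entity_id="urn:example:idp:globex-pingone-placeholder",
        sso_url="https://auth.pingone.example/placeholder/sso",
        cert_fingerprint="sha256:PLACEHOLDER-GLOBEX",
        allowed_domains=frozenset({"globex.example", "corp.globex.example"}),
    ),
}


def idp_for_tenant(tenant: str) -> IdpConfig:
    """Choose the IdP for a login attempt. The tenant comes from your own
    login URL or the typed email domain, never from the SAML response."""
    try:
        return TENANTS[tenant]
    except KeyError:
        raise LookupError(f"no IdP configured for tenant {tenant!r}")


def signing_cert_is_expected(tenant: str, fingerprint: str) -> bool:
    """The certificate that signed the assertion must be the one registered
    for this tenant, not merely any certificate that verifies."""
    return idp_for_tenant(tenant).cert_fingerprint == fingerprint


def accept_assertion(tenant: str, issuer: str, name_id: str) -> bool:
    """Decide whether a signature-verified assertion may log `name_id` into
    `tenant`'s account space: right issuer, and a subject the IdP may vouch for."""
    cfg = idp_for_tenant(tenant)
    if issuer != cfg.entity_id:
        return False  # signed by some other customer's IdP
    domain = name_id.rpartition("@")[2].lower()
    return domain in cfg.allowed_domains


if __name__ == "__main__":
    print(accept_assertion("acme", TENANTS["acme"].entity_id, "alice@acme.example"))
    print(accept_assertion("acme", TENANTS["acme"].entity_id, "mallory@globex.example"))
```

The domain check is what enforces the answer's proviso: Acme's IdP can authenticate Acme's employees into Acme's data, but an assertion it issues for a Globex address is refused, so one customer's IdP can never be used to impersonate another customer's users on your system.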
Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 7 years ago.
I want to derive a role from SAML attributes like 'group' attributes.
My question is, will the SAML identity provider return all SAML attributes in the SAML response?
Or do I have to do something in the SAML authentication request to ask for SAML attributes explicitly?
thanks,
The identity provider and service provider need to agree on what information will be included in the SAML assertion. Typically this is done as part of setting up SSO between the two organizations and prior to any actual SSO. The identity provider needs to know what information you need so they can configure their system to include this information in the SAML assertion.
If there is certain information you need such as user group information then you need to specify this in your requirements to the identity provider. This is not done through the authentication request.
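Since the group attribute arrives only because you and the IdP agreed on it beforehand, the SP side has two jobs: map the released group values to application roles through an explicit allow-list, and detect when an agreed attribute is missing so that it is raised with the IdP rather than worked around. This is an added example, not the answer's code; the attribute name and the group-to-role table are constructed, and the real attribute name is whatever was agreed with the IdP during setup.

```python
# Added example: deriving application roles from an agreed group attribute.
# Attribute name and mapping are constructed for this example.
GROUP_ATTRIBUTE = "memberOf"  # constructed; use the name agreed with the IdP

# Explicit allow-list: any group you have not mapped grants nothing.
GROUP_TO_ROLES = {
    "app-admins": {"admin", "user"},
    "app-users": {"user"},
    "app-auditors": {"auditor"},
}


def roles_from_attributes(attributes: dict) -> set:
    """attributes: {attribute_name: [values]} as extracted from the assertion.
    Returns the application roles; an empty set means "no access", and the
    caller must not fall back to a default role."""
    roles = set()
    for group in attributes.get(GROUP_ATTRIBUTE, []):
        roles |= GROUP_TO_ROLES.get(group.strip(), set())
    return roles


def missing_agreed_attributes(attributes: dict, required=(GROUP_ATTRIBUTE,)) -> list:
    """Names of agreed attributes the IdP did not release. A non-empty result
    means the IdP's release configuration is incomplete; it cannot be fixed
    from the AuthnRequest, so report it to the IdP administrators."""
    return [name for name in required if name not in attributes]


if __name__ == "__main__":
    print(roles_from_attributes({GROUP_ATTRIBUTE: ["app-users", "app-auditors", "unmapped"]}))
    print(missing_agreed_attributes({}))
```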
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 4 years ago.
My understanding of SP-init and IDP-init SSO is as follows:
IDP-init SSO: A base64-encoded SAML response is generated by the IDP and sent to the SP; the SP then verifies the response and finally the user is logged into the application if the response is valid.
SP-init SSO: A saml request is sent from SP to IDP, then IDP will authenticate the user then send back the saml response, the next part is same as IDP-init SSO.
How do we decide whether the SSO should use SP-init or IDP-init? SP-init seems to be more secure and reliable than IDP-init SSO because of the authentication part.
To me, the business requirements of the service provider's application tell you:
If all user interaction with the service provider's application will start at a "homepage", or default landing page, then IdP-initiated probably makes a lot of sense (less to break - no signed AuthnRequest needed).
If there are "deeplinks" that are provided to your users to things like reports via email (that is, a user can click on a link that should take them deep within the service provider's application), then SP-initiated is the only way forward.
In both instances, the user will be authenticated at the IdP based on the IdP's authentication rules - neither SP-init or IdP-init is "more secure" in that regard. The flows:
IdP-init:
User clicks link to start IdP-init SSO
IdP validates that User is authenticated - if not redirect for authentication
IdP converts authentication attributes (like username, email, etc.) into SAML assertion and redirects user to SP
SP converts SAML assertion to SP application token and redirects to application
SP-Init:
User clicks link to go to SP application
SP Application determines the user does not have a token and redirects to SP
SP redirects to IdP
IdP validates that User is authenticated - if not redirect for authentication
IdP converts authentication attributes (like username, email, etc.) into SAML assertion and redirects user to SP
SP converts SAML assertion to SP application token and redirects to application
The only difference, as you can see, is the first three steps.
You choose based on the desired or required navigation flow of a user (assuming browser POST binding based on your description).
If your requirements dictate the user start from secure (logged in) website A and navigate without password to site B, this is by definition IdP initiated.
If on the other hand the user is expected to be on an unauthenticated site yet log in with credentials from a partner site, this is where the SP initiated scenario comes into play. StackOverflow itself offers this style of sign in if you choose to log in with a Google account (though an alternative to SAML is used). The user starts somewhere on StackOverflow, clicks the login link, chooses their IdP (in SAML semantics) as Google, and are sent with an authn request to the IdP. After credential challenge of unspecified sort (eg your browser might already have an authenticated session at the IdP site, or the IdP might use two factor auth, etc) the user is returned to the SP site with a SAML response document.
SP-initiated is always preferable. IdP-initiated will make work easier for the SP implementation but it comes with a bunch of problems such as XSRF, interoperability and deep linking.
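The difference between the two flows shows up on the SP as bookkeeping: an SP-initiated login records the AuthnRequest ID and the deep link (RelayState) it issued and requires the response to reference that request, while an IdP-initiated response carries no InResponseTo, so the SP can only accept it as an explicit policy choice and must treat any RelayState it carries as untrusted. The following is an added example, not code from any of the answers or from a SAML library; the entity IDs and URLs are constructed, and the AuthnRequest is the minimal form (a real SP would add NameIDPolicy, the protocol binding and, where the IdP requires it, a signature).

```python
# Added example: SP-side handling of SP-initiated vs IdP-initiated SAML flows.
# Entity IDs and URLs are constructed placeholders.
import base64
import secrets
import zlib
from urllib.parse import urlencode

SP_ENTITY_ID = "https://sp.example.org/saml/metadata"
ACS_URL = "https://sp.example.org/saml/acs"
IDP_SSO_URL = "https://idp.example.edu/sso"


def build_authn_request(request_id: str, issue_instant: str) -> str:
    """Minimal AuthnRequest XML identifying this SP and where to post the response."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )


def redirect_binding_url(xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as query params."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    return IDP_SSO_URL + "?" + urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})


def start_sp_initiated_login(session: dict, deep_link: str, issue_instant: str) -> str:
    """Remember what was sent so the ACS can later match the response to it."""
    request_id = "_" + secrets.token_hex(16)
    session["saml_request_id"] = request_id
    session["saml_relay_state"] = deep_link
    return redirect_binding_url(build_authn_request(request_id, issue_instant), deep_link)


def safe_relay_target(relay_state: str, default: str = "/") -> str:
    """Only same-site paths: RelayState is user-visible and must not become an
    open redirect. Rejects absolute URLs and protocol-relative '//host' forms."""
    if relay_state.startswith("/") and not relay_state.startswith("//"):
        return relay_state
    return default


def accept_response(session: dict, in_response_to, relay_state: str,
                    allow_idp_initiated: bool = False) -> str:
    """Return the path to send the now-authenticated user to, or raise.
    Assumes the response itself has already been validated and signature-checked."""
    if in_response_to is not None:  # SP-initiated: must answer our own request
        if session.pop("saml_request_id", None) != in_response_to:
            raise PermissionError("response does not match a request we issued")
        return safe_relay_target(session.pop("saml_relay_state", "/"))
    if not allow_idp_initiated:     # unsolicited response: reject unless opted in
        raise PermissionError("unsolicited (IdP-initiated) response rejected")
    # IdP-initiated: nothing to bind to, so only a same-site RelayState is honoured.
    return safe_relay_target(relay_state, "/")


if __name__ == "__main__":
    session = {}
    print(start_sp_initiated_login(session, "/reports/42", "2024-05-01T10:00:00Z"))
    print(accept_response(session, session["saml_request_id"], "/reports/42"))
```

Popping the stored request ID on use means a captured response cannot be replayed through the same session, and it is exactly this request/response pairing that the IdP-initiated flow lacks, which is why the last answer lists XSRF and deep linking among its problems: the SP has no record of what the user asked for, so it must either land everyone on the default page or trust a RelayState it did not create.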