How to programmatically extract SAML token for IDP and SP? - saml

I have SSO configured between an IDP (ADFS) and an SP, and the IDP generates a SAML token and posts it to the SP page for authentication. But I would like to create a new application called test-app, and this app should programmatically generate/extract a SAML token for the IDP and SP by using a pop-up login window.
Is it possible?
After I get the SAML token, I intend to use it on a REST web service of the SP.

The SAML flow requires the SAML token to be generated by the IDP.
The IDP has the private key to sign the SAML token.
You can generate one in your app, but you won't be able to sign it correctly, and there is no flow to send it to the IDP.

Related

SAML authentication in spring boot application

The requirement is to build an application that will:
Accept a SAML token coming from the UI as input in a #Controller
Decrypt it using the 3DES algorithm
Authenticate
Convert it to a JWT token and send it back to the UI
Is any example of custom authentication available?
I tried the
https://docs.spring.io/spring-security/reference/servlet/saml2/login/authentication.html
example, but it redirects to the IDP URL. I don't want to redirect to the IDP URL;
I just want to decrypt it with the private key and certificate and authenticate.

SAML Global Logout

I have setup two SPs(service provider) with ADFS server.
Currently I can log out fine from each SP. However, I would like to implement it so that once the IdP receives a logout request, it invalidates the login session on all the SPs.
Could this be achieved?
NOTE: I am implementing this with SAML 2.0 and ADFS (3.0).

SAML SSO - How SSO works with SAML

I know how SAML works and I know how SSO works. My understanding of SSO is that the IDP creates a cookie in the IDP domain (which other domains cannot access) and uses it to authenticate the user.
The SAML protocol itself doesn't say anything about SSO. I get confused when they mix SAML with SSO, for example "IDP-initiated SSO".
As per my understanding, SSO is implemented independently of SAML (using a cookie). Please correct me if I'm missing something.

Does the SP need to know the SingleSignOnService location in IDP-initiated SAML SSO?

I am working with a client who is the IDP, and our application is the SP.
The client has not provided a SingleSignOnService location. Is it necessary for the SP to know the location, or can SSO work without it?
With a SAML 2.0 unsolicited Web SSO event, there is no AuthnRequest generated by your SP, so you do not need the SSO endpoint of the IDP.
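
Added example (not from the question or the answer above): the SP-side checks that differ between SP-initiated and unsolicited Web SSO, in Go using only the standard library. An unsolicited Response carries no InResponseTo, so there is no AuthnRequest ID to match, which is exactly why the SP never needed the IDP's SingleSignOnService endpoint; a solicited Response must answer an AuthnRequest the SP actually sent, once. The sample Response is constructed and unsigned, and the entity IDs and URLs are made up. XML signature verification against the IdP certificate is assumed to have already passed; it is an XML-DSig library's job and is not part of this code.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// SPConfig holds the SP-side values the checks run against (hypothetical values).
type SPConfig struct {
	EntityID         string // our entityID; must appear as an Audience
	ACSURL           string // our AssertionConsumerService URL
	AllowUnsolicited bool   // accept IdP-initiated responses (no InResponseTo)
}
// Only the parts of a Response the checks need; fields match by local name,
// so the samlp:/saml: prefixes ADFS emits do not matter.
type samlResponse struct {
	Destination  string `xml:"Destination,attr"`
	InResponseTo string `xml:"InResponseTo,attr"`
	StatusCode   struct {
		Value string `xml:"Value,attr"`
	} `xml:"Status>StatusCode"`
	Assertion struct {
		NameID   string `xml:"Subject>NameID"`
		ConfData struct {
			Recipient string `xml:"Recipient,attr"`
		} `xml:"Subject>SubjectConfirmation>SubjectConfirmationData"`
		Conditions struct {
			NotBefore    string   `xml:"NotBefore,attr"`
			NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
			Audiences    []string `xml:"AudienceRestriction>Audience"`
		} `xml:"Conditions"`
	} `xml:"Assertion"`
}
const skew = 2 * time.Minute // tolerated IdP/SP clock difference

// ValidateResponse applies the protocol-level checks an SP makes after, and only
// after, the XML signature has verified against the IdP certificate (not shown).
// outstanding holds the IDs of AuthnRequests this SP sent and has not yet seen
// answered; it stays empty (or nil) for a purely IdP-initiated SP.
func ValidateResponse(b64 string, cfg SPConfig, outstanding map[string]bool, now time.Time) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", fmt.Errorf("SAMLResponse is not base64: %w", err)
	}
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return "", fmt.Errorf("SAMLResponse is not well-formed XML: %w", err)
	}
	if r.StatusCode.Value != "urn:oasis:names:tc:SAML:2.0:status:Success" {
		return "", fmt.Errorf("IdP returned status %q", r.StatusCode.Value)
	}
	if r.Destination != cfg.ACSURL || r.Assertion.ConfData.Recipient != cfg.ACSURL {
		return "", errors.New("response was not addressed to our ACS URL")
	}
	// The one difference between the flows: unsolicited has no InResponseTo; solicited must answer our request, once.
	switch {
	case r.InResponseTo == "" && !cfg.AllowUnsolicited:
		return "", errors.New("unsolicited response but IdP-initiated SSO is disabled")
	case r.InResponseTo != "" && !outstanding[r.InResponseTo]:
		return "", fmt.Errorf("InResponseTo %q matches no outstanding AuthnRequest", r.InResponseTo)
	case r.InResponseTo != "":
		delete(outstanding, r.InResponseTo) // a replay of the same response now fails
	}
	c := r.Assertion.Conditions
	nb, err1 := time.Parse(time.RFC3339, c.NotBefore)
	na, err2 := time.Parse(time.RFC3339, c.NotOnOrAfter)
	if err1 != nil || err2 != nil || now.Add(skew).Before(nb) || !now.Add(-skew).Before(na) {
		return "", errors.New("assertion has no Conditions window covering the current time")
	}
	for _, a := range c.Audiences {
		if a == cfg.EntityID && r.Assertion.NameID != "" {
			return r.Assertion.NameID, nil
		}
	}
	return "", fmt.Errorf("audience %v does not include %q (or NameID is missing)", c.Audiences, cfg.EntityID)
}

// SampleResponse returns a constructed, unsigned SAMLResponse for local tests;
// inResponseTo == "" gives the unsolicited (IdP-initiated) shape.
func SampleResponse(inResponseTo string) string {
	irt := ""
	if inResponseTo != "" {
		irt = ` InResponseTo="` + inResponseTo + `"`
	}
	doc := `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example.com/saml/acs"` + irt + `>
<saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
<saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2024-01-01T00:05:00Z"` + irt + `/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"><saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>`
	return base64.StdEncoding.EncodeToString([]byte(doc))
}

func main() { // unsolicited response with IdP-initiated SSO enabled: prints alice@example.com <nil>
	cfg := SPConfig{EntityID: "https://sp.example.com", ACSURL: "https://sp.example.com/saml/acs", AllowUnsolicited: true}
	fmt.Println(ValidateResponse(SampleResponse(""), cfg, nil, time.Date(2024, 1, 1, 0, 1, 0, 0, time.UTC)))
}
```

If your SP never sends an AuthnRequest, leave AllowUnsolicited on and keep outstanding empty; if you later add SP-initiated login, store each AuthnRequest ID you issue in outstanding so a Response that names an ID you never sent, or names one twice, is refused. Destination and Recipient are checked against the ACS URL because a signed Response for some other SP's ACS is still a validly signed Response.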

Convert a SAML token to JWT

I am trying to connect to ACS using a SAML token; the problem is that ACS has been configured to only accept JWT tokens.
What is the best way to convert SAML to JWT?
Thanks
You should ask your IDP to provide the JWT token as a SAML attribute inside your current SAML tokens, or ask them to provide you with an alternative way of acquiring the JWT tokens you require.
The SAML token (typically a SAML assertion) is usually issued by an identity provider (IDP) and digitally signed, so that the relying parties can verify the authenticity of the token. This means that you cannot convert a token from SAML to JWT, as you will be unable to create a new signature on behalf of your IDP.
The JWT specification contains a good explanation of the difference between SAML and JWT tokens; you might want to go through it:
While JWTs can do some of the things SAML assertions do, JWTs are not intended as a full replacement for SAML assertions, but rather as a token format to be used when ease of implementation or compactness are considerations.
I'm presuming here that you are not self-issuing your SAML tokens, as in such a case you wouldn't need to convert them - you could create your own JWT token directly.
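
Added example (not from any question or answer on this page): a minimal RS256 JWT issuer and relying-party verifier in Go, standard library only, showing the point made both by the answer above and by the answer to the first question. The relying party trusts only tokens signed with the IdP's key, so a token the test-app mints with its own key is refused even though every claim is identical. Key pairs are generated on the fly, and the issuer, audience and subject values are made up.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// Claims is the minimal claim set the relying party in this example checks.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// Issue signs claims as an RS256 JWT. Only the holder of priv can produce a
// token that Verify accepts with the matching public key.
func Issue(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify is the relying party's side (ACS in the question, or the SP's REST
// service): pin the algorithm, check the signature with the trusted issuer's
// public key, and only then read and check iss, aud and exp.
func Verify(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("alg is not RS256; the token header must never choose the algorithm")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature was not made with the trusted issuer's key")
	}
	var c Claims
	body, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return nil, fmt.Errorf("token is for iss=%q aud=%q, not for us", c.Iss, c.Aud)
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Demo plays both roles. The relying party trusts the IdP key only, so the
// token the test-app signs with its own key is refused despite identical
// claims: an SP cannot "convert" a SAML assertion into a JWT others will trust.
func Demo() (trustedOK bool, forgedErr error) {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	appKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the test-app's own key
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	claims := Claims{Iss: "https://idp.example.com", Sub: "alice@example.com", Aud: "https://sp.example.com/api", Exp: now.Add(5 * time.Minute).Unix()}
	good, _ := Issue(idpKey, claims)
	forged, _ := Issue(appKey, claims)
	_, err := Verify(&idpKey.PublicKey, good, claims.Iss, claims.Aud, now)
	_, forgedErr = Verify(&idpKey.PublicKey, forged, claims.Iss, claims.Aud, now)
	return err == nil, forgedErr
}

func main() {
	ok, err := Demo()
	fmt.Println("IdP-signed token accepted:", ok)
	fmt.Println("test-app-signed token:", err)
}
```

The same logic is why the "ask the IDP" advice in the answer is the right one: whoever the relying party has configured as trusted issuer is the only party whose signature will pass Verify, and the verifier pins the algorithm rather than reading it from the token, so a header claiming alg "none" or an HMAC algorithm is rejected before any key is consulted.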