I can acquire a JWT token using the SPA JavaScript Microsoft Authentication Library using acquireTokenSilent.
Instead of getting a signed JWT token, is there a way I can get a signed XML SAML token?
I have a backend application (out of my control to change) which is set up to receive SAML and will read the tokens and check them against a certificate.
MSAL is a client-side library that supports OAuth and OpenID Connect, and it is not designed for handling SAML.
Also, Single Sign-On SAML protocol and Federated Authentication with a SAML Identity Provider should be good starting points to implement SAML directly.
I have the following:
An existing web application using SAML for authentication. Using B2C custom policies, I have successfully set up Azure AD B2C to allow this application to authenticate users using SAML.
An API (ASP.NET Web API) using OpenID Connect to authenticate callers (on the same Azure AD B2C).
I would like to authenticate calls from the Web Application to the WebAPI using the identity of the Web application authenticated user.
So I would need a JWT token so I can validate it in my API middleware.
Is there any simple way of converting the SAML assertion to a JWT token so the web application can send it to my API with requests?
I have read somewhere that IdentityServer could do the job using Azure ACS (for AAD B2C?), but I understand that ACS will be retired in November...
Thanks.
You can ask your IDP to provide the JWT token as a SAML attribute inside your current SAML tokens, or ask them to provide you with an alternative way of acquiring the JWT tokens you require.
Also, you can configure IdentityServer to return JWT. Go to global config and change the default token type to JWT (same value as the default http token type).
I have a domino server (v9) with SAML Login enabled through Oracle OpenSSO (and simple login methods disabled, like Basic or Forms).
I can log onto the server using a browser, which does multiple redirects, form submits and so on, to push the SAML token from the Identity Provider to names.nsf, which then creates an LTPAToken based on the SAML token.
However, I have to access some URLs (API endpoints) programmatically, which are secured by this SAML Login. Does names.nsf allow any API-friendly means of authentication (like Bearer Token) instead, and does OpenSSO support them as well?
I don't know Domino, but for OpenSSO I can say that it embeds an STS (Security Token Service). That means you can request a SAML Bearer Token from it.
https://docs.oracle.com/cd/E17842_01/doc.1111/e17844/concepts.htm
We are acting as service provider (supporting SAML2.0) and we are working on a proposal to federate with a new federation whose IDP is ADFS2.0. We are currently supporting several other Federations that are currently using OKTA as their IDP.
We expect the IDP to post the SAML assertion either way (SP initiated or IDP initiated). If ADFS 2.0 is acting as IDP, will the SAML assertion be similar to OKTA's or will it be different? (I heard that the SAML assertion from ADFS 2.0 will be compressed in addition to Base64 encoded, while from OKTA it is only Base64 encoded.)
You can expect both OKTA and ADFS to support the SAML2 standard.
If you are using the HTTP Redirect binding the xml is deflated+Base64-encoded. If you are using the HTTP POST binding the xml is only Base64-encoded. For receiving SAML2 assertions you shouldn't use the HTTP Redirect binding due to data length restrictions. So if you have a working implementation for OKTA it should work for ADFS too.
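As an added illustration of the two bindings described in the answer above (this is example code written for this page, not code from Okta, AD FS or any of the posters), the Python below encodes a constructed SAML AuthnRequest the way each binding does and then decodes it again: raw DEFLATE plus Base64 plus URL-encoding for HTTP-Redirect, plain Base64 for HTTP-POST. The sample XML, its ID and its URLs are constructed placeholders. The decoder bounds the inflated size so a hostile DEFLATE payload cannot exhaust memory, and it turns every decoding failure into a single ValueError so a receiver can reject a message sent on the wrong binding instead of parsing garbage; a production receiver should additionally parse with defusedxml and verify the XML signature before trusting any field.

```python
import base64
import binascii
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

SAML_P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_A = "urn:oasis:names:tc:SAML:2.0:assertion"

# Upper bound on the inflated message size; caps the cost of a malicious DEFLATE stream.
MAX_INFLATED_BYTES = 1 * 1024 * 1024

# Constructed sample AuthnRequest: the ID, timestamp and URLs are placeholders, not real endpoints.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAML_P}" xmlns:saml="{SAML_A}" '
    'ID="_constructed-id-0001" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    "<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), Base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_post(xml_text: str) -> str:
    """HTTP-POST binding: Base64 only, carried in the SAMLRequest/SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def _inflate_bounded(data: bytes) -> bytes:
    """Inflate a raw DEFLATE stream but refuse output larger than MAX_INFLATED_BYTES."""
    d = zlib.decompressobj(-15)
    out = d.decompress(data, MAX_INFLATED_BYTES)
    if d.unconsumed_tail:
        raise ValueError("inflated SAML message exceeds size bound")
    return out


def decode_saml_message(value: str, binding: str) -> dict:
    """Decode a SAML message for the given binding ('redirect' or 'post') and summarise it.

    Any malformed input (bad Base64, bad DEFLATE, non-XML) raises ValueError, so a message
    delivered on the wrong binding is rejected rather than half-parsed.
    """
    try:
        if binding == "redirect":
            raw = base64.b64decode(unquote(value), validate=True)
            xml_bytes = _inflate_bounded(raw)
        elif binding == "post":
            xml_bytes = base64.b64decode(value, validate=True)
        else:
            raise ValueError(f"unknown binding {binding!r}")
        root = ET.fromstring(xml_bytes)
    except (binascii.Error, zlib.error, ET.ParseError) as exc:
        raise ValueError(f"not a valid {binding}-binding SAML message: {exc}") from exc

    issuer = root.find(f"{{{SAML_A}}}Issuer")
    return {
        "binding": binding,
        "message_type": root.tag.split("}", 1)[-1],  # strip the namespace, e.g. 'AuthnRequest'
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
    }


if __name__ == "__main__":
    for binding, encoder in (("redirect", encode_redirect), ("post", encode_post)):
        print(binding, decode_saml_message(encoder(SAMPLE_AUTHN_REQUEST), binding))
```

The size bound and the strict Base64 check are the two defensive details worth keeping: the Redirect binding hands an attacker a compressed payload that a naive `zlib.decompress` would inflate without limit, and a lenient Base64 decoder silently discards stray characters instead of failing.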
I have WSO2 Identity Server set up together with a web application that is configured for SAML 2.0 SSO.
When a user has authenticated, I want to invoke a SOAP service from this application. The SOAP service trusts the Identity Server and is protected with WS-Security. It expects a SAML 2.0 token in the request.
Is it possible for the application to get a SAML token from the WSO2 STS for the currently logged-in user?
The STS seems to require username/password (or X.509 certificate) to authenticate the user, which I don't have in the application (I have only the username).
Is there another way apart from the STS to get a token for the logged-in user?
I have a working ADFS machine. I want to construct a passive request that will generate a saml 2.0 token.
The following request for a SAML 2.0 token:
https://adfstest.cld.sr/adfs/ls/?wa=wsignin1.0&wtrealm=https%3A%2F%2Flocalhost%2FPro%2FFederatedLogin.mvc&wauth=urn:oasis:names:tc:SAML:2.0:am:password
generates the error: "Microsoft.IdentityServer.Protocols.Saml.NoAuthenticationContextException: MSIS7040: None of the requested authentication types are supported by the server."
Yet if I change the request to a request for SAML 1.0:
https://adfstest.cld.sr/adfs/ls/?wa=wsignin1.0&wtrealm=https%3A%2F%2Flocalhost%2FPro%2FFederatedLogin.mvc&wauth=urn:oasis:names:tc:SAML:1.0:am:password
it works, but the token generated by ADFS is SAML 1.0.
What is the correct form to construct a request for passive federation with SAML 2.0 tokens?
AD FS 2.0 does not support SAML 2.0-based IDP-initiated SSO to a WIF relying party application.
The URL you used is a WS-Federation request, and as such only SAML 1.1 will be returned by ADFS.