Netscaler - Passtrough SAML Auth - single-sign-on

We have the following Situation.
Public reachable SSO Portal based on Microsoft ADFS (sso.company.com)
Public reachable Citrix Netscaler (netscaler.company.com)
Private WebServer (web.company.com) - Not reachable from the internet.
We managed to authenticate against the Netscaler portal with ADFS.
Also we can authenticate against the WebServer inside our Network with ADFS.
Our problem is now to configure Netscaler in a way that we also can use the SSO Login to web.company.com from outside via Netscaler.
I hope that's somewhat clear.

I assume you are using SAML and not OAUTH (shouldn't make a difference):
Is SSO for web.company.com SAML based?
if not then the NS can't help you since SAML does not hold a password by default.
if it is using SAML then just configure the new endpoint in your IDP and everything will be transparent

The anove answer is incorrect. Netscaler can indeed do this and i have done it several times.
You need to use Kerberos Constrained Delegation on backend and SAML/OIDC on Front End. With Kerberos Constrained Delegation you are allowed to impersionate another user without having the password.

Related

Is it possible to pass authentication from an old CAS 3.5.3 Server to a recent Keycloak 15.0.2 with SSO?

I have an existing JSF application that is secured by a CAS Server (version 3.5.3).
Due to customizations I am not able to update the CAS Server to a new version. So there are no OIDC, OAuth2 or other state-of-the-art protocols available. Only CAS and an early version of SAML I think.
I would like to establish SSO to an external Keycloak of a service provider. They want me to set up an internal Identity Provider that connects to their external IDP.
I have done this before with Keycloak, but in that old case my internal Keycloak has been the single point of authentication. This time it's CAS.
Is there a way to pass the authentication from CAS 3.5.3 to my internal Keycloak without logging in again?
I have thought of implementing a Custom User Storage Provider SPI to connect to my existing user database. But then I would have to log in again to my Keycloak. Is this true?
Is this achievable by implementing the CAS protocol to my internal Keycloak using an CAS Extension? I think that this allows Keycloak to crate a client using CAS protocol, but not to SSO by an existing CAS server and the user has to login to my Keyloak. Please correct me, if I'm wrong.
Is there a way to pass the authentication from CAS 3.5.3 to my internal Keycloak without logging in again?
No, and if there is one, it will require LOTS and LOTS of coding and development. If you're not able to upgrade, you most likely will not be able to make such changes anyway.
There is an plugin for external SAML2 authentication here, which should allow CAS login requests to be redirected to an external SAML2 IDP:
https://github.com/UniconLabs/cas-saml-auth
If your keycloak supports SAML2, maybe this can work. Note that the plugin has not been touched since 2016, and there is no support for it from anyone. You will be 100% on your own, if you decide to go with it.

Local Identity based login along with saml 2.0 SSO

There is an existing mechanism to log into a website. Now, external / remote SAML IDP is being added to facilitate SSO. The website uses other micro-services and components that provide data and functionality to the website.
Is there a way to have an existing mechanism of local identity username password credentials to continue to co-exist as an alternate strategy for authentication alongside remote IDP SSO while keeping rest of the services handling authorization in a semantic way (using a saml token)?
P.S. I looked at the options to implement existing auth mechanism as saml IDP, but building it seems complex even with the likes of shibboleth or openSAML libraries.
P.P.S. I haven't looked at possibility of reimplementing existing auth mechanism with openId connect to co-exist with remote saml idps.
Sure: one can provide a landing page to the user that gives a choice between using a local account or an account at a remote IDP.

Need to provide both Basic Authorization and SSO on Bluemix Liberty server

I have a Java app running under Websphere Liberty on IBM Bluemix. I need to be able to authenticate users 3 different ways - Basic Auth, SAML SSO, and OpenAuth SSO, in that order.
I can set up the app to do Basic Auth (using custom code) or SAML SSO (using the Bluemix Single Sign On service), but can't figure out a way to configure it to handle both at once. (I haven't even looked into how to do OpenAuth yet.) If I configure the app to use the Bluemix SSO service, then my app never sees the incoming requests to check for a userid and password to try Basic Auth before the SSO service grabs it.
I tried changing the redirect URL in the SSO service to an endpoint inside my app, but then all I get is
CWOAU0062E: The OAuth service provider could not redirect the request because the redirect URI was not valid. Contact your system administrator to resolve the problem.
I can't be the only one that needs to do this. Can anyone tell me how they did it?

SAML SSO request with redirect response to local private IP

I have a situation where I need to authenticate my application users with SAML2.0. SAML server is hosted at a public domain while our application runs in local intranet.
I wonder, if SAML would support redirecting my users back to the local application (local IP) after authentication.
This is by default or is there any special configuration need to be done in SAML server side?
If the application is being accessed from the local intranet, it will definitely work. There won't be any additional configuration required for that. The reason is simple - SAML uses HTTP Redirects and Form-Post to pass SAML tokens. So if the two applications (IdP and SP) are accessible, it will work.
I have an ADFS server on Azure (available publicly) and the SP is in my local development environment (accessible only on my laptop). It works.
SAML protocol provides the 'RelayState' request parameter for certain bindings. E.g. have a a loot at http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
This allows to specify a target URL for your application acting as SAML SP.

Configuring Ping Federate and Spring SAML to authenticate application

I installed PingFederate on an AWS EC2 running Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09. I have a Java application that is using Spring Security for authentication.
I have read about how with PingFederate, I can set up an Identity Provider(IdP) and a Service Provider(SP). I have gathered that the IdP would be the Application User providing login credentials(the Identity) and passing this to the SP which has the Target Application apart of the SP in this diagram on this page here:
http://documentation.pingidentity.com/display/PF66/Service+Providers+and+Identity+Providers
This image also shows the Federated Identity Software on both sides of the IdP and the SP.
I have created an IdP and SP with my local PingFederate server just to see what the configuration options are and I am confused on which parts of this I actually need to be able to have a SSO for my Spring Security application.
My questions are:
Do I need an IdP and SP to implement that I am trying to do.
Right now our usernames and passwords are stored in a SQL Server, would I leverage this for PingFederate to use to authenticate the users?
Should I even be using Spring Security SAML for this or would another route be more appropriate?
Thanks for any help, I have reached out to PingFederate but my Regional Solutions Architect happens to be out until Friday.
I also apologize if I am completely off in my thinking, I am trying to wrap my mind around what is needed.
Presuming your goal is to establish federation between Ping and your application (in order to e.g. externalize authentication or enable single sign-on), your thinking is correct.
The Ping Federate serves as an Identity Provider (IDP) and you can configure it to connect to your SQL server, so that it can authenticate your existing users from there. IDP communicates with other applications which are called Service Providers (SP).
In order to connect to Ping your application therefore needs to be able to act as a SAML 2.0 Service Provider and using Spring SAML is a very good way to enable it to do so.
The typical flow of data between SP and IDP for single sign-on is similar to:
User accesses SP application which requires authentication
SP creates an AuthenticationRequest and sends it to IDP (using redirect in user's browser)
IDP processes the request and authenticates the user
IDP responds back to SP with an AuthenticationResponse message
SP processes the response and creates a session for the user based on the included data
There is an assumption being made that you need SAML between your Spring app and PingFederate. That is not true depending on how it is deployed and if you (see Andy K follow-up questions). You should check out the OpenToken Integration Kit for Java or perhaps the ReferenceID Int Kit from Ping as a possible solution. Much simpler to integrate than trying to hack together another SAML solution that may not be needed. However, I would recommend talking to your RSA who can give you the best approach for your scenario.