Please help. I'm aware there are several posts / docs about SSO implementations but I still can't seem to find one that addresses my use case - probably because I'm still new to SSO implementation.
Scenario:
I have an existing Symfony 4 application with existing users. I want so that when users log into the app, they are automatically signed into Outlook Office 365 (web). Exactly the same implementations on https://mysso.centennialcollege.ca/. Please NOTE I do not want office 365 to authorize my app using the code flow approach, rather I want office 365 to recognize users signed into my app as valid identities.
Has anyone implemented this or has ideas please?
Your question is a bit unclear. You're likely going to need to change the existing application in some manner in order to achieve true single sign-on. You'll need to ensure that authentication against the Symphony app leads to the presence of a session that can be used to trigger subsequent sessions in a SSO framework supported by O365.
In your case, I'd take a look at SAML and, more specifically, SimpleSAMLphp.
Are you affiliated with the organization you linked to in some way? Because just by looking at the login page that looks like they've already got some sort of SAML Identity Provider solution... you can just integrate your Symphony app with that IdP in that case, and correlate the principal returned to your SP application from the SAML assertion on successful authentication against the user data in your existing DB. You wouldn't have to use SSP in that case... any kind of SAML middleware would work.
Related
I'm currently integrating SSO into a web application using passport-saml. Still fairly new to this and trying to understand all the nuances that comes with it so I've got a few questions that I can't seem to find the answer to:
Question 1
I guess, there are two aspects to the IdP side of things. 1 for the customer and 1 for the organisation hosting the SP. So as the org that has the SP, we would need to have our own IdP account to upload our application with all the relevant SAML settings (let's say Okta for this example). The customers would then be able to find the SP from the catalogue of applications from whatever IdP they're using where they can add it and can use the generated Identity Provider Single Sing-On URL and X.509 to input into the SP's settings. I know Okta has a setting to enable their users to find organisation-managed applications which they may need to enable to be able to find our application once approved by Okta. Am I correct in thinking this?
Question 2
Would this mean that as an org, I would need a presence on each IdP a customer might use? OneLogin, Okta, Active Directory, etc.
Question 3
Are IdP's the same for the most part? As in, would I just need to implement SAML into my back end and users can just enter the Idp URL and their certificate, and this will just work for any IdP that the users might be using?
Question 4
Is uploading an application to an IdP a paid service? I've currently got a sample project that is using Okta as an Idp, got all the settings set up but I've noticed that I can submit the application on Okta as a software vendor. Obviously I can't go through it since it's a sample project and I'm also using a trial account so I don't actually know what this entails
Question 5
Lastly, as I previously mentioned, I've noticed that Allow users to add org-managed apps is an available setting for users so they may need to enable this to find my application. But I've noticed that there are thousands of applications that I can browse through on Okta while having this setting disabled. So Okta -> Applications -> Browse App Integration Catalog, I can find applications like Dropbox, etc. Is it a different process (than q5) for an application to be visible on this list?
Question 6
Is SSO at user level or at organisation level? As in, can users of an organisation have a mixture of different ways of logging in? Like, user 1 has SSO enabled but user 2 doesn't. Is that how it tends to work? Or is it more so, an admin enables SSO for the entirety of the organisation whole organisation?
I'm still trying to piece everything together but hopefully I've asked the right questions to properly set this all up but any other additional information you want to share would be helpful!
Answer 1: You are correct that as the organization that has the SP, you would need to have your own IdP account (for example, with Okta) to upload your application with all the relevant SAML settings. Customers would then be able to find the SP from the catalog of applications from whatever IdP they're using, where they can add it and use the generated Identity Provider Single Sign-On URL and X.509 to input into the SP's settings. You would also need to enable the setting in Okta that allows customers to find organization-managed applications.
Answer 2: Yes, this would mean that as an organization, you would need a presence on each IdP a customer might use. Different IdPs have different ways of setting up and managing SP applications, so you would need to create an account and configure your application on each IdP that you want to support.
Answer 3: IdPs are not all the same, but most of them support SAML, which is the standard for SSO. By implementing SAML into your back-end, you can allow users to enter the IdP URL and certificate, and this should work for most IdPs. However, you should check the documentation and settings of each IdP you want to support to make sure that everything is configured correctly.
Answer 4: It depends on the specific IdP provider. Some providers may offer free or trial plans for uploading and managing SP applications, while others may require a paid subscription. It's best to check the pricing and plans of the specific IdP provider you're using to see if there are any costs associated with uploading and managing your application.
Answer 5: Yes, there may be a different process for an application to be visible in the app integration catalog. Some IdPs, such as Okta, have a public application catalog that includes a wide range of popular applications that are pre-integrated with the IdP. These applications may be accessible to all users regardless of whether the "Allow users to add org-managed apps" setting is enabled. It's worth noting that the specific process for making an app visible to users may vary depending on the IdP provider you're using.
Answer 6: SSO is typically implemented at the organization level, meaning that all users within the organization will use the same SSO method to access various applications. However, it is possible to set up different SSO methods for different groups of users within an organization.
For eg. an admin can enable SSO for all users within the organization, but also set up a separate SSO method for a specific group of users, such as contractors or partners. This way, users within the same organization can have different ways of logging in. Some IdPs may offer more granular control over SSO settings than others.
First of all I do not have any experience with SAML (version 2).
I was asked to investigate how we can make an existing site, which has a normal login page with a username and password page, ready for SSO with SAML.
There are some tools around which we can use in order to do this.
So I think it is not so difficult to implement the SSO part.
But however it is not clear to me how the authorization is managed.
The system (web site) is using authorization rights in order to determine if the user is able do access certain parts and if he does, the right type he has (view, create or edit).
These rights are assigned to each user by an administrator in the system itself.
When a user logs in the system by specifying his credentials (without SAML/SSO) his rights are also retrieved.
How is this done when a person logs into the site by using SSO?
Is there a mapping of the userId which is know by the IdP (Identity Provider) to the userId which is know by our system?
And is this send in the SAML response from the IdP?
Or is this done in another way?
Thanks in advance
SAML is mainly a authentication protocol but there are still many ways to solve this. SAML supports sending authorization infromation in AuthzDecisionStatement in the assertion.
Another alternative is to extend SAML using XACML which is a big framework for transferring Authz information.
However the support for these are limited in many SAML providers.
The simpler solution and probably the best in your case, if it is just one access right per user, is to send it as an attribute in the SAML assertion. This can usualy be mapped against for user properties.
I'm trying to set up a single-sign-on solution to a 3rd party site. They currently don't have anything set up on their end yet, but they want to use SAML. They instructed us to "provide them a sample of a standard SAML2.0 message", and sent over a certificate. Kind of asking me to show them a key and they'll build a lock to put it in.
I need some direction on what to actually set up for this. The vendor has cryptically stated that they are using these parts of the SAML message: ds:Signature, saml:Conditions, samlNameId. I've put together a C# console app that can produce a Saml2SecurityToken using their certificate and a given Name Identifier, and set a timeframe for the condition. I think this is what they need from me.
We do have ADFS however. I've used it to authenticate users accessing internal sites, so I have a little experience with it. I'm overwhelmed by the information for ADFS though, and can't grasp what to set up for this kind of situation - I don't know how to translate the vendor & I's relationship into ADFS terminology.
Can someone explain who I am and who they are in ADFS terms? I think all the pieces for setting this relationship are right there, but I'm just getting swamped by the volumes of information on every page about ADFS.
On your ADFS site, navigate to:
https://your server/federationmetadata/2007-06/federationmetadata.xml.
Save this file, send to the vendor. This is the metadata. It describes the SAML profiles, the certificates, the public keys etc. You don't need to send them any actual certificates.
Ask the vendor for their metadata. Import this into ADFS as a Claims Provider Trust.
Configure your application via WIF to use ADFS.
When the user navigates to the application, the user will be redirected to ADFS. They will get the Home Realm Discovery screen and select either the 3rd party vendor or ADFS to authenticate and then they will get access to the application.
If ADFS is the source of authentication ADFS is the IP, the vendor is the service provider (RP). And obviously vice versa.
I have a question regarding ADFS and forms authentication. I currently maintain a database of users and have built a somewhat complex claims-based system around it. All of my clients use forms authentication to access my website (ASP.NET). Recently one of my clients expressed a desire to switch to a single sign on model. I would like to use ADFS to accomplish this. My question is how do I go about using both forms authentication and ADFS at the same time. I need all of my other clients to still be able to access the site using forms authentication. I know this cannot be a rare problem, but I can't seem to find any good answers to the question. Thanks very much.
using ADFS V2.0 allows both types of authentication, windows and forms and both relies on the active directory that means you must save and keep all the users data in the active directory.
pleases see http://www.richardawilson.com/2010/10/adfs-20-login-page.html
if you need the ADFS reads the users and credentials from another source than the Active directory,
in that case you must implement a custom claim provider and configure the ADFS.
Not sure I totally understand the question but ADFS can use FBA - AD FS 2.0: How to Change the Local Authentication Type.
Is your "complex claims-based system" a STS? If it is, just federate with ADFS.
If it isn't, have a look at Thinktecture IdentityServer.
I have a 3rd party program that supports web SSO using SAML 1.1 (it is ready to serve as the Service Provider, in other words).
We would like to implement this SSO for our intranet users based on their Active Directory credentials. In other words, they've already logged on to their system, so let's simply use those credentials to facilitate an SSO. I am a little overwhelmed at where to begin, though.
My initial thought is that IIS / Active Directory could easily serve as the Identity Provider since IIS gives us "Integrated Windows Authentication" abilities. I would think we could just create a .NET web app that requires Integrated Authentication which simply extracts the current user ID, builds the SAML response, and re-directs the user back to the Service Provider with this SAML response to complete the SSO.
But then, my problem is that I simply have no real idea of how to go about creating this SAML response, the X.509 certs involved, etc... I am wondering if I am in over my head on this, or if creating this SAML response should be relatively easy.
Note this SSO is to be used by intranet users only, so no need to worry about federating with other companies / domains.
Another option that you may want to look into is Microsoft's Active Directory Federation Server (ADFS) 2.0.
I wouldn't bother trying to build something SAML compliant. It will take you weeks to use a toolkit and your efforts will probably only handle the one use case. Once you get something custom into place you'll soon realize the rest of your organization needs some type of SAML integration as well (either internal or externally).
The quickest (and IMHO) easiest way (and you'll come out looking like a hero) is to use something like PingFederate from www.pingidentity.com. You can have it up and running in less than a day if you know what you are doing.
Just my $0.02
HTH - Ian