OKTA SAML Integration - saml

I am trying to integrate SAML in an ongoing project for one of our clients. I am new to Okta and its services. The only thing, the client wants to input okta URL and upload certificate in the admin panel. Rest I have to create a login module using okta. My question is what is the use of a certificate? How can I use that certificate in the project? If possible please share any info on how to develop this in PHP preferable.

Two reasons a client ( presumably the application requiring SSO with Okta ) would provide you with a certificate.
1) They are signing the SAML Request, in which case you need to be able to verify the signature. I don't believe OKta supports signed requests, which would rule this out.
2) They want the SAML Response encrypted. In which case you would include the public key provided in the Okta application configuration.
Niall

Related

Who signs the SAML Digital Signature

I'm a Service Provider, and the SME for the Identity Provider has specified that they require that the SP provide them a certificate different from the standard server certificate.
Every SSO Integration I've accomplished so far has had the IdP provide me with the certificate.
Is a SP able create and provide a separate certificate to the IdP?
Currently, the IdP SME is advising that unless I can provide this, he won't enable Solicited SSO(SP-Initiated SSO).

Local Identity based login along with saml 2.0 SSO

There is an existing mechanism to log into a website. Now, external / remote SAML IDP is being added to facilitate SSO. The website uses other micro-services and components that provide data and functionality to the website.
Is there a way to have an existing mechanism of local identity username password credentials to continue to co-exist as an alternate strategy for authentication alongside remote IDP SSO while keeping rest of the services handling authorization in a semantic way (using a saml token)?
P.S. I looked at the options to implement existing auth mechanism as saml IDP, but building it seems complex even with the likes of shibboleth or openSAML libraries.
P.P.S. I haven't looked at possibility of reimplementing existing auth mechanism with openId connect to co-exist with remote saml idps.
Sure: one can provide a landing page to the user that gives a choice between using a local account or an account at a remote IDP.

Passing Authenticated info from WSO2 to SP App

We are starting a project for SSO and using wso2 to do all SAML , OAuth and keep our Webapplications as service providers.
I have been through the online documentation but need some help .
When user tries to Access to any resource in our webapplication i would send user to wso2 to get Authenticated in case of OAuth /openid connect , how would i form this url ?
I have configured IDP and SP in WSO2 console, after authentication how does WSO2 give credentials of authenticated users to service provider , i see as per document or sample app , this should be SAML or any other sso protocols like oauth etc. documentation is not clear or any examples i can find
i want to redirect the user after OAuth or SAML with my own created Authn cookie , what is the provision for that .
any help would be appreciated
Yes, You can configure your application as service providers and wso2 IS as Identity provider.I guess, You can implement saml sso for your scenario and its simply documented here.There is another blog which describe the same configuration
You can download travelocity sample code and war file .Analysing the code you can get some idea about implementation.
By following above blogs, You can implement the complete SSO flow.
Q. > When user tries to Access to any resource in our webapplication i would send user to wso2 to get Authenticated in case of OAuth /openid connect , how would i form this url ?
Answer :
https://localhost:9443/oauth2/authorize?response_type=code&client_id=wCmphfs69oaN3JhqO3d9FFgsNCMa&scope=openid&redirect_uri=http://localhost:8080/Samplespapp/googleauth.jsp
client_id : is that if which we get on UI oof wso2 console after we finish configuring Service provider in my case i configured Inbound Authentication Configuration as OAuth open id .
redirect_uri is the url where we want to go after authentication , this should match callbackback url in View/Update application settings
Answer 2: I still dont see any valid reason why inbound authentication has to be sso protocol but this is how wso2 works , to put it in laymans term i have a client to connect to using SAML and Other OAuth . i opt for a SSO vendor who takes that headache from me to implement SSO protocols but i Still have to implement atleast one SSO protocol as after SSO handshake wso2 has to communicate userX with role as Admin to service provider app this is done again using SSO !!
ping federate makes it simple it makes an encrypted request header that had data in key value pair. may be i am not understanding but i dont like this inbound Authentication in SSO .
Q. 3.>i want to redirect the user after OAuth or SAML with my own created Authn cookie , what is the provision for that
documentation is poor in this area just some java classes but no end to end example , every one will point to travelocity .

SSO with Okta as an SP

I have an identity provider that connects to a service provider. Im trying to put Okta in the middle of the IDP and the service provider (so that Okta acts as an SP).
I got Okta to work directly with the SP. (I also got the IDP to work directly with the SP.) I'm having an issue getting the IDP to work with Okta in the middle.
Does the IDP's certificate go somewhere in Okta in this case? Does the SP need any information about the IDP?
Is it possible that I have admin access but couldnt find the add identity provider option in Okta?
Would be curious to know what your use case is.
If you put Okta in the middle - then Okta is part SP (to your IDP) and part IDP (to your ultimate SP).
For the part where Okta is SP - you can leverage the instructions here - https://support.okta.com/help/articles/Knowledge_Article/40561903-Configuring-Inbound-SAML to set up an inbound SAML endpoint.
For the second part - to integrate Okta to your SP, you can use the instructions here to set up a SAML app via our App Wizard - https://support.okta.com/help/articles/Knowledge_Article/Using-the-App-Integration-Wizard
If your SP happens to be in our app catalogue, then you can simply do "add application" under the Application tab in the admin console and follow the instructions there to set up SAML with the app.

SAML 2 IdP - should you create a different certificate for each Service Provider?

I've got a site acting as an Identity Provider (IdP) for Single Sign on and another 2 service providers that authenticate against it using SAML 2. At the moment, both service providers use the same certificate to validate the SAML response from the IdP.
I've now got a 3rd Service Provider joining shortly and I wondered whether I should really be issuing separate certificates to each party so that we could potentially revoke their access, if required, without affecting the other Service Providers? What approach have others taken and why?
I'm using SimpleSamlPHP as the IdP.
As I understand, what you want is to be able to revoke SSO access for one SP but not all.
I would think this should not be done by revoking certificates but rather by removing the metadata from SimpleSamlPHP.
The problem with this is that the certificate information is in the IDP metadata that is sent to the SP and the metadata normally only allows for one certificate for one task (can be different tasks e.g. for signing and encryption).
Coming back the other way e.g. signing the SP Authn request, all the SP's can have different cetificates or they can share.
Some products e.g. ADFS 2.0 before Rollup 3 do not allow SP to share certificates.