Can we use Keycloak OTP combined with Oracle's OAM used for SSO? - keycloak

We have a peculiar request from a customer who uses Oracle's Access Manager (OAM) as their SSO solution: They wish to add One-Time Password functionality, but they'd rather employ Keycloak's functionality for this.
So my question is, can one integrate Keycloak with OAM in order to leverage Keycloak's OTP functionality, while keeping the core SSO functionality served by OAM?

The One-Time Password (OTP) integration in Oracle OAM is done via the Adaptive Authentication Service; refer to the doc for version 12c, section 32.2. Integration with Keycloak is not an option. Using the Adaptive Authentication Service (which is out of the box in the 12c version) will provide you the One-Time Password functionality. However, if your requirement is to use Keycloak OTP, then you will have to develop your own custom authentication plugin for integration with your third party, i.e. Keycloak. Refer to this doc on "Developing Custom Authentication Plugins".
Note: I have provided URLs for reference/docs from the latest version of Oracle Identity Management 12c since I do not know your current OAM version. There is significant development involved in writing your own custom authentication plugin. The out-of-the-box OTP functionality with OAM (in version 12c) would be a much more straightforward option.

Related

Authentication and authorization using Google login in Drools' business-central

My organization has decided to use Drools as a decision management framework. We are using the new UI business-central which is deployed as a WAR file in WildFly server for managing the rules and the assets related to the rules.
We have licensed Gsuite for our emails and other activities. We want to use Google login for the users of the business-central system instead of the username and password-based auth provided.
One way to do it is by using a Keycloak server which will provide us a way to manage users and authentication. But we do not want to maintain an extra server just for authentication.
Can someone please help me in achieving this authentication? Also, it would be helpful if I can know in advance the pitfalls of such a type of authentication approach.
Here are the version details for the drools system:
Java: openjdk version "1.8.0_242"
Drools: 7.33.0.Final
After doing a lot of trial and error and quite a bit of googling around, I have reached the conclusion that providing social login in business-central should be done via Keycloak if you are using WildFly.
There are a lot of security-related features that you will get out of the box, and you won't have to tweak the Drools code and later find out that you have missed a use case.

CAS vs Okta vs Keycloak comparisons as an SSO solution

Which is the best option for SSO implementation: Keycloak vs CAS vs Okta? I'm specifically looking for the disadvantages of each service to identify the best suitability for my system.
Both Keycloak and Okta should provide what you're looking for. I'm not sure about CAS as I haven't used it in 10 years. Since both Keycloak and Okta use OAuth 2.0/OIDC, you might even be able to use Keycloak in development, and Okta in production.
I've implemented OAuth 2.0 / OIDC support in JHipster. It uses Keycloak (in a Docker container) by default, and provides instructions for switching to Okta. Thanks to the power of Spring Security and Spring Boot, you only need to override some properties to switch between the two!
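As an added illustration of the "override some properties" point (example config, not the answer's or JHipster's own), here is a Spring Boot application.yml that points the same OIDC client registration at Keycloak under the default profile and at Okta under a "prod" profile; the registration name "oidc", the realm name and both hostnames are assumptions/placeholders:

```yaml
# Added example: one Spring Security OAuth2/OIDC client, two issuers.
# Property keys are Spring Boot's standard spring.security.oauth2.client.* keys;
# the registration name "oidc", realm "demo" and the hostnames are placeholders.
spring:
  security:
    oauth2:
      client:
        registration:
          oidc:
            client-id: ${OIDC_CLIENT_ID}          # read from the environment,
            client-secret: ${OIDC_CLIENT_SECRET}  # never committed in the YAML
            scope: openid,profile,email
        provider:
          oidc:
            # default (development): local Keycloak realm "demo" (assumed name);
            # Keycloak versions before 17 put "/auth" in front of "/realms"
            issuer-uri: http://localhost:9080/realms/demo

---
spring:
  config:
    activate:
      on-profile: prod
  security:
    oauth2:
      client:
        provider:
          oidc:
            # production: Okta's default authorization server (placeholder org domain)
            issuer-uri: https://dev-000000.okta.com/oauth2/default
```

Only the provider's issuer-uri differs between the two profiles: Spring Security reads the issuer's OpenID discovery document to fill in the authorization, token and JWKS endpoints, and ID tokens are checked against that issuer, so a client registration cannot be silently pointed at the wrong identity provider by editing one endpoint URL.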

wso2is 5.4.1 + liferay 6.2ga6

I followed the official documentation from https://docs.wso2.com/display/IS541/Integrating+WSO2+Identity+Server+with+Liferay to log in to my Liferay Portal with a wso2is user, but it does not work for me with wso2is-5.4.1 and liferay6.2ga6. When I try to log in, Liferay's log prints "Primary URL :https://wso2is.local:9443/services/Secondary URL :null" but no call to the wso2is server is made.
I added these lines to my portal-ext.properties:
auth.pipeline.pre=org.wso2.liferay.is.authenticator.WSO2ISAuthenticator
auth.pipeline.enable.liferay.check=false
wso2is.auth.service.endpoint.primary=https://wso2is.local:9443/services/
wso2is.auth.thrift.endpoint=localhost
wso2is.auth.thrift.port=10500
wso2is.auth.thrift.connection.timeout=10000
wso2is.auth.thrift.admin.user=admin
wso2is.auth.thrift.admin.user.password=admin
wso2is.auth.thrift.endpoint.login=https://wso2is.local:9443/
wso2is.auth.thrift.system.trusstore=/wso2is-5.4.1/repository/resources/security/wso2carbon.jks
wso2is.auth.thrift.system.trusstore.password=wso2carbon
Is there something wrong?
Unfortunately, a lot of the WSO2 documentation is very crufty, containing articles that have been pulled forward from previous versions of the documentation without regression testing on the use cases they present. In short, there's stuff in the documentation that plain doesn't work. If you look at the bottom of the article you'll see the following:
Please note that the above configuration is tested with Liferay 6.1.1 and WSO2 Identity 3.2.3/4.0.0.
I recall I tested this a long time ago, and determined that it wouldn't work with the current version, but that was so long ago that I can't remember why. In any case, the approach presented for integrating Liferay was offered at a time where Liferay didn't have the ability to use standardized authentication protocols like SAML. Now that it does, you probably want to do it in a standards compliant manner instead of using an authentication interface Liferay only promotes using for proprietary authentication systems.
My suggestion is that if you are using Liferay Portal Enterprise with LDAP, you use the built-in SAML connector. If you aren't using Enterprise, there are some compatible authenticator extensions in the extensions store that will also integrate with Liferay. If you configure Liferay to be a client against WSO2 and then integrate Liferay with LDAP on the backend, it also allows Liferay to be used as a user dashboard instead of the Jaggery-based one that comes with the product.

Single Sign-On for SAPUI5 app: how to set up?

I have an SAP SSO2 service enabled in the company; how would I enable single sign-on in code? What do I need to insert into my code, and possibly where?
When I log in to portal, single sign-on feature works, as I am not asked for password every time. I would like to have the same thing for my SAPUI5 application.
Can I possibly use cookies? If yes, how?
Yes, you can have the same thing for your SAPUI5 application. You don't need to code anything. SSO for ABAP is standard configuration. You can use any of these:
SPNego for ABAP (included in SAP Single Sign-On 2.0)
SAML to Active Directory (assuming your users are there and that's why you have SSO to Portal)
When your company has implemented SSO for Portal, they should of course do the same for SAP GUI and ABAP HTTP. :-)
Note that there is a licensing cost for SAP Single Sign-On 2.0.
If you use an ABAP on-premise system for your SAPUI5 app, then you need to have the SAP Single Sign-On solution installed; it includes SAML support.
The SAML implementation on AS ABAP is provided by CommonCryptoLib (SAPCRYPTOLIB), so what you need here is:
Install the SAPCRYPTOLIB library server-side.
Not needed on NetWeaver 72x/74x kernel PLs released after November 2013, because it is now built into the kernel.
Enable SAML provider in AS ABAP in SAML2 transaction
Configure AS ABAP as service provider
Set up SAP SSO
After that you will be able to connect to ABAP system from your app.
If you connect to an SCP cloud ABAP or HANA system, then this is even simpler because it supports SAML natively.

How to implement SSO for Tuleap using Shibboleth

My company is using Shibboleth to perform single sign-on.
The applications we use to sign in are WordPress and ownCloud. Now we are planning to include Tuleap Open ALM (Application Lifecycle Management) to use Shibboleth to do single sign-on.
So is there a plug-in to do it, or a way it can be done? Is it possible or impossible? Could you provide your views and thoughts to help me?
There is no explicit plugin for Tuleap to use Shibboleth. However, I think Shibboleth can be used with OpenID and that Tuleap can also be configured to use OpenID. The other Tuleap authentication methods are native and LDAP.