I have the following:
An existing WEB application using SAML for authentication. Using B2C custom
policies, I have successfully set up Azure AD B2C to allow this
application to authenticate users using SAML.
An API (ASP.NET Web API) using OpenID connect to authenticate callers (on the same Azure AD B2C).
I would like to authenticate calls from the Web Application to the WebAPI using the identity of the Web application authenticated user.
So I have would need a JWT token so I can validate it in my API middleware.
Is there any simple way of converting the SAML Assertion to a JWT token so the Web application can send it to my API with requests ?
I have read somewhere that IdentityServer could do the job using Azure ACS (For AAD B2C ?) but I understand that ACS will be retired on November...
Thanks.
You can ask your IDP to provide the JWT token as a SAML attribute inside your current SAML tokens, or ask them to provide you with an alternative way of acquiring the JWT tokens you require.
Also, you can configure IdentityServer to return JWT. Go to global config and change the default token type to JWT (same value as the default http token type).
Related
I have created identity provider and from browser it's working fine.
Reference : Keycloak Identity provider post-broker-login throwing error
From browser I can do login with external IDP and if the external IDP user is not there in keycloak it gets created in the keyclock that is absolutely fine and redirect to dashboard.
But my question is how can we do this flow with keycloak rest api?
Is there any api for to login with external IDP and will get the token of external IDP as well as token of keycloak?
For the typical user authentication use-case, ideally the user would simply get redirected to the Keycloak login page of your realm, would click on the external IDP, and proceed with the authentication process.
But my question is how can we do this flow with keycloak rest api?
Via the Keycloak Rest API I do not think you can perform this exact flow, at least not out-of-the-box.
Is there any api for to login with external IDP and will get the token
of external IDP as well as token of keycloak?
You can use the Keycloak's Direct Access Grand flow (aka Resource Owner Password Credentials Grant in terms of OAuth2 specification), exchange the user's credentials for a token from the External IDP. Afterwards, you can then perform an external-to-internal token exchange of the token from the external IDP for a token from your internal Keycloak realm.
Bear in mind, however, that some might consider this approach has not being a good practice, read more about it in this stack overflow thread.
I have a React App + Set of lambda's which are using JWT api gateway authorizer (using cognito user pool as IDP)
Additionally I have an Auth0 app + SAML IDP-initiated enterprise connection which direct the logged users in my React App along with SAML assertion.
What will be the best and simplest solution to enable users who are directed to the React app with the SAML to be authorized in the API gateway?
I have came up with this possible solution: create a custom API gateway authorizer which will accept the SAML assertion and will validate it using passport.
Is my solution applicable?
Is there an existing solution (code reference) for such authorizer? (could not find such...)
Are there simpler \ better solutions?
I can acquire a JWT token using the SPA JavaScript Microsoft Authentication Library using acquireTokenSilent.
Instead of getting a signed JWT token, is there a way I can get a signed XML SAML token?
I have a backend application (out of my control to change) which is setup to receive SAML and will read the tokens and check them against a certificate.
MSAL is a client side library that supports OAuth and OpenID Connect and it is not designed for handling SAML.
Also ,Single Sign-On SAML protocol and Federated Authentication with a SAML Identity Provider should be good starting points to implement SAML directly.
I have WSO2 Identity Server set up together with a web application that is configured for SAML 2.0 SSO.
When a user has authenticated, I want to invoke a SOAP service from this application. The SOAP service trusts the Identity Server and is protected with WS-Security. It expects a SAML 2.0 token in the request.
Is it possible for the application to get a SAML token from the WSO2 STS for the currently logged-in user?
The STS seems to require username/password (or X.509 certificate) to authenticate the user, which I don't have in the application (I have only the username).
Is there another way apart from the STS to get a token for the logged-in user?
I didn't touch AAD before, but I have to use it for authenticate users for my REST service.
I have a mobile client that can authenticate a user on AAD with OAuth2. As a result it has a bearer token.
This bearer token mobile client should use as a parameter in a request for protected REST service.
REST service is a Java-based application (spring-boot) and it was registered in AAD as a Web application, but I can not find a way how it can connect to AAD for check is token valid or not.
I expected to have something like /oauth2/check_token endpoint that can take a token value and return a user data, but I didn't find anything.
Is it possible to use AAD for authentication users for third-party applications and if yes, how to do it?
The token issued by AAD is a signed JWT token. You do not need to communicate with AAD to verify the token is valid. If you trust the issuer (AAD) and the token is valid (correct audience, valid signature, not expired etc.), you accept the claims in the token.
See this article for the steps to validate the JWT token.