Jasig Cas ticket validation on client web application logout - logout

My web application is integrated with a portal that use cas authentication.
Logout is possible in two ways: on my web application (I first invalidate my session and then logout on portal page) or directly by portal (in this case session on my web application continues to exist - there are no single signout mechanisms implemented). In this last case there's a problem..if I logout on portal and then write directly URL of my web application the page is shown to me! So..I would like the validation of ticket for each request in order to understand that the ticket is no longer valid..but I don't know how I can do it.
Can someone help me?

If I logout on portal and then write directly URL of my web application the page is shown to me!
Yes, because as you noted there is no SLO. Just because you kill the portal session, it does not mean that your app session will be destroyed. The most ideal solution would be to implement SLO, such that the portal can reach out to registered applications and ask them to logout by sending them a logout notification. Then, in your app you just need to intercept that notification and kill the app session.

Related

Keycloak and SSO with SAML and Safari

we are using keycloak 3.4.2 to try to integrate SSO behavior (via SAML). I configured two clients in the same realm; if user logins to clientA and he opens a new tab in the same browser and logins to clientB he is successfully automatically logged in.
But we are trying to integrate the following behavior:
- from ipad user opens safari and goes to site A
- he logins to site A successfully
- from site A he clicks an "universal link" to open an app previously installed which is simply a webview to site B.
Current result is the user lands in the login page of the app.
Expected result is the user gets automatically logged in.
We are using iOS 11 for frontend. Both site A and site B have a backend side written in Java6.
Our idea was to reuse all cookies from site A to app with webview of site B by using an iOS widget "SFAuthenticationSession"; but once logged in the only cookie available is JSESSIONID which is not enough I think.
In my tests when I am using only a browser with different tabs, for each different tab I have a different JSESSIONID so I expect to have a different JSESSIONID when I am landing to site B.
Our approach has been taken from current source code:
https://github.com/dvdhpkns/SFAuthenticationSession-example
So what can we do to accomplish our task ?
What are we missing ? Do we need any other tokens/cookie ? How to retrieve them ? And when ?
I hope I clearly explained issue, sorry but authentication issues are not my strong point.

How to implement openAM SSO to my existing web applications

I'm try to implementing SSO in my existing web applications with using OpenAM by refer following link
http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity_21.html
PS. my web applications have their own login page already
Now what is got after implementation is, openAM login page are protected in my web applications and i need to make login again to my application
what i need is, want to skip the login page of my application to become single sign on.
so, can anyone tell me what tasks need i do left?
do i need to revise my Login page of my application?
do i need any database or datastore to keep user login information?
Now that an OpenAM agent is in place on top of your app, your web app can work under the assumption the there is already a valid logged-in user - you need to remove the login page from your web app.
To get the current user details just alter your OpenAM agent config to set HTTP headers with relevant fields like username, full name, etc. Then instead of a web app login page you just check HTTP headers (should be safe from spoofing as long as the only route into your web app is coming through the OpenAM agent).
Another way is to grab the OpenAM cookie and use it to make REST calls directly to the server. Makes things a little more fragile though because you now need to maintain additional config.
You don't necessarily need any additional user tables / datastores for your web app, only if you need to map their login name to whatever it is your web app is doing (saving preferences, etc) in which case you need to check that the username you've been given already exists inside your app. If not then add it.
We were able to implement single sign on using openam with a JSF web application using Spring SAML extension and Openam.
Instead of agent we used fedelet that way we can port to ant application server
Please see my articles on generic info related to Openam concepts
http://reddymails.blogspot.com/2013/03/sso-for-java-or-net-web-based.html
Steps to integrate JSF 2 web application with Openam using Spring SAML extension and Spring Security.
http://reddymails.blogspot.com/2013/06/integrating-jsf-web-applicataion-with.html
-Ram

SSO web and ticket session

I'm developping a SSO web system for my company. When poeple want access to an application, it redirects the user on the SSO server (web application) which keeps the authenticated user in memory. The SSO server then redirects the user to the application, which is creating its own session.
The problem is when a user spend a lot of time on the application, the session on the SSO is lost.
Have you an idea to resolve this problem ?
My SSO application is an ASP .NET application and others applications could be in ASP .NET or ASP .NET MVC3.
Thanx for your help
You would need to look into setting the timeout values of the WebAgent by observing the typical usage patterns of your users..
So how do you currently handle the user's SiteMinder session timeout..? Ideally you would be using a redirect URL to a custom page that informs the user that the session was terminated, etc.

C# Facebook SDK, Page Tab App & Auth

Please forgive me if this is a silly question. We're running into a problem attempting to authenticate. The issue seems like a straight forward one so I'm sure it's something silly we're over looking.
Step 1: User hits our tab app front page. This page is public and doesn't not require us knowing who the current user is.
Step 2: There is a button on this page that let's people join our application. This takes the user to another action on our controller and here is where app authentication is checked. If the user has not authorized the application, we are providing the re-direct URL to our app being hosted on our server (I believe this is the crux of our problem).
Step 3: The user authenticates the app, however, when being re-directed we're taken outside of Facebook to the target page.
Do we have to re-direct back to our page tab and if so how can we exchange the code for an access token?
Thanks in advance,
Eric
Set a "Namespace" for the app. That creates a new link to you app which ends with the namespace. Use this new url as return_url when calling for authentification.

Authentication in a mobile app

We are developing a hybrid mobile app (code is written in HTML and runs on browser shell as a native app on the device). We need to authenticate the user against an external security manager. I've seen the Gmail App in iPhone which opens a browser to authenticate the user. We are also looking to do something of that sort. We just need to gather your thoughts on how authentication can be done with some external security manager in a mobile app.
Also I noticed that Dailymotion website was able to know if the user is authenticated with Facebook. This looks like a cross domain authentication.
Can you please share your thoughts on how Google and others have implemented it?
What you are looking for is OAuth and OpenID services to federate your login. Depending on the architecture of your system you can implement whichever one you like or even a hybrid of both.
Take a look at this link: Federated Login for Google Accounts
It provides all the useful information you need.
Hmm this question seems old but in case you haven't found an answer here's how I did it with my hybrid apps :
open url on client side with the provider's (facebook/twitter/instagram) url for login
the user logs in and is redirected to the server's callback url (my server is written in nodejs)
once I've got the access token from the provider. I save this token and then create a token for the client to reuse every time the user wants to access a protected ressource.
Download the apk and test it.
If this is what you're looking for you can checkout both the client side code at : https://github.com/malikov/Authenticate.me-client-cordova-ionic
And the server side code at : https://github.com/malikov/Authenticate.me-Node-Server
Cheers