I have installed Zimbra Network Edition v8.8.8 and it is running fine. I am trying to configure SSO using simplesaml but I am stuck at the part where I have to pass the SAML response for the SSO. Quoting from https://wiki.zimbra.com/wiki/Authentication/SAML:
Note for SAML Provider
SAML Provider must POST the SAML Response at the following URL for
SSO:
<zimbra_base_url>/service/extension/samlreceiver
This SAML Consumer extension requires that the Subject Name Identifier
inside the SAML Assertion must be the account email address, so
configure the Provider accordingly.
I have tried to edit the saml20-idp-remote.php and include the Assertion Consumer Service (ACS) URL but I think the URL that I used was wrong. Or should I actually configure it in saml20-sp-remote.php file? I'm new to both SSO and Zimbra.
In the meantime I'll check out this (just found it):
SAML 2.0: How to configure Assertion Consumer Service URL
Appreciate all the help.
Thanks.
The Zimbra SAML extension provides support for the Browser/POST Profile of SAML.
https://sites.google.com/site/ranmanicwikii/opensource/zimbra-saml-sso
Hope this helps!
Related
I am trying to test and debug SAML authentication with my app. I currently do not have my own SAML IDP so I am trying to test with free/open SAML IDP providers.
Currently I am testing with SSOCircle: https://www.ssocircle.com/
And when testing after I sign in with that provider I get:
Error occurred
Reason: Unable to do Single Sign On or Federation.
Please enable the additional debug option in "My Debug". Detailed
trace information only available with paid accounts. Check our plans.
Anyone successfully setup SAML auth within their app using SSOCircle. If so can you provide insight into what might be the problem. I signed up for an account and registered my service provider on their site.
I have also looked around for simple free SAML testing IDPs without much luck. If anyone has one they are using that is working that would be helpful as well.
using http in SSOCircle address instead of https has worked for me
I've just configured Shibboleth IdP3.2 with my web application that authenticates the users against an LDAP server at the backend.
I could test this authentication process at the local machine. But, while deploying the code on CI server, I realized that the authentication process could not be completed successfully.
The reason behind this failure is that the Service Provider (SP) cannot access the (IdP). From our initial investigation, We chose SAML as the authentication protocol over other protocols like CAS because it did not need a back channel communication. As long as the user has access to both SP and IdP,the authentication process would still work.(SP and IdP need not interact with each other)
On testing we found that the attribute resolution is successful, but the subsequent artifact resolution is failing. In artifact resolution, IdP directly contacts the SP and expects a response. SP cannot send a response to IdP as it is inaccessible. Hence, the authentication fails. (Tomcat logs show: unknownHostException)
Some SAML flows in Web Browser SSO do not require direct communication between SP and IdP as seen from flow diagram in this link.
Does Shibboleth IdP make provisions for such implementations? Is there a work around for implementing Shibboleth IdP without any back channel communication?
SOLUTION:
As Stefan mentioned, there are alternative bindings like HTTP-Redirect and HTTP-POST that do not use back channel communication. You can read more about these bindings here
I changed the SP metadata to make HTTP-POST as the default binding, referring this link.
I did not have to make any changes to Shibboleth IdP configuration as these alternative bindings were already being supported, as substantiated by the metadata file.
According to this documentation, you can set the outgoingBindings attribute to set the preferred binding to use.
I would also recommend removing the HTTP-Artifact binding from the SP metadata.
We are starting a project for SSO and using wso2 to do all SAML , OAuth and keep our Webapplications as service providers.
I have been through the online documentation but need some help .
When user tries to Access to any resource in our webapplication i would send user to wso2 to get Authenticated in case of OAuth /openid connect , how would i form this url ?
I have configured IDP and SP in WSO2 console, after authentication how does WSO2 give credentials of authenticated users to service provider , i see as per document or sample app , this should be SAML or any other sso protocols like oauth etc. documentation is not clear or any examples i can find
i want to redirect the user after OAuth or SAML with my own created Authn cookie , what is the provision for that .
any help would be appreciated
Yes, You can configure your application as service providers and wso2 IS as Identity provider.I guess, You can implement saml sso for your scenario and its simply documented here.There is another blog which describe the same configuration
You can download travelocity sample code and war file .Analysing the code you can get some idea about implementation.
By following above blogs, You can implement the complete SSO flow.
Q. > When user tries to Access to any resource in our webapplication i would send user to wso2 to get Authenticated in case of OAuth /openid connect , how would i form this url ?
Answer :
https://localhost:9443/oauth2/authorize?response_type=code&client_id=wCmphfs69oaN3JhqO3d9FFgsNCMa&scope=openid&redirect_uri=http://localhost:8080/Samplespapp/googleauth.jsp
client_id : is that if which we get on UI oof wso2 console after we finish configuring Service provider in my case i configured Inbound Authentication Configuration as OAuth open id .
redirect_uri is the url where we want to go after authentication , this should match callbackback url in View/Update application settings
Answer 2: I still dont see any valid reason why inbound authentication has to be sso protocol but this is how wso2 works , to put it in laymans term i have a client to connect to using SAML and Other OAuth . i opt for a SSO vendor who takes that headache from me to implement SSO protocols but i Still have to implement atleast one SSO protocol as after SSO handshake wso2 has to communicate userX with role as Admin to service provider app this is done again using SSO !!
ping federate makes it simple it makes an encrypted request header that had data in key value pair. may be i am not understanding but i dont like this inbound Authentication in SSO .
Q. 3.>i want to redirect the user after OAuth or SAML with my own created Authn cookie , what is the provision for that
documentation is poor in this area just some java classes but no end to end example , every one will point to travelocity .
I am creating a java application to implement SSO (SAML) using ADFS. I am not sure if SAML can be done using ADFS alone. While installing ADFS, I noticed that it required configurations of relying party and claim providers trusts (which are basically the SP and IP, right?). I am confused as to whether to have SP and IP in the java application, or just leave it to the ADFS to handle.
Any help would be greatly appreciated. Thanks!
Your Java application needs a SAML stack and becomes the SP.
Refer: SAML : SAML connectivity / toolkit for some ideas if you don't have one.
ADFS (which handles SAML 2.0) can then function as the IDP.
You will also have to configure the claims in ADFS - which correspond to the SAML assertions.
Your Java application will be a Service Provider (SP) that receives identity from an Identity Provider (IdP) server. In the use case you have outlined, ADFS will be the IdP Server. within your application you will need to integrate a library (e.g. SAML stack) to process the SAML assertion. SAML requires configuration on both sides of the interface. There are a few open source options such as OpenSAML. Depending on your organization, you may want to look at a vendor provided solution as well for long term support.
I am getting a strange error from ADFS 2.0 event Log as follows:
"The Federation Service could not fulfill the token-issuance request because the relying party 'https://my-relying-party' is missing a WS-Federation Passive endpoint address.
Relying party: https://my-relying-party
This request failed.
User Action
Use the AD FS 2.0 Management snap-in to configure a WS-Federation Passive endpoint on this relying party."
This happens after SAML response is verified successfully by ADFS 2.0 but apparently fails to issue a token for the relying party application.
I configured in ADFS 2.0 both IDP and SP as SAML 2.0 so I don't understand why is WS-Federation endpoint is expected?
Any help will be appreciated.
Is your web application talking the WS-Federation protocol or the SAML protocol (SAML-P)? If your web application is based on WIF, then you are using WS-Federation. Note that both protocols use SAML tokens.
If your application talks the WS-Federation protocol, then in your AD FS Relying Party Trust you need to set the WS-Federation endpoint(s). If it talks the SAML protocol, you need to set the SAML protocol endpoint(s).
Based on your error message, your application probably talks WS-Federation, therefore you need to set the WS-Federation endpoint.
The integration between your SAML 2.0 SP (ADFSv2) and your RP Application is done via WS-Federation Passive Requester Profile. So you'll need to setup your application to receive the WS-Fed Response and parse it appropriately. You'll also have to configure ADFSv2 to generate this message as well (per the error message you received).
Hope this helps -
Ian
You need to add the web application url to the endpoints in the properties of you relying party.
add ws-federation passive reference manually or in federation file will solve the problem.
Please let me know if you need detail guidance.