I need some guidance on my SSO implementation. We have a web application where we are authenticating the user through applications Database. We check user details in USER table and match password. If everything looks good we create PHP session and allow user to Login. One of our partners is requested for SSO integration, they want us to behave like Identity Provider (their application will be Service Provider). I have no idea from where should I start. Few initial guiding points will be a great help.
Thank you!
First question is what protocol they want to use:
SAML 2.0, WS-Federation or OpenID Connect / OAuth?
What platforms do you use? - Windows , Linux? Microsoft shop?
Do you want to pay for a commercial product or use open source?
What repository do you want to authenticate against? You mention a DB. Is this SQL Server, MySQL or what? Not all products authenticate against all repositories.
If e.g. the answer is SAML 2.0 and open source, look at shibboleth or simpleSAMLphp.
identityserver would be another possibility.
If the answer is WS-Fed, Microsoft commercial, look at ADFS.
Related
Please help. I'm aware there are several posts / docs about SSO implementations but I still can't seem to find one that addresses my use case - probably because I'm still new to SSO implementation.
Scenario:
I have an existing Symfony 4 application with existing users. I want so that when users log into the app, they are automatically signed into Outlook Office 365 (web). Exactly the same implementations on https://mysso.centennialcollege.ca/. Please NOTE I do not want office 365 to authorize my app using the code flow approach, rather I want office 365 to recognize users signed into my app as valid identities.
Has anyone implemented this or has ideas please?
Your question is a bit unclear. You're likely going to need to change the existing application in some manner in order to achieve true single sign-on. You'll need to ensure that authentication against the Symphony app leads to the presence of a session that can be used to trigger subsequent sessions in a SSO framework supported by O365.
In your case, I'd take a look at SAML and, more specifically, SimpleSAMLphp.
Are you affiliated with the organization you linked to in some way? Because just by looking at the login page that looks like they've already got some sort of SAML Identity Provider solution... you can just integrate your Symphony app with that IdP in that case, and correlate the principal returned to your SP application from the SAML assertion on successful authentication against the user data in your existing DB. You wouldn't have to use SSP in that case... any kind of SAML middleware would work.
Say I'm a small application (www.example.com) and I'm integrating with a much larger enterprise (www.acme.com).
In this scenario I am the service provider and they are the Identity provider.Their request is that I integrate into their auth ecosystem using SSO (specifically SAML 2.0).
For the standard IdP-initiated flow, users will sign in on their end and they will POST an XML assertion to my application, which will then verify the user and sign them in to my application (i.e. set a browser session).
The enterprise uses PingFederate as their identity server, and they are curious what implementation my application uses. At this time I have none.
If my application is a single monolith (e.g. a small Ruby on Rails app), do I even need a federated server? Ultimately they are just looking for a place to POST SAML data to, so I can set up an endpoint and go from there right?
What are some general benefits of a federated server? Why wouldn't every service provider application (small and large) just set up an endpoint to ingest SAML data and call it a day?
Thanks!
You don't necessarily need a Federation server. However, if you decide in the future to divide/expand your application into micro-services or integrate your service with other 3rd Parties, a server will allow you to scale without disrupting your current customers (great CX) and not have to manage separate security endpoints.
I think we should move this to software engineering
How do users authenticate with your service? Having a federated identity guarantees that the whole user management process it's someone else's problem. They're looking for a way to integrate your service into their authentication system, so you need to set up an endpoint not only to consume but to be able to send SAML request to their identity server as well.
I use my Google Account credentials to access almost all my social networking sites (including Stack Exchange), that means among other things that all sites know me as the same entity plus I just have to remember the one password.
Don't know about SAML but almost everybody is using OpenId or OAuth.
I am implementing Single Sign On through SAML. For this, I need an IDP (Identity Provider) which can be installed on-premise. Can you provide me the list of IDP's available and their licence Cost and supported platform? I searched and found like Gluu, Shibboleth but not finding the exact. Please help me out.
Thanks in Advance.
Refer SAML-based products and services.
I have used shibboleth and simpleSAMLphp - both open source - both work.
If you want to pay, then Ping Federate, ADFS, OpenAM and Auth0 are all good options.
I do not want to share our user identity with anyone else. We are using Progress Open Edge Database to store user id and password and authenticate from there.
Is there any way that we install IDP on-premise where our user identities should not be shared in cloud rather it is in our network?
I am using OneLogin but it allows to share user id with themseleves but i do not want to share user id with any IDP, instead it should be on my network, that is why i am lokking for an IDP which can be installed on-premise.
A little old post but maybe someone else looking for an answer can benefit. There are many Identity Providers available out there. It depends on your use case which one you should go with and if you need an open source or if you want full support for it.
If your use case requires you to support all the IAM features with easy to configure UI then Keycloak and miniOrange are the ones I would recommend. Keycloak is open source and miniOrange charges for support if you need it. There are others like Shibboleth and SimpleSAMLphp but they don't have an intuitive and easy to use UI and you will have make changes in their config files directly.
As you already pointed above since you don't have any cost issues then you can check out ADFS and Ping Federate.
My best choices will be:
Paid : PingIdentity
Free (as in community) : WSO2 IS, Forgerock OpenAM, Redhat Keycloak
Free : SAMLphp, ADFS (you paid for the servers anyway)
I am tasked with setting up Single-Sign-On between ADFS and Taleo Business Edition. In this case it is an IdP initiated SSO and I have to use .net. I know .net 4.5 supports SAML, which is what the relying party (Taleo) requires to validate a user-- but I cannot find any good tutorials to even get started. Any help is appreciated, I have read through the WIF documents and some of their Developer Training Kit but it does not seem to be what I need to do. Does anyone have any pointers on good places to start? No one in my office is sure of how to do this.
EDIT: My approach is to just create a .aspx form and put that link on our intranet homepage, send the necessary credentials to the relying party (Taleo), who then interprets the SAML token and redirects the user. Does this this seem like a sound approach?
What you have to do is add Taleo as a Claims provider to ADFS. easiest to ask then for their metadata file and import that.
Essentially you are federating ADFS and Taleo.
This a common pattern - refer e.g. AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation for a SAML example.
.NET 4.5 does not support the SAML protocol - it only supports SAML tokens. Neither does WIF.
You would normally go to the ADFS IDP Initiated page, sign in and then pick Taleo from the dropdown and then you will be redirected to Taleo with SSO so you won't need to authenticate again.'
I need to implement SSO for a third party product our company has purchased (Service Provider). They need a SAML 2.0 token Posted to their server. We plan to implement this in an Application Page in SharePoint where we already have the user authenticated (Windows Sign-on). All I need to do is create the Token and send it along. However, I am having a great deal of difficulty finding recipes for this scenario. I would like to avoid as many moving parts as possible, so not interested in using things like AD FS, WIF, etc... if at all possible.
Does anyone have a good resource for setting up this type of IdP?
How does this 3rd party expect the token?
Via a web-service (WS-Trust), WS-Federation, SAML?
SP has an STS but it doesn't support SAML.
It sounds like the easiest way is to use ADFS for the heavy lifting.