I have a Java app running under Websphere Liberty on IBM Bluemix. I need to be able to authenticate users 3 different ways - Basic Auth, SAML SSO, and OpenAuth SSO, in that order.
I can set up the app to do Basic Auth (using custom code) or SAML SSO (using the Bluemix Single Sign On service), but can't figure out a way to configure it to handle both at once. (I haven't even looked into how to do OpenAuth yet.) If I configure the app to use the Bluemix SSO service, then my app never sees the incoming requests to check for a userid and password to try Basic Auth before the SSO service grabs it.
I tried changing the redirect URL in the SSO service to an endpoint inside my app, but then all I get is
CWOAU0062E: The OAuth service provider could not redirect the request because the redirect URI was not valid. Contact your system administrator to resolve the problem.
I can't be the only one that needs to do this. Can anyone tell me how they did it?
Related
I am trying to setup SSO with third party IDPs in Google Workspace admin console.
I am using SAP IAS as an IDP.
It works with the default configuration.
But if i mark the the SAML requests to IDP must be signed in SAP IAS then it fails saying "SAML requests are not signed ".
It seems Google as a service provider does not sign the requests ? is it a correct understanding or is there a way to enable signing of SAML requests in Google workspace admin console ?
Best Regards,
Saurav
When you use Google Workspace as Service Provider with a third-party IdP requests are not signed by default and I am afraid that setting is not available in Google's side at the moment.
I assume by signing both the request and response of your SSO flow you are looking to grant extra security to this process however if you really need to use Google services and the authentication is successful without the setting I would recommend to skip this for now.
Neither in the documentation nor in the Google Admin console section for third-party IdPs SSO you would find it, the setting is simply not there:
Google as Service Provider setup
I hope this information helps!
I'm building a microservice based REST API and a native SPA Web Frontend for an application.
The API should be protected using OAuth2.0 to allow for other clients in the future. It should use the Authorization Code Flow ideally with Proof Key for Code Exchange (PKCE)
As I understand it I need to run my own OAuth Auth Server that's managing the API Clients and generating access tokens, etc.
Also I need my own Authentication/IAM service with it's own fronted for user login and client authorization granting. This service is the place the users login credentials are ultimately checked against a backend. That last part should be flexible and the backend might be an LDAP server in some private cloud deployment.
These components (Auth Server and IAM servicve) are outside of the OAuth scope but appear, correct me if I'm wrong, to be required if I'm running my own API for my own users.
However creating these services myself appears to be more work than I appreciate besides the obvious security risks involved.
I read about auth0 and okta but I'm not sure if they are suited for my use case with the application potentially deployed in private cloud.
I also thought about running Hydra (OAuth Server) and Kratos (IAM) by ory but I'm not sure if this is adding too many dependencys to my project.
Isn't there an easy way to secure an API with OAuth that deals with the Auth Server and the IAM that's good for small projects?!
I'm working on an enterprise application and our UI is a web application. We are looking to add OAuth2 support and I don't understand what to provide for the redirect URI field to the OAuth provider.
For example, I have registered my app in github OAuth provider.
Homepage URL: https://localhost:7980/index.html
Authorization callback URL: https://localhost:7980/oauth_callback
Now this works fine with localhost as the hostname. But, when this application gets used by the customers they can install it on any of their boxes and invoke the web app from any device connected to our server via https://[hostname]:7980/index.html. In this case, if the customer wants to use OAuth2 authentication option, then I don't understand what should be the redirect URL. Obviously I cannot use localhost for redirect URL as the customer can access the web app from any machine. I wouldn't know the machine ip/hostname where the customers are going to be installing our server beforehand.
One suggestion was to use a server from our company which would handle redirect URLs for the OAuth2 authentication. Is this a good idea? Is there a standard way for handling the use case I have narrated above in OAuth2?
We are starting a project for SSO and using wso2 to do all SAML , OAuth and keep our Webapplications as service providers.
I have been through the online documentation but need some help .
When user tries to Access to any resource in our webapplication i would send user to wso2 to get Authenticated in case of OAuth /openid connect , how would i form this url ?
I have configured IDP and SP in WSO2 console, after authentication how does WSO2 give credentials of authenticated users to service provider , i see as per document or sample app , this should be SAML or any other sso protocols like oauth etc. documentation is not clear or any examples i can find
i want to redirect the user after OAuth or SAML with my own created Authn cookie , what is the provision for that .
any help would be appreciated
Yes, You can configure your application as service providers and wso2 IS as Identity provider.I guess, You can implement saml sso for your scenario and its simply documented here.There is another blog which describe the same configuration
You can download travelocity sample code and war file .Analysing the code you can get some idea about implementation.
By following above blogs, You can implement the complete SSO flow.
Q. > When user tries to Access to any resource in our webapplication i would send user to wso2 to get Authenticated in case of OAuth /openid connect , how would i form this url ?
Answer :
https://localhost:9443/oauth2/authorize?response_type=code&client_id=wCmphfs69oaN3JhqO3d9FFgsNCMa&scope=openid&redirect_uri=http://localhost:8080/Samplespapp/googleauth.jsp
client_id : is that if which we get on UI oof wso2 console after we finish configuring Service provider in my case i configured Inbound Authentication Configuration as OAuth open id .
redirect_uri is the url where we want to go after authentication , this should match callbackback url in View/Update application settings
Answer 2: I still dont see any valid reason why inbound authentication has to be sso protocol but this is how wso2 works , to put it in laymans term i have a client to connect to using SAML and Other OAuth . i opt for a SSO vendor who takes that headache from me to implement SSO protocols but i Still have to implement atleast one SSO protocol as after SSO handshake wso2 has to communicate userX with role as Admin to service provider app this is done again using SSO !!
ping federate makes it simple it makes an encrypted request header that had data in key value pair. may be i am not understanding but i dont like this inbound Authentication in SSO .
Q. 3.>i want to redirect the user after OAuth or SAML with my own created Authn cookie , what is the provision for that
documentation is poor in this area just some java classes but no end to end example , every one will point to travelocity .
I require help on integration of web service with JOSSO for authentication.
Whenever a request comes from SOAP UI(client) to service, it should be authenticated against an Active Directory server, and if it succeeds then it should hit the service endpoint.
After a long struggle, we came to know JOSSO exposing their login methods as web services also.
But for authenticating against AD, you have to make least two or three web service calls.
Get Assertion Id by passing Username & Password.
Get Session Id by passing Assertion Id.
Get Role information by passing the Session Id.
Just for testing, you can download this wsdl as a project in to SOAP-UI tool and hit to get response.
JOSSO WEB SERVICES WSDL LINK
You can find the same from source code also:
\josso-1.8.3-src\components\josso-ws-v1_2\src\main\wsdl\josso-1.2.wsdl