I'm using activesync to sync exchange emails, where the authentication happens using basic auth. I was wondering if it's possible to use activesync with a single sign-on solution?
The only way to implement SSO on ActiveSync is with Certificate based authentication. ActiveSync has no support for identity federation, hence no SAML, OAuth, ... Setting up an internal CA is not that complicated, especially if you use Microsoft's CA: ADCS. Simply follow the instructions in the link from BastianW.
You will then need an Enterprise Mobility Management tool like AirWatch, MobileIron, ... to integrate with your CA and distribute the certificates seamlessly to your users.
I assume with SSO you wish to implement a way where your users can use there mobile phones without the need to adjust her password every time when they change there password inside the active directory. The solution to do that is using "certificate-based authentication for Exchange ActiveSync". Via that approach an internal CA will create an certificate for the user which can be used on the mobile device to authenticate an ActiveSync session against your Exchange environment. As long as the certificate is valid the user can use that on there mobile device instead of an password.
Keep noted that this required a higher workload for the IT department (for most my customers) so most of them started to use a MDM environment which can push these certificates to the enrolled devices nearly automatically. AirWatch for example can do that (but there might be other, however I can only speak from AirWatch as this is in use by 6 customers).
And just another advise how we build that: We added additional IPs to the Exchange environment then configured an additional ActiveSync side with certificate authenticated. Then we could test the whole solution and later one switch over the user. But if you do not have that much users you might considering a "big bang" migration.
Simple activesync via BasicAuth is not really "the way".
E.g.: Airwatch is using the "Mobile Email Management", which works like an Proxy to your network. Working that way, you can use SSO via AD / LDAP and so on...
I would highly recommend doing it that way.
Related
We want to use SSO for a group of apps (this will include GitLab, probably Drupal and a bunch of small apps I will write in Symfony for various tasks). We would like to currently use Google accounts to authenticate all apps, but because there are limits (I know you can increase them) on how many apps you can have and Google sometimes change what features are free, it would be good to have the option of using our own login down the track if needed.
I have used SimpleSAMLphp in the past with GitLab (using a database to store credentials) and it worked well. Is there a way that I can use the Google Auth as an IDP and have SimpleSAMLphp record the email address to link the accounts etc and allow me to add things like groups etc in to send down to the app when a login happens? I would put a password field in the login table in the database as well so that if we decide to move away from Google we can generate random passwords and continue without too many issues.
The information I find online is for using SimpleSAMLphp as the IDP for gsuite etc (we will be using general Google accounts, not ones in gsuite) and not the other way around. I also couldn't see any Authentication Modules for Google authentication. Are there any tutorials or instructions anywhere on this?
You can accomplish what you are asking fairly easily. Instead of integrating your SPs with Google directly, integrate them with an SSP idP you control, then set up your authentication page (i.e. the page redirected to by your authsource module) to be an SP for Google. Here's what that looks like:
vendor sp -> your SSP idP -> your login app -> your SSP SP -> google idP
This way you end up with only a single Google integration configured for all your vendor integrations. There are numerous benefits to this approach:
You aren't affected by # of integration constraints imposed by google
Since your vendor SP integrations are controlled on your own server, you can easily move to a different cloud-based idP for authentication in the future without having to re-integrate all your SPs
You can easily give your users alternate sign-in choices if you want.
You aren't constrained to SAML or protocols supported by Google. Many vendors still use proprietary token based authentication. These can easily be supported with this setup.
Happy to help with implementation details if you need it.
Currently my organization uses a number of web apps/mobile apps/APIs, some of which authenticate against an in-house IdP and others which use a third-party proprietary system (over which we have no control).
We have been asked to implement SSO for these web applications and as a result I have been reading up on OpenID Connect. I believe this would be a better solution than SAML given that (a) end-users are not always enterprise users, and (b) SAML not designed for mobile applications.
I believe I understand the flow reasonably well but have one sticking point. To allow users to authenticate using an external IdP, we would need to map the user back to our internal id. For example, user authenticates using OIDC/Google, resulting in us receiving the user's unique Google idenitifer (and email etc if we queried further), but this is not useful to us until we can map the Google identifier back to our internal customer id.
Is this mapping out of scope for OIDC? If so, is there a best-practice method for doing this? I'm sure we are not alone in this requirement...
Thanks,
John
Is this mapping out of scope for OIDC?
Short answer, yes.! If your backend require a comparison/validation with internal identity details, then it has to be done out-of-scope of OpenID Connect(OIDC) protocol. OIDC simply define the process of obtaining tokens (ID and access token), which are required for authentication and authorization.
is there a best-practice method for doing this?
One option is to use out of band directory synchronization. For example, Google provider Google Cloud Directory Sync (GCDS), which allows you to synchronize identity details to LDAP or MS Active directory. Other alternative is to use SCIM protocol to communicate and provision users dynamically. For example Google provide that support as well.
Alternatively, you can use just-in-time provision at the time you receive tokens. This support will depend on your identity provider implementation. For example, WSO2 identity server support both JIT provisioning as well as SCIM.
We have an on-premise website at the moment and I need to make it public, but require users to log in with their office 365 username and password.
My problem is that I've looked everywhere and can't seem to find an implementation for ubuntu servers.
I've also seen many instances of syncing office 365 accounts to the on-premise AD accounts, but not the opposite.
Ideally it should be implemented through Single Sign On.
You need to register your website as an Azure AD application, which will provide you with an app id and app secret. Your website will then need to implement the oauth 2.0 flow. Microsoft provides libraries for most platforms but if they don't have one for yours, everything is accessible through REST calls.
There are two most likely approaches to achieve this:
Configure SAML SSO in your application then use Azure AD as the IdP (as in Bernhard's comment). This will allow your application to gain information passed within the Saml token. You'll still need to present the site to the Internet via some sort of reverse proxy
Consider placing your website behind Azure App Proxy. This will allow you to publish the site over the Internet without having to open any firewall ports, and will allow you to use KCD to log users in without having to configure anything in your application, simply enabling Windows Integrated Authentication. This provides two very important benefits: 1) Unauthenticated visitors cannot hit the site at all, providing significant DDoS/attack protection, and; 2) No reverse proxy or other appliances are required, typically
I am implementing Single Sign On through SAML. For this, I need an IDP (Identity Provider) which can be installed on-premise. Can you provide me the list of IDP's available and their licence Cost and supported platform? I searched and found like Gluu, Shibboleth but not finding the exact. Please help me out.
Thanks in Advance.
Refer SAML-based products and services.
I have used shibboleth and simpleSAMLphp - both open source - both work.
If you want to pay, then Ping Federate, ADFS, OpenAM and Auth0 are all good options.
I do not want to share our user identity with anyone else. We are using Progress Open Edge Database to store user id and password and authenticate from there.
Is there any way that we install IDP on-premise where our user identities should not be shared in cloud rather it is in our network?
I am using OneLogin but it allows to share user id with themseleves but i do not want to share user id with any IDP, instead it should be on my network, that is why i am lokking for an IDP which can be installed on-premise.
A little old post but maybe someone else looking for an answer can benefit. There are many Identity Providers available out there. It depends on your use case which one you should go with and if you need an open source or if you want full support for it.
If your use case requires you to support all the IAM features with easy to configure UI then Keycloak and miniOrange are the ones I would recommend. Keycloak is open source and miniOrange charges for support if you need it. There are others like Shibboleth and SimpleSAMLphp but they don't have an intuitive and easy to use UI and you will have make changes in their config files directly.
As you already pointed above since you don't have any cost issues then you can check out ADFS and Ping Federate.
My best choices will be:
Paid : PingIdentity
Free (as in community) : WSO2 IS, Forgerock OpenAM, Redhat Keycloak
Free : SAMLphp, ADFS (you paid for the servers anyway)
I'm working in a company that uses Microsoft Active Directory. We have an external company that provides an internal web site for a particular project. The site is external to the company. The sign on to the external site is the user's company email.
We want a system whereby the external site calls into the organisation's AD to verify if an email address is still valid or if the user has left the company. It should be a simple call to Active Directory Federation Services or some sort of SAML interface. The call would be a simple request 'here's an email, is it valid?' and the response is either yes or no.
Our IT department are trying to tell us that it's too complicated and I don't believe them. I think they just don't want to do it.
Does anyone know how easy it would be to create a simple system that would allow an external service to do the query outlined above.
ADFS is not meant to do that. However, a by-product of using it, would be the validation you are looking for.
The first question would be: what is the authentication method of your app? e-mail and what else? password? which password? Does the app keep a database of users/passwords?
ADFS works as an "identity provider" and would authenticate users in AD. ADFS would supply a security token that can be consumed by your app. Part of the information sent in the security token could very well be (and often is) the user e-mail address (that's why it is a "by-product").
For this to work, the app would have to be changed to accept security tokens (SAML tokens to be specific). If the app is .NET based, then it is done usually with WIF (WIndows Identity Foundation).
This approach would be the most elegant and secure because the app would delegate the responsibility of authenticating users to the authority of these employees: AD.
App --trusts--> ADFS --authenticates--> AD
Setting up ADFS, etc is not super-difficult, but it is not super-simple either, and might not be worth just for this app. There are other lighter weight alternatives: open source products like Identity Server, or products like the one I work on.
Now, if all you need to do is to validate that the e-mail actually exists, the best is to send a verification message to that address with some unique code that the user sends back. This is the same approach used in many common web apps.
Agree with everything #Eugenio said - have same questions about authentication.
But if you simply want code to query an user's email address in AD, you use the AD API's.