I have searched a lot for a good documentation on how to implement SSO as I am a beginner in this field. But got confused with documentations, available online. Is there any documentation that can help me directing :
How to Create/configure IDP , SP, how to implement SSO?
My web application uses, Java 8, angular JS , JSP, Spring ( with annotations), Hibernet, Maven, JBOSS.
Appreciate your time in advance.
Your question is kind of broad which is hard to give a definitive answer. Perhaps knowing better about what to research may help. Please let me try:
Your web application will be an SP. Thus, you don't need to research for how to implement an IdP.
You will need at least 1 IdP to test SSO for your application. Therefore, find out what IdP you want to use and research for how to set it up as well as how to configure a service provider trust against it.
What is the protocol you want to use for SSO? Is it SAML 2.0, WSFed, OAuth2, OpenId Connect or something else? Pick one.
Research a good library that you can use to implement the SP role for your application.
You've mentioned Java and Spring so typically you are looking at Spring Security and SAML.
If that's the case. then you need to implement a client side SAML stack.
Refer: SAML : SAML connectivity / toolkit.
Related
We are an ISV building an enterprise SaaS product.
We would like to enable our customers define their IDP SAML configuration.
We are a startup and would like to support SAML as lean as possible.
1. What is the minimal configuration needed to support the major IDPs?
After reading Okta's article I understand that:
Certificate
IDP Sign-in URL
Are a must.
Say that we use a single ACS endpoint (We will implement our own logic by looking at the SAML assertion)
Is there anything else mandatory?
What about bindings? Do all major IDPs support HTTP redirect?
2. What is needed to be defined on the IDP side?
We tend to use the HTTP redirect binding, should it work with most IDPs? Is a metadata endpoint important?
As for "what is required": in many cases, you will have to generate so called "metadata.xml" file to provide the information to the vendor, so they might install a testing environment for you.
I've implemented about 5 SAML integrations with different vendors so far. The truth is that not all of them require full-fledged SAML 2.0 standard, but some of them do. I think my article should be also helpful to you https://dev.to/optiklab/working-example-of-saml-single-sign-on-integration-using-c-39mb and my open sourced SAML integration project (https://github.com/optiklab/SAML-integration-utilities) contains both Metadata File generator and C# examples for forming both SAML response and assertions. They proved to be working with many vendors, like Ping Identity, etc.
Let me know if you have more specific questions.
After successfully implementing SAML-V2 Service Provider (SP); for supporting some specific use-case, I have to implement my own SAML-2 IdP. After going through OASIS Documentation and many others about the SAML protocol, I have started implementing it.
My Use-case is just a single profile (Web Browser SSO Profile) with SP-Initiated SSO: Redirect Bindings only.
I am looking for some lean third-party library or java based implementation which I can refer/use to speed up the implementation and customize on top of that.
Would love for any recommendation or suggestion in this direction.
To be specific I'm looking for any/all of below :
Easy to use open-source library for implementing SAML-V2 Identity Provider in Java.
Detailed documentation/specification for above profile.
Any advice from experts who have past experience in implementation such kind of IdP.
There is lots of material available for SP. However, very few and complex for IdP.
Some of the java-based implementation which I am already looking are : KeyCloak and Lite-IdP.
"Very few and complex" is true because building a real-world identity provider is a serious project. OpenSAML as the library is your best option in Java - many enterprise-grade implementations that we know about are built with it. A good, stripped-down example of how to use OpenSAML in IdP context is https://github.com/OpenConext/Mujina .
Lite IdP is written in Go. If you're open to non-Java options, SimpleSAMLphp is excellent, it's certainly better documented than many others.
I'd post it as comment, but I don't have enough reputation.
But here you have almost the same question, regarding Spring SAML:
using-spring-saml-as-an-idp-rather-than-an-sp
Take a look at Vladimir's answer, I think it's what you're looking for. Here is the link suggested by him.
Cheers
I need to implement Single Sign On feature for several internal web applications which are not deployed on the same domain.
Is federation a good solution in my case? Or it is only used if I want to federate the authentication to an external IdP.
I mean I want to create a custom WIF STS and make all the applications claims-aware RPs.
I'm thinking of it because I don't want to use custom solutions or third party libraries. WIF seems to have a straightforward solution integrated with .Net Framework.
Is my suggestion correct? Or this is an incorrect use for WIF.
Yes - a solution with WIF / STS will work even if it's only internal.
Beware of security if you roll your own.
You may want to look at ADFS or IdentityServer.
Going this route will make your life a lot easier.
I am looking for an SSO solution that can be customized according to our needs.
From what i saw over the internet it seems that Shibboleth and JOSSO are solutions that just need to be installed and configured. My question is to what extent can they be customized to use with web apps.Please consider following points.
control over cookies and session management
integration with existing authentication mechanisms being used for the app (e.g. two factor authentication)
collection of data from the user at the time of registration.
Suggestions on any other frameworks and approaches are welcome
I just strated my project with SAML 2. I want some help related SAML and OpenSAML libraries v.2.0.
Can someone tell me helpful and comprehensive tutorials for it? I just want to do a small POC.
I need Step-by-Step help for SAML. Here are some of my requirements. Please help.
All SAML specific functionality will be implemented using the open source OpenSAML libraries.
We will support both Service Provider (SP) initiated authentication as well as Identity-Provider (IdP) initiated authentication.
My book, A Guide to OpenSAML, gives a good introduction and step by step on SAML and the OpenSAML library.
Also my blog has a couple of examples on this.
https://blog.samlsecurity.com/categories/opensaml/
https://blog.samlsecurity.com/categories/saml/
I would suggest starting here:
http://identitymeme.org/doc/draft-hodges-learning-saml-00.html