Login to Magento 2.0 from external application - single-sign-on

I am working on an integration with Magento 2.0; however, I have a CakePHP 2.0 application and I want the user to be already logged in after he successfully logs into my CakePHP application.
How can I implement such a feature?
Thank you in advance

The standard way to SSO between two apps that are hosted on different domains is to use SAML2.
In that standard there are two types of entities:
Identity Provider (IdP). The entity that authenticates the user and sends its info to the SP.
Service Provider (SP). The entity that protects the app, is connected with the IdP and can make access control decisions.
Since you are using a PHP stack, I recommend using the simpleSAMLphp software to deploy your IdP.
You will need to decide what your user data source is going to be, CakePHP or Magento, and disable registration and password reset on the source not selected.
So in your project you will need:
Deploy an IdP with simpleSAMLphp and use the database of your CakePHP app as the authentication source (if that source is the selected one), removing user registration/password reset on Magento (otherwise connect Magento's database as your main user source and don't let users register on CakePHP).
Enable SAML on CakePHP.
Enable SAML on Magento2.
The advantage of using this standard instead of custom, tricky SSO mechanisms is that you will be able to add any other app (with SAML support) to your SSO federation, like Salesforce, WordPress, Google Apps, Drupal, Joomla...
In this video you can see the Magento2 extension in action (I'm using OneLogin as Identity Provider). In this other video you can see simpleSAMLphp in action with Magento1.
Note: I'm the author of the Magento2 SAML extension. Right now there is no other option to add SAML to a Magento2 app, and it is a complex task, so I don't recommend implementing it yourself ;)

Related

Simple IDP for SAML

We maintain a website that uses the built-in .NET Core / EF Identity model so all user data is in DB tables. We now have a need to support SSO into another 3rd party system which requires that we host our own IDP with support of SAML 2.0. We don't want to change our identity model or login process for our own website, we just need to return a SAML Response for a user without our website as a response to an SSO request by the 3rd party website. Our site is hosted in Azure as a Web App but we don't use Azure AD for this website which is public facing for external client employees.
Are there any recommendations to create a simple IDP that maps to our existing AspNetUsers database table to retrieve and prepare an SSO Response but doesn't impact our existing identity setup? In all likelihood, we'll have to support other SSO protocols in the future with the same implementation. Do we need to go as far as to implement IdentityServer4, making the existing web app act as both an IDP and a client app?
idsrv4 supports the EF identity model (AFAIK). If it doesn't you could always write your own plugin.
idsrv4 then becomes the IDP and will authenticate against your current DB.
idsrv4 has SAML and WS-Fed plugins to support future SSO.
Your other choice is to implement something like Auth0 that supports authentication against local DB and has full support for SAML and WS-Fed.

How do I get multiple applications to SAML Single Sign On to one application?

Looking for direction.
I've got a single web application that I want to SSO into from multiple applications that all handle their own authentication. The web application wants to use SAML for SSO'ing. The web application requires IdP metadata (we've got one web service that is its own IdP, don't know what the other applications are using). The web application can also accept SAML Assertions with provisions to determine user access when it creates the new users after they SSO in.
I'm looking to get a one stop shop for the web application to hit to determine authentication and authorization.
I've got another web application (.NET Core) that runs Identity Server 4 to handle authentication for one of the many applications that wants to SSO into the web application. Can I use that? I would need to integrate SAML into it. How do I do that? Also, how can I easily integrate all the other applications to use this one web application to SSO into the SAML web application. Is this what Federating is?
Trying to do this with minimal work to all the other applications because that kind of integration work across multiple teams would be kind of a nightmare.
Any suggestions?
Thanks!
If you're already using Identity Server 4, you're probably best to stick with it and add SAML SSO support to it.
SAML SSO support isn't included natively in Identity Server 4 but there are two commercial offerings that add this support.
The following link has some good articles describing how to support SAML SSO in Identity Server 4.
https://medium.com/the-new-control-plane/tagged/identityserver4

Configure Okta to handle SAML authentication on behalf of our non-saml web app?

Our company maintains a web app composed of a front-end and a back-end (in Node.js), and we support the standard username/password login authentication. A couple of our partners have requested that we support SAML SSO, so their end-users can access our web app through a link on their respective portals without the need to log in again.
Question: Do we need to turn our app into a full-fledged service provider (SP) by implementing a SAML sdk/library in our front-end and back-end?
Or is it possible to use a 3rd party authentication provider like Okta to handle the SAML nitty-gritty behind the scenes and then redirect the end user to our app, with possibly a token (JWT?) so we can retrieve the user info from Okta?
I've read everything I could find on Okta's site, and here, and couldn't find a definitive answer, either yes it's possible (with example) or no you can't do that.
Like you already mentioned in your question, there are two possible ways to do it.
Update your application to support the SAML login flow with your app as SP, in which case you will not need to use any 3rd party auth provider.
If you don't want to get into the SAML nitty-gritty, you can use a 3rd party provider like Okta as an intermediary that will consume the SAML responses from the IdP (used by your external customers) and then convert that assertion into an OpenID token (JWT). In this case, Okta will act as an IdP (authorization server) to your web app and generate ID tokens.
Your app will then need to implement the OpenID Connect login flow.
You can refer to http://developer.okta.com/code/javascript/okta_sign-in_widget_ref for this.

Sugarcrm and Auth0 SSO enabling

I have one SugarCRM application and a web application. For user login purposes I am using Auth0 in my web application. When a user logs into my application, the same user wants to log in to SugarCRM.
Is it possible by using SSO? Or do we need to pass the corresponding logged-in user details to SugarCRM for login?
Please suggest the better option.
Yes this is possible. You need to enable SAML in SugarCRM. In Auth0 you would add SugarCRM as any other app (Dashboard > Apps/API > NEW), then configure it for SAML (Addons > SAML).
The parameters in Auth0's SAML config are app dependent (whatever SugarCRM expects). The most important parameters are:
The "ACS". This is the URL where the SAML Response is sent to (this is a location in Sugar)
The signing certificate (you will find this on the Usage section of Auth0's SAML config). This is the certificate the SAMLResponse is signed with.

Single Sign On Microsoft ADFS

I am tasked with setting up Single Sign-On between ADFS and Taleo Business Edition. In this case it is an IdP-initiated SSO and I have to use .NET. I know .NET 4.5 supports SAML, which is what the relying party (Taleo) requires to validate a user, but I cannot find any good tutorials to even get started. Any help is appreciated; I have read through the WIF documents and some of their Developer Training Kit but it does not seem to be what I need to do. Does anyone have any pointers on good places to start? No one in my office is sure of how to do this.
EDIT: My approach is to just create a .aspx form and put that link on our intranet homepage, send the necessary credentials to the relying party (Taleo), who then interprets the SAML token and redirects the user. Does this seem like a sound approach?
What you have to do is add Taleo as a Claims Provider to ADFS. Easiest is to ask them for their metadata file and import that.
Essentially you are federating ADFS and Taleo.
This is a common pattern; refer e.g. to AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation for a SAML example.
.NET 4.5 does not support the SAML protocol; it only supports SAML tokens. Neither does WIF.
You would normally go to the ADFS IdP Initiated page, sign in and then pick Taleo from the dropdown, and then you will be redirected to Taleo with SSO, so you won't need to authenticate again.