We've developed a SAML2 SP (supporting IdP-Initiated SSO, as per the user journey we want).
My question is, short of developing an IdP, how can we test it is working? Is there an IdP-Initiated SSO test harness out there? (I know of SSO Circle, but that is for SP-Initiated SSO).
You can use a trial account from Onelogin and configure a SAML Test Connector, or deploy your own IdP with simpleSAMLphp
You can test out IdP-Initiated SSO via this JS Bin: https://output.jsbin.com/nukiso
The code is quite long and wouldn't be appropriate to put directly into this post.
It works completely on the browser side and uses web crypto APIs for signing the assertion. It is probably a better idea to use a real IdP as this is more of a tool for learning how to make the SAML response/assertion. To prevent anyone from being able to log into your website without authentication, do not use the JS Bin IdP metadata on a public/production server.
Related
I am new to this subject and was tasked with setting up an SSO environment
using shibboleth IDP. I downloaded the IDP software from the shibboleth website and tweaked the settings according to a few online guides. In the end I want to connect the IDP to a service now instance to work as the SP. I don't know why but the connection doesn't happen. Is there anything I'm missing that I should have for just a skeleton of the system to work? I skipped anything involving federation registration and encryption as this is not relevant for the time being. I don't know a lot about SSO systems and I don;t know if I just have a few settings wrong in the IDP or if I completely mis-understood how SSO's work.
I'm writing some SSO code, that will allow any IdP that supports SAML to authorize with my code.
I need an IdP Simulator that can provide me a metadata URL with the Idp config so that I can test my code. (I'm providing in my code the SP config).
I search but couldn't find some kind of simulator, all I found were tools that manage the apps if I provide both the IdP and SP configs, which is not what I'm looking for.
Thanks a lot!
SAMLtest.id is a free SAML 2.0 testing service that allows you to test your SAML-compliant Service Provider (which is effectively what you have, based on your description). You need to upload a metadata document representing your SP / your application, and you'll be able to download the SAMLtest metadata to use to form your half of the integration.
This is effectively the new version of TestShib, which shut down a number of months ago due to lack of community support, and I use it relatively regularly.
Good luck!
Alternatively you could also use SSOCircle , which offers a free of charge SAML IdP as well (https://www.ssocircle.com/en/portfolio/publicidp/). E.g. it is configured as a default SAML IdP for Spring Security SAML extension.
(I) How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository allows you to build and run a standalone IdP Simulator at your own testbed. Running a standalone SAML IdP Simulator by yourself allows you to test your SP code and debug your SAML SP log by checking server logs of both IdP and your SP developed by you.
(1) Download the source code from How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository
git clone https://github.com/winstonhong/Shibboleth-SAML-IdP-and-SP
(2) Copy your SP metadata file into
shibboleth-idp-dockerized/ext-conf/metadata/
(3) Extract IdP metadata file "idp-metadata.xml" from
shibboleth-idp-dockerized/ext-conf/metadata/
and upload it to your SP server developed by you
(4) Follow the README instruction to run OpenLDAP server and SAML IdP server using Docker container
(5) Run your SP server developed by you
(6) Now you can check the server logs of both Shibboleth IdP and your SP server to debug your SP code.
In addition, shibboleth-sp-testapp/ folder provides the reference SP configuration for your SP server developed by you.
(II) Another StackOverflow question Setting up a new Shibboleth IdP to work with an existing SAML SP discusses the SAML configuration between IdP and SP.
(III) TestShib is the online Shibboleth IdP simulator built and run by the Shibboleth community. It is exactly the same as the above standalone Shibboleth IdP simulator built and run by yourself.
I want to create a SSO to be used by multiple applications, what would be the best way to do it. I was going through SAML2.0 but I am confused as I didn’t find any articles to create own/custom SAML IDP.
1.How feasible it is to create own IDP.
2.What is the best way to implement SSO
Question 1: How feasible it is to create own IDP?
Answer:
How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides the instruction on building your own IDP for SAML in Java using Shibboleth SAML IdP and OpenLDAP.
Shibboleth SAML IdP is responsible for identity federation.
OpenLDAP is responsible for identity authentication.
Question 2: What is the best way to implement SSO?
Answer:
Shibboleth IdP has implemented SSO for enterprise applications which have been integrated with SAML SP.
(I) I have validated SAML Single Sign-On (SSO) provided by Docker-running Shibboleth SAML IdP (Identity Provider) and OpenLDAP for the following enterprise applications. In other words, I leveraged Docker-running Shibboleth SAML IdP and OpenLDAP to log in to the following enterprise applications successfully.
Microsoft Office 365
Google G Suite
Salesforce
Dropbox
Box
Amazon AWS
OpenStack
Citrix NetScaler
VMware vCloud Director
Oracle NetSuite
(II) We developed our former version of Zero-Password Authentication and Authorization System in Java and leveraged Shibboleth IdP to provide SAML SSO for enterprise applications.
We developed our current version of Zero-Password Authentication and Authorization System with scalability and high availability in Scala to provide SAML SSO natively for enterprise applications without Shibboleth IdP.
For quick deployment of SAML IdP on your production environment, leveraging third-party SAML IdP (such as Shibboleth IdP) is highly recommended. Then you have sufficient time to develop your own SAML IdP in Java or other programming language.
(III) Another StackOverflow question "How to implement or integrate single sign on with SAML and Shibboleth" provides valuable information and discussions.
Question 1: How feasible it is to create own IDP?
Yes, it is possible but requires lots of efforts.
This repository can help you figuring out how to build your own IDP: A mock IDP and SP using the OpenSAML library
This repository can help you on how to integrate your own IDP to Spring Boot application: Spring Boot, SAML, and Okta
Question 2: What is the best way to implement SSO?
In my oppinion, the best way to implement SSO is using pay-as-go identity service. It helps you saving efforts and money. There are many such services from Amazon, Google, Apple, Okta, Auth0, geetoPod, etc.
Don't try and roll your own - use a supported solution.
On the client side, you need a SAML stack.
Some of these come with an IDP you can install.
Have a look at:
Shibboleth
Azure AD - SAML IDP in the cloud
SaaS e.g. Auth0, Okta - SAML IDP in the cloud
identityserver4 with SAML plugin
ComponentSpace - has both client and server side
Sustainsys - has both client and server side
All of these will provide a SAML IDP.
They also provide good documentation to get you up and running.
We have a requirement where user needs to login to portal with CAS (but SAML way). User can also login via login portlet of liferay.
We have few apps hosted on Intranet and few on Extranet. When user is in our office network, he should be able to login to all the apps via SSO. This includes apps which are hosted on extranet as well.
To achive this we want to use SAML with CAS.
By doing some research I understand that in this case CAS would be my IDP i.e. Identity provider and my apps on extranet would be SP i.e. service provider
Any idea how to proceed with it?
Any help is appreciated.
I have to do the same thing but using a LDAP too ...
I'm following this cookbook to achieve that, the second chapter talks about Authentication and Registration Process
I hope this would be helpful!!
we have a web application(Say wA) developed in java and we need to provide SSO login from client web application(Say WB) to WA and the requirement is to do with Okta-(SAML 2.0).
Currently im having the Idp mnetadatak, IDP Single Sign-On URL and Identity Provider Issuer link created from okta
Anybody please help me on this issue , what things to do in my application side to provide SSO login felicity. how to listen SSO request from my APP (WA).
Thanks and regards
In case you would like to add SAML support directly into your application (as opposed to including it for example in reverse proxy such as Apache or IIS), you can use either Spring SAML (with minimal Spring configuration in case you don't use Spring Security already) or OpenAM's Fedlet.
Spring SAML enables applications to act as a SAML 2.0 Service Provider by initializing web single sign-on towards IDP (Okta) and accepting and validating response (SAML 2.0 Assertion) sent back from Okta.
Good approach to implement Spring SAML is to start with the quick start guide which helps you create SAML 2.0 integration with a public SAML 2.0 Identity Provider, then change the IDP to Okta and then integrate the result into your application.
It is also possible to build SAML 2.0 support from scratch (using OpenSAML library), but significant knowledge of the protocol is needed for it to be done securely.
Some application servers also include SAML support (WebLogic, WebSphere, JBoss with its PicketLink library), but such configuration is of course not portable.