I am reading alot about federated identity management and technologies like SAML, which can be used for implementing SSO for web applications, and Kerberos, which can be used for implementing SSO für desktop applications.
This is how I understood it so far. If we have the case, that we want to have SSO for a set of web applications and desktop applications, what are the technologies that are available for that? Do I have to combine SAML and Kerberos or is there another technology that fits better?
AFAIK, Microsoft ADFS and Oracle Access Manager are SSO products which supports SAML, Kerberos and other related protocols, does Windows based authentication and thus provide SSO access across webapps and desktop.
Check,
http://blogs.technet.com/b/abizerh/archive/2013/04/11/more-information-about-sso-experience-when-authenticating-via-adfs.aspx
https://docs.oracle.com/cd/E29542_01/doc.1111/e15740/wna.htm
Related
We have Single Sign-On (SSO) done via SAML.
Currently we have requirement to sync users from ADFS to our database as well as ADFS groups.
I was able to google out solutions for LDAP, however that seems quite old.
Is it possible to do this via SAML? Any other method?
I would be using PHP.
Both SAML and ADFS are about authentication.
What you are referring to is provisioning which is not provided by either.
The modern standard for provisioning is SCIM.
I want to create a SSO to be used by multiple applications, what would be the best way to do it. I was going through SAML2.0 but I am confused as I didn’t find any articles to create own/custom SAML IDP.
1.How feasible it is to create own IDP.
2.What is the best way to implement SSO
Question 1: How feasible it is to create own IDP?
Answer:
How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides the instruction on building your own IDP for SAML in Java using Shibboleth SAML IdP and OpenLDAP.
Shibboleth SAML IdP is responsible for identity federation.
OpenLDAP is responsible for identity authentication.
Question 2: What is the best way to implement SSO?
Answer:
Shibboleth IdP has implemented SSO for enterprise applications which have been integrated with SAML SP.
(I) I have validated SAML Single Sign-On (SSO) provided by Docker-running Shibboleth SAML IdP (Identity Provider) and OpenLDAP for the following enterprise applications. In other words, I leveraged Docker-running Shibboleth SAML IdP and OpenLDAP to log in to the following enterprise applications successfully.
Microsoft Office 365
Google G Suite
Salesforce
Dropbox
Box
Amazon AWS
OpenStack
Citrix NetScaler
VMware vCloud Director
Oracle NetSuite
(II) We developed our former version of Zero-Password Authentication and Authorization System in Java and leveraged Shibboleth IdP to provide SAML SSO for enterprise applications.
We developed our current version of Zero-Password Authentication and Authorization System with scalability and high availability in Scala to provide SAML SSO natively for enterprise applications without Shibboleth IdP.
For quick deployment of SAML IdP on your production environment, leveraging third-party SAML IdP (such as Shibboleth IdP) is highly recommended. Then you have sufficient time to develop your own SAML IdP in Java or other programming language.
(III) Another StackOverflow question "How to implement or integrate single sign on with SAML and Shibboleth" provides valuable information and discussions.
Question 1: How feasible it is to create own IDP?
Yes, it is possible but requires lots of efforts.
This repository can help you figuring out how to build your own IDP: A mock IDP and SP using the OpenSAML library
This repository can help you on how to integrate your own IDP to Spring Boot application: Spring Boot, SAML, and Okta
Question 2: What is the best way to implement SSO?
In my oppinion, the best way to implement SSO is using pay-as-go identity service. It helps you saving efforts and money. There are many such services from Amazon, Google, Apple, Okta, Auth0, geetoPod, etc.
Don't try and roll your own - use a supported solution.
On the client side, you need a SAML stack.
Some of these come with an IDP you can install.
Have a look at:
Shibboleth
Azure AD - SAML IDP in the cloud
SaaS e.g. Auth0, Okta - SAML IDP in the cloud
identityserver4 with SAML plugin
ComponentSpace - has both client and server side
Sustainsys - has both client and server side
All of these will provide a SAML IDP.
They also provide good documentation to get you up and running.
Which is the best option for SSO implementation Keycloack Vs CAS Vs Okta? I'm specifically looking for the disadvantages of each service to identify the best suitability for my system.
Both Keycloak and Okta should provide what you're looking for. I'm not sure about CAS as I haven't used it in 10 years. Since both Keycloak and Okta use OAuth 2.0/OIDC, you might even be able to use Keycloak in development, and Okta in production.
I've implemented OAuth 2.0 / OIDC support in JHipster. It uses Keycloak (in a Docker container) by default, and provides instructions for switching to Okta. Thanks to the power of Spring Security and Spring Boot, you only need to override some properties to switch between the two!
We are looking forward to implement ADFS to implement SSO across our organization for various set of web applications such as (SAP, Siebel, Custom java based, Asp.net etc.).
I understand based on my research that ADFS can be used to achieve SSO for third party applications using SAML. It can act as an identity provider for third party applications. Please correct me if I am wrong.
Can we use the ADFS to implement cookie based SSO for the various internal web based apps which I mentioned above?? (For Ex: CA Siteminder, ORacle Access manager can work with almost every internal web based application)
In other words: we have one application using apache webserver, one using IIS webserver, one using IHS webserver; can ADFS be used to achieve Single sign on with all these applications??? If yes, How ???
Thanks in Advance...!!
Ashish
ADFS implements SSO via federation using either WS-Fed or SAML 2.0.
If these applications can support these protocols, then yes just federate these products with ADFS and you will get SSO.
e.g. SalesForce SSO with ADFS.
For Java you need a SAML stack e.g. Spring Security.
For ASP.NET, use OWIN or WIF.
I have a SAP sso2 service enabled in the company, how would I enable single sign-on in code? What do I need to insert to my code and possibly where?
When I log in to portal, single sign-on feature works, as I am not asked for password every time. I would like to have the same thing for my SAPUI5 application.
Can I possibly use cookies? If yes, how?
Yes, you can have the same thing for your SAPUI5 application. You don't need to code anything. SSO for ABAP is standard configuration. You can use any of these:
SPNego for ABAP (included in SAP Single Sign-On 2.0)
SAML to Active Directory (assuming your users are there and that's why you have SSO to Portal)
When your company has implemented SSO for Portal, they should of course do the same for SAP GUI and ABAP HTTP. :-)
Note that there is a licensing cost for SAP Single Sign-On 2.0.
If you use ABAP on-premise system for your SAPUI5 app, then you need to have SAP Single-Sign-On solution installed, it includes SAML support.
SAML implementation on AS ABAP is provided by CommonCryptoLib (SAPCRYPTOLIB) so what you need here:
Install SAPCRYPTOLIB library server-side.
Not needed on Netweaver 72x/74x kernel PL released after November 2013, because now built-in kernel.
Enable SAML provider in AS ABAP in SAML2 transaction
Configure AS ABAP as service provider
Set up SAP SSO
After that you will be able to connect to ABAP system from your app.
If you connect to SCP cloud ABAP or HANA system, then this is even more simply because it supports SAML natively.