I want to use single sign-on for authentication and authorization in multiple website using Identity server. Please, anyone guide me how to proceed for the implementation Single sign-on using Identity server (Owin/KATANA).
Just having your applications all login to the same Identity Server gives you Single Sign On. SSO comes out of the box.
Implementation Guides:
Identity Server with ASP.NET MVC Client
Identity Server with JavaScript Client
Just Identity Server
Related
I implemented authentication and authorization using Identity server 4 with OIDC to allow clients accessing our application to get the necessary tokens to access our resource server (web APIs). This is the current architecture :
Identity Server 4 using my custom DB to authenticate users
Resource APIs (ASP.NET Core)
Angular 2 front end
I need to implement SSO, where users from other systems will pass SAML2 assertions from their identity providers to allow them to access our resource APIs without logging in to our application.
I have some confusion about where this step will happen, and what will be the workflow, will our identity server be involved in this process and how to implement that using Identity Server 4.
Right now there is no SAML2 support for ASP.NET Core.
If you are using IdentityServer3, you can act as a SAML2 SP via the Kentor authentication middleware. This is not available for ASP.NET Core yet.
Generally speaking - you cannot use SAML2 to secure APIs - it is a protocol for web based SSO - not API access.
I’m having trouble understanding OpenID Connect actors/roles. I’m coming from using SAML. In the scenario I’m familiar with, the Service Provider is a web application with protected resources and the Identity Provider server is where users authenticate. With SAML, the typical client is a web browser although SAML also has the ECP profile where a non-browser client (such as a native application) can be used. I understand how all of those pieces work and their various flows.
I’m trying to apply that same understanding to OpenID Connect. My understanding is the OpenID Provider is the same as the Identity Provider. But what about the other pieces? Is the Service Provider the Relying Party? What’s the client then? The OpenID Connect documentation substitutes "Relying Party" with "client" and that’s throwing me off.
To me, coming from SAML, a client is either a web browser or, in the case of ECP, a native or mobile application. So what role is that kind of client in the OpenID Connect world?
Since OpenID Connect is built on OAuth, I've familiarzed myself with it but that hasn't cleared up this SAML to OpenID Connect confusion. Any help would be greatly appreciated. Thanks!
The term "Client" is a generic name that is inherited from OAuth 2.0 for an entity that requests, receives and uses tokens. OpenID Connect builds on top of that but since there's an identity token in play now, the Client is also called Relying Party.
The Relying Party (or Client) is really the same as the SAML Service Provider and the ECP, being the entity that relies on the IDP to provide user identity to it.
The Relying Party (or Client) can be any of a web application, a native application or mobile application.
I want to implement SSO using Thinktecture Identity Server V3. The applications the I want to use this SSO are asp.net MVC apps. I was going through samples provided on the thinktecture wiki and am able to see two approaches:
1- Resource owner(providing credentials through application and calling Identity server using OAuth2Client Apis)
2- Using Owin middleware(Startup class) to call the Identity server.
In my case I wanted to calling Identity server login, but without using Owin. Do you any hints/sample on how to do that.
Thanks
If you don't want to use the Microsoft OpenId Connect middleware (and as a result OWIN) in your clients, you could initiate the login flow yourself by redirecting the user to the authorize endpoint.
Authorize endpoint: http://thinktecture.github.io/Thinktecture.IdentityServer.v3.Documentation/docs/endpoints/authorization.html
They guys behind IdentityServer have a client example showing some of the concepts if you want to handle it all yourself:
https://github.com/thinktecture/Thinktecture.IdentityServer.v3.Samples/blob/master/source/Clients/MvcFormPostClient/Controllers/AccountController.cs
I installed PingFederate on an AWS EC2 running Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09. I have a Java application that is using Spring Security for authentication.
I have read about how with PingFederate, I can set up an Identity Provider(IdP) and a Service Provider(SP). I have gathered that the IdP would be the Application User providing login credentials(the Identity) and passing this to the SP which has the Target Application apart of the SP in this diagram on this page here:
http://documentation.pingidentity.com/display/PF66/Service+Providers+and+Identity+Providers
This image also shows the Federated Identity Software on both sides of the IdP and the SP.
I have created an IdP and SP with my local PingFederate server just to see what the configuration options are and I am confused on which parts of this I actually need to be able to have a SSO for my Spring Security application.
My questions are:
Do I need an IdP and SP to implement that I am trying to do.
Right now our usernames and passwords are stored in a SQL Server, would I leverage this for PingFederate to use to authenticate the users?
Should I even be using Spring Security SAML for this or would another route be more appropriate?
Thanks for any help, I have reached out to PingFederate but my Regional Solutions Architect happens to be out until Friday.
I also apologize if I am completely off in my thinking, I am trying to wrap my mind around what is needed.
Presuming your goal is to establish federation between Ping and your application (in order to e.g. externalize authentication or enable single sign-on), your thinking is correct.
The Ping Federate serves as an Identity Provider (IDP) and you can configure it to connect to your SQL server, so that it can authenticate your existing users from there. IDP communicates with other applications which are called Service Providers (SP).
In order to connect to Ping your application therefore needs to be able to act as a SAML 2.0 Service Provider and using Spring SAML is a very good way to enable it to do so.
The typical flow of data between SP and IDP for single sign-on is similar to:
User accesses SP application which requires authentication
SP creates an AuthenticationRequest and sends it to IDP (using redirect in user's browser)
IDP processes the request and authenticates the user
IDP responds back to SP with an AuthenticationResponse message
SP processes the response and creates a session for the user based on the included data
There is an assumption being made that you need SAML between your Spring app and PingFederate. That is not true depending on how it is deployed and if you (see Andy K follow-up questions). You should check out the OpenToken Integration Kit for Java or perhaps the ReferenceID Int Kit from Ping as a possible solution. Much simpler to integrate than trying to hack together another SAML solution that may not be needed. However, I would recommend talking to your RSA who can give you the best approach for your scenario.
I am trying to setup WSO2 cloud identity server (stratoslive) as the identity provider and salesforce as a service provider. Basically in salesforce I want to leverage the salesforce federated single sign on feature and connect with stratoslive identity server. Will be helpful if anyone can give me a link to follow or can guide me with the steps.
I am relatively new to the identity and access domain and for one of my project I need to setup WSO2 startoslive as identity provider and salesforce as service provider and have to fit in SAML in this process.
Thanks
Indranil
These links should be helpful to implement your use case:
WSO2 SAML Single Sign-On with Google Apps Tutorial
http://wso2.com/library/articles/integrate-google-apps-wso2-cloud-identity/
WSO2 Identity Server Single Sign-On Documentation
http://docs.wso2.org/display/IS450/Managing+Single+Sign-On
Salesforce SAML Single Sign-On Reference
https://help.salesforce.com/apex/HTViewHelpDoc?id=sso_saml.htm&language=en