I am looking for a way to put my own login page, create SAML assertion and send to our ADFS server as a SAML request from my IONIC app. Any help on how it could be done.
I got my app url registered as Relying Party on our ADFS using ionic app custom url
I am not allowed to share my ADFS server details so I can not use:
auth0-ionic
Is there any other way to use my own login page and send a SAML request for ADFS
authentication?
I did find one option, to manually generate SAML request xml as a string and send the request, not sure if there is a better way available.
Appreciate your help. Please let me know if more information is required.
Thanks
Related
I am working on Ruby on Rails application. I need to implement Single Sign on / Single Log out (SSO / SLO) using OneLogin.
I used OneLogin-Ruby-Sdk => https://github.com/onelogin/onelogin-ruby-sdk to log user via session token API. It creates a cookie in browser and allows me to login on other apps. But when I logout using log_a_user_out Api. It only logs out of current application but not from all applications. So SLO is not working in this case.
Thereafter, I integrated devise_saml_authenticatable => https://github.com/apokalipto/devise_saml_authenticatable. It works with SSO / SLO perfectly. But it redirects to oneLogin UI to generate SAMLRequest and send back SAMLResponse.
Is there a way I can generate SAMLRequest and SAMLResponse programatically ?
Just like we do for OAuth2 where we can generate access token using refresh token again and again.
Basically I want users to signup and login through my app forms and communicate with OneLogin and implement SSO / SLO using API rather than going to oneLogin UI.
Please let me know if more information is required in terms of code which could help in providing answer. I will be more than glad to do so. Any help is hugely appreciated.
I want to use SAML login for a single web application with a REST API. How should I do this? Usually, say with OAuth, lets use Google/Firebase as an example:
SPA calls Google to login. Google returns a Google ID token
SPA can call Server with Google ID token which server can verify with Google and return an access token for use with the application
Firstly is this correct or did I get something wrong so far?
But with SAML, from what I can see, its user is redirected to SAML IDP, SAML IDP then redirects user to a server assertion URL. Because there is this redirect, how do I use it in the context of REST? I am unfamiliar with SAML, but I dont see a token. The server just gets an "assertion" with the user information?
Here is the sequence of events which happen when the application is using SAML for the authentication:
server should send a response to the client with the URL to SAML IDP.
client application redirects the browser to SAML IDP (1).
After successful authentication, SAML server sends response with the redirect back to the client. The browser automatically posts the HTML form SAML server to your server.
After validating SAML assert and successful authorization (you can use user's information or other attributes to authorize the user to use your application), your server should generate a token that now can be used by the client application.
This is a basic scenario.
See spirng-saml project here, you can try and play with the sample web application.
https://projects.spring.io/spring-security-saml
SAML assertion is an equivalent of id_token in OpenID Connect 1.0 that Google uses. There is no access_token in SAML. SAML is an authentication protocol.
OAuth 2.0 that uses access_tokens is an authorization protocol. That is why it provides an access_token to authorize access to your REST API.
OpenID Connect is an extension of OAuth 2.0 that supports user authentication in addition to API authorization and introduces id_tokens that contain user information.
One of the options to use SAML in your Single Page Application with REST API is to host them at the same domain. In this case you can:
Get an assertion from SAML Identity Provider.
Verify it (format, signature, lifetime, etc) on the server side.
Return a session cookie in the response to set it in the browser.
Each request to the REST API will come with a session cookie authorizing access to it.
I'm a bit confused about Identity Providers in a project I'm doing with Xamarin Forms.
I configured Facebook as an IP with Azure Mobile Apps following this page
https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-how-to-configure-facebook-authentication
It works, but my doubt is, how can I use the MobileServiceUser result of the authentication process to, for example, post to Facebook or get personal information from Facebook. Is this possible?
Thanks!
This is how I think about it.
Identity providers are used to provide a third party guarantee of WHO a user is.
The Mobile SDK lets you do Authorization. So you can decide WHAT the user can do on YOUR service after you know WHO they are.
Any thing you are doing via facebook would still need to be done through the Facebook API/SDK using the token their Authentication process returned to you.
Finally I found the solution to my problem.
What I was trying to do is get information from Facebook after I have authenticated myself.
All I had to do was invoke
await client.InvokeApiAsync("/.auth/me");
After authentication and thats all, the response of that request has the token to access the Facebook API. These tokens are saved in Azure.
For more information:
https://cgillum.tech/2016/03/07/app-service-token-store/
Thanks!
I create SAML application on my Okta dashboard. Now when I clicked on that application it redirect me to my site and on my site I got SAML response.
What I need to do is to check that request is valid or not. If the request is valid, I'll skip my login page and let user login automatically.
How can I make sure the request is valid? I develop that code in MVC C#.
Which SAML toolkit are you using? In case if you are using Kentor you can see this article http://developer.okta.com/blog/2016/03/22/use-kentor-authservices-with-Okta which uses example app to validate SAML response. If you are using another toolkit you would need to check its documentation as how to validate SAML response, as toolkits vary in configuration and are 3rd party tools.
You would need certificate from Okta, which you can download from your app by going to the sign on tab and click view setup tab and download the certificate from the page that will be used to validate SAML.
I have a Spring Security app that uses SAML. It is working fine. I go to a secured page, I get redirected to the IDP, login... success.
Now I want to have the login done "in house" as it were, with no redirection.
I want to have a login page that takes username/pass - then -- well I don't know. :)
Is there anyway to NOT have the user's browser go to the IDP, either POST the form to the IDP and then redirect back to my app?
I read in the documentation about back-channel SOAP calls, and that sounds like exactly what I want, but I can't find anything on it. Does anyone have an example of how this would be achieved?