SSO with Okta as an SP - single-sign-on

I have an identity provider that connects to a service provider. I'm trying to put Okta in the middle of the IDP and the service provider (so that Okta acts as an SP).
I got Okta to work directly with the SP. (I also got the IDP to work directly with the SP.) I'm having an issue getting the IDP to work with Okta in the middle.
Does the IDP's certificate go somewhere in Okta in this case? Does the SP need any information about the IDP?
Is it possible that I have admin access but couldn't find the "add identity provider" option in Okta?

Would be curious to know what your use case is.
If you put Okta in the middle - then Okta is part SP (to your IDP) and part IDP (to your ultimate SP).
For the part where Okta is SP - you can leverage the instructions here - https://support.okta.com/help/articles/Knowledge_Article/40561903-Configuring-Inbound-SAML to set up an inbound SAML endpoint.
For the second part - to integrate Okta to your SP, you can use the instructions here to set up a SAML app via our App Wizard - https://support.okta.com/help/articles/Knowledge_Article/Using-the-App-Integration-Wizard
If your SP happens to be in our app catalogue, then you can simply do "add application" under the Application tab in the admin console and follow the instructions there to set up SAML with the app.

Related

OKTA SAML Integration

I am trying to integrate SAML in an ongoing project for one of our clients. I am new to Okta and its services. The only thing the client wants is to input the Okta URL and upload a certificate in the admin panel. For the rest, I have to create a login module using Okta. My question is: what is the use of a certificate? How can I use that certificate in the project? If possible, please share any info on how to develop this, preferably in PHP.
Two reasons a client (presumably the application requiring SSO with Okta) would provide you with a certificate.
1) They are signing the SAML Request, in which case you need to be able to verify the signature. I don't believe Okta supports signed requests, which would rule this out.
2) They want the SAML Response encrypted. In which case you would include the public key provided in the Okta application configuration.
Niall

How to send assertion from one Service Provider to another Service Provider to enable Single Sign on

I have two service providers (SP) and one common identity provider (IDP).
I can log in to both my SPs through IDP-initiated SSO.
I have the same user in both my SPs, so user lookup is working fine.
After logging in through the IDP I have landed in SP1. In SPA I want a link which will redirect to the SP2 landing page without calling the login to the IDP again.
How can I do this?

SSO and IDP proxy for UI and REST

We are building a SaaS application (enterprise oriented).
We have to be able to log in the users against the SAML2 IdP of their company with SSO functionality (so a multi-tenant context).
We prefer to manage it in an isolated component and so not directly in the application itself.
We are thinking of using a kind of "proxy".
We have two questions:
- Is WSO2 IS able to act as a proxy, delegating the authentication to an external IdP?
- Our SaaS application will be offered via a UI relying on RESTful services, so we need to manage SSO also with the services. For example:
  - The user comes to the UI without having logged in before.
  - The company IDP login page is shown for authentication.
  - Once logged in, the UI will perform some calls to REST services and we need to secure those service calls, to be sure the user is allowed to call this service.
How to manage it?
Can the "proxy" API also act as "proxy services" in order to call the external IDP API?
Thanks,
Nicolas.
If I got your question correctly, there is an existing IDP in the "foo" company. In the "bar" domain you have applications. You are not going to integrate the applications directly with the IDP in "foo", and you wish to install another IDP in the "bar" domain, where this "bar" domain IDP can talk to the existing IDP in the "foo" domain. Yes, WSO2IS can be used to implement such a use case. It has an "Authentication Framework" for SAML2 SSO logon... Let me explain it a bit. When the user is directed to the WSO2IS SAML2 IDP, the user can be authenticated by verifying user/password, which is the default behavior (the default authenticator that is picked by the "Authentication Framework"). But there can be other authenticators, such as SAML2 SSO (where WSO2IS can call another SAML2 IDP and authenticate the user), OpenID and so on. I guess the same scenario has been discussed here. I found a blog on implementing this.
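The proxy arrangement described in this answer and in the Okta answer at the top of the page has two separate trust hops, and each party checks only the hop it terminates. The following is an added example, not part of either post and not Okta or WSO2 code. It assumes hypothetical entity IDs and helper names, uses constructed unsigned assertions, and covers only the issuer, audience and expiry checks (signature verification is left to a vetted SAML library).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# Hypothetical entity IDs; PROXY stands for Okta or WSO2 IS in the threads above.
UPSTREAM_IDP = "https://idp.example.com/saml"
PROXY = "https://proxy.example.com/saml"
FINAL_SP = "https://app.example.com/saml"

def make_assertion(issuer, audience, not_on_or_after):
    """Build a constructed, unsigned assertion (demo input only)."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<saml:Conditions NotOnOrAfter="{not_on_or_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    )

def check_hop(assertion_xml, trusted_issuer, own_entity_id, now):
    """Return the reasons the receiving party must reject this assertion."""
    # Real input is untrusted XML: verify the signature first and use a
    # hardened parser. Only the post-signature checks are shown here.
    root = ET.fromstring(assertion_xml)
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_issuer:
        problems.append(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["no Conditions element"]
    audiences = [a.text.strip() for a in cond.iterfind(".//saml:Audience", NS) if a.text]
    if own_entity_id not in audiences:
        problems.append("audience does not include this party")
    expiry = cond.get("NotOnOrAfter")
    if expiry is None or now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        problems.append("assertion expired or has no NotOnOrAfter")
    return problems

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
from_idp = make_assertion(UPSTREAM_IDP, PROXY, "2024-01-01T00:05:00Z")   # hop 1
from_proxy = make_assertion(PROXY, FINAL_SP, "2024-01-01T00:05:00Z")     # hop 2, re-issued

def demo():
    return {
        "hop1": check_hop(from_idp, UPSTREAM_IDP, PROXY, NOW),    # proxy acting as SP
        "hop2": check_hop(from_proxy, PROXY, FINAL_SP, NOW),      # final SP trusts only the proxy
        "skip_proxy": check_hop(from_idp, PROXY, FINAL_SP, NOW),  # upstream assertion sent straight to the SP
    }
```

The `skip_proxy` case fails on both issuer and audience: the final SP is configured only with the proxy's issuer and certificate, while the upstream IdP's issuer and certificate are configured on the proxy.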

Cross domain sso with OpenAM with SAML 2.0

I have a requirement for cross-domain SSO, so I chose OpenAM with SAML. I have two applications hosted on different servers and hosts, for which I need to implement SSO.
Now I read about OpenAM with SAML but could get the core idea about the setup. LDAP is used as the user data store.
Now I have something in mind and want to verify if it meets my requirement.
Since I have two applications (AppA and AppB) in need of an SSO implementation, do I need two OpenAM instances configured as service providers? And should they be deployed in different Tomcat containers? Should each service provider be deployed in AppA and AppB?
Do I need another separate Tomcat container for the identity provider OpenAM?
Should the SP be registered to the IdP and the IdP be registered to the SP within the same Circle of Trust?
Do I have to do anything else? Again, do I have to configure a separate LDAP for each IdP and SP? Anyway, what would be the ideal setup in my case?
You need one IdP, your apps have to implement the SP. If your apps are Java based you could leverage OpenAM's Fedlet or use Spring Security SAML extension (works like a charm).
There's also a PHP SAML SP and even an Apache http server SAML module ...
Or you could use OpenIG as a reverse proxy (but it's a Java web app) which also implements a SAML SP.
-Bernhard
One more possible solution in which you can use OpenAM out of the box is by using OpenAM identity federation:
Use the standard OpenAM Identity federation setup (with IDP and SP) as explained in this post: http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity.html
You will need to have an IDP for AppA and SP for AppB or vice versa. IDP will be connected to your user store.
On the SP side, create a dummy user store using something like OpenDS.
Import all the users from the IDP to the SP (using a scheduled daily batch job).
Implement auto federation based on one or more of the user attributes.
Use OpenAM authorization features on the SP side to give access to the SP-side app.

SAML IDP, ADFS 2.0 SP & WS-Fed Application

UPDATE:
I was able to get ADFS to forward my user to the relying party application. I used ComponentSpace's SAML2.0 library and RelayState. Even though it successfully forwards to the WIF application, it doesn't recognize my user as having been authenticated. It instead initiates a SP-initiated SSO scenario by redirecting to the IDP STS. I'm not too sure how I should proceed.
Original Message:
I have configured a single-sign-on setup in the following manner:
IDP - A portal website that posts SAML2 responses to my SP.
SP - ADFS 2.0 configured with a claims provider trust configured as a SAML2.0 endpoint (with my IDP of course)
RP Application - An ASP.NET application which is configured as a Relying Party trust in ADFS (WS-Fed).
When I log into my IDP and click on the link that posts the SAML2 token to ADFS, everything works fine. I am taken to the IdpInitiatedSignOn.aspx page and am told that I have been logged in. The problem is that where I would normally expect to see a drop down list of applications to choose from (which should only include my single RP Application) I see nothing. I only have two buttons allowing me to sign out of all applications or a single application. Is there some trick to configuring the RP Application trust that I'm not aware of? It was my understanding that ADFS 2.0 would accept this configuration of SAML2 and WS-Fed. (See http://blogs.technet.com/b/askds/archive/2012/09/27/ad-fs-2-0-relaystate.aspx under "When can I use RelayState?")
I would greatly appreciate any advice on this.
IdpInitiatedSignOn shows the list of RPs that support SAML.
Your RP is WS-Fed, so it won't appear in the list. In your case, the path is:
RP -> WS-Fed -> ADFS (Home Realm Discovery) -> SAML -> IDP -> Authenticate.