I have a client application (windows) which the user is logged into. From this application, the user will want to access a remote website using single sign-on (SAML) and will be authenticated by Microsoft WIF. To do this the user, will click a button which opens a local web browser, generates a SAML token (containing username and roles, etc) and makes a HTTP POST to a remote website to access it, signing them in.
I want the user to be signed-in automatically, based on their credentials from the windows application.
I know roughly how to generate the SAML token, but presume this requires the signing certificate to be installed on the local PC, which would need to be installed into all PCs in my Company.
Installing this certificate doesn't seem quite right. How else can I safely allow users to generate a SAML token which will be accepted by the Service Provider (via single sign-on)?
UPDATE:
The user is not authenticated into the Windows Application using Windows Authentication (Kerberos), we make a custom SQL call to a database of username/password.
In the win app, we will know the username and their roles, so could generate claims from this, or pass it to a remote STS to generate and sign the SAML token. But again passing this data across to the STS seems totally wrong again.
The signing certificate must not be on the user desktop. Otherwise, any user could potentially generate a SAML token with the userid it wants.
What you want is a Secure Token Service (STS): an identity provider that will authenticate your user through Kerberos (as you want to re-use the identity of the logged-on user) and give you a signed SAML token.
All of this could be done when you open a web view in your application. The starting url should be the Identity Provider endpoint for IDP-initiated SSO, with a url parameter identifying the service you want to access.
Related
I’m new in the Keycloak’s world and I need some help to configure my login flow.
I’ve configured Keycloak to allow people to login with their ADFS account or with a ldap account.
ADFS Identity Provider is configured to use OpenID Connect.
When people connect to my application, they are redirected to Keycloak where they see a login form and a button to login through ADFS.
This work perfectly, but we would like people not to see that screen if they are already logged in on ADFS and only see the login form if they’re not connected in ADFS.
I changed the browser flow to use the Identity Provider Redirector first and then display the username password form, in this case the user is automatically logged in via ADFS, but if the user is not logged in, ADFS asks for a password and the user is not redirected to Keycloak .
Do you know how can we configure Keycloak to implement that flow?
I’m using Keycloak 11.0.0-alfresco-001 (keycloak 11 packaged by alfresco (as alfresco-identity-service) with a custom theme. The code is available on Alfresco’s github .
Here’s my browser flow configuration:
IAM Browser flow
Thanks for your help
• Yes, its possible to configure keycloak to implement the desired flow as a brokered IdP in the following way: -
While configuring ADFS in keycloak and importing its federation metadata file in it, check the settings and enable validate the signature option for the authentication requests to be sent to ADFS, also enable ‘Want AuthnRequests’ signed option. Afterwards, set the signature key name field to CERT_SUBJECT as AD FS expects the signing key name hint to be the subject of the signing certificate.
Then check the mappers for group and attribute claims in keycloak for transforming the details through SAML assertion to keycloak user store.
After that, check the descriptor URI that needs to be set by modifying the ADFS redirect URI by adding the ‘/descriptor’ to the redirect URI in this field. The URI will be like ‘https://kc.domain.name:8443/auth/realms/master/broker/adfs-idp-alias/endpoint/descriptor’.
Also, please ensure that the signing certificate for the keycloak in ADFS claims provider is not self-signed and is issued from a trusted third-party CA and installed in the server’s local system certificate store.
Disable certificate revocation check for the certificate installed on the Adfs server and ensure ‘backchannel logout’ option is checked in keycloak
• Once the above settings are checked thoroughly, the default login redirection page should be displayed after that and the user should be able to select the IdP from the login page accordingly.
Please find the below links for more information: -
https://www.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
Keycloak AD FS Interaction
My site was .Net webapp.It was linked some where in client dashboard.
But client website have duo idp 2 factor authentication.
Whenever client logins to his website and enter his valid logins and if he is authenticated as a valid user by duo idp then he will able to login his dashboard.
After succesfully login to dashboard(his app) if the client is trying to access my integratrd application link then he can able access my .Net app without asking username and password.
My .Net app don't have any saml settings.
please help me on this and how many ways we can do this single sign on.
I'm trying to create a SAML IDP for the system I built. Probably I'm getting confused with concepts. My problem is as follows:
This system was built in SymfonyPHP which authentication is made by OAuth token. Nothing so special, the username and password are passed to the /auth endpoint and the request returns the token if the credentials are valid. It's working fine.
Now I have to integrate this credentials to a client system. Once the user is logged to my system, so it should be on the client side (like the "login with Google button). I've been searching and realized I should use SAML for that.
I installed the SimpleSAMLPHP and I'm trying to understand how to set it up as my IDP. Once it's made, I can create SPs for my clients systems.
Question: how to make the SimpleSAML use my existing service for authentication? Which module should I use?
With SimpleSAMLPHP acting as an IdP, you want to have a look at authentication modules. The latter is a component that encapsulates the mechanics of signing into the identity provider. For example, if you were trying to sign in to the IdP with your Facebook account, SimpleSAMLPHP ships a FB authentication module that does this for you.
If your existing service can be supported by one of the SimpleSAMLPHP modules, then you're all set. Else, you need to develop your own module.
I'm trying to understand whether my Owin-hosted Web Api needs to validate the certificate used to sign a JWT-token.
I've set up an identity provider using IdentityServer. On the "relying party"-side, I have an ASP.NET WebApi hosted using Owin. On the RP-side, I'm using UseOpenIdConnectAuthentication to install the OpenIdConnectAuthenticationMiddleware in the Owin pipeline.
What's working so far:
Any unauthenticated user visiting my web app is redirected to the login page on IdentityServer
The user logs on
The user is redirected back to my web app
My web app receives the JWT containing the id token and access token
My web app calls the user info endpoint to retrieve the claims using the access token
What I'm missing is logic to validate the certificate which was used to sign the JWT containing the identity token.
Using Fiddler, I've been able to see that the OpenIdConnectAuthenticationMiddleware retrieves the keys from the identity server (by calling https://myidentityserver.example.com/core/.well-known/jwks HTTP/1.1)
Is the OpenIdConnectAuthenticationMiddleware performing some kind of validation of the certificate? Or should I be writing this code myself?
The flow you describe relies on the fact that the verification certificate is pulled from a TLS protected endpoint (JWKs URL) that presents a valid SSL server certificate. This SSL server certificate guarantees that you're talking to the right OpenID Connect provider.
Found some explanations here
For validating reference tokens we provide a simple endpoint called the access token validation endpoint. This endpoint is e.g. used by our access token validation middleware, which is clever enough to distinguish between self-contained (JWT) and reference tokens and does the validation either locally or using the endpoint. All of this is completely transparent to the API.
You simply specify the Authority (the base URL of IdentityServer) and the middleware will use that to pull the configuration (keys, issuer name etc) and construct the URL to the validation endpoint
I am using Thinktecture identity server v3 for authentication and authorization. It works good with local database. I added external identity provider as ADFS. It also works good but it asks credentials for intranet users. My requirement is automatically login the intranet users without asking credentials. If the user is internet user, it asks for credentials. Is it possible?
This is unrelated to IdentityServer3. Your browser and ADFS need to be configured correctly to use Windows integrated authentication.