IdentityServer3 MVC App with Windows Authentication

I'm working on creating an MVC Web application backed by an API which uses IdentityServer3 and is compatible with Windows Authentication, but I'm losing my custom claims in the process.
To this end, I've deployed this project: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/MVC%20Authentication
When I deploy it to IIS7 I cannot access either of two pages which display claims information until I turn on Windows Authentication. When I do this, I have access to the secure Web Page that shows claims and the API that shows claims. This is promising, but these displayed claims are SidGroups, and Default claims, respectively. I lose my custom claims.
Monitoring traffic in Fiddler, I notice that when hitting the protected claims page, there are two failed attempts which 401 followed by the successful attempt but which displays the wrong claims.
Has anyone encountered this? Does anyone know the location of a working example of a Windows Auth compatible IdentityServer? I've looked over several tutorials which imply it's possible but I don't think they are compatible with IdentityServer3.

Related

AEM 6.2 SSO (SAML) Integration

I'm trying to integrate an SSO SAML provider into a local AEM instance for testing. First I tried this article: https://helpx.adobe.com/experience-manager/kb/simple-saml-demo.html. When starting AEM, the user is redirected to the ssocircle login page, but after the login, it gets stuck in an infinite loop of recaptcha page redirects. So I assumed that the article and setup were for AEM 6. I went next to this article: http://www.aemstuff.com/blogs/july/saml.html which looks promising for AEM 6.1 and probably 6.2. In that article the identity provider has 'blogsaml.com' as its host name. I couldn't find any provider under this domain.
My questions are:
1- How can I get rid of the recaptcha loop, and get back to AEM after the login in open circle?
2- Is there the possibility to get an "IdP certificate" from ssocircle? (and what exactly is this cert?)
3- Is there any other free to use / try SSO provider that could be used with AEM?
4- Any other tutorials/articles for integrating a free SSO in AEM are welcome.
We get AEM 6.2 with an SSO Circle Pro account running.
Key changes from the setup in https://helpx.adobe.com/experience-manager/kb/simple-saml-demo.html and http://www.aemstuff.com/blogs/july/saml.html were:
Using the old certificate from SSO Circle: https://www.ssocircle.com/en/public-idp-configuration-deprecated/
Apache Sling Service User Mapper Service Amendment: "com.adobe.granite.auth.saml=authentication-service"
Making sure the authentication-service has all read/write permissions.
Setting the default group to 'contributor' in the SAML 2 configMgr instead of "administrators" from the config package from the first Adobe docs link.

How to secure a Rest web service with OpenAM as OAuth2 provider

I developed a Rest web service with Play! Framework. I aim to secure access to this WS. I'm discovering OAuth2 and it seems to be a good solution in my case. However, instead of using an external OAuth2 provider, I prefer to manage this part myself. So, I installed the last snapshot of OpenAM (12.0.0), which can do this. I have an instance of Active Directory on which the authentication should be based.
I have access to the documentation but I don't know how to proceed. I would like to have some tracks.
Thanks for your help.

Authentication with CAS for rest service call

In our current setup we have about a dozen web applications that deploy to a single Tomcat server. One of these applications is CAS which is used for all authorization.
This works pretty well and in our jRuby web application we use the rubycas-client gem, point to CAS and we're done.
Now we have a requirement where, in a Java component, we need to be able to call out to another web application via a rest service that resides on the same server. My first thought was to use CAS proxy tickets but the web application we have to hit currently doesn't have this enabled and, due to the nature of the environment, this cannot be changed.
So as far as I can tell we're left trying to impersonate the user by using an iframe in our web application that points to the other one (we're all on the same domain and server) and scrape its sessionid for impersonation and pass it down to the Java layer. But I really, really don't want to do this.
Am I missing anything? Are there any better ways of doing this? Is there a way to get the sessionid without an iframe maybe?
Thanks!
If you want to call a web service from a web application using CAS identity, you certainly should use the CAS proxy feature.
If you can't cassify your web service, there is another option for you: you could use the Apache module for CAS: https://wiki.jasig.org/display/CASC/mod_auth_cas.

Exploring web service through WSDL that require authentication

I'm working with SOAP based web services that require authentication. I usually use the Eclipse Web Service explorer to explore the offered services but for the services requiring authentication, there does not seem to be an authentication option and I keep getting the 401 response.
I tried online clients as well. There is one at http://soapclient.com/soaptest.html but it also exhibits the same behavior.
When I try to access the web services through the browser I get the username/password prompt and it works.
I have also tried using https://username:password#webserviceURL. Again, this works in the browser but not in Eclipse or the online SoapClient utility.
Any ideas how I can do this?
It was pretty trivial in SoapUI.
I also found an online client that works with the http://username:password#webserviceURL pattern. It's at: http://tools.pointbeing.net/wsdlviewer

External SSO and Web Application running on TOMCAT 6.0

New to JAVA. I developed a Web application (JSP), successfully deployed on TOMCAT 6.0. Now the client wants to use external SSO to authenticate users. As of now when the users are authenticated the website is displayed with Login Page where the user has to login again.
I am using the Login.jsp to bring the user roles from the SQLDB for Website.
What I want to accomplish now is when User is authenticated login.jsp should retrieve the credentials from the SSO and display the website thus accomplishing the purpose of Single sign on process.
I read a lot from this forum and other websites but I'm kinda lost in the process.
Any help would be appreciated.
Thank you
We developed a Tomcat extension (valve) which does just that. Basically you use standard J2EE security (role-ref etc) in your app and our Tomcat valve then acts as a bridge between Tomcat and our SSO platform. You can find out more at www.cloudseal.com
Of course you may not want to use our SSO platform :-( but you can still use our Tomcat valve and modify it to fit your needs. It's released under an Apache 2 license and you can grab the source from GitHub.