Iam just starting to pick up on Identity Federation. I have a few questions on the differences between openID and SAML. Hope to get more insights here:
Scenario:
1)What is the different between SAML and openID?
OpenID:
2) I have 3 IDP (Google, Yahoo, AOL) and 4 RP (relying parties)
If I login to the 1st RP via a user account in Google, will I be able to SSO to the other 3 RP web site without logging in again?
3) Is openID suitable to be implemented where the RP are in the internet and the IDP is in the intranet?
SAML:
4) I read that SAML does not work well on internet and is more suitable for intranet. Is that true?
5) Is SAML suitable to be implemented where the RP are in the internet and the IDP is in the intranet?
Thank you.
A bit specific question. How they are stored depends on the application that uses Oauth or SAML. The safest and easiest way to handle them would be for to use some third party application or library that abstracts and takes care of the communication.
For Oauth - look here
For SAML - Have a look at for example Shiboleth or OpenSAML
Related
I have successfully set up my own application with Google SAML, but now I can't understand how do I implement SSO with Google as my IdP.
For example, according to the SAML standart, I (the service provider) should be able to send to Google IdP a logout request to logout a certain user from my system, but I can't find any info about this in google docs.
Similar thing about implementing true SSO in case I will have multiple web services, and I would want to make SSO between them - I can't find any info about that on Google SAML. After Google sends me SAML assertion with user email, that's it, I can't interact with Google, I can't create SSO between my multiple web servers.
So, does Google SAML support SSO? Because it seems to me that the only thing it does is send SAML assertion to my callback URL and that's it.
For example, according to the SAML standart, I (the service provider) should be able to send to Google IdP a logout request to logout a certain user from my system, but I can't find any info about this in google docs.
Google doesn't support SLO, the problem is that this fact is not officially documented, the information can only be found by third parties
Regarding to this question:
I have successfully set up my own application with Google SAML, but now I can't understand how do I implement SSO with Google as my IdP.
I'm not sure if I'm grasping the situation correctly, but I understand that you need your users created on Google to access other configured apps through SSO. In theory (based on my understanding of your question), this federation should be configured within the Admin console as a 'custom app' just like you did it following these steps
Could you elaborate a bit more about what's the behavior you are expecting?
References
Keeper's documentation SAML setup with Google as IdP
We want to deeply integrate OneDrive with our web app in order to handle document and storage data. However, we want the users not to log in twice. I'm not sure whether this is possible, but I've been reading about SSO and SAML and it seems like it's the way to go.
Is it possible, and if so, is Single Sign On the way to go?
Single Sign-On (SSO) is a great solution for user experience when web applications are hosted on different domains. SAML as a standard was developed for cross domain authentication to solve this use case. You will need an Identity Provider (IdP) server that handles authentication of users to your web application and then the IdP Server issues SAML assertions to your web application and OneDrive. Your application in this architecture will be a Service Provider (SP) that will consume SAML assertions, as well as OneDrive is a SP that consumes SAML assertions. There are a number of SSO/Federation vendors that provide the IdP Server.
As far as implementation, once you have chosen and installed the IdP Server, you will need to implement your web application to consume the SAML assertion and configure the IdP Server as a connection. OneDrive will simply be a configuration as it already supports SAML and WS-Federation.
In addition to SAML as a protocol, there are other standards with respect to SSO/Federation such as OpenID Connect (OIDC) and OAuth2. When choosing a IdP Server solution you may want to look at these other protocols that can solve additional use cases. SAML works well for web applications and the use case you have described. OIDC and OAuth2 are better suited for secure APIs and native mobile applications.
Another consideration when looking at an IdP Server is how authentication is to be performed. Options for authentication could be using Kerberos/IWA if all clients are on a common domain, or authentication using a Login Form. You may also want to look at MFA support when looking at an IdP Server as part of the SSO solution.
I am tasked with setting up Single-Sign-On between ADFS and Taleo Business Edition. In this case it is an IdP initiated SSO and I have to use .net. I know .net 4.5 supports SAML, which is what the relying party (Taleo) requires to validate a user-- but I cannot find any good tutorials to even get started. Any help is appreciated, I have read through the WIF documents and some of their Developer Training Kit but it does not seem to be what I need to do. Does anyone have any pointers on good places to start? No one in my office is sure of how to do this.
EDIT: My approach is to just create a .aspx form and put that link on our intranet homepage, send the necessary credentials to the relying party (Taleo), who then interprets the SAML token and redirects the user. Does this this seem like a sound approach?
What you have to do is add Taleo as a Claims provider to ADFS. easiest to ask then for their metadata file and import that.
Essentially you are federating ADFS and Taleo.
This a common pattern - refer e.g. AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation for a SAML example.
.NET 4.5 does not support the SAML protocol - it only supports SAML tokens. Neither does WIF.
You would normally go to the ADFS IDP Initiated page, sign in and then pick Taleo from the dropdown and then you will be redirected to Taleo with SSO so you won't need to authenticate again.'
Im a newbie to the SSO concept and SAML.My requirement is in detail below :
having a common login page. End user will be logged in using credentials;
once the user is logged in, he will be redirected to my application. From there, we will have links to other application.
Here, my application is working as Service Provider.
My question is : as SP, how could I generate SAML 2.0 request to other applications from mine?
How to check whether my application supports SAML 2.0?(its java based).
To conclude, how to generate and send/receive digital signatures through SAML 2.0?
Can anyone please explain me the flow first then direct me to some link?
Does your application support SSO? If not, it probably doesn't support SAML.
You need a client side SAML stack. - examples here.
The commercial implementations in particular have lots of example code.
For Java, look at the Spring SAML extension.
Also, get as much information as you can re. the IDP because that will determine what SAML protocols and bindings you need to implement.
I'm working on a research about some new usage of SSO. Basically I'm trying to find way how to intercept SAML Request which is sent from Service Provider to Identity Provider with some kind of IdP proxy or 3rd party service, which will hold the SAML Request and will provide some additional functionality to users. The desired process could look like this:
User invokes SAML request from SP - click Login button for example
User is redirected to the 3rd party service, where is, for example, small survey(this is theoretical example)
After submitting the survey, user is redirected to the IdP and should continue with login
I have quite good experience with SimpleSAMLphp and configuring federation. But I my attempts to find some useful information about this kind of interception have failed. I add a super basic picture of the solution.(please don't laugh:) )
Does SAML support any kind of this processing? I'm open for discussion. I was also thinking to intercept the SAML after user signs in on IdP(to have redirection from IdP to 3rd part service proxy and then to SP)
Thank you for advices and your thoughts; hopefully, it's not totally stupid question
EDIT: During my research I came across technology/approach which is called IDP Proxy. Do you think that is feasible for my purpose? Basically, a SAML IdP Proxy is a bridge or gateway between a federation of SAML IdPs and a federation of SAML SPs. More about it for example here
I don't think this is possible, it's simply beyond the protocol. The SP provides a service, the IdP is responsible for user authentication. There seems to be no place for a 3rd party service between the two.
I guess you control (at least) either the SP or the IdP. Try to implement your survey (or whatever) at the provider you control.
As an alternative, you could try to implement your own IdP including a survey (or whatever) that uses the original IdP for authentication.