I am a beginner in using CAS. My CAS server is up and running at port 8443(Secured HTTP layer). I have also made two applications - JAVA Client(My own JAVA Client) and PHP Client(Officially provided by CAS) for testing my CAS server. I am able to use single Sign On for both of the clients. I have also enabled Single Sign Out in the CAS properties file. My current version of CAS is 4.0.0 and I am using Apache Tomcat version 8.0.23
I have added the following dependency for Sign Out in web.xml for JAVA Client
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class> org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class> org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
But while performing Single Sign Out, When I log out of PHP Application I am unable to log out of already opened JAVA Applications. This means that on logging out from PHP application does not destroy my existing JAVA Application Sessions.
So after a lot of research I came across this and I was successfully able to implement Sign Out feature. But I do not want to use a common session database.
In the official documentation of CAS it is mentioned that:
CAS sends an HTTP POST message directly to the service ( back channel communication): this is the traditional way of performing notification to the service.
When CAS is configured for SLO, it attempts to send logout messages to every application that requested authentication to CAS during the SSO session.
But I am unable to understand how to fetch the SLO message as I do not receive any POST request( while tracking using firebug) during logout of an application. So Can anyone please help me to perform Single Sign Out.
Thanks in advance.
As found on CAS documentation:
When a CAS session ends, it notifies each of the services that the SSO session is no longer valid, and that relying parties need to invalidate their own session.
This can happen in two ways:
CAS sends an HTTP POST message directly to the service (back channel communication): this is the traditional way of performing notification to the service.
CAS redirects (HTTP 302) to the service with a message and a RelayState parameter (front channel communication): This feature is inspired by SAML SLO, and is needed if the client application is composed of several servers and use session affinity. The expected behaviour of the CAS client is to invalidate the application web session and redirect back to the CAS server with the RelayState parameter.
Usage Warning!
Front-channel SLO at this point is still experimental.
(emphasis added by me)
If you do not see corresponding activity on the browser, you are probably using option #1 where POST messages are send on the backend.
SLO is way more complicated than SSO...
Related
I have 3 applications
old JSP based java app
Spring Boot webapp
SPA
5 java micro services REST API built using Spring Boot
I need to secure all of them at the same time. I have picked keycloak as it seemed like a good idea. As we are using Apache for reverse proxy. We have picked mod_auth_openidc to limit access to services at reverse proxy level.
We have built Extensions for Spring Webapp and old JSP app to use headers provided by mod_auth_openidc to handle active users and aithentication.
At this point now we have run into the issue that the we also secured the APIs using mod_auth_openidc headers. Although this has a serious drawback as APIs can not talk to each other just using JWT tokens as the reverse proxy needs them to be authenticated.
Should we secure the APIs using JWT only instead ?
Any mod_auth_openidc guru knows the best approach to this scenario?
I need the REST API to be able to talk to each other without any user interaction. E.g. only using tokens.
Our webapps ( JSP and SPA ) are always fully secured e.g. the user has to be logged in to access any part of it.
I would appreciate any suggestions.
Thanks
We are about to integrate our JAVA application with SSO Federation. We will get a metadata in SAML2 Assertion format and all the session tracking is taken care by SSO federation.
I am not clear how the session tracking happens with each request in our JAVA application. Our main page URL is configured in the SSO federation and after user clicks the link control comes to our application. So if I navigate to other URL apart from the one configured, how the federation track the session? Do we need to pass any metadata for each and every request?
We have been asked to share the home page URL and certificate information and SSO federation will configure those in their portal.
A Java application server normally trackes a user session using a 'JSESSIONID' cookie. Once the SAML assertion generated by an IDP(say ADFS) has been validated by the SP(the java application here) a security context /session is created which is identified by a JSESSIONID. The browser sends JSESSIONID cookie with seubsquest requests and the application verifies it and servers the requetsed resource/URL.
We have a CRM Dynamics 2016 onpremise (IFD configured), we access to the CRM from a Cordova mobile application via SOAP authentication and consume the service "Organization.svc" to get or set Data: everything works fine until now.
After adding a Web Application Proxy, the call to ADFS for the token still working, and returns a valid token. However, the second step of consuming the service "Organization.svc" is blocked : the Web Application Proxy redirects the call to the ADFS login page, which is of course not what I want.
I think the root of the problem is in the fact that the proxy cannot 'read' the SAML token I'm sending in my HTTPRequest.
Did anyone have an idea how to resolve that ?
Could you maybe inspect with Fiddler if the proxy is forwarding the required authentication cookies / headers ? I presume these are ignored by the proxy and ADFS sees the second request as not authenticated.
Friends,
Recently I have created one web-services application using spring-boot and now its having few unsecured entry points. (This is a pure rest based application having only rest entry points doesn't have any UI components).
Now I would like to add CAS client with this application for securing the rest entry points.
My CAS server is ready and its up and running. And I have configured CAS Rest protocol as well in my cas server to access TGT/ST through rest call and I'm in the planning of using only the rest call rather than using login pages.
So, when an user tries to access my rest application, I'm going to call CAS rest entry points internally (by using restTemplate) to validate user credentials and generating TGT and ST.
Available CAS entry points are (from jasig reference docs),
POST /cas/v1/tickets HTTP/1.0
username=battags&password=password&additionalParam1=paramvalue
POST /cas/v1/tickets/{TGT id} HTTP/1.0
service={form encoded parameter for the service url}
DELETE /cas/v1/tickets/TGT-fdsjfsdfjkalfewrihfdhfaie HTTP/1.0
I think, I'm little clear on this part. Please correct me if I'm wrong.
And now my query here is, what should I do to add a ST ticket validator in my spring boot application? Do I need to add any filters using spring-security? Or do I need to call any other rest api for validating the ST? Please guide me to proceed further.
You can use existing Spring boot cas starter:
cas security spring boot starter
cas client autoconfig support
That will configure for you and magically your spring boot app with CAS authentication (and thus your application will be able to read ST or PT without effort).
I'm author of cas security spring boot starter, so I won't influence your choice but main difference from that project and cas client autoconfig support developed by Unicon is about Spring security integration.
Indeed cas security spring boot starter is fully compliant with spring security, thus you will be able to use any feature you know from spring security. Whereas cas client autoconfig support will instantiate and configure Apereo (Jasig) filters that is not designed to work out of box with Spring security.
You don't need a service ticket unless you want to call another service from your web service. Validating the received credentials via the CAS REST API is enough.
If you are looking for a security library to protect your web service via the CAS REST API, you should give a try to: https://github.com/pac4j/spring-webmvc-pac4j and especially this configuration: https://github.com/pac4j/spring-webmvc-pac4j-demo/blob/master/src/main/webapp/WEB-INF/demo-servlet.xml#L74
I am completely new to SiteMinder and SSO in general. I poked around on SO and CA's web site all afternoon for a basic example and can't find one. I don't care about setting up or programming SM or anything like that. All of that is already done by someone else. I just want to adapt my JS web app to use SM for authentication.
I get that SM will add a HTTP header with a key such as SM_USER that will tell me who the user is. What I don't get is -- what prevents anyone from adding this header themselves and bypassing SM entirely? What do I have to put in my server-side code to verify that the SM_USER really came from SM? I suppose secure cookies are involved...
The SM Web Agent installed on the Web Server is designed to intercept all traffic and checks to see if the resource request is...
Protected by SiteMinder
If the User has a valid SMSESSION (i.e. is Authenticated)
If 1 and 2 are true, then the WA checks the Siteminder Policy Server to see if the user is Authorized to access the requested resource.
To ensure that you don't have HTTP Header injections of user info, the SiteMinder WebAgent will rewrite all the SiteMinder specific HTTP Header information. Essentially, this means you can "trust" the SM_ info the WebAgent is presenting about the user since it is created by the Web Agent on the server and not part of the incoming request.
Because all traffic should pass through Siteminder Web Agent so even if the user sets this header it will be overwritten/removed
All Siteminder architectures do indeed make the assumption that the application just has to trust the "SM_" headers.
In practice, this may not be sufficient depending on the architecture of your application.
Basically, you have 3 cases:
The Web Agent is installed on the web server where your application runs (typical case for Apache/PHP applications): as stated above, you can trust the headers as no requests can reach your application without being filtered by the web agent.
The Web Agent is installed on a different web server than the one where your application runs, but on the same machine (typical case: SM Agent installed on an Apache front-end serving a JEE Application Server): you must ensure that no requests can directly reach your application server. Either you bind your application server to the loopback interface or you filter the ports on the server.
The Web Agent runs on a reverse proxy in front of your application. Same remark. The only solution here is to implement an IP filter on your application to only allow requests that come from your reverse proxy.
SiteMinder r12.52 contains a new functionality named Enhanced Session Assurance with DeviceDNA™. DeviceDNA can be used to ensure that the SiteMinder Session Cookie has not been tampered with. If the Session is replayed on a different machine, or from another brower instance on the same machine, DeviceDNA will catch this and block the request.
Click here to view a webcast discussing new features in CA SiteMinder r12.52
Typical enterprise architecture will be Webserver (Siteminder Agent) + AppServer (Applications)
Say IP filtering is not enabled, and webs requests are allowed directly to AppServer, bypassing webserver and the sso-agent.
If applications have to implement a solution to assert the request headers / cookies are not tampered / injected, do we have any solution simillar to the following?
Send the SM_USERID encrypted in a seperate cookie or encrypted (Sym/Asym) along with SMSESSION id
Application will use the key to decrypt the SMSESSION or SM_USERID to retrive the user id, session expiry status and any other addtional details and authorization details if applicable.
Application now trusts the user_id and do authentication