Thinktecture v3 auto login for ADFS users within the same domain - single-sign-on

I am using Thinktecture IdentityServer v3 for authentication and authorization. It works well with a local database. I added ADFS as an external identity provider. It also works well, but it asks intranet users for credentials. My requirement is to log intranet users in automatically without asking for credentials. If the user is an internet user, it asks for credentials. Is it possible?

This is unrelated to IdentityServer3. Your browser and ADFS need to be configured correctly to use Windows integrated authentication.

Related

SPA webapp SSO federation

I have an SPA web app using OpenID Connect for authentication and authorization with a local Keycloak.
This app is now moving to a Windows on-prem infrastructure using AD, Kerberos tickets and a central SSO.
Users log in to their Windows session, and then we should be able to transparently log in to our SPA web app (i.e. without entering credentials).
How can I convert the Kerberos ticket/authentication into the OpenID Connect world? Where is the magic?
Shall we add some Kerberos to our app?
How can we retrieve our access token containing the user role?
Thanks
Your SPA should continue to talk to Keycloak using OIDC, and no code in the SPA should need to change. Your APIs will also continue to receive the same access tokens.
You should only need to configure Keycloak to use AD for authentication as an LDAP data source. Here is an article on how to do that. It is an infrastructure job rather than just a coding one, so I would recommend collaboration with AD administrators on the environment setup.
AD is only one possible authentication method, and by doing things this way you keep your options open. You are likely to need to perform account linking, e.g. to identify users the same way before and after the migration. There may be some data setup involved here, e.g. ensuring AD has the same emails as the existing system.

Only display login form if user is not connected on identity provider

I'm new to the Keycloak world and I need some help configuring my login flow.
I've configured Keycloak to allow people to log in with their ADFS account or with an LDAP account.
The ADFS identity provider is configured to use OpenID Connect.
When people connect to my application, they are redirected to Keycloak, where they see a login form and a button to log in through ADFS.
This works perfectly, but we would like people not to see that screen if they are already logged in on ADFS, and only see the login form if they're not connected to ADFS.
I changed the browser flow to use the Identity Provider Redirector first and then display the username/password form. In this case the user is automatically logged in via ADFS, but if the user is not logged in, ADFS asks for a password and the user is not redirected to Keycloak.
Do you know how we can configure Keycloak to implement that flow?
I'm using Keycloak 11.0.0-alfresco-001 (Keycloak 11 packaged by Alfresco as alfresco-identity-service) with a custom theme. The code is available on Alfresco's GitHub.
Here’s my browser flow configuration:
IAM Browser flow
Thanks for your help
• Yes, it's possible to configure Keycloak to implement the desired flow as a brokered IdP in the following way:
While configuring ADFS in Keycloak and importing its federation metadata file, check the settings and enable the 'Validate Signature' option for the authentication requests to be sent to ADFS; also enable the 'Want AuthnRequests Signed' option. Afterwards, set the signature key name field to CERT_SUBJECT, as AD FS expects the signing key name hint to be the subject of the signing certificate.
Then check the mappers for group and attribute claims in Keycloak for transforming the details from the SAML assertion into the Keycloak user store.
After that, check the descriptor URI that needs to be set, by modifying the ADFS redirect URI and adding '/descriptor' to the redirect URI in this field. The URI will be like 'https://kc.domain.name:8443/auth/realms/master/broker/adfs-idp-alias/endpoint/descriptor'.
Also, please ensure that the signing certificate for Keycloak in the ADFS claims provider is not self-signed, is issued by a trusted third-party CA, and is installed in the server's local system certificate store.
Disable the certificate revocation check for the certificate installed on the ADFS server and ensure the 'backchannel logout' option is checked in Keycloak.
• Once the above settings are checked thoroughly, the default login redirection page should be displayed, and the user should be able to select the IdP from the login page accordingly.
Please find the links below for more information:
https://www.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
Keycloak AD FS Interaction
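The answer above is a checklist of Keycloak broker settings. As an added example (my code, not Keycloak's and not from the thread), the script below audits a Keycloak SAML identity-provider representation, the JSON the admin console or admin REST API returns for a brokered IdP, against that checklist, and builds the '/descriptor' metadata URI from the realm and alias. The config key names (validateSignature, wantAuthnRequestsSigned, xmlSigKeyInfoKeyNameTransformer, backchannelSupported, signingCertificate) are Keycloak's SAML IdP config keys as I know them; the sample representations and the ADFS host are constructed.

```python
"""Audit a Keycloak SAML identity-provider representation against the
broker settings listed in the answer above. Added example; not Keycloak code."""
import json
from typing import Dict, List

# Keycloak SAML IdP config keys and the values the answer calls for.
# Config values are strings in the representation, so compare as strings.
REQUIRED: Dict[str, str] = {
    "validateSignature": "true",                         # verify what ADFS signs
    "wantAuthnRequestsSigned": "true",                   # sign our AuthnRequests
    "xmlSigKeyInfoKeyNameTransformer": "CERT_SUBJECT",   # key-name hint ADFS expects
    "backchannelSupported": "true",                      # back-channel logout
}


def descriptor_uri(base_url: str, realm: str, alias: str) -> str:
    """SP metadata URL for the broker: the IdP's redirect URI plus '/descriptor'."""
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint/descriptor"


def audit_saml_idp(rep: dict) -> List[str]:
    """Return one finding per setting that deviates from REQUIRED (empty list = OK)."""
    findings: List[str] = []
    if rep.get("providerId") != "saml":
        findings.append(f"providerId is {rep.get('providerId')!r}, expected 'saml'")
    cfg = rep.get("config", {})
    for key, want in REQUIRED.items():
        got = str(cfg.get(key, "")).strip()
        if got.lower() != want.lower():
            findings.append(f"{key}={got or '<unset>'}, expected {want}")
    # validateSignature has nothing to check against unless ADFS's certificate is pinned.
    if not cfg.get("signingCertificate"):
        findings.append("signingCertificate is empty: import it from the ADFS federation metadata")
    return findings


# Constructed sample: a broker created with defaults and the signature checks left off.
WEAK_IDP = {
    "alias": "adfs-idp-alias",
    "providerId": "saml",
    "enabled": True,
    "config": {
        "singleSignOnServiceUrl": "https://adfs.example.test/adfs/ls/",  # constructed host
        "validateSignature": "false",
        "wantAuthnRequestsSigned": "false",
        "xmlSigKeyInfoKeyNameTransformer": "KEY_ID",
        "backchannelSupported": "false",
    },
}

# The same broker with the answer's settings applied.
HARDENED_IDP = json.loads(json.dumps(WEAK_IDP))  # deep copy
HARDENED_IDP["config"].update(REQUIRED)
HARDENED_IDP["config"]["signingCertificate"] = "PLACEHOLDER-BASE64-CERT"  # placeholder, not a real cert


if __name__ == "__main__":
    for name, rep in (("weak", WEAK_IDP), ("hardened", HARDENED_IDP)):
        print(name, audit_saml_idp(rep) or ["ok"])
    print(descriptor_uri("https://kc.domain.name:8443/auth", "master", "adfs-idp-alias"))
```

To run it against a live realm, fetch the representation with a GET on the admin REST API's identity-provider endpoint for the alias and pass the parsed JSON to audit_saml_idp; an empty list means every setting from the answer is in place.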

SimpleSAMLphp: is it possible to use an existing auth service for authentication?

I'm trying to create a SAML IdP for the system I built. Probably I'm getting confused with concepts. My problem is as follows:
This system was built in SymfonyPHP, where authentication is done with an OAuth token. Nothing special: the username and password are passed to the /auth endpoint and the request returns the token if the credentials are valid. It's working fine.
Now I have to integrate these credentials with a client system. Once the user is logged in to my system, they should also be logged in on the client side (like the "login with Google" button). I've been searching and realized I should use SAML for that.
I installed SimpleSAMLphp and I'm trying to understand how to set it up as my IdP. Once that's done, I can create SPs for my clients' systems.
Question: how do I make SimpleSAML use my existing service for authentication? Which module should I use?
With SimpleSAMLphp acting as an IdP, you want to have a look at authentication modules. An authentication module is a component that encapsulates the mechanics of signing into the identity provider. For example, if you were trying to sign in to the IdP with your Facebook account, SimpleSAMLphp ships an FB authentication module that does this for you.
If your existing service can be supported by one of the SimpleSAMLPHP modules, then you're all set. Else, you need to develop your own module.

Safely generate a SAML2 token in a client application without install signing certificate

I have a client application (Windows) which the user is logged into. From this application, the user will want to access a remote website using single sign-on (SAML) and will be authenticated by Microsoft WIF. To do this, the user will click a button which opens a local web browser, generates a SAML token (containing username, roles, etc.) and makes an HTTP POST to a remote website to access it, signing them in.
I want the user to be signed in automatically, based on their credentials from the Windows application.
I know roughly how to generate the SAML token, but presume this requires the signing certificate to be installed on the local PC, which would mean installing it on all PCs in my company.
Installing this certificate doesn't seem quite right. How else can I safely allow users to generate a SAML token which will be accepted by the service provider (via single sign-on)?
UPDATE:
The user is not authenticated into the Windows application using Windows Authentication (Kerberos); we make a custom SQL call to a database of usernames/passwords.
In the Windows app, we will know the username and their roles, so we could generate claims from this, or pass it to a remote STS to generate and sign the SAML token. But again, passing this data across to the STS seems totally wrong.
The signing certificate must not be on the user desktop. Otherwise, any user could potentially generate a SAML token with the userid it wants.
What you want is a Secure Token Service (STS): an identity provider that will authenticate your user through Kerberos (as you want to re-use the identity of the logged-on user) and give you a signed SAML token.
All of this could be done when you open a web view in your application. The starting URL should be the identity provider endpoint for IdP-initiated SSO, with a URL parameter identifying the service you want to access.

Challenge window from ADFS when on the corporate network

I just read the article here: http://www.asp.net/aspnet/overview/developing-apps-with-windows-azure/building-real-world-cloud-apps-with-windows-azure/single-sign-on
I have just finished building an app that can authenticate users via WAAD, or via a local installation of ADFS on their corporate network (a configuration setting allows them to select one or the other).
The app will be hosted in Azure. Can someone tell me if it is possible for users who are on their corporate network to log in to this Azure app WITHOUT entering their credentials?
Here is the flow:
1. user navigates to the cloud app
2. FAM detects they aren't authenticated, and redirects the browser to their ADFS server on the corporate network
3. ADFS server replies with 401 challenge (I assume this is what's happening)
4. user sees a user name/password box, and enters in credentials
5. user is redirected back to the cloud app with a token containing their claims
I don't understand why #4 is required if the user is already on their corporate network. Shouldn't ADFS use Windows Authentication here so they don't have to enter their password? Is there a way to configure ADFS to do this?
Thank you!
This can be accomplished by adding the URL of the ADFS endpoint to the Local intranet or Trusted sites zone of Internet Explorer. By default, Internet Explorer will pass the Windows credentials to sites in those two groups. If that doesn't work, you would have to double-check that the setting hasn't been modified.
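Both this answer and the first one on the page (the IdentityServer3 question) come down to the same thing: ADFS has to offer Windows Integrated Authentication, and the browser has to be willing to answer it silently, which on Windows is governed by the URL security zone the ADFS host falls into. As an added example (my code, not from either thread, and not Microsoft's), the script below does two things: it classifies a captured response from the ADFS /adfs/ls/ endpoint so you know which side is prompting, and it writes the per-user ZoneMap registry entry that puts the ADFS host in the Local intranet zone. The ZoneMap key layout (Domains\<last two labels>\<remaining labels>) is how I understand Windows stores site-to-zone mappings; the host name and the sample 401 are constructed.

```python
"""Diagnose the "ADFS prompts intranet users" symptom and map the ADFS host
to the Local intranet zone. Added example, not from the original thread."""
import sys
from typing import Dict, List

# Windows URL security zone ids: 0 computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted.
LOCAL_INTRANET = 1
# Per-user zone map (HKCU); the machine-wide one sits under HKLM at the same path.
ZONEMAP_DOMAINS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"


def zone_map_subkey(host: str) -> str:
    """Registry subkey for a host, assuming the layout
    Domains\\<last two labels>\\<remaining labels>,
    e.g. sts.corp.example.com -> Domains\\example.com\\sts.corp."""
    labels = host.strip().lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"need a fully qualified host name, got {host!r}")
    domain = ".".join(labels[-2:])
    rest = ".".join(labels[:-2])
    return f"{ZONEMAP_DOMAINS}\\{domain}\\{rest}" if rest else f"{ZONEMAP_DOMAINS}\\{domain}"


def challenge_schemes(www_authenticate: List[str]) -> List[str]:
    """Scheme names offered in WWW-Authenticate header values. ADFS sends
    'Negotiate' and 'NTLM' as separate headers; some proxies fold them into
    one comma-separated value, so both shapes are handled."""
    schemes: List[str] = []
    for value in www_authenticate:
        for challenge in value.split(","):
            name = challenge.strip().split(" ")[0].lower()
            if name:
                schemes.append(name)
    return schemes


def diagnose(status: int, headers: Dict[str, List[str]]) -> str:
    """'wia-challenge': ADFS offered Windows auth, so the prompt comes from the
    browser (fix the zone / browser policy). 'forms': ADFS itself served the
    forms page (check its intranet authentication policy and the
    WIASupportedUserAgents list on the ADFS side)."""
    if status == 401:
        offered = challenge_schemes(headers.get("WWW-Authenticate", []))
        if any(s in ("negotiate", "ntlm") for s in offered):
            return "wia-challenge"
        return "other-401"
    if status == 200:
        return "forms"
    if status in (301, 302, 303, 307, 308):
        return "redirect"
    return "unexpected"


def apply_intranet_zone(host: str, scheme: str = "https") -> bool:
    """Map <scheme>://<host> to the Local intranet zone for the current user.
    Returns False off Windows, where there is nothing to write."""
    if sys.platform != "win32":
        return False
    import winreg  # Windows-only module
    with winreg.CreateKey(winreg.HKEY_CURRENT_USER, zone_map_subkey(host)) as key:
        winreg.SetValueEx(key, scheme, 0, winreg.REG_DWORD, LOCAL_INTRANET)
    return True


# Constructed sample: what an Internet-zone browser typically receives from
# ADFS when Windows authentication is enabled for intranet clients.
SAMPLE_WIA_401 = {"WWW-Authenticate": ["Negotiate", "NTLM"]}

if __name__ == "__main__":
    print(diagnose(401, SAMPLE_WIA_401))  # wia-challenge
    print(zone_map_subkey("sts.corp.example.com"))  # constructed host
    print("zone mapped" if apply_intranet_zone("sts.corp.example.com") else "not on Windows; use Group Policy")
```

Capture the status and headers with any HTTP client that sends no credentials (the script only classifies what you give it). In a domain, push the zone mapping with the "Site to Zone Assignment List" Group Policy rather than per-user registry writes; Chromium-based browsers on Windows honour the same zone configuration for Negotiate. When diagnose reports "forms", the browser is not the problem: on the ADFS server, check the primary intranet authentication provider with Get-AdfsGlobalAuthenticationPolicy and the WIASupportedUserAgents list in Get-AdfsProperties, since a browser whose User-Agent is not on that list gets the forms page even on the corporate network.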