I'm using OpenAM as a service provider to provide an encrypted SAML token to a Salesforce canvas app.
Ideally I would like this SAML token to contain the OpenAM SSO token to enable the canvas app to refresh the SAML token. How do I add this to the SAML token?
There is no out of the box solution for this, I think you'll need to write a custom Attribute Mapper:
http://docs.forgerock.org/en/openam/12.0.0/apidocs/com/sun/identity/saml2/plugins/IDPAttributeMapper.html
Related
I have an application which currently works with Azure AD Oauth 2.0. It accepts the JWT token from AAD as a access_token and signs the user in. I am trying to setup this with Google IDP and I am running into an issue. Google IDP returns the JWT token as id_token which the application doesn't recognize and value returned in access_token is not a valid JWT. Is there a way to receive the JWT as access_token in Google? How can I achieve this? the Application can only accept JWT as access_token it cant be changed, this an application from Oracle Corp.
I have an AWS Cognito where thousand of users already registered, Now I have a scenario where I have to share my user with a 3rd-Party application, where 3parth application want to use my Cognito users for login using SAML 2.0 IDP.
Where Cognito user pool should work as IDP and 3party application should work as SP.
Is there any way to provide Cognito user as IDP to a 3rd-party?
Like, We can use Google, Facebook, LinkedIn, Okla, Auth0 etc... IDPs into Cognito(SP), but in my case is the opposite where I want to provide Cognito as IDP.
I was searching for a similar solution for one of the requirements in my project and came across this article where Auth0 has been used as a middle layer for acting as a SAML IdP.
https://aws.amazon.com/premiumsupport/knowledge-center/auth0-saml-cognito-user-pool/
AWS cognito here acts as an identity provider and Auth0 helps in transforming the request into SAML.
This has solved my use-case. Hope this is the same thing you are trying to achieve.
My understanding (which may be incorrect) of Keycloak is that once an User has logged in and is authenticated, the access-token/JWT is then stored as a cookie in the browser (under the default name 'kc-access').
Is it possible to configure keycloak to instead store the access-token directly as a Bearer Token instead of in a cookie?
Asking as I wish to use Keycloak to secure a web application, however most resources I have read on Authentication usually talk about access-tokens stored as Bearer Tokens, rather than as cookies.
From the Keycloak documentation, I cannot see any mention of options to store the access-token as a Cookie OR Bearer Token - Am I misunderstanding how Keycloak is meant to be used for providing authentication for web applications?
Keycloak is used as a Single-Sign-On (SSO) provider. As such, it is designed to be used with multiple components. It is designed to keep a session open on the user's browser with a cookie. This session is private to Keycloak. The authentication flow then provides your application with a token that authenticates the user. Your application will then usually set it's own cookie to establish a session for the user and avoid having them login on each page.
When you login with Keycloak, it keeps a session open with your browser by storing a cookie there. The length of this session and other factors are configurable in your realm settings.
When you use Keycloak to login to another app, such as your web app, you use OpenID Connect (or SAML) as a protocol to authenticate the user with a flow similar to the following:
The user's browser is redirected from your application to Keycloak,
which checks whether the user already has a session, requires them to login (and create a session) if they are not yet logged in on keycloak
Redirects the user back to your web app with a short lived code
Your application connects to keycloak to exchange the code against a token.
Your application reads the token to identify the user and possibly stores it if it needs to access third party resources as the user using OAuth2.
Your application creates a session cookie to keep the user authenticated.
Most of these steps should be handled by a library. Keycloak provides many OpenID adapters for popular frameworks and servers, such as Apache and Tomcat.
The session cookies can be any string so long as they are unique and private between the browser and your application. They identify the user from the browser across requests. The bearer token is generally used to authenticate or to connect to stateless services such as APIs.
You can find documentation about the OpenID protocol here: https://openid.net/connect/faq/ .
I want to use SAML login for a single web application with a REST API. How should I do this? Usually, say with OAuth, lets use Google/Firebase as an example:
SPA calls Google to login. Google returns a Google ID token
SPA can call Server with Google ID token which server can verify with Google and return an access token for use with the application
Firstly is this correct or did I get something wrong so far?
But with SAML, from what I can see, its user is redirected to SAML IDP, SAML IDP then redirects user to a server assertion URL. Because there is this redirect, how do I use it in the context of REST? I am unfamiliar with SAML, but I dont see a token. The server just gets an "assertion" with the user information?
Here is the sequence of events which happen when the application is using SAML for the authentication:
server should send a response to the client with the URL to SAML IDP.
client application redirects the browser to SAML IDP (1).
After successful authentication, SAML server sends response with the redirect back to the client. The browser automatically posts the HTML form SAML server to your server.
After validating SAML assert and successful authorization (you can use user's information or other attributes to authorize the user to use your application), your server should generate a token that now can be used by the client application.
This is a basic scenario.
See spirng-saml project here, you can try and play with the sample web application.
https://projects.spring.io/spring-security-saml
SAML assertion is an equivalent of id_token in OpenID Connect 1.0 that Google uses. There is no access_token in SAML. SAML is an authentication protocol.
OAuth 2.0 that uses access_tokens is an authorization protocol. That is why it provides an access_token to authorize access to your REST API.
OpenID Connect is an extension of OAuth 2.0 that supports user authentication in addition to API authorization and introduces id_tokens that contain user information.
One of the options to use SAML in your Single Page Application with REST API is to host them at the same domain. In this case you can:
Get an assertion from SAML Identity Provider.
Verify it (format, signature, lifetime, etc) on the server side.
Return a session cookie in the response to set it in the browser.
Each request to the REST API will come with a session cookie authorizing access to it.
I will try to keep the question as clear and direct as possible.
Social authentication (Facebook) configured with Okta with redirect URI as URL to my custom webapp. This custom webapp relies on Okta for authentication.
User visits my custom webapp (unauthenticated) and clicks on the social authentication URL to login to my custom webapp.
User follows the normal flow, gets authenticated by facebook and thereby by Okta (as per usual flow) and is then redirected by Okta back to the custom webapp.
The entire flow is successful and the user can see an Okta session cookie set in their browser.
Custom webapp now needs to show the user their own profile by making an Okta API call.
Problem: How can my custom webapp identify who just logged in so that they can fetch their Okta profile using API?
I am aware that Okta knows who just logged in due to claims that facebook sends to the OAuth client (Okta), but how will my app know the identity of the user who logged in?
Thanks,
Jatin
It depends on the OAuth2 flow you've chosen for your app, but the end state is getting an id_token from Okta which contains claims about the user that just logged in.
If you've set response_type=code in your social auth url (/authorize), after Step 4 you'll get a code query param in the redirect that you can then exchange for the id_token using the /token endpoint.
Or, if you've set response_type=id_token, you should already have the id_token in the redirect - you just need to validate/decode it (more info here).