The scenario is this: 1. There is a web application with a browser UI. 2. User has to log in to the Web UI. We would use Shibboleth for authentication (SSO) 3. The application connects to various backend components via REST API's 4. We are considering the REST API's are hooked with Shibboleth through the Shibboleth Service Provider
Once logged in the web app should pass the use context (session) to the REST API.
Is this scenario supported by Shibboleth? What is the best way to pass the session context to the REST API so that it validates the session through its service provider?
Related
I have a legacy SAP Java application hosted on neo platform which uses form based SSO authentication. I want to consume this service from rest client like Postman which is not possible right now. What options do I have?
Is it possible that I write a service on top of the current service and call the "original" service. But again, How do I pass the SSO credentials to the "original" service
I am using ServiceNow REST API calls to get ServiceNow records inside my application. My application takes username,password and domain url of their servicenow account from the user to do this. I have this situation where one of my client uses OneIdentity SSO for their servicenow application. How can I make REST calls in that case?
I should be asking them to provide a local account credentials instead of SSO credentials or is there anyway I can bypass the REST calls with SSO ? If so how ?
I should be asking them to provide a local account credentials instead
of SSO credentials
Yes, web services are not authenticated in the normal way people use to log in to the system, all of them are using the basic HTTP authentication (even if you are using the SSO URL to call the web service)
References: Service now community URLs [1] [2] & My tests using Postman :)
We are implementing RESTful service and the entire backend application using Vert.x. These API's are consumed by a hybrid mobile app (developed using Ionic / angularjs). We are using Keycloak for user management and also authentication and authorization on the app.
My question is, how can I use Keycloak to also protect (authenticate and authorize for the same set of users) my RESTful service access which is implemented using Vert.x. Any example implementation would be very useful.
We wrote a custom Vert.x auth provider using the Keycloak core library to solve this exact problem (the Vert.x JWT library doesn't work with the Keycloak JWT tokens - arguably we should have improved the Vert.x library instead). I'll see if I can get permission to open source the library.
So, if i understand correctly, you need one authentication entry point for user in mobile app and in REST service. If i am right, you can use JWT. When user will authenticate with Keycloak he will receive jwt with roles and user information. This token you can put into request for REST service and your Service will know who is the user and what roles he have. Please see https://jwt.io/
I want to implement SSO using Thinktecture Identity Server V3. The applications the I want to use this SSO are asp.net MVC apps. I was going through samples provided on the thinktecture wiki and am able to see two approaches:
1- Resource owner(providing credentials through application and calling Identity server using OAuth2Client Apis)
2- Using Owin middleware(Startup class) to call the Identity server.
In my case I wanted to calling Identity server login, but without using Owin. Do you any hints/sample on how to do that.
Thanks
If you don't want to use the Microsoft OpenId Connect middleware (and as a result OWIN) in your clients, you could initiate the login flow yourself by redirecting the user to the authorize endpoint.
Authorize endpoint: http://thinktecture.github.io/Thinktecture.IdentityServer.v3.Documentation/docs/endpoints/authorization.html
They guys behind IdentityServer have a client example showing some of the concepts if you want to handle it all yourself:
https://github.com/thinktecture/Thinktecture.IdentityServer.v3.Samples/blob/master/source/Clients/MvcFormPostClient/Controllers/AccountController.cs
I've been dropped into a hot potato project...an external entity produced a SOA architecture and we need to implement it now.
Using Drupal as a CMS and starting point of the architecture.
Here's what I think we need to do:
Authentication server
People register through the drupal site. We'd like to reuse the identity created for other (future) services, through a REST API
a) Can I add users to WSO2 Identity Server via a (REST) API?
b) Can I query WSO2IS to authenticate users via a (REST) API (creating a SSO env)?
c) Can I create re-usable profiles in WSO2IS, accessible through a (REST) API?
d) Can I authenticate drupal access via WSO2IS through a (REST) API?
e) Can I query the XACML policies via a (REST) API so that access to a requested service can be evaluated?
Other REST APIs we're going to build would use the OAuth functionality of WSO2
The architecture mandates each an authentication, a profiles and a policy (authorization) with XACML (...) module. The alternative is to build it all ourselves but I think we won't have the time for this, but I need to understand if we can do the above mentioned things to make a decision if WSO2IS is a good choice for our needs.
I have read the available documentation, browsed the help system, installed WSO2IS and checked out the interfaces, but couldn't find the responses. The only thing I managed to do is create the OAuth server.
Please find my answers..
a) Yes.. WSO2 Identity Server supports SCIM which is the standard approach for identity provisioning. Also there are web service APIs, that expose user management functions. You can front those web service API using WSO2 APIM and can expose as REST API.
b) Yes.. Apart from REST and web service API, Identity Server supports for authentication methods such as SAML2SSO, OpenID, IWA and so on.
c) Yes.. same as a) you have both options SCIM or Web service API fronted with APIM
d) There is an authentication framework in the WSO2IS, that users can be authenticated with different server.. Basically WSO2IS can act as federated IDP that application knows only to talk to WSO2IS.. WSO2IS can authenticate users from any other IDP, It can be drupal as well
e) Yes.. XACML is supported by WSO2IS... Its PDP API has been exposed via web service API.. but not as a REST API.. but as i mentioned earlier, you can expose it as REST using APIM. However REST support for XACML would be available with the further release