I am trying to use Tivoli Federated Identity Manager 6.2 as an identity provider with an application that has SAML 2.0 support using the ComponentSpace library.
Will that application be able to support TFIM or not? And if it is supported, can anyone provide any instructions, information or documentation related to using these two together?
Yes, interoperability with TFIM is supported. You should ask for the SAML metadata from the partner provider using TFIM. The SAML metadata includes information such as the URLs used for SSO, the X.509 certificate used for signature verification, and the partner's entity ID.
You can use the ImportMetadata utility to import the TFIM SAML metadata and have your local SAML configuration (i.e. saml.config) updated with this information.
The partner provider will most likely want your SAML metadata so they can update the TFIM configuration.
You can use the ExportMetadata utility to export the local SAML configuration (i.e. saml.config) to a SAML metadata file that may be supplied to the partner provider.
The ImportMetadata and ExportMetadata projects may be found under the Examples/Metadata folder.
I want to create an SSO to be used by multiple applications; what would be the best way to do it? I was going through SAML 2.0, but I am confused as I didn't find any articles on creating your own/custom SAML IDP.
1. How feasible is it to create your own IDP?
2. What is the best way to implement SSO?
Question 1: How feasible is it to create your own IDP?
Answer:
The GitHub repository "How to build and run Shibboleth SAML IdP and SP using Docker container" provides instructions on building your own SAML IdP in Java using Shibboleth SAML IdP and OpenLDAP.
Shibboleth SAML IdP is responsible for identity federation.
OpenLDAP is responsible for identity authentication.
Question 2: What is the best way to implement SSO?
Answer:
Shibboleth IdP has implemented SSO for enterprise applications which have been integrated with SAML SP.
(I) I have validated SAML Single Sign-On (SSO) provided by the Docker-running Shibboleth SAML IdP (Identity Provider) and OpenLDAP for the following enterprise applications. In other words, I leveraged the Docker-running Shibboleth SAML IdP and OpenLDAP to log in to the following enterprise applications successfully.
Microsoft Office 365
Google G Suite
Salesforce
Dropbox
Box
Amazon AWS
OpenStack
Citrix NetScaler
VMware vCloud Director
Oracle NetSuite
(II) We developed our former version of Zero-Password Authentication and Authorization System in Java and leveraged Shibboleth IdP to provide SAML SSO for enterprise applications.
We developed our current version of Zero-Password Authentication and Authorization System with scalability and high availability in Scala to provide SAML SSO natively for enterprise applications without Shibboleth IdP.
For quick deployment of a SAML IdP in your production environment, leveraging a third-party SAML IdP (such as Shibboleth IdP) is highly recommended. Then you have sufficient time to develop your own SAML IdP in Java or another programming language.
(III) Another StackOverflow question "How to implement or integrate single sign on with SAML and Shibboleth" provides valuable information and discussions.
Question 1: How feasible is it to create your own IDP?
Yes, it is possible, but it requires a lot of effort.
This repository can help you figure out how to build your own IDP: A mock IDP and SP using the OpenSAML library
This repository can help you integrate your own IDP into a Spring Boot application: Spring Boot, SAML, and Okta
Question 2: What is the best way to implement SSO?
In my opinion, the best way to implement SSO is to use a pay-as-you-go identity service. It helps you save effort and money. There are many such services from Amazon, Google, Apple, Okta, Auth0, geetoPod, etc.
Don't try to roll your own; use a supported solution.
On the client side, you need a SAML stack.
Some of these come with an IDP you can install.
Have a look at:
Shibboleth
Azure AD - SAML IDP in the cloud
SaaS e.g. Auth0, Okta - SAML IDP in the cloud
identityserver4 with SAML plugin
ComponentSpace - has both client and server side
Sustainsys - has both client and server side
All of these will provide a SAML IDP.
They also provide good documentation to get you up and running.
All,
I'm trying to configure the WSO2 product with an external IDP, not the IS IDP. What configuration files need to be updated, and with what information? Also, when I add an IDP from the API Manager browser, where is that file being saved server-side, and is it being used?
Thanks,
Hunter
If your IDP supports SAML, you can configure it as a federated IDP in APIM directly. If your IDP does not support SAML, plug WSO2 IS between APIM and your IDP and configure your IDP as a federated IDP in WSO2 IS.
In order to add an external IDP, you can use WSO2 Identity Server to bridge the external IDP to API Manager. I believe this article will be helpful to figure out the design and configuration for your solution. This webinar and the related blog would help too.
I have made WSO2 AM 1.10.0 work with PingFederate SAML2 (with and without IS; now without IS), for the majority of it. How to integrate WSO2 API Manager (AM) 1.10.0 with PingFederate SAML 2.0?
I followed the instructions here https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2, just assuming WSO2 IS as PingIdentity. For the majority part it's working, but I cannot generate keys when subscribing to an API. It says "invalid credentials" even though I have logged into applications and subscriptions and can create applications from the /store UI.
As a requirement I need to configure 2 enterprise applications using SAML tokens.
Due to the following constraints I need to write individual services for token generation and token signing.
The Constraints are:
No IdP (Identity Provider) available. No associated metadata file available.
Need to use SAML 1.1 version
Need to self-sign the SAML Response.
As part of a POC I am able to generate a SAML token using version 2.0 by writing a service which forwards to a signing service for signing. I am able to sign it by generating a certificate/keystore using the Windows keytool command.
However, for the SAML 1.1 implementation using the OpenSAML library I am unable to generate the SAML request message in the proper format. I looked for additional libraries which could help, like WSS4J, which has a SAML Token Profile generator.
I also looked at some configuration around IBM WebSphere Application Server (SAML token generator), as that is what is used for hosting the application. I still could not implement the solution using the above options.
Questions:
Is it possible to do a SAML implementation without using an IdP server?
Can I use IBM WebSphere Application Server (WAS) as an IdP server?
Can WAS be utilized for generating STS tokens?
Is there any library like OpenSAML or WSS4J which can help to generate and sign SAML tokens easily for SAML version 1.1?
I am trying to set up JOSSO 2.4 to work as a sign-in solution for multiple websites (starting with just one).
I have configured my test website as an "external saml2 service provider" in JOSSO, but this requires a "metadata file" and I have been unable to find any documentation for this metadata file format. Is it a standard SAML format shared across all SAML implementations?
I found some sample XML files I could import, but I never found a sample which had SSO enabled.
You didn't mention what you use as the service provider. You can use Spring Security SAML and download metadata from a special URL, for example: http://localhost:8080/spring-security-saml2-sample/saml/metadata
See documentation: http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/
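The metadata file asked about here, and the file the ComponentSpace ImportMetadata/ExportMetadata utilities read and write in the TFIM answer above, is the same standard SAML 2.0 EntityDescriptor document that every implementation (TFIM, Shibboleth, Spring Security SAML, JOSSO, Okta) exchanges. The following is an added example, not code from either answer or from any of those products: it builds a minimal SP metadata document to hand to a partner and parses the IdP metadata a partner hands back, pulling out the entity ID, the SSO endpoints per binding and the signing certificate. The entity IDs, URLs and the certificate bytes are constructed placeholders.

```python
"""SAML 2.0 metadata in both directions: build SP metadata to give to a partner
(the ExportMetadata direction) and parse the IdP metadata a partner returns
(the ImportMetadata direction)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed placeholder: NOT a real certificate, just bytes occupying the slot
# where the base64 DER-encoded X.509 certificate normally goes.
PLACEHOLDER_CERT_DER = b"placeholder-not-a-real-certificate"
PLACEHOLDER_CERT_B64 = base64.b64encode(PLACEHOLDER_CERT_DER).decode()


def _q(prefix, local):
    """Clark-notation tag, e.g. {urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor."""
    return f"{{{NS[prefix]}}}{local}"


def build_sp_metadata(entity_id, acs_url, signing_cert_b64):
    """Minimal SP EntityDescriptor: entity ID, signing certificate, ACS endpoint."""
    ed = ET.Element(_q("md", "EntityDescriptor"), entityID=entity_id)
    sp = ET.SubElement(ed, _q("md", "SPSSODescriptor"),
                       AuthnRequestsSigned="true", WantAssertionsSigned="true",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    kd = ET.SubElement(sp, _q("md", "KeyDescriptor"), use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, _q("ds", "KeyInfo")), _q("ds", "X509Data"))
    ET.SubElement(x509, _q("ds", "X509Certificate")).text = signing_cert_b64
    ET.SubElement(sp, _q("md", "AssertionConsumerService"),
                  Binding=HTTP_POST, Location=acs_url, index="0", isDefault="true")
    return ET.tostring(ed, encoding="unicode")


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate: the value to confirm out of band."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_metadata(xml_text, now=None):
    """Return entity ID, role, endpoints by binding and signing-cert fingerprints.

    Partner metadata is untrusted input: in production parse it with defusedxml
    (or a parser with DTDs disabled) and verify the metadata's own ds:Signature
    or the TLS origin before trusting the certificate inside it.
    """
    root = ET.fromstring(xml_text)
    if root.tag != _q("md", "EntityDescriptor"):
        raise ValueError("not a SAML EntityDescriptor")
    valid_until = root.get("validUntil")
    if valid_until:  # stale metadata must not be imported silently
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if (now or datetime.now(timezone.utc)) >= expiry:
            raise ValueError(f"metadata expired at {valid_until}")
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    if idp is not None:
        role, descriptor, endpoint_tag = "IDP", idp, "md:SingleSignOnService"
    elif sp is not None:
        role, descriptor, endpoint_tag = "SP", sp, "md:AssertionConsumerService"
    else:
        raise ValueError("neither IDPSSODescriptor nor SPSSODescriptor present")
    endpoints = {ep.get("Binding"): ep.get("Location")
                 for ep in descriptor.findall(endpoint_tag, NS)}
    fingerprints = []
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' = signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # PEM-style line breaks
            fingerprints.append(cert_fingerprint(der))
    return {"entity_id": root.get("entityID"), "role": role,
            "endpoints": endpoints, "signing_cert_sha256": fingerprints}


# Constructed sample of what an IdP (TFIM, Shibboleth, Okta, ...) would publish.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(parse_metadata(SAMPLE_IDP_METADATA))
    print(build_sp_metadata("https://sp.example.com/saml",
                            "https://sp.example.com/saml/acs", PLACEHOLDER_CERT_B64))
```

Whichever product you use, the certificate fingerprint printed on import is the thing to confirm with the partner over a second channel: an attacker who can substitute the metadata file can substitute the signing certificate, and from then on every assertion they forge will verify.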
We have a web application (say WA) developed in Java, and we need to provide SSO login from a client web application (say WB) to WA; the requirement is to do it with Okta (SAML 2.0).
Currently I have the IdP metadata, the IdP Single Sign-On URL and the Identity Provider Issuer link created from Okta.
Can anybody please help me with this issue: what do I need to do on my application side to provide the SSO login facility? How do I listen for the SSO request from my app (WA)?
Thanks and regards
In case you would like to add SAML support directly into your application (as opposed to including it, for example, in a reverse proxy such as Apache or IIS), you can use either Spring SAML (with minimal Spring configuration in case you don't use Spring Security already) or OpenAM's Fedlet.
Spring SAML enables applications to act as a SAML 2.0 Service Provider by initiating web single sign-on towards the IDP (Okta) and accepting and validating the response (SAML 2.0 Assertion) sent back from Okta.
A good approach to implementing Spring SAML is to start with the quick start guide, which helps you create a SAML 2.0 integration with a public SAML 2.0 Identity Provider; then change the IDP to Okta and integrate the result into your application.
It is also possible to build SAML 2.0 support from scratch (using OpenSAML library), but significant knowledge of the protocol is needed for it to be done securely.
Some application servers also include SAML support (WebLogic, WebSphere, JBoss with its PicketLink library), but such configuration is of course not portable.
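The two halves of what the answer above says an SP does, "initiating web single sign-on towards the IDP" and "accepting and validating the response", are shown below as an added example in Python. It is not code from the answer, from Spring SAML or from OpenSAML, and it deliberately leaves out the XML-DSig verification that a real SP must do first (xmlsec or the SAML library does that): what it shows is the AuthnRequest on the HTTP-Redirect binding and the checks that still have to pass after the signature is good. Entity IDs, URLs, request IDs and the sample Response are all constructed.

```python
"""SP side of SAML 2.0 web SSO: send an AuthnRequest over the HTTP-Redirect
binding, then validate the Response/Assertion POSTed back to the ACS."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def parse_ts(value):
    """SAML timestamps are UTC xs:dateTime, normally written with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_authn_request(sp_entity_id, acs_url, idp_sso_url):
    """Return (request ID, XML). Store the ID in the user's session so that the
    Response's InResponseTo can be matched; an unmatched one is a replay."""
    req_id = "_" + uuid.uuid4().hex
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{issued}" '
           f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    return req_id, xml


def redirect_url(idp_sso_url, authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.
    A signing SP additionally appends SigAlg= and Signature= over the query."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = deflater.compress(authn_request_xml.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode(),
                       "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"


def decode_redirect_request(url):
    """Inverse of redirect_url, i.e. what the IdP does with the query string."""
    params = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    return xml, params.get("RelayState", [None])[0]


def validate_response(response_xml, *, sp_entity_id, acs_url, idp_entity_id,
                      expected_request_id, now=None, skew=timedelta(seconds=60)):
    """Checks to run AFTER the XML signature over the Assertion has been verified
    against the IdP's metadata certificate (not done here). Each one below
    closes a well-known SP-side hole (replay, wrong audience, stale token)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != acs_url:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("Assertion Issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (not_before and now + skew < parse_ts(not_before)) or \
            (not_after and now - skew >= parse_ts(not_after)):
        raise ValueError("Assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("Assertion is not addressed to this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or \
            scd.get("InResponseTo") != expected_request_id or \
            now - skew >= parse_ts(scd.get("NotOnOrAfter")):
        raise ValueError("SubjectConfirmationData rejected")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs}


# Constructed, unsigned sample of what an IdP such as Okta POSTs to the ACS.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
  Version="2.0" IssueInstant="2024-05-01T12:00:00Z" InResponseTo="_abc123"
  Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"
          InResponseTo="_abc123" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="groups">
      <saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The order matters: verify the signature first, then these checks, and never pull the NameID out of the document before both have passed. Spring SAML and OpenSAML perform all of the above for you, which is the practical reason the answer steers people away from building on raw OpenSAML without knowing the protocol.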