Does PingFederate and ADFS support SAML ECP (Enhanced Client and Proxy) Profile? If yes, is there any documentation?
Yes, PF supports ECP as I believe it is required per SAML 2.0 compliance testing. I would contact them directly for more info as it has very little documentation around it.
No idea about Ping but for ADFS, no it doesn't support ECP.
Related
I am creating a java application to implement SSO (SAML) using ADFS. I am not sure if SAML can be done using ADFS alone. While installing ADFS, I noticed that it required configurations of relying party and claim providers trusts (which are basically the SP and IP, right?). I am confused as to whether to have SP and IP in the java application, or just leave it to the ADFS to handle.
Any help would be greatly appreciated. Thanks!
Your Java application needs a SAML stack and becomes the SP.
Refer: SAML : SAML connectivity / toolkit for some ideas if you don't have one.
ADFS (which handles SAML 2.0) can then function as the IDP.
You will also have to configure the claims in ADFS - which correspond to the SAML assertions.
Your Java application will be a Service Provider (SP) that receives identity from an Identity Provider (IdP) server. In the use case you have outlined, ADFS will be the IdP Server. within your application you will need to integrate a library (e.g. SAML stack) to process the SAML assertion. SAML requires configuration on both sides of the interface. There are a few open source options such as OpenSAML. Depending on your organization, you may want to look at a vendor provided solution as well for long term support.
Does Thinktecture IdentityServer V3 has support for SAML or does it only support OAuth?
IdentityServer v3 supports any Katana-compatible Owin middleware for authentication. With a compatible middleware for SAML2 such as Kentor.AuthServices IdentityServer 3 can authenticate against external SAML2 Identity Providers with Idsrv acting as a SAML2 Service Provider. I wrote a blog post on how to do it.
There's also a plugin interface which would allow IdentityServer v3 to act as a SAML2 Identity Provider but as far as I know there's no implementation available.
There is Owin middleware to support the SAML protocol you can use with IdentityServer v3. It does not yet support all flows but it is being used in a couple implementations. Full disclosure - I am the author of this code which was forked from a previous SAML2 library on CodePlex.
OpenID Connect, OAuth2, WS-Fed.
#DavidEdwards - no - IdentityServer2 has no SAML support OOTB.
I normally get around this by:
IdentityServer --> WS-Fed --> ADFS --> SAML --> IDP
Nope! No SAML.
leastPrivilege.com
In the article Dominick says... "Having spent a considerable amount of time in the WS*/SAML world, it became more and more apparent that these technologies are not a good match for the modern types of applications that we (and our customers) like to build."
They focused on OpenID Connect and OAuth2.
Is it possible to sign a SAML 2.0 post with a self-signed certificate? I am in charge of implementing a new SSO procedure with a vendor using SAML 2.0 and we trying to determine if we can sign the SAML post with a self-signed certificate or if we need to buy one.
If we can use a self-signed certificate, does the Service Provider need to do any additional steps to verify the signature? We are creating the SAML 2.0 post as the Identity Provider.
Thanks in advance.
Yes, I assume you mean signing the Assertion that is returned via POST binding (see SAML 2.0 Profiles, section 4.1.4.5). The SAML 2.0 specification mandates it be signed for SSO, but doesn't get into specifics of CA signed vs. self-signed.
Check with your software (both IdP and SP side) to see what is supported - some have limitations in this regard.
The SAML spec actually recommends that you use long-lived self-signed certificates. See this document for more info
I am getting a strange error from ADFS 2.0 event Log as follows:
"The Federation Service could not fulfill the token-issuance request because the relying party 'https://my-relying-party' is missing a WS-Federation Passive endpoint address.
Relying party: https://my-relying-party
This request failed.
User Action
Use the AD FS 2.0 Management snap-in to configure a WS-Federation Passive endpoint on this relying party."
This happens after SAML response is verified successfully by ADFS 2.0 but apparently fails to issue a token for the relying party application.
I configured in ADFS 2.0 both IDP and SP as SAML 2.0 so I don't understand why is WS-Federation endpoint is expected?
Any help will be appreciated.
Is your web application talking the WS-Federation protocol or the SAML protocol (SAML-P)? If your web application is based on WIF, then you are using WS-Federation. Note that both protocols use SAML tokens.
If your application talks the WS-Federation protocol, then in your AD FS Relying Party Trust you need to set the WS-Federation endpoint(s). If it talks the SAML protocol, you need to set the SAML protocol endpoint(s).
Based on your error message, your application probably talks WS-Federation, therefore you need to set the WS-Federation endpoint.
The integration between your SAML 2.0 SP (ADFSv2) and your RP Application is done via WS-Federation Passive Requester Profile. So you'll need to setup your application to receive the WS-Fed Response and parse it appropriately. You'll also have to configure ADFSv2 to generate this message as well (per the error message you received).
Hope this helps -
Ian
You need to add the web application url to the endpoints in the properties of you relying party.
add ws-federation passive reference manually or in federation file will solve the problem.
Please let me know if you need detail guidance.
I'am are trying to implement a Web SSO with claim based identity using WIF and AD FS 2.0 right now. Right now I have a existing ASP.Net application which delegates authentification to the AD FS 2.0 server and trust issued security tokens. That works just fine.
However, in the organization there is an existing JA-SIG Central Authentication Service (CAS) server which supports the SAML 2 protocol. I would like to replace AD FS 2.0 with the existing CAS service.
In my understanding WIF uses WS-Federation, which is like a container around a SAML token. Is it possible to use the plain SAML 2 protocol and it's bindings (redirect or POST)? If that is not possible (as I guess), a second alternative might be to use federate identity and federate AD FS 2.0 with CAS. Is that possible? There is little to no information about that on the web.
Thanks :-)
After some research I came up with the following issues. CAS 3.x supports SAML 1.1 tokens and the SAML 1.1 protocol including Web SSO. There is support for SAML 1.1/2.0 tokens in ADFS 2.0. However, only the SAML 2.0 protocol is supported. That means no out of the box federation between CAS and ADFS 2.0 is possible.
We are researching OpenSSO as an alternative now, which provides support for all necessary protocols including WS-Federation for attaching WIF clients.
Access control Service v2 (ACS v2) may be an option. It supports both SAML1.1 and 2.0 as well in addition to other ones like simple web token (SWT) etc. It then allows to translate tokens from the source system to the relying party format..
https://portal.appfabriclabs.com/Default.aspx