Single Sign On Microsoft ADFS - single-sign-on

I am tasked with setting up Single-Sign-On between ADFS and Taleo Business Edition. In this case it is an IdP initiated SSO and I have to use .net. I know .net 4.5 supports SAML, which is what the relying party (Taleo) requires to validate a user-- but I cannot find any good tutorials to even get started. Any help is appreciated, I have read through the WIF documents and some of their Developer Training Kit but it does not seem to be what I need to do. Does anyone have any pointers on good places to start? No one in my office is sure of how to do this.
EDIT: My approach is to just create a .aspx form and put that link on our intranet homepage, send the necessary credentials to the relying party (Taleo), who then interprets the SAML token and redirects the user. Does this seem like a sound approach?

What you have to do is add Taleo as a Claims provider to ADFS. Easiest to ask them for their metadata file and import that.
Essentially you are federating ADFS and Taleo.
This is a common pattern - refer e.g. AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation for a SAML example.
.NET 4.5 does not support the SAML protocol - it only supports SAML tokens. Neither does WIF.
You would normally go to the ADFS IDP Initiated page, sign in and then pick Taleo from the dropdown and then you will be redirected to Taleo with SSO so you won't need to authenticate again.

Related

How to SSO with an ADFS only with relying party Identifier without using adfs.domain.com/adfs/ls/IdpInitiatedSignOn?loginToRp=my-identifier?

I am trying to onboard users from an organization that uses an ADFS server to our web app. But we do not have an ADFS server of our own. Hence we are unable to take advantage of the federation metadata. So we had our web app set up as a relying party and we have an identifier.
For logging in I have been using the ADFS IdpInitiatedSignOn page like the following:
https://adfs.ogdomain.com/adfs/ls/IdpInitiatedSignOn?loginToRp=our-identifier and this works.
I have found this idea here. Now, are there any other ways to obtain the login URL of that ADFS server for my identifier using only the identifier? Or is it the only way to do it for those who do not have an ADFS?

SSO Integration (As Identity Provider)

I need some guidance on my SSO implementation. We have a web application where we are authenticating the user through the application's database. We check user details in the USER table and match the password. If everything looks good we create a PHP session and allow the user to log in. One of our partners has requested SSO integration; they want us to behave like an Identity Provider (their application will be the Service Provider). I have no idea where I should start. A few initial guiding points will be a great help.
Thank you!
First question is what protocol they want to use:
SAML 2.0, WS-Federation or OpenID Connect / OAuth?
What platforms do you use? - Windows, Linux? Microsoft shop?
Do you want to pay for a commercial product or use open source?
What repository do you want to authenticate against? You mention a DB. Is this SQL Server, MySQL or what? Not all products authenticate against all repositories.
If e.g. the answer is SAML 2.0 and open source, look at Shibboleth or SimpleSAMLphp.
IdentityServer would be another possibility.
If the answer is WS-Fed, Microsoft commercial, look at ADFS.

How do I integrate my web app with One Drive so that users don't have to log in twice?

We want to deeply integrate OneDrive with our web app in order to handle document and storage data. However, we want the users not to log in twice. I'm not sure whether this is possible, but I've been reading about SSO and SAML and it seems like it's the way to go.
Is it possible, and if so, is Single Sign On the way to go?
Single Sign-On (SSO) is a great solution for user experience when web applications are hosted on different domains. SAML as a standard was developed for cross domain authentication to solve this use case. You will need an Identity Provider (IdP) server that handles authentication of users to your web application and then the IdP Server issues SAML assertions to your web application and OneDrive. Your application in this architecture will be a Service Provider (SP) that will consume SAML assertions, as well as OneDrive is a SP that consumes SAML assertions. There are a number of SSO/Federation vendors that provide the IdP Server.
As far as implementation, once you have chosen and installed the IdP Server, you will need to implement your web application to consume the SAML assertion and configure the IdP Server as a connection. OneDrive will simply be a configuration as it already supports SAML and WS-Federation.
In addition to SAML as a protocol, there are other standards with respect to SSO/Federation such as OpenID Connect (OIDC) and OAuth2. When choosing an IdP Server solution you may want to look at these other protocols that can solve additional use cases. SAML works well for web applications and the use case you have described. OIDC and OAuth2 are better suited for secure APIs and native mobile applications.
Another consideration when looking at an IdP Server is how authentication is to be performed. Options for authentication could be using Kerberos/IWA if all clients are on a common domain, or authentication using a Login Form. You may also want to look at MFA support when looking at an IdP Server as part of the SSO solution.

Need to SSO to a vendor using SAML, not sure what path to take

I'm trying to set up a single-sign-on solution to a 3rd party site. They currently don't have anything set up on their end yet, but they want to use SAML. They instructed us to "provide them a sample of a standard SAML2.0 message", and sent over a certificate. Kind of asking me to show them a key and they'll build a lock to put it in.
I need some direction on what to actually set up for this. The vendor has cryptically stated that they are using these parts of the SAML message: ds:Signature, saml:Conditions, samlNameId. I've put together a C# console app that can produce a Saml2SecurityToken using their certificate and a given Name Identifier, and set a timeframe for the condition. I think this is what they need from me.
We do have ADFS however. I've used it to authenticate users accessing internal sites, so I have a little experience with it. I'm overwhelmed by the information for ADFS though, and can't grasp what to set up for this kind of situation - I don't know how to translate the vendor & I's relationship into ADFS terminology.
Can someone explain who I am and who they are in ADFS terms? I think all the pieces for setting this relationship are right there, but I'm just getting swamped by the volumes of information on every page about ADFS.
On your ADFS site, navigate to:
https://your server/federationmetadata/2007-06/federationmetadata.xml.
Save this file, send to the vendor. This is the metadata. It describes the SAML profiles, the certificates, the public keys etc. You don't need to send them any actual certificates.
Ask the vendor for their metadata. Import this into ADFS as a Claims Provider Trust.
Configure your application via WIF to use ADFS.
When the user navigates to the application, the user will be redirected to ADFS. They will get the Home Realm Discovery screen and select either the 3rd party vendor or ADFS to authenticate and then they will get access to the application.
If ADFS is the source of authentication, ADFS is the IP, the vendor is the service provider (RP). And obviously vice versa.

Initiate a SAML 2.0 Post to an SP for an already Authenticated User

I need to implement SSO for a third party product our company has purchased (Service Provider). They need a SAML 2.0 token Posted to their server. We plan to implement this in an Application Page in SharePoint where we already have the user authenticated (Windows Sign-on). All I need to do is create the Token and send it along. However, I am having a great deal of difficulty finding recipes for this scenario. I would like to avoid as many moving parts as possible, so not interested in using things like AD FS, WIF, etc... if at all possible.
Does anyone have a good resource for setting up this type of IdP?
How does this 3rd party expect the token?
Via a web-service (WS-Trust), WS-Federation, SAML?
SP has an STS but it doesn't support SAML.
It sounds like the easiest way is to use ADFS for the heavy lifting.