According to https://docs.wso2.org/display/IS460/Enabling+IWA+in+WSO2+Identity+Server IS seems to be configured to use WAFFLE which can be used only on Windows.
Did anyone have a chance to successfully install using http://spnego.sourceforge.net/ framework?
It would be appreciated to not limit the environment to Windows only.
If you use Tomcat, you can simply use my library: http://tomcatspnegoad.sourceforge.net/
We have managed to create a custom authenticator where
the authenticator redirects user to a page hosted in Tomcat (Custom logon page
the logon page doesn't display any logon form, but using the Tomcat SPNEGO user is authenticated with SPNEGO / Kerberos and a JWT ticket is posted back to the authenticator (commonAuthId) instead of username and password
the authenticator assumes identity of the user (set the username in the authentication context)
This is de facto a custom claim authentication, do not forget to sign / validate the posted ticket.
Related
I am configuring Azure B2C with Tableau using SAML protocol. How do I expose the password reset user journey? I can't do it from the portal and the policy URL doesn't load in the browser either.
When using a SAML SaaS app where the forgot password error cannot be handled, you can use this sample which embeds the password reset steps into the sign in journey.
https://github.com/azure-ad-b2c/samples/tree/master/policies/embedded-password-reset
What I want to do is this:
I have keycloak integrated with my application. So when my app is launched , keycloak login page is shown to user. Now , I am trying to provide an option to login with PingFedrate. So a button to login with PingFed appears(once a new SAML provider is configured in keycloak). On PingFedrate I tried to integrate SP inititated SSO:
I added a new SP connection and there I configured it as SSP initiated SSO. (It forced me to configure SOAP Authentication , where I selected basic and configured random username password). Then I downloaded metatdata.xml from this SP and imported in keycloak which autofilled the login url as : https://myserver:9031/idp/SSO.saml2 (i.e. without client id). After this when user clickon Login with PingFed - PingFed gives following error:
Unexpected System Error Sorry for the inconvenience. Please contact
your administrator for assistance and provide the reference number
below to help locate and correct the problem.
I found the solution to this.
Firstly, we need to add SP inititated SSO in Pingfed for keycloak.
Secondly, the reason I could not make SP inititated SSO work was that keycloak's entityId should be same as Pingfed SP connection's Partner's Entity Id / Connection Id.
Keycloak, by default keeps entity id equal to url of keyloak server containing your realm. E.g
https://(keycloak-server)/auth/realms/(realm-name)
(and I could not find a way to change it through Keycloak UI)
You need to enter this URL in Pingfed.
To avoid adding this manually, you can download the keycloak config from download export tab of identity provider.
And on Pingfed , import this file.
On a side note, though I was importing it earlier, I was changing value of Partenr id to some other name as I was not aware of above restriction until I started decoding the SAML tokens in request.
I have an ADFS single sign on application. Can we also have form authentication using login credential from a database on the same application? In other words, I need single-sign-on for people who have windows account and form authentication for people who do not have windows account. I did some research on this topic but I have no lead. Is there any suggestion?
Out of the box ADFS can only authenticate against Active Directory (The latest version of ADFS (vNext) do supports LDAP v3-compliant directories).
You need to build your own Custom Authentication Provider for ADFS if you would like to plugin your custom code.
Some pointers for further reading:
Understanding WIF 4.5
Create a Custom Authentication Provider for Active Directory Federation Services
I am new to CAS and single signon. Please correct me if my understanding is incorrect, below if what I understand about CAS.
I have 2 web applications
I setup CAS, and when I access URL of WebApp1, it shows me the CAS login page
I fill correct username/password
It takes me in WebApp1
From there I access WebApp2, and it works fine
What I need is as follows:
When I access WebApp1, I must see WebApp1 login page, not that of CAS
Let CAS generate some token for the session
Use this token to authenticate WebApp2 (which the way its working now - step 5 above)
Can someone suggest me how to achieve this?
I am using Java 1.6, CAS 3.4.11, Tomcat 6.
I've made a summary recently on how CAS works.
The principles are written there. Basically it is like this
Access The WebApp1
Show the CAS login page and authenticate
redirect to WebApp1
Now subsequently you do the following
Access WebApp2
the access request is redirected to CAS which without showing a login page authenticates the user
Always under the assumption that both WebApps are configured to use CAS as a login provider and CAS is setup to support both WebApps.
Now in the CAS way what you want to achieve is done like this:
exchange the standard CAS login page with your login page and your done
My knowledge of these systems is not large so please forgive me if I am asking dumb questions.
I hope to achieve the following:
Idp (AD FS 2.0) -> SAML 2.0 -> Sp (simpleSAMLphp)
*I don't need anything more fancy than to simply authenticate a user.
I have attempted to configure Windows Server 2008 with AD FS 2.0 (domain A) as an Identity provider and have it handle authentication requests from a service provider on a different domain (created using simpleSAMLphp (domain B)).
The AD FS 2.0 Management application allows me to add raw meta XML from the SP to configure the idp. And my SP has the facility to do the same. So I figure that If I setup the idp (AD FS 2.0) correctly then I will simple just have to make the SP interpret the metadata of the idp.
Currently I feel that I am close to a solution (but then again I am probably wrong!). Currently it seems everything is find right up to the point when the Idp asks for your login credentials, and I enter my credentials, it appears that the session has started, but I get a 'Not Authorized - HTTP Error 401. The requested resource requires user authentication.' message after entering the correct login credentials.
Could someone please explain how to fix this? or if it's quicker a step by step setup to make AD FS 2.0 authenticate using SAML 2.0 for simply authenticating a username and password.
Thankyou in advance for any hints!
Have you established a claims provider trust within ADFS 2.0 management? Your system needs to accept claims-bearing tokens from a trusted claims provider. That is, whatever STS -- "Security Token Service" -- you have in front of your user repository. ADFS can both a "Relying Party" -- RP -- or a STS. You need both a relying party and a STS.
Check out Eugenio Pace's MSDN blog for more details:
http://blogs.msdn.com/b/eugeniop/archive/tags/federated+identity/