I have been tasked to implement SAML into our web application.
What I would like to do is develop a proof of concept using our web application (Service Provider) and an identity provider.
What is the simplest and basic Identity Provider to install for a proof of concept?
Try ForgeRock's OpenAM solution. It is also Java based.
http://forgerock.com/products/open-identity-stack/openam/
As others wrote, SAML is not such a plug-and-play game.
We are looking forward to implementing ADFS to provide SSO across our organization for various web applications (SAP, Siebel, custom Java-based, ASP.NET, etc.).
I understand based on my research that ADFS can be used to achieve SSO for third party applications using SAML. It can act as an identity provider for third party applications. Please correct me if I am wrong.
Can we use ADFS to implement cookie-based SSO for the various internal web-based apps I mentioned above? (For example, CA SiteMinder and Oracle Access Manager can work with almost every internal web-based application.)
In other words: we have one application using the Apache web server, one using the IIS web server, and one using the IHS web server; can ADFS be used to achieve single sign-on with all these applications? If yes, how?
Thanks in advance!
Ashish
ADFS implements SSO via federation using either WS-Fed or SAML 2.0.
If these applications can support these protocols, then yes, just federate these products with ADFS and you will get SSO.
e.g. SalesForce SSO with ADFS.
For Java you need a SAML stack e.g. Spring Security.
For ASP.NET, use OWIN or WIF.
We have a web application (say WA) developed in Java, and we need to provide SSO login from a client web application (say WB) to WA; the requirement is to do this with Okta (SAML 2.0).
Currently I have the IdP metadata, the IdP Single Sign-On URL and the Identity Provider Issuer link created from Okta.
Could anybody please help me with this issue: what do I need to do on my application side to provide the SSO login facility? How do I listen for SSO requests in my app (WA)?
Thanks and regards
In case you would like to add SAML support directly into your application (as opposed to including it for example in reverse proxy such as Apache or IIS), you can use either Spring SAML (with minimal Spring configuration in case you don't use Spring Security already) or OpenAM's Fedlet.
Spring SAML enables applications to act as a SAML 2.0 Service Provider by initializing web single sign-on towards IDP (Okta) and accepting and validating response (SAML 2.0 Assertion) sent back from Okta.
A good approach to implementing Spring SAML is to start with the quick start guide, which helps you create a SAML 2.0 integration with a public SAML 2.0 Identity Provider, then change the IDP to Okta and then integrate the result into your application.
It is also possible to build SAML 2.0 support from scratch (using OpenSAML library), but significant knowledge of the protocol is needed for it to be done securely.
Some application servers also include SAML support (WebLogic, WebSphere, JBoss with its PicketLink library), but such configuration is of course not portable.
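The answer above says the SP must "accept and validate" the Response that Okta sends back. As an added illustration (not code from the thread, Spring SAML or OpenSAML), the following shows the claim-level checks a SAML 2.0 Service Provider performs on a Response: InResponseTo matches an outstanding AuthnRequest, the issuer is the expected IdP, the assertion carries a signature element, the validity window holds, and the audience is this SP. The XML, the hostnames and the request id are constructed placeholders; real XML signature verification is left to a library.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample Response (placeholder issuer, audience and request id).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req123">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def validate_response(xml_text, expected_issuer, expected_audience, request_id, now_iso):
    """Return the NameID if every check passes; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("assertion issuer is not the configured IdP")
    if assertion.find("ds:Signature", NS) is None:  # a real SP verifies it cryptographically
        raise ValueError("assertion is not signed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    now = datetime.strptime(now_iso, TIME_FMT)
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT)
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion is not addressed to this SP")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

def is_valid(*args):
    """Boolean convenience wrapper around validate_response."""
    try:
        validate_response(*args)
        return True
    except ValueError:
        return False
```

An assertion that fails any one of these checks (wrong audience, expired window, unexpected issuer) must be rejected even if its signature verifies, which is why libraries such as Spring SAML apply all of them together.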
I'm currently assessing ways to implement authentication and authorization in a .NET SOA environment (ASP.NET MVC, WCF).
I have concluded that using Windows Identity Foundation with an STS should fulfill our criteria.
I'm having a hard time finding any suitable STS to work with WIF other than ADFS. I know there are multiple options, but there is no documentation/experience available on how well these play together with WIF.
Summa summarum, multiple questions:
Is this a dumb idea?
Is there any STS product that plays together with WIF smoothly? Any resources on this?
Are there products that allow me to implement centralized (yet scalable) authorization (even with XACML support)?
What is your experience using WSO2 Identity Server with ADFS/WIF?
WSO2 Identity Server has some XACML capabilities but how can these be used in authorization with WCF services?
There is StarterSTS:
http://startersts.codeplex.com/
which has lately been replaced by the IdentityServer:
http://identityserver.codeplex.com/
It's been around for a while and has some features ADFS lacks (like the ability to use a MembershipProvider to authenticate users).
Also, crafting your own STS is relatively easy. There are some good tutorials around; I've also written a few posts on this:
http://netpl.blogspot.com/2011/08/quest-for-customizing-adfs-sign-in-web.html
WSO2 Identity Server can be integrated with ADFS. It can also be run as an XACML engine. The XACML engine is exposed to the outside as a SOAP endpoint as well as a Thrift endpoint.
Disclaimer : I am an architect at WSO2.
No experience of WSO2, but if you don't want to use ADFS you'll have no problems with IdentityServer. Both ADFS and IdentityServer, and more commercial products such as Ping Identity, play very nicely with WIF.
I have a requirement to integrate Umbraco membership with SAML Web SSO.
I have never integrated with it before and would like a bit of advice:
Are there some existing modules for SAML WebSSO login in Umbraco?
Could you recommend the approach/articles to start with?
How hard could that be?
Thanks in advance, Anton.
If you're new to SAML 2.0, the Wikipedia page is a worthwhile read to understand the main concepts of SAML.
A toolkit for Umbraco seems to exist: http://digitaliser.dk/resource/404629
This toolkit explains the integration with a specific SAML 2.0 Identity Provider, but as SAML 2.0 is a standard, it should be compatible with any SAML 2.0-compliant IdP.
The other solution is to add the SAML 2.0 Service Provider manually in Umbraco. A good starting point may be the Windows Identity Foundation SAML 2.0 toolkit released by Microsoft in May, which includes code samples: http://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=36088
We are considering spring-ws as the platform for implementing web services that will be deployed on weblogic. We need to use WS-Security with SAML tokens issued by our identity management platform (TFIM).
The Spring-WS documentation for XwsSecurityInterceptor does not mention SAML, and it is not clear to me if it would work in this context.
I guess alternatives could be to write our own interceptor which uses OpenSAML, or somehow utilise the SAML support in WebLogic.
Does anyone have experience with this? It would be nice to aim for a solution that is known to be workable.
Apache WSS4J does support SAML tokens, and Spring-WS comes with a Wss4jSecurityInterceptor, so I'd guess you could get it working out of the box.