We are building a SaaS application (enterprise oriented).
We have to be able to log-in the users against the saml2 IdP of their company with SSO functionality (so multi-tenant context)
We prefer to manage it in a isolated component and so not directly on the application it self.
We think to use a kind of "proxy".
We have two questions :
- Does WSO2 IS is able to act as proxy, delegating the authentication to an extern IdP ?
- Our SaaS application will be offered via UI relying on REST ful services, so we need to manage SSO
also with the services, so for example :
. The user comes on the UI without any log-in before
. The company IDP login-page is shown for authentication
. Once logged , the UI will perform some calls to REST service and we need to secure those service call, to be sure
the user is allowed to call this service
How to manage it ?
Does the "proxy" API can act also as "proxy services" in order to call the extern IDP API ?
Tks
Nicolas.
If i got your question correctly, There is an existing IDP in "foo" company. In "bar" domain you have applications. You are not going to integrate application directly with IDP in "foo". And you are wishing to install an another IDP in "bar" domain where this "bar" domain IDP can talks to existing IDP in "foo" domain. Yes. WSO2IS can be used to implement such use case. It has "Authentication Framework" for SAML2 SSO logon... Let me explain it bit. When user is directed to WSO2IS SAML2 IDP, user can be authenticated by verifying user/password which is the default behavior. (default authenticator that is picked by "Authentication Framework"). But there can be any other authenticators such as SAML2 SSO (where WSO2IS can call to another SAML2 IDP and authenticate the user), OpenID and so on. I guess, same scenario has been discussed here. I found blog on implementing this.
Related
I'm trying to create a SAML IDP for the system I built. Probably I'm getting confused with concepts. My problem is as follows:
This system was built in SymfonyPHP which authentication is made by OAuth token. Nothing so special, the username and password are passed to the /auth endpoint and the request returns the token if the credentials are valid. It's working fine.
Now I have to integrate this credentials to a client system. Once the user is logged to my system, so it should be on the client side (like the "login with Google button). I've been searching and realized I should use SAML for that.
I installed the SimpleSAMLPHP and I'm trying to understand how to set it up as my IDP. Once it's made, I can create SPs for my clients systems.
Question: how to make the SimpleSAML use my existing service for authentication? Which module should I use?
With SimpleSAMLPHP acting as an IdP, you want to have a look at authentication modules. The latter is a component that encapsulates the mechanics of signing into the identity provider. For example, if you were trying to sign in to the IdP with your Facebook account, SimpleSAMLPHP ships a FB authentication module that does this for you.
If your existing service can be supported by one of the SimpleSAMLPHP modules, then you're all set. Else, you need to develop your own module.
There is an existing mechanism to log into a website. Now, external / remote SAML IDP is being added to facilitate SSO. The website uses other micro-services and components that provide data and functionality to the website.
Is there a way to have an existing mechanism of local identity username password credentials to continue to co-exist as an alternate strategy for authentication alongside remote IDP SSO while keeping rest of the services handling authorization in a semantic way (using a saml token)?
P.S. I looked at the options to implement existing auth mechanism as saml IDP, but building it seems complex even with the likes of shibboleth or openSAML libraries.
P.P.S. I haven't looked at possibility of reimplementing existing auth mechanism with openId connect to co-exist with remote saml idps.
Sure: one can provide a landing page to the user that gives a choice between using a local account or an account at a remote IDP.
I have a Java app running under Websphere Liberty on IBM Bluemix. I need to be able to authenticate users 3 different ways - Basic Auth, SAML SSO, and OpenAuth SSO, in that order.
I can set up the app to do Basic Auth (using custom code) or SAML SSO (using the Bluemix Single Sign On service), but can't figure out a way to configure it to handle both at once. (I haven't even looked into how to do OpenAuth yet.) If I configure the app to use the Bluemix SSO service, then my app never sees the incoming requests to check for a userid and password to try Basic Auth before the SSO service grabs it.
I tried changing the redirect URL in the SSO service to an endpoint inside my app, but then all I get is
CWOAU0062E: The OAuth service provider could not redirect the request because the redirect URI was not valid. Contact your system administrator to resolve the problem.
I can't be the only one that needs to do this. Can anyone tell me how they did it?
We are starting a project for SSO and using wso2 to do all SAML , OAuth and keep our Webapplications as service providers.
I have been through the online documentation but need some help .
When user tries to Access to any resource in our webapplication i would send user to wso2 to get Authenticated in case of OAuth /openid connect , how would i form this url ?
I have configured IDP and SP in WSO2 console, after authentication how does WSO2 give credentials of authenticated users to service provider , i see as per document or sample app , this should be SAML or any other sso protocols like oauth etc. documentation is not clear or any examples i can find
i want to redirect the user after OAuth or SAML with my own created Authn cookie , what is the provision for that .
any help would be appreciated
Yes, You can configure your application as service providers and wso2 IS as Identity provider.I guess, You can implement saml sso for your scenario and its simply documented here.There is another blog which describe the same configuration
You can download travelocity sample code and war file .Analysing the code you can get some idea about implementation.
By following above blogs, You can implement the complete SSO flow.
Q. > When user tries to Access to any resource in our webapplication i would send user to wso2 to get Authenticated in case of OAuth /openid connect , how would i form this url ?
Answer :
https://localhost:9443/oauth2/authorize?response_type=code&client_id=wCmphfs69oaN3JhqO3d9FFgsNCMa&scope=openid&redirect_uri=http://localhost:8080/Samplespapp/googleauth.jsp
client_id : is that if which we get on UI oof wso2 console after we finish configuring Service provider in my case i configured Inbound Authentication Configuration as OAuth open id .
redirect_uri is the url where we want to go after authentication , this should match callbackback url in View/Update application settings
Answer 2: I still dont see any valid reason why inbound authentication has to be sso protocol but this is how wso2 works , to put it in laymans term i have a client to connect to using SAML and Other OAuth . i opt for a SSO vendor who takes that headache from me to implement SSO protocols but i Still have to implement atleast one SSO protocol as after SSO handshake wso2 has to communicate userX with role as Admin to service provider app this is done again using SSO !!
ping federate makes it simple it makes an encrypted request header that had data in key value pair. may be i am not understanding but i dont like this inbound Authentication in SSO .
Q. 3.>i want to redirect the user after OAuth or SAML with my own created Authn cookie , what is the provision for that
documentation is poor in this area just some java classes but no end to end example , every one will point to travelocity .
I have a requirement for cross domain sso. So, i chose OpenAM with SAML. I have two applications hosted in different servers and host for which i need to implement SSO.
Now i read about OpenAM with SAML but could get the core idea about the setup. LDAP is used as user data store.
Now i have something in mind and want to verify if it meets my requirement.
Since i have two applications(AppA and AppB) in need of SSO implementation. I need two OpenAM configured as service provider? and should be deployed in different tomcat containers? Should the each service providers be deployed in AppA and AppB?
I need another separate tomcat container for identity provider OpenAM?
The sp should be registered to idp and idp should be registered to sp within same Circle of trust?
Do i have to do anything else? Again do i have to configure separate LDAP for each idp and sp ? Anyway, what can be the ideal setup in my case?
You need one IdP, your apps have to implement the SP. If your apps are Java based you could leverage OpenAM's Fedlet or use Spring Security SAML extension (works like a charm).
There's also a PHP SAML SP and even an Apache http server SAML module ...
Or you could use OpenIG as a reverse-proxy (but it's a java web app) which also implements a SAML SP.
-Bernhard
One more possible solution in which you can use OpenAM out of the box is by using OpenAM identity federation:
Use the standard OpenAM Identity federation setup (with IDP and SP) as explained in this post: http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity.html
You will need to have an IDP for AppA and SP for AppB or vice versa. IDP will be connected to your user store.
On SP side create a dummy user store using something like OpenDS.
Import all the users from IDP to SP (using a scheduled daily batch job)
Implement auto federation based on one or more of the user attributes.
Use OpenAM authorization features on SP side to give access to SP side App