Integrating a simpleSAMLphp IdP with a Shibboleth 2.2 SP - saml

I'm new to SAML, but I'm tasked to integrate a website with a shibboleth 2.2 service provider.
Now simpleSAMLphp (the latest release) has configuration files for SAML 2.0 and Shibboleth 1.3.
But I thought Shibboleth was merely on implementation of SAML; I would not have thought the simpleSAMLphp side would have to be configured differently for a different SAML server; that would seem to defeat the point of a standard.
My hope is that Shibboleth 2.2 IS a standard SAML 2.0 implementation, and for Shibboleth 2.x, you would use the regular SAML2.0 configuration files in simpleSAML, rather than special shibboleth configuration.
But is that correct? If not, how do you configure simplesaml for shibboleth 2?
Thanks,
Chris

Yes - you use the "regular" SAML2 configuration.
Not sure what Shibboleth 1.3 did but it's classed as another identity protocols
"But also supports some other identity protocols, such as Shibboleth 1.3, A-Select, CAS, OpenID, WS-Federation and OAuth."

Related

how to create own IDP for SAML in java or node

I want to create a SSO to be used by multiple applications, what would be the best way to do it. I was going through SAML2.0 but I am confused as I didn’t find any articles to create own/custom SAML IDP.
1.How feasible it is to create own IDP.
2.What is the best way to implement SSO
Question 1: How feasible it is to create own IDP?
Answer:
How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides the instruction on building your own IDP for SAML in Java using Shibboleth SAML IdP and OpenLDAP.
Shibboleth SAML IdP is responsible for identity federation.
OpenLDAP is responsible for identity authentication.
Question 2: What is the best way to implement SSO?
Answer:
Shibboleth IdP has implemented SSO for enterprise applications which have been integrated with SAML SP.
(I) I have validated SAML Single Sign-On (SSO) provided by Docker-running Shibboleth SAML IdP (Identity Provider) and OpenLDAP for the following enterprise applications. In other words, I leveraged Docker-running Shibboleth SAML IdP and OpenLDAP to log in to the following enterprise applications successfully.
Microsoft Office 365
Google G Suite
Salesforce
Dropbox
Box
Amazon AWS
OpenStack
Citrix NetScaler
VMware vCloud Director
Oracle NetSuite
(II) We developed our former version of Zero-Password Authentication and Authorization System in Java and leveraged Shibboleth IdP to provide SAML SSO for enterprise applications.
We developed our current version of Zero-Password Authentication and Authorization System with scalability and high availability in Scala to provide SAML SSO natively for enterprise applications without Shibboleth IdP.
For quick deployment of SAML IdP on your production environment, leveraging third-party SAML IdP (such as Shibboleth IdP) is highly recommended. Then you have sufficient time to develop your own SAML IdP in Java or other programming language.
(III) Another StackOverflow question "How to implement or integrate single sign on with SAML and Shibboleth" provides valuable information and discussions.
Question 1: How feasible it is to create own IDP?
Yes, it is possible but requires lots of efforts.
This repository can help you figuring out how to build your own IDP: A mock IDP and SP using the OpenSAML library
This repository can help you on how to integrate your own IDP to Spring Boot application: Spring Boot, SAML, and Okta
Question 2: What is the best way to implement SSO?
In my oppinion, the best way to implement SSO is using pay-as-go identity service. It helps you saving efforts and money. There are many such services from Amazon, Google, Apple, Okta, Auth0, geetoPod, etc.
Don't try and roll your own - use a supported solution.
On the client side, you need a SAML stack.
Some of these come with an IDP you can install.
Have a look at:
Shibboleth
Azure AD - SAML IDP in the cloud
SaaS e.g. Auth0, Okta - SAML IDP in the cloud
identityserver4 with SAML plugin
ComponentSpace - has both client and server side
Sustainsys - has both client and server side
All of these will provide a SAML IDP.
They also provide good documentation to get you up and running.

How to use SSO with SAML2.0

we have a web application(Say wA) developed in java and we need to provide SSO login from client web application(Say WB) to WA and the requirement is to do with Okta-(SAML 2.0).
Currently im having the Idp mnetadatak, IDP Single Sign-On URL and Identity Provider Issuer link created from okta
Anybody please help me on this issue , what things to do in my application side to provide SSO login felicity. how to listen SSO request from my APP (WA).
Thanks and regards
In case you would like to add SAML support directly into your application (as opposed to including it for example in reverse proxy such as Apache or IIS), you can use either Spring SAML (with minimal Spring configuration in case you don't use Spring Security already) or OpenAM's Fedlet.
Spring SAML enables applications to act as a SAML 2.0 Service Provider by initializing web single sign-on towards IDP (Okta) and accepting and validating response (SAML 2.0 Assertion) sent back from Okta.
Good approach to implement Spring SAML is to start with the quick start guide which helps you create SAML 2.0 integration with a public SAML 2.0 Identity Provider, then change the IDP to Okta and then integrate the result into your application.
It is also possible to build SAML 2.0 support from scratch (using OpenSAML library), but significant knowledge of the protocol is needed for it to be done securely.
Some application servers also include SAML support (WebLogic, WebSphere, JBoss with its PicketLink library), but such configuration is of course not portable.

Windows Identity Foundation does not officially support SAML 2.0; use WIF CTP or stick with SAML 1.1?

We would like to use SAML 2.0 for a Single Sign On solution. As a typical Microsoft shop, we prefer to use Microsoft components as much as possible. Windows Identity Foundation supports SAML 2.0, but the extension is still in Community Technology Preview (CTP) for more than a year, with no information anywhere on future course. See http://blogs.msdn.com/b/alikl/archive/2011/05/16/windows-identity-foundation-wif-extension-for-saml-2-0-protocol-community-technology-preview-ctp.aspx
I came across an inspiring article by Michèle Bustamante: http://www.devproconnections.com/article/federated-security/generate-saml-tokens-using-windows-identity-foundation She actively promotes WIF + SAML 2.0, but nowhere in the article she talks about CTP or final release. Neither could I reach her for a clarification.
With this background, is it safe to use WIF Community Technology Preview for SAML 2.0 or stick with SAML 1.1? Does SAML 2.0 offer significant advantage over SAML 1.1? Is the future of SAML 1.1 in question?
Any other alternatives?
You should clarify whether you're talking about SAML 2.0 protocol (e.g SAMLP) or just the token type. WIF RTM supports SAML 2.0 tokens, but not SAMLP.
So if it's just SAML 2.0 token support you need, WIF RTM is sufficient, though WIF extensions CTP does add some SAMLP support.
If you're looking for a SAMLP solution and you're a Microsoft shop then you should consider ADFS 2.0.
ADFS 2.0 would do "protocol transition": it will talk SAMLP with the Identity Provider and WS-Federation with your app (both use SAML "Tokens"). WIF supports WS-Federation.
Take a look at Identity Server which is a STS that does use SQL Server for authentication. You can easily federate this with ADFS.
From what I remember about reading the licence agreement for the CTP release, it's just out there for comment - you can't use it e.g. in a Production environment.
As per #Eugenio, WIF only supports WS-Federation.
How were you intending to "stick with SAML 1.1"?
Update: What I suggest is that you use Identity Server to do the authentication against the DB. Your WIF applications are bound using FedUtil to Identity Server. You then federate Identity Server with ADFS. Your external parties use SAML to talk to ADFS and ADFS will handle the plumbing to enable them to authenticate with the Identity Server DB.
Note that WIF doesn't support SAML at all.

Umbraco membership integration with SAML Web SSO

I have a requirement to integrate Umbraco membership with SAML Web SSO.
I have never integrated with it before and would like to have a bit of advise:
Are there some existing modules for SAML WebSSO login in Umbraco?
Could you recommend the approach/articles to start with?
How hard could that be?
Thanks in advance, Anton.
If you're new to SAML 2.0, the wikipedia page is a worthwhile read to understand the main concepts of SAML.
A toolkit for Umbraco seems to exist: http://digitaliser.dk/resource/404629
This toolkit explains the integration with a specific SAML 2.0 Identity Provider, but as SAML 2.0 is norm, it should be compatible with any SAML 2.0-compliant IdP.
The other solution is to add the SAML 2.0 Service Provider manually in Umbraco. A good start point may be the Windows Identity Foundation SAML 2.0 toolkit released by Microsoft in May, that include code samples: http://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=36088

Anyone using Spring-ws with SAML authentication?

We are considering spring-ws as the platform for implementing web services that will be deployed on weblogic. We need to use WS-Security with SAML tokens issued by our identity management platform (TFIM).
The Spring-ws documentation for XwsSecurityInterceptor does not mention SAML, and it is not clear to me if would work in this context.
I guess alternatives could be to do our own interceptor which uses OpenSAML or somehow utilises the SAML support in weblogic.
Does anyone have experience with this? Would be nice to aim for a solution that is known to be workable.
Apache WSS4J does support SAML tokens, and Spring-WS comes with a Wss4jSecurityInterceptor, so I'd guess you could get it working out of the box.