UPDATE:
I was able to get ADFS to forward my user to the relying party application. I used ComponentSpace's SAML2.0 library and RelayState. Even though it successfully forwards to the WIF application, it doesn't recognize my user as having been authenticated. It instead initiates a SP-initiated SSO scenario by redirecting to the IDP STS. I'm not too sure how I should proceed.
Original Message:
I have configured a single-sign-on setup in the following manner:
IDP - A portal website that posts SAML2 responses to my SP.
SP - ADFS 2.0 configured with a claims provider trust configured as a SAML2.0 endpoint (with my IDP of course)
RP Application - An ASP.NET application which is configured as a Relying Party trust in ADFS (WS-Fed).
When I log into my IDP and click on the link that posts the SAML2 token to ADFS, everything works fine. I am taken to the IdpInitiatedSignOn.aspx page and am told that I have been logged in. The problem is that where I would normally expect to see a drop down list of applications to choose from (which should only include my single RP Application) I see nothing. I only have two buttons allowing me to sign out of all applications or a single application. Is there some trick to configuring the RP Application trust that I'm not aware of? It was my understanding that ADFS 2.0 would accept this configuration of SAML2 and WS-Fed. (See http://blogs.technet.com/b/askds/archive/2012/09/27/ad-fs-2-0-relaystate.aspx under "When can I use RelayState?")
I would greatly appreciate any advice on this.
IdpInitiatedSignOn shows the list of RP's that support SAML.
Your RP is WS-Fed so won't appear in the list. In your case, the path is:
RP -> WS-Fed -> ADFS (Home Realm Discovery) -> SAML -> IDP -> Authenticate.
Related
There is an existing mechanism to log into a website. Now, external / remote SAML IDP is being added to facilitate SSO. The website uses other micro-services and components that provide data and functionality to the website.
Is there a way to have an existing mechanism of local identity username password credentials to continue to co-exist as an alternate strategy for authentication alongside remote IDP SSO while keeping rest of the services handling authorization in a semantic way (using a saml token)?
P.S. I looked at the options to implement existing auth mechanism as saml IDP, but building it seems complex even with the likes of shibboleth or openSAML libraries.
P.P.S. I haven't looked at possibility of reimplementing existing auth mechanism with openId connect to co-exist with remote saml idps.
Sure: one can provide a landing page to the user that gives a choice between using a local account or an account at a remote IDP.
I have an identity provider that connects to a service provider. Im trying to put Okta in the middle of the IDP and the service provider (so that Okta acts as an SP).
I got Okta to work directly with the SP. (I also got the IDP to work directly with the SP.) I'm having an issue getting the IDP to work with Okta in the middle.
Does the IDP's certificate go somewhere in Okta in this case? Does the SP need any information about the IDP?
Is it possible that I have admin access but couldnt find the add identity provider option in Okta?
Would be curious to know what your use case is.
If you put Okta in the middle - then Okta is part SP (to your IDP) and part IDP (to your ultimate SP).
For the part where Okta is SP - you can leverage the instructions here - https://support.okta.com/help/articles/Knowledge_Article/40561903-Configuring-Inbound-SAML to set up an inbound SAML endpoint.
For the second part - to integrate Okta to your SP, you can use the instructions here to set up a SAML app via our App Wizard - https://support.okta.com/help/articles/Knowledge_Article/Using-the-App-Integration-Wizard
If your SP happens to be in our app catalogue, then you can simply do "add application" under the Application tab in the admin console and follow the instructions there to set up SAML with the app.
I am creating a java application to implement SSO (SAML) using ADFS. I am not sure if SAML can be done using ADFS alone. While installing ADFS, I noticed that it required configurations of relying party and claim providers trusts (which are basically the SP and IP, right?). I am confused as to whether to have SP and IP in the java application, or just leave it to the ADFS to handle.
Any help would be greatly appreciated. Thanks!
Your Java application needs a SAML stack and becomes the SP.
Refer: SAML : SAML connectivity / toolkit for some ideas if you don't have one.
ADFS (which handles SAML 2.0) can then function as the IDP.
You will also have to configure the claims in ADFS - which correspond to the SAML assertions.
Your Java application will be a Service Provider (SP) that receives identity from an Identity Provider (IdP) server. In the use case you have outlined, ADFS will be the IdP Server. within your application you will need to integrate a library (e.g. SAML stack) to process the SAML assertion. SAML requires configuration on both sides of the interface. There are a few open source options such as OpenSAML. Depending on your organization, you may want to look at a vendor provided solution as well for long term support.
We are building a SaaS application (enterprise oriented).
We have to be able to log-in the users against the saml2 IdP of their company with SSO functionality (so multi-tenant context)
We prefer to manage it in a isolated component and so not directly on the application it self.
We think to use a kind of "proxy".
We have two questions :
- Does WSO2 IS is able to act as proxy, delegating the authentication to an extern IdP ?
- Our SaaS application will be offered via UI relying on REST ful services, so we need to manage SSO
also with the services, so for example :
. The user comes on the UI without any log-in before
. The company IDP login-page is shown for authentication
. Once logged , the UI will perform some calls to REST service and we need to secure those service call, to be sure
the user is allowed to call this service
How to manage it ?
Does the "proxy" API can act also as "proxy services" in order to call the extern IDP API ?
Tks
Nicolas.
If i got your question correctly, There is an existing IDP in "foo" company. In "bar" domain you have applications. You are not going to integrate application directly with IDP in "foo". And you are wishing to install an another IDP in "bar" domain where this "bar" domain IDP can talks to existing IDP in "foo" domain. Yes. WSO2IS can be used to implement such use case. It has "Authentication Framework" for SAML2 SSO logon... Let me explain it bit. When user is directed to WSO2IS SAML2 IDP, user can be authenticated by verifying user/password which is the default behavior. (default authenticator that is picked by "Authentication Framework"). But there can be any other authenticators such as SAML2 SSO (where WSO2IS can call to another SAML2 IDP and authenticate the user), OpenID and so on. I guess, same scenario has been discussed here. I found blog on implementing this.
I am very confused about my current ADFS setup. I have an identity provider that issues a SAML 2.0 token to ADFS 2.0 in an IDP-Initiated scenario. ADFS translates the token into WS-Federation, and forwards it on to a claims aware (WIF) web application. The web application, however doesn't recognize the user has having authenticated and redirects back to Home Realm discovery. I've used SAML Tracer in Firefox and I can see the SAML assertions going in and the WS-Federation claims in the parameters being sent to the web application. Is there a step I am missing? I set up custom claim rules to translate the SAML assertion into a WS-Federation claim (e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name) If I switch the SP application to a SAML 2 web app, then everything works fine.
So after comparing the headers of an IDP initiated request and an SP initiated request, I noticed a difference. The IDP initiated request was missing the wctx parameter. Once I included this in my relaystate, the WIF RP app worked fine.
wctx=rm%3D0%26id%3Dpassive%26ru%3D%252FMyDesiredStartPage.aspx