I am looking for an SSO solution that can be customized according to our needs.
From what i saw over the internet it seems that Shibboleth and JOSSO are solutions that just need to be installed and configured. My question is to what extent can they be customized to use with web apps.Please consider following points.
control over cookies and session management
integration with existing authentication mechanisms being used for the app (e.g. two factor authentication)
collection of data from the user at the time of registration.
Suggestions on any other frameworks and approaches are welcome
Related
We are an ISV building an enterprise SaaS product.
We would like to enable our customers define their IDP SAML configuration.
We are a startup and would like to support SAML as lean as possible.
1. What is the minimal configuration needed to support the major IDPs?
After reading Okta's article I understand that:
Certificate
IDP Sign-in URL
Are a must.
Say that we use a single ACS endpoint (We will implement our own logic by looking at the SAML assertion)
Is there anything else mandatory?
What about bindings? Do all major IDPs support HTTP redirect?
2. What is needed to be defined on the IDP side?
We tend to use the HTTP redirect binding, should it work with most IDPs? Is a metadata endpoint important?
As for "what is required": in many cases, you will have to generate so called "metadata.xml" file to provide the information to the vendor, so they might install a testing environment for you.
I've implemented about 5 SAML integrations with different vendors so far. The truth is that not all of them require full-fledged SAML 2.0 standard, but some of them do. I think my article should be also helpful to you https://dev.to/optiklab/working-example-of-saml-single-sign-on-integration-using-c-39mb and my open sourced SAML integration project (https://github.com/optiklab/SAML-integration-utilities) contains both Metadata File generator and C# examples for forming both SAML response and assertions. They proved to be working with many vendors, like Ping Identity, etc.
Let me know if you have more specific questions.
I am in the middle of setting up SSO in our infrastructure and I am wondering if people would more experience could share their learnings.
I already have a reverse-proxy in-front of our system.
We have several legacy java apps running on tomcat
We have SPA apps as well written in JS
We have few APIs that will also need to be protected
I have two ways to set SSO up for us.
set up SSO on the reverse proxy using mod_auth_openidc so our gatekeeper makes sure that anyone who is hitting our services is already validated.
add a keycloak libs to each individual service
My preference is to set this up on the referse proxy.
Are there any disadvantages / best practices when it comes to this?
For legacy apps I would just use the HTTP headers added by the reverse proxy to find user details
For the new apps I would like to use the keycloak libs to get user details.
I do not want to go down some routes which is obviously problematic. So Any tips so that I can save some time are very welcome.
So far I have come up with the following list
pros to use a proxy server and mod_auth_openidc
Single place to handle all auth specific configuration
Abstracts out the implementation detail of the SSO. E.g. we do not need to integrate keycloak into each service. In my opinion this could cause issues if we decided later to actually move to a different SSO. ( I know this does not happen often )
cons to use a proxy server and mod_auth_openidc
an additional piece of software to maintain ( bugs etc )
possible extra checks on credentials if the app also integrated with keycloak ( not required it is possible but only needed if keycloak specific features are required in the app and those not available in the headers )
I would be interested in other's opinion on the pros and cons?
Thanks
I have searched a lot for a good documentation on how to implement SSO as I am a beginner in this field. But got confused with documentations, available online. Is there any documentation that can help me directing :
How to Create/configure IDP , SP, how to implement SSO?
My web application uses, Java 8, angular JS , JSP, Spring ( with annotations), Hibernet, Maven, JBOSS.
Appreciate your time in advance.
Your question is kind of broad which is hard to give a definitive answer. Perhaps knowing better about what to research may help. Please let me try:
Your web application will be an SP. Thus, you don't need to research for how to implement an IdP.
You will need at least 1 IdP to test SSO for your application. Therefore, find out what IdP you want to use and research for how to set it up as well as how to configure a service provider trust against it.
What is the protocol you want to use for SSO? Is it SAML 2.0, WSFed, OAuth2, OpenId Connect or something else? Pick one.
Research a good library that you can use to implement the SP role for your application.
You've mentioned Java and Spring so typically you are looking at Spring Security and SAML.
If that's the case. then you need to implement a client side SAML stack.
Refer: SAML : SAML connectivity / toolkit.
I've been tasked with determining the feasibility of building an application that would act as a proxy between platforms that offer single sign-on capabilities.
Our "platform" offers SAML Service Provider capabilities, and we have some customers that provide their own SAML IDP and Identity Store. We have other customers that use different single sign-on technologies, such as oAuth, OpenID, or third-party Web Services. Some customers use a combination of these technologies.
The goal of the proxy would be to standardize and reduce the complexity of each customer's SSO integration on the platform. Currently, we're required to customize each implementation between the platform and the customer's Website(s).
I'm having difficulty finding frameworks, libraries, or functions for proxying between SSO protocols such as SAML and oAuth, or SAML and a third-party Web Service.
I'm wondering if anyone has experience building something similar and can recommend solutions that worked for them.
I've put together a diagram that illustrates what we're trying to accomplish below.
Check this Bitly project on GitHub:
https://github.com/bitly/oauth2_proxy
It supports multiple identity providers
hth
I need to implement Single Sign On feature for several internal web applications which are not deployed on the same domain.
Is federation a good solution in my case? Or it is only used if I want to federate the authentication to an external IdP.
I mean I want to create a custom WIF STS and make all the applications claims-aware RPs.
I'm thinking of it because I don't want to use custom solutions or third party libraries. WIF seems to have a straightforward solution integrated with .Net Framework.
Is my suggestion correct? Or this is an incorrect use for WIF.
Yes - a solution with WIF / STS will work even if it's only internal.
Beware of security if you roll your own.
You may want to look at ADFS or IdentityServer.
Going this route will make your life a lot easier.