I have problem with JOSSO logout – I can’t logout after session-timeout expires. It just redirected to default home page. I increase session-timeout as suggested in http://www.atricore.org/jira/browse/JOSSO-70. It helps, but it is not solution for me for security reasons. I'm using JOSSO 1.8.5. Please help.
When you are logged in, can you provided the list of cookies that are set in you application relatively to JOSSO session ?
should be one for each partner app
and one for the gateway
Then have a look of the expiration of each cookie. This is the expiration date that might cause you trouble. Also, what kind of agent are you using ?
Related
I have a web app that uses firebase for auth. Once a user signs up/logs in there is always a certain cookie present.
I would like to, based on the presence of that cookie, redirect the user from the root path to a sub path i.e. site.com=>site.com/app whenever they visit the site.
I'm using Netlify to host my site and I've read through their documentation
but I can't figure out anyway to do this. It appears as though the only "conditions" that can be used for a redirect are langauge & role, but nothing about cookies.
Maybe this is possible using JWT Roles?
It's not possible today, but you can keep an eye on this thread: https://community.netlify.com/t/expanding-functionality-of-redirects/988/36?u=goleary
I'm researching on SSO but there is one thing I coudn't understand is how SSO consumer can get session without clicking on Login Button. I can explain the case as below:
I have:
accounts.domain.com (Identity Server. Already Allow consumer 1 & 2)
myapp.com (Consumer 1)
yourapp.com (Consumer 2)
When I go to myapp.com -> I have no permisson or no session to access the server resources.
I click on Sign In button in myapp.com, this will redirect to accounts.domain.com and after authenticated, I get back to myapp.com with my local session.
The question is: When I go to yourapp.com, I already have session without click on Sign In button.
The real case is google.com, accounts.google.com, youtube.com, ...
I don't know how it works and how to implement this?
And one more question, Can I use Auth0 or Google Cloud Identity or AWS Cognito to build my Identity Provider like google did?
Can someone support me in this?
To better understand the concept u should 1st know what happens when u use SSO login.
I will take google and YouTube as examples.
When u login to google using your credentials u will not only get a local session but a single sign on token. We generally have this as SAML which is security assertion markup language token.
This SAML token will be stored in your client or browser in this case.
Now when u try to load youtube in the same browser this token will be sent to the IDP along with the request. Since the IDP knows that this user is already authenticated it will check for authorization for the particular website in this case YouTube, the page loads.
I have a Spring Security app that uses SAML. It is working fine. I go to a secured page, I get redirected to the IDP, login... success.
Now I want to have the login done "in house" as it were, with no redirection.
I want to have a login page that takes username/pass - then -- well I don't know. :)
Is there anyway to NOT have the user's browser go to the IDP, either POST the form to the IDP and then redirect back to my app?
I read in the documentation about back-channel SOAP calls, and that sounds like exactly what I want, but I can't find anything on it. Does anyone have an example of how this would be achieved?
Iam new to gadgets.
Iam using the oauth2 example for facebook authentication which is bundled with Shindig 2.5.0
The file is under /gadgets/oauth2/oauth2_facebook.xml
I don't know whether this is an issue or not?
I created a gadget container like commoncontainer is created.
Inside the gadget url i have given the above facebook gadget url.
I have created a facebook app and i have configured all the details in oauth2.json file.
When the gadget is rendered, it is asking for facebook username and password. After that it is returning some data.
The main problem here is, after this whenever i access the same gadget over the container it is not asking for the facebook credentials. Simply it is logging with the earlier credentials(I donno how the conainer is storing). Even I access the same gadget in other browser also, it is not asking for creadentials.
I googled it but i didn't find anything regarding this.
Even after deleting all the cookies in the browser, it is not asking for the credentials unless I restart the app server.
Please help me on this.
Is there anyway restrict this kind of behaviour?
Shindig stores the access token on the server. In a production implementation the access token would be stored by individual user, but the sample implementation does not have this concept right now. OAuth access tokens are usually long lived, so the user should not have to go through the oauth dance for a while. Once the access token expires you would have to do the dance again.
We have enabled SSO for our Google Apps Domain. When users try to access "http://mail.google.com/a/domainname.com" they get redirected to the custom SSO Sign in page url. But when url http://google.com/a/domainame.com is accessed users are able to login to google apps users hub without being redirected to SSO sign in page url. As per my understanding, this kind of login should be only enabled for administrator of domain. Why is it happening for normal users of our domain.
How can we redirect http://google.com/a/domainname.com" url to custom sso sign in page. Please help. Thanks in advance.
You can't block people from logging into Google through 'local' credentials, if they know them: they need this for access via mobile devices, where you can't be redirected to a web page for SAML SSO, for example.
The normal solution is to change the password to something the user doesn't know.
Further, if you force 2-factor authentication for your users, this means a user can have one-time passwords for their mobile devices and still have an account password they don't know.
The www.google.com/a/yourdomain.com url points to google cpanel, which can never, ever be restricted through custom SSO, as this is your only recourse to disable SSO. If anything goes wrong, you need to hit that url to turn off SSO or change SSO settings.
If you wish to restrict access to cpanel, please look into organizations restrictions / superuser privileges; you can restrict cpanel superadmins to only one or two trusted admins.
If you wish to have only a single admin account with access to cpanel, but want to give some cpanel features to regular users, check out some third party apps in the google marketplace; gPanel is especially good as it gives you fine grained control over who can access what. Couple that with SSO, and you get a complete logging / monitoring / access control solution.