I'm developping a SSO web system for my company. When poeple want access to an application, it redirects the user on the SSO server (web application) which keeps the authenticated user in memory. The SSO server then redirects the user to the application, which is creating its own session.
The problem is when a user spend a lot of time on the application, the session on the SSO is lost.
Have you an idea to resolve this problem ?
My SSO application is an ASP .NET application and others applications could be in ASP .NET or ASP .NET MVC3.
Thanx for your help
You would need to look into setting the timeout values of the WebAgent by observing the typical usage patterns of your users..
So how do you currently handle the user's SiteMinder session timeout..? Ideally you would be using a redirect URL to a custom page that informs the user that the session was terminated, etc.
Related
I’ve got a set of APIs written in ASP.NET. These are to be accessed by a web app and native mobile app, and should be protected by the SSO.
I would like to be able have a SSO, where the user can login online and access the web app, and can also login on the native app (via the browser), and it’ll remember their login details (ie with an authorization_token).
I’ve been looking into IdentityServer4 but I’m a bit stuck on which authorization flows I would need for this.
Any help is appreciated, as it’s starting to hurt my brain! Do let me know if I need to explain it better.
For flows, there are today only two flows you should consider.
Authorization code flow, this flow is for clients where you want a user to login/signup, like a mobile app or web-application. Meaning, you have a user and a browser involved here.
Client credentials flow, is all about machine to machine communication, where you have no user involved.
My web application is integrated with a portal that use cas authentication.
Logout is possible in two ways: on my web application (I first invalidate my session and then logout on portal page) or directly by portal (in this case session on my web application continues to exist - there are no single signout mechanisms implemented). In this last case there's a problem..if I logout on portal and then write directly URL of my web application the page is shown to me! So..I would like the validation of ticket for each request in order to understand that the ticket is no longer valid..but I don't know how I can do it.
Can someone help me?
If I logout on portal and then write directly URL of my web application the page is shown to me!
Yes, because as you noted there is no SLO. Just because you kill the portal session, it does not mean that your app session will be destroyed. The most ideal solution would be to implement SLO, such that the portal can reach out to registered applications and ask them to logout by sending them a logout notification. Then, in your app you just need to intercept that notification and kill the app session.
I'm not really interested in API authentication - all I want to do is authorize a user who has access to one or many applications from a kind of portal I am designing. We are hosting the all the web applications, some are just Javascript and HTML, some are MVC.
I have created a diagram below with a user called Bob. He is a valid user and is allowed to use an application called "JS" but not MVC. How can this be implemented using Identity Server. Obviously when inside the JS application it still needs to talk to the Identity Server to make sure the current user is valid or else somebody could just copy the url of the app and use the application.
NOTE - the JS application is just a plain old HTML5 and Javascript application it is nothing fancy like an .NET MVC app.
One way to achieve this is by registering individual applications (JS and MVC app) as separate clients in IdentityServer (assuming each application has different redirect URI’s) and restricting access between those clients.
In order to restrict access between clients for an authenticated user, you need to use ICustomRequestValidator interface.
More details in this discussion board and a similar post in SO thread
I'm try to implementing SSO in my existing web applications with using OpenAM by refer following link
http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity_21.html
PS. my web applications have their own login page already
Now what is got after implementation is, openAM login page are protected in my web applications and i need to make login again to my application
what i need is, want to skip the login page of my application to become single sign on.
so, can anyone tell me what tasks need i do left?
do i need to revise my Login page of my application?
do i need any database or datastore to keep user login information?
Now that an OpenAM agent is in place on top of your app, your web app can work under the assumption the there is already a valid logged-in user - you need to remove the login page from your web app.
To get the current user details just alter your OpenAM agent config to set HTTP headers with relevant fields like username, full name, etc. Then instead of a web app login page you just check HTTP headers (should be safe from spoofing as long as the only route into your web app is coming through the OpenAM agent).
Another way is to grab the OpenAM cookie and use it to make REST calls directly to the server. Makes things a little more fragile though because you now need to maintain additional config.
You don't necessarily need any additional user tables / datastores for your web app, only if you need to map their login name to whatever it is your web app is doing (saving preferences, etc) in which case you need to check that the username you've been given already exists inside your app. If not then add it.
We were able to implement single sign on using openam with a JSF web application using Spring SAML extension and Openam.
Instead of agent we used fedelet that way we can port to ant application server
Please see my articles on generic info related to Openam concepts
http://reddymails.blogspot.com/2013/03/sso-for-java-or-net-web-based.html
Steps to integrate JSF 2 web application with Openam using Spring SAML extension and Spring Security.
http://reddymails.blogspot.com/2013/06/integrating-jsf-web-applicataion-with.html
-Ram
I am developing a web application where i wish to achieve stateless communication between the client and the server.The server serves out a web page template to a client.Now from the client side i wish to know the identity of the user of the application so that i can print his name on the page.
Since it is a facebook app so i am not providing the option of user to login or logout through my application.
How would i be able to do it?i can not use JSP to serve dynamic web pages and also i can not use cookies.
That leaves localStorage, I guess.
But I do have to wonder what the point is of said application, with only client-side state.