I have some some basic questions on Openid
1. Can anyone become an openid provider?
2. If someone signed-up to our site will they be able to use that id in any other website that uses open id ? example Google aps ?
Most sites that do OpenID are just consumers. If you become a provider, you dictate who can become a consumer. Many sites are only configured to accept specific OpenID providers, but those that accept any OpenID provider (e.g. SourceForge) will work with your provider.
For Google Apps, this post may be useful:
How do you delegate your OpenId to Google Apps
Sounds like you have to pay Google money to get access to that feature but a lot can change in three years.
If you are just looking for a generic SSO system, I recommend looking at:
http://barebonescms.com/documentation/sso/
It is "consumer-only" for the moment.
Related
I'm configuring OpenID authentication for a server-based software product. It supports OpenID, but only allows for one OpenID provider at a time. I have Google authentication working, but I want to add Microsoft and perhaps others as well. Is there anything I can sit on top of that would allow me to configure one provider in the settings, but actually connect to multiple OpenID providers?
I hope the question is clear and thank you for any input.
I have successfully configured Google to work, but the software configuration only allows one OpenID provider to be input. I would like to be able to configure multiple providers.
We want to use SSO for a group of apps (this will include GitLab, probably Drupal and a bunch of small apps I will write in Symfony for various tasks). We would like to currently use Google accounts to authenticate all apps, but because there are limits (I know you can increase them) on how many apps you can have and Google sometimes change what features are free, it would be good to have the option of using our own login down the track if needed.
I have used SimpleSAMLphp in the past with GitLab (using a database to store credentials) and it worked well. Is there a way that I can use the Google Auth as an IDP and have SimpleSAMLphp record the email address to link the accounts etc and allow me to add things like groups etc in to send down to the app when a login happens? I would put a password field in the login table in the database as well so that if we decide to move away from Google we can generate random passwords and continue without too many issues.
The information I find online is for using SimpleSAMLphp as the IDP for gsuite etc (we will be using general Google accounts, not ones in gsuite) and not the other way around. I also couldn't see any Authentication Modules for Google authentication. Are there any tutorials or instructions anywhere on this?
You can accomplish what you are asking fairly easily. Instead of integrating your SPs with Google directly, integrate them with an SSP idP you control, then set up your authentication page (i.e. the page redirected to by your authsource module) to be an SP for Google. Here's what that looks like:
vendor sp -> your SSP idP -> your login app -> your SSP SP -> google idP
This way you end up with only a single Google integration configured for all your vendor integrations. There are numerous benefits to this approach:
You aren't affected by # of integration constraints imposed by google
Since your vendor SP integrations are controlled on your own server, you can easily move to a different cloud-based idP for authentication in the future without having to re-integrate all your SPs
You can easily give your users alternate sign-in choices if you want.
You aren't constrained to SAML or protocols supported by Google. Many vendors still use proprietary token based authentication. These can easily be supported with this setup.
Happy to help with implementation details if you need it.
Currently my organization uses a number of web apps/mobile apps/APIs, some of which authenticate against an in-house IdP and others which use a third-party proprietary system (over which we have no control).
We have been asked to implement SSO for these web applications and as a result I have been reading up on OpenID Connect. I believe this would be a better solution than SAML given that (a) end-users are not always enterprise users, and (b) SAML not designed for mobile applications.
I believe I understand the flow reasonably well but have one sticking point. To allow users to authenticate using an external IdP, we would need to map the user back to our internal id. For example, user authenticates using OIDC/Google, resulting in us receiving the user's unique Google idenitifer (and email etc if we queried further), but this is not useful to us until we can map the Google identifier back to our internal customer id.
Is this mapping out of scope for OIDC? If so, is there a best-practice method for doing this? I'm sure we are not alone in this requirement...
Thanks,
John
Is this mapping out of scope for OIDC?
Short answer, yes.! If your backend require a comparison/validation with internal identity details, then it has to be done out-of-scope of OpenID Connect(OIDC) protocol. OIDC simply define the process of obtaining tokens (ID and access token), which are required for authentication and authorization.
is there a best-practice method for doing this?
One option is to use out of band directory synchronization. For example, Google provider Google Cloud Directory Sync (GCDS), which allows you to synchronize identity details to LDAP or MS Active directory. Other alternative is to use SCIM protocol to communicate and provision users dynamically. For example Google provide that support as well.
Alternatively, you can use just-in-time provision at the time you receive tokens. This support will depend on your identity provider implementation. For example, WSO2 identity server support both JIT provisioning as well as SCIM.
We are considering to implement log on facility using SAML 2.0 on our portal. But is the use of SAML 2.0 increasing or should I use any alternative technology ?
From my organization's (Ping Identity) perspective, SAML 2.0 is still going very strong and likely won't be superseded anytime soon. There are plenty of SAML-based products available - more and more popping up every day. Major SaaS providers like Google and Salesforce have standardized on SAML 2.0 SSO, and we've seen over 1500 others do so as well.
There's some evidence to believe that OAuth 2 based SSO - or most likely OpenID Connect (built on top of OAuth 2) - will eventually become as predominant. At the moment it's mostly focused on consumer facing identity providers & applications like Facebook, Twitter, LinkedIn, etc.
SAML still reigns supreme in the business / enterprise world, where strong trust (federation) relationships are required.
Our school recently jumped on board the SAML 2.0 train. All of our students have access to Gmail for their school accounts. Now we are going to be using a cloud storage service for the students as well, employing SAML again for it. We are the Identity Providers (IdP) and our clients are Service Providers (SP).
I'm specifically using simplesamlphp for SSO generation, but that's merely my flavor preference. Java seems to be the other big platform SAML is used on. Either way, I don't foresee its use in the education industry going anywhere soon.
We're a small-ish educational institution whose school email is through Google Apps for Education. We have contracted with an external vendor who is provisioning accounts for Google by getting a list of students from our AD who do not have an email account already provisioned. Once provisioned, the student authenticates to Google services by using their AD account credentials (which is how they access network resources while on campus).
I've been looking into saving a bit of $$ by bringing this process in-house but have been struggling while seeking tangible examples of how to go about doing this. The documentation that I did find has a deprecation warning. Is SAML still how this authentication scheme would be handled? If so, can someone help point me in the correct direction for this?
I've looked through the similar questions and none of them really seem to help.
Python and .NET are accepted solution implementations here.
There are two ways for SSO authentication.
SP-initiated
IDP-initiated
For SP-initiated on google apps you need to:
* Created a certificate and a private key using openssl toolkit or any other tool.
* Upload this certificate to the Google Apps single sign on settings.
* Give login URL to your application etc.
After saving setting on google are done. Now you need to write a code that wil accept request token from google and after parsing send it back to google app.
For code on your side you will use openSAML libraries.
You will also need a keystore(*.jks) in order to make SAML response signed.
These links will help you.
SAML token help.
See this answer.