Can a REST service be used by both active and passive clients? - rest

I have a Silverlight application that calls a REST service. I want to enable single sign on with another website so I'm inclined to implement passive authentication. When the browser navigates to the XAP file, it will get redirected to the STS. After presenting credentials, the browser downloads the XAP file.
At this point the browser has 2 cookies: 1 identifying a session with the STS and 1 indicating a session with the RP that hosted the XAP file. All HTTP traffic generated by the Silverlight app goes through the browser, so the STS session cookie is automatically included in outgoing requests even though I don't have direct access to it. The other website trusts the same STS, so it respects the existing STS session and everything's grand.
But now I want to implement an iOS client which will probably be active. Can this client consume the same REST services, and if so, how?

Related

Implement SSO using IdentityServer4

I implemented the Identity management server with the help of the documentation.
I am running the following applications:
I run the Identity server
I run the API
I run the MVC client
My MVC client gets opened in a Chrome browser. After open I click on Login and provide username and password and click submit. I got successfully logged in and it redirects me to the home page.
The problem is, after I open another Chrome window and then try to open the MVC Client, it asks me to log in again. How can I solve this?
If you are running the MVC client from the Visual Studio debugger, it creates a brand new browser session (no old cookies, application data etc.). As IdentityServer keeps the logged-in user information in a cookie, by running your application like this you are losing this cookie, and this is why you are forced to re-login.
I recommend you deploy your MVC client to a local IIS site and try again. You will see that no such issue occurs (as long as you are not opening the site in incognito mode, of course).

SAML Logout in Websphere Liberty/Classic Websphere

We are trying to achieve SP-initiated SAML SSO with ADFS (our IdP) from WebSphere applications. We have used Liberty server, which acts as the Service Provider/Relying Party. Using Liberty as a bridge we are able to do sign-in for all applications deployed in classic WebSphere. But we are stuck at the logout process.
As of now WebSphere does not provide any SAML logout feature. We tried using the session.invalidate() method, and also tried removing all cookies and the request.logout() method. Though request.logout() removes the Authentication object, we are still able to access the application in the same browser session without any need to enter credentials.
We tried using ADFS WS-Federation Sign-Out URL mentioned here:
https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0
But because Liberty is not able to handle the logout request and response, sign-out does not happen for WebSphere applications.
Are we following the correct approach? Is there any other workaround for achieving sign-out? Is there a way to programmatically send a SAML logout request to ADFS from WebSphere?
Finally we are able to achieve logout after the addition of logout functionality in WebSphere Liberty by IBM, as mentioned here. Liberty is working as SP/bridge for SAML login and logout, and applications are deployed in WebSphere Application Server.

IdentityServer3 MVC App with Windows Authentication

I'm working on creating an MVC Web application backed by an API which uses IdentityServer3 and is compatible with Windows Authentication, but I'm losing my custom claims in the process.
To this end, I've deployed this project: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/MVC%20Authentication
When I deploy it to IIS7 I cannot access either of the two pages which display claims information until I turn on Windows Authentication. When I do this, I have access to the secure web page that shows claims and the API that shows claims. This is promising, but these displayed claims are SidGroups and default claims, respectively. I lose my custom claims.
Monitoring traffic in Fiddler, I notice that when hitting the protected claims page there are two failed attempts which return 401, followed by the successful attempt, which displays the wrong claims.
Has anyone encountered this? Does anyone know the location of a working example of a Windows Auth compatible IdentityServer? I've looked over several tutorials which imply it's possible, but I don't think they are compatible with IdentityServer3.

Authentication with CAS for rest service call

In our current setup we have about a dozen web applications that deploy to a single Tomcat server. One of these applications is CAS which is used for all authorization.
This works pretty well and in our jRuby web application we use the rubycas-client gem, point to CAS and we're done.
Now we have a requirement where, in a Java component, we need to be able to call out to another web application via a REST service that resides on the same server. My first thought was to use CAS proxy tickets, but the web application we have to hit currently doesn't have this enabled and, due to the nature of the environment, this cannot be changed.
So as far as I can tell we're left trying to impersonate the user by using an iframe in our web application that points to the other one (we're all on the same domain and server), scraping its session ID for impersonation and passing it down to the Java layer. But I really, really don't want to do this.
Am I missing anything? Are there any better ways of doing this? Is there a way to get the session ID without an iframe, maybe?
Thanks!
If you want to call a web service from a web application using CAS identity, you certainly should use the CAS proxy feature.
If you can't cassify your web service, there is another option for you: you could use the Apache module for CAS: https://wiki.jasig.org/display/CASC/mod_auth_cas.

External SSO and Web Application running on TOMCAT 6.0

New to Java. I developed a web application (JSP) successfully deployed on Tomcat 6.0. Now the client wants to use external SSO to authenticate users. As of now, when the users are authenticated the website is displayed with the login page, where the user has to log in again.
I am using Login.jsp to bring the user roles from the SQL DB for the website.
What I want to accomplish now is that when the user is authenticated, login.jsp should retrieve the credentials from the SSO and display the website, thus accomplishing the purpose of the single sign-on process.
I read a lot from this forum and other websites but I'm kind of lost in the process.
Any help would be appreciated.
thank you
We developed a Tomcat extension (valve) which does just that. Basically you use standard J2EE security (role-ref etc.) in your app, and our Tomcat valve then acts as a bridge between Tomcat and our SSO platform. You can find out more at www.cloudseal.com
Of course you may not want to use our SSO platform :-( but you can still use our Tomcat valve and modify it to fit your needs. It's released under an Apache 2 license and you can grab the source from GitHub.