I am new to CAS and single signon. Please correct me if my understanding is incorrect, below if what I understand about CAS.
I have 2 web applications
I setup CAS, and when I access URL of WebApp1, it shows me the CAS login page
I fill correct username/password
It takes me in WebApp1
From there I access WebApp2, and it works fine
What I need is as follows:
When I access WebApp1, I must see WebApp1 login page, not that of CAS
Let CAS generate some token for the session
Use this token to authenticate WebApp2 (which the way its working now - step 5 above)
Can someone suggest me how to achieve this?
I am using Java 1.6, CAS 3.4.11, Tomcat 6.
I've made a summary recently on how CAS works.
The principles are written there. Basically it is like this
Access The WebApp1
Show the CAS login page and authenticate
redirect to WebApp1
Now subsequently you do the following
Access WebApp2
the access request is redirected to CAS which without showing a login page authenticates the user
Always under the assumption that both WebApps are configured to use CAS as a login provider and CAS is setup to support both WebApps.
Now in the CAS way what you want to achieve is done like this:
exchange the standard CAS login page with your login page and your done
Related
We have integrated KeyCloak server with Azure Active Directory as Identity Provider for SSO Login.
Log-in is working fine. However we facing problem with log-out, When user logs-out from web application, from our backend server side code we are making REST call to Keycloak server for below API.
https://keycloaktest:8443/auth/realms/<realmName>/protocol/openid-connect/logout
for this REST call we are getting 204 status code as response.
However when User tries to log-in in application again from browser it does not ask to enter credentials (active directory credentials).
In order to log-out User. We have access below URL
https://portal.azure.us/#home
and click log-out there.
https://portal.azure.us/Account/SignOut
Is there anyway to achieve this in backend i.e. when User clicks logout from browser
Just ran across this myself. The answer provided here: Logout user via Keycloak REST API doesn't work worked for me. Try adding client_id and refresh_token to your /logout request.
I integrate Google's Auth API in my production website.
When I enter the login page, it throws an idpiframe_initialization_failed exceptions to the console.
I found out that I can fix it by enabling that API / Cookies in my chrome browser, but I want to find a comprehensive solution that will prevent those exceptions in my production environment.
So my two questions are:
What do you suggest me to do in order to achieve that?
In general, what is the meaning of those excpections?
Thanks :)
If you have a production url like http://godaddysite.com etc host your page there with a Webserver.
Opening a htnl page from your computer with javascript doesnot work as it is not hosted on webserver.
Please check your redirect url etc when you created Oauth client.
Go to the Credentials page.
Click Create credentials > OAuth client ID.
Select the Web application application type.
Name your OAuth 2.0 client and click Create
check origins
create new OAuth with correct origins.
What I want to do is this:
I have keycloak integrated with my application. So when my app is launched , keycloak login page is shown to user. Now , I am trying to provide an option to login with PingFedrate. So a button to login with PingFed appears(once a new SAML provider is configured in keycloak). On PingFedrate I tried to integrate SP inititated SSO:
I added a new SP connection and there I configured it as SSP initiated SSO. (It forced me to configure SOAP Authentication , where I selected basic and configured random username password). Then I downloaded metatdata.xml from this SP and imported in keycloak which autofilled the login url as : https://myserver:9031/idp/SSO.saml2 (i.e. without client id). After this when user clickon Login with PingFed - PingFed gives following error:
Unexpected System Error Sorry for the inconvenience. Please contact
your administrator for assistance and provide the reference number
below to help locate and correct the problem.
I found the solution to this.
Firstly, we need to add SP inititated SSO in Pingfed for keycloak.
Secondly, the reason I could not make SP inititated SSO work was that keycloak's entityId should be same as Pingfed SP connection's Partner's Entity Id / Connection Id.
Keycloak, by default keeps entity id equal to url of keyloak server containing your realm. E.g
https://(keycloak-server)/auth/realms/(realm-name)
(and I could not find a way to change it through Keycloak UI)
You need to enter this URL in Pingfed.
To avoid adding this manually, you can download the keycloak config from download export tab of identity provider.
And on Pingfed , import this file.
On a side note, though I was importing it earlier, I was changing value of Partenr id to some other name as I was not aware of above restriction until I started decoding the SAML tokens in request.
I was wondering if it is possible to add a redirect Url to the post-logout action when using the Windows Authentication module of IdentityServer3? Currently, it seems to leave users on a blank page.
If you're using the WindowsAuthentication module, then you don't want to redirect to that STS for signout (since it's all about integrated windows auth, and the only sighout is logging out of the windows machine). I'd suggest to suppress the redirect for signout to the WindowsAuthentication STS in the WS-Fed Katana middleware you're using in IdentityServer. Handle the RedirectingToIdentityProvder (or whatever the event is called) and call the API to suppress the redirect.
According to https://docs.wso2.org/display/IS460/Enabling+IWA+in+WSO2+Identity+Server IS seems to be configured to use WAFFLE which can be used only on Windows.
Did anyone have a chance to successfully install using http://spnego.sourceforge.net/ framework?
It would be appreciated to not limit the environment to Windows only.
If you use Tomcat, you can simply use my library: http://tomcatspnegoad.sourceforge.net/
We have managed to create a custom authenticator where
the authenticator redirects user to a page hosted in Tomcat (Custom logon page
the logon page doesn't display any logon form, but using the Tomcat SPNEGO user is authenticated with SPNEGO / Kerberos and a JWT ticket is posted back to the authenticator (commonAuthId) instead of username and password
the authenticator assumes identity of the user (set the username in the authentication context)
This is de facto a custom claim authentication, do not forget to sign / validate the posted ticket.