Implementing SSO with SAML and JBoss

I want to implement SSO with SAML tokens in JBossAS.
The scenario is as follows.
I have 2 applications app1 and app2 running on 2 JBoss instances.
Login into app1 and enter username / password using form based auth.
Once login, click on the link that should be redirected to the app2 page.
This should use SSO with SAML tokens on JBossAS for authentication and authorization of users.
Can anyone let me know how to do this?

I just now found your question and noticed it is still not answered.
You can take a look at JBoss PicketLink. Said page describes the federation support in JBoss 5+ and Tomcat 5.5+.
Supported protocols are SAML2, WS-Trust and OpenID.

Since SAML2 uses an Assertion after authentication, using pure SAML2 on both apps would require you to register both apps as Service Providers, I believe.
I did a workaround using JBoss/Tomcat SSO valves: my (Seam) app 1 uses SAML2 for authentication and my other apps simply reuse the Principal (username, roles) created in the first app. I believe this corresponds to your situation: log in at app 1, security constraint in app2, no login in app2.
I had to create a custom valve to achieve this:
https://github.com/jensaug/jbossweb-customsso
/Jens

Related

Local Identity based login along with saml 2.0 SSO

There is an existing mechanism to log into a website. Now, external / remote SAML IDP is being added to facilitate SSO. The website uses other micro-services and components that provide data and functionality to the website.
Is there a way to have the existing mechanism of local identity username/password credentials continue to co-exist as an alternate strategy for authentication alongside remote IDP SSO, while keeping the rest of the services handling authorization in a semantic way (using a SAML token)?
P.S. I looked at the options to implement the existing auth mechanism as a SAML IDP, but building it seems complex even with the likes of Shibboleth or OpenSAML libraries.
P.P.S. I haven't looked at the possibility of reimplementing the existing auth mechanism with OpenID Connect to co-exist with remote SAML IDPs.
Sure: one can provide a landing page to the user that gives a choice between using a local account or an account at a remote IDP.

Need to provide both Basic Authorization and SSO on Bluemix Liberty server

I have a Java app running under WebSphere Liberty on IBM Bluemix. I need to be able to authenticate users 3 different ways - Basic Auth, SAML SSO, and OpenAuth SSO, in that order.
I can set up the app to do Basic Auth (using custom code) or SAML SSO (using the Bluemix Single Sign On service), but can't figure out a way to configure it to handle both at once. (I haven't even looked into how to do OpenAuth yet.) If I configure the app to use the Bluemix SSO service, then my app never sees the incoming requests to check for a userid and password to try Basic Auth before the SSO service grabs it.
I tried changing the redirect URL in the SSO service to an endpoint inside my app, but then all I get is
CWOAU0062E: The OAuth service provider could not redirect the request because the redirect URI was not valid. Contact your system administrator to resolve the problem.
I can't be the only one that needs to do this. Can anyone tell me how they did it?

Passing Authenticated info from WSO2 to SP App

We are starting a project for SSO and using WSO2 to do all SAML and OAuth, keeping our web applications as service providers.
I have been through the online documentation but need some help.
When a user tries to access any resource in our web application, I would send the user to WSO2 to get authenticated. In the case of OAuth/OpenID Connect, how would I form this URL?
I have configured the IDP and SP in the WSO2 console. After authentication, how does WSO2 give the credentials of authenticated users to the service provider? I see that, as per the documentation or sample app, this should be SAML or any other SSO protocol like OAuth etc. The documentation is not clear, nor are any examples I can find.
I want to redirect the user after OAuth or SAML with my own created Authn cookie. What is the provision for that?
Any help would be appreciated.
Yes, you can configure your applications as service providers and WSO2 IS as the identity provider. I guess you can implement SAML SSO for your scenario, and it's simply documented here. There is another blog which describes the same configuration.
You can download the travelocity sample code and WAR file. Analysing the code, you can get some idea about the implementation.
By following the above blogs, you can implement the complete SSO flow.
Q. > When a user tries to access any resource in our web application, I would send the user to WSO2 to get authenticated. In the case of OAuth/OpenID Connect, how would I form this URL?
Answer:
https://localhost:9443/oauth2/authorize?response_type=code&client_id=wCmphfs69oaN3JhqO3d9FFgsNCMa&scope=openid&redirect_uri=http://localhost:8080/Samplespapp/googleauth.jsp
client_id: the ID which we get in the UI of the WSO2 console after we finish configuring the service provider; in my case I configured the Inbound Authentication Configuration as OAuth OpenID.
redirect_uri: the URL where we want to go after authentication; this should match the callback URL in the View/Update application settings.
Answer 2: I still don't see any valid reason why inbound authentication has to be an SSO protocol, but this is how WSO2 works. To put it in layman's terms: I have a client to connect to using SAML and another using OAuth. I opt for an SSO vendor who takes the headache of implementing SSO protocols from me, but I still have to implement at least one SSO protocol, because after the SSO handshake WSO2 has to communicate userX with role Admin to the service provider app, and this is done again using SSO!
PingFederate makes it simple: it makes an encrypted request header that has data in key-value pairs. Maybe I am not understanding, but I don't like this inbound authentication in SSO.
Q. 3. > I want to redirect the user after OAuth or SAML with my own created Authn cookie. What is the provision for that?
The documentation is poor in this area: just some Java classes but no end-to-end example; everyone will point to travelocity.
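The authorization request described in the answer above, as an added example that is not part of the original post or of WSO2's sample code. It uses the endpoint, `client_id` and `redirect_uri` quoted there; the `state` parameter and the `session` dictionary (a stand-in for server-side session storage) are assumptions added so the callback can be tied to the request that started it.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint, client_id and redirect_uri are the values quoted in the answer above.
AUTHORIZE_ENDPOINT = "https://localhost:9443/oauth2/authorize"
CLIENT_ID = "wCmphfs69oaN3JhqO3d9FFgsNCMa"
REDIRECT_URI = "http://localhost:8080/Samplespapp/googleauth.jsp"


def build_authorize_url(session):
    """Build the authorization-code request and bind it to this user's session."""
    state = secrets.token_urlsafe(32)   # assumption: CSRF token, not in the post
    session["oauth_state"] = state      # stand-in for server-side session storage
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,   # must equal the registered callback URL
        "state": state,
    }
    # urlencode percent-encodes redirect_uri so its ':' and '/' survive transport
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Return the authorization code, or raise ValueError for an untrusted callback."""
    got, want = urlsplit(callback_url), urlsplit(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback arrived on an unexpected URL")
    query = parse_qs(got.query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    expected = session.pop("oauth_state", None)   # single use: a replay fails
    returned = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("missing or duplicated code")
    return codes[0]
```

The returned code is then exchanged for tokens at the identity provider's token endpoint using the same `redirect_uri`.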

SSO and IDP proxy for UI and REST

We are building a SaaS application (enterprise oriented).
We have to be able to log in the users against the SAML2 IdP of their company with SSO functionality (so a multi-tenant context).
We prefer to manage it in an isolated component and so not directly in the application itself.
We are thinking of using a kind of "proxy".
We have two questions:
- Is WSO2 IS able to act as a proxy, delegating the authentication to an external IdP?
- Our SaaS application will be offered via a UI relying on RESTful services, so we need to manage SSO also with the services. For example:
  . The user comes to the UI without any prior login
  . The company IdP login page is shown for authentication
  . Once logged in, the UI will perform some calls to REST services, and we need to secure those service calls to be sure the user is allowed to call this service
How to manage it?
Can the "proxy" API also act as "proxy services" in order to call the external IdP API?
Thanks,
Nicolas.
If I got your question correctly, there is an existing IDP in the "foo" company. In the "bar" domain you have applications. You are not going to integrate the applications directly with the IDP in "foo", and you wish to install another IDP in the "bar" domain, where this "bar" domain IDP can talk to the existing IDP in the "foo" domain. Yes, WSO2IS can be used to implement such a use case. It has an "Authentication Framework" for SAML2 SSO logon. Let me explain it a bit. When the user is directed to the WSO2IS SAML2 IDP, the user can be authenticated by verifying user/password, which is the default behavior (the default authenticator that is picked by the "Authentication Framework"). But there can be other authenticators such as SAML2 SSO (where WSO2IS can call another SAML2 IDP and authenticate the user), OpenID and so on. I guess the same scenario has been discussed here. I found a blog on implementing this.

SAML IDP, ADFS 2.0 SP & WS-Fed Application

UPDATE:
I was able to get ADFS to forward my user to the relying party application. I used ComponentSpace's SAML2.0 library and RelayState. Even though it successfully forwards to the WIF application, it doesn't recognize my user as having been authenticated. It instead initiates a SP-initiated SSO scenario by redirecting to the IDP STS. I'm not too sure how I should proceed.
Original Message:
I have configured a single-sign-on setup in the following manner:
IDP - A portal website that posts SAML2 responses to my SP.
SP - ADFS 2.0 configured with a claims provider trust configured as a SAML2.0 endpoint (with my IDP of course)
RP Application - An ASP.NET application which is configured as a Relying Party trust in ADFS (WS-Fed).
When I log into my IDP and click on the link that posts the SAML2 token to ADFS, everything works fine. I am taken to the IdpInitiatedSignOn.aspx page and am told that I have been logged in. The problem is that where I would normally expect to see a drop down list of applications to choose from (which should only include my single RP Application) I see nothing. I only have two buttons allowing me to sign out of all applications or a single application. Is there some trick to configuring the RP Application trust that I'm not aware of? It was my understanding that ADFS 2.0 would accept this configuration of SAML2 and WS-Fed. (See http://blogs.technet.com/b/askds/archive/2012/09/27/ad-fs-2-0-relaystate.aspx under "When can I use RelayState?")
I would greatly appreciate any advice on this.
IdpInitiatedSignOn shows the list of RP's that support SAML.
Your RP is WS-Fed so won't appear in the list. In your case, the path is:
RP -> WS-Fed -> ADFS (Home Realm Discovery) -> SAML -> IDP -> Authenticate.