Configure Shibboleth SP to allow REST API to not require SAML auth - api

I have an application (Archibus) that can be configured to use SAML for application level authentication and uses OIDC for the REST apis w/in the application.
The problem Im having is that when I enable SAML authentication for the application, the REST API calls are getting stopped by the same SAML login, vs. bypassing SAML and using the JWT token I've already created via OIDC.
Im trying to figure out how to configure Shibboleth to allow a URL to bypass the SAML auth
https://my.site.com/archibus/api/v1/data/?dataSource=Api_Buildings <-- just use the JWT Token
https://my.site.com/archibus <-- use SAML for auth
I configured a RequestMap Path to not requireSession for the archbus/api path and then to requireSession for the rest of application path. When I put the api path first, postman works and returns data, but the application doesnt launch and I cannot login via SAML;
If i put the application first and /api 2nd, the application launches, but the API doesnt work:
<Host name="my.site.com" scheme="https" port="443">
<Path name="archibus/api/v1/data"/>
<Path name="secure" authType="shibboleth" requireSession="true"/>
<Path name="archibus" authType="shibboleth" requireSession="true">
<!--Path name="api" requireSession="false">
<Path name="v1" requireSession="false">
<Path name="data" requireSession="false"/>
</Path>
</Path-->
</Path>
</Host>

Related

Azure API Management: Oauth2 with backend API

I have a backend API I want to proxy by using Azure API Management.
This backend API requires me to provide a Bearer Oauth2 token.
I want to use Azure APIM to handle the Oauth2 flows for me, and I want to expose a very simple API that will be consumed by client apps. I want to avoid my client App to use Oauth2.
How can I handle it with APIM? I found a lot of samples demonstrating how to protect a backend API with Oauth2, but it is not the use case I'm trying to implement.
Thanks.
Here is a policy snippet to make this work:
<send-request ignore-error="true" timeout="20" response-variable-name="bearerToken" mode="new">
<set-url>{{authorizationServer}}</set-url>
<set-method>POST</set-method>
<set-header name="Content-Type" exists-action="override">
<value>application/x-www-form-urlencoded</value>
</set-header>
<set-body>
#{
return "client_id={{clientId}}&resource={{scope}}&client_secret={{clientSecret}}&grant_type=client_credentials";
}
</set-body>
</send-request>
<set-header name="Authorization" exists-action="override">
<value>
#("Bearer " + (String)((IResponse)context.Variables["bearerToken"]).Body.As<JObject>()["access_token"])
</value>
</set-header>
<!-- We do not want to expose our APIM subscription key to the backend API -->
<set-header exists-action="delete" name="Ocp-Apim-Subscription-Key"/>
From: https://github.com/orangetoken/api-management-policy-snippets/blob/master/Snippets/Add%20Azure%20AD%20OAuth2%20bearer%20token%20to%20request%20to%20AD%20protected%20API.xml
And on the APIM policy snippets branch from the APIM team
https://github.com/Azure/api-management-policy-snippets/blob/master/examples/Get%20OAuth2%20access%20token%20from%20AAD%20and%20forward%20it%20to%20the%20backend.policy.xml
What you need to do is add a header to request - use set-header policy to Set Authorization header to a desired value. That would work well if you can hardcode token in policy.
If you cant - the you have to organize OAuth flow inside policy using send-request. In short, what you'll be doing is sending you app id and secret to OAuth endpoint and parsing its response to obtain token and attach it to request.

How to call RESTFul WCF service with Forms authentication

Assumptions:
Client is a Web application (ASP.NET) configured for STS Passive Issue
Server is a MVC Application with 2 services (1. Issues a token and other gets metadata)
Server on the other hand configured for Forms authentication and should redirect to Login page if unauthenticated access is made.
Workflow:
end user tries to load client.
It contact the STS by redirecting to the STS server.
The server is configured with Forms authentication with a redirect URL.
But Server does not redirect to login page. instead it allows to call the Issue end point.
I tried to restrict via authorization tag in web.config. Also, i tried location tag to set authorization explicitly. But it still allows the call.
i referred many blogs
How to: Enable the WCF Authentication Service
How to: Customize User Login When Using the WCF Authentication Service
But no luck.
This is easy to achieve with ADFS. Use the following steps if ADFS is your STS:
Navigate to the folder where ADFS web application is located (normally C:\inetpub\adfs\ls)
Make a copy of the current web.config for safety
Open web.config in notepad
Locate
In , change the order of authentication to assure that it lists Forms Authentication first
The order must look like this:
<add name="Forms" page="FormsSignIn.aspx" />
<add name="Integrated" page="auth/integrated/" />
<add name="TlsClient" page="auth/sslclient/" />
<add name="Basic" page="auth/basic/" />
Save the changes (you do not need to restart ADFS)
Navigate to your application and click on Login. Instead of sending the login request to ADFS, a page containing a login dialog will pop up. Please enter your credential and click ok. Then, you will get the same result as above.
Reference articles:
Claims Aware MVC4 App using WIF Identity and Access tool in .Net 4.5 Part I
Claims Aware MVC4 App using WIF Identity and Access tool in .Net 4.5 Part II

Spring security provide multiple authentication mechanisms

My RESTful webapplication needs to support multiple authentication mechanisms.
Which mechanism should be applied is not indicated by a specific URL but by using the client application name in a custom header field.
Each client application maps to a specific authentication mechanism.
Currently, we need to support the following:
Username / password authentication
LDAP auhtentication
OAuth2
We defined multiple authentication providers in the our spring-security.xml:
<authentication-manager>
<authentication-provider ref="daoAuthProvider" />
<authentication-provider ref="ldapAuthProvider" />
<authentication-provider ref="oAuth2Provider" />
</authentication-manager>
The problem is that the AuthenticationManager takes the first provider, tries to authenticate and executes the following provider in the chain when authentication fails.
But we 're fully aware which provider should be executed by our custom header field.
We could create a custom Authentication provider but this class doen't have a HttpServletRequest notion. So we're not able to read our custom header field and delegate to some provider accordingly.
Is there any other alternative to execute a specific provider based on a header field?

IBM Worklight 6.0 - Adapter with basic auth doesn't update auth header if client logs out/in

I have a Worklight v6.0 application using adapter-based authentication.
The adapter is an HTTP adapter that calls a backend REST service using Basic Auth.
There is no session or cookies between the adapter and the backend service. In my Adapter descriptor, I have set the cookiePolicy to IGNORE_COOKIES. Each request from the adapter to the backend is authenticated with the basic auth header on that request.
Each of the adapter's procedures has connectAs set to: endUser.
<?xml version="1.0" encoding="UTF-8"?>
<wl:adapter name="MyAdapter" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:wl="http://www.worklight.com/integration" xmlns:http="http://www.worklight.com/integration/http">
<displayName>MyAdapter</displayName>
<description>MyAdapter</description>
<connectivity>
<connectionPolicy xsi:type="http:HTTPConnectionPolicyType" cookiePolicy="IGNORE_COOKIES">
<protocol>http</protocol>
<domain>localhost</domain>
<port>9080</port>
<!-- Following properties used by adapter's key manager for choosing
<authentication>
<basic />
</authentication>
</connectionPolicy>
<loadConstraints maxConcurrentConnectionsPerNode="2" />
</connectivity>
<procedure name="submitAuthentication"></procedure>
<procedure connectAs="endUser" name="getCurrentUser"
securityTest="MyAdapter-securityTest" />
</wl:adapter>
This all works great. The mobile app calls a secured procedure on the adapter, this triggers authentication, authentication completes successfully, the procedure gets re-invoked, and I can see on the network trace that the correct basic auth header is getting put on the call from the adapter to the backend. If the mobile app makes an adapter call when it is already authenticated, the adapter just makes the call to the back en with the correct Basic Auth header. If multiple mobile apps are connected at the same time and logged in as different users, the adapter uses the correct Basic Auth header for the user that called it.
The only thing that doesn't work is when a mobile app call to the adapter, authenticates as user1, gets the correct result from the backend for user1, calls WL.Client.logout(), makes another call to the adapter, and authenticates as user 2 this time.
In the adapter procedure, I call WL.Server.getActiveUser() to verify the active user, and sure enough, the user is correct (user2). But when the call goes out to the backend, the Basic Auth Header that Worklight adds has the credentials for user1, and so the mobile app gets the wrong results.
If I exit and re-star the app, all is well and I can authenticate directly as user 2 and get the correct results for user2. The only case that is a problem is when I log out/log back in as a different user in a single session between the mobile app and the Worklight Server.
Is this a known limitation of using basic auth with Worklight adapters? Is there any way for me to force the connection between the mobile client and the Worklight Server to reset when I log out? (short of restarting the app)
Since you say that "physically" quitting and reopening the app fixes this for you, then you can use WL.Client.reloadApp() right after the logout so to keep the app flow in case of login-logout-login. See if it helps.

low code, simplistic Azure Website security using windows live provider?

I have this webpage I need to secure on Azure. I want to be the only person who can access it. I don't need a fancy login or error page process. The page/site was formerly running on my home web server and so windows authentication via the web.config authentication tag was "really easy" to implement.
I'm looking at Azure Authentication models with STS, ACS, SAML, Federated... and truthfully am somewhat confused about what I need to do. Also, I'm wondering why MS did not offer a simple control panel interface to secure and maintain access to websites so we don't have to create services and custom web site code to manage all of this.
At a high level, what are the minimum steps I need to perform to accomplish this?
If you are the only one going to use the site, then I'm not sure you need to go through all that trouble.
But, on the other hand, doing what you want is not that complicated:
Get an ACS namespace
Install WIF in your machine
Run "Add STS Reference" in your web project and point to your ACS namespace
(look for Federation metadata endpoint)
Configure LiveID trust in ACS (or any other of the pre-provisioned IdPs)
Configure ACS to issue a token for your app
Since your needs are very simple, the default rules will probably work for you.
Here's an article that explains everything step-by-step.
You could use Forms Authentication which should be pretty straightforward to implement.
Set your application to use forms authentication in your web.config.
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="/myadminlogin.aspx" protection="All" path="/" timeout="120" />
</authentication>
Define the protected folders in your web.config.
<location path="secure">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Within your login area check a condition and set the auth cookie:
'SET AUTH COOKIE
FormsAuthentication.SetAuthCookie(sessionID, False)
Check the session on your protected page:
If User.Identity.Name.ToString = "sessionID" then
'Permit access
End if