When is the SAML logout callback invoked with Auth0 as the SAML IdP? - amazon-cognito

I have Auth0 as SAML IdP, connected to an AWS Cognito User Pool used as Service Provider (SP).
Login works fine, but I am having trouble getting Auth0's SAML logout callback to fire at all.
I've followed the guide found here: https://auth0.com/docs/authenticate/login/logout/log-users-out-of-saml-idps#configure-slo-when-auth0-is-the-saml-idp
So far, I have configured a random URL hosted in AWS API Gateway, set up to log all incoming data so I can investigate further usage and payload. I have yet to get any data within this log. FYI, I have tested the endpoint using other means and it is working properly, logging all requests.
Should that work?
Does it have to match the Application's allowed logout URLs for it to work?
Should it be triggered when I call my logout endpoint with client_id properly defined (https://<account>.auth0.com/v2/logout?federated&client_id=XXX)?
What am I missing?
Thanks in advance.
PS: Question originally posted at https://community.auth0.com/t/when-is-the-saml-logout-callback-invoked-with-auth0-as-the-saml-idp/94504
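A logout-callback endpoint like the one described above has to undo the SAML binding before it can tell what arrived. This added Python example (not from the original post, and not Auth0's or Cognito's code) decodes a SAML LogoutRequest or LogoutResponse delivered by either the HTTP-POST binding (base64 form field) or the HTTP-Redirect binding (deflated, base64, URL-encoded query value) and extracts only the fields worth logging; the sample message, its issuer and its IDs are constructed placeholders.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample LogoutRequest with placeholder IDs and issuer; not a real Auth0 message.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-req-1" Version="2.0" '
    'IssueInstant="2023-01-01T00:00:00Z" NotOnOrAfter="2023-01-01T00:05:00Z">'
    '<saml:Issuer>urn:example-idp</saml:Issuer><saml:NameID>alice@example.com</saml:NameID>'
    '<samlp:SessionIndex>_constructed-session-1</samlp:SessionIndex></samlp:LogoutRequest>'
)

def encode_post(xml_text: str) -> str:
    return base64.b64encode(xml_text.encode()).decode()  # HTTP-POST binding: plain base64 form field

def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoded query value."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")

def decode_saml_message(raw: str, binding: str) -> str:
    """Undo the binding encoding of a SAMLRequest/SAMLResponse parameter and return the XML."""
    if binding == "POST":
        return base64.b64decode(raw).decode()
    if binding == "Redirect":
        return zlib.decompress(base64.b64decode(urllib.parse.unquote(raw)), -15).decode()
    raise ValueError(f"unsupported binding: {binding!r}")

def parse_logout_message(xml_text: str) -> dict:
    """Return only the identifiers and status worth logging, never the raw message body."""
    root = ET.fromstring(xml_text)
    kind = root.tag.split("}")[-1]
    info = {"type": kind, "id": root.get("ID"), "issuer": root.findtext("saml:Issuer", namespaces=NS)}
    if kind == "LogoutRequest":
        info["name_id"] = root.findtext("saml:NameID", namespaces=NS)
        info["session_index"] = root.findtext("samlp:SessionIndex", namespaces=NS)
        info["not_on_or_after"] = root.get("NotOnOrAfter")  # requests seen after this instant must be rejected
    elif kind == "LogoutResponse":
        info["in_response_to"] = root.get("InResponseTo")
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        info["status"] = code.get("Value") if code is not None else None
    else:
        raise ValueError(f"not a SAML logout message: {kind}")
    return info
```

Logging the parsed identifiers instead of the whole payload keeps NameIDs and session data out of plain-text logs. A real endpoint must also verify the message signature against the IdP's certificate before acting on a logout.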

Related

Negative SAML authentication response

I have an application that needs to authenticate against an IdP (Azure), and if the authentication fails I want the IdP to send a response back to my application saying the user is not authorised. The issue is that the IdP is not sending any information about the failed authentication and just remains on the login screen.
Any ideas?
Best regards,
Mircea
Regardless of the SSO protocol used, Azure AD will always return an error code, message and debugging information.
If that's not the case, then collect a network trace with Fiddler and post the results here, minus any confidential information, for additional debugging.
Optionally, you may try to test SAML-based single sign-on from the Azure Portal to verify that your application is configured correctly.
Most likely it is an issue with the Redirect URI being used in the application for the event when the user is not found on the IdP (Azure AD). This seems quite similar to the following issue: Redirect not working for SAML login, php-saml with Azure Active Directory

Using Next Auth to silent log in users with external tokens from AWS Cognito

We have a website where users authenticate themselves using AWS Cognito. That has been implemented using Next Auth with the Cognito provider, based off their example code. That is working fine. However, whenever a new potential lead (customer) fills out a particular form, we ship that information off to an external API. That API is connected to the same Cognito client and user pool in AWS, and it creates a new user and performs some operations. In the response of this API we receive the newly created user's access token, refresh token and identity token. The reasoning behind this is that whenever a new lead is created they automatically get assigned a user and we log them in behind the scenes. It is far from an ideal solution, I know, but our assignment doesn't allow for rethinking and rewriting the current setup.
My question is how we should implement such a custom login flow. We want to validate the tokens in the API response and create a session using those tokens, much as a regular login flow would do.
I've included this simplified chart trying to explain the process. See link:
Login flow chart
For anyone encountering a similar issue, this is how we solved it: After receiving the id_token from the external service we do a router.push(...) (next/router) to our own authorization callback API endpoint with the id_token. In our case, it became:
/api/auth/callback/cognito?id_token={ID_TOKEN}

Oauth2 Authentication with React Native

I am trying to add authentication to my app using OAuth2 and also secure the back-end so only logged-in users can access it.
I'm just trying to wrap my head around the process and some clarification would be great. To my understanding, here is how I would do it:
1. User logs in with the OAuth2 provider in the app.
2. App sends the returned code to the back-end.
3. Back-end fetches the access token and returns it to the app to be saved.
4. Now, for all secure requests, I send the access token as a parameter to the back-end, which checks whether it is valid or not.
Would this be the correct way of creating a secure dashboard-type app with OAuth2?
Thank you.
It's correct except that in step 2 you send the authorization code back to the OAuth2 provider - as part of an authorization code grant message.
Here's an example of the message workflow during a user session. For a mobile app the same OAuth messages are used:
https://authguidance.com/2018/01/18/desktop-app-technical-workflow/
If it helps there are some code samples of mine to demo this behaviour - it is tricky to implement though:
https://authguidance.com/home/code-samples-quickstart/

SSO Plugin in Bitbucket Server: how to kickstart authentication

I'm trying to write a small bitbucket plugin that enables SAML 2 SSO authentication.
I've been looking at the source code of sample authentication plugins in bitbucket, and it looks quite straightforward.
However, my question is what is the best approach to handle authentication that spans over separate requests.
To do SAML SSO, you have to send a POST to the IdP via the user's browser, and then it sends a SAML token back via a POST again, but by then you're no longer in the middle of authentication. So I'm trying to figure out the cleanest way to kickstart the authentication process again; my current thought is as follows:
Have my authentication handler that implements com.atlassian.bitbucket.auth.HttpAuthenticationHandler do a check to see if SAML authentication has happened in the authenticate() method, and then redirect them to the IdP if necessary. (Authentication process has stopped because of the redirect)
Receive the SAML token from the IdP on a separate servlet and check SAML token is good to use. Presuming it's all good, set a servlet request attribute (or session attribute) with the username that has been validated, and then forward the user to the original page they tried to access. This should start the authentication process again.
My authentication handler runs again, checks for the request/session attribute, and this time creates the ApplicationUser that is necessary for authenticate() to complete successfully.
Does this sound like a good approach? I had a look at the Bitbucket source code for how the Crowd SSO handler works, but Crowd SSO doesn't need to redirect you to an external login page, so it doesn't have an example of this flow.
Ideas?

Forms Authentication and SSO

I created a web-based application which needs to integrate forms authentication and SSO. Currently forms authentication validates all the registered users.
What I need is to integrate SSO into the application as well, i.e., if the user is not authenticated, redirect to the identity server (Okta) configured with WS-Fed where the application has been added, validate, and respond to the landing page. Please can you help with this. Please let me know if any more information is required.
Can you please explain this statement " If the user not authenticated then redirect to identity server (Okta) configured with WS-Fed and added the application"?
Please see this link: https://github.com/okta/okta-music-store. Under the section "Adding Single-sign on to your Music Store" you can see how the C# SDK can be used to implement single sign-on.
Essentially what you need is a cookieToken from Okta. Using the cookieToken as a one-time token together with a redirect URL (this can be your app URL), you can use /login/sessionCookieRedirect?token=&redirectUrl=. This will create an active session with Okta and redirect your user to your app or redirect URI.
The cookie token is obtained via a series of two calls: an authentication call that gives you a session token in the response, and a create-session call that exchanges the session token for a cookie token.