I have been trying to bypass shibboleth sso for a specific user. Only one user need password authentication to an application running behind Apache reverse proxy. Rest all users need to go through the SSO login.
I tried tweaking few attribute-map files, but in vain.
Any idea on the shibboleth config file to modify for bypassing sso for a single user. Any suggestion on this is greatly appreciated.
Do you have code that constructs an "application session" from headers/environment variables within the app, or does the app directly access the existence/absence of the headers/environment variables set by Shibboleth?
If you have an external application session, then you just need to deploy some code to a separate path that's not protected by Shib, but some other means (maybe even Apache Basic Auth), that'll construct the relevant session cookie for the application and do the redirect.
If you're using the existence of the Shibboleth session info directly in the app, then you're probably better off just asking the IdP for an account.
Regardless, you're in the territory of building a back-door... so you must exercise extreme caution to not implement a vulnerability that can be leveraged in some way, and frankly StackOverflow doesn't know the intricacies of your application well enough to give more than general suggestions.
I suppose the short answer is... I don't think you're going to find a short answer.
Related
So i'm tasked with implementing SSO for our Windows application. Currently, after a user logs into the machine, he or she has to re-log in to our app when he or she loads the application. The application validates the user by querying a LDAP server.
What we're looking to have is for the user to automatically be logged into the app when they click on it. My understanding is that the LDAP authentication must still happen, but Im not exactly sure what the workflow would be, and how exactly we can validate a user without requiring them to re-enter a username / password. Note that this is not a web application so I can't use tools like SAML or OAuth (unless i'm mistaken about this too..?)
So my specific question is as follows:
Is it possible to use LDAP for SSO, and if so, how? Is it possible for me to authenticate a user with just his or her username, or is a password also required?
Any guidance would be appreciated, and am happy to provide further clarification if needed.
First of all, LDAP is a protocol, which you use to communicate with databases that implement this protocol.
So LDAP databases (commonly called directories) are ... databases and so do not provide SSO functionality.
To deploy a SSO solution, you need a SSO service. All your applications will have to be "compliant" with this service in a way or another.
The only way I can think of to make a "Windows SSO" without adding a third party application is that the applications can retrieve NTLM informations in requests made by the client and uses the user data to identify him. (but in term of security, I let you judge what you think about it ;) ) . See this php example
Some LDAP implementations, including OpenLDAP, provide some level of support the Generic Security Service Application Program Interface (GSSAPI) or SPNEGO (a specific GSSAPI implementation)
Although not trivial, it is possible to perform SSO from a "browser" that supports GSSAPI. AFIK, IE, Firefox, Safari and Chrome all provide some level of support for GSSAPI although each browser requires specific configuration (typically whitelisting of Servers).
There are many SSO Products that implement these features in a "probably" more secure and easier process than doing it yourself.
There are many known vulnerabilities details that have been exploited with GSAPPI/SPNEGO typically due to implementation issues.
I'm almost driving crazy looking for the right way to implement appropriate authentication functionality for my OWIN/Katana project using SignalR.
I already read about writing an own OAuth2.0 Service, I heard about using cookie authentication, and using SignalR's [Authorize] attribute. Yet, I am not quite sure about whether any of these approaches meet my requirements.
I have the following scenario:
I've got a host application that performs a WebApp.Start() for let's say TWO owin hosts.
Each owin host has various middlewares.
What I want to do: At the beginning of each OWIN pipeline I want to add an OWIN middleware that presents a login-page and allows the user to authenticate. If the user has been successfully authenticated, he is able to reach any other middlware in the pipeline. If the user browses to a further pipeline before authenticating, he should be redirected to the login page.
The problem: I found plenty of articles describing how to write an OAuth 2.0 server and so on. What I did NOT found is a step-by-step tutorial showing how to authenticate using JavaScript and after that, share and use the authentication data in each middleware that has to check if the user is authenticated.
Does anyone have a good tutorial of how to achieve something like this?
Or, is it even possible to share the authentication data between multiple OWIN IAppBuilder instances. (Each middleware is a separated DLL, in my case.)
Please don't blame me for not reading any documentation or something, I really did already spend a looot of time investigating in how to approach something like this. IMHO there is no really good article describing how to achieve something like that.
Or, at least, can anyone explain to me how to work something out?
Thanks in advance!
Ronald
Project structure: https://pl.vc/2y86u
I have a project OWIN.Framework that allows you to have multiple OWIN pipeline segments with routing. This would allow you to have some middleware that runs first, and multiple pipelines behind this configured with different middleware in each pipeline.
We're trying to evaluate a solution to implement "true" SSO for multiple (already existing) web solutions. True SSO here means to login on any service, and be authenticated on all, without further actions from the user.
All of the applications we're going to use support OpenID and/or have plugins that allow OpenID, so this seems like something worth looking into. However, as I understand OpenID, the users would still be required to enter their OpenID credentials in each service.
Is there a sane way to implement SSO with automatic login once the OpenID provider has authenticated the user?
In an earlier project, we hacked up the PHP session data in the login procedures of two applications (both running on the same domain and server) so a login in the first application creates the session data for the other application as well. However, this is a very hacky solution and is prone to break when either application is updated, so we're trying to avoid it this time.
Are there any other SSO solutions that we could look into?
i am assuming that you have the control on the SSO implementation
there are some things you can do to make sure that once the user has been recognized by the SSO application, he will virtually automatically be logged in to your other applications
in your SSO application, create a whitelist of service providers. authentication request from those websites will be automatically approved. thus, user won't be asked to approve the request manually
in your application, set the return_to parameter as the page the user is intending to immediately open. don't simply set the return_to to that application homepage
by the way, the most standard openid implementation accepts any url. however, if you want to use the sso in a controlled environment, you can set the service provider to have a whitelist of trusted identity providers. after all, it's the service provider which initiated openid authentication.
Yes, there is a means to do this. Run an Application Server, Node Based, and register cross-domain techniques to offer cookie-credentialed (backed up by site-handshakes as each new user arrives, to scale better and minimize resource expenditure per-session).
I am working on such a beast right now, and I'm 5/6th done.
I have taken care of several annoying variables up front- including the means to assure unique user logon- and I've taken a stand on other issues- one just can't get everything done in one system. However, one can have a true SSO if one is willing to pull out some stops. It is YOUR stops which will define your solution. If you have not accurately portrayed your limitations then there isn't a solution which can be offered for implementation here, and the nature of your problem is ENTIRELY implementation- not theory. In theory you have 4-5 different options. In practice you will find your answers.
// I'll try to improve the question a bit to see if I can get help.
We have a set of applications in our glassfish server, and we'd like to use SSO across them. So, we came up with a "authentication" web application, which simply contains the form to authenticate users. This user is then routed by this application to the whichever application he wants to acess.
The problem is that, when using the FORM authentication method and the programmatic login through ServletRequest.login(), the SSO cookie is not created. Only through BASIC authentication or through j_security_check we are able to see the SSO session cookie being created.
Similarly, the ServletRequest.logout() method is also unable to log the user off the SSO session, leading to nasty security bugs.
I'd like to know whether the approach using programmatic login/logout and SSO does not work at all (and thus, we're doing it wrong); or, if we're missing something altogether about SSO and security in Glassfish.
Guess I've found the reason: http://java.net/jira/browse/GLASSFISH-18356
The bug is open, likely to make it into the new version... but voting it up would help make it happen. If you came across this question with the same problem, please help voting for it!
I'm just wondering how cross-site authentication is handled for completely external companies?
e.g. My site acts a "portal" onto another completely external site.
Is there a standard way of doing this so the user is not prompted to log in again?
I know with e.g. eBay-> PayPal you have to re-authenticate, but is this the only/most sensible way?
It's going to depend on what that other site uses as an authentication method.
Look at SAML (which in essence a way of saying to the other site that they can trust your assertion that this user is who you say he is). OpenID is another system doing much the same thing.
In general, this is federated identity management,
In my opinion the best way to do this is to create a third application which is responsible for authentication and permissions. I've written a blog entry about one such application I've created for my own pet projects.
http://www.netortech.com/Blog/Entry/12/Web-passport-services