What's the best way to check if a user is authenticated, and pull her identity & roles for authorization decisions, via AWS cognito within a JAX-RS WebService environment?
I am thinking about the following architecture on AWS:
Server Side: Java EE backend REST-ful services, which requiring authenticated access
Client Side: A variety of apps (mobile / webapps / etc) that consume the services via HTTP
Not wanting to reinvent security, I am thinking about how to integrate AWS Cognito with the JavaEE backend. I am used to Keycloak which provides an AuthAdapter via ServletFilter handling all the integration with the OAuth2 Token Endpoint and leaving me as a developer to work with Java Security Mechanisms.
Related
We have an application running on Tomcat currently and using LDAP as the means to authenticate users to our enterprise AD.
It is required to migrate this application to cloud (on AWS EC2) and to integrate with ADFS over SAML for login with MFA enabled.
Wondering if there are any guides on the the steps to be followed to make this happen ? What are the configurations that I need to enable in ADFS for my application and what configuration changes are needed on tomcat server.xml to have the connector integrate with ADFS rather than LDAP. Thanks.
Regards,
Raunak
Not a Tomcat guru but from the point of view of ADFS and SAML:
You need to use a client-side SAML stack in your application. This provides the SAML plumbing.
You then need to add a SAML RP to ADFS.
For MFA, typically you use Azure AD to provide the MFA.
(There used to be an on-premises ADFS MFA Server - that is now deprecated).
If that is not an option, there are third-party providers.
I have an internal application hosted on AWS with https. I need help understanding how to implement SAML authentication to my web application. I am using Spring Boot for my backend and AngularJS for my front end. I am using ADFS as my IP. From what I gather, the following are the steps.
Get a https URL for your application
Create a basic ADFS trust.
Add the roles on ADFS
Get a metadata URL and enter it in your application.properties.
I am trying to implement SAML for the first time and have confused myself completely. Any thoughts shared would be greatly appreciated.
Your Spring Boot application needs to be a Service Provider (SP) that trusts your ADFS Identity Provider (IdP) and you ADFS IdP needs to trust your SP. This trust is usually done using the SAML2 metadata profile, i.e. the SP and IdP SAML2 metadata files.
You can either design your application as a 'standalone', i.e. no SAML ability and put something in front of it that understand SAML and blocks all requests until the IdP sends attributes. This is how the standard Shibboleth SP works but it needs Apache. The other option is to use the framework to plumb in the SAML capability such as Spring Security SAML
I'm building a SPA (angular) with a back-end api (asp.net core), both are build and belong to the same party.
I would like to use jwt authentication instead of cookie based authentication, because both sides - the back-end and the front-end spa - are owned by the same party I'm thinking to use the OAuth Resource Owner Password Grant flow and there shouldn't be any problem exposing the users credentials to the web app.
After searching on the web, I see a lot that it's not recommended to use this flow, but why should I implement any OpenId Connect flow with a redirection to the auth server if the web client belongs to same party of the api and the auth server?
The problem in your case is not so much in exposing the credentials to the Client since as you mention, all components in the flow are controlled by the same party.
Yet there are advantages to redirection as doing so separates the authentication method and means from the Client itself. And that enables e.g.:
a change of authentication mechanism or an upgrade to multi-factor (or some other advanced form of) authentication without impacting the Client(s)
SSO across different web applications
granular per-Client permissions
easy access revocation without having to change the user's password
less confusion for end-users as to which applications(s)/Client(s) they can trust with their credentials
I have several web services that I want to make available to clients. My clients are split into two groups:
users using a web browser (I serve a web page that uses javascript + AJAX to request data from the web services)
applications (e.g. server app pulling data into a client's system)
1) I can solve the former by exposing my web services to external users using the application server and I can use the identity server to authenticate access (haven't worked how to do this out yet).
2) The latter is nicely satisfied by using the API manager. I can happily tell clients to log in to the API manager and subscribe to APIs. The APIs I create are proxies for the web services mentioned in 1).
I know that an API I create in the API manager can include a username and password for accessing the proxied web service. Is it possible to let an API proxy a web service that is authenticated using the identity manager? Sorry I'm reading documentation and struggling to understand if I can do this. Thanks
". Is it possible to let an API proxy a web service that is
authenticated using the identity manager? "
Currently APIManager supports the service endpoints which are secured using basicauth/usernametoken.
If you use identityserver to secure you service, using any other mechanism, that wont be supported by APIManager.
Stodge,
Default API manager authentication mechanism is Oauth. it uses Oauth token mechanism to authenticate all APIs.
Please refer [1],
Here the authentication component also sits in the AM. This can be delegated to a different AM instance if required.
Hope this helps.
[1] http://docs.wso2.org/wiki/display/AM140/Token+APIs
We have a SaaS system based on SAML 2.0 authentication using an Identity Provider and we want to provide several ways of logging in, Form Authentication, Facebook, etc. Is it possible to connect the SAML system to a remote application using Active-Directory, ideally to gain access to the API also but most importantly to be able to use their authentication with the remote active directory as a means of logging in to the SaaS system?
Check out PingFederate and PingOne from Ping Identity (note: I work for Ping). We have complete IDP and SP support (SAML1.1, 2.0, WS-Fed (Passive)) as well as support for LDAP, SFDC, OpenID and other Cloud Identity providers (LinkedIn, Facebook, etc). We also have support for Web Services security via Oauth2 and WS-Trust.