I'm trying to create a completely custom external authenticator for WSO2 IS. The idea is this:
1. A service provider forwards the user to WSO2 IS with a SAML2 request (Inbound authentication configuration = SAML2 Web SSO Configuration).
2. The local authentication configuration for said service provider is my custom authenticator.
3. The custom authenticator redirects the user to an authentication service.
4. The user logs in.
5. The login service forwards the user back to the WSO2 IS custom authenticator (using the same URL as before "/samlsso".
The problem is that the parameters used and returned by the login service are completely proprietary, ie. not SAML2. However, WSO2IS expects a SAML2 request when accessing the custom authenticator.
How can I create a custom authenticator which uses completely proprietary paramters towards the login service, but normal SAML2 towards the service provider?
In the step5, it should forward to the /commonauth endpoint. So, it will be identified the correct context from getContextIdentifier method in your authenticator.
You can use Facebook authenticator as an example [1]
[1] https://github.com/wso2/carbon-identity/blob/master/components/application-authenticators/org.wso2.carbon.identity.application.authenticator.social/src/main/java/org/wso2/carbon/identity/application/authenticator/social/facebook/FacebookAuthenticator.java
Related
Alright, so I'm having a hard time understanding a proper flow here for my setup.
Goal
I want to have a proper SSO flow for my SPA app that can authenticate users into an API.
Context
I have a React application that is intended to use an Okta porta that offers both SAML (preferred) and OIDC for SSO flows. I've wrapped my static sources in a web server that serves them, and that server has a middleware that checks for cookies, and if one doesn't exist, I redirect to the IDP (Okta) for login. This all works fine for now.
Currently, my API sits on that same server, which I intend on moving to a separate server to scale independently of the website. My API must also allow other machine clients (services) to call into it, so I implemented a service account flow that uses client ID and secret as the authentication measure.
In general, my intended flow looks like this:
User navigates to my website (unauthorized) -> Web Server -> Redirect to IDP -> Assertion Callback flow -> Generate JWT session cookie -> Web Application makes API call -> API Server auth middleware validates cookie / bearer token.
The problem.
The details of how the JWT access token is generated is where I'm stuck. Currently, my webserver receives the SAML assertion and generates a JWT, which is not the same JWT claims logic as the service accounts (bleh). I'm thinking of implementing an Auth service instead to centralize the token generation flows.
For the Auth Service, I've looked into OAuth2.0 and it seems like just the right approach for what I need. With that said, I can't find much information on patterns to follow for SAML assertion -> OAuth2.0. I saw an IETF draft for saml2-bearer grant-type, but it seems dead in the water. I'm also unsure about the general consensus on custom implemented OAuth2.0 grant types.
What does a proper flow look like? I have a couple of scenarios in mind:
SAML Service Provider within the same service as the Auth
Service. On lack of SSO session, my application redirects to my Auth service, which then redirects to my IDP. The IDP calls my SP (the auth server) with the assertion, the auth service generates a token, then my auth service redirects back to the webserver with a cookie placed in the response headers.
SAML SP as the webserver Since the webserver is the only system that needs to use the SSO, I could just keep the SAML flow within that process. Once my webserver receives the SAML assertion callback, my server makes a call to an endpoint service with the assertion claims, and then my auth service returns the access token in a JSON response.
Something else, like OAuth2.0 authorization code flow with PKCE for the web application. Or OIDC instead of SAML for SSO.
OIDC sounds like the right choice for you as APIs are involved. OAuth is designed to secure APIs' compared to SAML which is built for enterprise SSO.
You can integrate your SPA with Okta using OIDC. Okta provides SDK's for varies platforms to make it easier for you to do so. You can find SDKs' here:
https://developer.okta.com/code/angular/okta_angular_auth_js/
Once you get an ID token and Access token from Okta after OIDC flow, you can use the access token to access external API's. Your API resource server or the API gateway can validate the access token. Again Okta provides SDK's to verify access tokens: https://developer.okta.com/code/dotnet/jwt-validation/
I have an internal application hosted on AWS with https. I need help understanding how to implement SAML authentication to my web application. I am using Spring Boot for my backend and AngularJS for my front end. I am using ADFS as my IP. From what I gather, the following are the steps.
Get a https URL for your application
Create a basic ADFS trust.
Add the roles on ADFS
Get a metadata URL and enter it in your application.properties.
I am trying to implement SAML for the first time and have confused myself completely. Any thoughts shared would be greatly appreciated.
Your Spring Boot application needs to be a Service Provider (SP) that trusts your ADFS Identity Provider (IdP) and you ADFS IdP needs to trust your SP. This trust is usually done using the SAML2 metadata profile, i.e. the SP and IdP SAML2 metadata files.
You can either design your application as a 'standalone', i.e. no SAML ability and put something in front of it that understand SAML and blocks all requests until the IdP sends attributes. This is how the standard Shibboleth SP works but it needs Apache. The other option is to use the framework to plumb in the SAML capability such as Spring Security SAML
I am using Wso2 Oauth2 password grant for authenticating the user in my application. I need to implement two factor authentication using sms and email in my existing workflow. I have gone through the Wso2 documentation found authenticator for Email and SMS.
https://docs.wso2.com/display/ISCONNECTORS/Configuring+EmailOTP+Authenticator
https://docs.wso2.com/display/ISCONNECTORS/SMSOTP+Authenticator
But these documentation deals with SAML.
Is there any documentation for Oauth2 workflow or How it can be achieved ?
Need help on this
Thanks
I assume you have configured a service provider with OAuth/OpenID Connect Configuration type in WSO2 Identity Server. You need to do the Local & Outbound Authentication Configuration in this OAuth Service Provider. Hit edit for that SP and expand Local & Outbound Authentication Configuration. Click on Advanced Configuration and do necessary configuration there.
Refer https://docs.wso2.com/display/ISCONNECTORS/Configuring+EmailOTP+Authenticator and follow the steps starting from Step 9 in Configuring the Service Provider section.
Please note I am new to the applications I am mentioning so I might use the terminology incorrectly. I've added a few diagrams to explain myself as best I could.
I am trying to setup a web service authentication policy in APIMAN (which uses Keycloak internally)
So far I know the Identity Provider (OpenAM) I created in Keycloak is configured correctly since it is working on the Login page (see image 1 below)
I have also successfully used an access_token via Keycloak's OpenID API to access a web service; but only if the user credentials are in Keycloak (as oppossed to OpenAM) (see image 2)
What I'd like to achieve is to authenticate this web service client via Keycloak but using the Identity Provider's credentials, but I do not know how to do this or if it is even possible. (see image 3)
Please note I also tried User Federation with the LDAP behind OpenAM and it worked correctly, but I would like to know if there is a way to do it via OpenAM.
The way you used keycloak and openam is quite unusual, however if i understand correctlly your question, you want keycloak to redirect the webservice request to openam, not ldap,
You can either:
configure openam as a identity provider using saml:
Openam would be your source of identity, and keyclaok would be his clients, you can do this by configuring keycloak: identity provider -> saml IDP -> and here you will place openam metadata.
configure openam as OIDC provider:
In keycloak you go to identity providers -> create -> oidc v1 provider -> and you will place your openam info.
As i said, its can be done, but its not the way its suppossed to be, openam and keycloak are both Access management software, they both do exactly the same thing, in your configuration keycloak play a role of an API gateway, which is not exactly what keycloak should be doing, you can get get rid of either one of the solutions, both can provide you the same functionnalities (OIDC, OAuth2, SAML, LDAP, ...)
We have an existing Java EE application running under WebLogic and I want to authenticate a user programmatically as though the user was logged in via the existing web login process. That is to say, in the end, I want to have a valid session (cookie) that can be returned to the caller and later returned back the server without re-authentication. (This is to enable JAX-WS stateful Web Service calls).
We have a custom LoginModule that, when the user logs in via Forms Authentication, is eventually called via j_security_check. I guess what I'd like to do is to somehow get WebLogic to invoke that LoginModule on my behalf, ask me for the credentials, and yield an authenticated session and a valid subject etc. (i.e. all the JAAS goodness).
Is this a JAAS thing? Is there a WebLogic call?
You can do this using the HttpServletRequest#login method. This will trigger the same kind of login chain that would otherwise be executed if your used accessed a protected resource.
WebLogic security uses a security service plug-in (SSPI) architecture that allows you to implement security providers. Container (such as servlet) authentication is handled by authentication providers that use the SSPI. An authentication provider wraps a JAAS login module.
Writing and configuring security providers is extensively documented.
If you implement an authentication provider to wrap your login module and configure it for the WebLogic domain, it will be called automatically by the WebLogic security framework for all container authentication.