Implementing Odoo SSO with Microsoft ADFS - odoo

We have to integrate Microsoft ADFS authentication into our Odoo applications and broaden the scope of current SSO.
I seriously have no idea how this works, as I have no experience with ADFS. Can anyone with experience of this explain it with a scenario of how it works, so that I can understand it and think of a solution?

Odoo supports SAML:
https://github.com/xcgd/auth_saml
So I figured you can set up ADFS to communicate over SAML:
http://wiki.servicenow.com/index.php?title=Configuring_ADFS_3.0_to_Communicate_with_SAML_2.0#gsc.tab=0

Related

Okta Integration WebSphere

I have to integrate WebSphere Application Server with Okta. After googling I have configured the snoop application; now I access Okta (https://myorg.okta.com), see the application there, click it, and I am logged in to the application successfully.
But my question is this: in most of the tutorials, after the Okta integration the URL (https://washost/snoop) is mentioned for testing.
Can you please guide me which approach is right and why?
Many Thanks
Rama Sohaib and Xsurgent,
I have googled it more and understood my issue. Actually there are two types of Web SSO:
IdP (Okta) initiated, where the URL looks like https://okta.com, and SP (WebSphere) initiated, where the URL looks like https://washost/snoop. WebSphere does not support SP-initiated SSO. It only supports IdP-initiated SSO.
Thanks a lot guys for helping me. Since I have successfully verified the Okta integration with snoop, I can easily integrate with any custom application.
Many Thanks,
Umar
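The IdP-initiated versus SP-initiated distinction in the answer above is visible on the SP side in one field, InResponseTo: a solicited (SP-initiated) Response carries the ID of the AuthnRequest the SP sent, an unsolicited (IdP-initiated) Response does not. The following is an added example, not code from any of the posts, showing the SP-side checks that differ between the two modes; the ACS URL, the constructed unsigned Response and the allow_idp_initiated switch are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://washost/snoop"      # SP URL from the post above
ACS_URL = "https://washost/snoop/saml/acs"  # assumed ACS endpoint
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"

def make_response(name_id, not_on_or_after, in_response_to=None):
    """Constructed, unsigned Response: InResponseTo present for SP-initiated, absent for IdP-initiated."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" ID="_r1" Version="2.0"{irt}>'
        f'<p:Status><p:StatusCode Value="{SUCCESS}"/></p:Status>'
        f'<a:Assertion ID="_a1" Version="2.0"><a:Subject><a:NameID>{name_id}</a:NameID>'
        f'<a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{ACS_URL}" '
        f'NotOnOrAfter="{not_on_or_after.strftime(TS)}"/></a:SubjectConfirmation></a:Subject>'
        f'<a:Conditions><a:AudienceRestriction><a:Audience>{SP_ENTITY_ID}</a:Audience>'
        f'</a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>')

def validate_response(xml, pending_request_ids, now, allow_idp_initiated):
    """Return the NameID if the Response is acceptable for this SP, else raise ValueError.
    XML signature verification is omitted here; a real SP verifies it before any of this."""
    root = ET.fromstring(xml)
    if root.find("p:Status/p:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported failure")
    irt = root.get("InResponseTo")
    if irt is None:
        # Unsolicited response = IdP-initiated SSO (the only mode the post says WebSphere supports).
        if not allow_idp_initiated:
            raise ValueError("unsolicited response rejected: SP-initiated only")
    elif irt in pending_request_ids:
        pending_request_ids.discard(irt)  # consume the ID so a captured response cannot be replayed
    else:
        raise ValueError("InResponseTo does not match a pending AuthnRequest")
    a = root.find("a:Assertion", NS)
    if a.find("a:Conditions/a:AudienceRestriction/a:Audience", NS).text != SP_ENTITY_ID:
        raise ValueError("assertion not intended for this SP")
    scd = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd.get("Recipient") != ACS_URL:
        raise ValueError("Recipient mismatch")
    if now >= datetime.strptime(scd.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc):
        raise ValueError("assertion expired")
    return a.find("a:Subject/a:NameID", NS).text
```

An SP that accepts IdP-initiated responses loses the InResponseTo replay check, so the Audience, Recipient and NotOnOrAfter checks carry the whole load in that mode.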

Implementing PicketLink as iDP in Weblogic

Excuse my ignorance, but can PicketLink be implemented as an IdP within WebLogic?
I am looking to create a light weight IDP Proxy to be able to accept SAML requests and issue SAML Assertions based on simple authentication handled elsewhere so not looking for anything that provides too much.
I wondered if PicketLink offered a simple API to do this and whether it would work on a WebLogic domain.
Weblogic has its own, built-in SAML implementation that is tightly integrated with the rest of their platform. It is fully configurable from their admin console. Use that instead of PicketLink.
http://docs.oracle.com/cd/E28280_01/web.1111/e13707/saml.htm#SECMG252

authentication user in ldap with cn=user

Good morning,
First thanks a lot for the helps.
I have a problem in my organization because there are legacy applications that use an LDAP server for authentication.
The problem is that the authentication model of these applications is different. For example:
The applications authenticate with the attribute cn=user (only this) and not cn=user,ou=XXX,dc=YYY,dc=WWW, i.e. the complete DN, and the worst is that we do not have the code of these applications.
Could someone help me?
Thanks a lot,

Authenticate against client Active Directories in a Web Single Sign On

I've been scratching my head over this issue for over a week. We have a web app that we would like to implement SSO for: SSO with the Windows Active Directories of our clients (i.e. we essentially need to authenticate against our clients' Active Directories without much trouble).
The only thing I am 100% sure about is that I will need a security token service that will have to communicate with an Identity Provider. My questions:
Which service is most suitable for the above scenario (AD FS? OpenID & OAuth 2.0? SAML 2.0 and shibboleth?)
How will I connect to the Active Directories of the clients? Maybe I'm not understanding how the STS is to be used; could anyone clarify? I'm working with an Azure Web App.
Will there have to be a different IdP for each client? Will the client have to do more than just give us standard information? What would this info be?
...should I be using Windows Identity Foundation?
HELP :( ... this is an SOS
If anyone could clarify at all, I will forever be grateful. I normally upvote anything I find helpful and accept whichever answer is the best so feel free to answer with what you think might be useful in helping me understand how I can achieve what I am after.
These are the three options I know:
As you mention, one option is ADFS; this solution means that your customers should install and expose ADFS. ADFS means Active Directory Federation Services, so in this case your application needs to speak WS-Fed (not OAuth). Typically, if the user is inside the LAN, ADFS uses integrated auth; if not, it will prompt for credentials.
WAAD is a new service from Azure; it allows companies to expose their directories for use in cloud applications. With this approach your customers need an account in Azure, create a directory and use the dir sync agent. Your application will talk SAMLP with WAAD.
Auth0 is an authentication broker that allows developers to use social but also enterprise identity providers like AD, Google Apps, WAAD, ADFS, Salesforce, etc. If your customer only has AD, you will provide him an MSI for a Windows service that will bridge the company AD with your Auth0 account; you can have as many ADs as you want. Your application speaks OAuth with Auth0. This agent supports Kerberos authentication as well. The following graph explains this solution:
Disclaimer: I work for Auth0.
WIF doesn't support SAML or OAuth.
Your application is in Azure.
Suggest add WIF to the application and then "bind" to Azure Active Directory. In VS 2013, use the "Change Authentication" feature for this.
Make the application multi-tenanted.
Each customer has their own tenant. Use DirSync to sync each customer's AD with their AAD tenant. (That gives same sign-on.) Adding ADFS to each customer gives single sign-on.
However, the customers will probably push back on this because of perceptions around security.

How do I authenticate users to Sharepoint 2010 site, using a standard SAML IDP (not an STS)?

The problem is I have a standard SAML 2.0 Web Profile IdP (a customized Shibboleth) that I can authenticate to Google Apps with nicely, but Microsoft decided to embrace-and-extend again with WIF, so it seems things don't work off-the-shelf to have web SSO (single sign-on) with SharePoint.
At least all the documentation shows only how to integrate with AD FS STSs, or how to write your own STS, as the protocols around claims exchange aren't standard.
From the overviews it seems feasible to have my IDP being called (redirected to) and returning the SAML response as a forced post, as usual, but it seems hard to tell WIF to just process the simple response we serve.
Thanks,
ADFS v2.0 does support SAML 2.0.
If the SP STS doesn't support this, then simply add ADFS as a trusted provider to the SP STS.
I believe that ADFS 2010 only supports the WS-Federation Passive Requester Profile, i.e. no SAML 2.0 Web SSO support.
SAML 2.0 Web Profile support is possible I believe but you'll need to use a 3rd Party product like PingFederate for SAML 2.0 support unless you want to write quite a bit of custom code.
Hope this helps -
Ian