Is it possible to authenticate against a Keycloak Identity Provider (OpenAM) without using the Login screen?

Please note I am new to the applications I am mentioning, so I might use the terminology incorrectly. I've added a few diagrams to explain myself as best I could.
I am trying to set up a web service authentication policy in APIMAN (which uses Keycloak internally).
So far I know the Identity Provider (OpenAM) I created in Keycloak is configured correctly, since it is working on the Login page (see image 1 below).
I have also successfully used an access_token via Keycloak's OpenID API to access a web service, but only if the user credentials are in Keycloak (as opposed to OpenAM) (see image 2).
What I'd like to achieve is to authenticate this web service client via Keycloak but using the Identity Provider's credentials, but I do not know how to do this or if it is even possible (see image 3).
Please note I also tried User Federation with the LDAP behind OpenAM and it worked correctly, but I would like to know if there is a way to do it via OpenAM.

The way you used Keycloak and OpenAM is quite unusual; however, if I understand your question correctly, you want Keycloak to redirect the web service request to OpenAM, not LDAP.
You can either:
Configure OpenAM as an identity provider using SAML:
OpenAM would be your source of identity, and Keycloak would be its client. You can do this by configuring Keycloak: Identity Providers -> SAML IdP -> and here you will place the OpenAM metadata.
Configure OpenAM as an OIDC provider:
In Keycloak you go to Identity Providers -> Create -> OIDC v1.0 provider -> and you will place your OpenAM info.
As I said, it can be done, but it's not the way it's supposed to be. OpenAM and Keycloak are both access management software; they both do exactly the same thing. In your configuration Keycloak plays the role of an API gateway, which is not exactly what Keycloak should be doing. You can get rid of either one of the solutions; both can provide you the same functionalities (OIDC, OAuth2, SAML, LDAP, ...).


Log into my app using WSO2IS login page

I'm working with WSO2 Identity Server 5.3.0 (it's installed on a VM on a server).
So, I would like to access my application using the WSO2IS login page.
I've already set up the Service Provider via the Management Console.
I've not set up the IdP because I thought that it must be the Resident one.
Is that enough? Should I modify some files?
I cannot find the related page in the documentation.
Hope this is clear.
After doing all this, /authenticationendpoint/login.do doesn't return the possibility to enter a username and password.
Edit:
@Bee I add the screenshot here,
and this is my URL:
http://myurl:9763/authenticationendpoint/login.do?response_type=code&scope=openid&client_id=my_clientID&redirect_uri=/myuri/
Here you have multiple options. You can use basic auth, OpenID Connect, SAML SSO, federated authentication, etc. to authenticate to your app. Some useful links are below.
https://docs.wso2.com/display/IS530/Authentication
https://docs.wso2.com/display/IS530/Basic+Client+Profile+with+Playground
https://docs.wso2.com/display/IS530/Writing+a+Web+Service+Client+for+Authentication+and+User+Admin+Services
https://docs.wso2.com/display/IS530/Authenticators+and+Provisioning+Connectors

.NET plugin - Multiple IDPs for Authentication

We have a requirement to build a .NET based plugin/component for enabling authentication against multiple IdP providers like ADFS, Azure AD and Shibboleth based on DB configuration, i.e. depending on the configurable parameter the anonymous user will be authenticated against any one of the IdPs like ADFS, Azure AD or Shibboleth IdP.
Our application URL ("https://www.contoso.com/ProcessToken.aspx") will be registered as the RP identifier in all 3 providers.
We won't make any web.config changes for any of the providers.
At run time, the user will access a common page (ProcessToken.aspx) and needs to get redirected to any of the login page URLs at the provider (ADFS, Shibboleth, Azure) for authentication based on the user's organization (e.g. User A to ADFS, User B to Shibboleth, etc.).
After successful authentication at the IdP, the user needs to get redirected by the provider (ADFS/Shibboleth/Azure AD) to the registered RP URL.
In the redirected page (ProcessToken.aspx), we are planning to get the security token and decipher the claims required.
The main intention is to decouple authentication from application logic, and it should be extendable to other providers in the future.
PS: Considered options like OWIN authentication middleware, .NET component, etc.
Need guidance on how and where to start.
Have a look at IdentityServer 3, which implements this multi-auth scenario, or OWIN: ASP.NET MVC application with multiple authentication options.
The main point is that you use NuGet to download all the protocols you require and then use OWIN to pull them all in via app.Use.
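One way to wire up what this answer describes (one OWIN middleware per protocol, and a challenge against whichever one the DB configuration selects for the user's organisation), as an added C# example that is not code from the question or either answer. The metadata addresses, tenant and client ids, and the OrgToIdp lookup are placeholders standing in for the real providers and the DB-driven configuration.

```csharp
// Added example, not from the question or answers. Registers one OWIN middleware per IdP
// (the names are what the DB config maps an organisation to) and challenges the chosen one.
// Metadata addresses, tenant/client ids and the org lookup are placeholders.
using System.Collections.Generic;
using System.Web;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.Owin.Security.WsFederation;
using Owin;
public class Startup
{
    public const string Adfs = "Adfs", AzureAd = "AzureAd", Shibboleth = "Shibboleth";
    const string Realm = "https://www.contoso.com/ProcessToken.aspx"; // registered RP identifier
    public void Configuration(IAppBuilder app)
    {
        // One session cookie no matter which IdP issued the token.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        // ADFS and Shibboleth over WS-Federation (assumes Shibboleth exposes a WS-Fed endpoint).
        // Passive mode: a middleware only acts when challenged or when its sign-in response returns.
        app.UseWsFederationAuthentication(WsFed(Adfs,
            "https://adfs.example.invalid/FederationMetadata/2007-06/FederationMetadata.xml"));
        app.UseWsFederationAuthentication(WsFed(Shibboleth,
            "https://idp.example.invalid/FederationMetadata.xml"));
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions // Azure AD via OIDC
        {
            AuthenticationType = AzureAd, AuthenticationMode = AuthenticationMode.Passive,
            Authority = "https://login.microsoftonline.com/<tenant-id-placeholder>",
            ClientId = "<client-id-placeholder>", RedirectUri = Realm,
        });
    }
    static WsFederationAuthenticationOptions WsFed(string name, string metadata) =>
        new WsFederationAuthenticationOptions
        {
            AuthenticationType = name, AuthenticationMode = AuthenticationMode.Passive,
            MetadataAddress = metadata, Wtrealm = Realm, Wreply = Realm,
        };
}
public static class IdpRouter
{
    // Stand-in for the DB configuration described in the question.
    static readonly Dictionary<string, string> OrgToIdp = new Dictionary<string, string>
        { { "orgA", Startup.Adfs }, { "orgB", Startup.Shibboleth }, { "orgC", Startup.AzureAd } };
    // Called from ProcessToken.aspx for an anonymous user: redirect to that organisation's IdP.
    public static void Challenge(HttpContext ctx, string organisation)
    {
        ctx.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = "/ProcessToken.aspx" }, OrgToIdp[organisation]);
    }
}
```

Because all three providers post back to the same RP URL, every WS-Federation middleware sees every posted token and the first one will fail validation on a token from the other issuer; give each WS-Federation middleware its own CallbackPath (with a matching Wreply) so only the middleware that issued the challenge validates the response.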
You can configure ADFS to have a Claims Provider Trust with the other IdPs; OWIN will acknowledge the authentication. The difficult part will be reading the attributes from the tokens. ADFS under the covers, in conjunction with the OWIN framework, uses WS-Federation; I have not figured out how to read the SAML.
What gets confusing is that at one time the answer was WIF, but now that 4.51 has been released, WIF was moved into OWIN. The documentation for a multi-tenant application is sketchy at best.

Liferay user authentication

How to authenticate with Liferay by passing the user's email and password as parameters? If authentication succeeds, then I will redirect to a different web application. Actually I want to authenticate the user without using the sign-in portlet. Is there any way we can hit a URL and it gives a response text so we can identify that the user is authenticated? I followed this link but I didn't get a proper response.
Liferay integrates with a lot of different SSO (Single Sign-On) systems on the market. Instead of reinventing the wheel, you should use one of those integrations. This way you're free to use whatever your SSO uses to authenticate the user, and it will provide your user's identity to Liferay as well as to any other application.
For Liferay EE, you also have the option to make Liferay your "SSO" by utilizing the SAML plugin, turning Liferay into an IdP (Identity Provider) and making your other application an SP (Service Provider).
The whole field of forwarding the identity of users has been solved, and one shouldn't muck around with redirecting via any self-invented authentication scheme, IMHO.

How to configure a SAML 2.0 service provider for an ADF application

I have successfully configured a SAML 2.0 Identity Provider in a separate WebLogic domain.
We have an ADF application deployed in WebLogic in another domain with non-SAML form-based authentication (ReadOnlySQLAuthenticator is used to verify credentials).
I want to configure the second domain as a Service Provider (to enable the existing application to log in with the Identity Provider).
I did the following:
Configure a SAML 2.0 Identity Asserter
Enable the Service Provider in the federated services for the server
Add and enable the "service provider partners" and exchange metadata on both the IdP and SP side
Configure the "redirect URI" on the SP side
Add the SAML 2.0 Authenticator (the documentation doesn't mention this, but some blogs do)
This should be enough to make the SSO work, but it doesn't:
Opening the application doesn't trigger a redirect to the IdP (even when the URL is configured in the provider partner config).
After logging into the application, other applications still have to log in with the IdP (SSO doesn't work).
The "other application" is the Spring SAML sample application, and I verified that SSO works with 2 different instances of that app (which means the IdP side should be configured correctly).
We've had some Oracle experts come over to our company to solve various issues.
In the end even they couldn't help with this and suggested that SAML support may not really work that well.
They suggested that we try Oracle Access Manager, which is supposed to support both OAuth and SAML. We didn't get to that yet and maybe never will.
Still, if you need SSO in WebLogic, you could give it a go.

Using ACS as a service with custom identity provider

We are working on an iOS application and we use a back end in Azure. We have 2 types of login: one is Facebook login (using Facebook as the identity provider) and the other will be logging in directly to our system.
We decided to use ACS but we had a bunch of technical problems. My question is: is it possible to create a custom identity provider, which will be a service (for example WCF or Web API), to generate a token that we pass to ACS to get the claims token? Does ACS support that kind of service interface? If so, what is the practice for generating tokens in our custom identity provider?
Thanks in advance,
Deuce
ACS can support any identity provider that speaks a protocol it understands. Depending on the backend behind your identity provider, you can use something like ADFS or write your own identity provider using WIF. ACS doesn't support mixing and matching web-based identity providers with WCF-based ones, which means that you'll need to expose a website that ACS can redirect a browser to using the WS-Federation protocol. The only external contract you have is that ACS will redirect users to you, and you need to log them in (what that means for your IdP is up to you) and issue a token back to ACS.
There are literally whole books on how to write your own STS using WIF. To get started, there are a number of resources that can help, including the WIF SDK (which provides a template for the STS), this whitepaper (see the section "Using Windows Identity Foundation to Build a Security Token Service"), or this blog post.