I am using Apache Shiro as a security framework for my application which also need SAML for SSO integrations. And with possible Oauth in the future.
Do I only need buji-pac4j to cover both SAML and Oauth?
With buji-pac4j, do I need to write any SAML code at all or all are taken care of by buji-pac4j framework?
If I have the buji-pac4j and use CasServer for authentication would it be possible to integrate other Identity management server such as WS02 Identity Server (which act as a federation hub) to the CasServer?
1) pac4j is a generic security engine and buji-pac4j is an adapter of pac4j for Shiro. For SAML and OAuth, you need the buji-pac4j library, but also the pac4j-saml and pac4j-oauth modules
2) you don't need to write code for SAML, it's just about configuration: https://github.com/pac4j/buji-pac4j-demo/blob/master/src/main/resources/shiro.ini#L33
3) you can use the buji-pac4j and pac4j-cas libraries to integrate your application with your CAS server, though I'm not sure it's exactly what you want to do
I highly recommend to take a look at the demo: https://github.com/pac4j/buji-pac4j-demo
Related
I have an internal application hosted on AWS with https. I need help understanding how to implement SAML authentication to my web application. I am using Spring Boot for my backend and AngularJS for my front end. I am using ADFS as my IP. From what I gather, the following are the steps.
Get a https URL for your application
Create a basic ADFS trust.
Add the roles on ADFS
Get a metadata URL and enter it in your application.properties.
I am trying to implement SAML for the first time and have confused myself completely. Any thoughts shared would be greatly appreciated.
Your Spring Boot application needs to be a Service Provider (SP) that trusts your ADFS Identity Provider (IdP) and you ADFS IdP needs to trust your SP. This trust is usually done using the SAML2 metadata profile, i.e. the SP and IdP SAML2 metadata files.
You can either design your application as a 'standalone', i.e. no SAML ability and put something in front of it that understand SAML and blocks all requests until the IdP sends attributes. This is how the standard Shibboleth SP works but it needs Apache. The other option is to use the framework to plumb in the SAML capability such as Spring Security SAML
I am looking with Apache shrio framework. Looking at it authentication and authorization features can i build Identity server provider using shrio framework.
Is it possible to have features like,
Single Sign On
SAML support
Federation based on attributes
Do we need to write everything from scratch or shrio has some API's to handle such kind of features.
I read the documentation where they say about having SSO features based on Sharing of user session with multiple organizations . But i did not see any direct support API's to handle this.
To act as an IDP what shrio gives and what it does not support?
Please suggest.
Thanks,
Sohan
Shiro is a security layer that sits in front of your application. It is a security framework for a (SP) Service Provider that will issue an Authentication Request to your IdP (Identity Provider).
Open source IdP implementations that support SAML:
http://www.gluu.org/docs/
https://shibboleth.net/
This Stack Overflow question covers a way to use SAML to authenticate your user before they reach the application and provide the user's credentials as part of a http header.
Integrating Java Web App with SAML SSO
An alternative to installing and maintaining your own IdP.
https://stormpath.com/
The cost of developing, securing, and maintaining your own identity provider are likely much higher than paying a monthly fee.
Excuse my ignorance but can PicketLink be implemented as an IDP within weblogic?
I am looking to create a light weight IDP Proxy to be able to accept SAML requests and issue SAML Assertions based on simple authentication handled elsewhere so not looking for anything that provides too much.
I wondered if picketlink offered a simple API to do this and whether it would work on a welbogic domain.
Weblogic has its own, built-in SAML implementation that is tightly integrated with the rest of their platform. It is fully configurable from their admin console. Use that instead of PicketLink.
http://docs.oracle.com/cd/E28280_01/web.1111/e13707/saml.htm#SECMG252
Planning to use ADFS to federate. One big challenge that we find is that not all applications are claims aware, also every application has a different role based access. In such a how can we achieve 100% SSO Authentication and Authorization using Identity Claims.
In case ADFS cannot support such a requirement, What other vendor solutions are available which can supports such a requirement.
A claims-aware application in the .NET world uses WIF / WS-Federation to get a set of claims in a SAML token which are then used to control user access and functionality.
ADFS only answers to WS-Federation or SAML requests.
So to get a non claims-aware application to use AFDS, the application needs to be changed to add support for either of these protocols.
Refer: SAML : SAML connectivity / toolkit and the links inside the post.
Or you could go the other way and put something like an OpenAM agent around the applications and then federate OpenAM and ADFS.
ADFS on Server 2012 R2 has a new feature as part of the Web Application proxy, refer Create a Non-Claims-Aware Relying Party Trust.
There's a walkthrough here - Walkthrough Guide: Connect to Applications and Services from Anywhere with Web Application Proxy
and a good example here - First Impressions – AD FS and Window Server 2012 R2 – Part II.
We are looking at IDaaS offerings (OneLogin, Okta, etc.) When we've asked if they support CloudBees they said they do not, but they said if you support SAML authentication that they can add support for CB very easily. Do you know if you support SAML?
There is no specific support for SAML - however applications that are hosted on the platform would well support it.
CloudBees supports SAML integration with any SAML IdP endpoint. The SAML IdP endpoint could be running on your premises or you can use IdP providers such as OneLogin, Okta, Centrify etc. they also provide CloudBees app that you can configure for SAML. Both flow - SP initiated or IdP initiated flows are supported as well.
See, http://developer-blog.cloudbees.com/2013/09/cloudbees-now-offers-saml-20.html
Centrify definitely has a pre-built SAML app for CloudBees.
You can sign up for free here to test it.
https://www.centrify.com/free-trial/