I am developing a LDAP web application to access windows active directory contents. I am new to LDAP and single sign-on authentication. At first step, I have developed log in service using "unboundid" java sdk, but now I want to change it to work with single sign-on or open-id authentication. Could any one suggest me solutions/resources for how to perform user authentication of LDAP web application using single sign-on mechanism?
I have gone through some posts out there on internet, but all they are related to open-id authentication using LDAP server. No one has mentioned how to do it for LDAP web application. Thanks in advance for your suggestions!!
LDAP (or any auth abomination formed with it) won't provide you with true SSO (Single Sign On), you will need to implement it using the WWW-Authenticate header and negotiating for kerberos.
This is one idea that will work with an existing AD Server.
Here is an excellent question regarding authentication
Related
We have an application running on Tomcat currently and using LDAP as the means to authenticate users to our enterprise AD.
It is required to migrate this application to cloud (on AWS EC2) and to integrate with ADFS over SAML for login with MFA enabled.
Wondering if there are any guides on the the steps to be followed to make this happen ? What are the configurations that I need to enable in ADFS for my application and what configuration changes are needed on tomcat server.xml to have the connector integrate with ADFS rather than LDAP. Thanks.
Regards,
Raunak
Not a Tomcat guru but from the point of view of ADFS and SAML:
You need to use a client-side SAML stack in your application. This provides the SAML plumbing.
You then need to add a SAML RP to ADFS.
For MFA, typically you use Azure AD to provide the MFA.
(There used to be an on-premises ADFS MFA Server - that is now deprecated).
If that is not an option, there are third-party providers.
I'm currently developing a API to commercialized in a B2B SAAS fashion.
The goal is to authenticate the worker of the company. We have an SDK that should be able to do that. There is the possibility to force each user to set credentials specific for our service, but that will hurt integration with companies applications.
The idea would be to have some kind of authentication (client independent) that make it easier to authenticate users.
The question is: There is a easy way to create an automatic process that does not depend on the client type of authentication methods, for this type of task?
Thanks in advance.
Have you taken a look at Azure AD? It specifically supports multi-tenant scenarios.
Tenants can use Azure AD Connect to sync their on-premise directory to the cloud. Clients can use ADAL to acquire a token which your service trusts. The issued token contains a tenant-id claim indicating via which tenant the user logged in.
Just to add to MvdD answer, in Azure AD support three ways to sign in:
Federated Single Sign-On enables applications to redirect to Azure AD
for user authentication instead of prompting for its own password.
This is supported for applications that support protocols such as SAML
2.0, WS-Federation, or OpenID Connect, and is the richest mode of single sign-on.
Password-based Single Sign-On enables secure application password
storage and replay using a web browser extension or mobile app. This
leverages the existing sign-in process provided by the application,
but enables an administrator to manage the passwords and does not
require the user to know the password.
Existing Single Sign-On enables Azure AD to leverage any existing
single sign-on that has been set up for the application, but enables
these applications to be linked to the Office 365 or Azure AD access
panel portals, and also enables additional reporting in Azure AD when
the applications are launched there.
We have several custom developed online applications as well as open source application such as KOHA, moodle and bugzilla.
We are attempting to integrate their authentication using a Single Sign-On service. So far we have tried JASIG CAS and this seems to solve most of our issues.
However we would also like to link the authentication to an LDAP compatible directory service.
My questions are:
1. Why do we need to use CAS with LDAP?
2. Can a LDAP only service work? (all of our application either directly supports LDAP or can be modified to work with LDAP)
3. Assuming CAS is running on a MySQL database, can LDAP compatible sysmtem such as Active Directory, contact the CAS server to login?
With CAS, you centralize your security in one place, instead of having each application integrated with your LDAP
Yes, it's generally more work and a lot less secure (see 1)
CAS relies on your LDAP for authentication, applications connected to CAS benefit from SSO, but applications can directly authenticate users via your LDAP (without SSO)
Planning to use ADFS to federate. One big challenge that we find is that not all applications are claims aware, also every application has a different role based access. In such a how can we achieve 100% SSO Authentication and Authorization using Identity Claims.
In case ADFS cannot support such a requirement, What other vendor solutions are available which can supports such a requirement.
A claims-aware application in the .NET world uses WIF / WS-Federation to get a set of claims in a SAML token which are then used to control user access and functionality.
ADFS only answers to WS-Federation or SAML requests.
So to get a non claims-aware application to use AFDS, the application needs to be changed to add support for either of these protocols.
Refer: SAML : SAML connectivity / toolkit and the links inside the post.
Or you could go the other way and put something like an OpenAM agent around the applications and then federate OpenAM and ADFS.
ADFS on Server 2012 R2 has a new feature as part of the Web Application proxy, refer Create a Non-Claims-Aware Relying Party Trust.
There's a walkthrough here - Walkthrough Guide: Connect to Applications and Services from Anywhere with Web Application Proxy
and a good example here - First Impressions β AD FS and Window Server 2012 R2 β Part II.
Good evening, I must make an intranet with Liferay, the most important is to integrate a web application (or 2) already ready with the portal that I will make . These web applications are made ββin php, so in order not to make each authentication, wanted the user to authenticate to the portal and click on the link to one of these web applications, it will not have to authenticate again for its apps. For this reason I used SSO CAS and I integrated it with Liferay, I still used an LDAP directory to be related to the CAS server to identify users.
My problem is how is the procedure for other web apps, is that users must have the same login and password for partail (Liferay) with the others two apps php? Or I can let each application with their users without the change (because in each app, the user has a login and password different from other apps), that is how the coordination between different words and LGIN passes the various apps (this is a problem of SSO, I misunderstood the principle of work I should implement it) ??
Some clarifications and assistance please??
The other webapps need to implement a so called CAS Client. The php one is here:
The php apps will typically redirect non authenticated users to CAS, and after they logged in the webapp retreive a saml token. In that token claims are found that uniquely identify the user. application then typically match the provided claim to their own userstore or apply the concept of a virtual user.
But that is up to the implementer of the webapps.