Basically I just want to know how does StackExchange's single signon system work?
In the SE network you need to login only once in one of the websites to be automatically logged in to the other sites upon visiting.
How should I implement such a feature in my own network of sites?
I assume it uses the cookie which resides on the user's browser and then authenticates it with the originating site. If it is legit then it logs the user in automatically.
You have to implement SAML or oauth2 to allow sso on your network.
In case of SAML your child websites will be service providers or resource servers.
While you need to setup and identity provider.
The sequence of events will be like this.
1. User hits a url of songs website, this site is resource server and does not handle authentication.
2.To authenticate resource server will construct a SAML authrequest and redirects to identity provider after signing it.
Idp verifies the signature after receiving authrequest.
3. User will be presented with a login form, user has to end login credentials.
4. After user authentication idp will generate a SAMl token and redirect back to resource server.
5. Resource server will extract identity information from SAML token, resource server will login the user with session or cookie.
Depends upon which technology you are working in i have implemented it in php using simplesamlphp.
Related
How can I authenticate multiple applications with a single authentication mechanism?. These applications are having existing authentication within them, perhaps I need to authenticate these apps into my system which is isolated from others. Please suggest a better approach
When using OpenID Connect, the first application the user logs in to, will redirect the user's browser to the authorization server (AS). Since the user does not have a session between the browser and the AS, it will present the login screen. The user signs in and is redirected to the application (client) with an ID token and access token. The application will then establish a session between the browser and the application (typically a cookie)
When the user navigates to the second application, it will also redirect the user to the AS, but now the user already has a valid session between the browser and the AS, so the AS won't show the login screen (it may show the consent screen if the user has not consented to the requested scopes), and will issue an ID token and access token to the second application.
Now the user has a authenticated session with both applications with a single sign on (SSO).
If you use OAuth 2.0 with OIDC, you can authenticate your user once and verify the access token at each app the user visits. This is a typical single sign-on flow (SSO).
Background:
I have a basic user database with username(email) and password. The users are able to sign in to a website of mine with these credentials. From the website they get a link to different services they have access to, but with different username/passwords. So they click the link "Open My Service X" and they have to login with their service unique login credentials. I do have the users service login-username. So I can map local-user <=> service-user.
I want SSO between service X which has support for SAML and my website.
Question/Problem:
I want the users to login with their user/password in my database, then single sign on towards service X where service X has support for SAML. I don't want a user to be able to sign up for a new user account to my website using the SAML support in service X. The user must already have an account in my database.
So my question might be rather vague, but I'm having a hard time to grasp how this can be achieved?
I was thinking of letting my webapp become a SAML identity provider, so that the SSO request are transferred back to my webapp and verified for their service-user. Would that be correct approach?
You're on the right track with your SAML IdP. There are basically three parts involved. Your email database (the identities), your existing application front end and the remote services which support SAML. Usually it's SAML2 these days.
To get single sign-on (SSO) across your portfolio of apps (your own app and the remote services) you could install an IdP like the Shibboleth IdP and convert your app to use it instead of using email/password to login. That would take a fair amount of work as you'd have to convert your app into a SAML SP, just like the remote services.
An easier way might be to only use the IdP for SAML to the remote services and get the IdP to recognise that your users are already logged in with their email/password. Cookie? So the IdP should never display a login page as it would recognise your app's cookie and match that with a user in the database. It then releases SAML attributes to the remote service based on that user's information. That also covers your use case of not allowing account creation via SAML from a remote service.
That would mean you might end up with the following URLs:
https://yourapp.com/
https://yourapp.com/idp/
Your users login with the first URL as normal and the remote services use the second URL. That way your app cookie will be visible to the /idp endpoint but you'd need to write code to match that with a user in the database.
Our system architecture has this setup. We have an API that is used by a WebApp Client. We allow users to authenticate using an Identity Provider (IDP) that returns SAML.
The problem is how would you setup authentication? Which of the flow below would be more suitable?
WebApp Client controls the flow
When a user needing authentication visits WebApp Client, redirect user to IDP.
User authenticates with IDP
IDP redirect user back to webapp client with SAML response
WebApp client passes the SAML to the API.
The API will decrypt and read the attributes.
API then gives access token to the WebApp client it can use for subsequent requests.
API controls the flow
When a user needing authentication visits WebApp Client, redirect user to a special endpoint of API.
API redirects user to IDP
User authenticates with IDP
IDP redirect user back to API with SAML response
API decrypt and read the attributes
API redirects user to the WebApp client passing an access token to the WebApp client it can use for subsequent requests.
I'm currently asking myself the same questions with google idp. I thought about passing the returning code from idp to my API and then authenticating the user from my API.
If you have some return on your experience let me know :)
Created a web based application which needs to integrate forms authentication and SSO. Currently forms authentication will validate all the registered users.
What I need is to integrate SSO as well in to the application. ie, If the user not authenticated then redirect to identity server (Okta) configured with WS-Fed and added the application, validate and response to landing page. Please can you help on this. Please let me know if any more information is required.
Can you please explain this statement " If the user not authenticated then redirect to identity server (Okta) configured with WS-Fed and added the application"?
Please see this link https://github.com/okta/okta-music-store. Under section "Adding Single-sign on to your Music Store" you can see how C# sdk can be used to implement single sign on.
Essentially what you need is a cookieToken from Okta. Using cookieToken as one time token and a redirect url (Can be your app url) you can use /login/sessionCookieRedirect?token=&redirectUrl=. This will create active session with Okta and redirect your user to your app or redirect uri.
Cookie token is obtained via series of two calls. Authentication that gives you session token in response. Session token is exchanged for cookie token via create session call.
We are running a website where users need to be authenticated from the SAP Enterprise Portal.
Scenario:
User logs in into SAP portal via SAML Authentication. This user can view a link in the Portal he can click the link and will be transferred to a website on another domain. This domain will receive the a "ticket" and the user will be able to login.
Information from a friend:
If you have a setup that uses SAML, there are mechanisms to transfer that session between domains that basically rely on passing a ticket through the URL to the client from the authentication server, and that ticket is then passed to the site you want to authenticate against, which can use that to establish the identity of the user with the authentication server and establish the session.
Question:
Is this possible in SAP? If so, can anyone provide me some documentation for this?
The normal scenarion for SSO between domain in SAML is based on relayance on the same IDP. This is a typical flow for a SSO with two domains.
Sign-on on domain1
User accesses domain1
User is forwarded to IDP for authentication.
User authenticates and a session is created at the IDP
User is redirected back to domain1 and gains access
Sign-on on domain2
User accesses domain2
User is forwarded to IDP for authentication.
The IDP already as a session for the user and is considered as authenticated
User is redirected back to domain2 and gains access
This way the uer does not need to authenticate the second time.