We are using WSO2 Identity server for our product. As for as our applications are concerned, we're authenticating the users with the IDS. We now want to integrate with third party product. And we suggested them also to use WSO2 IS for their identity service [auth/auth]
When I send a request to third party application, their application should authenticate our application request and accept the request. Can they add our identity provider as their trusted authentication provider, and that would help the user request getting authenticated against our identity source?
Is this possible? If so, please point me to sample where it is done!
Yes. It can be done in different ways. As an example, Your 3rd party application is a liferay, You can use WSO2IS as openid provider. Because liferay allows to login to it portal using openid. Else your 3rd party application supports for SAML2 sso, WSO2IS can be used as SAML2 SSO provider. If 3rd party app, is IIS hosted application, you can use Passive-STS.
Also, if 3rd party application does not support any common standard, there may be extensions that can be used to extent their authentication mechanism. If that case, you can write extension to 3rd party application, to call WSO2IS API. Because all APIs are web service APIs.
You can find more detail of integration
[1] OPENID : http://www.soasecurity.org/2010/08/sign-up-with-openid-providered-by.html
[2] SSO : http://tanyamadurapperuma.blogspot.com/2013/09/configure-wso2-identity-server-saml2.html
Related
I'd like to setup an integration with a third party vendor for which I have to provide services, which need to be customer-aware.
The main flow is on the third party, that already have a service provider and an identity provider; the third party service provider then have to call my service, but then I need to check the authentication, for which I would like to rely on their identity provider, gaining so also access to the user identity (name, mail, other data).
basic flow
Does a flow like this can work? Do I have to receive the authentication infos cookie? Are other ways for which I can integrate with the third party identity provider?
Current web standards would likely dictate OIDC, especially if you want your service to be open to direct consumers as opposed to, or in addition to enterprise users. Were I building something today, I would choose to build out only OIDC, because it doesn't limit the Identity Providers I may want to use. In addition to enterprise, you could consider social logins as well, such as Facebook, Google, etc. If your users are ONLY enterprise users, then yes, you could consider SAML.
The identity data is usually returned to you in a JSON Web Token, or JWT.
I would suggest looking at OIDC implementations on your favorite stack, or look to a cloud provider.
I'm building an API that my public mobile app (xamarin forms) will call to get information. However to delimit the users of the API to just my app for security reasons, I want the public mobile app (xamarin forms) to pass a key to be able to call the API. Is basic authentication the best option then ? Or is there another approach ?
You can use any Auth based mechanism in your web api project. The best would be the latest Identity 2.0 using Owin.
OAuth is an open standard for authentication, and enables a resource
owner to notify a resource provider that permission should be granted
to a third party in order to access their information without sharing
the resource owners identity.
In your Xamarin client project (mobile app) use the Xamarin.Auth SDK to authenticate your users. It provides many features and also helps you to scale and use Social authentication as well.
Xamarin.Auth is a cross-platform API for authenticating users and
storing their accounts. It includes OAuth authenticators that provide
support for consuming identity providers such as Google, Microsoft,
Facebook, and Twitter.
The authentication flow when consuming an OAuth identity provider is as follows:
The application redirects a browser to an identity provider URL. The
URL query parameters indicate the type of access being requested.
The identity provider handles user authentication, and returns an
authorization code to the application.
The application exchanges the authorization code, client ID, and
client secret for an access token from the identity provider.
The application uses the access token to access APIs on the identity
provider, such as requesting basic user data.
The application uses the OAuth2Authenticator and OAuth2Request classes, provided by Xamarin.Auth, to implement the application side of the authentication flow.
The detailed explanation of Authenticating Users with an Identity Provider
Using the Xamarin.Auth component for authentication implementing is available here.
I'm using Azure ACS for authentication to my Web API project and it's working great with IP's such as Google and Live. I have a requirement to allow third party (partners) to develop against my API but I'm not exactly sure how to authenticate them. I'm thinking I may have to write a custom STS and manage usernames and passwords for each partner. In this scenario the partner would request an access token from my custom STS via a username/password and than use that token to access my API. Also I see Azure ACS has Service Identities, I'm wondering if I can use them in order to authenticate to my API?
Yes, you can.
Create Service Identity with authentication by x509 certificate
Create Rule Groups with rules where mapping Service Identity Name to selected claim
In your application in Relying party applications check new Rule Group in Authentication Settings.
We have an Internet facing Web Application running, and recently our company made some agreements with a 3rd-party company which owns another web site. The idea is to provide access to this external web site to our current customers. Our users will click on an internal link in our solution which will open a new browser window with the third party site. User will not need to authenticate again in the 3rd party company site.
We have agreed to issue SAML2 tokens for our users, with a set of claims used by the 3rd-party site to query an present a personalized view to our users
Something important in our scenario is that users are already authenticated in our web site when they decide to access the 3rd-part web site.
What is the best way to implement all this?
I am thinking on implementing a custom-STS using the WIF SDK to generated those SAML2 tokens and pass then using HTTP POST (cookie) to the 3rd party site. If this is the right approach, then any pointers, tips?
Will ADFS make any difference?
Thanks for any help
Sounds like you'll be playing the role of Identity Provider - responsible for handling the "manual" authentication of the user and generating SAML responses to give the user SSO to the 3rd party website.
Implementing your own IdP is not trivial (there are a handful of specifications to understand), so unless you have your heart set on this as a development project, you may want to consider a COTS like Microsoft ADFS, PortalGuard (for whom I work) or Ping Identity.
Since you asked about ADFS specifically, it has native support for Active Directory as the user repository and has some interesting features with its claims transformation engine (if you get into a complex SP-IdP chaining scenario). Besides SAML it also supports WS-Federation which is important for integration with the other offerings in the Microsoft stack.
If your application is ASP.NET, then connect your application to ADFS.
So to get to your application, the user has to log in.
Then for the link to the 3rd party application use the IDP Initiated scenario (IdpInitiatedSignOnPage Class Overview). This sends a SAML2 token to the 3rd party application. ADFS will handle SSO for you.
To do this, you will have to configure the 3rd party application as a SAML one rather than a WS-Fed one.
We are working in an iOS application and we use back-end in azure. We have 2 types of login, one is Facebook login (using Fb as identity provider) and the other will be login directly to our system.
We decided to use ACS but we had a bunch of technical problems. My question is is it possible to create custom identity provider, which will be a service (for example WCF or WEB API) to generate a token that we pass the ACS to get the claim token. Does ACS support that kind of service interface? If so what what is the practice of generating tokens in our custom identity provider?
Thanks in advance,
Deuce
ACS can support any identity provider that speaks a protocol it understands. Depending on the backend behind your identity provider, you can use something like ADFS or write your own identity provider using WIF. ACS doesn't support mixing and matching web-based identity providers with WCF-based ones, which means that you'll need to expose a website that ACS can redirect a browser to using the WS-Federation protocol. The only external contract you have is that ACS will redirect users to you and you need to log them in (what that means for your IdP is up to you) and issue a token back to ACS.
There are literally whole books on how to write your own STS using WIF, to get started there are a number of resources that can help, including the WIF SDK (which provides a template for the STS), this whitepaper (see the section "Using Windows Identity Foundation to Build a Security Token Service"), or this blog post.