SAML authentication - cloudbees

We are looking at IDaaS offerings (OneLogin, Okta, etc.) When we've asked if they support CloudBees they said they do not, but they said if you support SAML authentication that they can add support for CB very easily. Do you know if you support SAML?

There is no specific support for SAML - however applications that are hosted on the platform would well support it.

CloudBees supports SAML integration with any SAML IdP endpoint. The SAML IdP endpoint could be running on your premises or you can use IdP providers such as OneLogin, Okta, Centrify etc. they also provide CloudBees app that you can configure for SAML. Both flow - SP initiated or IdP initiated flows are supported as well.
See, http://developer-blog.cloudbees.com/2013/09/cloudbees-now-offers-saml-20.html

Centrify definitely has a pre-built SAML app for CloudBees.
You can sign up for free here to test it.
https://www.centrify.com/free-trial/

Related

Authentication/authorization provider: which one to choose for a 1 day project?

For a 1 day project (call it a hackathon) we will be looking into replacing a custom built authentication and authorization system with one that we can buy.
After all, there are people who are better at this stuff than we are.
Non-cloud, hard requirement is on-premise installation possible
Can authenticate against Active Directory using LDAP
Can authenticate using SAML against ADFS
Management of users, roles etc without a directory is an option (most likely option to actually use during the hackathon)
Use open standards, SAML, OpenID, OAuth2
There are so many SAML-based products, but many are cloud-only, which unfortunately for us is not an option (reason: our products run on closed enterprise networks), so services like Okta are unfortunately not an option :(
The following list is quite complete, but doesn't give me any indication on how hard it is to install + get up and running in a few hours:
https://en.wikipedia.org/wiki/SAML-based_products_and_services
Any suggestions for products to try?
My eye caught these ones:
miniOrange, Ping Identity, 10duke
[addition]
I am using a Java stack for web apps.
How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides the instruction on building a SAML-based Authentication/Authorization Provider using Shibboleth SAML IdP and OpenLDAP.
Shibboleth SAML IdP is responsible for identity federation.
OpenLDAP is responsible for identity authentication.
I have validated SAML Single Sign-On (SSO) provided by Docker-running Shibboleth SAML IdP (Identity Provider) and OpenLDAP for the following enterprise applications. In other words, I leveraged Docker-running Shibboleth SAML IdP and OpenLDAP to log in to the following enterprise applications successfully.
Microsoft Office 365
Google G Suite
Salesforce
Dropbox
Box
Amazon AWS
OpenStack
Citrix NetScaler
VMware vCloud Director
Oracle NetSuite
Another StackOverflow question Setting up a new Shibboleth IdP to work with an existing SAML SP discusses the SAML configuration between IdP and SP.
OpenLDAP is not OpenID Connect or OAuth 2.0
Have a look at identityserver4.
It's OpenID Connect / OAuth2 by design and it does have a plug-in SAML stack.
Or if you have a Windows server, use ADFS.
FOSS - Shibboleth or KeyCloak
The definition of 'closed' (network) might be interesting to examine. No access to outside at all, not on any port, noway/nohow? In that case, yes, you want an on-prem service. If there's gated access to outside, it's likely that many hosted identity services could work.

ADFS as OAuth2 provider / Authentication server possible?

We want to setup ADFS 3.0 to enable OAuth2 based authentication. I have read lots of documentation, but am still unclear if this is supported.
Can ADFS be used as an authorization server for oauth, or is oauth2 support in ADFS only meant to work as a client to another authorization server?
Any help for setting up adfs as oauth provider/server is appreciated.
in ADFS 2012R2 (aka ADFS 3.0), we only support the authorization grant flow. The only scenario is for public clients (say a mobile app on iOS/Android/Windows) to access a RESTful service and authorizing via JWT tokens. You can see this at https://msdn.microsoft.com/en-us/library/dn633593.aspx
With ADFS 2016 (which will release imminently), you have the full Oauth/OIDC support. With this you can build web apps, single page apps, API's, multi-tiered app systems that require On-behalf-of support, confidential clients (with support for windows service accounts acting as confidential clients). You can check this out https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/ad-fs-development

Can I integrate Apache Shiro and CAS and WS02 Identity Server

I am using Apache Shiro as a security framework for my application which also need SAML for SSO integrations. And with possible Oauth in the future.
Do I only need buji-pac4j to cover both SAML and Oauth?
With buji-pac4j, do I need to write any SAML code at all or all are taken care of by buji-pac4j framework?
If I have the buji-pac4j and use CasServer for authentication would it be possible to integrate other Identity management server such as WS02 Identity Server (which act as a federation hub) to the CasServer?
1) pac4j is a generic security engine and buji-pac4j is an adapter of pac4j for Shiro. For SAML and OAuth, you need the buji-pac4j library, but also the pac4j-saml and pac4j-oauth modules
2) you don't need to write code for SAML, it's just about configuration: https://github.com/pac4j/buji-pac4j-demo/blob/master/src/main/resources/shiro.ini#L33
3) you can use the buji-pac4j and pac4j-cas libraries to integrate your application with your CAS server, though I'm not sure it's exactly what you want to do
I highly recommend to take a look at the demo: https://github.com/pac4j/buji-pac4j-demo

Can apache Shiro be used to build an Identity Provider?

I am looking with Apache shrio framework. Looking at it authentication and authorization features can i build Identity server provider using shrio framework.
Is it possible to have features like,
Single Sign On
SAML support
Federation based on attributes
Do we need to write everything from scratch or shrio has some API's to handle such kind of features.
I read the documentation where they say about having SSO features based on Sharing of user session with multiple organizations . But i did not see any direct support API's to handle this.
To act as an IDP what shrio gives and what it does not support?
Please suggest.
Thanks,
Sohan
Shiro is a security layer that sits in front of your application. It is a security framework for a (SP) Service Provider that will issue an Authentication Request to your IdP (Identity Provider).
Open source IdP implementations that support SAML:
http://www.gluu.org/docs/
https://shibboleth.net/
This Stack Overflow question covers a way to use SAML to authenticate your user before they reach the application and provide the user's credentials as part of a http header.
Integrating Java Web App with SAML SSO
An alternative to installing and maintaining your own IdP.
https://stormpath.com/
The cost of developing, securing, and maintaining your own identity provider are likely much higher than paying a monthly fee.

How do I authenticate users to Sharepoint 2010 site, using a standard SAML IDP (not an STS)?

The problem is I have an standard SAML 2.0 Web-Profile IDP (a customized Shibboleth) that I can authenticate to Google Apps, nicely, but Microsoft decided to embrace-and-extend again, with WIF, so it seems things doesn't work off-the-shelf to have web SSO (SingleSignOn) with Sharepoint.
At least all the documentation show only how to integrate with AD FS STSs, or how to write your own STS as the protocols around claims exchange aren't standard.
From the overviews it seems feasible to have my IDP being called (redirected to) and returning the SAML response as a forced post, as usual, but it seems hard to tell WIF to just process the simple response we serve.
Thanks,
ADFS v2.0 does support SAML 2.0.
If the SP STS doesn't support this, then simply add ADFS as a trusted provider to the SP STS.
I believe that ADFS 2010 only supports WS-Federation Passive Requester Profile -- ie, no SAML 2.0 Web SSO support.
SAML 2.0 Web Profile support is possible I believe but you'll need to use a 3rd Party product like PingFederate for SAML 2.0 support unless you want to write quite a bit of custom code.
Hope this helps -
Ian