Liferay SSO CAS LDAP - ldap

Good evening. I have to build an intranet with Liferay; the most important part is to integrate one or two existing web applications with the portal I will build. These web applications are written in PHP, so, in order not to have a separate authentication for each one, I want the user to authenticate to the portal, click on the link to one of these web applications, and not have to authenticate again for that app. For this reason I used SSO with CAS and integrated it with Liferay; I also used an LDAP directory, connected to the CAS server, to identify users.
My problem is the procedure for the other web apps: must users have the same login and password for the portal (Liferay) as for the other two PHP apps? Or can I leave each application with its own users unchanged (because in each app the user has a login and password different from the other apps)? That is, how does the coordination of the different logins and passwords between the various apps work? (This is an SSO problem; have I misunderstood the principle of how it works and how I should implement it?)
Some clarification and assistance, please?

The other web apps need to implement a so-called CAS client. The PHP one is here:
The PHP apps will typically redirect unauthenticated users to CAS, and after they have logged in the web app retrieves a SAML token. In that token, claims are found that uniquely identify the user. Applications then typically match the provided claim to their own user store or apply the concept of a virtual user.
But that is up to the implementer of the webapps.
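The round trip described in the answer above, as an added example (Python, not the original post's code and not taken from any CAS client library): ToyCasServer stands in for the CAS server the portal already uses, and CasClient is the part each web app has to implement. All user names, ticket values and URLs are constructed; in production the two calls on the server object are HTTPS requests to the CAS /login and /serviceValidate endpoints.

```python
"""CAS 2.0 login round trip, simulated in-process (added example)."""
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"


class ToyCasServer:
    """Issues service tickets and answers /serviceValidate (stand-in for the real CAS server)."""

    def __init__(self, ticket_ttl=10):
        self.ticket_ttl = ticket_ttl
        self._tickets = {}  # ticket -> (user, service, issued_at)

    def login(self, user, service, now=None):
        """The user has just authenticated against the directory; redirect back to the service with a ticket."""
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (user, service, now if now is not None else time.time())
        return f"{service}?{urlencode({'ticket': ticket})}"

    def service_validate(self, service, ticket, now=None):
        """Back channel: a ticket is single-use, time-limited and bound to the service it was issued for."""
        now = now if now is not None else time.time()
        entry = self._tickets.pop(ticket, None)  # pop: presenting the same ticket twice fails
        if entry is None:
            return self._failure("INVALID_TICKET", "ticket not recognized or already used")
        user, bound_service, issued_at = entry
        if bound_service != service:
            return self._failure("INVALID_SERVICE", "ticket was issued for a different service")
        if now - issued_at > self.ticket_ttl:
            return self._failure("INVALID_TICKET", "ticket expired")
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>'
                f"<cas:user>{escape(user)}</cas:user></cas:authenticationSuccess></cas:serviceResponse>")

    @staticmethod
    def _failure(code, message):
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
                f'<cas:authenticationFailure code="{code}">{escape(message)}</cas:authenticationFailure>'
                "</cas:serviceResponse>")


class CasClient:
    """What each web app implements: redirect to CAS, validate the returned ticket, map to a local user."""

    def __init__(self, cas, cas_base_url, service_url, local_users):
        self.cas = cas
        self.cas_base_url = cas_base_url
        self.service_url = service_url
        self.local_users = local_users  # CAS user id -> this app's own account record

    def login_redirect(self):
        """Where an unauthenticated browser is sent."""
        return f"{self.cas_base_url}/login?{urlencode({'service': self.service_url})}"

    def handle_callback(self, callback_url, now=None):
        """Validate the ticket carried in the callback URL; return the local account or None."""
        ticket = parse_qs(urlparse(callback_url).query).get("ticket", [None])[0]
        if not ticket:
            return None
        response = ET.fromstring(self.cas.service_validate(self.service_url, ticket, now))
        user_el = response.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
        if user_el is None:
            return None  # authenticationFailure: trust nothing else in the response
        cas_user = user_el.text
        # The app never sees a password; it only maps the CAS identity to one of its own accounts.
        account = self.local_users.get(cas_user)
        if account is None:
            # "Virtual user": created on first SSO login, so the user stores need not be kept in sync
            account = {"login": cas_user, "virtual": True}
            self.local_users[cas_user] = account
        return account


def demo():
    """Happy path plus the failure modes; returns the outcomes for inspection."""
    cas = ToyCasServer(ticket_ttl=10)
    app1 = CasClient(cas, "https://cas.example.org/cas", "https://app1.example.org/",
                     {"alice": {"login": "alice", "virtual": False}})
    app2 = CasClient(cas, "https://cas.example.org/cas", "https://app2.example.org/", {})
    cb = cas.login("alice", app1.service_url, now=100)
    alice = app1.handle_callback(cb, now=101)          # known account in app1, no local password used
    replay = app1.handle_callback(cb, now=102)         # same ticket again: rejected
    cb_app1 = cas.login("alice", app1.service_url, now=100)
    cross = app2.handle_callback(cb_app1.replace(app1.service_url, app2.service_url), now=101)  # wrong service
    bob = app2.handle_callback(cas.login("bob", app2.service_url, now=100), now=101)  # virtual user
    stale = app1.handle_callback(cas.login("alice", app1.service_url, now=100), now=200)  # expired
    return {"alice": alice, "replay": replay, "cross_service": cross, "bob": bob, "stale": stale}
```

The point for the question asked: the PHP apps never receive or store the portal password. They receive a one-shot ticket, validate it over a back channel, and decide for themselves whether the returned identity maps to an existing account or becomes a virtual user.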

Related

How to implement authentication based on organization

I'm building a web app using Clojure and ClojureScript and I need it to have authentication based on a white-list of organizations. For example, let's say I've added University1.edu to my white-list; when a student from that university wants to log in to my web app, they would be redirected to their own university's login system. After that I would just get a confirmation of whether or not they successfully logged in there, and maybe create a session, cookies, or something for them.
Is that possible and if so, how can I implement that?
Some common ways to implement this kind of authentication scheme are OAuth2 and OpenID, which are commonly used on websites where you can log in with your social / Twitter / Facebook / Google account.
Using OAuth, for instance, you register your website in some developer portal (depending on the service that you'll use to authenticate) and obtain a token that you'll use during the login flow; after logging in on their portal, users are redirected back to your site.
In order for this to work, every organization (e.g. University1) needs to be a provider of this authentication scheme, so that's something you'll need to research.
In Clojure there are a couple of options: the buddy library seems to be a popular choice, but you could also use some Java libraries through interop.
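The white-list flow from the answer above, as an added example in Python (not the original post's code and not the buddy library): the user's e-mail domain selects that organization's OpenID Connect provider, and the identity that comes back is accepted only if that same provider issued it for this login attempt and for its own domain. Provider URLs, client ids and ID-token claims are constructed; verifying the ID token's signature, which any OIDC library does, is assumed to have happened before accept_identity() receives the claims.

```python
"""Organization white-list login over OpenID Connect (added example)."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT_URI = "https://myapp.example/oidc/callback"

# The white-list: e-mail domain -> that organization's own provider (constructed values)
ORG_PROVIDERS = {
    "university1.edu": {
        "issuer": "https://login.university1.edu",
        "authorize_url": "https://login.university1.edu/authorize",
        "client_id": "myapp-at-u1",
    },
}


class OrgLogin:
    def __init__(self, providers):
        self.providers = providers
        self._pending = {}  # state -> (domain, code_verifier, nonce)

    def start(self, email):
        """Build the authorization URL for the user's organization; refuse domains not white-listed."""
        domain = email.rsplit("@", 1)[-1].lower()
        idp = self.providers.get(domain)
        if idp is None:
            raise PermissionError(f"{domain} is not on the white-list")
        state = secrets.token_urlsafe(32)     # ties the callback to this login attempt
        nonce = secrets.token_urlsafe(32)     # must be echoed inside the ID token
        verifier = secrets.token_urlsafe(64)  # PKCE: the token request must prove it knows this
        self._pending[state] = (domain, verifier, nonce)
        challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=")
        params = {
            "response_type": "code", "client_id": idp["client_id"], "redirect_uri": REDIRECT_URI,
            "scope": "openid email", "state": state, "nonce": nonce,
            "code_challenge": challenge.decode(), "code_challenge_method": "S256",
        }
        return f"{idp['authorize_url']}?{urlencode(params)}"

    def callback(self, callback_url):
        """Consume the state exactly once; return the org and the parameters for the token request."""
        q = parse_qs(urlparse(callback_url).query)
        pending = self._pending.pop(q.get("state", [None])[0], None)
        if pending is None or "code" not in q:
            raise PermissionError("unknown, replayed or incomplete callback")
        domain, verifier, nonce = pending
        token_request = {  # POSTed to the provider's token endpoint (network call not shown)
            "grant_type": "authorization_code", "code": q["code"][0], "redirect_uri": REDIRECT_URI,
            "client_id": self.providers[domain]["client_id"], "code_verifier": verifier,
        }
        return domain, nonce, token_request

    def accept_identity(self, domain, nonce, claims):
        """Accept signature-verified claims only if that organization's provider issued them for us."""
        idp = self.providers[domain]
        aud = claims.get("aud")
        aud = aud if isinstance(aud, list) else [aud]
        if claims.get("iss") != idp["issuer"]:
            raise PermissionError("token not issued by the provider the user was sent to")
        if idp["client_id"] not in aud or claims.get("nonce") != nonce:
            raise PermissionError("token was not issued for this login attempt")
        email = claims.get("email", "")
        # A provider may only vouch for its own domain, or University1 could mint University2 accounts
        if not claims.get("email_verified") or email.rsplit("@", 1)[-1].lower() != domain:
            raise PermissionError("asserted e-mail is outside the organization's domain")
        return {"subject": claims["sub"], "email": email, "org": domain}


def demo():
    """Happy path plus the rejections; claims are constructed. Returns outcomes for inspection."""
    login, out = OrgLogin(ORG_PROVIDERS), {"rejections": 0}
    try:
        login.start("someone@unlisted.example")
    except PermissionError:
        out["unlisted_rejected"] = True
    url = login.start("student@University1.edu")
    state = parse_qs(urlparse(url).query)["state"][0]
    cb = f"{REDIRECT_URI}?code=abc123&state={state}"
    domain, nonce, token_request = login.callback(cb)
    out["domain"], out["pkce"] = domain, "code_verifier" in token_request
    good = {"iss": "https://login.university1.edu", "aud": "myapp-at-u1", "nonce": nonce,
            "sub": "u-42", "email": "student@university1.edu", "email_verified": True}
    out["accepted"] = login.accept_identity(domain, nonce, good)
    for bad in (dict(good, email="dean@university2.edu"), dict(good, iss="https://login.other.example")):
        try:
            login.accept_identity(domain, nonce, bad)
        except PermissionError:
            out["rejections"] += 1
    try:
        login.callback(cb)  # the same state presented a second time
    except PermissionError:
        out["state_replay_rejected"] = True
    return out
```

The domain check in accept_identity is the part specific to a multi-organization white-list: each provider is trusted only for users in its own domain, so one listed university cannot assert an identity belonging to another.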

Multiple identity providers

Here are my specifications:
Some users of my application are employees of the company and must use Active Directory to connect.
Others are external users who are referenced in the application database.
Once authenticated, the user receives a JWT token, and it's this token which gives him access (RBAC) to the services of the application.
So I have to implement an authentication system that manages three methods: LDAP, JDBC and JWT.
How can we do that with Quarkus?
With WildFly, my authentication module tries to validate the login successively against a list of realms.
A simple solution seems to be to use Keycloak to aggregate the different providers,
but I've been asked to preferably have only one executable to deploy.
So I'm looking for a standalone solution.
Thanks

Liferay user authentication

How do I authenticate with Liferay by passing the user's email and password as parameters? If authentication succeeds I will redirect to a different web application. Actually, I want to authenticate the user without using the sign-in portlet. Is there any way we can hit a URL and get a response text so we can identify that the user is authenticated? I followed this link but didn't get a proper response.
Liferay integrates with a lot of different SSO (Single-Sign-On) systems on the market. Instead of reinventing the wheel, you should use one of those integrations. This way you're free to use whatever your SSO uses to authenticate the user and it will provide your user's identity to Liferay as well as to any other application.
For Liferay EE, you also have the option to make Liferay your "SSO" by utilizing the SAML plugin, turning Liferay into an IdP (Identity Provider) and making your other application an SP (Service Provider).
The whole field of forwarding the identity of users has been solved, and one shouldn't mess around with redirecting with any self-invented authentication scheme, IMHO.

Adding SSO to an existing MVC application

We have an existing MVC application which is used by multiple customers.
Currently, each customer is given a URL to our application e.g. https://myapp/mycustomername.
When they go there, they are presented with a login screen.
For some customers (not all) we want to implement SSO and authenticate their users against their Active Directory, so that they never see the login screen (unless the SSO authentication fails).
Most customers won't be using this functionality.
My first question is: is this doable? Is it possible to have an MVC application which uses both SSO and forms authentication?
If so, can anyone point me to any links explaining the process?
I've seen some good information, such as this tutorial but I can't find anything that matches my scenario.
Thanks.
This is surely a doable task.
The steps would be:
Identify the tenant name from the URL
Get the identity setting
If forms authentication, show them the login page
If SSO is enabled, redirect to their ADFS URL
When you onboard your tenant, you will have to maintain the following metadata:
TenantName
AuthenticationType : {forms / ADFS}
SSO URL
SSO Federation Metadata URL
etc.
We did one such implementation that supports ADFS and social logins along with forms authentication too.
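The per-tenant dispatch from the steps above, as an added example (Python rather than the question's ASP.NET MVC, and not the answerer's implementation). The tenant name is taken from the first URL segment and checked against the onboarding metadata before it is used for anything; forms tenants get the login page, ADFS tenants get a WS-Federation sign-in redirect; on the way back the token must have been issued by that tenant's own STS, otherwise the user falls through to the login page as the question requires. Tenant names, URLs and claim values are constructed, and validating the token signature against the tenant's federation metadata is assumed to have happened before complete_sso() is called.

```python
"""Per-tenant choice between forms login and ADFS (WS-Federation) SSO (added example)."""
import re
from urllib.parse import parse_qs, urlencode

APP_BASE = "https://myapp"
REALM = "https://myapp/"  # wtrealm: the identifier each tenant's ADFS issues tokens for

# Metadata captured when a tenant is onboarded (constructed values)
TENANTS = {
    "contoso": {
        "auth_type": "adfs",
        "sso_url": "https://sts.contoso.example/adfs/ls/",
        "metadata_url": "https://sts.contoso.example/FederationMetadata/2007-06/FederationMetadata.xml",
        "issuer": "http://sts.contoso.example/adfs/services/trust",
    },
    "fabrikam": {"auth_type": "forms"},
}
_TENANT_RE = re.compile(r"^[a-z0-9-]{1,40}$")


def resolve_tenant(path):
    """The first path segment names the tenant; reject anything that was not onboarded."""
    segment = path.strip("/").split("/", 1)[0].lower()
    if not _TENANT_RE.match(segment) or segment not in TENANTS:
        raise KeyError("unknown tenant")
    return segment


def login_page(tenant):
    return "login_page", f"{APP_BASE}/{tenant}/login"


def start_login(path):
    """Returns ('login_page', url) for forms tenants or ('redirect', adfs_url) for SSO tenants."""
    tenant = resolve_tenant(path)
    cfg = TENANTS[tenant]
    if cfg["auth_type"] == "forms":
        return login_page(tenant)
    params = {
        "wa": "wsignin1.0",  # WS-Federation sign-in request
        "wtrealm": REALM,
        "wreply": f"{APP_BASE}/{tenant}/sso/callback",
        "wctx": urlencode({"tenant": tenant}),  # echoed back so the callback knows which tenant started
    }
    return "redirect", f"{cfg['sso_url']}?{urlencode(params)}"


def complete_sso(path, wctx, claims):
    """Callback from ADFS: sign in only on a token from this tenant's STS, else show the login page."""
    tenant = resolve_tenant(path)
    cfg = TENANTS[tenant]
    ctx_tenant = parse_qs(wctx).get("tenant", [None])[0]
    if cfg["auth_type"] != "adfs" or ctx_tenant != tenant:
        return login_page(tenant)  # wctx and URL disagree: someone crossed the wires
    # A token signed by tenant A's ADFS must never sign anyone into tenant B, so the
    # issuer is compared with the tenant's own metadata and the audience with our realm.
    if not claims or claims.get("iss") != cfg["issuer"] or claims.get("aud") != REALM:
        return login_page(tenant)  # SSO failed: the question's fallback to the login screen
    return "signed_in", f"{tenant}:{claims['upn']}"
```

The issuer comparison is what keeps the tenants apart once more than one of them uses ADFS: every customer's STS produces syntactically valid tokens, so "the signature verifies" is not enough; it has to verify against the metadata of the tenant named in the URL.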

Best way for a remote web app to authenticate users in my current web app?

So a bit of background, I'm working on an existing web application which has a set of users, who are able to log in via a traditional login screen with a user name and password, etc.
Recently we've managed to score a client (who have their own Intranet site), who are wanting to be able to have their users log into their Intranet site, and then have their users click a link on their Intranet which redirects to our application and logs them into it automatically.
I've had two suggestions on how to implement this so far:
Create a URL which takes 2 parameters ("username" and "password") and have the Intranet site pass those parameters to us (our connection is over SSL/TLS so it's all encrypted). This would work fine, but it seems a little "hacky", and also means that the logins and passwords have to be the same on both systems (and we'd have to write some kind of web service which can update the passwords for users, which also seems a bit insecure).
Provide a token to the Intranet, so when the client clicks on a link on the Intranet it sends the token to us along with the user name (and no password), which means they're authenticated. Again, this sounds a bit hacky, as isn't that essentially the same as providing everyone with the same password to log in?
So to summarise, I'm after the following things:
A way for the users who are already authenticated on the Intranet to log into our system without too much messing around, and without using an external system to authenticate, i.e. LDAP / Kerberos
Something which isn't too specific to this client, and can easily be implemented by other Intranets to log in
Both of your suggested options are insecure, even if you use SSL. Never pass credentials on a URL; put them in the HTTP request by using POST.
There is a standard called SAML and this can be used to solve your problem. The challenge is choosing which version to implement. I would choose SAML 2.0.
Google Apps implements a flavor of SAML 2.0 and allows you to authenticate using your intranet credentials. In the case of your application, you would be the service provider and your client would be the identity provider. As long as you implement the standard correctly, you should be able to support any new client (identity provider). Here is a list of SAML implementations you might want to take a look at. If you need the client to pass over information in addition to the authentication information, SAML can facilitate this with metadata.
You will still need to implement SSL to encrypt network traffic.
I hate to answer my own question, but I hate even more a question with no answer. In the end we went with an implementation very similar to SalesForce's delegated authentication SSO.
http://wiki.developerforce.com/page/How_to_Implement_Single_Sign-On_with_Force.com
Essentially the solution has a trusted site, known as the delegated authentication authority, which has a list of users who are logged into the company intranet.
When the user logs into the company intranet and clicks a link to our application, the company intranet passes the user name and a generated token (which expires after a set amount of time) to our application.
Our application then checks whether the user name exists on our site, and if so sends the username/token (along with the source IP and a few other parameters) to the delegated authentication authority. If all those items match on the delegated authentication authority, it returns true and the user can log in; if it returns false, the user is denied access.
We've found this system to work quite well, and we even implemented a couple of extra security features like SSL, client-side certificates, a VPN tunnel, and even restricting the IP addresses which can access the site and the delegated authentication authority.
I know it's bad form to answer your own question but I hope this helps someone else who might be having the same problem ...
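The delegated authentication exchange described in that answer, as an added example in Python with both sides in one process (this is not the poster's code nor Salesforce's, and the answer does not say how its token is built: the HMAC construction, the single-use tracking and all names and addresses are this example's own choices). In production the call from OurApplication to the authority is the mutually authenticated HTTPS back channel the poster describes, not a method call.

```python
"""Delegated authentication: intranet issues a short-lived token, our app checks it
with the delegated authentication authority before granting a session (added example)."""
import hashlib
import hmac
import secrets


class DelegatedAuthAuthority:
    """Intranet side: knows who is logged in there, from which address, and which tokens it issued."""

    def __init__(self, key, ttl=60):
        self._key = key        # shared only with this service; the app never sees it
        self.ttl = ttl
        self._sessions = {}    # user -> source IP of their intranet session
        self._used = set()     # tokens already redeemed (single use, an addition over the answer)

    def intranet_login(self, user, ip):
        self._sessions[user] = ip

    def issue_token(self, user, now):
        """Called by the intranet page that renders the link to our application."""
        exp = int(now) + self.ttl
        nonce = secrets.token_hex(8)
        return f"{exp}.{nonce}.{self._mac(user, exp, nonce)}"

    def validate(self, user, token, source_ip, now):
        """Back-channel check from our application: True only if every item matches."""
        try:
            exp, nonce, mac = token.split(".")
            exp = int(exp)
        except ValueError:
            return False
        if not hmac.compare_digest(mac, self._mac(user, exp, nonce)):
            return False  # forged, tampered, or issued for a different user name
        if now > exp or token in self._used:
            return False  # expired or replayed
        if self._sessions.get(user) != source_ip:
            return False  # not logged in on the intranet, or coming from another address
        self._used.add(token)
        return True

    def _mac(self, user, exp, nonce):
        msg = f"{user}|{exp}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


class OurApplication:
    """Our side: the link from the intranet lands here carrying the user name and the token."""

    def __init__(self, authority, known_users):
        self.authority = authority
        self.known_users = set(known_users)

    def sso_login(self, user, token, source_ip, now):
        """Returns a session record, or None when the user is denied."""
        if user not in self.known_users:
            return None  # the answer's first check: the user must exist on our site
        if not self.authority.validate(user, token, source_ip, now):
            return None  # authority said false
        return {"user": user, "via": "delegated", "ip": source_ip}


def demo():
    """Happy path and each way the check fails; all values constructed, time passed explicitly."""
    authority = DelegatedAuthAuthority(key=b"constructed-shared-secret", ttl=60)
    app = OurApplication(authority, known_users={"alice", "carol"})
    authority.intranet_login("alice", "10.1.2.3")
    authority.intranet_login("bob", "10.1.2.4")
    tok = authority.issue_token("alice", now=1000)
    return {
        "alice": app.sso_login("alice", tok, "10.1.2.3", now=1010),
        "replay": app.sso_login("alice", tok, "10.1.2.3", now=1011),
        "wrong_ip": app.sso_login("alice", authority.issue_token("alice", now=1000), "10.9.9.9", now=1010),
        "expired": app.sso_login("alice", authority.issue_token("alice", now=1000), "10.1.2.3", now=1100),
        "unknown_user": app.sso_login("bob", authority.issue_token("bob", now=1000), "10.1.2.4", now=1010),
        "renamed": app.sso_login("carol", authority.issue_token("alice", now=1000), "10.1.2.3", now=1010),
    }
```

Binding the MAC to the user name is what answers the poster's own objection to option 2 ("the same password for everyone"): a token is only good for the one user it was minted for, for one use, within its lifetime, from the address the intranet saw, and our application still cannot mint one itself because it never holds the key.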