I have a CAS 6 instance that I'm using as a OAuth server to authenticate a Spring webapp, using the endpoints described in https://apereo.github.io/cas/6.5.x/authentication/OAuth-Authentication.html#endpoints to retrieve AT and RT. The login page is on the webapp, not on CAS.
Now I need to add social login features (Google, Facebook and Apple), but I'm struggling to understand how to configure CAS to act also as a OAuth client and manage the redirect from webapp login page to Facebook and then back to the website.
How can I call CAS so that the user is redirected to Facebook login, and then back to the website, while being authenticated obtaining an AT? Does CAS need to act as a sort of proxy?
Related
I read about saml and openid connect on the web.
I am trying to implement asp.net mvc project with following requirements.
User logins my website.
User clicks external site link(ex trello.com) and redirected to external site login page.
After sign in a consent screen opens with predefined scopes.User approves and return back to my site.
Id token and access token are received.
To my knowledge, until now you can proceed with openid connect.
However I can't figure out how I can accomplish following requirement with openid connect.
After granting access (previous steps via authorization code flow) whenever user logins my site and clicks external site link, user will be automatically signed on external site. (Like Appdirect and Telstra do)
I know I can implement requirement 5 with SAML but I couldn't find a way to do with openid connect.
This is essentially SSO and SSO works like:
Application A authenticates with IDP X
Application B authenticates with IDP X
When user goes to B, they are already signed on with the same IDP and so they don't see a login screen.
But if user goes to:
Application C authenticates with IDP Y
they will not get SSO.
Here is my Problem statement:
I want to do OAuth authentication with external Authorization Server(say External Identity Provider) But user should provide credentials on my custom login page. I know when we do Oauth user must be redirected to Identity provider to authenticate and complete OAuth dance. But in my case, I want user to provide credentials on my login screen. No where in the process, user should see the identity provider login page. Any thoughts?
If the user enters his credentials on your login page, how will your app verify these creds with the identity server?
The idea of oAuth is that you app (the client app) will not be exposed to the user's creds.
Note: If there is a tight relationship between the client app and the identity-provider (e.g. Facebook and the Facebook app for mobile) so you can perform this with Resource Owner Password Credentials grant type.
After spending good time in Spring security with SAML for ADFs login , I am became fan of framework.
I was able to integrate my web application with ADFS for login. But I am missing few requirement here :
1) When we select IDP ADFS login url on my web application login page ,it is moving out of my web application to ADFS login. Which is not desire behavior for business.
2) Also faced problem that , as on successful login user object sent back to my web application from ADFS but in case of login failure it is staying on ADFS login page with login error message.
With this requirement can you please guide me for below requirements.
1) I want to use my own login page (instead of ADFS login redirect) to capture the username and password
2) Pass on those credentials to ADFS server for authentication
3) User authentication flow:
3.a Once user is authenticated, then redirect user to success page
3.b If authentication failed then redirect user to error page. ( Getting failure response from ADFS)
The core idea of SAML-based single sign-of is to decouple system which authenticates users (IDP - identity provider) from the systems which receive information about user's identity without performing the authentication (SP - service providers).
This model implies that SP does not have access to user's credentials, and therefore cannot contain a traditional login screen with username/password.
You can find more details e.g. in wiki of SAML 2.0 Web SSO
Yes, We can do this if IDP provides the authentication API. Okta IDP provides such API.
Check this:okta authentication api
I'm building an app that requires users to authenticate with Salesforce. However, the problem I'm encountering occurs when Okta (SSO) steps in to authenticate the user automatically. The user is authenticated and redirected to the Salesforce home page, rather than the OAuth callback redirect as configured in the connected app (and passed as query param).
This is happening between steps 3 and 4 on this diagram:
Question: Is there a way I can prevent Okta from automatically authenticating a user on a page?
Just wanted to circle back and post my answer. It was simply the authorization server url. Instead of directing a user to a specific Salesforce instance (i.e., "na17.salesforce.com"), use the Salesforce auth server (i.e., "login.salesforce.com"). This keeps Okta from identifying the specific subdomain and trying to authenticate.
I have employees on google apps id like to authenticate (with their google apps username and password) at login.mydomain.com > authenticate without being redirected to the google login page > send them to gmail.
Would I do this via Oauth 2.0 or OpenID? A simpler method perhaps?
Of course you can use oAuth.
you could use Google Accounts as your identity provider, and configure your resource-server (your application, I guess) to redirect your users to Google account, and give their creds there.
The flow: your users will try to access your resource-server (your app?), then, since it is protected by oAuth, they will be redirected to Google Accounts for authentication and authorization. after authentication, oAuth mechanism will redirect your users back to the original URL (your app)
HTH