Can I use one SSO server (Apereo CAS) for authenticating web apps with different protocols (e.g. app 1 uses SAML, app 2 uses OAuth 2.0)?
Yes, you can. Some additional notes:
https://apereo.github.io/2018/02/26/cas-delegation-protocols/
Related
We have an existing MVC Angular application enabled with ADFS WS-Fed authentication. The application has many APIs hosted as part of the solution which are internally accessed by views. Now, we have a requirement for the API to be published to other developers.
I am thinking of enabling OAuth/OpenId for the endpoints and enable other developers to access. I need your inputs regarding my approach.
There is no support in ADFS 2.0 for OpenID Connect and OAuth.
The only API option you have is via WCF.
I have an existing CAS4 instance that is in use for SSO across several web applications using the CAS protocol. CAS4 and later CAS versions, including CAS5, support other SSO protocols as well. CAS4 has support for SAML, OAuth2 and OpenID 2.0. CAS5 has support for OpenID Connect, etc.
I am wondering if one application authenticates with CAS via the CAS Protocol and a second subsequent application requests access via SAML or OAuth2 if the second application will be prompted to login, i.e. defeating the "Single Sign On" feature/capability?
I would really hope that the "Single Sign On" pseudo session spans different protocols. My worry is that it does not.
CAS4 has support for SAML, OAuth2 and OpenID 2.0. CAS5 has support for OpenID Connect, etc.
Let's be slightly more accurate: CAS4 has basic support for SAML 1.1 and OAuth2, and its SAML2 support is limited to handling an integration with Google Apps. Some have managed to extend it beyond that capability and turn it into a more general-purpose SAML2 integration strategy.
CAS5 on the other hand as you note has support for SAML2 and OpenID Connect and a more improved version of OAuth2. The CAS protocol and related REST API implementations also gain quite a number of improvements in the way of working with JWTs as service tickets, etc.
I am wondering if one application authenticates with CAS via the CAS Protocol and a second subsequent application requests access via SAML or OAuth2 if the second application will be prompted to login, i.e. defeating the "Single Sign On" feature/capability?
No. That is the purpose of Single Sign-On. Regardless of what protocol you use, SSO/Authentication will continue to work fine because these are different subsystems. The thing that speaks a protocol language and the thing that validates credentials and the thing that creates and manages an SSO session all are very much independent of each other. If you find the opposite to be true in practice, that is a defect that needs a diagnosis.
I recommend you take a look at this blog post:
https://apereo.github.io/2018/02/26/cas-delegation-protocols/
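The separation the answer describes (protocol front-ends, credential validation, and SSO session management as independent subsystems) can be illustrated with a small model. The following is an added example written for this page; it is not CAS code and does not use CAS's real APIs. It assumes a hypothetical in-memory server with a CAS-style ticket front-end and an OAuth2 authorization-code front-end that both consult the same session store, a constructed user "alice", and an injectable clock so session expiry can be shown deterministically.

```python
"""Toy SSO server: two protocol front-ends sharing one session store (illustration only)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


def _pw_hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample credential store for this example: username -> (salt, hash).
USERS = {"alice": ("s4lt", _pw_hash("correct horse", "s4lt"))}

LOGIN_REQUIRED = "LOGIN_REQUIRED"


@dataclass
class SsoServer:
    """Hypothetical SSO server; the session map is shared by every protocol handler."""
    session_ttl: int = 3600
    clock: Callable[[], float] = time.time
    sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)     # tgt -> (user, expiry)
    service_tickets: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # st -> (user, service)
    auth_codes: Dict[str, Tuple[str, str]] = field(default_factory=dict)     # code -> (user, client)

    # --- subsystem 1: credential validation, knows nothing about protocols ---
    def login(self, username: str, password: str) -> Optional[str]:
        rec = USERS.get(username)
        if rec is None:
            return None
        salt, expected = rec
        if not hmac.compare_digest(_pw_hash(password, salt), expected):
            return None
        return self._create_session(username)

    # --- subsystem 2: SSO session management, also protocol-agnostic ---
    def _create_session(self, username: str) -> str:
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.sessions[tgt] = (username, self.clock() + self.session_ttl)
        return tgt

    def _session_user(self, tgt: Optional[str]) -> Optional[str]:
        rec = self.sessions.get(tgt)
        if rec is None:
            return None
        user, expiry = rec
        if self.clock() >= expiry:
            del self.sessions[tgt]  # expired session behaves like no session at all
            return None
        return user

    def logout(self, tgt: str) -> None:
        self.sessions.pop(tgt, None)

    # --- subsystem 3a: CAS-style front-end (service tickets bound to one service) ---
    def cas_login(self, tgt: Optional[str], service: str) -> str:
        user = self._session_user(tgt)
        if user is None:
            return LOGIN_REQUIRED  # only here does the user see a login form
        st = "ST-" + secrets.token_urlsafe(16)
        self.service_tickets[st] = (user, service)
        return st

    def cas_validate(self, st: str, service: str) -> Optional[str]:
        rec = self.service_tickets.pop(st, None)  # single use
        if rec is None or rec[1] != service:      # ticket must match the presenting service
            return None
        return rec[0]

    # --- subsystem 3b: OAuth2 authorization-code front-end, same session lookup ---
    def oauth_authorize(self, tgt: Optional[str], client_id: str) -> str:
        user = self._session_user(tgt)
        if user is None:
            return LOGIN_REQUIRED
        code = "AC-" + secrets.token_urlsafe(16)
        self.auth_codes[code] = (user, client_id)
        return code

    def oauth_token(self, code: str, client_id: str) -> Optional[str]:
        rec = self.auth_codes.pop(code, None)  # single use
        if rec is None or rec[1] != client_id:
            return None
        return rec[0]


def demo() -> dict:
    """Log in once through the CAS front-end, then access a second app via OAuth2."""
    now = [1000.0]
    sso = SsoServer(session_ttl=600, clock=lambda: now[0])
    out = {}
    out["before_login"] = sso.cas_login(None, "https://app1.example/")      # prompted
    tgt = sso.login("alice", "correct horse")                                 # one login
    st = sso.cas_login(tgt, "https://app1.example/")
    out["cas_user"] = sso.cas_validate(st, "https://app1.example/")
    st2 = sso.cas_login(tgt, "https://app1.example/")
    out["mismatched_service"] = sso.cas_validate(st2, "https://other.example/")
    code = sso.oauth_authorize(tgt, "app2-client")                            # not prompted
    out["oauth_user"] = sso.oauth_token(code, "app2-client")
    out["replayed_code"] = sso.oauth_token(code, "app2-client")
    now[0] += 601                                                             # session expires
    out["after_expiry"] = sso.oauth_authorize(tgt, "app2-client")
    return out
```

Running `demo()` shows the second application (OAuth2) getting a code from the session created by the first (CAS) login without a new prompt, while ticket binding, single-use codes and session expiry still hold. If a real deployment re-prompts in that situation, the answer's point stands: the failure is in the deployment, not in the protocol mix.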
I have developed an API using ASP.NET Web API 2 to be consumed by applications in my domain. I want to secure the access to the API endpoints. I've decided to use the OAuth token based token authentication for mobile app clients and web app clients.
However, there are some non-interactive Windows service clients that need to consume the API. I do not want to store login credentials to get a token in the service config; however, Windows authentication suits this type of client.
Is it possible to use a hybrid - windows and token-based authentication in ASP.NET WebApi? How?
I think the Windows authentication service from Identityserver might be a good solution for your problem
You can find more information in the WindowsAuthentication repo.
I have decided to break up the API into two. One for normal OAuth based access and the other with specific resources using Windows authentication to be consumed by non-interactive windows service clients.
Currently I have 2 relying parties setup in the same ADFS server; one for my web api and one setup for MVC application. When I get the token for authenticating in MVC app I capture this token to send it to my web api for authentication as well. This token does not work for the web api.
If I specifically make a new call for that relying party (web api) it will work, so I think that it is set up correctly in ADFS...
Is there a configuration issue in ADFS to not allow the same token to work for both?
Is this even possible?
Is this the wrong architecture in ADFS?
Should I use one relying party for both apps?
You can use Identity Delegation which helps in scenarios like this where an app calls a service instead of a user.
This similar question has some good resources:
Pass ADFS Token to a Service
Is the SAML protocol (Single Sign On) used solely for web apps and web services, or is it also used for standard applications?
REVISED:
I am looking for some windows (Standard Applications (not web based)) protocols for Single Sign On
If you are looking at Windows specifically, why not use Kerberos and Integrated Windows Authentication? It's built into Active Directory and Domain Controllers. It doesn't really work once you start crossing into the Internet and different security domains but it works well behind your firewall in a corporate environment.
However, SAML can be used for desktop applications. I've run into applications before that would retrieve the Kerberos ticket from the Desktop, make a WSTrust/RST call to an STS to validate the Kerb token and get back a SAML token in the RSTR that would be embedded into a Web Services call that the desktop application needed to make.
SAML allows secure web domains to exchange user authentication and authorization data and by definition would require an internet connection to do so. So no you would not want to use it for a desktop application.
Revised
Here are the links for Active Directory implementation with Delphi.
http://www.agnisoft.com/white_papers/active_directory.asp
http://adsi.mvps.org/adsi/Delphi/index.html