I'm migrating my Struts2 + EJB3 + WebLogic 12.2.1 + JAAS form-based web application to SSO SAML based.
For form-based authentication I implemented a javax.security.auth.spi.LoginModule, and it worked fine for years.
Now, for my migration, I removed the form-based j_security_check and related stuff from my login page.
Instead of a form-based username and password, I'm using an iframe where the username and password are posted to the web-based SSO application, and I receive the response in my action class.
SSO authentication is happening fine and I'm able to get the roles from the IdP as well.
Now, since I'm using SSO-based authentication, request.getUserPrincipal() always returns null for me.
Also, in my EJB, sessionContext.getCallerPrincipal().getName() returns <anonymous>.
Do I have to set my Principal after SSO authentication is done and after I've got the response from the IdP?
I currently have a solution with three projects
Identity Server 3 with web host
MVC Application with UseOpenIdConnectAuthentication
Asp.Net Web Form Application with UseOpenIdConnectAuthentication
Both the MVC and Web Form apps are pointing to the same Identity Server and both are configured to use the same client. The client is set up as a hybrid flow and has both the MVC and Web Form URLs registered against the client.
Both can authenticate with the same user account details and the claims identity is working fine within the applications. Both are set up using OpenID Connect authentication with the same
Client ID
Authority URL
Response Type
Scopes
SignInAsAuthenticationType (Cookies)
Both the MVC and Web Form apps are set up with UseCookieAuthentication (Cookies).
However when I transfer via a hyperlink from the WebForm application to the MVC application, it does not recognise that I am already logged in.
Can anyone tell me what I have configured wrong?
Can you please provide some code snippets from the clients' UseCookieAuthentication/UseOpenIdConnectAuthentication configurations? Is the Authority property set with a valid endpoint? With the security cookie it is case sensitive; this is important.
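The configuration the comment above asks for, written out as an added example (not code from either poster): one OWIN Startup class used unchanged in both the MVC and the Web Forms project, with the settings that have to agree between the two apps for one cookie to be accepted by both. Assumed names: IdentityServer3 at https://idsrv.example.test/identity, client id "shared-client", both apps hosted under *.example.test; the RedirectUri is the only per-app value.

```csharp
// Added example, not from the original question or answer. Assumptions: IdentityServer3
// is served at https://idsrv.example.test/identity, the client is "shared-client", and the
// MVC and Web Forms apps live on sibling hosts under example.test.
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(SharedSso.Startup))]

namespace SharedSso
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // The sign-in type is matched as an exact, case-sensitive string when the OIDC
            // middleware hands the identity to the cookie middleware, so use the same
            // constant ("Cookies") in both apps rather than retyping it.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                // Identical cookie name in both apps, scoped to the parent domain so the
                // browser sends it to mvc.example.test and webforms.example.test alike.
                CookieName = ".SharedSsoAuth",
                CookieDomain = ".example.test",
                CookieSecure = CookieSecureOption.Always,
                CookieHttpOnly = true
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                Authority = "https://idsrv.example.test/identity",   // assumed IdentityServer3 base URL
                ClientId = "shared-client",                          // assumed client id
                ResponseType = "code id_token",                      // hybrid flow, as in the question
                Scope = "openid profile",
                RedirectUri = "https://mvc.example.test/",           // per app; both URLs registered on the client
                SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType
            });
        }
    }
}
```

One more setting lives outside this file: when hosted under IIS/System.Web, the Katana cookie middleware protects the ticket with the site's machineKey, so both projects' web.config need the same explicit <machineKey validationKey="..." decryptionKey="..."/> (placeholder values here). With auto-generated keys, each app has its own key, and the second app silently rejects a cookie the first one issued, which is exactly the "not recognised as logged in" symptom described above.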
After spending a good amount of time with Spring Security with SAML for ADFS login, I have become a fan of the framework.
I was able to integrate my web application with ADFS for login. But I am missing a few requirements here:
1) When we select the IDP ADFS login URL on my web application's login page, it moves out of my web application to the ADFS login. This is not the desired behavior for the business.
2) I also faced the problem that on successful login the user object is sent back to my web application from ADFS, but in case of login failure it stays on the ADFS login page with the login error message.
With these requirements, can you please guide me on the below:
1) I want to use my own login page (instead of the ADFS login redirect) to capture the username and password
2) Pass those credentials on to the ADFS server for authentication
3) User authentication flow:
3.a Once the user is authenticated, redirect the user to the success page
3.b If authentication failed, redirect the user to the error page (getting the failure response from ADFS)
The core idea of SAML-based single sign-on is to decouple the system which authenticates users (IdP, identity provider) from the systems which receive information about the user's identity without performing the authentication (SP, service providers).
This model implies that the SP does not have access to the user's credentials, and therefore cannot contain a traditional login screen with username/password.
You can find more details e.g. in the wiki on SAML 2.0 Web SSO.
Yes, we can do this if the IdP provides an authentication API. The Okta IdP provides such an API.
Check this: Okta authentication API
In my current project I have the following architecture:
An MVC application wrapping an AngularJS application (one action is provided to load templates for templateUrl in AngularJS). Views are .cshtml instead of simple HTML pages, which gives me the flexibility to use the Razor engine and do simple things like checking if the user is in a role and not rendering that part of the HTML template.
The second project is a Web API project. Once the AngularJS application is loaded, it makes direct calls to the API endpoint and uses MVC only for template loading.
MVC+AngularJS is hosted on -> subdomain.mydomain.com
WEB API is hosted on -> subdomain2.mydomain.com
Currently the app works without any issues, but I need to add authentication, so the problem is:
How can I implement the authentication flow in a way that, if the user is not authenticated, they are redirected to the MVC login page,
Once they get authenticated, they are authenticated in the Web API as well,
If a request is made to load a template, I can access the authenticated user's roles,
and if an API call is made to the Web API, the Web API can check for authentication as well?
How can I implement the authentication flow in a way that, if the user is not authenticated, they are redirected to the MVC login page?
You can do this by enabling Forms Authentication in your application. You can find a number of documents online if you google for it.
Once they get authenticated, they are authenticated in the Web API as well.
Web APIs are designed to be stateless. For authenticating there, use token-based authentication where, once the user is authenticated, a token is passed in with each Web API request and validated at the server before processing the request.
If a request is made to load a template, I can access the authenticated user's roles.
Once the user is authenticated you can cache the user roles associated with the user's session and use that to identify their roles.
If an API call is made to the Web API, the Web API can check for authentication as well?
Use the authentication token for this, to identify each request that will be sent from the client.
We are implementing a Single Sign On process using WSO2 Identity Server. We have both Microsoft and Java web applications involved and we are facing a problem during the Single Logout processing with the Microsoft-based web apps. The issue is related to session invalidation on Identity Provider initiated SLO.
This is the scenario:
WSO2 Identity Server with a single Identity Provider configured
an ASP.NET MVC application using the ComponentSpace SAML2 assembly and Forms authentication, marking controllers with the [Authorize] attribute to ensure that users are authenticated to access them.
the DEMO Java web application provided by WSO2 to test SSO
The login process works fine. We get a session ID from WSO2 and the user is authenticated, landing on the WSO2 login form in the first app and transparently in the second one.
In the ASP.NET web app, when a successful login occurs, we authenticate the user to access [Authorize]-marked controllers by calling FormsAuthentication.SetAuthCookie(userName, false);. When the user logs out from one of the apps, WSO2 sends an SLO request to the other participants on a configured URI. When this request is received by the Microsoft one, we call the FormsAuthentication.SignOut(); method, but the session is not destroyed. If the user refreshes the browser page, their User.Authenticated property is still True, so they can still access [Authorize]-marked controllers. This makes sense in my opinion because the caller is WSO2 and not the user's browser.
We performed some investigation in the code of the JAR provided by WSO2 for Java applications, and it creates a filter on Tomcat implementing a singleton to store the relation between the WSO2 Session ID and the Session objects each time a successful login operation occurs. When WSO2 requests an SLO, the filter gets the WSO2 Session ID as a parameter, accesses the singleton HashTable to retrieve the Session object and calls the Session.Invalidate() method of the session object. If the user refreshes the browser, they get redirected to the login page. We tried to implement something similar on the ASP.NET side, but even if we get the Session object on the server side and call the Session.Abandon() method, nothing happens when the user refreshes the browser. They are still marked as authenticated.
I am not very familiar with cookies and I have the feeling that it is something related to them.
Has anyone faced a similar issue?
Any advice or suggestion will be very appreciated.
Thanks
Calling FormsAuthentication.SignOut should clear the authentication cookie. I suggest capturing the HTTP flow and confirming whether the authentication cookie has been deleted. The default name for the authentication cookie is .ASPXAUTH. Alternatively it will be the name specified in your web.config's <forms> section. For example, forms name="mycookie" would rename the cookie to mycookie. You shouldn't have to delete the ASP.NET_SessionId session ID cookie.
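An added example (not ComponentSpace's, WSO2's, or either poster's code) of the server-side pattern the question describes from the WSO2 Java filter, carried over to ASP.NET MVC. FormsAuthentication.SignOut only deletes the cookie on the response to whoever made the request; on an IdP-initiated SLO that is WSO2's server, not the user's browser, so the browser keeps a valid ticket. The fix is to remember which IdP sessions have been logged out and refuse tickets tied to them on the user's next request. Assumptions: the SAML SessionIndex from the assertion is available as a string at login, the SAML library has already validated the LogoutRequest (signature and issuer) before the SLO action runs, and the registry is in-process (a web farm would need a shared store).

```csharp
// Added example, not from the original question or answer. Assumes a single web server and
// that the caller has already validated the SAML LogoutRequest before invoking Logout().
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

namespace SloDemo
{
    // Server-side record of IdP sessions that were logged out over the back channel.
    public static class SloRegistry
    {
        private static readonly ConcurrentDictionary<string, DateTime> Revoked =
            new ConcurrentDictionary<string, DateTime>(StringComparer.Ordinal);

        public static void Revoke(string sessionIndex) => Revoked[sessionIndex] = DateTime.UtcNow;

        public static bool IsRevoked(string sessionIndex) =>
            !string.IsNullOrEmpty(sessionIndex) && Revoked.ContainsKey(sessionIndex);
    }

    public static class SsoAuth
    {
        // Replaces FormsAuthentication.SetAuthCookie: the IdP SessionIndex goes into the
        // ticket's UserData so a later request can be matched against an SLO.
        public static void SignIn(HttpResponseBase response, string userName, string sessionIndex)
        {
            var ticket = new FormsAuthenticationTicket(
                1, userName, DateTime.UtcNow, DateTime.UtcNow.AddMinutes(30),
                false, sessionIndex, FormsAuthentication.FormsCookiePath);
            var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
            {
                HttpOnly = true,
                Secure = true
            };
            response.Cookies.Add(cookie);
        }

        // Reads the SessionIndex back out of the request's forms ticket; null if absent or invalid.
        public static string CurrentSessionIndex(HttpRequestBase request)
        {
            var cookie = request.Cookies[FormsAuthentication.FormsCookieName];
            if (cookie == null) return null;
            try { return FormsAuthentication.Decrypt(cookie.Value)?.UserData; }
            catch (Exception) { return null; }   // tampered or expired ticket: treat as anonymous
        }
    }

    // Use in place of [Authorize]: a valid cookie is no longer enough once the IdP logged the session out.
    public class SloAwareAuthorizeAttribute : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (!base.AuthorizeCore(httpContext)) return false;
            var sessionIndex = SsoAuth.CurrentSessionIndex(httpContext.Request);
            if (!SloRegistry.IsRevoked(sessionIndex)) return true;
            // The browser is back after a back-channel logout: now SignOut reaches the right client.
            FormsAuthentication.SignOut();
            httpContext.Session?.Abandon();
            return false;
        }
    }

    public class SloController : Controller
    {
        // Endpoint WSO2 calls on IdP-initiated SLO; sessionIndex is taken from the validated LogoutRequest.
        [HttpPost]
        public ActionResult Logout(string sessionIndex)
        {
            if (string.IsNullOrEmpty(sessionIndex)) return new HttpStatusCodeResult(400);
            SloRegistry.Revoke(sessionIndex);
            return new HttpStatusCodeResult(200);
        }
    }
}
```

With this in place the .ASPXAUTH cookie may still be present on the user's browser after the SLO, but the next request carrying it is rejected and the cookie is cleared on that response, which is the same outcome the Tomcat filter achieves by invalidating the stored session. Entries in the registry should be pruned once the ticket lifetime (30 minutes here) has passed, since an expired ticket is rejected anyway.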
We are developing an application that works like Google login. For example, if you log in to Gmail and open the Play Store in another tab, it will automatically log you in to the Play Store.
We want to develop a similar application using ASP.NET MVC 4 and Web API & jQuery.
User Flow (login using username and password) - after login, access member details
Client Flow (client secret and client ID) - authenticate HTML, JavaScript and CSS
Do you have any suggestions on the below approach?
1. OAuth 2.0 and OWIN middleware
2. Token-based approach
3. Get HTML and JavaScript using the token per site
4. Cross-domain token handling
Do you have any sample for a resource server, where the resource server is HTML, JavaScript and CSS?
For the User Flow, you can use the OpenIdConnect middleware: https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet. There are many additional samples in AzureADSamples.
For the Client Flow, this sample gives a good example: https://github.com/AzureADSamples/WebApp-WebAPI-OAuth2-AppIdentity-DotNet.