SP Initiated SSO using SAML and Spring Security - spring-security

Currently I am working with SP-initiated SSO using Spring Security and SAML. Now, during sign-in the SP forwards an authn request to the IDP and redirects to the IDP's login page for authentication. I have used the following URL code sample:
https://github.com/wiwengweng/wiwengweng/tree/master/saml2.demo/src/main/java/org/wso2/identity/saml2/demo for SSO.
Now, I want to use a local page for the user's credentials rather than the IDP's login page. So can I post the credentials during the SP--->IDP request in the assertion, which can be validated at the IDP and redirect to my home page with SSO? Is it feasible?

Related

CAS endpoint for delegated authentication to external OAuth server

I have a CAS 6 instance that I'm using as an OAuth server to authenticate a Spring webapp, using the endpoints described in https://apereo.github.io/cas/6.5.x/authentication/OAuth-Authentication.html#endpoints to retrieve AT and RT. The login page is on the webapp, not on CAS.
Now I need to add social login features (Google, Facebook and Apple), but I'm struggling to understand how to configure CAS to also act as an OAuth client and manage the redirect from the webapp login page to Facebook and then back to the website.
How can I call CAS so that the user is redirected to the Facebook login, and then back to the website, while being authenticated and obtaining an AT? Does CAS need to act as a sort of proxy?

Spring Security SAML SSO - how to specify url to which user is routed after authentication

I am working on integrating Spring Security SAML into our existing security infrastructure, to handle partner SSO. I am looking at the sample app that comes with Spring Security SAML as a template.
I see that in SAML, the SP must specify the AssertionConsumerServiceBinding to provide the return url to which the IdP will send the AuthenticationResponse.
With the Spring Security SAML sample, we set this to:
http://localhost:8080/spring-security-saml2-sample/saml/SSO.
However, after the IdP posts the AuthenticationResponse back to that url, the user's browser is redirected to
http://localhost:8080/spring-security-saml2-sample.
Can I specify a specific url to which the user will be redirected after the SSO authentication succeeds? I am not finding any documentation on this and am not seeing how it happens in the sample app.
One specifies the url to which the user should be routed after successful authentication via the defaultTargetUrl value in the successRedirectHandler bean's definition.
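As an added illustration (not taken from the question, the answer or the Spring Security SAML project's own sample files) of the bean wiring the answer refers to, in the style of the sample's securityContext.xml; the /home and /error paths and the authenticationManager bean are assumed placeholders:

```xml
<!-- SP-side SAML processing filter: consumes the IdP's Response at /saml/SSO
     and hands the outcome to the two handlers below. -->
<bean id="samlWebSSOProcessingFilter"
      class="org.springframework.security.saml.SAMLProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
    <property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
</bean>

<!-- Where the browser goes once the assertion has been validated. With
     alwaysUseDefaultTargetUrl=false (the default) a previously saved request
     (the deep link that triggered SSO) takes precedence over defaultTargetUrl. -->
<bean id="successRedirectHandler"
      class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/home"/>   <!-- assumed path -->
    <property name="alwaysUseDefaultTargetUrl" value="false"/>
</bean>

<!-- Where the browser goes if the Response fails validation at the SP
     (bad signature, expired conditions, unknown issuer, ...). A local page
     lets the SP decide what to show instead of surfacing the raw exception. -->
<bean id="authenticationFailureHandler"
      class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="useForward" value="true"/>
    <property name="defaultFailureUrl" value="/error"/>   <!-- assumed path -->
</bean>
```

The failure handler only covers Responses that reach the SP and fail validation there; a user who fails to log in at the IdP never returns to the SP, so that case cannot be handled on the SP side.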

OKTA IDP initiated Single logout is not performed

I have successfully integrated my app with OKTA via the Spring Security SAML library. The SSO works perfectly fine either from the IdP or from the SP side, but the SLO process works only if I perform a global logout via the {context}/saml/logout call and send a LogoutRequest to OKTA. In this case OKTA responds with a LogoutResponse, all my handlers do their job and I am also signed out from OKTA.
I was wondering what the default behavior of OKTA is if I log out from my OKTA account? Should OKTA send a LogoutRequest to the configured SLO endpoint on the SP side so that I am logged out by my logout handlers?

Spring security SAML : Own login page instead of ADFS login redirect

After spending a good amount of time with Spring Security SAML for ADFS login, I have become a fan of the framework.
I was able to integrate my web application with ADFS for login. But I am missing a few requirements here:
1) When we select the IDP ADFS login URL on my web application login page, it moves out of my web application to the ADFS login, which is not the desired behavior for the business.
2) I also faced the problem that, on successful login, the user object is sent back to my web application from ADFS, but in case of login failure it stays on the ADFS login page with the login error message.
With this in mind, can you please guide me on the requirements below.
1) I want to use my own login page (instead of the ADFS login redirect) to capture the username and password
2) Pass those credentials on to the ADFS server for authentication
3) User authentication flow:
3.a Once the user is authenticated, redirect the user to a success page
3.b If authentication failed, redirect the user to an error page (getting the failure response from ADFS)
The core idea of SAML-based single sign-on is to decouple the system which authenticates users (IDP, identity provider) from the systems which receive information about the user's identity without performing the authentication themselves (SP, service providers).
This model implies that the SP does not have access to the user's credentials, and therefore cannot contain a traditional login screen with username/password.
You can find more details e.g. in the wiki of SAML 2.0 Web SSO
Yes, we can do this if the IDP provides an authentication API. Okta IDP provides such an API.
Check this: okta authentication api

Authenticate using SAML-based Basic Authentication?

I have a use case where a web application needs to let users authenticate in two different ways but using the same user data store (aka IDP) via SAML.
1) User's browser is redirected to the IDP and redirected back with a SAML assertion (aka WebSSO Profile).
2) User makes a request to the SP providing their credentials via Basic Authentication. The SP would then need to send the user's credentials to the IDP and the IDP would provide an assertion, all through a back channel (server to server).
I'm using Spring Security SAML extension. The sample application in Spring SAML contains both basic authentication with username and password and SAML-based authentication but the Basic Auth portion uses local accounts defined in the securityContext.xml file. I need to use the user accounts on the IDP. Is this possible? If so, how do I configure Spring SAML?
There is no standard SAML WebSSO mechanism which would allow the SP to request an assertion for a specific user by providing her credentials. You might want to look into the WS-Trust standard, which covers such use cases using its Request Security Token methods (RST/RSTR calls). Another quite standardized way to do this is the Client Credentials grant of OAuth 2.0. Both are out of scope for Spring SAML, but can be combined with it.