OKTA IDP initiated Single logout is not performed - spring-security

I have successfully integrated my app with OKTA via the Spring Security SAML library. SSO works perfectly fine from either the IdP or the SP side, but the SLO process works only if I perform a global logout via the {context}/saml/logout call and send a LogoutRequest to OKTA. In this case OKTA responds with a LogoutResponse, all my handlers do their job and I am also signed out from OKTA.
I was wondering what the default behavior of OKTA is if I log out from my OKTA account. Should OKTA send a LogoutRequest to the configured SLO endpoint on the SP side, so that I am logged out by my logout handlers?

Related

CAS endpoint for delegated authentication to external OAuth server

I have a CAS 6 instance that I'm using as an OAuth server to authenticate a Spring webapp, using the endpoints described in https://apereo.github.io/cas/6.5.x/authentication/OAuth-Authentication.html#endpoints to retrieve AT and RT. The login page is on the webapp, not on CAS.
Now I need to add social login features (Google, Facebook and Apple), but I'm struggling to understand how to configure CAS to also act as an OAuth client and manage the redirect from the webapp login page to Facebook and then back to the website.
How can I call CAS so that the user is redirected to the Facebook login and then back to the website, while being authenticated and obtaining an AT? Does CAS need to act as a sort of proxy?

Configuring OpenAM as an intermediate authentication REST service which uses another service to authenticate

I have a really interesting and difficult task. What I need is to realise the following authentication chain.
Imagine that you have a secured application; let's say it's a Java Spring Boot app, but it doesn't matter. The authentication flow is going to be as follows:
The user goes to my Spring Boot app for the first time and sees the login form.
The user types his username and password.
My app takes this data and sends a REST request to an OpenAM instance.
The OpenAM instance receives the request, takes the user credentials and sends another authentication request to another identity service via SAML.
If the identity service says that the user exists, OpenAM creates a JWT token and sends it back to my app in the response.
My app sends this JWT back to the client, and the client sends this JWT token with every subsequent request to my backend, which validates this token.
My problem is that I am new to SSO and OpenAM in particular. But what I've already done is configure two instances of OpenAM. One works as the Identity Server, and the second works as the Service Provider. But I have no idea what to do next.
How do I configure the OpenAM instance which works as the Service Provider so that it can receive a simple REST request with user credentials and then send it to the Identity Provider via SAML? And is it even possible to implement my case?
Thank you!
This does not work when you use OpenAM REST-based authentication; however, it would work when you just do SSO from your app with OpenAM, e.g. via SAML or OIDC or a REST SSO call.
OpenAM could then act as a 'federation hub'. At OpenAM you can delegate the Authentication via SAML or OIDC to an upstream IdP where the actual authentication happens.

OpenID Connect Identity Provider initiated backchannel logout not working

I'm working on a java Spring Boot project that manages users and sessions internally. It relies on OIDC, AWS Cognito being the Identity Provider, for sign-in and, I would hope, sign-out of the users.
What I understand from the OIDC Spec for backchannel logout is that:
I must provide an endpoint for logout in my backend application. I am using Pac4J as my OIDC library in a Java Spring Boot application, and have enabled the logout endpoint as per the Pac4J Spring Security documentation.
The Identity Provider (AWS Cognito) should send a request to the logout endpoint if the user is signed out from the Identity Provider.
When I receive a valid call (as per the OIDC spec) on this endpoint, I must destroy the user's session with my application.
However, the user being logged out of the Identity Provider (AWS Cognito) does not seem to result in a call to the logout endpoint of my application.
I am unable to find documentation for this backchannel behaviour in the AWS Cognito docs.
Have I understood the backchannel logout correctly?
Is this currently unsupported as OIDC logout is still (as of March 12, 2019) in draft status?
I contacted the main developer of Pac4J who was very prompt to reply.
AWS Cognito:
Currently does not seem to support backchannel logout
Pac4J:
Backchannel logout is currently not supported by the library for OIDC, and it isn't on the roadmap either: https://groups.google.com/forum/?fromgroups#!topic/pac4j-users/SD_IgKVZWvM. The /logout referenced in the documentation is for internal (to the app) logout + (if configured) forwarding a logout request to the identity provider. It is NOT an OIDC back-channel logout endpoint.
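Whatever a given IdP does, the RP side of back-channel logout is a POST endpoint that validates the logout token before it touches any session. The class below is an added example, not Pac4J, Spring or Cognito code, of that validation using the Nimbus JOSE+JWT library (assumed to be on the classpath). The issuer, client_id, key id and session identifiers are constructed for the demo, and the main method stands in for the OP so the class runs offline.

```java
import java.text.ParseException;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/** Validates an OIDC back-channel logout token (the JWT the OP POSTs as logout_token). */
public final class LogoutTokenValidator {

    public static final String LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";

    private final String expectedIssuer;
    private final String clientId;
    private final JWSVerifier verifier;
    private final long maxAgeSeconds;
    // jti values already accepted: a logout token is single-use. A production
    // deployment would evict entries older than maxAgeSeconds.
    private final Set<String> seenJti = ConcurrentHashMap.newKeySet();

    public LogoutTokenValidator(String expectedIssuer, String clientId, JWSVerifier verifier, long maxAgeSeconds) {
        this.expectedIssuer = expectedIssuer;
        this.clientId = clientId;
        this.verifier = verifier;
        this.maxAgeSeconds = maxAgeSeconds;
    }

    /** The subject and/or OP session id whose local sessions must be terminated. */
    public record LogoutTarget(String sub, String sid) { }

    private static void require(boolean ok, String reason) {
        if (!ok) throw new SecurityException(reason);
    }

    public LogoutTarget validate(String logoutToken) throws ParseException, JOSEException {
        SignedJWT jwt = SignedJWT.parse(logoutToken);
        // Pin the algorithm before verifying: "none", or an HMAC alg keyed with the
        // OP's public RSA key, are the classic JWT algorithm-confusion attacks.
        require(JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm()), "unexpected alg");
        require(jwt.verify(verifier), "signature verification failed");
        JWTClaimsSet c = jwt.getJWTClaimsSet();
        require(expectedIssuer.equals(c.getIssuer()), "wrong iss");
        require(c.getAudience() != null && c.getAudience().contains(clientId), "aud lacks our client_id");
        Date iat = c.getIssueTime();
        long age = iat == null ? Long.MAX_VALUE : (System.currentTimeMillis() - iat.getTime()) / 1000;
        require(age <= maxAgeSeconds && age >= -60, "iat missing or outside window");   // 60 s skew
        // The events claim must carry the back-channel logout member.
        Object events = c.getClaim("events");
        require(events instanceof Map && ((Map<?, ?>) events).containsKey(LOGOUT_EVENT), "not a logout event");
        // A nonce marks an ID token; forbidding it stops a captured ID token being
        // replayed as a logout token.
        require(c.getClaim("nonce") == null, "nonce present");
        String sub = c.getSubject();
        String sid = c.getStringClaim("sid");
        require(sub != null || sid != null, "neither sub nor sid present");
        String jti = c.getJWTID();
        require(jti != null && seenJti.add(jti), "jti missing or already used");
        return new LogoutTarget(sub, sid);
    }

    // Stand-alone demo with a constructed OP key and tokens. A real OP's key would be
    // fetched from its JWKS endpoint and selected by the kid header.
    public static void main(String[] args) throws Exception {
        String issuer = "https://op.example.com";      // hypothetical OP
        String clientId = "my-relying-party";          // hypothetical client_id
        RSAKey opKey = new RSAKeyGenerator(2048).keyID("op-key-1").generate();
        LogoutTokenValidator validator = new LogoutTokenValidator(
                issuer, clientId, new RSASSAVerifier(opKey.toRSAPublicKey()), 120);

        JWTClaimsSet logoutClaims = new JWTClaimsSet.Builder()
                .issuer(issuer).audience(clientId).issueTime(new Date())
                .jwtID(UUID.randomUUID().toString())
                .subject("user-123").claim("sid", "op-session-42")
                .claim("events", Map.of(LOGOUT_EVENT, Map.of()))
                .build();
        String logoutToken = sign(opKey, logoutClaims);
        System.out.println("accepted: " + validator.validate(logoutToken));

        try {   // the same token delivered twice is rejected by the jti cache
            validator.validate(logoutToken);
        } catch (SecurityException e) {
            System.out.println("replay rejected: " + e.getMessage());
        }

        JWTClaimsSet idTokenClaims = new JWTClaimsSet.Builder()   // shaped like an ID token
                .issuer(issuer).audience(clientId).issueTime(new Date())
                .jwtID(UUID.randomUUID().toString()).subject("user-123")
                .claim("nonce", "login-nonce").build();
        try {
            validator.validate(sign(opKey, idTokenClaims));
        } catch (SecurityException e) {
            System.out.println("ID token rejected: " + e.getMessage());
        }
    }

    private static String sign(RSAKey key, JWTClaimsSet claims) throws JOSEException {
        SignedJWT jwt = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(key.getKeyID()).build(), claims);
        jwt.sign(new RSASSASigner(key));
        return jwt.serialize();
    }
}
```

Wire validate() behind a POST handler that reads the logout_token form parameter, terminates every local session recorded for the returned sub or sid, and answers 200 with Cache-Control: no-store, or 400 on any exception. The RP has to maintain its own sid-to-session mapping at login time, because the OP's sid is not the HttpSession id.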

SP Initiated SSO using SAML and Spring Security

Currently I am working with SP-initiated SSO using Spring Security and SAML. Now, during sign-in the SP forwards an authn request to the IdP and redirects to the IdP's login page for authentication. I have used the following URL code sample:
https://github.com/wiwengweng/wiwengweng/tree/master/saml2.demo/src/main/java/org/wso2/identity/saml2/demo for SSO.
Now, I want to use a local page for the user's credentials rather than the IdP's login page. So can I post the credentials during the SP--->IdP request in an assertion which can be validated at the IdP and redirect to my home page with SSO? Is it feasible?

Spring SAML - Global logout not working after hitting URL '/saml/logout'

According to the Spring SAML Extension documentation:
Local logout terminates only the local session and doesn't affect either the session at the IdP or sessions at other SPs where the user logged in using single sign-on. Local logout can be initialized at scheme://server:port/contextPath/saml/logout?local=true.
For a global logout, we have to hit the scheme://server:port/contextPath/saml/logout URL, but for me it only logs out of the local session and doesn't log out from the IdP.
This is the [WebSecurityConfig](https://github.com/vdenotaris/spring-boot-security-saml-sample/blob/master/src/main/java/com/vdenotaris/spring/boot/security/saml/web/config/WebSecurityConfig.java) that I'm using to create the SAML SP.
My question is, am I doing something wrong here? Or is this a problem because of the IdP I'm using (I can't name the IdP, as it's one of my firm's SAML SSO systems)?
Or do I have to define a global logout handler here? If yes, how?
Global logout in the case of Single Sign-On (SSO) needs support from both the service provider (SP) and the identity provider (IdP). What you are doing is only enabling the global logout endpoint on the SP side, which only ensures that the SP will generate a global logout request to itself and to the IdP (depending on the SAML profiles/bindings you are using); how the IdP handles it depends on the IdP as well.
In SSO, a session at the IdP, a session at the SP and cookies at the user agent are set on login. To facilitate a single global logout there is a gap between user expectations and technical limitations. I suggest you read about SLO issues here: https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues
Shibboleth IdP v3 has provided partial support for Single Logout using both front-channel (the user agent is involved in sending the logout to all SPs and the IdP) and back-channel (the user agent sends the logout request to the current SP and the IdP; the IdP in turn sends logout requests to all logged-in SPs) flows. You can read how Shibboleth IdP v3.2.0 handles logout here: https://wiki.shibboleth.net/confluence/display/IDP30/LogoutConfiguration
I would check the IdP metadata that you have configured. It sounds like an endpoint specified is wrong so it's not receiving what it needs.
With that said, you ought to confirm whether there has been any activity on your IdP's logs regarding any form of logout. Consider DEBUG or TRACE level.
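For both the OKTA question at the top of the page (IdP-initiated logout) and this thread (global logout via /saml/logout), the SP-side wiring in the Spring Security SAML Extension looks like the following. This is an added example, not the Spring SAML project's code or the sample configuration linked in the question: the base URL, entity ID and target URL are hypothetical, and the ExtendedMetadata bean and the /saml/login, /saml/SSO and /saml/metadata filter chains are assumed to be defined elsewhere in the configuration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.SAMLLogoutFilter;
import org.springframework.security.saml.SAMLLogoutProcessingFilter;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.websso.SingleLogoutProfile;
import org.springframework.security.saml.websso.SingleLogoutProfileImpl;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class SamlLogoutConfig {

    // Hypothetical values. MetadataGenerator derives the SP's SingleLogoutService
    // URL (base URL + /saml/SingleLogout) from the base URL.
    private static final String SP_BASE_URL = "https://sp.example.com/app";
    private static final String SP_ENTITY_ID = "https://sp.example.com/app/saml/metadata";

    // Builds outgoing LogoutRequest/LogoutResponse messages and validates incoming ones.
    @Bean
    public SingleLogoutProfile logoutProfile() {
        return new SingleLogoutProfileImpl();
    }

    // Ends the local session: invalidates the HttpSession and clears the SecurityContext.
    @Bean
    public SecurityContextLogoutHandler logoutHandler() {
        SecurityContextLogoutHandler handler = new SecurityContextLogoutHandler();
        handler.setInvalidateHttpSession(true);
        handler.setClearAuthentication(true);
        return handler;
    }

    @Bean
    public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
        SimpleUrlLogoutSuccessHandler handler = new SimpleUrlLogoutSuccessHandler();
        handler.setDefaultTargetUrl("/");
        return handler;
    }

    // SP-initiated logout. /saml/logout runs the global handlers and sends a
    // LogoutRequest to the IdP; /saml/logout?local=true runs only the local handlers.
    @Bean
    public SAMLLogoutFilter samlLogoutFilter() {
        return new SAMLLogoutFilter(successLogoutHandler(),
                new LogoutHandler[] { logoutHandler() },   // local handlers
                new LogoutHandler[] { logoutHandler() });  // global handlers
    }

    // IdP-initiated logout. The IdP delivers its LogoutRequest to /saml/SingleLogout;
    // this filter validates it through the SingleLogoutProfile (signature, Issuer),
    // runs the handlers and answers with a LogoutResponse. The IdP's LogoutResponse
    // to an SP-initiated logout is processed here as well.
    @Bean
    public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() {
        return new SAMLLogoutProcessingFilter(successLogoutHandler(), logoutHandler());
    }

    // Routes the two logout URLs to the two filters. A real configuration adds the
    // /saml/login, /saml/SSO and /saml/metadata chains to this list as well.
    @Bean
    public FilterChainProxy samlFilter() {
        List<SecurityFilterChain> chains = new ArrayList<>();
        chains.add(new DefaultSecurityFilterChain(
                new AntPathRequestMatcher("/saml/logout/**"), samlLogoutFilter()));
        chains.add(new DefaultSecurityFilterChain(
                new AntPathRequestMatcher("/saml/SingleLogout/**"), samlLogoutProcessingFilter()));
        return new FilterChainProxy(chains);
    }

    // SP metadata that the IdP imports. Without a SingleLogoutService element the IdP
    // has no endpoint to send a LogoutRequest to, so IdP-initiated SLO cannot work.
    @Bean
    public MetadataGenerator metadataGenerator(ExtendedMetadata extendedMetadata) {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId(SP_ENTITY_ID);
        generator.setEntityBaseURL(SP_BASE_URL);
        generator.setExtendedMetadata(extendedMetadata);
        generator.setIncludeDiscoveryExtension(false);
        // Bindings advertised for SingleLogoutService (these are also the defaults).
        generator.setBindingsSLO(Arrays.asList("post", "redirect"));
        return generator;
    }
}
```

The two filters cover the two directions of SLO: SAMLLogoutFilter on /saml/logout builds and sends the LogoutRequest for a global logout, while SAMLLogoutProcessingFilter on /saml/SingleLogout is the only place an IdP-initiated LogoutRequest is handled. Before debugging further, fetch /saml/metadata and confirm a SingleLogoutService element is present and that the copy registered at the IdP matches it; if the endpoint is missing there, the IdP has nowhere to send its request. Because the POST binding delivers the IdP's LogoutRequest without a CSRF token, /saml/** must also be exempted from Spring Security's CSRF protection.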
