wso2 APIManager: Add PingIdentity as new OAuth-Endpoint - oauth-2.0

We are planning to use PingFederate Server as our central identity management solution. What are the steps to integrate the Ping server OAuth endpoint into our WSO2 landscape?
Is there already a solution available?
I read the blog post https://amilasnotes.wordpress.com/2015/05/19/integrating-with-a-third-party-oauth-provider-overview and it looks like this task is possible.
Has someone experience with replacing the internal WSO2 key manager?
And is it possible to use both key management solutions (internal and Ping), so that we don't need to migrate the current applications/access tokens?
Thanks in advance,
Marty

You have to write a custom KeyManager implementation to connect to the Ping identity server. The overall implementation steps can be found in https://amilasnotes.wordpress.com/2015/05/19/integrating-with-a-third-party-oauth-provider-overview/
There are two sample KeyManager implementations you can look into: Surf OAuth and MITREid Connect.
You can check out the API Manager default KeyManager implementation as well. See AMDefaultKeyManagerImpl.
Regarding using both key managers: it won't be possible, since the default KM implementation is also written against the same KeyManager interface, so only one KeyManager implementation can be used.

Related

Apache Syncope with OAuth 2

I am trying to find some information about using Apache Syncope (an identity management system) with OAuth 2 authorization.
I see there is no implementation in AS yet, as written here: https://issues.apache.org/jira/browse/SYNCOPE-534 so AS is a "pure" Identity Manager, not directly involved in authorization operations like OAuth 2.0.
I have found that I should use some Access Managers to implement such a scenario.
What access managers should I use? Could you give some advice? Thanks
On the page Access Managers you can see that several exist, just not for OAuth 2.
For OAuth 2 an Access Manager would have to be developed; perhaps it's possible on the basis of the existing ones.
Having a look at some commits concerning OpenID, there is the following list:
[SYNCOPE-1270] implementation for OpenID Connect for Admin Console and Enduser
[SYNCOPE-1270] OpenID Connect Logout implementation
[SYNCOPE-1018] self registration for OpenID Connect
It seems to be mixed into core though, so it's probably impracticable to do it the same way, as core can't be updated anymore without problems.
On the other hand, if you are willing to provide the new Access Manager directly to core development it wouldn't matter, but then it's advisable to contact the core developers on GitHub first.
While REST might serve as the interface for a separate module, the authentication process is technically explained as Provisioning Service.
In Extensions you get an impression of which extensions exist, and you'd have to verify them to learn how to solve your approach in your own extension. I'd perhaps choose SAML 2.0 Service Provider, as it's also related to authentication.
Concerning OAuth 2 itself, there are a few implementations on GitHub, regrettably only in PHP, but perhaps that helps you a bit.

Delegate Jenkins authentication to OAuth 1.0 or Custom Security Realm

We have a legacy Identity Provider which only supports two authentication mechanisms:
1. OAuth 1.0.
2. A custom service I can call with a user and password to obtain a session token, which then has to be placed in a custom header of every other call to the IdP (to get user info and such).
I'd like to know whether there's any plugin that will allow configuring Jenkins to delegate authentication to such an IdP through either mechanism. I'm starting to look at the OAuth Credentials Plugin, but it doesn't look like it'll do the trick:
By itself, this library has no user visible changes, it is intended only to surface new extension points on top of which OAuth providers may surface their own OAuth2Credentials implementations.
If not, then what are my options here? I'm thinking of writing a plugin to implement one of these. Is there a good guide I can use? Or an existing plugin I should extend?
As it turns out (and just in case anyone else is wondering how to do this), the OAuth Credentials Plugin is not for delegating Jenkins authentication to an OAuth Identity Provider. It's for creating Jenkins credentials which can then be used by jobs.
At this point in time, there's no plugin which will allow you to delegate Jenkins authentication to an identity provider exposing the deprecated OAuth 1.0 spec. You'll have to implement your own. The right way to do this is to extend this class:
hudson.security.SecurityRealm
I started doing this by following the examples set by GitHub's and Google's OAuth 2.0 plugins. But these both take very different approaches to the same problem, which filled my head with questions. So I did some more research and found this nice article which explains the basics and also points to a bare-bones security realm example of how to do this. It helped me a lot. I hope it'll help others as well.
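As an added example (not part of the answer above and not the code of any existing plugin), here is what the second mechanism from the question looks like as a Jenkins security realm built on hudson.security.AbstractPasswordBasedSecurityRealm, the password-based subclass of hudson.security.SecurityRealm, targeting the Acegi-based Jenkins API of that era. The IdP paths /session and /me and the X-Session-Token header name are placeholders for the legacy IdP's own, and the @Extension descriptor and config.jelly needed to list the realm under Configure Global Security are omitted.

```java
import hudson.security.*;                 // AbstractPasswordBasedSecurityRealm, GroupDetails, SecurityRealm
import org.acegisecurity.*;               // AuthenticationException, BadCredentialsException, GrantedAuthority
import org.acegisecurity.userdetails.*;   // User, UserDetails, UsernameNotFoundException
import java.io.IOException;
import java.net.*;
import java.util.Scanner;

/** Delegates Jenkins logins to a legacy IdP's user/password session service (paths and header are placeholders). */
public class LegacyIdpSecurityRealm extends AbstractPasswordBasedSecurityRealm {
    private final String idpBaseUrl; // https only: the user's password travels in the login request
    public LegacyIdpSecurityRealm(String idpBaseUrl) { this.idpBaseUrl = idpBaseUrl; }

    @Override
    protected UserDetails authenticate(String username, String password) throws AuthenticationException {
        try {
            // Step 1 (assumed endpoint): POST /session with user+password; on success the body is the session token.
            String form = "user=" + URLEncoder.encode(username, "UTF-8")
                        + "&password=" + URLEncoder.encode(password, "UTF-8");
            String token = call("POST", "/session", null, form);
            if (token == null || token.isEmpty()) throw new BadCredentialsException("IdP rejected login for " + username);
            // Step 2 (assumed endpoint): GET /me with the token in the custom header; it must name the same user.
            String me = call("GET", "/me", token, null);
            if (me == null || !me.trim().equals(username)) throw new BadCredentialsException("Session check failed for " + username);
        } catch (IOException e) {
            throw new BadCredentialsException("IdP unreachable", e); // fail closed: never fall back to local auth
        }
        // The password is not kept in the principal; Jenkins only needs the "authenticated" marker authority.
        return new User(username, "", true, true, true, true,
                new GrantedAuthority[] { SecurityRealm.AUTHENTICATED_AUTHORITY });
    }

    /** Minimal HTTP helper: returns the response body on HTTP 200, null otherwise. */
    private String call(String method, String path, String token, String form) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(idpBaseUrl + path).openConnection();
        c.setRequestMethod(method);
        if (token != null) c.setRequestProperty("X-Session-Token", token); // the IdP's custom header (placeholder name)
        if (form != null) { c.setDoOutput(true); c.getOutputStream().write(form.getBytes("UTF-8")); }
        if (c.getResponseCode() != 200) return null;
        Scanner s = new Scanner(c.getInputStream(), "UTF-8").useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";
    }

    @Override // without a password there is no IdP session to verify, so password-less lookups are refused
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        throw new UsernameNotFoundException("Password-less lookup is not supported by the legacy IdP: " + username);
    }
    @Override
    public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException {
        throw new UsernameNotFoundException("The legacy IdP does not expose groups");
    }
}
```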

Create Custom STS service

I'm looking at the capabilities of WIF in terms of SSO. Actually we have a "legacy" users and rights management database under SQL Server and we would like to build a brand new SSO system on top of this existing database.
In many tutorials I found, they talk about using an existing STS like ADFS v2 for Active Directory authorization, but it did not fit my needs because my users/rights are not exposed through AD but in a custom, business-oriented SQL Server database.
So, I think I need a custom Security Token Service in order to be able to emit my own custom tokens, but I don't know how to do this.
I need a little help or an example of how to achieve this.
Thank you
You can find an STS example in the WIF SDK. It contains an example with a custom token. Look here
More detailed information about SSO I saw in the book 'Programming Windows Identity Foundation'.
You can build your own custom Security Token Service leveraging the underlying SQL Server database. You will have to define your scopes and the claims that need to be shared after the user does a single sign-on. Here are some links to articles that helped me build mine. I am pretty sure that by following the links below you will be able to build a custom STS catering to your needs.
WIF : http://chris.59north.com/post/Building-a-simple-custom-STS-using-VS2012-ASPNET-MVC
http://www.primaryobjects.com/2013/08/08/using-single-sign-on-with-windows-identity-foundation-in-mvc-net/
Care to explain why #paullem's answer was deleted?
It is in fact the correct answer!
The question is about an STS that authenticates using a SQL DB. That is EXACTLY what IdentityServer does.
Since it's open source, you can customize it any way you want or else use it as a guide.
So to repeat the answer: "Take a look at Thinktecture.IdentityServer..."
Update
You want a custom STS that supports SAML protocol and authenticates against a SQL DB?
WIF won't do this for you.
You need to look at something like Shibboleth or simpleSAMLphp but they are not .NET based.
Or take IdentityServer and add a SAML stack to it.
Refer: SAML : SAML connectivity / toolkit.
Be warned: This is not a trivial exercise!

OpenID Connect Provider implementation

Is there any sample of implementation of OpenID Connect Provider in .NET?
DotNetOpenAuth doesn't seem to support this standard.
Yes, IdentityServer is an OpenID Connect provider. There are lots of samples of relying parties, provider configurations and a resource server API. See here for the examples: https://github.com/IdentityServer/IdentityServer3.Samples/
It seems to currently be the only "certified" open source .NET (C#) implementation. See http://openid.net/developers/libraries/
I would expect Microsoft to release their OP pretty soon, named WAAD - Windows Azure Active Directory Server: http://www.gluu.co/waad-interop
Are you sure you need an OpenID Provider? If you need Relying Party code, I recently saw this quick article: http://www.gluu.co/simple-connect-client
If you really need an OP, perhaps you should consider OX: http://ox.gluu.org
Who really cares what language the OP is written in? What you want is an easy way to administer the thing... and OX provides an excellent management web UI (oxTrust).

How to implement Openid connect and Spring Security

I am a beginner in authentication and authorization, but I have to connect to an OpenID Connect provider for my job. I know a little about how to use Spring Security.
First, I got a UserInfo object by following these nice directions:
https://oauthssodemo.appspot.com/step/1
And then I found a great implementation named "spring-security-oauth" below. I could run the app on Tomcat and connect to Facebook successfully.
https://github.com/SpringSource/spring-security-oauth
As the next step, I want to connect to Google by using "spring-security-oauth", but I do not know how to do that completely. (To be honest, I do not know the differences between OpenID Connect and OAuth 2.)
Give me a clue. Any help will be appreciated.
Here is a sample minimal project integrating Google OpenID Connect with Spring Security: https://github.com/fromi/spring-google-openidconnect
The key point for me was to rely heavily on Spring OAuth2 to minimize the configuration required.
The OpenID Connect basic essentials specification is for the time being at http://openid.net/specs/openid-connect-basic-1_0.html
For Spring-specific details to implement individual steps, frame new questions further detailing the exact task w.r.t. this procedure.
You could use the spring-social-google project to implement a "Sign in with Google" functionality. It uses OAuth 2.0 under the hood, but right now it uses the Google+ API to retrieve profile information. I did a fork to make it use the Google Authentication and Authorization API, which is basically the OpenID Connect standard.