identity provider - Build identity provider manual on local - spring-security

I'm using spring security saml to implement SSO. For testing, I used ssocircle as idp. But now, I want to control authenticating by myself, that means, can I build idp host on my local by using spring security (user info will be stored in my database).
Note: OpenAM is not my expectation.

It is not advisable to build your own IDP because it is a complicated process, even if you use a library like opensaml, your best option would be to install Shibboleth Idp, there are many tutorials online, some on the shibboleth.net website and some on other websites. These two are very good tutorials:
1- https://books.google.ie/books?id=AeBaAQAAQBAJ&pg=PA3&lpg=PA3&dq=Investigation+and+implementation+of+Shibboleth+SSO+authentication+mechanism&source=bl&ots=g6A_kstwJ2&sig=Nr4AR6WKillYyIl5UQaUszkTDB8&hl=en&sa=X&ved=0ahUKEwibtvL51tvJAhUI_A4KHb18DUYQ6AEIKTAB#v=onepage&q&f=true
2- https://tuakiri.ac.nz/confluence/display/Tuakiri/Installing+a+Shibboleth+3.x+IdP

Related

Keycloak and spring security usage

I have used spring security in the past and understand that most of the features of keycloak can be achieved by using spring security ( ldap integration etc ).
Apart from easy social media login validation, are there any other unique features in key cloak which cannot be done using spring security?
With spring-security you would have to create Spring authentication server and explicitly configure/code certain things for integration with LDAP, OAuth2/OIDC providers.
Keycloak is already OAuth2/OIDC/SAMPL compliant IAM provider. It provides features like User Federation with options like LDAP, integration with other OIDC provider etc.
Keycloak provides SPI integration points where you can customize the request flow, use OTP, perform two factor authentication, add google CAPTCHA, or even your CAPTCHA. It provides role based authorization too if you need.
It also provides event handling integration points for events like Login, logout, refresh token, etc.
Keycloak Community will keep adding new features or keep supporting it w.r.t. changes in OAuth2, OIDC, SAML. You don't need to worry about updating your code time to time. Along with this, security updates will be there.
There are many more features.
Most importantly, why reinvent the wheel, if you get these many features and good support.
Keycloak allows you:
to use multiple user storage and get users from multiple LDAP/AD or Kerberos or use without any LDAP.
to login once (SSO) and forget about to login from another application with GUI;
to use one authorization server for multiple application by separation them by realms. One thing should be noted: keycloak could be installed on multiple nodes for better reliability; This also could helpful when application become big and once you decide to separate it on multiple.
to add user additional attributes and fields during get user info without coding (trivial example - set phone number) or specific roles (on realm or even client level) or groups and use all this on the top of an AD attributes;
to configure password rules like password expiration, e-mail validation and so on;
to set up 2-factor authorization with SMS or Email.
These things I think could be implemented using Spring Security, but it takes more time than Keycloak installation and configuration. Personally, I am using Keycloak in multiple commercial projects and could claim that Keycloak is good.

Java Spring Application - Integration with Azure AD for SSO

I have a Java Spring MVC application (note that its not spring boot).
We have a requirement to implement SSO for the users of our application. I did some research, the identity provider (IDP) in our case is Azure AD. The service provider would be my application in this case. I am thinking of using SAML protocol for SSO.
Also note - The application is http based (not HTTPS)
What I've done so far -
I've created an Enterprise Application on Azure and configured entityId and replyURL. I also added a user for this application.
Where I'm stuck -
Although I did read the related Spring documentation to achieve this, since I'm a newbie here, I still don't have a clear path as to how can I take this forward in my application. I found some solutions, they seem to be examples for spring boot. Can someone please help me with guides as to how this can be done in Java Spring? Which maven dependency I could use and any sample example to start working with SAML? A step by step explanation would be highly appreciated, thankyou.
Also, any other options than SAML would also be fine.
The Spring Security SAML extension (https://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/index.html) had an example web app. You may read the referenced doc and apply it to Spring Security SAML. It should not be too much difference.
I’m very glad to register the flow in the event of implementing Azure AD B2C OIDC/OAuth protocol with existing Spring MVC architecture.
Below Spring docs reveal that how was our existing project's spring-security layer being served in the context of filter-chain.
Pre-requisites
Authentication Filter - Form Based Login with Legacy IDP
Authentication Manager – Providing the user details authorities along with http session object
For accomplishing this Azure B2C Integration, we've gone thro' lot of repos but most of them are relying with Java config based but we were interested on Spring namespace with limited code/architectural change.
Then finally we came to the conclusion that how to extend the spring default auth-filter/manager for getting valid session object from security context based on the Azure provided (id/access) token after the successful user authentication.
Customizing Spring-Security
The detailed documentation on how to extend auth-filter/manager is available here with © reserved by terasoluna.org
We customized the spring security in such a manner that auth-filter will carry the token_validation against the given token from Azure and authentication manager will extract user details such as roles/privileges w.r.t to the object-id mapped in our DB's user entity.
Once the Spring security customization is done then we can able to integrate the Authorization-server [Azure in our case] and Resource-server [Existing Spring Application] by following the conventional methods.

Spring Boot 2, Cloud Netflix and username/password authentication architecture

This is an architecture question. I want to implement an application that processes two kinds of users (admin and clients). Each role can register in the following ways:
admin: username/password registration
client: Facebook/Google/username&password registration
Based on the user's role each of them has a specific action to which he's authorized.
From a technology stack, I want to use Java 8, Spring Cloud Netflix and later on Docker and Kubernetes (in order to have auto-heal and auto-scale).
I've implemented Eureka discovery, Config server, Zuul Gateway and I have two microservices for each role (to get me started). I don't know at all how to approach the user's authentication/authorization, from what I see Spring Security 5 is no longer supporting Authorization server and I am supposed to use Keycloack? Should the gateway be the authorization server or should I create another component that is responsible for authentication? What do I use, how to implement, how to approach redirection between my authorization server and the business microservice?
I can't really find a proper documentation that uses username/password, social login and Spring Cloud Netflix, together with Spring Security 5.
Your gateway shouldn't be responsible for handling authentication.
One possibility is using the cas project. It can run as a micro service to handle the whole authentication process. It can handle multiple auth methods like database (for username / password) and social media like Google or Facebook.
It comes with a basic setup having a login page and a configured DockerFile. You can customize everything. Just add the related dependency and add the config in the application.properties. You can customize the frontend.
https://apereo.github.io/cas/6.1.x/planning/Getting-Started.html
By the way: if you use kubernetes you don't need a gateway or service discovery with eureka. Kubernetes does this for you.
For api security, after moving to #Kubernetes, you can use Envoy or similar solution
For authentication and authorisation, you need an identity management system (like #Okta or PingFederate or an open source version like #OpenIAM) and then integrate using Spring & OAUTH2.

SAML IDP implementation to support multiple SPs in a single IDP

I have been working with SAML IDP implementation using saml_idp gem in Ruby.
My user-management is already acting as IDP for a ServiceProvider. All the configuration is totally set for that Service Provider alone. Now, I want to support one more Service Provider where the configuration is different from the existing one.
The question is how would I support multiple SP with different signatures, certificates in IDP to act separately for different service providers.
I have saml_idp_initializer.rb in my project. As mentioned earlier, it is more specific to a SP.
I found a workaround solution where I can set up the SAML IDP configuration in the runtime which solves serving the requests to SP by the new IDP configuration.

How to use LDAP on window azure?

Am new to ADFS and LDAP, our project is mixed of technology mongoDb, nodeJS and rails. we are planning on deploying mongodb, Nodejs or Rails on Windows Azure, as LDAP is been used for active directory on ruby.how LDAP used in window azure. is there any performance change in using ADFS in ruby compare to LDAP in ruby. if yes, how can i implement ADFS on RUBY
Is anyone know how its possible. thanks in advance.
Is your LDAP server going to stay on-premises? Just to be clear, ADFS is not equivalent to LDAP. ADFS is a "Security Token Service" (STS). LDAP is a Directory.
Since you mention ADFS, presumably your apps will authenticate users on (on-premises) Active Directory. ADFS can only authenticate users on AD, not on arbitrary directories.
To connect your node.js and ruby app to ADFS you would need to implement either WS-Federation or SAML Protocol. These are the 2 protocols supported by ADFS. You can read more about it here.
Alternatively, you can implement your own STS and connect it with whatever you want (ADFS or LDAP). If you do this, then you have more control on what kind of protocols to implement in your app (e.g. OAuth2 or something else). It seems there are more libraries you can leverage compared to WS-Fed / SAML.
There are many open source STSs you can look at. IdentityServer is one of them, and people have successfully built solutions on it. You will have to host this yourself.
Another alternative is to rely on a 3rd party service like Auth0 (which is available on the Windows Azure store). (Disclaimer: this is a product I'm working on).

Resources