Integrating Spring Security SAML module with CAS - spring-security

Is it possible to use Spring Security SAML module for enabling SAML 2.0 Service Provider functionality with CAS? Native SAML support in CAS does not support this. We have a web application which already uses CAS for authentication and now there is a requirement to enable SAML SP and IdP Initiated federated SSO into this application. CASShib makes this possible but we would have to use Shibboleth in addition to CAS and there are also some issues with CASShib.

If you want to use Shibboleth as your SAML IdP, you can use CAS for authenticating users using this method: https://github.com/Unicon/shib-cas-authn2

Related

How to make openid call from saml request

I am implementing SSO in my application, and from app-1 I need to make a REST call to app-2. I log in to app-1 with SAML and am authenticated successfully, then try the REST call from app-1 with OpenID, but since authentication uses SAML only, I am not able to get the access/bearer token. Please help: how do I get the access/bearer token from the SAML request/response? I'm using Keycloak Server for the SSO implementation.
You can't.
A REST API needs a JWT token, not a SAML one.
Change SAML to OpenID Connect and it will work.
(1) OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
(2) Presently there is no IETF draft document regarding SAML 2.0 Profile for OpenID Connect client.
We can refer to the IETF draft document SAML 2.0 Profile for OAuth 2.0 client.
The OAuth 2.0 Access Token using SAML Assertion filter enables an OAuth client to request an access token using a SAML assertion. This supports the OAuth 2.0 SAML flow, which is used when a client wishes to utilize an existing trust relationship, expressed through the semantics of the SAML assertion, without a direct user approval step at the authorization server. For more details on supported OAuth flows, see API Gateway OAuth 2.0 authentication flows.
(3) Both Auth0 and open-source WSO2 Identity Server implement the SAML profile for OpenID Connect/OAuth to convert SAML token to OpenID Connect/OAuth token, as demonstrated by Auth0 SAML Configuration and WSO2 Adding and Configuring an Identity Provider. In other words, Auth0 and WSO2 Identity Server can relay SAML authentication provided by SAML IdP to either OpenID Connect client or OAuth 2.0 client.

Keycloak Add OIDC identity provider does not support private_key_jwt authentication

I'm running Keycloak 4.8.3 server for identity brokering, and I need to add an external OIDC identity provider that does not support client_id/client_secret authentication. This identity provider only supports private_key_jwt and PKCE authentication.
Unfortunately, Keycloak server only allows me to add OIDC identity providers with client_id and client_secret authentication. Is there any way around this? Maybe a plugin I can install for Keycloak server that allows me to add an identity provider with private_key_jwt authentication?
I have requested this feature and it has been identified as a legitimate feature request for which support should be added:
https://issues.jboss.org/browse/KEYCLOAK-9809

Differences between SAML/OpenSAML/Shibboleth and OAuth/OpenId

1) I don't concretely understand the fundamental differences between SAML and OAuth. OAuth is for authorization, but OpenID is for authentication too, and SAML for both authorization and authentication? And why use a combination of both technologies?
2) Inside SAML technology, what is the difference between Shibboleth and OpenSAML?
I know OpenSAML has been developed by Shibboleth and is used for the Shibboleth solution, but why not use it directly without Shibboleth? What does Shibboleth bring?
Thank you.
They are two different protocols and you would never use them together.
SAML is older - not good for mobile - mainly for enterprise - XML tokens.
OpenID Connect is newer - good for mobile - JWT tokens.
OpenID Connect is a standard for how to use OAuth for authentication. OAuth is for authorisation.
SAML is a protocol definition - you can't use it as such - it's a document.
OpenSAML is an implementation of the SAML protocol.
Shibboleth is an identity provider that uses OpenSAML to deliver the SAML functionality.

Authenticate using SAML-based Basic Authentication?

I have a use case where a web application needs to let users authenticate in two different ways but using the same user data store (aka IDP) via SAML.
1) The user's browser is redirected to the IDP and redirected back with a SAML assertion (aka WebSSO Profile).
2) The user makes a request to the SP providing their credentials via Basic Authentication. The SP would then need to send the user's credentials to the IDP, and the IDP would provide an assertion, all through a back channel (server to server).
I'm using the Spring Security SAML extension. The sample application in Spring SAML contains both basic authentication with username and password and SAML-based authentication, but the Basic Auth portion uses local accounts defined in the securityContext.xml file. I need to use the user accounts on the IDP. Is this possible? If so, how do I configure Spring SAML?
There is no standard SAML WebSSO mechanism which would allow an SP to request an assertion for a specific user by providing her credentials. You might want to look into the WS-Trust standard, which covers such use cases using its Request Security Token methods (RST/RSTR calls). Another quite standardized way to do this is the Client Credentials grant of OAuth 2.0. Both are out of scope for Spring SAML, but can be combined with it.

Can I use SAML with another authentication provider in a single web application

I have a Spring application already using Spring security with a local store of users. I want to also allow an IDP login via SAML assertion, but only for people who already have an account with my application.
1) Can I configure Spring Security to optionally use a SAML authentication provider OR an LDAP authentication provider? 2) When someone authenticates via SAML, can I populate their session principal with information from the local user store? 3) Finally, can I do this through Spring configuration, or do I need to do it programmatically?
1) Yes, you can freely combine different authentication methods together with SAML in a single application.
2) Yes.
3) You will need to write your own implementation of the SAMLUserDetailsService interface, which will do the population.
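An added example (not code from any of the answers above) of the SAMLUserDetailsService implementation the last answer points to. It assumes a hypothetical `localUsers` bean, a Spring Security `UserDetailsService` backed by the application's existing user store, and rejects anyone the IdP asserts who has no local account.

```java
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

/**
 * Maps a successfully validated SAML assertion onto an account from the local
 * user store. Only users that already exist locally are let in; everyone else
 * is rejected, which is the "only for people who already have an account"
 * requirement. (Added example; localUsers is an assumed UserDetailsService.)
 */
public class LocalAccountSamlUserDetailsService implements SAMLUserDetailsService {

    private final UserDetailsService localUsers;

    public LocalAccountSamlUserDetailsService(UserDetailsService localUsers) {
        this.localUsers = localUsers;
    }

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        // Key the lookup on the NameID the IdP asserted. An attribute could be
        // used instead, e.g. credential.getAttributeAsString("uid").
        String nameId = credential.getNameID() == null ? null : credential.getNameID().getValue();
        if (nameId == null || nameId.trim().isEmpty()) {
            throw new UsernameNotFoundException("SAML assertion carried no usable NameID");
        }

        // loadUserByUsername throws UsernameNotFoundException when no local
        // account exists; SAMLAuthenticationProvider turns that into a failed
        // authentication, so unknown IdP users never get a session.
        UserDetails local = localUsers.loadUserByUsername(nameId);

        // Honour local account state: the IdP saying "authenticated" must not
        // override an account this application has disabled or locked.
        if (!local.isEnabled() || !local.isAccountNonLocked()) {
            throw new UsernameNotFoundException("Local account disabled or locked: " + nameId);
        }

        // The returned object becomes the principal of the authenticated
        // session, so roles and details now come from the local store.
        return local;
    }
}
```

Register it as the `userDetails` property of the `SAMLAuthenticationProvider` bean in securityContext.xml (with `forcePrincipalAsString` set to false so the returned object, not the NameID string, becomes the principal); the LDAP provider can stay registered on the same authentication manager.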