How to configure ADFS with the SAML 2.0 protocol to work with an active (non-browser-based) client - WIF

Is there a way to use ADFS with the SAML 2.0 protocol to work with an active client (non-browser-based) service provider?
Is there any equivalent of WS-Trust (from the WS-Federation protocol) for the SAML 2.0 protocol?
If it is possible, can you give me an example?

You will need to create your channel with an ActAs token and pass that token along for the active client to work properly.

Related

OIDC based single sign-on

How does OIDC-based SSO work? Is it recommended to store the OIDC token in the browser? Is it safe enough? If the OIDC token is stored on the server side, how is it passed along when a browser redirection happens in order to access another SPA application?
The article "Identity Federation by OpenID Connect" explains how OIDC-based SSO works.

How to make openid call from saml request

I am implementing SSO in my application, and from app-1 I need to make a REST call to app-2. I log in to app-1 with SAML and am authenticated successfully, then try a REST call from app-1 with OpenID, but since authentication uses SAML only, I am not able to get the access/bearer token. Please help me understand how to get the access/bearer token from the SAML request/response. I'm using Keycloak Server for the SSO implementation.
You can't.
REST APIs need a JWT token, not a SAML one.
Change SAML to OpenID Connect and it will work.
(1) OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
(2) Presently there is no IETF draft document regarding a SAML 2.0 Profile for OpenID Connect clients.
We can refer to the IETF draft document SAML 2.0 Profile for OAuth 2.0 Client.
The OAuth 2.0 Access Token using SAML Assertion filter enables an OAuth client to request an access token using a SAML assertion. This supports the OAuth 2.0 SAML flow, which is used when a client wishes to utilize an existing trust relationship, expressed through the semantics of the SAML assertion, without a direct user approval step at the authorization server. For more details on supported OAuth flows, see API Gateway OAuth 2.0 authentication flows.
(3) Both Auth0 and the open-source WSO2 Identity Server implement the SAML profile for OpenID Connect/OAuth to convert a SAML token to an OpenID Connect/OAuth token, as demonstrated by Auth0 SAML Configuration and WSO2 Adding and Configuring an Identity Provider. In other words, Auth0 and WSO2 Identity Server can relay SAML authentication provided by a SAML IdP to either an OpenID Connect client or an OAuth 2.0 client.

Use SAML Token to Auth with OAuth

I just started POCing Keycloak to hook up LDAP for user federation (really easy!) and set up a SAML Service Provider with Node.js (took a bit more time to get the config right). See POC
Question:
Using Keycloak as the sole Identity Provider, is it possible to set up a 3rd-party service (Appian) as a SAML Service Provider, and use the SAML username and/or token (session_index) it receives to request an OAuth token?
Preferably the 3rd-party (trusted) service, behind the scenes, would make the OAuth request (with a client id?) to get an access token, and use the token to make API calls.
It seems like there could be two Keycloak clients, one for SAML and one for OAuth, but then Keycloak would be able to coordinate the auth under the covers.
You can exchange a SAML assertion (NOT its decoded contents) for an OAuth access token. This flow is described in RFC 7522 (SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants). In practice, this is an exotic use case and it's hard to implement. It assumes that the requester (client) has a way to acquire a SAML response from the IdP and wield it to grab an OAuth access token. To top it off, there are precious few IdPs that support the RFC 7522 exchange. At the moment, Keycloak does not support it.
A more straightforward variation of the use case you're thinking about is the ability of a client to request any token (SAML, OAuth, ...) from an identity provider/authorization service without reauthenticating. This is possible with some providers, but these mechanisms are proprietary to each provider. For example, the Salesforce Identity service allows various tokens to be obtained if you send a request with a Salesforce session ID in a specific format.
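Both this answer and the (1)-(3) answer above refer to the RFC 7522 SAML bearer assertion grant. The following is an added example, not code from any of the answers or from Keycloak: it builds the token request a client sends and performs the checks an authorization server must make before issuing a token. The issuer, token endpoint and the unsigned assertion are constructed placeholders, and XML signature verification is assumed to happen before these checks.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 section 2.1
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
TOKEN_EP = "https://as.example.test/oauth/token"  # hypothetical AS token endpoint
IDP = "https://idp.example.test/saml"  # hypothetical IdP entity id

# Constructed, unsigned sample assertion; a real one carries an XML signature.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{IDP}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData NotOnOrAfter="2099-01-01T00:00:00Z" Recipient="{TOKEN_EP}"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>{TOKEN_EP}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion>"""

def _ts(s):  # SAML timestamps are UTC "Z" strings
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def build_token_request(assertion_xml, scope="api"):
    """Client side: form body for the token endpoint; assertion is base64url without padding."""
    enc = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    return urlencode({"grant_type": GRANT, "assertion": enc, "scope": scope})

def validate_grant(body, token_endpoint, trusted_issuers, now=None):
    """AS side: the RFC 7522 section 3 checks; returns the subject NameID or raises ValueError.
    The XML signature must be verified against the issuer's key before these checks (not shown)."""
    now = now or datetime.now(timezone.utc)
    form = parse_qs(body)
    if form.get("grant_type") != [GRANT]:
        raise ValueError("not a saml2-bearer grant")
    enc = form["assertion"][0]
    root = ET.fromstring(base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4)))
    if root.findtext("saml:Issuer", namespaces=NS) not in trusted_issuers:
        raise ValueError("untrusted issuer")
    if token_endpoint not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        raise ValueError("audience does not match token endpoint")  # blocks replay at another AS
    if now >= _ts(root.find("saml:Conditions", NS).get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    sc = root.find(".//saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS)
    if sc.get("Method") != BEARER or scd.get("Recipient") != token_endpoint:
        raise ValueError("bearer subject confirmation failed")
    if now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation expired")
    return root.findtext(".//saml:NameID", namespaces=NS)
```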

Consume SalesForce over OAuth 2.0

I am using the DotNetOpenAuth libraries to implement the OAuth 2.0 client side to communicate with the Salesforce authorization server. I have finished the first two steps of the OAuth 2.0 communication, which end with obtaining an access token from the Salesforce authorization server.
Now I want to get some resource from SF. Is that possible only over the REST service infrastructure? Can I send an HTTP request with the access token and the specified parameter to be retrieved to SF?
Thank you,
Rastko

How to reconcile Salesforce SSO using WS-Federation and REST API using OAuth 2.0?

I am developing a web application which consists of a Silverlight application and a REST API. An optional use case is that the customer may also want to integrate with Salesforce. By "integrate" I mean utilize SSO with Salesforce when logging into my application as well as access data via Salesforce's REST API. The current hurdle I can't seem to get over is that SSO uses WS-Federation while Salesforce's REST API uses OAuth 2.0. What is the best way to bring these two authentication mechanisms together?
My knee-jerk reaction was for my Federation Provider STS to acquire an OAuth access token from Salesforce and add it as a claim to the security token received from Salesforce's Identity Provider STS, but I think this might require me to write a custom STS. I'd rather not do that. Is there a better way?
This question is old but comes up often, so ...
There is now information on how to do this here:
Configuring-SSO-to-SharePoint
This approach uses WS-Fed.