Where can I find useful documentation about using Shibboleth and SAML for SSO besides the Shibboleth Wiki pages, preferably for Ruby applications? Ruby-specific documentation for Shibboleth seems to be very sparse. Does anyone know good resources, tutorials or HowTos?
Unfortunately, the only useful documentation I found is the official documentation from the creators of Shibboleth and SAML themselves. This seems to be a good technical overview about SAML 2 in general from the standards organization OASIS: Security Assertion Markup Language (SAML) V2.0 Technical Overview. One can also read the complete SAML specifications, but I doubt this will be a good start. The only authoritative source for Shibboleth seems to be the Shibboleth Wiki itself.
These links will help you.
http://www.imrantariq.com/blog/?s=saml
https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUsrManJavaInstall
I am building my own API in .NET Core 2.2 for fun and to learn more. I am at the point where I want to secure it with JWT tokens. I have built my own authentication and validation with JWT to understand what's going on. But I thought I would use some of the already established frameworks for this instead of inventing the wheel again. I was thinking of IdentityServer 4 and OAuth2. So my question is, does anybody have any good resources, guides or tutorials that cover both IdentityServer and OAuth2 and how they work together?
I have found this article and I searched PluralSight and found some but nothing that covers both technologies. I thought I would ask the community here before I dive in.
OAuth2 and IdentityServer 4 do not work together.
What OAuth2 is, is a specification. I was at the point you are, and you have to get it through your head that OAuth2 is an idea/blueprint/schematic/plan/specification/framework which just describes how to make authentication with JWT possible. If you want to understand the idea of OAuth2 you have to read the spec; there is no easy way about it, just read it.
Part of IdentityServer4 takes the OAuth2 spec and abstracts it into an easy-to-use API that integrates with the .NET Core framework. I say 'part' because IdentityServer4 provides so much more than just an implementation of OAuth2. To learn IdentityServer4, read the docs.
Furthermore, you can read the OIDC spec. This is the spec for authenticating the client with JWT.
I'd also recommend watching this video, where Brock Allen gives a tour of IdentityServer4.
Here is a guide on how to stand up a simple OAuth2 server using IdentityServer.
https://identityserver.github.io/Documentation/docsv2/overview/simplestOAuth.html
They also released all the source for the example here:
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Simplest%20OAuth2%20Walkthrough
The IdentityServer online documentation is extensive and is also a good reference and resource as you move through setup.
http://docs.identityserver.io/en/latest/endpoints/authorize.html
Good luck!
I just want a brief explanation of the OIDC standards that all applications must follow. I have found a book https://openid.net/specs/openid-connect-core-1_0.html#RFC2119 about OIDC standards, but I just want a brief explanation, if anybody can provide one.
Thanks
Unfortunately the answer is "it depends". It depends on what you are protecting, how you decide to implement this protection, and if you choose to use the OIDC compliant aspects or not.
A good entry point into this discussion with regard to Auth0 is their OIDC Adoption Guide. That will link you to many other resources based on what you're looking for.
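The part of OIDC Core that every relying party has to get right is the ID token validation in section 3.1.3.7 (signature, iss, aud/azp, exp/iat, nonce). The following is an added example, not code from either post or from Auth0; it uses HS256 with a shared client secret so it runs offline (the issuer, client_id, nonce, clock value and secret are constructed placeholders), whereas most providers sign ID tokens with RS256 and publish their keys via JWKS, so the signature step would then use the provider's public key instead of an HMAC.

```python
"""Minimal OIDC ID-token validation (added example; constructed values, HS256 only)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders so the example is reproducible offline.
NOW = 1_700_000_000                 # fixed clock instead of time.time()
SECRET = b"constructed-client-secret"
ISSUER = "https://op.example"       # placeholder provider issuer URL
CLIENT_ID = "my-client"             # placeholder client registration
NONCE = "n-8f3a"                    # constructed per-login nonce stored in the session

SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "user123", "aud": CLIENT_ID,
                 "exp": NOW + 300, "iat": NOW, "nonce": NONCE}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the provider's token endpoint: an HS256-signed JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, secret, issuer, client_id, nonce, now=None, skew=60):
    """Return the claims if the token passes the OIDC Core 3.1.3.7 checks, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # 1. Pin the algorithm; never let the token's own 'alg' header decide how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    # 2. iss must be the provider this login was started with.
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    # 3. aud must contain our client_id; with several audiences azp must name us.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        raise ValueError("audience mismatch")
    if len(auds) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    # 4. exp and iat, with a small tolerance for clock skew.
    if "exp" not in claims or now > claims["exp"] + skew:
        raise ValueError("expired")
    if "iat" not in claims or claims["iat"] > now + skew:
        raise ValueError("issued in the future")
    # 5. nonce ties the token to the browser session that began the flow (replay defence).
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return claims


def validation_error(token, **overrides):
    """Run the validator with the sample settings; return the error text or None if valid."""
    kw = dict(secret=SECRET, issuer=ISSUER, client_id=CLIENT_ID, nonce=NONCE, now=NOW)
    kw.update(overrides)
    try:
        validate_id_token(token, **kw)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    token = mint_id_token(SAMPLE_CLAIMS, SECRET)
    print("valid:", validation_error(token) is None)
    print("wrong nonce:", validation_error(token, nonce="other"))
```

Each rejection reason is a distinct string so a relying party can log which check failed without leaking the token itself; the ordering (signature first, then claims) means unsigned or tampered tokens are discarded before any claim is trusted.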
What options do I have to enforce authentication/authorization in a Java web app?
From my research, there's:
JAAS
JNDI
Spring security
Any others? Does JEE5 or JEE6 have anything new?
If you do not want to implement the identity provider yourself, you can consider using OpenID. This way, you can use any OpenID provider to provide the authentication/authorization.
In addition, you can consider OAuth2.
Do not mix up the two; there are many posts here that can explain the differences...
See the Securing Web Applications chapter for JEE6. Also, you can consider Apache Shiro as an alternative to Spring Security. If you already use the Spring Framework, then just go with Spring Security.
I cannot find a complete example anywhere of a Spring Security web app with OpenID registration similar to Stack Overflow's.
I would say I'm a pretty techy guy, but I find Spring Security extremely intimidating with its weird Spring XML DSL.
I have found bits and pieces of how one would do the good ole' stackoverflow registration using:
Spring Security Open ID sample WAR
Hillert's 3-part blog posting
Spring Security official doc on OpenID (the email attributes are wrong; see next link)
Stack Overflow posting about email attributes
jQuery OpenID library for picking your OpenID provider (Stack Overflow has a modified one that seems to include Facebook)
Best Article on the subject but a little long winded
Another example like previous one for Google App Engine
But no complete examples (WAR). Does anyone know of or have a working example (i.e. a WAR) that does more than just authenticate against in-memory OpenID URLs?
UPDATE: The latest version of Spring Social does a very good job of managing OAuth registration. We ended up using it instead. Although it's not OpenID, I have grown to prefer OAuth over OpenID. For those interested, there is a project to use OpenID with Spring Social: https://github.com/molindo/spring-social-openid
Have you looked at the latest version of the sample code (for the 3.1 release)?
It has several improvements to make it simpler to use Google and Yahoo authentication together (with different attribute exchange configurations simultaneously), uses a login dialog similar to Stack Overflow's, and performs simple registration in the case of users who have not previously accessed the app.
See this issue https://jira.springsource.org/browse/SEC-1431 (and the linked one) for more information.
I know this is not really helpful in answering your question, but I am currently building a Grails-based web application and initially started using Spring Security, but also found it difficult to set up.
I then changed to Apache Shiro and it is much simpler to implement. It doesn't have support for OpenID out of the box, but the Nimble Grails plugin does, so you may be able to use that as an example to write your own.
Yes,
There is a WAR to download at http://repo1.maven.org/maven2/org/springframework/security/spring-security-samples-openid/3.0.1.RELEASE/
Maybe it can help you.
It's not exactly OpenID, it uses Facebook Connect, but check out Spring's Greenhouse. That's great code written by the guys from Spring that you can use to jumpstart your app.
Yes, in a Spring application, a user can authenticate to your application with an OpenID provider.
1) Here is a sample Spring OpenID login application.
2) Here is a sample Spring Security social login application, and a blog post here.
I see a similar question for Ubuntu, but I'm interested in hosting my own OpenID provider through my Rails-based site that already has an identity and authentication system in place.
Note that I'm not looking for the delegate method to use the site as an OpenID.
What's the best way to do this properly?
This "No Shit Guide To Supporting OpenID In Your Applications"
seems to be a step-by-step tutorial for what you want to do.
Railscasts episode 68, OpenID authentication, describes how to do exactly this. It's about a year old, so you may have to do some stuff differently. I'd also strongly suggest either an updated or newer OpenID plugin (the link for the one in the video is labeled "outdated").
Err, wait, that is to support OpenID authentication in a Rails application you are writing, not to run an OpenID endpoint in Rails. Here is a guide to implementing an OpenID server/endpoint in Rails pretty much from scratch. gem install openid-server might be easier, but you'll learn more implementing it yourself, and the code is pretty simple.
This reminds me that the overview docs for the ruby-openid server are still missing. But you can see the example, and until the docs are ported over, see the docs for the Python implementation, which follows the same object model.