We have a java based STS service .We would like to use this STS for claims based authentication provided by WIF . Can someone provide some insight into how this can be acheieved ? All the examples I have come across use C# based STS and C# based RP . In my case the RP can be C# but the STS has to be in Java .Specifically,I would be interested in knowing how SAML requested is passed to the STS and the format of claims passed backed to the RP .
Thanks,
Somnath
It depends what protocols your Java STS supports for requesting tokens.
In principle, if your Java STS implements the token request protocols from public standards WS-Trust & WS-Federation, and issues SAML 1.1 or SAML 2.0 tokens, a C# RP using WIF should be able to interoperate with it.
However, if your STS depends on some other request protocol such as SAML 2.0p then WIF doesn't currently support this directly. I believe ADFS does, however, and so there may well be a solution using ADFS as an intermediate STS federating with your Java-based STS in this case.
Related
I am trying to enable OIDC authN and authZ workflow for my spring-java-web application. Ideally I wanted to do it in a IDP agnostic way.i.e.This application could be integrated with only and any one of the Azure AD,OKTA,AWS SSO,Google-auth by deployment admin.And I want users to be redirected to whatever provider the application is integrated with.
With OIDC as a standard, my understanding is i should be able to write a OIDC auth processing filter that should work with any of the providers. The necessary config that varies per provider ( auth url,client id,secret,JWKS url to get the provider keys etc) will be passed to this filter/rest template as parameters.
Q.1 Is it possible to implement provider agnostic OIDC filter? Can someone give any pointers?
I am aware that Spring natively provides Oauth2 libraries/apis like AuthorizationCodeResourceDetails, OAuth2ClientAuthenticationProcessingFilter . However I do not see any OIDC native processing filter in built. Is there any?
I tried and understood the workflow as given in https://www.baeldung.com/spring-security-openid-connect .However when i try to tweak this code to make it work with Azure AD it fails. Thats because Azure AD requires
The response_type parameter must include id_token.
The request must include nonce parameter to be set in request.
AuthorizationCodeResourceDetails does not support such param. Given that OIDC is a common standard ,
Q-2. I fail to understand why every provider still has different requirements? Doesn't it defeat the purpose of OIDC . Infact I read that google throws error if you pass nonce
Q-3. Are there any spring native ways to configure these additional provider specific params like nonce , promt, additional response-type ,preferable with examples?
I think your problems with Spring Security OIDC are that you're using the legacy OAuth library (at least that's what the baeldung article is illustrating). OAuth2 and OIDC are part of Spring Security 5.x now and not a separate project. There's an OIDC client "login-client" in this example: https://github.com/jgrandja/oauth2-protocol-patterns that might show different. Yes, OIDC should allow you to swap providers in and out although not all OIDC providers will implement everything (e.g. discovery, etc.)
I have an Angular application(ex. https://localhost:44301) that is
using Web API(ex. https://localhost:44302) to interact with data.
I have an Identity Server 4 (ex. https://localhost:44303) for authentication in which we have even
configured external login with Azure AD.
Our Architecture is something like below :
Now I want to add ADFS 3.0 (even ADFS 4.0 i.e. multiple ADFS) as a external login provider
So as per my research I have to go for only OAuth 2.0 with
Authrization Code Grant.
ref: https://github.com/nordvall/TokenClient/wiki/OAuth-2-in-ADFS
For that what type of configuration should I add into ADFS server. I am mainly confused about:
what should add as relying party trust identifier ?
what should as a resource into authorization request ?
what configurations for custom claims ?
There are three ways you can do this.
You can add ADFS via:
SAML 2
WS Fed
OpenID Connect
So:
SAML or you could use the Rock Solid Knowledge stack described in that blog
WS-Fed - use the built-in ASP.NET Core SP option
OIDC is doable but rather go with above
In both these cases, ADFS is a CP to idsrv4. idsrv4 is an SP to ADFS.
If you go with OIDC, it's an application group.
We have a requirement that our MVC client application provides an SSO ability to multiple customers by logging to their own IDP.
But some of these gives SAML 1.1 which we are already supporting using the WSFederationAuthenticationModule and some of them recently are sending SAML 2.0 token which is causing our MVC application to fail.
Can I use WSFederationAuthenticationModule to support SAML 2.0 token also?
What are any other alternate suggestions?
The problem is that 1.1 enforces the full URI e.g.
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
whereas 1.2 allows just "emailaddress".
You can use GetOutputClaimsIdentity
and have something like:
outputIdentity.Claims.Add(new Claim(ClaimTypes.xxx, "rest of URI" + emailaddress));
I think i found the solution to my problem.
Extending the Saml2SecurityTokenHandler solved my problem. WsFedAuthenticationModule is able to successfully transform the saml2 token to saml 1.1 assertions.
I am looking for Single sign on (SSO) with SAML2 tokens and I have to used ADFS. I can't use WIF.
I googled a lot to understand SSO, SAML2 and ADFS, now I have some doubts which I am not getting.
Scenario: The applications are asp.net MVC application
1. App-A(Windows Authentication) : hosted and it is using ADFS.
2. APP-B(Form Authentication): authenticates the user using the UID and PWD stored in DB.
Do I need a intermediate application to accept the SAML2 token and process it(similar to Identity provider) or it can be done in the App-A itself?
In the App-B what are the things I have to implement to make it aware of SAML2 request(do i need to implement custom handler)?
please help me to choose the right things for the implementation.
--Thanks--
You need a SAML stack for your application.
Refer SAML : SAML connectivity / toolkit and the links in that entry.
For A, perhaps you can use the WIF SAML extension mentioned in the article above?
For B, you need to rip out the DB authentication and add the SAML functionality as for A or else have a look at Identity Server which you can federate with ADFS and which also authenticates using a DB (but doesn't support SAML itself).
Our partner is trying to setup a PicketLink STS which according to spec is based on WS-Trust. I can't find any information whether or not WIF is supporting this. I know it supports WS-Federation which is an extension on WS-Trust. Most of the time both terms are used in conjunction so I don't know if WS-Trust alone is supported as well.
Thanks in advance.
Yes, WIF supports WS-Trust. The docs: http://msdn.microsoft.com/en-us/library/ee748475.aspx
It'd help if you explained the scenario a little bit more. Are you building a website? Are you trying to authenticate users on "PicketLink".
WS-Trust is generally used for "rich clients" (used for "active federation"). WS-Federation (and SAML 2.0) are typically used for web sites (used for "passive federation").
WIF can do WS-Trust and WS-Federation. It can't do SAML (the protocol). Confusion is often augmented by the fact that people use the word SAML to refer both to the protocol and the token format. WS-Federation uses SAML tokens. WIF understands SAML Tokens.