PingFederate OpenID/OAuth 2.0 integration with WebLogic 10.3.6 - security

Our project has a requirement to implement SSO in a legacy application (running in WebLogic) and a new microservices/Angular application, using PF OpenID/OAuth 2.0.
The new application is using the OpenID/OAuth 2.0 endpoint to authenticate/authorise. When I navigate to the legacy application from the new application, I should be able to pass the JWT token without being asked to log in, and create a user session in the legacy application. Also, when I log in first to the legacy application running in WebLogic, I should be able to authenticate the user using OpenID/OAuth 2.0 and pass the token to the new application.
Question: Is it okay to call the OpenID/OAuth 2.0 endpoint configured in PF from WebLogic and create the user session, or does PF have a WebLogic integration kit to achieve this?

Yes, I would suggest using WebLogic's OIDC functionality. Ping used to have a WebLogic integration kit, but with the addition of OAuth and OIDC to the WebLogic identity provider functionality, you're far better off using that than one of the kits.
If you don't want to use that functionality, another avenue is a WAM tool (such as Ping's PingAccess) or some functionality in a proxy like nginx or Apache in front of your application servers.

Related

How to integrate ADFS with web page

I am making a webpage that needs an SSO feature with ADFS. I need to know:
1. Must the web server be IIS, or is nginx/Apache also fine?
2. Should the front end talk to ADFS, or the backend?
Thanks in advance.
The architecture and environment are not important.
What is important is that the architecture implements one of the ADFS-supported protocols, i.e.:
SAML 2.0
WS-Fed
OpenID Connect / OAuth (ADFS 4.0)
Your application needs to support a client-side stack for one of the above.
E.g. for .NET, you could use WIF, OWIN OpenID Connect, OWIN WS-Fed or OWIN SAML.
For Java, you could use Spring Security (SAML).

Secure Grails Rest Api with Spring Security Rest Plugin

Can I use spring-security-rest as a replacement for OAuth? My app has a server-side part and a JavaScript client-side part, where I found that the spring-security-rest plugin fits best. But I want to be able to authenticate other apps that want to consume my service (I want to be something like an OAuth provider). Does the spring-security-rest plugin support this, or should I use another plugin?
The plugin is not a full OAuth provider. Or, said in OAuth terminology, it is not a full Authorisation Server.
In that case I recommend the Spring Security OAuth2 Provider Plugin.
If you are looking only for simplistic token-based authentication for your service, you could leverage the spring-security-rest plugin and tweak it a little based on your needs without having to implement the full-blown Spring Security OAuth2 Provider plugin. I managed to accomplish something similar by extending some of the base classes of the spring-security-rest plugin to modify the login payload and authentication, and exposed a token/validate REST endpoint. I put this up as an independent authentication service that uses the /api/login API for token generation in tandem with /token/validate to accomplish some kind of validation on the token. Not a full-blown OAuth scenario, but it serves the purpose of authentication between consumer and provider services.

Implementing an SSO solution for a node.js application

We would like to develop a new node.js-based application using some SSO technology.
More applications will join afterwards, using the same SSO infrastructure and logic.
We do not have specific requirements on the SSO itself, but it needs to authenticate users:
via a local DB (managing user names and passwords)
via our enterprise AD
via some external/federated SSO (I guess via SAML or so)
Also, if it supported XACML, that would be great.
I believe one of the most complete solutions on the market is the WSO2 Identity Server, but we would be open to others too.
The main question, though, is simply:
Is it possible to have such a solution in node.js?
Or do we need to shield node.js behind some (Apache) server to get SSO?
What would be the best approach?
Any input would be appreciated.
I've used Azure Active Directory in my node.js projects for authentication; this might work, as you are using Active Directory. Here is a sample.

Best ADFS protocol support for node js

I am completely new to ADFS. I need to access the ADFS server through node.js. I am searching for good reference notes, with implementation. Also, suggest which protocol is best for requesting. Video tutorials are also helpful.
I assume what you want is to authenticate users in AD (via ADFS) for your node.js-based web app. I'd recommend looking first at passport.js.
ADFS supports 2 protocols for web sites: WS-Federation or SAML-P. WS-Fed might be simpler. We open-sourced the strategy for WS-Fed and SAML that we use in our product. A strategy is essentially a plug-in for passport.
That strategy should give you a good start.
ADFS v3.0 exposes OAuth2.
You could use Passport.js with OAuth support or Kong with OAuth support.
You could go the ADFS 2016 OpenID Connect route for ease of implementation (passport.js; only a feature request for Kong).
If you're going the Azure route, there's one (passport-azure-ad, by the Windows Azure team) specifically for that.
It includes OpenID Connect, WS-Federation and SAML-P authentication and authorization.
Otherwise (version constraints etc.), I recommend Eugenio Pace's answer.
Then check this; it is a complete solution (not a video tutorial):
Using Active Directory Federation Services to Authenticate / Authorize Node.js Apps in Windows Azure
http://seroter.wordpress.com/2013/04/22/using-active-directory-federation-services-to-authenticate-authorize-node-js-apps-in-windows-azure/
A pretty fresh tutorial (2013/04/22).

Can I use Sun's OpenSSO Apache WebAgent to integrate to a CA SiteMinder Policy Server?

The official Web Agents user documentation does not state which version of SAML is supported. I am trying to integrate this with a Policy Server that is not running Sun's OpenSSO policy server, so my only requirement is to support SAML 2.0. Has anyone had experience with this type of setup?
Generally, no, you can't use an agent from one with a policy server from the other. The Agent <--> Policy Server protocol is not a standard protocol.
However, if you are looking to set up federation between a SiteMinder instance and an OpenSSO instance, you might have more luck. Here is an article from Sun describing one scenario for setting it up.
OpenSSO supports both SAML 2.0 and SAML 1.1, if this helps.