Where is the SP metadata xml in jhipster-generated app? - jhipster

I've created an app using JHipster with Okta integration. I have it working against my own free Okta server, and now it is time to integrate with my customer's server. They are asking me for my SP metadata XML, the list of attributes to be sent in the SAML response, and the unique identifier to be passed in the SAML subject NameID. I had thought that the unique identifier was something that they would give to me, and I would put it in my config file. I don't know where to find the other pieces.
Where do I find or generate the pieces they are looking for?

JHipster supports Okta, but only via OIDC. It does not support Okta's SAML integration out-of-the-box.
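Whatever stack ends up producing it, the three things the customer asked for (entityID and ACS endpoint, the NameID format, and the requested attributes) all live in one SP metadata document. As an added illustration that is not JHipster or Okta code, this builds and reads back such a document with only the Python standard library; every URL and attribute name is a constructed placeholder.

```python
# Added example: build a minimal SAML 2.0 SP metadata document with the Python
# standard library. Not JHipster/Okta code; every URL and attribute name is a
# constructed placeholder.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

def build_sp_metadata(entity_id, acs_url, nameid_format, attributes, service_name="app"):
    """attributes: list of (attribute_name, required) pairs the SP wants in the response."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    # Ask the IdP to sign assertions; the SP library must then actually verify them.
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
                       AuthnRequestsSigned="true", WantAssertionsSigned="true")
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = nameid_format  # subject NameID
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",          # where POSTs land
                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                  Location=acs_url, index="0", isDefault="true")
    acs = ET.SubElement(sp, f"{{{MD}}}AttributeConsumingService", index="0")
    name = ET.SubElement(acs, f"{{{MD}}}ServiceName")
    name.set("{http://www.w3.org/XML/1998/namespace}lang", "en")
    name.text = service_name
    for attr_name, required in attributes:  # the "list of attributes" the IdP asked for
        ET.SubElement(acs, f"{{{MD}}}RequestedAttribute", Name=attr_name,
                      NameFormat=URI_FORMAT, isRequired="true" if required else "false")
    return ET.tostring(ed, encoding="utf-8", xml_declaration=True)

def summarize_sp_metadata(xml_bytes):
    """Read back the values an IdP administrator needs when registering this SP."""
    root = ET.fromstring(xml_bytes)
    ns = {"md": MD}
    sp = root.find("md:SPSSODescriptor", ns)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": sp.find("md:AssertionConsumerService", ns).get("Location"),
        "nameid_format": sp.findtext("md:NameIDFormat", namespaces=ns),
        "want_signed": sp.get("WantAssertionsSigned") == "true",
        "attributes": [ra.get("Name") for ra in
                       sp.iterfind("md:AttributeConsumingService/md:RequestedAttribute", ns)],
    }

if __name__ == "__main__":
    xml = build_sp_metadata("https://sp.example.test/saml/metadata",
                            "https://sp.example.test/saml/acs", NAMEID_EMAIL,
                            [("mail", True), ("givenName", False), ("role", True)])
    print(xml.decode())
    print(summarize_sp_metadata(xml))
```

A real SP library would also embed the SP's signing and encryption certificates in a KeyDescriptor; this block only covers the three items the question asks about.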

Related

How to generate Authentication Token in Cognos Analytics 11.x

I am very new to IBM Cognos. I want to fetch the metadata from a Cognos environment (cloud/on-prem) into my Java application: metadata like reports, dashboards, data sources, namespaces, etc. I am ready to use the Java SDK or REST services. So I want to know how to authenticate from the REST interface, and whether there is a way to create a client ID and client secret, or whether I should just get the authorization token based on username and password and use that token in subsequent calls. Or, if via the Java SDK, please let me know where I can get the SDK. Whichever way, please help me move forward.
Thanks,
Kranthi kiran.
There is a host of knowledge about accessing Cognos via the SDK available in the Cognos SDK documentation. The SDK JARs can be found in the Cognos installation itself (<Cognos root>/sdk), but you will probably want a little orientation from the docs to get started.
The above references the traditional Cognos SOAP SDK (accessible via Java). Cognos does offer a REST API, but it does not access all the various objects' metadata yet (as of 11.2).
For authentication, specifically, this will depend a little on whether you have a traditional namespace like LDAP or Active Directory (or even a Custom Authentication Provider). In this case, you'll wind up logging in to Cognos using the username and password, at which time Cognos will issue a CAM passport token. This token can be used for the remainder of the session. If you have an OpenID Connect namespace (e.g. Okta, ADFS, IBMid, etc.) things get a little more complicated.
IBM Cognos Analytics introduced support for two-factor authentication through an OpenID Connect (OIDC) namespace. More information on Cognos OIDC configuration can be found here: Configuring an OpenID Connect namespace. Many customers have existing automation applications or integrations through the Cognos SDK or REST APIs. When moving to two-factor authentication they struggle to implement logon to their OIDC namespace through the SDK. Depending on the OIDC provider, there are two main cases:
OIDC provider supports password grant, like OKTA:
...
OIDC provider does not support password grant, like IBMId.

Azure SAML Authentication in Flask Web App

I'm trying to configure SAML authentication with Azure in a Flask web service.
It's the first time I'm doing this and I'm a bit lost.
I'm trying to use the 'SAML_METADA_URL' provided in Azure, but I don't know what to configure on the Python side.
In Azure everything seems to be set up: the app was added, I have the client ID and client secret, etc.
Does anyone know a good and specific tutorial for this?
Thanks in advance
You can refer to the SAML-enabled Python application guide, which explains how to use PySAML2 to add Okta support (via SAML) to an application written in Python, and refer to the steps for implementing a SAML SP in Python/Flask.
In addition, OneLogin also provides a SAML Python toolkit; I believe it will also be helpful to you here.

How to include configured claims in ADFS (as IDP) metadata.xml or know them in advance (before the profile object returned)?

I am using SAML SSO with ADFS (as IdP). In the ADFS UI I configured all the needed data for my SP (third-party) application, including roles (claims).
Now in ADFS there is an option to copy a link to the federation metadata XML with all of my configured data.
My problem is: in this metadata XML link ADFS gave me, I can't find the roles (claims) that I defined (I can see them in the profile response object that is returned after a successful authentication, but not in the metadata XML).
My questions are:
1. Should the ADFS metadata XML include my claims?
2. If yes, can you please explain how I can include them?
3. Otherwise, can you suggest a way for me to know which claims (keys) are going to be returned in the profile object on the front end?
Thanks.
No - metadata is server-specific, not user-specific.
You only get the claims you configure on ADFS.

Azure AD Login/logout implementation for Spring cloud microservices

I want to implement login and logout functionality and retrieve user details like username and user role using Azure Active Directory.
We are using Docker to deploy a Spring Cloud microservices project on Azure cloud. Could you please suggest the steps to get user details?
Do we need to secure all microservice endpoints using Spring Cloud OAuth2 security with JWT, or can we secure just one web microservice? Do I need any permission or specific user roles to implement this?
You can find Azure's documentation about OAuth 2.0 support for AAD here
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-protocols-oauth-code
I've got an application that's using OAuth 2.0 with a different Authentication Server, and I'm about to see if I can use AAD as the Authentication Server. But, whatever ends up being your Auth Server, the rest of the application should be the same...
The Auth Server handles the log in (typically as a Single-Sign On pattern)
The Auth Server will return a JSON Web Token (at some point, depending on the Grant Type being used to retrieve it)
The JWT should be included in each subsequent request to ensure the caller has authorization
From a Spring perspective, you'll need at least an SSO Client (denoted by the @EnableOAuthSSO annotation). If everything is hosted by that process, you'll need that JWT to call subsequent methods. If you have services hosted in other processes, it's likely you'll want them secured as well. Using the @EnableResourceServer annotation will configure Spring Security to look for the JWT, just not attempt to retrieve one if the request does not have it.
Unless the endpoint is meant to be publicly accessible, you will want to secure it. Of course, I really don't know the context of your application, so this statement is purely an uninformed opinion based on zero knowledge of what you're trying to do with your application. Take it for what it's worth.
EDIT
This has become a little more complex than I originally thought. I have been able to write some code to dynamically retrieve the public key from Microsoft in order to validate the returned JWT.
But, the main issue is the fact the Azure AD supports Open Id Connect when acting as an Identity/Authentication Server. And, at the moment, spring-security-oauth2 doesn't support Open Id Connect.
I was able to make some small changes to the Spring code, but I did ask the question to the Spring group and they are actively working on adding support for Open Id Connect. They hope to have a release in two months (ish?).
For the short term, the oauth2 support doesn't support Open Id Connect. Given this is the protocol used by AAD, the current version of oauth2 won't work with AAD. That said, I will be happy to wait for the official support, which shouldn't be too long.

How to retrieve user attributes through SAML in WSO2 Identity Server

I'm doing a sample webapp that authenticates against WSO2 Identity Server through SAML. It works fine, but now I want to retrieve user attributes and roles for authorization and I'm completely lost.
Reading some SAML docs I know that I must send an AttributeQuery request, but not how, and I've gathered that I should use a SOAP request, but I don't know how the server works. I don't know if WSO2-IS offers a web service or another method. If yes, which would be the WSDL URL to generate the client? And if not, which method should I follow? It could also be possible that the same authentication response includes the user attributes.
Thank you for your help and sorry if the solution is obvious. I haven't found anything about this in your docs and I'm not familiar with security environments, and I don't understand all the options the admin console shows.
While an attribute request can be sent to get the details of one or more user attributes, you can get all the information through one call (the authentication request): all the attributes of the user (attributes in the default profile) and the roles of the user.
There is a basic demo application available.
To get attributes, you should use the WSO2 4.0 M8 release (which supports the attribute profile).
Once a Service Provider is registered, we can select the required attributes that should be returned. More information about this and the link to get the WSO2 4.0 M8 release can be found in the comment section of "SAML2.0 SSO with the WSO2 Identity Server".
This article provides a detailed description of how to get user details after SAML authentication.
