We have a vendor membership management solution to manage our members, Netforum Pro. They provide a Web API via Rest or Soap for external applications to authenticate.
We would like to use Moodle as Learning Management System for our members. However, Moodle has an authentication plugin for SAML.
Can we use OneLogin as a middle agent in this situation?
Thanks
Linh N.
OneLogin acts as Identity Provider and has toolkits that will help you authenticate requests when used by application providers. In your case it looks like Moodle has already the functionality that you would implement with the OL toolkit and that NetForum is the Identity Provider. So using OneLogin won't help much.
You should look into http://documentation.abila.com/netforum-enterprise/2017.1/Content/Admin/Security/SAML.htm
Related
Current State: I have a mobile application that signs users into Azure AD via OAuth using the PKCE flow. Once authenticated, the app uses a token to get various forms of data from some APIs.
As the application has evolved, the need to integrate SSO with another web application has come up (and there will be further service providers added as we move forward). It will act as a service provider and it supports IDP initiated authentication via SAML.
Question: once this service provider is configured under the AD tenant, is there a way to exchange or translate our OAuth token for something that can be passed on to the the SAML SP without having to re-authenticate? Am I even thinking about this in the right way? I'm mainly curious if we will need to re-implement authentication in the mobile app to support SAML (i.e. stand up some sort of web-based SAML service that can act as a proxy for the mobile application)? If that route is a necessity to accomplish our requirements, I'm assuming there's a way to still get a valid OAuth or equivalent token we can use to send to our APIs.
Apologies if this is a repeat question, but I couldn't find anything with similar specifics. Thanks in advance!
You can surely use the OAuth 2.0 OBO flow that allows an OAuth2-based application to access web service API endpoints that consume SAML tokens. You can read more here and it has some really good guidance on how to achieve the same:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#saml-assertions-obtained-with-an-oauth20-obo-flow
Make sure that you SAML request is well formulated per the details mentioned here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol
So I recently started exploring Azure Identity Platform for this user authorization use case I'm trying to implement. After a bit of research I came across using Graph API and creating ROPC flows to handle SingUp and Login via REST API from my application. My requirement is also to allow users to use login credentials from another app (I'm not sure yet if it implements a SAML based Identity Provider method) to use services in my application. This is a typical SSO requirement, but I'm not sure if it is possible to implement alongside username-password based authentication using Azure AD B2C.
I would appreciate any leads. Thank you.
Edit: To be more precise, I am working with Java-Spring. The demo application mentioned in Azure AD documentation (Woodgrove groceries) is exactly what I'm trying to achieve. A quick google search for the same provides me with github repos with sample code that uses .Net I believe. Are there any Java sample codes that demonstrate the same?
ROPC does not support SSO if that's what you want to achieve.
Kinda new to this area of customizable sign-in/sign-up.
I'm currently planning to use social sing-in/sign-up in my Web API project, that handles backend process for my Web App and Desktop Client. I found it is easy to add a OpenID Connect provider to my Identity Provider, but am not sure how can I add OAuth2 provider. Is there a good example or tutorial on this topic?
Also, according to this and that post, it is recommended to use OAuth2 for native apps and OpenID Connect for Web API/Web Apps. Unfortunately the organization whose authentication I'd like to let customers use doesn't provide OpenID Connect. Is this still fine for my scenario?
This sample should be able to help you achieve what you are looking for. It uses the OAuth2.0 authorization code grant with confidential client and ADAL to obtain access tokens for the web app to call the Graph API with the user's identity.
This reference on authentication scenarios should also be useful to you.
I am new to OpenAM and trying to secure my webservices using OpenAM. I have installed J2EE policy agents using below information in the link.
https://wikis.forgerock.org/confluence/display/openam/Installing+Tomcat+6.0+Policy+Agent
I need to provide security for my REST APIs. So where should we need to configure the REST APIs in the OpenAM console.
Please provide me some links where i get some information.
OpenAM policy agents are the OpenAM proprietary way to achieve (Web)SSO and authorizations. You could configure URL policies as described in the docs https://backstage.forgerock.com/#!/docs/openam/13/admin-guide#chap-authz-policy, however the REST client must obtain an SSOToken and send this along when accessing the REST service.
You could also use OAuth2 which would be a standards-based approach.
I am looking at Windows Azure ACS as an alternative to implementing my own username / password scheme in my app. This will be a publicly available website.
In addition to using SSO providers such as Google or Facebook, can I use Windows Azure ACS to support username/password authentication?
I see that it supports Active Directory as a provider. I am not sure this is the right thing as I have always thought of Active Directory as an "enterprise" provider.
Windows Azure ACS does not support username/password authentication in the form you need. Shahin outlined it in details.
Your options really are:
Windows Azure Active Directory (WAAD)
Identity Server (IdSVR)
While classic on-premises Active Directory deployed with a Domain Controller option is indeed quite enterprisy, WAAD is not exact copy of the same in the Cloud. I would actually recommend that you give a shot and try out. Using the WAAD Graph API you can fully automate user management in WAAD.
Your second option is based on IdSVR. This is full-featured Identity Server and Security Token Service. It is developed against the best practices in security and is quite easily extensible! While it does not provide out of the box support for user management (user registration, password reset, etc.) it is ASP.NET MVC 4 application. So you can very easily add this features yourself. There actually is an open enhancement planned for User Management API and UI.
Both WAAD and IdSVR integrate well with ACS, so you can provide seamless support for social identities along with own login.
Another service that is still in Beta/Preview is the SocialSTS project. It is kind of extension to Azure ACS and is designed to help you add more identity providers (such as LinkedIn, Twitter, GitHUB, Amazon Login, etc) to your Access Control Service.
You can authenticate directly with the ACS by using Service Identities, but they are not intended to be used for end-user authentication, as the page explains:
Service identities are not intended to be used as end-user credentials. In ACS, service identities are most commonly used in REST web service scenarios, over the OAuth WRAP protocol, where a client requests a SWT token directly from ACS to present to the web service.
I believe this is the only way to directly get a token from the ACS.