The case: A client asked for SSO to access their internal SharePoint applications externally (They will add Exchange later on), they do not care if the device is on the domain and they want the experience to be seamless, so anyone with a valid user name and password regardless of whatever device they are using can access the apps.
I have followed the tutorial on WSO2 website to use WSO2 Identity Server 5.3 (passive STS) as an identity provider for SharePoint 2016, and after some tinkering it worked.
https://wso2.com/library/tutorials/2015/05/tutorial-sso-for-microsoft-sharepoint-web-applications-with-wso2-identity-server/
Then I added another application in sharepoint, added it as a second service provider in WSO2 Identity serverand, added the second realm to the sharepoint trusted provider.
Now the 2 applications only work if I start a new session in my browser or clear cookies, after looking into it, when I open the second application in a different tab it is taking the URI of the first application I opened rather than the its own, and it fails as the realm setup in the second service provider does not match the realm for the application in SharePoint.
So here are my questions:
1- Am I doing the SSO using WSO2 incorrectly (Thus the tutorial title is misleading) , and is the passive STS federation , simply that, a federation and not the way to do the SSO in WSO2 Identity Server? If not, could you please tell me what exactly I need to do to fix my issue?
2- If the above is the wrong approach is using SAML Web SSO configuration the right answer? If so, what is the realm that I should use for the sharepoint applications, and is passive STS needed at all in this case?
Related
I am Using Sharepoint2019 On-Premise
I am looking to use separate .aspx page for authenticate users for Sharepoint2019,
I tried the Form-Based Authentication(https://learn.microsoft.com/en-us/previous-versions/office/sharepoint-server-2010/ee806890(v=office.14)) and it works for authentication but the user profiles are not getting synced from our current Active Directory, so i would like the go back to the windows authentication but instead of pop-up should i would like the .aspx
I want to Use this page for Windows Authentication :-
I Do Not Want This SIgn in pop-up
can any one please guide me to accomplish this task.
One suggestion to look at would be to use AD FS and Web Application Proxy. This solution would require you to configure Kerberos Constrained Delegation for the SharePoint Web Application. In addition, the WAP server(s) need to be joined to Active Directory. Finally, on AD FS you would set up a non-claims aware relying party.
DNS for your Web Application would be pointed at the WAP server (or load balancer routing to WAP) and users would log in there using an FBA experience but still using Windows auth on the back end.
You need an external system that can pass non-Windows auth and translate it to Windows auth. AD FS + WAP is one example of doing so. Because the back end is still Windows auth, other services that leverage Windows auth will continue to work without any changes to your farm.
See here :- https://learn.microsoft.com/en-us/answers/questions/153678/how-to-use-custom-login-page-aspx-as-link-fba-for.html
See https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-non-claims-aware-relying-party-trust on how to create a non-claims aware relying party.
For TLS setup, see https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn383662(v=ws.11).
it is quite tricky, as Microsoft Designed in that for the windows authentication, but any how if you can use the Form Base Authentication.
Here is the Link where Microsoft posted how to implement the Form Based Authentication.
Configure forms-based authentication for a claims-based Web application
I want to implement login and logout functionality and retrive user details like username and user role using Azure Active Directory.
We are using Docker to deploy Spring cloud microservices project on Azure cloud. Could you please suggest me steps to get user details?
Do we need to secure all microservices edge points using Spring cloud OAuth2 security using JWT or just we can secure one web microservice ? Do I need any permission ,specific user roles to implement this?
You can find Azure's documentation about OAuth 2.0 support for AAD here
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-protocols-oauth-code
I've got an application that's using OAuth 2.0 with a different Authentication Server, and I'm about to see if I can use AAD as the Authentication Server. But, whatever ends up being your Auth Server, the rest of the application should be the same...
The Auth Server handles the log in (typically as a Single-Sign On pattern)
The Auth Server will return a Json Web Token (at some point, depending on the Grant Type being used to retrieve it)
The JWT should be included in each subsequent request to ensure the caller has authorization
From a Spring perspective, you'll need at least a SSO Client (denoted by the #EnableOAuthSSO annotation). If everything in hosted by that process, you'll need that JWT to call subsequent methods. If you have processes hosted in other processes, it's likely you'll want them secured as well. Using the #EnableResourceServer annotation will configure Spring Security to look for the JWT, just not attempt to retrieve one if the request does not have it.
Unless the endpoint is meant to be publicly accessible, you will want to secure it. Of course, I really don't know the context of your application, so this statement is purely an uninformed opinion based on zero knowledge of what you're trying to do with your application. Take it for what it's worth.
EDIT
This has become a little more complex than I originally thought. I have been able to write some code to dynamically retrieve the public key from Microsoft in order to validate the returned JWT.
But, the main issue is the fact the Azure AD supports Open Id Connect when acting as an Identity/Authentication Server. And, at the moment, spring-security-oauth2 doesn't support Open Id Connect.
I was able to make some small changes to the spring code, but I did ask the question to the Spring group and they are actively working on adding support for Open Id Connect. They hope to have a release two months (ish?).
For the short term, the oauth2 support doesn't support Open Id Connect. Given this is the protocol used by AAD, the current version of oauth2 won't work with AAD. That said, I will be happy to wait for the official support which shouldn't be too long.
I have a project which has a asp.net mvc based portal which manages user authentication/authorization using Asp.net Identity API.
The project also consists of a windows service/EXE which would poll an MSMSQ queue to get new users information and would save them into the Asp.net Identity Database(used by web project mentioned above).
so my question is - "Can we use Asp.net Identity API in desktop applications too?". The requirement only arises, because user's password hash has to be created, and I am using the default one which is provided by .net framework. So if I am creating a new user into the Asp.net Identity database, then I would need to create the password hash there too.
Any ideas guys?
Identity does not take dependency directly on MVC, but it relies on OWIN to set the cookie and authentication. But if you need to check user password against stored hash, manipulate user records, etc. Why not?
You might experience a big pile of dependent packages (ASP.Net) added to your desktop project, but if you don't mind this - there is a possibility you can make it work.
On the other hand, there is Identity Server which can work with MVC project and with Desktop project - without having to add Identity directly into your desktop application - also have a look into that.
we would like to develop a new node.js based application using some SSO technology.
More applications will join then after using the same SSO infrastructure and logic.
We do not have specific requirements on the SSO itself, but it need to authenticate users
via a local DB (managing user name and passwords)
via our enterprise AD
via some external/federated SSO (I guess via SAML or so)
Also if it would support XACML it would be great.
I believe one of the most complete solutions on the market is the WSO2 Identity Server... but we would be open for others too.
The main question though is simply:
Is it possible to have such a solution in node.js?
Or do we need to shield node.js behind some (Apache) server to get SSO?
What would be the best approach?
Any inputs would be appreciated.
I've used azure active directory in my node.js projects for authentication, this might work as you are using active directory. Here is a sample.
I want to configure a WSO2 identity server as security repository for my WSO2 application server. I've read the application server online documentation but I didn't find any reference to this configuration.
Is there any tutorial?
Simple Scenario : I have a Web app configured to use Basic Auth in the web.xml file , and i want to use wso2is as the user store for authentication and authorization.
It is possible to use web service API to integrate with WSO2 Identity Server. WSO2 IS has user-mgt,entitlement APIs.For any user-mgt action and check authorization action, we can call these APIs from any product. Sorry I couldn't find any tutorial describing this.
Hope following blog post may helpful to you at some point, as it is recommend you to have external LDAP user store. It describes how to connect external LDAP with WSO2 Identity Server.
http://blog.facilelogin.com/2009/06/connecting-wso2-identity-server-20-to.html
Do you want to use the Identity Server for authentication?
Or do you just need a user store?
Or do you need a Token-Service to secure the communication between App-Server and Web-Services?
It is not clear what exactly you want to use th Identity server for. In JBoss for example you also can use authentication with an LDAP, thus you wouldn't need the Identity Server.