I am making a webpage that needs an SSO feature with ADFS. I need to know:
1. Must the web server be IIS, or is nginx/apache also fine?
2. Should the front end talk to ADFS, or should the backend talk to ADFS?
Thanks in advance.
The architecture and environment are not important.
What is important is that the architecture implements one of the ADFS supported protocols i.e.
SAML 2.0
WS-Fed
OpenID Connect / OAuth (ADFS 4.0)
Your application needs to support a client side stack for one of the above.
e.g. for .NET, you could use WIF or OWIN OpenID Connect or OWIN WS-Fed or OWIN SAML.
For Java, you could use Spring Security (SAML).
Our project has a requirement to implement SSO in a legacy application (running in WebLogic) and a new microservices/Angular application, using PF OpenID/OAuth 2.0.
The new application is using the OpenID/OAuth 2.0 endpoint to authenticate/authorise. When I navigate to the legacy application from the new application, I should be able to pass the JWT token without being asked to log in, and create a user session in the legacy application. Also, when I log in first to the legacy application running in WebLogic, I should be able to authenticate the user using OpenID/OAuth 2.0 and pass the token to the new application.
Question: Is it okay to call the OpenID/OAuth 2.0 endpoint configured in PF from WebLogic and create the user session, or does PF have any WebLogic integration kit to achieve this?
Yes, I would suggest using WebLogic's OIDC functionality. Ping used to have a WebLogic integration kit, but with the addition of OAuth and OIDC to the WebLogic identity provider functionality, you're far better off using it than one of the kits.
If you don't want to use that functionality, another avenue is a WAM tool (such as Ping's PingAccess) or some functionality in a proxy like nginx or Apache in front of your application servers.
Within our organization, our applications are registered as RPs to our organizational ADFS server, which is v2. Traditionally, apps in the org have been built as single, monolithic apps using WS-Federation (passive authentication). Web APIs, also hosted within each app, are secured simply by the fact that the same FedAuth cookie is being sent over the wire when making the ajax calls from the app's client-side code in the browser.
We are moving towards building a set of backend Web APIs, which we want to secure so that these are callable by any client, not just a web browser and not just by the hosting application itself. As such, we want to move towards using JWT tokens for these Web APIs. We've also started using ThinkTecture's IdentityServer (v2) to help in this regard.
We have just a few questions which I'm hoping the community can help provide us with some answers/pointers:
1. How should we configure IdentityServer and apps so that the apps use the existing organizational ADFS login page?
2. How can we configure/integrate ThinkTecture IdentityServer v2 with the organizational ADFS so that our APIs can be secured using JWT tokens but without forcing the user to provide their credentials again (once they have a SAML token via WS-Federation)?
3. Are there any features in IdentityServer v3 which are compelling enough to upgrade from IdentityServer v2 to v3?
1 & 2 - You might want to check out how to establish Relying Parties. Here's a whole article from BrockAllen (the genius behind IdentityServer) that walks you through the ADFS/IdentityServer2 integration.
http://brockallen.com/2013/04/14/getting-json-web-tokens-jwts-from-adfs-via-thinktecture-identityservers-adfs-integration/
3 - As far as I know, IdentityServer3 (IS3) was written to support newer authorization frameworks (OpenID) for the modern stack better than IS2 (which doesn't support OpenID). Either is fine for use. I personally started with IS3, mainly because of the support and documentation involved. It also integrates very well with OWIN/Katana, so it can self-host reasonably well with no hiccups during implementation and deployment. One advantage IS2 has over IS3 is that IS2 has an admin UI you can use to configure and register sites; IS3 doesn't. More info about this, along with the thought process behind IS3, can be found here:
http://leastprivilege.com/2015/01/25/identityserver3-1-0-0/
We are building an application with the following attributes:
- Consists of a web app, a web API, and mobile apps in future
- The web app will contain HTML pages (multiple features that behave like single-page applications)
- The web app will talk to the web API (communicates in JSON, using jQuery AJAX calls)
- The web app + web API do not follow the standard MVC architecture
- Need to support SSO (will be using the client's Identity Provider) and forms authentication
- Mobile will be consuming the same web API
My question is around what approach we should follow for securing the application. Two of the approaches that we are contemplating are:
1. Securing the web API only: the web app is purely HTML and all the data (that needs security) will come from the web API.
   - For this, we thought of using OAuth for securing the web API.
   - Both the web app and the mobile app will first perform authentication and generate an access token (following the OAuth flow).
2. Securing the web app using forms authentication/SSO, and using HMAC authentication for authenticating the API consumer (web/mobile app).
   - This delegates the user authentication to the consumers (web and mobile app).
   - The API consumers will use HMAC for authenticating themselves.
   - How can we pass the authenticated user details to the web API? We don't want to pass it as a parameter in API calls.
Or is there any other approach that is better than the ones we evaluated above? Has anyone handled a similar situation where an HTML web app uses a Web API, and authentication happens using SSO + Forms/custom authentication?
If you have any comments agreeing/disagreeing with the two approaches, that would be welcome as well.
We understand that the web app cannot be purely HTML, and some of the SSO authentication part will have to be handled on the server side and that is ok. But the core application will be HTML + Web API.
Here is some additional information related to this:
- Using ASP.Net with Framework 4.0 (with VS2010 IDE)
- Using Web API 1, but open to switch to Web API 2
You may benefit from building an external authentication/authorization identity management component in your architecture. Your current use cases can probably be covered by the tools that come with ASP.NET, but the architecture will be hard to extend as you start adding different types of clients and SSO scenarios. Look at these articles for a more detailed explanation.
The Azure ID and Access management offering can be a good option. If you don't want to use the cloud, there are some third-party and open source identity servers available.
Here is a good free book to help you understand federated identity concepts in the context of Microsoft technologies.
I am completely new to ADFS. I need to access the ADFS server through node.js. I am searching for good reference notes, with implementation. Please also suggest which protocol is best for requests. Video tutorials are also helpful.
I assume what you want is to authenticate users in AD (via ADFS), for your nodejs based web app. I'd recommend looking first at passport.js.
ADFS supports 2 protocols for web sites: WS-Federation or SAML-P. WS-Fed might be simpler. We open sourced the strategy for WS-Fed and SAML that we use in our product. A strategy is essentially a plug-in for passport.
That strategy should give you a good start.
ADFS v3.0 exposes OAuth2.
You could use Passport.js with OAuth support or Kong with OAuth support.
You could go the ADFS 2016 OpenId Connect route for ease of implementation (passport.js, only a feature request for kong).
If you're going the Azure route, there's one (passport-azure-ad by the Windows Azure team) specifically for that.
It includes OpenID Connect, WS-Federation, and SAML-P authentication and authorization.
Otherwise (if versions disallow this, etc.), I recommend Eugenio Pace's answer.
Then check this; it is a complete solution (not a video tutorial):
Using Active Directory Federation Services to Authenticate / Authorize Node.js Apps in Windows Azure
http://seroter.wordpress.com/2013/04/22/using-active-directory-federation-services-to-authenticate-authorize-node-js-apps-in-windows-azure/
A pretty fresh tutorial (2013/04/22).
I have a Drupal site I am standing up for a client.
I've been asked to use Single Sign-On using SAML2 (where I would be the service provider and my client would be the identity provider).
The best thing I have found so far has been either
SimpleSAMLPHP https://ow.feide.no/simplesamlphp:drupal
or
Shibboleth -- http://drupal.org/project/shib_auth
From looking at the documentation from these it looks like the Shibboleth module might be further ahead, but I'm not sure that you can connect Shibboleth to SAML. Can you? Or do you need to connect to a Shibboleth identity provider?
The SimpleSAML module looks good, except it seems to require memcache which I would prefer to not use.
Thanks!
The Shibboleth project is an implementation of SAML, which is a specification of a protocol that deals with the exchange of Assertions (AKA security tokens). A Shibboleth server is an installation that talks the Identity Provider side of the SAML protocol, and it will be able to talk to any Service Provider as long as they both follow the specifications of SAML. Since this is the case for both the SimpleSAMLphp and the Shibboleth Service Provider modules, you can use either, really. So if you don't want to use memcache, you can safely choose shib_auth.