Currently we are evaluating a SAML solution as a corporate user authentication system.
The goal is to have only SAML as the main system without any redundancy of user data throughout different platforms.
Even if SAML authenticates the user how can the domino server create a session without mapping it to a user in the nab.
Is it somehow possible to have domino session without having the actual entry in the NAB?
And is it possible to retrieve group membership from SAML without having the actual group document in the nab?
Even if all of that works is it still possible to use these users and groups in the ACL and in readers and author fields?
The combination of SAML, and configuring Directory Assistance on the Domino server to integrate with an LDAP service that is provided by your corporate systems would allow you to accept SAML credentials for users who do not have a Person document in the Domino Directory.
But no, you can't use SAML to retrieve group membership. You can't use SAML to retrieve anything. It's not a directory query mechanism. It's only an authentication mechanism that communicates trusted identity information. You can, however, configure Domino Directory Assistance to use an external LDAP source for groups, and your local groups, ACLs and Reader/Author fields can also refer to these users.
Related
I wanted to know if there are provisions in SAML based Single Sign-On wherein I could authenticate using token provided by IdP and then once authenticated the authorization i.e. what roles/privileges the user has must be handled at the application end. This is entirely from an Azure Active Directory perspective.
Provisions in SAML based Single Sign-On
If users exist in your IdP but are not in your instance, SAML user provisioning can automatically create the users in your instance's User [sys_user] table.
SAML user provisioning is supported for SAML 2.0 Update 1 when
Multi-SSO is enabled.
How SAML user provisioning works
When SAML user provisioning is enabled and the system encounters a new user that is not in the instance, the instance automatically creates a record in a temporary table with the name u_import_saml_user_, where is an automatically generated text identifier. The system also creates transform map that specifies the data relationships between the import table and the User table. Each IdP in identified in the system has its own transform map. The transform map is created once for each IdP. Administrators can update it as necessary.
When the user logs in, they access an IdP to log in.
The system presents a list of all IdPs that are able to use SAML
user provisioning. If there is only one IdP that can use SAML user
provisioning, that one is used automatically.
If none of the above conditions are true, the system uses the
default IdP.
Administer SAML user provisioning
To update the User table with the users in your IdP, you must first set up field mapping and then enable user provisioning through Multi-SSO IdP settings
Roles/privileges
For roles privileges and User administration you could refer here
Some Benefits of Provisioning
Implementing Just-in-Time provisioning can offer the following advantages to your organization.
Reduced Administrative Costs: Provisioning over SAML allows customers to create accounts on-demand, as part of the single sign-on process. This greatly simplifies the integration work required in scenarios where users need to be dynamically provisioned, by combining the provisioning and single sign-on processes into a single message.
Increased User Adoption: Users only need to memorize a single password to acces
s both their main site and Salesforce. Users are more likely to use your Salesforce application on a regular basis.
Increased Security: Any password policies that you have established for your corporate network are also in effect for Salesforce. In addition, sending an authentication credential that is only valid for a single use can increase security for users who have access to sensitive data.
To know some more idea You could also have a look on here
Some key resource for your reference
Configuring Azure AD as a SAML IdP
SAML Guide Line
How does SAML work? IDPs & SPs
SAML terms and their purpose
Hope It would guide your way around regarding SAML implementation. Thank you very much.
We have a web application where users have to authenticate against our active directory. This works fine. But when a user already has session with another Azure Active Directory say a corporate office 365 or something, the user gets an error trying to authenticate to us.
Is there some sort of setting (a domain ID, or some sort of token ID which makes it possible to differentiate these two sessions and make it possible to use our waad as a stand alone authentication service?
Can you provide the actual error and the services you are authenticating against?
In general you can easily differentiate between different logged in users by using the login_hint in ADAL and passing the UPN of the user who you wish to access from the cache. ADAL will do the heavily lifting of looking in to the cache and prompting the user for credentials if the tokens for that user has expired.
I want to set up a website on Azure according to the following requirements and are wondering if it is even possible?
As a internal team member, I must be able to login to the site with Windows Authentication
As a external customer, I must be able to login to the site with user name and password
As a external customer, I must not be able to access a subset of the site
As a unauthorized user, I must not be able to access anything on the site
I guess I have to set up a VPN connection between Azure and the Active Directory in my company. How do I do that?
Is it at all possible to meet my requirements?
Background Information
We are a small project with about 10 team members.
We have four large customers who need access to the site, and there are a few people in each customer who needs to have access to the site.
Customers will just have read only access to static, non-sensitive information.
The team members will have write access, and will also handle some sensitive information.
** Edit **
I have now managed to create efficient synchronization of our projects local AD to Azure, thanks user18044. Unfortunately, the accounts for the team members is located in the company's AD (corp.mycompany.com), and out AD has one-way trust with it.
We have groups in the project-AD pointing to our accounts in the company's AD, but the members in the groups is not synchronizing over to Azure.
Can this be solved?
Yes, I think what you are describing is doable.
Your first two bullet points are about authentication. As Azure Active Directory does not directly support Windows Authentication, federation is the way to go here.
When you as an internal team member log on, you land on what is called a home-realm discovery page, where you pick the realm you want to authenticate in. Picking the realm of your company, you get redirected to the STS (for example ADFS) your company has set up to authenticate you. If you are in the same Windows Active Directory network as the STS is authenticating against, you should be able to use Kerberos to be issued a token.
An external customer would be redirected to another STS that would use forms authentication against a credential store to issue security tokens.
Both security tokens are then posted back to Azure Active Directory which is configured to trust both STS's and issues a token of its own. See here for an example.
As for the second two bullets, the authorization part you can do based on roles you assign to your users. Depending on which STS authenticated your user, you assign them a certain role. Based on that role you can give access to certain parts of your website or not. How to implement this depends on what stack you are using for your web application, but a Google search should give you some leads.
I've imported a bunch of users into my Active Directory with some custom fields. Then I did a profile import from Active Directory to Sharepoint with all the custom fields and regular fields. After this, I needed each user to be in a site collection with a MySite set up for them. I did that by writing some code that ensured the user existed and then checked the profile attribute "personalspace" to see if a MySite had been created. Everything worked great until some of the users needed to login from outside the network.
I'd like to get rid of the windows authentication pop-up that a user would get if they hit from outside the network (or haven't added the site to their trusted zone in IE). I've extended my web application to create an internet zone. Then I edited the web.config of the internet site to do active directory forms authentication, along with editing the Central Administrator's web.config so that it can see the data source. This is all well and good, the user can login through a nice interface. The only problem is that now the user is detached from their user profile. Essentially Sharepoint views a windows authentication user and a forms authenticated user as two separate users.
Is there a way to link the profiles? Do I have to write a custom membership provider to log a user in and then link them up to their windows account? Is there a way to log a user in from the internet web app and then spoof their windows credentials and pass it to the intranet? Do I need to recreate all the user profiles based on the forms authentication data source?
Is this what are you looking for .. http://grounding.co.za/blogs/brett/archive/2008/01/09/setting-up-dual-authentication-on-windows-sharepoint-services-3-0-forms-and-ntlm.aspx ?
See ya
I've been trying to accomplish the same thing, with exactly the same problem - the "forms-authenticated-me" is not the same as the "windows-authenticated-me" to sharepoint, and I can't see how to map the two.
After a lot of frustrating efforts, I think I've finally realized it's not possible. In retrospect, this isn't too surprising.
here's an excerpt from http://msdn.microsoft.com/en-us/library/bb975136.aspx (my emphasis added)...
Deciding to Use Forms Authentication
Some organizations want to use Windows
users and groups in SharePoint
Products and Technologies, but enter
credentials via forms authentication.
Before using forms authentication,
determine why to use forms
authentication in the first place:
What is the business driver? If user
accounts are stored in a location
other than an Active Directory domain
controller, or if Active Directory is
not available in a particular
environment, using forms
authentication with a membership
provider is a good choice. But if you
want to force logon only via forms
authentication, but still use Windows
and all of the integrated features it
provides, you should consider an
alternative such as publishing the
SharePoint site with Microsoft
Internet Security and Acceleration
(ISA) Server 2006. ISA Server 2006
allows users to log on by using a
forms authentication Web form, but
treats them like Windows users after
authentication. This implementation
provides a more consistent and
compelling experience for end users.
You can set up the Forms Authentication to use the Active Directory Forms Authentication provider. You'll get the best of both worlds.
The login prompt will be the Forms Authentication prompt that you want, but the profile and login info will come from Active Directory.
Follow these instructions to configure the provider:
How To: Use Forms Authentication with Active Directory
I want to use MOSS 2007's single sign-on feature, but read that the server needs to be in an Active Directory environment. This I understand, but does this mean all my users HAVE TO be Active Directory users? Can I not use MOSS2007 Single Sign-on if my users are authenticated using Forms Authentication (using a custom membership provider?).
You can, but you'd have to write your own SSO provider. The default one only works with Windows identities.
Edit: There's a walkthrough on MSDN for creating them, if you want to go that way.
when i connect SP server with CS server using SSO, does the roles and user permissions for SP users transfered with the user, so if i created new sp user with read role, then i accessed cs server, i will find that a role created for that user in the cs with read permissions?