OpenAM redirects to Default IDP URL when user is not found as SP - openam

Setup:
My web application has OpenAM + OpenDJ interacting with a federation server in order to provide an SSO service through SAML2. The list of users who are authorised to access my application is part of the OpenDJ.
How it works:
When the user launches the link for the first time and the application determines that he has not logged in, the user is redirected to the IDP URL to authenticate. The IDP provides the SAML2 response through the Consumer URL exposed. On receiving the SAML2 response, my application determines if the user is part of my LDAP and thereby allowed to access, and shows a home page if he has access.
Problem:
When the user is not part of my LDAP, I would like to throw up an Access Denied page; however, I find that OpenAM throws the default IDP-initiated login page with a goto parameter to my URL.
I've tried to have success and failure URLs configured, but it results in the application not being completely accessible. The users are not even shown the IDP login screen.
Is there a property or configuration I need to set to enable OpenAM to show the Access Denied page instead of the IDP login?

I was able to get this working through changes/redirection on the web server. Though I am not sure if there is a place within OpenAM config to solve this.

Related

How to programmatically log in with SAML2 against Microsoft Azure?

We have a Java application running on Wildfly. We use the Redhat Keycloak adapter to authenticate against Microsoft Azure via SAML2.
This works fine for users. For example, if a user opens the application:
The Keycloak SAML2 adapter redirects the user to the Microsoft login page (https://login.microsoftonline.com/...) with the SAMLRequest.
The user can log in with userid/password.
And the user is redirected back to the Wildfly app. The user is now authenticated in Wildfly and a JSESSIONID is used for further requests as usual.
But how can I log in programmatically? I have, for example, backend services which need to request data from the app. I already tried to implement a Java RequestFilter, but this works only until the point I get redirected to the Microsoft login page for users. This login page consists only of JavaScript (!) and I cannot post my UserID/Password to get redirected back.
Does somebody know how to do an Azure AD login in Java or with curl? Or is there any alternative URL for the login not based on JavaScript - maybe some REST API?

Optional sign in + SSO with azure ad b2c

I have an application which has multiple frontend SPAs (mostly React). They allow the user to sign in if they want to access privileged features, but an unauthenticated user is still able to access the site. Each SPA will access some backend APIs using a token if they are authenticated. All of these sites should function transparently when it comes to login, so if you log in on one site, it should be automatically propagated to all the sites (SSO).
When a site first loads we want to get the token for the user if they are logged in with SSO. If we use the redirect flow and the user isn't signed in, we will end up on the sign-in page, which isn't what we want as we allow anonymous access. We only want to show the login page if the user explicitly clicks the login link on a site.
Is there a way to check if the user is logged into SSO without redirecting to the login page?
We have looked at ssoSilent (from MSAL), which functionally does what we want; however, it's only supported via third-party cookies, which don't work in some browsers.
I have thought perhaps we could redirect to a silent login page which, if the user isn't logged in, will just redirect back with an anonymous flag in the query string, but I don't know if there's a way to do this with Azure B2C.
The only method is ssoSilent(), or your own implementation of it via iframe. It should work as long as your app is on the same root domain as the AAD B2C login page, which you can do with the Custom Domain feature.
There is no API endpoint available to do what you want.

Azure AD B2C custom policy with KMSI, auto sign-in not working after browser close

I have created an Azure AD B2C custom sign-in policy with the KMSI (keep me signed in) option, and I am using it in a Blazor Server application,
but automatic sign-in is not working after browser close; I need to click the 'Login' button.
After clicking the login button there is no need to enter credentials again, if the KMSI check box was checked at the time of the previous sign-in.
But I want to sign in automatically if the KMSI check box was checked at the time of sign-in.
Could you check the authorization request the app sends to Azure AD B2C, whether it contains the prompt=login query string parameter? If yes, please make sure to remove this param.
This is expected: your app cookie is not persisted, so the app has no idea you're still logged in at B2C. Therefore you have to click login in the app and then you get SSO through AAD B2C.
You could maintain a cookie set by the app to automatically send the user via the login endpoint if they had signed in previously with KMSI. You can use a claims resolver to send the KMSI claim into the token so your app can understand the user logged in with KMSI.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview
I tested KMSI functionality on my side, and I can repro your symptom. My test is based on this demo: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi
This is my test process below:
Registering a local account.
Logging in with this account, and enabling KMSI.
I logged in successfully:
Close the browser, reopen it and go to my app index; my index page is allowed to be visited anonymously, so it does not know who I am. I think this is the issue that you are concerned about:
But when I click the "Claims" tab, which requires users to be authenticated, it redirects to my B2C domain:
As I enabled KMSI, there is a cookie under my B2C domain:
As this cookie exists, B2C will provide me with the resource I requested: the B2C side sends a request to the redirect URL with the id token and code:
Finally, it redirects to the "Claims" page and this app knows who I am:
In a word, there are two kinds of sessions here: a session between the user and B2C, and a session between the user and your application.
Once you close your browser, by default you will lose the cookie for that user on your application, so when users access a page of your app that needs no auth after reopening the browser, there will be no cookie and your application will not know the user. But on the B2C side, this cookie will be persisted there due to KMSI. Only when users request some functionality that needs to be authenticated on your app will users be redirected to the B2C domain, and B2C sending the users' information to your app will make KMSI work.
In my opinion, maybe extending the lifetime of your application cookie would be a solution here. At the same time, you also need to extend the session timeout to make sure that your application can recognize that long-lifetime cookie. But as we know, it will consume a lot of server RAM if it holds lots of sessions.
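The two answers above describe two separate sessions (app cookie vs. B2C cookie) and suggest an app-side hint cookie so that a user who previously signed in with KMSI is sent through the login endpoint automatically. The following is an added example, not code from the question, the answers or the Azure-Samples demo: a small Python stand-in for the app's request pipeline (the Blazor app's middleware would play this role). The cookie names `app_session` and `kmsi_hint`, the claim name `kmsi`, the `/login` route and the public paths are all assumptions; the claim is taken from a claims dictionary that the OIDC middleware has already validated.

```python
from http.cookies import SimpleCookie
from urllib.parse import quote

APP_SESSION_COOKIE = "app_session"  # assumed name of the app's own auth cookie
KMSI_HINT_COOKIE = "kmsi_hint"      # hypothetical persistent hint cookie set by the app
KMSI_CLAIM = "kmsi"                 # hypothetical claim emitted by the custom policy
LOGIN_ROUTE = "/login"              # assumed app route that starts the B2C redirect
PUBLIC_PATHS = {"/", "/about"}      # assumed pages that allow anonymous access


def kmsi_hint_set_cookie(claims, max_age_days=30):
    """Set-Cookie value for the hint, or None when the user did not tick KMSI.

    `claims` is the validated id-token payload. The hint is persistent
    (Max-Age), so it survives a browser close unlike the app session cookie.
    """
    if claims.get(KMSI_CLAIM) not in (True, "true", "True"):
        return None
    max_age = max_age_days * 86400
    return (f"{KMSI_HINT_COOKIE}=1; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def kmsi_hint_clear_cookie():
    """Clear the hint (on sign-out, or when the automatic login did not succeed)."""
    return f"{KMSI_HINT_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"


def route_request(path, cookie_header=""):
    """Decide what to do with an incoming request.

    Returns ("serve", path) for an authenticated user,
            ("serve_anonymous", path) for a public page with no hint,
            ("redirect", url) to start the B2C login.
    """
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    login_url = f"{LOGIN_ROUTE}?returnUrl={quote(path, safe='')}"

    if APP_SESSION_COOKIE in cookies:
        return ("serve", path)               # app session exists: nothing to do
    if path == LOGIN_ROUTE:
        return ("serve", path)               # never redirect the login route to itself
    hint = cookies.get(KMSI_HINT_COOKIE)
    if hint is not None and hint.value == "1":
        # User signed in earlier with KMSI: go via the login endpoint so the
        # B2C-side KMSI cookie completes the sign-in without a click.
        return ("redirect", login_url)
    if path in PUBLIC_PATHS:
        return ("serve_anonymous", path)
    return ("redirect", login_url)           # protected page, no session, no hint


def login_callback_headers(claims):
    """Set-Cookie headers to emit when the B2C redirect returns.

    `claims` is None when no token came back (user had signed out at B2C);
    clearing the hint then prevents a redirect loop on the next request.
    """
    if claims is None:
        return [kmsi_hint_clear_cookie()]
    headers = [f"{APP_SESSION_COOKIE}=<session id>; Path=/; Secure; HttpOnly; SameSite=Lax"]
    hint = kmsi_hint_set_cookie(claims)
    headers.append(hint if hint else kmsi_hint_clear_cookie())
    return headers
```

The hint cookie carries no identity; it only tells the app to try the B2C round trip before rendering an anonymous page, so a lost or forged hint costs at most one redirect.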

How to integrate two disparate websites with a common login without exposing passwords?

I have a website, call it "Site One", in which users create accounts with a username and password. For security, I then salt and hash the user's password and store it in a SQL database. It all works great.
Now enter "Site Two", which is written by a different company. We would like to integrate the two apps so that if a user is logged into Site Two, they would be able to:
Create an account on Site One through a Web API.
Have a one-click seamless login from Site Two back to Site One.
Is this achievable without Site Two being able to store and retrieve the password from the user account that they created? The only way I can think of this working is that after Site Two makes the Web API call to Site One to create an account, Site Two would have to be able to store the password which was used to create that account in the first place, thus opening a big security hole in case someone was able to get hold of the password.
I suppose as an added security layer, I could prevent that password from being used except when the login info is posted from a known IP address, but I'm not sure if this is enough protection.
Consider implementing single sign-on (SSO) using SAML 2.0, where Site One is an Identity Provider (IdP) and Site Two is a Service Provider (SP).
Assuming that users will visit Site Two first, you would want to implement Service Provider initiated SSO on Site Two. The effect of this would be that whenever a user requests a secured resource on Site Two, the user would be directed to Site One, which would prompt the user for a username and password. Once authenticated, the user would be redirected back to Site Two to access the secured resource that the user originally requested.
An overview taken from OASIS SAML 2.0 documentation:
The user attempts to access a resource on sp.example.com. The user does not have a valid logon session (i.e. security context) on this site. The SP saves the requested resource URL in local state information that can be saved across the web SSO exchange.
The SP sends an HTTP redirect response to the browser (HTTP status 302 or 303). The Location HTTP header contains the destination URI of the Sign-On Service at the identity provider.
The Single Sign-On Service determines whether the user has an existing logon security context at the identity provider that meets the default or requested authentication policy requirements. If not, the IdP interacts with the browser to challenge the user to provide valid credentials.
The user provides valid credentials and a local logon security context is created for the user at the IdP.
The IdP Single Sign-On Service builds a SAML assertion representing the user's logon security context. The Single Sign-On Service sends the HTML form back to the browser in the HTTP response.
The browser, due either to a user action or execution of an “auto-submit” script, issues an HTTP POST request to send the form to the SP's Assertion Consumer Service.
An access check is made to establish whether the user has the correct authorization to access the resource. If the access check passes, the resource is then returned to the browser.
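The seven OASIS steps above are easier to follow with both parties on one screen. What follows is an added example, not code from the answer, the OASIS document or any of the products on this page: a Python walk-through of SP-initiated SSO in which the SP saves the requested URL under a RelayState token, encodes an AuthnRequest with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), a simulated IdP answers with a Response carrying a bearer assertion, and the SP's Assertion Consumer Service checks InResponseTo, Recipient, Audience and expiry before doing its own access check (step 7). All hostnames and entity IDs are placeholders. XML-DSig verification is deliberately left to a real SAML library; the consumer takes its result as the `signature_verified` argument and refuses anything unverified. The final access check also shows the "authenticated at the IdP but not authorised at the SP" case that the first question on this page is about.

```python
import base64
import datetime as dt
import secrets
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Placeholder endpoints for the two parties (assumptions, not real hosts).
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/sso"

# Steps 1-2 (SP): remember the requested resource keyed by a random RelayState,
# together with the AuthnRequest ID so the Response can be matched later.
_pending = {}


def _stamp(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def sp_start_sso(requested_url, now):
    request_id = "_" + uuid.uuid4().hex
    relay_state = secrets.token_urlsafe(16)
    _pending[relay_state] = {"id": request_id, "url": requested_url}
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": _stamp(now),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(ET.tostring(req)) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode(),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"   # Location header of the 302


# Steps 3-5 (IdP, simulated): decode the request and issue a Response for the
# user who just authenticated. A real IdP would sign this Response.
def idp_decode_request(redirect_url):
    qs = parse_qs(urlparse(redirect_url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    req = ET.fromstring(zlib.decompress(raw, -15))
    return req.get("ID"), req.get("AssertionConsumerServiceURL"), qs["RelayState"][0]


def idp_build_response(in_response_to, acs_url, name_id, now, lifetime_s=300):
    expiry = _stamp(now + dt.timedelta(seconds=lifetime_s))
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _stamp(now),
        "Destination": acs_url, "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _stamp(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = name_id
    sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation",
                       {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData", {
        "InResponseTo": in_response_to, "Recipient": acs_url, "NotOnOrAfter": expiry})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         {"NotBefore": _stamp(now), "NotOnOrAfter": expiry})
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{SAML}}}Audience").text = SP_ENTITY_ID
    return base64.b64encode(ET.tostring(resp)).decode()   # value of the auto-submitted form field


# Steps 6-7 (SP ACS): validate the Response, then apply the SP's own authorization.
def sp_consume_response(saml_response_b64, relay_state, allowed_users, signature_verified, now):
    # signature_verified must be the result of a real XML-DSig check (SAML library);
    # this example does not implement one and rejects anything not verified.
    if not signature_verified:
        return {"status": "rejected", "reason": "unverified signature"}
    state = _pending.pop(relay_state, None)      # one-shot: blocks replay of the RelayState
    if state is None:
        return {"status": "rejected", "reason": "unknown RelayState"}
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    a = resp.find(f"{{{SAML}}}Assertion")
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    cond = a.find(f"{{{SAML}}}Conditions")
    audience = cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")
    checks = {
        "in_response_to": resp.get("InResponseTo") == state["id"] == scd.get("InResponseTo"),
        "recipient": resp.get("Destination") == SP_ACS_URL == scd.get("Recipient"),
        "audience": audience == SP_ENTITY_ID,
        "not_expired": _stamp(now) < cond.get("NotOnOrAfter"),   # same fixed-width format
    }
    failed = [name for name, ok in checks.items() if not ok]
    if failed:
        return {"status": "rejected", "reason": ",".join(failed)}
    user = a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if user not in allowed_users:                # step 7: authenticated but not authorised
        return {"status": "denied", "user": user}
    return {"status": "ok", "user": user, "redirect_to": state["url"]}


def demo(user, consume_delay_s=5):
    """Run the whole exchange for one user; constructed sample data, fixed clock."""
    now = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
    url = sp_start_sso("https://sp.example.com/reports", now)
    req_id, acs, relay = idp_decode_request(url)
    response = idp_build_response(req_id, acs, user, now)
    later = now + dt.timedelta(seconds=consume_delay_s)
    return sp_consume_response(response, relay, {"alice@example.com"}, True, later)
```

Running `demo("alice@example.com")` ends in the "ok" branch with the originally requested URL; a user the IdP knows but the SP does not gets "denied" rather than a second login page, which is the behaviour the first question asks for; a RelayState presented twice, or a Response consumed after NotOnOrAfter, is rejected.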

Azure AD : AADSTS50003: No signing key is configured

I configured Azure AD as an identity provider for my organization's application
as specified in the blog below:
Bring your own app with Azure AD Self-Service SAML configuration
I created an application under Active Directory and configured single sign-on (SAML2) for it as below:
SIGN ON URL
https://abc.xxxx.com/myapp/saml/ssoRequest?ticket=kcflmlmnpgg
ISSUER URL
https://abc.xxxx.com
REPLY URL
https://abc.xxxx.com/myapp/ssoResponse
Whenever I try to access the application, it's redirecting the request to Azure login. But I am getting a bad request error and it's showing the message below:
AADSTS50003: No signing key is configured.
Whenever I try to access my application, it is redirecting me to the Azure login page. It asks me to log in, if I am not already logged in, and after login the above error is thrown. If I am already logged in, the error is shown directly.
Am I missing something in the configuration?
The request was not signed. After signing the request it started working.
