How to land to openAM/idm/EndUser - openam

I am new to OpenAM. I have an SSO URL, a username and a password. My question is: how can I land on the openAM/idm/EndUser page from my .NET application without going to the OpenAM login page? What kind of service or API should I use for that? Is there a sample demo?

not at all
The EndUser page is part of the OpenAM console, which is 'protected' by OpenAM itself. Without an OpenAM SSO tracking cookie you cannot access it.
What would be the intention to hit the OpenAM console (which should not be made public in Internet space)? Password Change? Identity Management?
Note OpenAM is NOT really an identity management / provisioning 'tool' (and is not a web-frontend to LDAP-based Directory Servers).

Related

WSO2 and sharepoint SSO setup

The case: A client asked for SSO to access their internal SharePoint applications externally (they will add Exchange later on). They do not care if the device is on the domain and they want the experience to be seamless, so anyone with a valid username and password, regardless of whatever device they are using, can access the apps.
I have followed the tutorial on WSO2 website to use WSO2 Identity Server 5.3 (passive STS) as an identity provider for SharePoint 2016, and after some tinkering it worked.
https://wso2.com/library/tutorials/2015/05/tutorial-sso-for-microsoft-sharepoint-web-applications-with-wso2-identity-server/
Then I added another application in SharePoint, added it as a second service provider in WSO2 Identity Server and added the second realm to the SharePoint trusted provider.
Now the two applications only work if I start a new session in my browser or clear cookies. After looking into it, when I open the second application in a different tab it is taking the URI of the first application I opened rather than its own, and it fails because the realm set up in the second service provider does not match the realm for the application in SharePoint.
So here are my questions:
1- Am I doing the SSO using WSO2 incorrectly (thus the tutorial title is misleading), and is the passive STS federation simply that, a federation, and not the way to do SSO in WSO2 Identity Server? If not, could you please tell me what exactly I need to do to fix my issue?
2- If the above is the wrong approach, is using the SAML Web SSO configuration the right answer? If so, what is the realm that I should use for the SharePoint applications, and is passive STS needed at all in this case?

Websphere Application Login

I was trying to register an Application Login Module in WebSphere but I can't find any easy example on the web.
There are a lot of IBM documents, but they are too complex, and I can't figure out how to register an Application Login Module.
I already have success with a System Login Module bound to WEB_INBOUND; it works, but it affects my whole system. I want a Login Module that serves only my web applications, with JAAS authentication.
I've tried to bind a login module to the existing WSLogin but it doesn't seem to be working.
Any help?
Thanks
You need to set up security domains to get the separation you are looking for with respect to the login configurations. The security framework uses the WEB_INBOUND login configuration to authenticate the user for all web applications, irrespective of adminConsole or user applications. When you create a security domain and customize the WEB_INBOUND configuration at the server/cluster domain level, it will be used for all the user web applications deployed in those processes. You need to set up the multidomain in a cell topology and assign the domain to the server/cluster where your applications are deployed.
Once you set up the domains, the WEB_INBOUND configuration at the server/cluster domain will be used by the user applications hosted in that server/cluster, while the WEB_INBOUND configuration at the admin/global domain will be used for the adminConsole application at the Deployment Manager process where it is deployed.
The application JAAS login configurations are meant to be used by the applications directly. One can create an application login configuration and programmatically use it in the application to perform a direct login:
LoginContext lc = new LoginContext("myAppLoginCfg1", callBackHandler);
I asked around and this is the answer that comes from the owner of container security:
The WEB_INBOUND is a JAAS system login that is always configured by default. However, you can specify your own JAAS application login or customize the existing WEB_INBOUND system login. If you want only one application to use a different JAAS login from all your other applications, you can use a security domain that has those different security configurations. The only catch is that the application has to be in a separate server from the other apps. That way, you can map your security domain to that server.
Here's an info center article about security domains:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/tsec_sec_domains_config.html?cp=SS7K4U_8.5.5%2F1-8-2-33-1
And one on application logins:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/rsec_logmod.html?cp=SS7K4U_8.5.5
And system logins:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/usec_sysjaas.html
And here is a much more practical answer that comes from the security dev lead:
So an additional question is: why would you want to do that? Do you want to do anything specific for just one app during login that you do not want for other app logins? (I would think so.) You can get the app name in your custom login module and can use that to provide your own app-based login requirement in your login module (or skip it) if needed.
Me: Yeah, this is what I would do. You can also implement this based on what is in the request. I did one where it would request a SAML token from an STS and put it on the runas subject if I could tell that the request came from WebSEAL (and not if it didn't).
If what you need to do for the 'app-specific' case requires skipping what is done in ltpaLoginModule and wsMapDefaultInboundLoginModule (which should run for the other apps), you can't really do that. However, you can modify their behavior.
Read through the task I've linked to below. Yes, I understand it is a WS-Security task, but it's about using APIs. You'll get what I'm talking about if you read closely, particularly the 3rd ("When a caller...") and 5th ("To use a...") paragraphs. The parts that you should be concerned about in the code are the WSCREDENTIAL* stuff.
http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/twbs_config_wssec_caller_no_reg.html

OpenAM : How to direct a user to own portal log-in page instead of openAm log-in page

Can someone please help me find the solution to the question below? I have been struggling for the last 2 days and am not able to reach a conclusive decision. [Disclaimer: I am still in a nascent phase ..:(]
Is it possible to launch our own web application (portal) login page instead of the OpenAM login page? Right now I am able to access the protected page after successful authentication on the OpenAM login page.
I was able to customize the OpenAM pages (according to our look and feel) in the OpenAM portal, but this added a dependency on the OpenAM version. I will again have to redo/copy-paste the changes in a new OpenAM version.
Any lead/pointer will be highly appreciated.
If you do not want to rely on OpenAM you have to create an auth-wrapper/interface used by your portal. The implementation can use either OpenAM's REST API or SDK to perform authentication. If you want to do SSO as well be sure to send OpenAM's SSO tracking cookie back to the client.
But if OpenAM's API changes for some reason you have to adapt the implementation as well ... so you still have some OpenAM dependency there.
If you do not want to customize OpenAM directly you could deploy OpenAM DistAuth along with your portal app ... and customize this. This allows you to customize login pages independent of OpenAM.
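As an added example (not code from any of the posts above), this is how a .NET portal can implement the auth wrapper the answer describes against OpenAM's REST API and then hand OpenAM's SSO tracking cookie back to the browser; it is also what the first question on this page (reaching an OpenAM-protected page without seeing OpenAM's own login page) needs. It assumes OpenAM's JSON authentication endpoint /json/authenticate with the X-OpenAM-Username and X-OpenAM-Password headers, the default cookie name iPlanetDirectoryPro, a placeholder base URL and cookie domain, and the DataContractJsonSerializer from the .NET Framework; none of these details come from the page.

```csharp
// Added example (not from the original posts): portal-side OpenAM authentication
// over REST, returning the SSO token as OpenAM's tracking cookie.
// Assumptions: OpenAM /json/authenticate endpoint, header-based "zero page" login,
// default cookie name iPlanetDirectoryPro, placeholder base URL and cookie domain.
using System;
using System.Net;
using System.Net.Http;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Json;
using System.Text;
using System.Threading.Tasks;
using System.Web;

[DataContract]
public class OpenAmAuthResult
{
    [DataMember(Name = "tokenId")]    public string TokenId { get; set; }
    [DataMember(Name = "successUrl")] public string SuccessUrl { get; set; }
}

public class OpenAmAuthenticator
{
    private readonly HttpClient _http = new HttpClient();
    private readonly string _openAmBase;   // e.g. "https://sso.example.invalid/openam" (placeholder)
    private readonly string _realm;

    public OpenAmAuthenticator(string openAmBase, string realm = "/")
    {
        _openAmBase = openAmBase.TrimEnd('/');
        _realm = realm;
    }

    // Credentials travel in request headers over TLS, never in the URL, so they
    // do not end up in proxy or web-server access logs.
    // Returns null on bad credentials so the caller can show a generic error.
    public async Task<OpenAmAuthResult> AuthenticateAsync(string username, string password)
    {
        var url = _openAmBase + "/json/authenticate?realm=" + Uri.EscapeDataString(_realm);
        using (var req = new HttpRequestMessage(HttpMethod.Post, url))
        {
            req.Headers.Add("X-OpenAM-Username", username);
            req.Headers.Add("X-OpenAM-Password", password);
            req.Content = new StringContent("{}", Encoding.UTF8, "application/json");

            using (var resp = await _http.SendAsync(req).ConfigureAwait(false))
            {
                if (resp.StatusCode == HttpStatusCode.Unauthorized)
                    return null;
                resp.EnsureSuccessStatusCode();

                var serializer = new DataContractJsonSerializer(typeof(OpenAmAuthResult));
                using (var body = await resp.Content.ReadAsStreamAsync().ConfigureAwait(false))
                    return (OpenAmAuthResult)serializer.ReadObject(body);
            }
        }
    }

    // The token is only useful to other OpenAM-protected resources (agents, the
    // console) if the browser presents it under the cookie name and domain OpenAM
    // itself uses. HttpOnly + Secure keep it away from script and plain HTTP.
    public static HttpCookie BuildSsoCookie(string tokenId, string cookieDomain)
    {
        return new HttpCookie("iPlanetDirectoryPro", tokenId)
        {
            Domain = cookieDomain,   // e.g. ".example.invalid" (placeholder), must match OpenAM's cookie domain
            Path = "/",
            HttpOnly = true,
            Secure = true
        };
    }
}

// Usage from a portal login handler (placeholder values):
//   var auth = new OpenAmAuthenticator("https://sso.example.invalid/openam");
//   var result = await auth.AuthenticateAsync(form["user"], form["pass"]);
//   if (result == null) { /* show generic failure, count attempt */ }
//   else Response.Cookies.Add(OpenAmAuthenticator.BuildSsoCookie(result.TokenId, ".example.invalid"));
```

Two things to keep in mind with this design: the user's password now passes through the portal, so the portal joins OpenAM's trust boundary and must be hardened and served over TLS; and because the cookie name, domain and REST paths are OpenAM configuration, a change on the OpenAM side (or an OpenAM upgrade that moves the endpoints) breaks this code, which is exactly the residual dependency the answer warns about.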

ADFS and two Servers on two domains - iframe - prompted twice?

My employer has a local ADFS server. We are using O365/SharePoint Online with ADFS, so when you attempt to access a SharePoint cloud site you are taken to the login page on our network.
I need to develop a simple ASP.NET C# website hosted locally on a server on our network.
At a high level, what is entailed in using ADFS on ASP.NET/IIS websites? And can it be set so that the same login page is used?
If I have a webpage on a local web server authenticated by the same ADFS and I iframe that page inside a SharePoint web page authenticated by the same ADFS, should the page render without authenticating?
1) I'd recommend checking into Windows Identity Foundation (WIF). Although your app will need to run under TLS/SSL, you probably will just need to run the FedUtil.exe application to generate your application's metadata for ADFS to consume when creating an RP.
2) In theory this might work, but the iframed page will still redirect to ADFS momentarily to get an authentication token. It is just that the login page won't be displayed.

Azure ACS is persisting the identity even after logged off

I have a website which uses Azure ACS for federated authentication and which is published in the cloud. Once I logged off from the Google provider as one Gmail user and tried to log in with other Gmail credentials, the website did not provide me an option to log in; it directly used the previous Gmail credentials and redirected me to the Gmail home page. How do I solve this issue?
You also have to log off from your application. Signing out from Google only has an effect if you are redirected to Google to log in again.
But once authenticated with Google, you now have a new session in your own website, and you will be logged in to your own website until (a) your session expires or (b) you explicitly sign out.
When using WIF/ACS, to explicitly sign out of a web application you need to execute the following method:
var wsFedModule = FederatedAuthentication.WSFederationAuthenticationModule;
wsFedModule.SignOut();
You can read more about FederatedAuthentication here and the specific SignOut method here.
Please pay attention to the references: they are all from .NET Framework 4.5 and in the System.IdentityModel.Services assembly, version 4.0.0.0! I strongly advise using that framework version and those assemblies, as opposed to using .NET Framework 3.5 (4.0) and the WIF assembly Microsoft.IdentityModel.
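The two-line SignOut() call above clears only this site's WIF session; the added example below (not code from the answer or from Microsoft) shows the difference between that local sign-out and a federated sign-out that also tears down the session at the issuer (ACS or any WS-Federation STS), which is the case the question is really about. It assumes an ASP.NET MVC controller (System.Web.Mvc), the .NET 4.5 System.IdentityModel.Services assembly the answer recommends, and that the issuer URL is configured in web.config's wsFederation element; the action names are placeholders.

```csharp
// Added example (not from the original post): local vs. federated sign-out with
// WIF 4.5 (System.IdentityModel.Services). Assumes ASP.NET MVC and that
// <wsFederation issuer="..."/> in web.config points at the STS (ACS) endpoint.
using System;
using System.IdentityModel.Services;
using System.Web.Mvc;

public class AccountController : Controller
{
    // Local sign-out only: deletes this site's WIF session cookie (FedAuth).
    // The user is still signed in at the STS and at the upstream provider, so the
    // next protected request will silently re-authenticate as the same user.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult SignOutLocal()
    {
        // false = this is not a sign-out request initiated by the identity provider
        FederatedAuthentication.WSFederationAuthenticationModule.SignOut(false);
        return RedirectToAction("Index", "Home");
    }

    // Federated sign-out: clear the local session, then send the browser to the
    // issuer's wsignout1.0 endpoint so the STS session is ended as well. Only
    // after this can a different account be chosen at the next login.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult SignOutEverywhere()
    {
        var fam = FederatedAuthentication.WSFederationAuthenticationModule;
        var issuer = new Uri(fam.Issuer);                            // from web.config
        var reply = new Uri(Request.Url, Url.Action("Index", "Home")); // where the STS sends the user back
        fam.SignOut(false);
        WSFederationAuthenticationModule.FederatedSignOut(issuer, reply);
        return new EmptyResult();   // FederatedSignOut has already written the redirect
    }
}
```

Both actions are POST-only with an anti-forgery token so that a third-party page cannot log users out (or, with a crafted reply URL, bounce them) by merely linking to the endpoint. Note that ending the STS session does not by itself end the session at Google; as the answer says, that only matters once the user is redirected to Google again.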
