Can anyone verify that Liferay supports CAS for cross-domain SSO? Or any suggestion for cross-domain SSO?
CAS uses a ticket based form of authentication that supports cross domain SSO.
The client application redirects to the CAS server and upon initial, or verification of, authentication the browser is redirected to the original/client server with a ticket appended to the URL. The client application takes the ticket and itself connects to the CAS server to retrieve the credentials. It can then start an authenticated session for the user.
As long as the url/domain is permitted in the CAS Service Registry, CAS is more than happy to authenticate the client application.
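To make the ticket flow described in the answer above concrete, here is an added example (not code from CAS, Liferay, or the answer's author) of the client-application side of the CAS 2.0 protocol in Python: building the login redirect, recovering the ticket from the callback URL, building the back-channel serviceValidate call the application itself makes, and parsing the server's XML reply. The CAS server URL, the two registered service patterns (deliberately on two different domains, which is the cross-domain case), and the sample XML responses are assumptions constructed for this example; the XML follows the CAS 2.0 serviceValidate response format.

```python
"""Client-application side of the CAS 2.0 ticket flow (added example)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

CAS_NS = "{http://www.yale.edu/tp/cas}"
CAS_SERVER = "https://cas.example.org/cas"   # assumption: CAS server base URL

# Assumption: the Service Registry as a list of permitted service-URL regexes.
# Two different domains are registered, which is what makes the SSO cross-domain.
SERVICE_REGISTRY = [
    r"https://portal\.example\.com(/.*)?",
    r"https://intranet\.example\.net(/.*)?",
]


def is_registered_service(service_url: str) -> bool:
    """Mirror the CAS Service Registry check: an unknown service gets no ticket."""
    return any(re.fullmatch(p, service_url) for p in SERVICE_REGISTRY)


def login_redirect_url(service_url: str) -> str:
    """Step 1: the app sends the browser to CAS, naming itself as 'service'."""
    if not is_registered_service(service_url):
        raise ValueError("service not in CAS Service Registry: " + service_url)
    return f"{CAS_SERVER}/login?" + urlencode({"service": service_url})


def split_ticket(callback_url: str):
    """Step 2: CAS redirects back with ?ticket=ST-...; return (service, ticket).

    The service URL sent to serviceValidate must be exactly the one used at
    login, so the ticket parameter is stripped and the rest is rebuilt."""
    parsed = urlparse(callback_url)
    qs = parse_qs(parsed.query, keep_blank_values=True)
    tickets = qs.pop("ticket", [])
    if len(tickets) != 1 or not tickets[0].startswith("ST-"):
        return None, None
    service = urlunparse(parsed._replace(query=urlencode(qs, doseq=True)))
    return service, tickets[0]


def service_validate_url(service_url: str, ticket: str) -> str:
    """Step 3: the back-channel call the application makes to CAS (over TLS,
    server to server; the browser never sees this request)."""
    return f"{CAS_SERVER}/serviceValidate?" + urlencode(
        {"service": service_url, "ticket": ticket})


def parse_service_response(xml_text: str):
    """Step 4: parse the CAS 2.0 reply. Returns (user, attributes) on success
    and (None, failure_code) otherwise; only a success may start a session."""
    root = ET.fromstring(xml_text)
    ok = root.find(CAS_NS + "authenticationSuccess")
    if ok is not None:
        user = ok.findtext(CAS_NS + "user")
        attrs = {child.tag.replace(CAS_NS, ""): child.text
                 for child in ok.findall(CAS_NS + "attributes/*")}
        return user, attrs
    fail = root.find(CAS_NS + "authenticationFailure")
    return None, (fail.get("code") if fail is not None else "UNKNOWN")


# Constructed sample replies in the CAS 2.0 format, not captured from a real server.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:attributes><cas:mail>jsmith@example.com</cas:mail></cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    svc = "https://portal.example.com/app"
    print(login_redirect_url(svc))
    service, ticket = split_ticket(svc + "?ticket=ST-1234-abc")
    print(service_validate_url(service, ticket))
    print(parse_service_response(SAMPLE_SUCCESS))
    print(parse_service_response(SAMPLE_FAILURE))
```

Two points the flow relies on: the service tickets are single-use and only meaningful to the CAS server, so the application must validate them back-channel rather than trusting the presence of a ticket in the URL, and the validated response is what the application uses to open its own session on its own domain. Each registered application does this independently, which is why a second domain only needs a registry entry.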
Yes, Liferay supports CAS SSO. You can find more information here: Liferay 6 CAS integration
I have multiple sub-domains listed in a SaaS app. The app provides options to configure SSO with Onelogin; however, it provides the option to enter only one SAML Endpoint (to which users will be redirected) and one certificate.
In this specific case with Onelogin, the certificate with Onelogin is the same across different apps that are set up at Onelogin; however, each app has a different SAML endpoint. This makes it impossible to configure SSO with multiple sub-domains of the SAML app.
Tried using SAML Connectors (Advanced) in Onelogin; however, when multiple connectors are set up, each still has a different SAML endpoint.
Any help in configuring an app in Onelogin using same SAML Endpoint would be very helpful.
You're at the mercy of your SP here. If it only supports one IdP, then there's nothing you can put in place in Onelogin to mitigate that. To extend #todaynowork's answer above, the RelayState parameter might be of use to you but your SP will need to support it. The RelayState parameter allows the SAML request to include the resource your user was initially requesting. When the SAML response is verified at the ACS URL, you can then use the RelayState parameter to redirect the user to their requested resource across any of the subdomains. Assuming your SP side sessions are consistent across all subdomains, that could work for you.
Suggest you use SP-initiated SSO. That supports deep links. Deep link means you can pass the return URL when you make the auth request. After a successful login, it will return to the 'return url' you passed.
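The two answers above (RelayState, and SP-initiated SSO with a return URL) describe the same mechanism. Here is an added example, not code from Onelogin or from either answer's author, of the SP side in Python: an SP-initiated AuthnRequest sent over the HTTP-Redirect binding with the user's original subdomain URL in RelayState, and the check the single ACS endpoint applies before honouring that RelayState after the SAML response has been verified. The SP entity ID, ACS URL, IdP endpoint and the example.com subdomain pattern are assumptions made up for the example.

```python
"""SP-initiated SAML SSO with RelayState, SP side (added example)."""
import base64
import re
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions: one SP, one ACS URL, one IdP endpoint, as in the question.
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
ACS_URL = "https://app.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.org/saml2/http-redirect/sso"
DEFAULT_LANDING = "https://app.example.com/"

# Assumption: every tenant lives on a subdomain of example.com. RelayState is
# attacker-controllable, so the ACS may only follow it to those hosts; anything
# else would turn the ACS into an open redirect.
ALLOWED_HOST = re.compile(r"[a-z0-9-]+\.example\.com")
MAX_RELAY_STATE = 80   # the SAML 2.0 bindings spec caps RelayState at 80 bytes


def build_authn_request(request_id: str, issue_instant: str) -> str:
    """Minimal AuthnRequest naming the single ACS the SP exposes."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '<samlp:NameIDPolicy '
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" '
        'AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    )


def redirect_binding_url(relay_state: str, request_id=None, issue_instant=None) -> str:
    """HTTP-Redirect binding: raw DEFLATE + base64 + URL-encode the request and
    carry the user's original URL (the 'deep link') in RelayState."""
    if len(relay_state.encode()) > MAX_RELAY_STATE:
        raise ValueError("RelayState exceeds 80 bytes")
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ")
    xml = build_authn_request(request_id, issue_instant).encode()
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw DEFLATE, no zlib header
    saml_request = base64.b64encode(comp.compress(xml) + comp.flush()).decode()
    return IDP_SSO_URL + "?" + urlencode(
        {"SAMLRequest": saml_request, "RelayState": relay_state})


def decode_redirect_binding(url: str):
    """What the IdP does with that URL: returns (authn_request_xml, relay_state)."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode(), qs.get("RelayState", [None])[0]


def relay_state_target(relay_state, fallback=DEFAULT_LANDING) -> str:
    """Run at the ACS only after the SAML Response signature, audience and
    time conditions have been verified. Returns where to send the user."""
    if not relay_state:
        return fallback
    p = urlparse(relay_state)
    if p.scheme != "https" or not ALLOWED_HOST.fullmatch(p.hostname or ""):
        return fallback
    if p.netloc.lower() != p.hostname:   # reject userinfo/port tricks
        return fallback
    return relay_state


if __name__ == "__main__":
    url = redirect_binding_url("https://tenant1.example.com/dashboard")
    print(url)
    xml, rs = decode_redirect_binding(url)
    print(rs, relay_state_target(rs), relay_state_target("https://evil.example.org/"))
```

The important caveat is the last function: the IdP echoes RelayState back untouched, so the ACS must treat it as untrusted input and validate the target host before redirecting, otherwise the single SAML endpoint becomes an open redirect for every tenant. The session cookie set at the ACS also has to be readable on the tenant subdomain the user is sent to, which is the "sessions consistent across all subdomains" condition the first answer mentions.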
The case: A client asked for SSO to access their internal SharePoint applications externally (they will add Exchange later on). They do not care if the device is on the domain and they want the experience to be seamless, so anyone with a valid user name and password, regardless of whatever device they are using, can access the apps.
I have followed the tutorial on WSO2 website to use WSO2 Identity Server 5.3 (passive STS) as an identity provider for SharePoint 2016, and after some tinkering it worked.
https://wso2.com/library/tutorials/2015/05/tutorial-sso-for-microsoft-sharepoint-web-applications-with-wso2-identity-server/
Then I added another application in SharePoint, added it as a second service provider in WSO2 Identity Server and added the second realm to the SharePoint trusted provider.
Now the two applications only work if I start a new session in my browser or clear cookies. After looking into it, when I open the second application in a different tab it is taking the URI of the first application I opened rather than its own, and it fails as the realm set up in the second service provider does not match the realm for the application in SharePoint.
So here are my questions:
1- Am I doing the SSO using WSO2 incorrectly (thus the tutorial title is misleading), and is the passive STS federation simply that, a federation, and not the way to do the SSO in WSO2 Identity Server? If not, could you please tell me what exactly I need to do to fix my issue?
2- If the above is the wrong approach, is using the SAML Web SSO configuration the right answer? If so, what is the realm that I should use for the SharePoint applications, and is passive STS needed at all in this case?
I am new to OpenAM. I have an SSO URL, username and password. My question is how can I land on the openAM/idm/EndUser page from my .NET application without going to the OpenAM login page? What kind of service or API should I use for that? Is there a sample demo?
Not at all.
EndUser page is part of OpenAM console, which is 'protected' by OpenAM itself. Without an OpenAM SSO tracking cookie you can not access it.
What would be the intention to hit the OpenAM console (which should not be made public in Internet space)? Password Change? Identity Management?
Note OpenAM is NOT really an identity management / provisioning 'tool' (and is not a web-frontend to LDAP-based Directory Servers).
I want to configure a WSO2 identity server as security repository for my WSO2 application server. I've read the application server online documentation but I didn't find any reference to this configuration.
Is there any tutorial?
Simple scenario: I have a web app configured to use Basic Auth in the web.xml file, and I want to use wso2is as the user store for authentication and authorization.
It is possible to use the web service API to integrate with WSO2 Identity Server. WSO2 IS has user-mgt and entitlement APIs. For any user-mgt action or authorization check, we can call these APIs from any product. Sorry, I couldn't find a tutorial describing this.
Hope the following blog post may be helpful to you at some point, as it is recommended that you have an external LDAP user store. It describes how to connect an external LDAP to WSO2 Identity Server.
http://blog.facilelogin.com/2009/06/connecting-wso2-identity-server-20-to.html
Do you want to use the Identity Server for authentication?
Or do you just need a user store?
Or do you need a Token-Service to secure the communication between App-Server and Web-Services?
It is not clear what exactly you want to use the Identity Server for. In JBoss, for example, you can also use authentication with an LDAP, so you wouldn't need the Identity Server.
We have a SQUID reverse proxy and a MOSS 2007 portal. All sites are using NTLM.
We cannot get it working with SQUID as a reverse proxy.
Any ideas where to start?
Can you switch to Kerberos instead of NTLM?
You're encountering the "Double-Hop Issue", whereby NTLM authentication cannot traverse proxies or servers.
This is outlined at this location:
http://blogs.msdn.com/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx
And over here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
Double-Hop Issue
The double-hop issue is when the ASPX page tries to use resources that are located on a server that is different from the IIS server. In our case, the first "hop" is from the web browser client to the IIS ASPX page; the second hop is to the AD. The AD requires a primary token. Therefore, the IIS server must know the password for the client to pass a primary token to the AD. If the IIS server has a secondary token, the NTAUTHORITY\ANONYMOUS account credentials are used. This account is not a domain account and has very limited access to the AD.
The double-hop using a secondary token occurs, for example, when the browser client is authenticated to the IIS ASPX page by using NTLM authentication. In this example, the IIS server has a hashed version of the password as a result of using NTLM. If IIS turns around and passes the credentials to the AD, IIS is passing a hashed password. The AD cannot verify the password and, instead, authenticates by using the NTAUTHORITY\ANONYMOUS LOGON.
On the other hand, if your browser client is authenticated to the IIS ASPX page by using Basic authentication, the IIS server has the client password and can make a primary token to pass to the AD. The AD can verify the password and does authenticate as the domain user.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
264921 (http://support.microsoft.com/kb/264921/) How IIS authenticates browser clients
If switching to Kerberos is not an option, have you investigated the Squid NTLM project?
http://devel.squid-cache.org/ntlm/
You can use HAProxy for load balancing.