I have a Drupal site I am standing up for a client.
I've been asked to use Single Sign on using SAML2 (where I would be the service provider and my client would be the identity provider).
The best thing I have found so far has been either
SimpleSAMLPHP https://ow.feide.no/simplesamlphp:drupal
or
Shibboleth -- http://drupal.org/project/shib_auth
From looking at the documentation from these it looks like the Shibboleth module might be further ahead, but I'm not sure that you can connect Shibboleth to SAML. Can you? Or do you need to connect to a Shibboleth identity provider?
The SimpleSAML module looks good, except it seems to require memcache which I would prefer to not use.
Thanks!
The Shibboleth project is an implementation of SAML, which is a specification of a protocol that deals with exchange of Assertions (AKA security tokens). A Shibboleth server is an installation that talks the Identity Provider side of the SAML protocol, and it will be able to talk to any Service Provider as long as they both follow the specifications of SAML. Since this is the case for both SimpleSAMLPHP and the Shibboleth Service Provider modules, you can use either really. So if you don't want to use memcache you can safely choose shib_auth.
I need to implement an Identity provider service (using node.js) that should be able to:
Get, validate and parse (using private key and certificate) the authentication request from SP example
If everything is valid, respond with a signed XML response example
Is there a tool in node.js that can handle the IdP side of the SAML protocol? I'm familiar with samlify, saml2, passport-saml, and all of them seem to handle the Service provider side of the protocol.
If the packages mentioned here can serve my needs, could you specify how exactly they handle this.
Any other directions and/or hints may be helpful.
Thanks
This is what my research says about these modules.
Passport-saml - Provides service provider only
Saml2-js - Provides service provider
Samlify - IdP in experimental phase. You can check the IdP implementation here: https://github.com/tngan/samlify/blob/f2b6a2f8c36dc0ff887d0442c48cd0f2c0a4a778/examples
Node-samlp - IdP which provides SAML assertion, but user authorization we need to do on our own
Saml-idp - It says we can create an IdP, but again it refers to an online IdP
I have used samlify to make my existing node js application as identity provider to third party service provider.
It has many configuration options. Initially it took time to successfully implement.
I want to build a server using Node.js, which acts as some kind of proxy. The clients that connect to my server use NTLMv2 for authentication (there is no chance to change this), but the upstream server my server shall connect to requires a Kerberos token.
So, my question is pretty simple: How do I, using Node.js, transform the information provided by NTLMv2 into a Kerberos token? On npm, so far I have found modules for NTLMv2 authentication, but I somehow would probably need to talk to Windows to translate NTLMv2 data of a user into a token for this user.
Any hints on this, how to approach this problem?
Absolutely not! NTLM and Kerberos operate completely differently. First of all, I would highly recommend getting rid of NTLM as fast as you can.
You can solve your problem in an easy fashion if you can access C interfaces. I also assume you use MIT Kerberos on a Unix-like OS like CentOS or FreeBSD, etc.
NTLM will provide you the downlevel logon name. You need first to convert the NetBIOS domain to a DNS domain via LDAP (use libopenldap), then you can construct the Kerberos principal or the enterprise principal for your client. Then create a service account in your KDC and enable protocol transition and constrained delegation on that account for the target service. Now request a TGT on behalf of that user principal and request a service ticket for the user; voilà, you can access your Kerberos backend.
Here is a decent read: https://k5wiki.kerberos.org/wiki/Projects/Services4User
If you run HTTPd as your reverse proxy, it might handle all the magic for you with mod_auth_gssapi.
On Windows, this is a bit of a pain with the security API and SSPI. While the principal transformation comes for free with Windows, you'll need LsaLogonUser with KERB_S4U_LOGON, impersonate with that handle and then require SSPI to acquire a cred handle...
If your KDC allows constrained delegation, you can set up your intermediate server to allow impersonation. This way it can establish a security context with the client in one mechanism (in your case, NTLM), and talk to the backend server on behalf of the client in another mechanism (Kerberos). Google for "constrained delegation" and "protocol transition" for more information. Hope this helps.
I am making a webpage that needs an SSO feature with ADFS. I need to know:
1. Does the web server have to be IIS, or is it also fine with nginx/apache?
2. Should the front end talk to ADFS, or should the backend talk to ADFS?
Thanks in advance.
The architecture and environment are not important.
What is important is that the architecture implements one of the ADFS supported protocols, i.e.:
SAML 2.0
WS-Fed
OpenID Connect / OAuth (ADFS 4.0)
Your application needs to support a client side stack for one of the above.
e.g. for .NET, you could use WIF or OWIN OpenID Connect or OWIN WS-Fed or OWIN SAML.
For Java, you could use Spring Security (SAML).
I want to configure a WSO2 identity server as security repository for my WSO2 application server. I've read the application server online documentation but I didn't find any reference to this configuration.
Is there any tutorial?
Simple scenario: I have a web app configured to use Basic Auth in the web.xml file, and I want to use wso2is as the user store for authentication and authorization.
It is possible to use the web service API to integrate with WSO2 Identity Server. WSO2 IS has user-mgt and entitlement APIs. For any user-mgt action and check-authorization action, we can call these APIs from any product. Sorry, I couldn't find any tutorial describing this.
Hope the following blog post may be helpful to you at some point, as it is recommended to have an external LDAP user store. It describes how to connect an external LDAP with WSO2 Identity Server.
http://blog.facilelogin.com/2009/06/connecting-wso2-identity-server-20-to.html
Do you want to use the Identity Server for authentication?
Or do you just need a user store?
Or do you need a Token-Service to secure the communication between App-Server and Web-Services?
It is not clear what exactly you want to use the Identity Server for. In JBoss, for example, you also can use authentication with an LDAP, thus you wouldn't need the Identity Server.
I am completely new to ADFS. I need to access the ADFS server through node.js. I am searching for good reference notes, with implementation. And suggest me which protocol is best for requesting. Video tutorials are also helpful.
I assume what you want is to authenticate users in AD (via ADFS), for your nodejs based web app. I'd recommend looking first at passport.js.
ADFS supports 2 protocols for web sites: WS-Federation or SAML-P. WS-Fed might be simpler. We open sourced the strategy for WS-Fed and SAML that we use in our product. A strategy is essentially a plug-in for passport.
That strategy should give you a good start.
ADFS v3.0 exposes OAuth2. *
You could use Passport.js with OAuth support or Kong with OAuth support.
You could go the ADFS 2016 OpenId Connect route for ease of implementation (passport.js, only a feature request for kong).
If you're going the Azure route, there's one (passport-azure-ad by the Windows Azure team) specifically for that.
It includes OpenID Connect, WS-Federation, and SAML-P authentication and authorization.
Otherwise, versions disallowing etc., I recommend Eugenio Pace's answer.
Then, check this; it is a complete solution (not a video tutorial):
Using Active Directory Federation Services to Authenticate / Authorize Node.js Apps in Windows Azure
http://seroter.wordpress.com/2013/04/22/using-active-directory-federation-services-to-authenticate-authorize-node-js-apps-in-windows-azure/
Pretty fresh tutorial (2013/04/22).