When to use Provider and when to use Signer?
Related
We are using the ITfoxtec SAML2 library for Single Sign On with SAML2 authentication for some of our external Clients.
So far we only have one client that wants SSO, but we anticipate that we will get more clients that want to use SSO, so my question is: can we store the settings in a database rather than read them from a configuration file?
We would like to look up the values for each client from a data store and then build the SAML2 Configuration and then do the binding.
var binding = new Saml2RedirectBinding();
binding.SetRelayStateQuery(new Dictionary<string, string> { { "RelayState", relayStateReturnUrl ?? Url.Content("~/") } });
//The bindingResult is a SAML2 redirectBinding - this creates a browser redirect to the IDP.
var bindingResult = binding.Bind(new Saml2AuthnRequest(_samlConfig));
So we would build out the Saml2Configuration ourselves (or perhaps store those in a database table and look them up based on the client).
The idea is to pass in a custom SAMLConfiguration rather than reading it from the App settings.
Would this approach work, and would ITfoxtec have a sample for this approach?
Multiple IdP and RP support is implemented in FoxIDs in the SamlConfigurationLogic.cs class. You can either implement your own version of the SAML config logic or use FoxIDs to handle the multiple IdP connections for your application.
Related questions and answers:
ITfoxtec SAML 2.0: Dynamic configuration
Load SAML2 configuration on the runtime instead of loading it on the Startup
I have an Amplify application built using React JS. I have a scenario in which I am manually storing API keys in the SSM Parameter Store in my AWS account. However, I want to retrieve/get those values (a JSON object) based on a key from my React JS app (client side). So I have installed the aws-sdk, the AWS JavaScript SDK, and using the code snippet below I am trying to access the SSM Parameter Store
const AWS = require('aws-sdk');
AWS.config.update({region:'us-east-1'});
const ssm = new AWS.SSM();
const getSecret = async (secretName) => {
    console.log(`Getting secret for ${secretName}`);
    const params = {
        Name: secretName,
        WithDecryption: true
    };
    const result = await ssm.getParameter(params).promise();
    return result.Parameter.Value;
};
module.exports = {getSecret};
I am receiving this error when running my application and accessing the store using the getSecret function.
Unhandled Rejection (CredentialsError): Missing credentials in config,
if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
I believe that Amplify configures the environment implicitly, but since the SSM Secrets manager is not supported yet by Amplify, I have to use the JS AWS SDK for this purpose. Can anyone help me spot the issue while configuring the service using the AWS SDK? Or is there another or better way to access the Parameter Store from the client side?
Also, after surfing I have found a package named dotenv.
Is it okay to store AWS credentials in such a way?
Your code to fetch Parameter Store keys/values shouldn't be on the client side, considering the security implications. It should be done server-side, and the functionality can be exposed over an endpoint for the client side.
You can read the credentials programmatically something like below:
var AWS = require("aws-sdk");
var credentials = new AWS.SharedIniFileCredentials({profile: 'profile name'});
AWS.config.credentials = credentials;
Reference:
loading-node-credentials-shared
global-config-object
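The server-side pattern the answer recommends, as an added example that is not from the question, the answer or any AWS project: a backend handler that the React client calls over the application's own endpoint. It is written in Python against boto3's SSM client (the server-side counterpart of the JS SDK call in the question), so the SDK's default credential chain (instance or Lambda role, environment variables, shared credentials file) supplies credentials on the server and nothing ships to the browser. The prefix, parameter names and FakeSsm stand-in are constructed for the example.

```python
ALLOWED_PREFIX = "/myapp/public/"  # constructed: the only SSM subtree this endpoint may serve

class ParameterAccessDenied(Exception):
    pass

def validate_parameter_name(requested_name):
    """Reject client-supplied names outside the allow-listed path before they reach SSM."""
    if not requested_name.startswith("/"):
        raise ParameterAccessDenied("parameter names must be absolute paths")
    if any(seg in ("", ".", "..") for seg in requested_name.split("/")[1:]):
        raise ParameterAccessDenied("malformed parameter path")
    if not requested_name.startswith(ALLOWED_PREFIX):
        raise ParameterAccessDenied("parameter is outside the allow-listed subtree")
    return requested_name

def is_allowed(requested_name):
    try:
        validate_parameter_name(requested_name)
        return True
    except ParameterAccessDenied:
        return False

def get_parameter_value(ssm, requested_name):
    """ssm is a boto3 SSM client built on the server (boto3.client("ssm")); its credentials
    come from the instance/Lambda role, environment or shared credentials file, never the browser."""
    name = validate_parameter_name(requested_name)
    result = ssm.get_parameter(Name=name, WithDecryption=True)  # same parameters as the JS SDK's getParameter
    return result["Parameter"]["Value"]

class FakeSsm:
    """Constructed stand-in for the boto3 client so the example runs offline."""
    def __init__(self, store):
        self.store = store
    def get_parameter(self, Name, WithDecryption=False):
        return {"Parameter": {"Name": Name, "Value": self.store[Name]}}

def demo():
    ssm = FakeSsm({"/myapp/public/api-base-url": "https://api.example.test",
                   "/myapp/private/db-password": "constructed-secret"})
    served = get_parameter_value(ssm, "/myapp/public/api-base-url")
    blocked = not is_allowed("/myapp/private/db-password")
    traversal_blocked = not is_allowed("/myapp/public/../private/db-password")
    return served, blocked, traversal_blocked

if __name__ == "__main__":
    print(demo())  # ('https://api.example.test', True, True)
```

Without the allow-list, moving the lookup server-side only relocates the leak: any parameter the server's role can read becomes fetchable by whoever can call the endpoint.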
I'm using IdentityServer4 and have a scenario where I need to initiate a call to a secured API during a password reset process. IdentityServer4 does provide IdentityServerTools for the purpose of calling a secured resource from an extensibility point; however, there is currently no documentation or examples for the intended usage.
How does one go about creating the necessary token using the provided methods in IdentityServerTools?
IdentityServerTools is available from DI. Simply inject it into your class and call the method to create a client token.
https://docs.identityserver.io/en/latest/topics/tools.html
I am implementing single sign on with multiple SPs. Here is my basic understanding:
1) Browser(User) requests resource from Service Provider (SP).
2) SP Redirects (with SAML Request) to Identity Provider (IdP).
3) Since it is first login, User gives the (IdP) his/her valid credentials.
4) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page.
Now let's say I have Service Provider A and Service Provider B. A user has completed the steps above for Service Provider A. From Service Provider A (salesforce.com in my scenario), I have written a server-side method which instantiates a callout to an endpoint on Service Provider B. Is it possible to re-use the SAML assertion in this case? I.e. will Service Provider B trust the backend method?
You would have to customize Service Provider B in order for it to accept, understand and interpret the Assertion obtained by Service Provider A. It would certainly not work out-of-the-box.
The SAML Assertion included in the SAML Response to Service Provider A contains pieces of data which correlate it with the original SAML Request and define the recipients of the message (for example using the elements SubjectConfirmationData and Audience). Service Provider B would need to ignore the values in these fields, as it is actually not the intended recipient of the Assertion.
The problem of how to broker trust between two machines where user's identity is asserted by an identity provider can be solved with multiple standard approaches. One is to use a Session Token Service (based on WS-Trust) which defines how to request and issue tokens to 3rd party services. Another is to use OAuth 2.0. You could of course also simply authenticate Service Provider A to Service Provider B using a custom scheme with a password, HMAC, ...
The short answer - no if Service Provider B is implemented as a standard SAML 2.0 SP.
SAML 2.0 assertions are "targeted" and signed. They have a specified audience and a recipient URL. You cannot change them without breaking the signature.
The assertion received by SP A contains the name of SP A as audience and the ACS end point of SP A as recipient URL. Such an assertion will not be accepted by SP B.
What prevents you from just calling SP B in a standard way and let it initiate its own SAML 2.0 flow? Another option would be to perform an IDP-initiated SSO flow for SP B. Not all IDP implementations support it though.
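The targeting check both answers describe, as an added example that is not from either answer: a standard SP compares the assertion's Audience and SubjectConfirmationData (Recipient, NotOnOrAfter, InResponseTo) against its own entity ID and ACS URL, so an assertion issued to SP A fails at SP B even before signature questions arise. The sample assertion, entity IDs, URLs and the clock value are constructed; XML signature verification is assumed to happen separately (it is not implemented here).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _ts(value):
    # SAML timestamps are UTC ISO-8601 with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion_target(assertion_xml, sp_entity_id, sp_acs_url, now, in_response_to=None):
    """Return (accepted, reason). Assumes the XML signature was already verified."""
    root = ET.fromstring(assertion_xml)
    audiences = [a.text.strip() for a in root.findall(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        return False, "Audience %s does not name this SP" % audiences
    scd = root.find(".//saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "no SubjectConfirmationData (bearer confirmation required)"
    if scd.get("Recipient") != sp_acs_url:
        return False, "Recipient %s is not this SP's ACS URL" % scd.get("Recipient")
    if scd.get("NotOnOrAfter") is None or now >= _ts(scd.get("NotOnOrAfter")):
        return False, "assertion expired or has no NotOnOrAfter"
    if in_response_to is not None and scd.get("InResponseTo") != in_response_to:
        return False, "InResponseTo does not match the AuthnRequest this SP sent"
    return True, "assertion is targeted at this SP"

# Constructed sample: what the IdP issued to SP A (Signature element omitted).
ASSERTION_FOR_SP_A = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2030-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp-a.example.test/acs"
          NotOnOrAfter="2030-01-01T00:05:00Z" InResponseTo="_req1"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2030-01-01T00:00:00Z" NotOnOrAfter="2030-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp-a.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

NOW = datetime(2030, 1, 1, 0, 1, tzinfo=timezone.utc)  # constructed "current" time inside the validity window

def sp_a_accepts():
    return check_assertion_target(ASSERTION_FOR_SP_A, "https://sp-a.example.test", "https://sp-a.example.test/acs", NOW, "_req1")[0]

def sp_b_accepts():  # SP B presented with SP A's assertion: audience and recipient both name SP A
    return check_assertion_target(ASSERTION_FOR_SP_A, "https://sp-b.example.test", "https://sp-b.example.test/acs", NOW)[0]
```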
I'm learning AngularJS and I noticed that a Factory is a short-hand for a Provider.
Can you tell me specific scenarios where I should/must use a Provider instead of a Factory? The code stays much more readable if I use a Factory method instead of the provider.
A Provider is necessary when the provider itself has methods that you want the user of your service to call during the configuration phase of the application.
See for example the $location service: it has a $locationProvider which allows setting it to html5 mode, while the application is being configured (using module.config()).