I have to implement single sign-on in a ReactJs application where it's back-end is in python?
using pingFederation - checking user authentication.
then redirect to "React application" login page with SAML response.
By hitting a POST request on login page
Please help me to handle this SAML response at my application login page. I am stack here to handle/get SAML response.
how do I configure shibboleth as a service provider?
Please share your thoughts.
Thank you
Only React application cannot do that.
You need some backend.
If you are using SAML to connect then Shibboleth SP is a good choice.
Preferably Apache HTTPD server and java application.
Something like this
Related
I have a web app developed using Create-react-app
I host it on IIS, the IIS only response to load the app, there is no server side logic on it (no Express or any other web server)
The app is using a RESTful API on the same IIS, it is out of my control (I cannot make change).
Now one of my client request to add SAML SSO to our app.
I would like to know:
in normal situation, which one is the Service Provider? My IIS Web server? or the API service?
For my case, I cannot implement SAML to API service, my web service only used to load my app without server side logic, how can I implement SAML?
Could any one give me some React implement SAML SSO tutorial or article for reference?
Thanks for any help, any information or suggestion are welcome!
in normal situation, which one is the Service Provider? My IIS Web server? or the API service?
I assume the client wants to authenticate the users using their internal IdP. So your application is the SP. But you will have to define different token service (details below).
With SPA (a single-page-applications) I see the problem, in SAML the user is redirected or posted away from the SAML request and SAML response.
I have a login page to enter id/pw, post them to API server Login endpoint to authenticate and get back a JWT token. After that we use that token in API calls for authentication
The API services are using a JWT token issued based on the provided username/password. I'd recommend to extend the token service (or use a different service) to issue a JWT token based on the provided SAML response - a token swap service. In many OAuth implementations it's called SAML grant type.
I cannot implement SAML to API service, my web service only used to load my app without server side logic, how can I implement SAML?
Usually after the authentication the user is redirected or posted to the SAML ACS endpoint URL, where the server can create sort of session (cookie, parameters, token, ..) and the user is redirected to a URL returned the web page with the session information.
If you are using an SPA, you could use a popup window or SAML with redirect (not with post), where the page could read the SAML response parameters (assertion, signature, ..) and use them in the token swap service mentioned above.
When processing the SAML response, try to use some mature, known, out-of-box libraries, it's a security service and not doing it properly may cause security weaknesses. But you need to do that on the server side, as at the end you need the JWT token consumed by the APIs.
I am working on a webapp, the Front-end is implemented in AngularJS which talks to back-end server by invoking REST API. The back-end is Java REST Server implemented using reslet framework deployed in Jetty.
Currently, when a user logs into a web app, a REST API is invoked which then goes to the Java REST server. The server then authenticates the user.
I want to implement SSO using SAML. So when a corporate user tries to login to the app, the user must be redirected to ADFS. If the user is successfully authenticated he must be allowed to login to the app.
I want to know how do I start? I have seen sam2-js library, however it seems to be for NodeJS based server. I am not quite sure if it can be used with AngularJS on frontend.
SSO with SAML involves browser redirects so the flow is between angular and ADFS.
There's no Java backend.
So Jetty is irrelevant.
SSO has nothing to do with REST. They are two different flows handled in two different ways.
SAML is not a suitable SSO protocol for angular. That's why you can't find any examples.
You need to use OpenID Connect with ADFS 4.0. ADAL is the way to go.
We have a web application where the appThe lication is downloaded to the client using appcache and runnig int the client. It gets data into to via ajax calls. What it differes from the rest it we do not have a web server but the whole application is downloaded to the client is via an unauthenticated API call (via middleware server). Once the pages are downloaded to th client the login page is loaded and upon successful authentication the client will get a token for the session.
Now we want to secure this with SAML. But since we do not have a web server per say there is no way we can specify a URL (ACS) to redirect in SAML.
How do people implement SAML in this type of scenarios?
SAML only works through browser redirects.
You also have to have an IDP that supports SAML 2.0 e.g. ADFS.
The interaction is between the SAML application and the IDP. There is no 3rd party.
SAML is not ideal for mobile. OpenID Connect is a better choice. Either way, you have to add a client-side stack that supports the protocol to your application.
Also, SAML does not have a web API flow. OIDC does.
I am trying to crawl a website, more specifically a Google Site using ManifoldCF that has SAML authentication and index the crawled data into Apache Solr. But as I crawl the URL, it gives me 302 redirection to login page and then says RESPONSECODENOTINDEXABLE.
I am not sure if have I authenticated correctly or not. In manifoldCF we have options for HTTP basic authentication, NTLM authentication and Session-based access credentials authentication method. I used Session based authentication method which more looks like a form based authentication rather than SAML authentication.
Has anybody crawled a website using manifoldCF which has SAML authentication? And if not manifoldCF, has anyone been able to accomplish this via Apache Nutch, because I am afraid, it also provides only HTTP basic , Digest and NTLM authentication.
Any insight would be helpful. Can provide more information regarding the issue, if anyone here thinks it can easily be accomplished. Basically when I crawl https://sites.google.com/a/my-sub-domain.com, it redirects to SSO login page and crawler refuses to crawl any more giving a 302 error. It's an intranet based website.
There is no support in Nutch forSSO authentication using SAML. You need to handle it by writing your custom plugin. We have extended proptocol selenium plugin to handle SAML flows.
Not sure whether this helps, just try it out.
In nutch, we can provide credentials to login to the page, we have httpclient-auth.xml file in conf directory.
There u can provide your host name along with the credentials.
<auth-configuration>
<credentials username="admin" password="admin123">
<authscope host="hostname" realm="login"/>
<default/>
</credentials>
</auth-configuration>
Similarly you can add any number of credentials to this configuration.
To crawl https site, change plugin.includes property from protocol-http to protocol-httpclient in nutch-conf.xml
We have modified logic in Nutch protocol-selenium plugin to handle SSO flows.
You need to wait for redirect to SSO page. Then using selenium you can handle SSO. Again wait for redirection to original page after SSO.
If 2 factor auth is required, then things become complex. In that case you can configure google authenticator (if allowed by your IdP). You can use that to get get TOTP.
For crawling files behind authentication there is no usual way. You can configure driver to always downlaod files and then use the docwnlaoded file.
You can handle the auth flow using another http clients. If you need dynamic page's content (after all JS and Ajax request completed) then selenium is the best choice and if you are using it, you can move auth part to selenium.
I am trying to configure salesforce as idp for my saml2.0 based sp. I have enabled domain, sso, created connected app with appropriate profile. with all this I am able to login into sp using using idp initiated url. idp initiated salesforce url correctly, my sp gets correct saml response. but when I try to use sp initiated flow and post saml request to salesforce endpoint, it give error "Insufficient Privileges". Have anyone faced this issue or knows something about this?
I was able to solve this issue. Apparently salesforce doesn't give what is the error. Here I was using redirect request sending to post url.