SAML 2.0 integration for Angular (SPA) front end and Spring Boot backend - angularjs

I need to integrate an Angular front end with a Spring Boot backend (REST APIs) using SAML 2.0, and my identity provider is Keycloak.
I have used the saml2-js library to integrate with the front end. Now, how do I secure my backend Spring REST APIs with the SAML assertion that I have received after a successful login in the front end? What I can get on the front end is the NameID and the session index. If anyone has integrated SAML to secure Spring backend REST APIs, please let me know of any documentation or write-up on this.
Thanks!

What I have done for the above problem is use OIDC integration for the login flow with two clients: one for the front end with the authorization code flow, and another, bearer-only client for my backend to secure the REST APIs.
For providing SSO with SAML 2.0 I have used identity brokering from Keycloak, which provides seamless SSO.

Related

How to get an access token from a SAML response in the browser?

I have one application with OneLogin SAML 2.0 configured using Spring Boot (Java) and REST web services (microservice architecture), with AngularJS in the front end. I am getting the SAML response in the Java code. From there, how do I redirect to the UI and pass the token to the browser?

React SSO using SAML without web server

I have a web app developed using Create React App.
I host it on IIS; IIS only responds to load the app, and there is no server-side logic on it (no Express or any other web server).
The app is using a RESTful API on the same IIS; it is out of my control (I cannot make changes).
Now one of my clients has requested that we add SAML SSO to our app.
I would like to know:
In a normal situation, which one is the Service Provider? My IIS web server, or the API service?
In my case, I cannot implement SAML in the API service, and my web server is only used to load my app without server-side logic. How can I implement SAML?
Could anyone give me a React SAML SSO implementation tutorial or article for reference?
Thanks for any help; any information or suggestions are welcome!
In a normal situation, which one is the Service Provider? My IIS web server, or the API service?
I assume the client wants to authenticate the users using their internal IdP. So your application is the SP. But you will have to define a different token service (details below).
With an SPA (single-page application) I see the problem: in SAML the user is redirected or posted away for the SAML request and SAML response.
I have a login page to enter id/pw, post them to the API server login endpoint to authenticate and get back a JWT token. After that we use that token in API calls for authentication.
The API services are using a JWT token issued based on the provided username/password. I'd recommend extending the token service (or using a different service) to issue a JWT token based on the provided SAML response - a token swap service. In many OAuth implementations it's called the SAML grant type.
I cannot implement SAML in the API service; my web server is only used to load my app without server-side logic. How can I implement SAML?
Usually, after the authentication the user is redirected or posted to the SAML ACS endpoint URL, where the server can create some sort of session (cookie, parameters, token, ...) and the user is redirected to a URL that returns the web page with the session information.
If you are using an SPA, you could use a popup window or SAML with redirect (not with POST), where the page could read the SAML response parameters (assertion, signature, ...) and use them in the token swap service mentioned above.
When processing the SAML response, try to use mature, well-known, out-of-the-box libraries; it's a security service, and not doing it properly may cause security weaknesses. But you need to do that on the server side, as in the end you need the JWT token consumed by the APIs.

Should I use a JWT token in OAuth2 for delivering a secure API?

I am developing a web application using ReactJS (front-end UI) and Scala (back-end API). I have implemented the backend services as microservices.
Here I have integrated the OAuth2 authorization framework and used OAuth access tokens. After user authentication, I am passing the OAuth access tokens in the headers of every subsequent request.
I did see in some website links that we should use a JWT token in the OAuth2 flow instead of "OAuth access tokens" to deliver a secure API.
Should I integrate a JWT token into the existing OAuth2 flow? Please share your suggestions. Thanks.
OAuth2 is an authorization protocol and does not dictate the format of the access_token, so you could return a JWT from the authorization server containing the scope/permissions and the expiration.
I would recommend going through this:
https://auth0.com/blog/ten-things-you-should-know-about-tokens-and-cookies/#token-oauth
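The following is an added example, not code from any of the questions or answers above. It ties together three points made on this page: the first answer's bearer-only backend client, the React answer's server-side token swap service (SAML assertion in, API token out), and this answer's point that the access token may itself be a JWT carrying scope and expiry. It is written in Python rather than the Spring Boot code the original question is about, so that it runs stand-alone; every entity ID, secret, attribute name and the sample assertion are constructed for the demo. It assumes the SAML response's XML signature has already been verified by a mature SAML library and that assertion IDs are tracked elsewhere against replay; neither of those is implemented here.

```python
"""Token-swap sketch: validate a SAML assertion server-side, mint a short-lived HS256
JWT (subject, session index, scope, expiry) and verify it on the REST API side.
Added example, not code from the posts above; all names, URLs and values are constructed.
Assumes the response's XML signature was already verified by a mature SAML library and
that assertion IDs are tracked elsewhere against replay; neither is implemented here."""
import base64, hashlib, hmac, json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_ENTITY_ID = "https://idp.example.test/realms/demo"  # constructed
SP_ENTITY_ID = "https://sp.example.test/metadata"        # constructed
TOKEN_TTL = 300                                          # seconds
SECRET = b"constructed-demo-secret-do-not-reuse"         # demo HS256 key only
XS_DATETIME = "%Y-%m-%dT%H:%M:%SZ"                       # SAML dateTime, UTC

def sample_assertion(now):
    """Constructed assertion (signature omitted) whose validity window brackets `now`."""
    nb = datetime.fromtimestamp(now - 60, timezone.utc).strftime(XS_DATETIME)
    na = datetime.fromtimestamp(now + 300, timezone.utc).strftime(XS_DATETIME)
    return f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}" ID="_c0ffee" Version="2.0">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement SessionIndex="sess-1"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role"><saml:AttributeValue>orders:read</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def validate_assertion(xml_text, now, expected_issuer, expected_audience):
    """Checks a token-swap service must still make after signature verification."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"] or \
            root.findtext("saml:Issuer", namespaces=SAML_NS) != expected_issuer:
        raise ValueError("not an assertion from the expected IdP")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("missing Conditions")
    to_ts = lambda s: datetime.strptime(s or "", XS_DATETIME).replace(tzinfo=timezone.utc).timestamp()
    if now < to_ts(cond.get("NotBefore")) or now >= to_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if expected_audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]:
        raise ValueError("assertion not intended for this SP")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        raise ValueError("missing NameID")
    authn = root.find("saml:AuthnStatement", SAML_NS)
    scopes = [v.text for v in root.findall("saml:AttributeStatement/saml:Attribute[@Name='Role']/saml:AttributeValue", SAML_NS)]
    return {"sub": name_id, "sid": authn.get("SessionIndex") if authn is not None else None, "scopes": scopes}

def b64url(raw):  # JWT uses unpadded base64url
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims, secret, now, ttl=TOKEN_TTL):
    """Mint an HS256 JWT with iat/exp; `scope` uses the space-delimited OAuth form."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(dict(claims, iat=int(now), exp=int(now) + ttl))
    return signing_input + "." + b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())

def verify_jwt(token, secret, now, required_scope):
    """Resource-server side: pinned alg, constant-time MAC compare, then expiry and scope."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, decides the algorithm
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(parts[1]))
    if not isinstance(payload, dict) or now >= payload.get("exp", 0):
        raise ValueError("token expired")
    if required_scope not in payload.get("scope", "").split():
        raise ValueError("insufficient scope")
    return payload

def token_swap(assertion_xml, now):
    """SAML assertion in, API bearer token out (the 'SAML grant' of the React answer)."""
    info = validate_assertion(assertion_xml, now, IDP_ENTITY_ID, SP_ENTITY_ID)
    return issue_jwt({"sub": info["sub"], "sid": info["sid"], "scope": " ".join(info["scopes"])}, SECRET, now)

def is_rejected(fn, *args):
    """True when the call fails validation with ValueError (for the negative cases)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True

if __name__ == "__main__":  # stand-alone demo at the current time
    t0 = datetime.now(timezone.utc).timestamp()
    print(verify_jwt(token_swap(sample_assertion(t0), t0), SECRET, t0 + 10, "orders:read"))
```

Run it directly to see a token minted for the constructed assertion and accepted ten seconds later. The verification half is what a bearer-only resource server does on every request: it pins the algorithm instead of reading it from the token, compares the MAC in constant time, and only then enforces `exp` and the required scope; the assertion half rejects anything outside the NotBefore/NotOnOrAfter window, addressed to another audience, or issued by an unexpected IdP, which is why the swap has to live on the server rather than in the SPA.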

WSO2 SSO with SAML 2 - front end React.js (Redux), Spring Boot backend

I need to integrate a client application written with React and Redux (Spring Boot backend) with the WSO2 Single Sign-On (SAML 2.0) IdP.
Do I need to make use of Node.js-based packages such as "passport-saml" etc. to achieve single sign-on with the WSO2 IdP?
I'd appreciate it if you could share your thoughts/expertise/any reference links.
Thanks.
You can use OpenSAML (no longer maintained, though) or a similar Java SAML assertion library for this.
Passport.js is specifically designed to work with Node.js. One way you could make use of Passport.js is by implementing the authentication and authorization business logic of the application as a Node.js-based microservice. AFAIK WSO2 IS works perfectly with passport-js.

Secure WebSocket with Spring Security OAuth 2.0, AngularJS and SockJs

I'm trying to implement WebSocket support with Angular + SockJS on the front end and Spring on the backend. We are using Spring Security with OAuth 2.0 token-based authorization.
The spec tells us that I should pass the token via the STOMP client at connect time and use an interceptor on the backend to provide the Principal. But I don't like this approach, because I need to copy logic from the Security configuration to get the Principal from the token.
Is it possible to catch the SockJS request in an Angular interceptor and add the Authentication header?
