Active Directory metadata XML file. How to get it? - active-directory

I am trying to set up SSO for the PSM application as per this link - https://www.ibm.com/support/knowledgecenter/en/SSL5ES_2.3.2.0/intel/iwd/aat_sec_sso.html
It says I should "upload the IdP metadata XML file received from the Identity Provider".
The Identity Provider available in-house is Active Directory.
How do I get the metadata XML for Active Directory?
I am unable to find it.
Thanks,

ADFS does not provide SAML IdP metadata alone, but Federation metadata. Typically you can get it from https://FQDN_OF_THE_ADFS_SERVER/FederationMetadata/2007-06/FederationMetadata.xml
Then you need to extract the SAML IdP metadata from it. Alternatively you may reach out to the ADFS administrator and request it. Judging from my experience, you mostly also get the Federation metadata instead of the SAML one.
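The extraction step the answer above describes, as an added example that is not part of the original answer: AD FS publishes one EntityDescriptor that mixes WS-Federation RoleDescriptor elements, an SPSSODescriptor and the IDPSSODescriptor a SAML SP actually needs, and products that ask for "IdP metadata" often reject the extra roles. The script below keeps only the IDPSSODescriptor under a fresh EntityDescriptor with the same entityID, and pulls out the values (entityID, SSO/SLO endpoints, signing certificate, NameID formats) you would otherwise type into an SP console by hand. The sample document is constructed; the host name adfs.example.test, the certificate blobs and the signature value are placeholders, and the layout follows what AD FS serves at the FederationMetadata.xml URL quoted above.

```python
"""Cut a stand-alone SAML 2.0 IdP EntityDescriptor out of AD FS federation metadata."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Serialize with the conventional prefixes instead of ElementTree's ns0/ns1.
ET.register_namespace("md", NS["md"])
ET.register_namespace("ds", NS["ds"])

# Constructed sample in the shape of FederationMetadata.xml, cut down to the
# elements that matter; host name, certificates and signature are placeholders.
FEDERATION_METADATA = """<EntityDescriptor ID="_4f3e" entityID="http://adfs.example.test/adfs/services/trust"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC0signingCertPlaceholder</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC0encryptionCertPlaceholder</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def extract_idp_metadata(federation_xml: str) -> str:
    """Return unsigned SAML IdP metadata holding only the IDPSSODescriptor.

    The enclosing ds:Signature covers the whole federation document and cannot be
    carried over, so verify it on the original file before trusting the output.
    """
    root = ET.fromstring(federation_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"expected md:EntityDescriptor, got {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity does not act as a SAML 2.0 IdP")
    out = ET.Element(f"{{{NS['md']}}}EntityDescriptor", {"entityID": root.get("entityID")})
    for attr in ("validUntil", "cacheDuration"):  # keep the publisher's freshness hints
        if root.get(attr) is not None:
            out.set(attr, root.get(attr))
    out.append(idp)
    return ET.tostring(out, encoding="unicode")


def summarize_idp(idp_metadata_xml: str) -> dict:
    """Pull out what an SP admin must enter by hand when the product has no import."""
    root = ET.fromstring(idp_metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor")
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means both roles
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                signing_certs.append("".join(cert.text.split()))
    return {
        "entity_id": root.get("entityID"),
        "sso": {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                for e in idp.findall("md:SingleLogoutService", NS)},
        "name_id_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": signing_certs,
    }


if __name__ == "__main__":
    idp_xml = extract_idp_metadata(FEDERATION_METADATA)
    print(idp_xml)
    print(summarize_idp(idp_xml))
```

On a real deployment you would feed the script the file downloaded over HTTPS from the FederationMetadata.xml URL; the output is unsigned, so the place to verify the AD FS signature is the original document, not the extract.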

Related

SAML2 Authentication extension for CKAN

Can someone explain the SAML2 authentication process? I have installed the ckanext-saml2 extension for CKAN. I have an extra button in the login form which is called "login with sso". But I do not have any SP metadata (sp.xml). Also I have idp.xml, but what should I write to this file? Do you have any idea about these files? Should I create an sp.xml file? Also, should I change the idp.xml file? When I click the button, where should I read the user information?
You shouldn't change the idp.xml.
Basically, ckanext-saml2 is used to allow users to enter the CKAN portal from other places, rather than only CKAN.
In order to do that, you'll need the idp.xml and sp.xml files.
idp.xml - file that consists of a unique path to the remote portal where all users already exist (usually marked as entityID) and an X509 certificate.
sp.xml - file that is generated by the CKAN portal and has pretty much the same data as the idp.xml.
Both of those files are used to allow users to log in to CKAN from other portals. In other words, the sp.xml file is provided to the IdP (Identity Provider) and the idp.xml file is provided to the CKAN portal (Service Provider) that is going to use it.
According to the ckanext-saml2 documentation, all configuration should be done in the ckanext/saml2/config/sp_config.py file. The configuration should consist of the entityID URL from idp.xml, the path to the idp.xml file, the path to logs, data about the CKAN portal, fields that should be taken from the response, their mapping and so on...
After the configuration is done, according to the documentation, you will be able to generate the sp.xml from the sp_config.py file by using python make_metadata.py sp_config.py.
The button on the login page should redirect you to the IdP login page, where you should log in and be redirected back to CKAN. CKAN will automatically create a user for you, if one does not exist on the CKAN portal, using the response from the IdP.
For more details, you can check out the Datashades SAML2 CKAN repo or the original one.
If you are not sure about SSO then you need to do some good reading about it.
Can you tell us what kind of IdP you integrate with? AD FS?
Your sp.xml should be generated by the ckanext-saml2 extension; have a look at their GitHub page. Then you need to upload sp.xml (the SP metadata) to your IdP.

SAML2: SP/idP metadata loaded by URL safe or not?

I am managing a SAML2-enabled IdP, and now I need to import an SP into the IdP server.
Usually I will just download the XML from the SP and import it into our IdP.
However, I was reading some documentation which said it is possible to just use HTTP(S) to load the metadata into our IdP. (https://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/configuration-metadata.html#configuration-metadata-idp-http)
This seems more convenient (no need to manually re-cert), but I am concerned whether this will lower our security.
So my question is, is it safe to load SP/IdP metadata by URL? If so, what is the reasoning behind it? Thanks!
How you get it is secondary to how you validate it. The metadata should be signed by the issuer, and your IdP, when it automatically downloads it, should verify the signature on it. A lot of IdPs use the UK Federation metadata URL to automatically ingest/update SP metadata. The metadata is signed by the federation so the IdPs can verify its integrity.
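The two policy checks that sit around the signature verification the answer above calls for, as an added example that is not part of the original answer. Verifying ds:SignatureValue itself needs an XML-DSig implementation (signxml or the xmlsec bindings, for instance, both assumed here and not shown); what those verifiers do not decide for you is whether the signing certificate is one you trust and whether the document is still current. A metadata file fetched from a URL must therefore (1) carry a validUntil that has not passed, so a withdrawn or stale entity stops being trusted, and (2) be signed by a key whose fingerprint you obtained out of band, because the certificate inside ds:KeyInfo is just more attacker-supplied bytes. The SP metadata, host name sp.example.test, certificate and signature below are constructed placeholders.

```python
"""Checks for SAML metadata pulled from a URL: still valid, and signed by a key you pinned."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders: not a real DER certificate, not a real signature.
SAMPLE_CERT_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
# The fingerprint you trust comes from the federation or SP operator out of band
# (their web page, a signed mail), never from the downloaded document itself.
PINNED_FINGERPRINT = hashlib.sha256(SAMPLE_CERT_DER).hexdigest()

SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/shibboleth"
    validUntil="2030-01-01T00:00:00Z" cacheDuration="PT6H">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_saml_time(value: str) -> datetime:
    """SAML dateTime values are UTC and end in 'Z'; fromisoformat wants '+00:00'."""
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes, the form most IdP/SP consoles print for pinning."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()


def check_metadata(xml_text: str, pinned_fingerprints, now_iso=None) -> list:
    """Return the reasons to reject this metadata; an empty list means it passed.

    Run this alongside (not instead of) cryptographic verification of
    ds:SignatureValue: a verifier that is allowed to trust the certificate
    embedded in ds:KeyInfo will accept a signature made with anyone's key.
    """
    problems = []
    root = ET.fromstring(xml_text)
    now = parse_saml_time(now_iso) if now_iso else datetime.now(timezone.utc)

    # 1. Freshness: without validUntil a stale or withdrawn entity is trusted for
    #    ever, which is why Shibboleth's RequiredValidUntil filter rejects such files.
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("no validUntil attribute; remotely loaded metadata must expire")
    elif parse_saml_time(valid_until) < now:
        problems.append(f"metadata expired at {valid_until}")

    # 2. Signer: the certificate in ds:KeyInfo is untrusted input until it matches
    #    a fingerprint obtained out of band.
    certs = root.findall("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        problems.append("document carries no ds:Signature with an X509Certificate")
    else:
        found = {cert_fingerprint(c.text or "") for c in certs}
        pinned = {fp.lower().replace(":", "") for fp in pinned_fingerprints}
        if not found & pinned:
            problems.append("signing certificate matches none of the pinned fingerprints")
    return problems


if __name__ == "__main__":
    print(check_metadata(SAMPLE_SP_METADATA, [PINNED_FINGERPRINT]))
```

Loading by URL is then no weaker than a manual import, and usually stronger: the same pinned key and expiry rules apply on every refresh, whereas a hand-imported file tends to be trusted until someone remembers to replace it.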

Shibboleth custom password flow

I need to set up Shibboleth IdP to validate user name and password against a custom application.
Our application exposes a REST API to which one can pass a user's credentials; it either returns a 401 on failure or a JSON object with some user metadata on success.
I was able to achieve this in SimpleSamlPHP IdP with a 30-line class, but having to switch to Shibboleth, I am having a hard time finding directions to do the same there.
Reading through the documentation the suggested solution seems to be to create a custom back end for the password login flow but the Wiki does not explain in detail how to do this.
Can somebody point me to some tutorials or sample code showing which files need to be created or changed in order to do this (even basic examples of checking against a credential file or database would be fine)?
You are looking for an External Authentication Flow (https://wiki.shibboleth.net/confluence/display/IDP30/ExternalAuthnConfiguration).
For an example, see the shib-cas-authn3 project (https://github.com/Unicon/shib-cas-authn3). It uses the CAS Server to authenticate the users. It then creates an IdP session from information retrieved from CAS.

Azure Active Directory as simply user/role validation service

Our current process is: BizTalk exposes a web service for the vendor to call, where the request header contains a pre-assigned user name and password. Upon receiving the service call, BizTalk validates the credentials against the database, then extracts some metadata from the db record (e.g. city, vendor level etc.) and attaches it to the inbound message.
Question,
Can we replace this process with Azure Active Directory? I heard it does provide a RESTful API, but I get confused every time I read the documentation when it talks about JWT tokens... Does it have a straightforward RESTful endpoint to call to validate and extract user information?
Can we customize the metadata within the AAD user?
Thanks for the help!!
1 - Sure you can. There is no endpoint to perform validation, but it's easy to validate incoming tokens - we offer components that automate it. See https://github.com/AzureADSamples/NativeClient-DotNet for an example. The same location on GitHub has lots of other samples demonstrating different scenarios.
2 - I am not certain I understand what you mean by metadata here. If you are referring to the info you can specify about the user: you can customize the user schema. See https://msdn.microsoft.com/en-us/library/azure/dn720459.aspx

Handle user-specific data in a SAML authenticated SP

I am just getting started with SAML. AFAIK, in the authentication step, there is no direct communication between the IdP and the SP, and the assertion is passed via the browser.
In my application (which will be the SP), I would like to store some user-specific data (stuff like page size and other UI preferences). When the user is deleted from the IdP, I would like to purge this data from my application as well. Is it possible to get this "event" from the IdP to the SP for such tasks?
PS - My app is PHP based and I am likely to use simplesamlphp.
Thanks,
~preetham
There is no support in the SAML 2.0 spec for having the Identity Provider call out to the Service Provider for events related to user provisioning or deactivation.
However, there is a SAML protocol called SubjectQuery and a request called NameIDMappingRequest which might serve the purpose if you had a nightly batch job or something that would query users which haven't logged on in x days to see if they still exist on the IdP.
You can find the details on these in the Profiles Section of the SAML spec but I don't know what support (if any) simplesamlphp has for these profiles.
