SAML: service provider specific login page customization in openam - saml-2.0

I am looking for a way to customize the SSO (using SAML) login page in OpenAM for each service provider. I tried searching the web but could not find a way to do this. Looking at Login.jsp, there is a view bean being used, but that does not seem to have any public methods to identify the SP in context.
Is there any way this can be achieved?

If I'm not mistaken, Login.jsp should have access to the spEntityID request parameter, which should tell you exactly which SP is involved in the authentication process.

Related

During signIn receiving B2C error code ‘AADB2C99059’

I integrated a web application (SPA) with Azure B2C for user authentication. When logging in from the web app, I'm seeing this B2C exception code (AADB2C99059) on the UI instead of the actual B2C login screen. Please advise me on this scenario: whether I have to make any changes in the B2C configuration or in the backend application code.
The error (AADB2C99059: The supplied request must present a code challenge) generally comes when you are missing your code challenge in the Run Now URL. You can test the user flow without implementing it in an application by appending a static value for the code_challenge to the Run Now URL.
For example, you can append &code_challenge=YTFjNjI1OWYzMzA3MTI4ZDY2Njg5M2RkNmVjNDE5YmEyZGRhOGYyM2IzNjdmZWFhMTQ1ODg3NDcxY2Nl to the URL and it should work for you.
If the above code challenge is not working for you, you can also generate your code challenge using C# code and pass it in the request URL.
You can refer to this document to learn how to generate the code_challenge.
This should be automatic in an SPA.
It's part of the "Run Now" flow.

integrating custom solution with identity server

For various business reasons our login process is basically a workflow composed of a variable number of steps (where the ID provider login, i.e. Google, Facebook etc., is only a very small part of the entire workflow).
We have an IdentityServer instance set up for various 3rd party integrations (using the client credentials flow).
We now have a new requirement to expose an OAuth version of our authentication flows.
I'm wondering if this is somehow supported?
In essence, use IdentityServer to validate the client and its return URL and the like, but keep the actual act of login completely separate.
If not, I'm guessing that we should validate the client and return URL ourselves, using a custom grant to return access & refresh tokens to the 3rd party.
IdentityServer and the "login application" can be separate. Unfortunately we don't have good documentation for that.
But the specs are basically:
Configure the login page URL in the options in Startup.
We hand you a return URL to the login page.
When you are done, call a custom API in the IdentityServer app that sets the sign-in cookie.
Redirect back to the return URL you got in the first place.
As I said, right now you are pretty much on your own. But it has been done before; if you get it working, feel free to contribute that back to the docs.

Angular Adal how to retrieve the username or email

I have written an AngularJS app in which I am using angular-adal.js to authenticate against Azure AD. I have configured all routes to requireADLogin and also added
    extraQueryParameter: 'nux=1,scope=openid'
in the init method.
My question is: where can I pull the logged-in username or email etc. from, to store against the records they are creating after they've logged in? Because I am not manually authenticating in code, I don't have a token object or anything to play with. Any pointers would be appreciated, as although I've searched, all the examples seem to be for when you are making the calls yourself rather than letting UI Router do the authentication.
I'm sure this must be a common thing to do though!!
Thanks in advance!
After we sign in to the Angular application using the ADAL library, it provides a userInfo object from which we can get information about the user. We can get the userName from this object directly.
Here is the code and figure for your reference:
$scope.printUserName = function () {
    console.log(adalAuthenticationService.userInfo.userName);
};
Microsoft also provides a code sample for the Angular application; you can refer to it from here.

Siteminder SSO + Spring Security + Angular JS

I have seen lots of examples where there is a custom login page with AngularJS, then we make a REST POST call with the username/password, and then Spring authenticates based on whatever auth service we provide. Then we receive a success, grab the user object from Spring Security and then create a session cookie in Angular.
https://github.com/witoldsz/angular-http-auth/blob/master/src/http-auth-interceptor.js
I have also seen Siteminder integrated with Spring Security, where we install a policy agent on the web server, then grab request headers with Spring Security, and then pull the roles and build a user profile object.
I'm looking for a solution where I can combine both of the above. This is the scenario:
When the user requests index.html (Angular), the policy agent on the web server intercepts, authenticates with a Siteminder login page and then passes the headers to the app server. Spring Security on the app server will read the headers, pull the roles from our app database and then build a user profile object. Now here, I want to continue the flow and display the Angular page, but I'm trying to figure out how I send the user profile object to Angular, because Angular is not making a POST call at this point. Also, how do I get the http-auth-interceptor in play, because I need to keep checking if the user is still authenticated on the change of every view/state in Angular.
Help appreciated! Thanks!
You may implement a tiny JSON REST service "/your-app/profile" which is protected by SiteMinder, reads and evaluates the headers and returns the result as a JSON object.
Your Angular app (e.g. /your-app/index.html) should preferably also be protected by SiteMinder, so you receive an immediate redirect to the SSO login when accessing it without a session. In addition, it must read the JSON REST resource "/your-app/profile" when loaded. It must also expect that SMSESSION is missing when reading "/your-app/profile" and react accordingly: perform a reload of the protected index.html page to trigger an SM SSO re-login (if "/your-app/index.html" is protected; otherwise you must trigger login by a redirect to some protected resource).
If you want to constantly check whether the SiteMinder session is still present, you may either access "/your-app/profile" or check for the presence of the SMSESSION cookie (only in case it is not set as HttpOnly).
One SECURITY NOTE: If you rely on the seamless SSO which is provided via the SMSESSION cookie, be aware of possible CSRF (Cross-Site Request Forgery) attacks!
Apparently both roles and the username will be available in Spring if the integration is done as this describes:
Integrating Spring Security with SiteMinder
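The client-side half of the answer above (load "/your-app/profile", treat a missing SMSESSION as "not authenticated", reload the protected index page to re-trigger SSO, and re-check on every view change), as an added example that is not code from the question or the answer. It is framework-agnostic: fetchFn and reloadFn are injected (in a browser you would pass window.fetch and window.location.assign and call ensureSession from a ui-router state-change handler), and the "/your-app/profile" and "/your-app/index.html" paths are the hypothetical ones from the answer.

```javascript
// Added example (not from the original question or answer): client logic for the
// hypothetical SiteMinder-protected "/your-app/profile" JSON service. fetchFn and
// reloadFn are injected so the code also runs outside a browser.
const PROFILE_URL = "/your-app/profile";
const PROTECTED_INDEX = "/your-app/index.html"; // assumed SiteMinder-protected

// Decide from the response whether a SiteMinder session was present. Without an
// SMSESSION the policy agent answers with a redirect to the SSO login page (HTML),
// which fetch follows, so a redirected or non-JSON reply means "not authenticated".
function sessionPresent(status, redirected, contentType) {
  if (redirected || status === 401 || status === 403) return false;
  return status === 200 && (contentType || "").includes("application/json");
}

async function loadProfile(fetchFn) {
  const res = await fetchFn(PROFILE_URL, {
    credentials: "same-origin",                        // send the SMSESSION cookie
    headers: { "X-Requested-With": "XMLHttpRequest" }, // cross-site forms cannot set this,
  });                                                  // so the server can require it (CSRF)
  const ok = sessionPresent(res.status, res.redirected, res.headers.get("content-type"));
  return { authenticated: ok, profile: ok ? await res.json() : null };
}

// Run on load and on every view/state change: if the session is gone, reload the
// protected index page so the policy agent triggers a fresh SSO login.
async function ensureSession(fetchFn, reloadFn) {
  const { authenticated, profile } = await loadProfile(fetchFn);
  if (!authenticated) reloadFn(PROTECTED_INDEX);
  return profile;
}

// Cheap local check, usable only when SMSESSION is not HttpOnly (as the answer notes).
function hasSmSession(cookieHeader) {
  return (cookieHeader || "").split(";").some((c) => {
    const [name, value = ""] = c.trim().split("=");
    return name === "SMSESSION" && value.length > 0;
  });
}
```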

Setting up OpenSSO (OpenAM) for Identity Provider scenario

We have an OpenSSO (OpenAM) instance set up at our end to work as a Service Provider (SP). It has been working well so far in an SP-initiated SSO scenario; however, I recently had to set it up for an IDP-initiated scenario and am unable to get it to work successfully. To explain: in this scenario, the IDP would like to send the SAMLResponse directly to the Assertion Consumer Service at my end, and our OpenAM instance should be able to successfully digest the response and send the user to our underlying application. My questions are:
Is there any other configuration required in this scenario except for exchanging/uploading the metadata between the IDP and us (SP)?
Can I upload the metadata of the IDP in the same COT as the other IDPs that are currently working in the SP-initiated scenario? Or should there be a new COT for each IDP provider?
What URL should I provide to the IDP to send the SAMLResponse to? Is it the AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" from our metadata? I tried this a few days back and OpenAM reported an error: "this is not the right consumer service for this request" or something like that.
I got an answer for this on an OpenAM forum:
http://lists.forgerock.org/pipermail/openam/2012-August/007872.html