Deep Linking Issues - saml-2.0

I am attempting to access a link to a document within an application. When I click on the link I am directed to authenticate via SAML (Ping Federate). Once I am logged into the application the link is lost and it takes me to the application's home page. Does anyone know how I need to configure SAML to remember the link after I authenticate? I am under the impression that it has something to do with Deep Linking and/or RelayState. I have Deep Linking turned on in the app and my relay state variable is "RelayState". Any help would be appreciated. Thanks!

#andy-k-ping-identity is right in his comment. When your app that is deeply linked to determines that it doesn't have a session, it needs to redirect to the PingFederate SP's start SSO endpoint w/ the deeply linked page as the TargetResource. After all the SSO is done, PingFederate will cause the user to be redirected to that page. So, for example, the deeply linked app should return a 302 like this if the user doesn't have a session:
HTTP/1.1 302 Found
Location: https://fs.sp.com:9031/sp/startSSO.ping?TargetResource=https://sp.com/deep-link&...
HTH!
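As an added example (not part of the answer above and not PingFederate's own code), here is the session check a deeply linked Node/Express app could make: it resolves the requested page against the app's own origin, refuses targets that resolve anywhere else, and otherwise emits the 302 to the startSSO endpoint with TargetResource percent-encoded. SP_START_SSO is the endpoint quoted in the answer; APP_ORIGIN and the req.session shape are assumptions.

```javascript
// Added example, not code from the original answer or from PingFederate:
// a session guard for a deeply linked page that sends the user to the
// PingFederate SP start-SSO endpoint with the requested page as TargetResource.
// SP_START_SSO is the endpoint quoted in the answer; APP_ORIGIN is an assumed
// placeholder for the deeply linked application's own origin.
const SP_START_SSO = 'https://fs.sp.com:9031/sp/startSSO.ping';
const APP_ORIGIN = 'https://sp.com';

// Resolve the requested path against the app origin and refuse anything that
// resolves elsewhere (absolute URLs, protocol-relative "//host/" paths), so the
// post-SSO redirect cannot be steered to a third-party site.
function targetResourceFor(requestPath) {
  let target;
  try {
    target = new URL(requestPath, APP_ORIGIN);
  } catch (e) {
    return null;
  }
  if (target.origin !== APP_ORIGIN) return null;
  return target.href;
}

// Decide what the app should answer for a request to a protected page.
// Returns null when the session is valid (let the request through), otherwise
// a { status, location } pair describing the response to send.
function ssoRedirectFor(requestPath, hasSession) {
  if (hasSession) return null;
  const target = targetResourceFor(requestPath);
  if (target === null) return { status: 400, location: null };
  const location = new URL(SP_START_SSO);
  // searchParams.set percent-encodes the nested URL, so "?" and "&" inside the
  // deep link cannot be mistaken for separators of the startSSO query string.
  location.searchParams.set('TargetResource', target);
  return { status: 302, location: location.href };
}

// Express-style middleware around the decision (assumes req.session.user is set
// by the SP side of your SAML integration once PingFederate sends the user back).
function requireSsoSession(req, res, next) {
  const hasSession = Boolean(req.session && req.session.user);
  const decision = ssoRedirectFor(req.originalUrl, hasSession);
  if (decision === null) return next();
  if (decision.status === 400) return res.status(400).send('Invalid target');
  return res.redirect(302, decision.location);
}
```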

Related

Autodesk forge oauth2.0 auth code in redirect uri. How to extract that code and use it to exchange for an access token safely?

I am using react.
I have a link in my App.js:
Grant Access
When a user clicks on the link, it brings them to a login page. Once successfully logged in, the user will be redirected to http://localhost:3001/.
However, the authorisation code will be within the url:
'http://localhost:3001/?code=8FNFZAJoEu10gqVxxW_NKw0EDj31XacCApZN1E4z&state='
How would I extract that code and use it for a GET request with axios from my nodejs?
I simply do not know where to start.
Please look at one of our tutorials, for example, https://forge-tutorials.autodesk.io/tutorials/hubs-browser, where we explain the process of extracting the temporary code and exchanging it for an access token. For that particular tutorial, the important line of code is this one: https://github.com/Autodesk-Forge/forge-hubs-browser-nodejs/blob/develop/services/forge/auth.js#L12.

At the login of SAM2 itself can claims attributes be saved?

Checking all the available libraries, we decided to use the ItFortec SAML library. The login happens without any issues, but it redirects to the destination page. Before it redirects, is there a way to capture the SAML response and store the claims attributes in a variable?
You can use free tools like Fiddler (https://www.telerik.com/download/fiddler), or use SAML Tracer for the Chrome browser (extension). Both have numerous tutorials on how to capture the full trace of the SAML flow between IdP and SP. Hope this gets you started; if not, post your question.

Incorporate Keycloak login into SPA

We're currently evaluating Keycloak as our SSO solution and while it works for our servlet-based applications there's a question regarding our (React-based) SPAs.
What our designers want: as an example let's say we have an email client spa. The user is in the process of writing an email but then gets distracted. When he returns the SSO session has already timed out and a re-login is required. The user should now be presented with a login form and after login it should be possible to send the email that's still in the SPA's local storage (i.e. re-login without restarting the SPA or losing data).
AFAIK Keycloak doesn't provide an authentication-api (for good reasons) and uses a redirect to the login page and back to the application (as I understand it for mobile apps the system browser would be used). If I'm not mistaken that redirect would then mean the SPA is then reinitialized and thus the data would be lost.
So here's the question: is what our designers want possible to do with Keycloak?
If yes, how would it be done? Directly posting to the login-url that Keycloak is using seems like a bad idea since the tokens would probably not be stored correctly and there might be same-origin policy problems. Would doing it inside an iframe or popup-window work?
For someone who comes back to this question,
I think it's better to stick to the best practice for oAuth2/OpenId Connect for SPAs which is currently "Authorization Code Flow" with PKCE.
https://oauth.net/2/pkce/
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-13
A normal flow here needs a complete redirect to the auth server and back so your app will completely re-initialize. Or you use check-sso like Sébastien already mentioned with silent mode.
https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/javascript-adapter.adoc
You can configure a silent check-sso option. With this feature enabled, your browser won’t do a full redirect to the {project_name} server and back to your application, but this action will be performed in a hidden iframe, so your application resources only need to be loaded and parsed once by the browser when the app is initialized and not again after the redirect back from {project_name} to your app. This is particularly useful in case of SPAs (Single Page Applications).
This way the login will happen in an iframe and the app initializes only once and should preserve state.
Even if it's not considered a best practice, you can turn on Direct Grant Access for your client, which enables login through a REST call.
Anyway, about not losing the state of your app, this is a bit outside the scope of Keycloak, but you should be able to achieve that by having the state in your redirect URL, for instance?
Also, if you don't want your app to automatically redirect to the login page you can use keycloak.init({ onLoad: 'check-sso' }) instead of login-required.

Can you force a refresh token to expire in Salesforce?

I have an application that uses Salesforce services using a Remote Access Application. This is working fine so far.
However, my understanding is that even a refresh token will eventually expire, and I believe will return the following as part of a 404 (?):
"error_description":"expired access/refresh token"
My question is this: What is the best practice to test this scenario? I obviously know that the normal refresh token flow is working fine, but how do I appropriately test the negative result?
You can log in to the web interface and go to Setup -> My Personal Information. One of the related lists on this page is called Remote Access; here you can see what refresh tokens have been issued, and revoke any of them.
Go To the Setup and search for the apps
->Go to the connected apps under the managed apps
->select your app, there you can see the edit policies
->click on edit policies -> check for the refresh token policies under OAuth policies

CakePHP 2.0 Problems with loginRedirect - https removed

I have the following problem.
A reverse proxy is used to establish a secure (https) connection to a server in an internal network. So the address is https://<url>. If I am now on my login page (https://<url>/users/login) and hit "submit", the https is removed (by the loginRedirect) and it's trying to connect to the url via http. Of course that is running into a timeout, but the user is logged in. If the user then accesses a page directly it's working.
Once the user is on the page he can do everything that is necessary and the other links are showing up with https as expected.
How can I prevent the loginRedirect from removing the https? One solution is to simply use $this->redirect('<url>'); instead of $this->redirect($this->Auth->redirect()); but then I would lose the handling of direct links if somebody is not logged in and tries to access a specific part of the page that requires authentication.
I just got help in the CakePHP lighthouse forum and I would like to share the solution with you. It was actually pretty easy. In a reverse proxy scenario you have to edit the bootstrap.php (in the config folder) and add the following base URL:
define('FULL_BASE_URL','https://your base url');
