SAML Redirect to specific IDP (Salesforce vs Arcot + PING + Siteminder) - salesforce

We need to support the following Authentication flows
User 1 logs into Salesforce using Salesforce Credentials
User 2 logs into Salesforce using Arcot +Ping + Siteminder credentials
User 2 logs into Custom App using Arcot + Ping + Siteminder credentials
Since all the authentication methods above are SAML, I need to find a way to address home realm discovery for an unusual "mesh" of authentication flows.
Question
How should I set up the IDP and RPs to handle this scenario?
How would home realm discovery work?

I'm going to assume that you have My Domain set up and SAML 2.0 set up in your org, and you're trying to route an unauthenticated page request to its appropriate authentication source.
Since you can't distinguish between users 1 and 2 in the original unauthenticated request, you'll need an interstitial page that asks for user input, i.e. "Let me login with username/password" or "I login with single sign on". Point to this page in the "Identity Provider Login URL" section of your SAML settings. If the user chooses username/password, redirect the user to the My Domain login page where they'll login with un/pw. If they choose SSO, then send them to your IDP and propagate the SAML Request & RelayState to initiate the SAML protocol.
Similarly, unauthenticated requests to the custom app need to redirect to the IDP, so that they will initiate SAML. Is the custom app inside of Salesforce (as a different tabset), or hosted outside of Salesforce? If the custom app is separate from Salesforce, you'll need to set up the identity provider so that it has 2 RPs: one for Salesforce and one for this custom app. If the custom app is in Salesforce, how is the user going to express intent to access Salesforce vs the custom app?
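The interstitial routing described in this answer, as an added example that is not part of the original post: the page receives the SP's HTTP-Redirect-binding AuthnRequest, sends password users to the My Domain login page, and forwards SAMLRequest/RelayState (plus SigAlg/Signature if the SP signed the request) to the IdP only after confirming the request's Issuer is one of the known RPs. The URLs, entity IDs and the sample AuthnRequest are constructed assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed (hypothetical) endpoints and entity IDs; substitute your own values.
MYDOMAIN_LOGIN_URL = "https://example.my.salesforce.com/login"
IDP_SSO_URL = "https://idp.example.com/saml/sso"
KNOWN_SP_ISSUERS = {"https://example.my.salesforce.com", "https://customapp.example.com"}

# Constructed sample AuthnRequest, shaped like one an SP sends for an SP-initiated login.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Issuer>https://example.my.salesforce.com</saml:Issuer></samlp:AuthnRequest>')

def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding encoding (what the SP produces): raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_binding(saml_request: str) -> ET.Element:
    """Inverse of the above; returns the parsed AuthnRequest element."""
    return ET.fromstring(zlib.decompress(base64.b64decode(saml_request), -15))

def forward_params(query: dict) -> dict:
    """SAML query parameters to pass through to the IdP unchanged. Signature and SigAlg
    (present when the SP signs requests) must travel with SAMLRequest and RelayState,
    or the IdP's signature check fails; anything else the SP appended is dropped."""
    if "SAMLRequest" not in query:
        raise ValueError("SSO chosen but no SAMLRequest to forward")
    issuer = decode_redirect_binding(query["SAMLRequest"]).findtext("saml:Issuer", namespaces=NS)
    if issuer not in KNOWN_SP_ISSUERS:
        raise ValueError(f"AuthnRequest from unknown SP {issuer!r}")
    return {k: query[k] for k in ("SAMLRequest", "RelayState", "SigAlg", "Signature") if k in query}

def route_login(choice: str, query: dict) -> str:
    """URL the interstitial redirects to: 'password' -> My Domain login, 'sso' -> IdP."""
    if choice == "password":
        return MYDOMAIN_LOGIN_URL  # nothing from the SAML request is needed there
    if choice == "sso":
        # RelayState is opaque to us: forwarded as-is, never used as a redirect target.
        return IDP_SSO_URL + "?" + urlencode(forward_params(query))
    raise ValueError(f"unknown choice {choice!r}")
```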

Related

Get authenticated user in AD using login_hint param and pass the data by Amplify to Cognito

I'm working on a project with React JS that needs to authenticate a user from a redirect using a URL with the "login_hint" param. There is a federation in AD and a Cognito User Pool with SAML configuration referenced to that federation domain. I can authenticate the user normally with the OAuth configuration and use Amplify Hub for listening to data, but I can't find a solution for the authentication by redirect.
Example:
User logs in on Site A using a federated AD account;
User clicks a link to access Site B, under the same federation;
The URL to site B in Site A's href attribute is "https://www.siteb.net/?login_hint=user#domain.com";
Site B reads the URL and gets the "login_hint" value to request the user token or session from AD;
Finally, Amplify sends a silent authentication to Cognito.
So, is it possible using Amplify, or a combination of Amplify and MSAL... or is it not possible this way?

Authenticate in Identity with an external login page

So, we are developing a public REST API that is protected by our own Identity server through an authorization code flow. Somewhere in the middle of the flow, we also implemented a consent step (with a different web app) to grant the API access to some data that belongs to a user's account in another web app of our own. Currently, the consent page is protected by OpenIdConnect, whose login page is implemented in the Identity server itself. However, we want to expose as little as possible of the Identity server to the public.
With that in mind, is it possible to implement a login page outside of the Identity server that can still authenticate the user in Identity and grant the consent? If so, how?
I will start with just explaining the flow.
When an app redirects a user to Identityserver, they come to the authorize endpoint to validate the request.
When the request is not valid, that triggers an error.
When the request is valid and the user is authenticated (has an auth cookie), they just go back to the client app with the code.
When the request is valid and the user is not authenticated, the next redirect would be to the login page. It is the place to check the credentials, set the cookie (for the Identityserver app) and redirect back to the authorize endpoint to go further with consent or the final redirect to the client app.
Is the answer crystal clear already? The login page is almost the only thing vitally needed by Identityserver to make setting the auth cookie for any further SSO possible.
Nevertheless you can delegate the login handling to an external app (one more Identityserver instance?). In that case your front login app will perform the steps (1-2-3-4), set the first level cookie, redirect back to the client Identityserver app, which will set the second level cookie on external auth callback action and finally redirect to the original caller. Is this the scenario for you? Possibly so. The original explanation is a bit uncertain.

React multiple subdomain auth with jwt

We want to develop a few different services (React apps) with the same users database and REST API.
Some users might have access to APP 1, some to APP 2, some to both, depending on their role.
We decided to go with the multiple-subdomain apps method.
We want SSO, so only one page/app authenticates all the apps, not a local login component for each app, using a JWT mechanism in our backend.
STRUCTURE: (diagram not included)
AUTH FLOW: (diagram not included)
There are two main problems in this flow, which are marked as 1 and 2:
Let's say I go to the login app and log in, getting an access token from the backend.
How do I deliver the token to app1.company.com? Should the React login app redirect with the token in a URL param?
Local storage is subdomain scoped.
iframe has problems with Safari.
I don't wanna save the JWT in cookies for now because the Flask REST API can serve non-browser related clients.
Let's say the user wants to go to app2. If we aren't able to share the token from app1 with iframes or any other method, then this app should be redirected to login and go through the process again as app1 did, which is fine for us.
But is this really the way? If the token is not valid anymore and we get an error from the backend, should we redirect to the login app in the other subdomain (embedding the URL we wanna go back to after login success)?
Can I just use a 3rd party OpenID Connect service?
Should I consider a microfrontends approach to make all the "apps" live on the same domain?
How does "Atlassian", as an example, handle this process?
What am I missing and what is the best way to solve this flow?
Let's say I go to the login app and log in, getting an access token from the backend. How do I deliver the token to app1.company.com?
It is not a problem that login.company.com delivers the token as a parameter in the URL, because the site can verify the authenticity of the token by verifying the digital signature or with a specific endpoint in the central authentication domain. This is how OpenID/OAuth2 does it using the "implicit" flow, although they also allow sending the token as POST, or using a 2-step flow ("authorization_code" flow).
Let's say the user wants to go to app2. If we aren't able to share the token from app1 with iframes or any other method, then this app should be redirected to login and go through the process again as app1 did, which is fine for us. But is this really the way?
You can share the token between domains using an internal iframe, but in your case I would recommend that each domain use its own token.
If the token is not valid anymore and we get an error from the backend, should we redirect to the login app in the other subdomain (embedding the URL we wanna go back to after login success)?
Yes, in number 2) of your drawing, just redirect from app2.company.com to login.company.com and follow the same flow as in 1). You will need some type of cookie on login.company.com to avoid requesting credentials from the user again.
Can I just use a 3rd party OpenID Connect service?
Yes, you can use an external OpenIdConnect service, or deploy at login.company.com an OpenIdConnect server like IdentityServer or Keycloak.
Should I consider a microfrontends approach to make all the "apps" live on the same domain?
It is not necessary if you have a central authentication domain.
How does "Atlassian", as an example, handle this process?
I don't know exactly how Atlassian does it, but currently most web services support OpenIdConnect.

SAML Response authentication

Scenario:
1. Browser (User) requests a resource from the Service Provider (SP).
2. SP redirects (with SAML Request) to the Identity Provider (IdP).
3. Since it is the first login, the user gives the IdP his/her valid credentials.
4. IdP then redirects the browser (with a SAML Response which includes the SAML token) to the SP page.
5. The application has a link to a different application. The second application needs to validate the user credentials with the same IdP.
6. User clicks on that link and the browser opens the second application. The browser contains the same SAML response from the SP.
In step 5, how can I authenticate the user with the SAML response and allow the user to be logged in automatically?
Do I need another SP?
I will not be able to use the SP from step 1 as it is an external application.
Appreciate your help
If the second application is in a different administrative domain, it should be done through its own SAML SP starting another SAML request/response exchange with the IDP. If it is in the same domain you may be able to pass an intra-domain credential such as a cookie between the first application and the second (or rely on full SAML as well). You would never reuse the same SAML response because that is meant to be one-time use only.
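The "one-time use only" point from this answer, as an added example that is not part of the original post: the SP-side checks that make a SAML Response unusable by a second application (or a second time by the first), namely InResponseTo against an outstanding AuthnRequest, the Conditions validity window, AudienceRestriction against this SP's own entity ID, and a replay cache keyed on the assertion ID. The sample Response, entity IDs and the 60-second clock skew are constructed assumptions; XML signature verification is assumed to have happened before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample Response (XML signature omitted: verify it before running these checks).
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" '
    'InResponseTo="_req1" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://app1.example.com</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')

def parse_ts(value):
    """SAML timestamps are UTC; the sample has no fractional seconds (real IdPs may)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class ReplayCache:
    """Remembers assertion IDs until they expire, so each assertion is accepted once."""
    def __init__(self):
        self._seen = {}  # assertion ID -> expiry (aware UTC datetime)
    def check_and_record(self, assertion_id, expires, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # prune expired
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True

def accept_response(xml_text, audience, pending_request_ids, cache, now, skew=timedelta(seconds=60)):
    """(ok, reason) for a Response presented to this SP. Rejects a replayed assertion, one
    outside its validity window, one for another SP, or one answering no request of ours."""
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    in_response_to = resp.get("InResponseTo")
    if in_response_to not in pending_request_ids:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    cond = assertion.find("saml:Conditions", NS)
    not_before, not_after = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
    if not (not_before - skew <= now < not_after + skew):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return False, "assertion issued for a different SP"
    if not cache.check_and_record(assertion.get("ID"), not_after + skew, now):
        return False, "assertion already used"
    pending_request_ids.discard(in_response_to)  # answered; one Response per AuthnRequest
    return True, "ok"
```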

Sales Force Integration

I'm trying to integrate Salesforce with my application. I'm using OAuth 2.0 authorization for getting a refresh token. I'm redirecting to the Salesforce login page. I don't want to show this page in my app. Is there any way to do that?
The key concept behind using the OAuth 2.0 Web Server Authentication Flow or the OAuth 2.0 User-Agent Flow is that the user's authentication details only go to Salesforce. Your application doesn't need to handle their username or password. This, combined with the authorization of your app in Salesforce, gives the user a greater level of security.
You can't store the username/password details and they can revoke authorization access for the app.
If you don't want to redirect via the Salesforce login page you can use the OAuth 2.0 Username-Password Flow. Here you will handle the username and password (plus potentially the security token). This is less secure from the user's perspective, but bypasses the redirect to the Salesforce login page.
Incidentally, there is a dedicated StackExchange site for Salesforce that is a great place to ask these sort of questions.