Develop SAML Integration with Okta in our java web application - java

We are totally new to SAML and Okta. We are a Java based SaaS web application which will be used by multiple customers. We are looking forward to implementing SAML integration with Okta and we need the details to get started with.
How do we register ourselves as a third party application in Okta? If so, can we support multiple customers' IdPs with a single SP?
How do we develop SAML integration in Java and integrate that with Okta?
Any pointers would be greatly appreciated.
Thank you.

Welcome Vasantha,
as you probably know, your app will act as a SAML Service Provider, so you just generate SAML SP meta data and hand it over to Okta admins. It actually does not matter which SAML IdP implementation the 'SSO partner' is using. SAMLv2 as an 'internets body' standard is product agnostic.
You can support multiple IdPs, but most SAML SP libs may not support this out of the box.
You should not try to implement a SAML SP yourself. It's way more than just handling SAML messages. You may choose one of various SAML Java SP implementations.

Related

Authentication solution for a Java based Product

We are developing a Java based product. We need to make the authentication part fit the major authentication services, like LDAP, OpenID, OAuth2, SAML. The idea is, when we deploy the product for a company which has LDAP, our product should be able to cater to it. If the company has OAuth2, then our product should be able to cater to that as well.
I want to know what the better approaches and tools are. I'm looking for an open source solution which supports all these protocols in one place. Please share the knowledge.
I'd suggest Spring Security. It is completely independent of the Spring Core framework and with some simple configuration and some additional libraries (also developed by the same team), you can get a simple solution for most of the popular authentication methods.
With a couple of annotations, you can configure which methods or endpoints you want secured.
You can create Spring profiles which decide which authentication method is to be used.
A simple approach is to use an IAM (identity and access management) solution. Keycloak is a good open source one (and is written in Java, but you shouldn't mind).
By the way, your question is off-topic (recommending software or tools). Post it here
You need to separate out Identity repositories and Identity protocols.
LDAP and AD are repositories.
OpenID, OAuth2, SAML are protocols.
You need an IAM system that handles all the protocols and sits on top of the repositories.
For your product to talk to your IAM, you need a protocol stack in your product e.g. for SAML.
You then federate your IAM with other vendors e.g. if a vendor comes along and wants to authenticate with their AD, they would install ADFS and then ADFS federates with your IAM system.
So the logical flow goes:
User --> authenticate on their IAM --> trusted by your IAM --> access to your application granted.
You could also look at Identity as a Service e.g. Azure AD, Auth0, Okta etc.

Spring Security SAML Implementation

I am starting with a new Spring project where I am planning to use SSO. I have read the blogs and come to know Spring Security SAML will be the best solution for the SP.
So I have implemented the Spring Security SAML sample application provided by the Spring site https://github.com/SpringSource/spring-security-saml as SP along with Shibboleth IDP.
The IDP connects with an LDAP server. I am able to execute the Spring Security sample application.
I am confused how I can use this Spring Security SAML extension along with multiple Spring projects.
Any example link or suggestions on architecting the Spring SAML project integration with multiple Spring MVC applications will be helpful.
Provided your REST APIs are only called by the web application which is deployed together with them (in a single war and therefore sharing the same HTTP session) you can use Spring SAML + Spring Security to secure them.
Spring SAML will be used to authenticate the users against a remote IDP and populate their entitlements (granted authorities); Spring Security can then be used to define security policies for the APIs called from the UI.
In case you want to be able to call the REST APIs from remote clients, you may want to look into the Spring Security OAuth project - as this is no longer about web single sign-on.
It is possible to create a central installation of Spring SAML which handles all SSO logic. Of course you will need to implement a mechanism in which Spring SAML relays information about the authenticated user and her attributes to your other applications, and do so in a secure way. One possible way to approach it (provided the applications are deployed on the same domain and therefore can share cookies) is to:
after authentication in Spring SAML set a shared cookie which is visible to all the other applications and which is e.g. signed by the Spring SAML's key, or encrypted using a shared key, the cookie should also contain user's attributes
this can be done in a custom AuthenticationSuccessHandler which is subsequently expected to redirect user to the correct application (e.g. based on some custom logic or relay state)
the target application needs to verify the cookie (by checking the signature or decrypting using a shared key, possibly performing other checks), parse the attributes and start own session which is pre-authenticated based on the content of the cookie
All of this can be done with implementations to standard interfaces of Spring Security and Spring SAML. But it's not a trivial task - mainly considering that any security vulnerability in your implementation might compromise security of your applications.
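The shared cookie from the steps above, as an added example that is not code from the original answer or from Spring SAML: it takes the "shared key" variant, protecting the cookie with an HMAC-SHA256 tag that the central SSO application computes in its success handler and every target application verifies before starting its own pre-authenticated session. The payload carries the subject, an expiry and the user's attributes; the class and method names, the `sub`/`exp` field names and the demo key are my own assumptions.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Issues and verifies an HMAC-signed SSO cookie shared between applications on one domain. */
public final class SsoCookieCodec {
    private static final String ALG = "HmacSHA256";
    private final byte[] key; // secret shared by the central SSO app and every target app

    public SsoCookieCodec(byte[] key) {
        if (key.length < 32) throw new IllegalArgumentException("use at least a 256-bit key");
        this.key = key.clone();
    }

    /** Cookie value is "payload.signature"; the payload holds sub, exp and the user's attributes. */
    public String issue(String user, Map<String, String> attributes, Instant expiresAt) {
        if (attributes.containsKey("sub") || attributes.containsKey("exp"))
            throw new IllegalArgumentException("sub and exp are reserved attribute names");
        StringBuilder sb = new StringBuilder("sub=").append(enc(user))
                .append("&exp=").append(expiresAt.getEpochSecond());
        for (Map.Entry<String, String> e : new TreeMap<>(attributes).entrySet()) {
            sb.append('&').append(enc(e.getKey())).append('=').append(enc(e.getValue()));
        }
        String payload = b64(sb.toString().getBytes(StandardCharsets.UTF_8));
        return payload + "." + b64(hmac(payload));
    }

    /** Returns the claims only if the tag verifies and the cookie has not expired. */
    public Optional<Map<String, String>> verify(String cookie, Instant now) {
        int dot = cookie.lastIndexOf('.');
        if (dot <= 0) return Optional.empty();
        String payload = cookie.substring(0, dot);
        byte[] actual;
        try {
            actual = Base64.getUrlDecoder().decode(cookie.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        // Verify the MAC before parsing anything; isEqual is a constant-time comparison.
        if (!MessageDigest.isEqual(hmac(payload), actual)) return Optional.empty();
        Map<String, String> claims = new LinkedHashMap<>();
        String decoded = new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8);
        for (String pair : decoded.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0) return Optional.empty();
            claims.put(dec(pair.substring(0, eq)), dec(pair.substring(eq + 1)));
        }
        try {
            long exp = Long.parseLong(claims.getOrDefault("exp", ""));
            if (!claims.containsKey("sub") || now.getEpochSecond() >= exp) return Optional.empty();
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        return Optional.of(claims);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(key, ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    private static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }

    public static void main(String[] args) {
        // Constructed demo key; in practice load it from a secret store shared by the applications.
        byte[] key = "constructed-demo-key-0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        SsoCookieCodec codec = new SsoCookieCodec(key);
        Instant now = Instant.now();
        // Set by the AuthenticationSuccessHandler in the central SSO application.
        String cookie = codec.issue("alice", Map.of("email", "alice@example.com", "roles", "admin,user"),
                now.plusSeconds(300));
        // Checked by the target application before it starts its pre-authenticated session.
        System.out.println("valid:    " + codec.verify(cookie, now).orElse(Map.of()));
        String tampered = (cookie.charAt(0) == 'A' ? "B" : "A") + cookie.substring(1); // payload altered
        System.out.println("tampered: " + codec.verify(tampered, now).isPresent());
        System.out.println("expired:  " + codec.verify(cookie, now.plusSeconds(600)).isPresent());
    }
}
```

Two design points worth noting: the tag is checked before the payload is decoded, so a forged or altered cookie is rejected without any parsing of untrusted data, and the expiry lives inside the signed payload, so a client cannot extend it. The cookie should additionally be set with the Secure and HttpOnly flags, and the key must stay out of the applications' client-side code; attributes are only integrity-protected here, not encrypted, so anything the user must not read belongs in the encrypted variant the answer also mentions.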

What is the difference between JAAS, SAML and Realm

I was trying to learn JAAS, then I came up with the terms SAML and Realm, and now I am confused.
In any of the basic tutorials of JAAS, we are pretty much configuring the basics that a normal Realm configuration is. If I read the configuration of SAML then it looks similar to JAAS. I have absolutely no idea why there are different names. Maybe SAML is built on Realm and JAAS on SAML, not sure; can anybody please clearly state the difference.
Please, a humble request: if you share any link, please define a bit of it, so that it helps me when I am reading them.
I have successfully configured JAAS's BASIC and FORM based authentication on both JBoss and Glassfish. It helped me to protect my JSPs and Servlets (Web Project). Where should I look if I want to protect an EJB as part of my application?
JAAS is a set of standard APIs for Java SE and EE which provide basic ways to achieve authentication and limited authorization. The typical use of JAAS for authentication is through LoginModules. An implementation of the LoginModule interface (javax.security.auth.spi.LoginModule) is able to authenticate a user based on credentials provided by the caller in a CallbackHandler. Most application servers allow you to plug in your own LoginModules. Other key concepts of JAAS are Subject (a collection of information about a user) and Principal (a single attribute of a user - an ID, a password). Capabilities of JAAS for authorization are rather limited and are rarely used directly.
The standard authentication mechanisms for Java web applications (like FORM, BASIC or DIGEST declared in your web.xml descriptor) typically delegate verification of the provided credentials to the configured JAAS LoginModules.
Realm is a concept used to denote separation of authentication and authorization policies for different applications/systems. E.g. if you want to authenticate users in application A using LDAP and application B uses a database table, you can put them into different security realms, so that their security requirements are isolated and correctly enforced. The typical system which uses this term is Tomcat, but you will find similarities in other containers/application servers too. In most cases (e.g. when deploying a single application) you don't need to worry about Realms too much.
Java EE provides standard mechanisms for securing EJBs using role based access control (RBAC). You first define which roles are applicable to your application, then define which users accessing your application belong to which roles. You can then use either declarative authorization (= annotate your methods with security annotations such as @RolesAllowed, @PermitAll, @DeclareRoles, or do the same using XML descriptors) or programmatic authorization (= test whether the user belongs to a role by calling isCallerInRole on EJBContext directly in your code). A basic tutorial can be found here http://docs.oracle.com/javaee/6/tutorial/doc/bnbyl.html
SAML is a very different beast from the previous ones. In a very simplistic way you can see SAML WebSSO as an authentication method. Generally SAML is a standard which defines an XML-based protocol used to transfer information about users, their authentication events and security attributes between remote systems in a secure way. Apart from the protocol itself SAML standard defines typical use-cases for the protocol, the most common being Web Single Sign-On (a possibility to authenticate user externally from the application at an entity called Identity Provider and login to an application - Service Provider without revealing user's credentials to it). In these use-cases SAML is similar to OpenID or OAuth 2.0 authentication you can see provided by Facebook or Google to 3rd party developers.
Hope this helps,
Vladimir Schafer
See if this helps you. A realm is an area where a specific configuration is in place. JAAS and SAML are both authentication modules that can be configured to handle authentication on that realm. SAML is an authentication scheme. http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
To add to the other answers, I found the following explanation from this article to be helpful:
In reality, SAML and JAAS are two distinct security frameworks. SAML is an XML framework for exchanging authentication and authorization information. SAML provides a standard XML schema for specifying authentication, attribute, and authorization decision statements, and it additionally specifies a Web services-based request/reply protocol for exchanging these statements.
JAAS, on the other hand, through implementation-specific login modules receives information about the user, authenticates the user, and verifies that they are a valid subject.
So as I understand it, JAAS can be used to implement custom authentication and authorization for your app, and there are many possible ways to do this, some of which involve SAML. For example, you could use SAML to get the user's identity and role/group information; this would be stored in XML tokens that your JAAS module would need to parse.

Single Sign on to secure REST APIs and internal web based system

I need some suggestions on how to secure REST APIs and a web based internal system using a single authentication system.
I am looking into the possibility of using:
OAuth 2.0
JA-SIG CAS
Custom Implementation (implement two separate APIs)
To secure REST APIs and redirect calls to a specific API instance
To authenticate web application users.
I assume you have a UI for your webapp and want to share your identity between your webapp and your web service.
You can achieve that by :
"cassifying" your webapp (For example : https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml)
proxifying your calls from your webapp to your web service (https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough).
Here are a few suggestions in how to secure REST APIs. They are related to iPhones but they are generally applicable to client/server REST API implementations. Without more information I don't know how applicable they are, but they might help you out a bit:
Security When Using REST API in an iPhone Application
https://stackoverflow.com/questions/15390354/api-key-alternative/15390892#15390892

integrate simple java app with ADFS2

Can I use ADFS 2 with a Java application? I want to implement single sign-on in Java. I have read some articles where they have mentioned that you need the .NET framework.
There are two ways of doing this.
You can protect your Java application with a Java Identity Provider such as OpenSSO, OpenAM, Ping Identity etc. This will take care of the SSO for you. You then federate this provider with ADFS.
Or you can use the OpenSSO or OpenAM Fedlet here or here which is essentially a SAML 2.0 stack. In this case, you could communicate directly with ADFS.
Or (as @Scott states), use one of the other products.
Update:
Using the Fedlet follows the normal SAML integration flow of exchanging metadata (ip / sp .xml). From an ADFS point of view, just install the sp.xml as a RP using the file. Just follow the Fedlet documentation substituting ADFS for OpenAM. There is no sample code (other than what's in the Fedlet). You don't actually have to write anything - it's a configuration exercise.
Yes. Communication can be via SAML 2.0 which is widely supported by many toolkits and products.
