Get request token from ADFS SAML .NET server from Java - java

I am trying to connect to a web service (WSDL file) in .NET from Java, but I am unable to authenticate. The authentication is based on ADFS SAML.
I have used all the libraries: Axis, Axis2, JAX-WS, Metro but none of them are working for me.
So then I just made a SOAPEnvelope in SAAJ and am just sending it without any other 3rd party library. Now I know exactly what is being sent.
What I don't know is how to populate the header message correctly. The server is using TransportWithMessageCredential security mode with clientCredentialType="UserName".
Since it's SAML, I need to send a message with credentials that will send me back a token that I can use in my subsequent messages.
How do I make that request message that returns me the SAML token?

In order to talk SAML to ADFS, you need a client-side SAML stack.
So you can authenticate via the SAML stack to ADFS and get a SAML token back.
There is a SOAP binding for SAML but it is not supported by ADFS.

Related

Redirect way except Ajax/Javascript to send the authentication request to avoid CORS error

Issue description:
Assuming I have one web application (Java + SAML 2.0) which has a Sign in button to call ADFS (an identity provider) to authenticate.
It's using JavaScript (Ajax has the same issue) to call one endpoint of ADFS 2016. Since the request is sent from JavaScript/Ajax, the browser throws a CORS error. (The ADFS 2016 server side doesn't support modifying CORS headers/responses/origins.)
And I heard from someone that one way to avoid the CORS error is to use a redirect instead of using Ajax/JavaScript to directly call one URL/endpoint.
Can someone give some insights for this situation? How can I modify my code to do such a redirect without causing CORS?
PS: I don't want to lower browser security level to bypass CORS and I also don't want to upgrade to ADFS2019 though it supports customizing CORS origins.
I'm not sure if you are trying to achieve some special case by using JavaScript like this. But normally when authenticating a user using SAML you issue an HTTP redirect from the backend as a response to the user clicking the login button.
To understand it all it is important to first understand the SAML authentication flow as I go through in this post.
- The user triggers authentication by navigating to a protected page or, in this case, clicking a button.
- The application, or Service Provider (SP) in SAML speak, builds a SAML authentication request and sends it to the IdP by adding it as a URL parameter and sending a backend HTTP Redirect to the user. The authentication request can also be sent using HTTP POST, as explained here.
- The IdP authenticates the user in the way it sees fit.
- The IdP sends the user back to the SP using HTTP POST together with a SAML Response and SAML Assertion. These contain the result of the authentication as well as any extra information about the user.
- The SP, your application, interprets the SAML Response and lets the user through to the protected application.
This redirect contains an encoded SAML authentication request in the URL that is parsed by ADFS to understand where the authentication request is coming from and how to authenticate the user.
There are several libraries and frameworks for managing SAML traffic, including sending the messages using redirect or other methods. If you are using Java, Spring has SAML management as a part of their security framework. Another library is PAC4J, which provides a SAML module.
While both of these work well for the most general use case of building an SP to integrate with an existing IdP, if you need to do more custom cases or build an IdP on your own, OpenSAML can be an alternative.
OpenSAML is a more low-level library for handling SAML. In this write-up on my blog I show how to build and send a SAML authentication request using redirect from OpenSAML.
Below is a simplified example for using OpenSAML. For a full example see the sample code here and here.
The authentication request is built using OpenSAML
// Imports (added here for completeness; package names are those of OpenSAML 4, which takes java.time.Instant).
// OpenSAMLUtils is the helper class from the linked sample code; the upper-case constants are the SP's own configuration values.
import java.time.Instant;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.messaging.context.SAMLEndpointContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.binding.encoding.impl.HTTPRedirectDeflateEncoder;
import org.opensaml.saml.saml2.core.AuthnRequest;

AuthnRequest authnRequest = OpenSAMLUtils.buildSAMLObject(AuthnRequest.class);
authnRequest.setIssueInstant(Instant.now());
authnRequest.setDestination(IPD_SSO_DESTINATION); // the IdP's single sign-on endpoint URL
authnRequest.setProtocolBinding(SAMLConstants.SAML2_ARTIFACT_BINDING_URI); // binding the IdP should use for its response
authnRequest.setAssertionConsumerServiceURL(SP_ASSERTION_CONSUMER_SERVICE_URL);
authnRequest.setID(RANDOM_ID); // unique per request; keep it to match InResponseTo on the SAML Response
authnRequest.setIssuer(ISSUER); // the SP's entity ID
authnRequest.setNameIDPolicy(NAME_ID_POLICY);
Add the message to a message context and set the destination
MessageContext context = new MessageContext();
context.setMessage(authnRequest);
// Sub-contexts are created on demand (the "true" argument) and hold the peer IdP's endpoint.
SAMLPeerEntityContext peerEntityContext = context.getSubcontext(SAMLPeerEntityContext.class, true);
SAMLEndpointContext endpointContext = peerEntityContext.getSubcontext(SAMLEndpointContext.class, true);
endpointContext.setEndpoint(MESSAGE_RECEIVER_ENDPOINT);
Send the message using HTTP Redirect
// The encoder deflates and base64-encodes the request, puts it in the SAMLRequest query parameter
// and writes the 302 response to the servlet response.
HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
encoder.setMessageContext(context);
encoder.setHttpServletResponse(httpServletResponse);
encoder.initialize();
encoder.encode();
For those who want to dig in deeper I have written a book on working with OpenSAML, A Guide to OpenSAML, as well as a book on SAML as a framework, SAML 2.0: Designing secure identity federation.
I also have a ton of resources on my blog.
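As an added example (not part of the answer above or of the OpenSAML project), the Python script below shows what the HTTP-Redirect binding described in the answer actually puts on the wire: it builds an unsigned AuthnRequest with the same fields the OpenSAML snippet sets (choosing the HTTP-POST response binding from step 4 of the flow), encodes it into the URL a backend would send as the Location header of its 302, and decodes it again the way the IdP would. The endpoint URLs and entity ID are hypothetical placeholders.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
IDP_SSO = "https://adfs.example.test/adfs/ls/"  # hypothetical endpoints, constructed for this example
SP_ACS = "https://sp.example.test/saml/acs"
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"

def build_authn_request(request_id, issue_instant):
    """Serialise an unsigned AuthnRequest carrying the same fields the OpenSAML snippet sets."""
    for prefix, ns in (("samlp", SAMLP), ("saml", SAML)):
        ET.register_namespace(prefix, ns)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": IDP_SSO, "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": SP_ACS})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "AllowCreate": "true"})
    return ET.tostring(req, encoding="utf-8")

def redirect_url(authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode the result as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header/trailer
    deflated = comp.compress(authn_request_xml) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state  # opaque SP state; the IdP returns it unchanged
    return IDP_SSO + "?" + urlencode(params)

def decode_redirect_url(url):
    """Reverse the binding, as the IdP does, and return the fields worth checking on receipt."""
    qs = parse_qs(urlsplit(url).query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    return {"id": root.get("ID"), "destination": root.get("Destination"),
            "acs": root.get("AssertionConsumerServiceURL"), "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "relay_state": qs.get("RelayState", [None])[0]}

if __name__ == "__main__":
    # xs:ID must not start with a digit; the SP keeps it to match InResponseTo on the SAML Response.
    xml = build_authn_request("_" + secrets.token_hex(16), datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    url = redirect_url(xml, relay_state="/app/home")
    print(url)  # the Location header of the backend's 302: the browser follows it, so no Ajax and no CORS
```

A production SP also signs the request (SigAlg and Signature query parameters) when the IdP requires it, and the IdP checks that Destination matches its own endpoint before processing.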

How to get SAML response through Play PAC4J

I am using the Play framework and PAC4J to authenticate against WSO2 via SAML SSO. I need the SAMLResponse back to generate a cookie and access WSO2 APIs. How do I get the SAML response from PAC4J?
Did you take a look at play-pac4j-scala-demo? There is an example showing the creation of a JWT token using the ProfileManager.

How to access SAML Response after TAI and ACS have processed it during SSO

I have developed a custom web application (WAR) that would need to retrieve the SAML response from the request object and extract the user profile attributes from it. Deployed the same on WebSphere (Service Provider).
Trying to implement the below approach wherein:
- OneLogin (Identity Provider) sends the SAML Response and Relay State
- The SAML response is processed by the ACS application
- The ACS application redirects the user to the custom web application (set in RelayState of IdP)
- This application will then retrieve the SAML response object from the request, populate the dynamic cache with user profile attributes and redirect the user to the main application home page.
Currently, the SAML response (once received and processed by WebSphere TAI and the ACS application) does not seem to be available when the ACS redirects to the custom web application (set in Relay State). Is it possible to preserve and pass on the SAML response from the ACS application to the custom web application?
Any help/pointers would be appreciated.
Warm Regards,
Ekansh
It is not possible to get the original SamlResponse message in your application. However, it is possible to get the SAML Token (the SAML XML file) from the application. Typically, one could use this SAML token to make a web service call either over a SOAP security header or an HTTP header, or make a WS-Trust call to exchange the SAML token for a new SAML token for a downstream service call.
Can you make a web service call (either JAX-WS or JAX-RS) instead of a browser redirect? If a web service call works for you, I can help you to make it work.
Preserving and passing over the SAML response is meaningless. Essentially, as the protocol defines, once the user is authenticated @ OneLogin it sends back the SAML Token in the SAML Response to the ACS. The ACS validates the SAML token and allows the user to proceed further.
Now if you are redirecting the user to the custom web application and would like to use SAML, then you should ideally implement a SAML service provider library in your application, and your custom Web Application will act as another SAML Client, registered in OneLogin. The user in this case will get an SSO-like experience in case SSO is turned on at the Identity provider (in this case OneLogin), since he has already authenticated himself/herself when doing a login to the ACS.

Calling a rest webservice from html..Passing in credentials

When an HTML page makes a call to a REST web service, how can the service credentials be sent in the request?
The username and pwd needed by the service can be sent in the request itself by using the (username:pwd@service.com) notation, but it would not be wise to send the creds in the request itself.
Any other ways to solve this problem?
If it uses BASIC authentication, it is sent along with the request as a header (in clear). Have a look at:
http://en.wikipedia.org/wiki/Basic_access_authentication
This can be hardened by using a secure protocol (https), with which you encode your request (basic authentication included).
http://en.wikipedia.org/wiki/HTTP_Secure
This requires additional configuration on the server side.

HTML5 mobile app security

I'm developing an html5+jquery+phonegap application. The server side is written in Java and Spring MVC. And I hope to implement an authentication model as follows.
- The client signs up using his email, which would be used as his userID.
- A token is sent to his email.
- He is given a screen to enter the token.
- That token is stored in the local storage of the client.
- Every time the client calls a web service, his userID and token are sent by the app over https.
- The server authenticates him and responds.
What are the options available to implement this kind of security from the server side? Can Spring Security be used in this way? I tried to find an implementation with Spring Security, but couldn't find any implementation other than basic authentication.
You can use PreAuthenticationProcessingFilter to achieve this requirement; have a look at a similar case and the Spring Security docs.
