I have a Java application running on a Tomcat server. I am storing the user information in a MySQL table and, for authentication, using a Java REST service.
Now when I land on customer.myapp.com I want to check if there is an active session in the browser for customer.com; if so, log in to my app using that session internally. If there is no session, redirect the user to the customer.com login portal and, after login, land on the customer.myapp.com home page.
How can I implement this using SAML? I have gone through the theory parts and got an idea about the SP (in this case customer.myapp.com) and the IdP (I assume it will be the customer's login portal customer.com). I even downloaded the OpenSAML jar. I have no idea how the configuration is to be done. In my case I don't have any access to the IDP.
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObjectBuilderFactory;

public class EMSAMLObjectBuilder {
    public Assertion buildAssertion() throws ConfigurationException {
        DefaultBootstrap.bootstrap(); // OpenSAML 2.x: bootstrap once, or the builder factory is empty
        // Get the builder factory
        XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
        // Get the assertion builder based on the assertion element name
        @SuppressWarnings("unchecked")
        SAMLObjectBuilder<Assertion> builder = (SAMLObjectBuilder<Assertion>) builderFactory.getBuilder(Assertion.DEFAULT_ELEMENT_NAME);
        // Create the (still empty) assertion
        return builder.buildObject();
    }
}
This is the only piece of code I could find. Any help?
Sounds like a standard use case for the SAML Web Browser Profile. I would suggest reading up on it. There is a lot of information on the Internet.
Basically the process goes like this.
The SP and the IDP exchange metadata XML. This can be done by any means, for example email or by publishing the XML on a web server. This is only done once between an SP and IDP.
When the SP wants to authenticate the user, it sends the user to the IDP, using for example a redirect, together with a SAML Authentication Request.
The IDP authenticates the user.
The IDP sends the user back to the SP together with a SAML Authentication Response.
SAML is a very flexible protocol so the flow above can vary. How the communication is done is generally specified more precisely in the metadata.
There are several ways this could be implemented, OpenSAML is one of them. The OpenSAML official website has some helpful examples.
I write a blog on OpenSAML with lots of helpful posts on the subject. I have also written a book, A Guide to OpenSAML, that details step by step the implementation of a SAML Web Browser Profile service provider.
Coincidentally the sample application in the book runs on embedded Tomcat.
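The SP-initiated step in the flow above (SP builds an AuthnRequest, sends the browser to the IDP with it), as an added example that is not code from this answer, from the book, or from OpenSAML. It is written in Python with only the standard library so it runs stand-alone; a Java SP using OpenSAML performs the same steps with the library's builders and the HTTP-Redirect encoder. The entity IDs and URLs (customer.myapp.com, customer.com/idp/sso) are hypothetical values chosen for the example, and the request is unsigned: when the SP metadata says AuthnRequestsSigned, the Redirect binding adds SigAlg and Signature query parameters computed over the encoded string, which this example omits.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical SP and IdP identifiers chosen for this example (not from the original post).
SP_ENTITY_ID = "https://customer.myapp.com/saml/metadata"
SP_ACS_URL = "https://customer.myapp.com/saml/acs"
IDP_SSO_URL = "https://customer.com/idp/sso"   # SingleSignOnService Location from the IdP's metadata


def build_authn_request(request_id=None, issue_instant=None):
    """Return (request_id, xml) for a minimal SP-initiated AuthnRequest.

    The SP must remember request_id: the Response's InResponseTo is checked against it.
    """
    request_id = request_id or "_" + secrets.token_hex(16)   # an xs:ID must not start with a digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return request_id, ET.tostring(req, encoding="unicode")


def redirect_binding_url(xml, relay_state):
    """Encode per the HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode.

    RelayState is opaque, at most 80 bytes, and should be an index into SP-side state
    (not a free-form return URL, which invites open redirects).
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
              "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect_binding(url):
    """The inverse, as the IdP does it: recover the AuthnRequest XML and the RelayState."""
    qs = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode("utf-8")
    return xml, qs.get("RelayState", [None])[0]


def parse_authn_request(xml):
    """Pull the fields an IdP acts on out of the request."""
    root = ET.fromstring(xml)
    return {"id": root.get("ID"),
            "acs": root.get("AssertionConsumerServiceURL"),
            "issuer": root.findtext(f"{{{SAML}}}Issuer")}


if __name__ == "__main__":
    rid, xml = build_authn_request()
    url = redirect_binding_url(xml, "state-0001")
    print(url)
    print(parse_authn_request(decode_redirect_binding(url)[0]))
```

The IdP side of the same exchange is a Response posted to the AssertionConsumerServiceURL; the request ID returned by build_authn_request has to be kept (in the SP session, keyed by RelayState) so that InResponseTo can be checked when that Response arrives.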
My feeling is that you should never directly use libraries like OpenSAML which are really low-level and complicated to master.
If you want to secure your web application with a SAML login process, you should certainly use a security library for that.
Disclaimer: I'm the creator of pac4j, so I can recommend using one of the pac4j implementations: http://www.pac4j.org/implementations.html for SAML: http://www.pac4j.org/docs/clients/saml.html
Related
I have a Java Web Application and I want to serve it as a Service Provider and implement SAML. I am not sure about the workflow of how to do it.
I have read this SO question and still not able to understand completely.
In the question they are saying they need to send request to IDP, called as Assertion if I am right.
How do I create assertion? I saw the sample there. But where to pass the login credentials with that?
Also how do I register my application with IDP and do I need to install some certificate given by IDP for that? what is the workflow?
Thanks
Typically you use some kind of third party software to provide SAML integration. Examples of this are OpenAM and Shibboleth. It is a good idea to use software like this because SAML is a complex protocol and it is easy to make mistakes, leaving your solution vulnerable.
I have a blog post on SAML and the work flow you can have a look at.
This one about SAML and this one about the SAML Web profile flow that you want
If you insist on doing the whole integration yourself in code, OpenSAML is one library you can use. This will require you to have a good understanding of SAML.
My book, A Guide to OpenSAML, gives a good introduction to SAML and the OpenSAML library.
I also have some blog posts on OpenSAML
About your questions. The Assertion is something that is sent to you from the IDP; this is the proof of an authentication of a user. What you need to do is to send an AuthnRequest to the IDP to start an authentication.
The registration on the IDP depends completely on what software is used to implement SAML on the IDP side. Usually it involves you sending a SAML Metadata XML to the IDP. This is a configuration file containing certificates, endpoints and more. Here is a post on SAML Metadata
In return the IDP sends you metadata that you use to communicate with it.
I have created Java Web Application by using Netbeans IDE. I have created entities with relationships. Webpages are simple dashboards where I can add new entities, change them and delete them.
I have added Restful web services to my entities. So web page will be available only for admin and I want to create client application that will have access only for his own data. That means client must login or register to my server.
When a user logs in/registers on the website, the server will create a session for this user. I know that in a RESTful service there are no sessions. My thought is to pass the login and password every time the client wants to do some operation with the server.
Question: is there any other method to create something like session between client and server? I hope it is not connected with encryption.
There are many options for authentication as well as authorization. If you want to use simple authentication then use HTTP 'Basic Auth'. Check out https://www.rfc-editor.org/rfc/rfc2617 for details. Remember that this is unsafe because the username/password flows on the wire. Anyone can sniff the username/password. This is updated by the newer RFC 7235 - https://www.rfc-editor.org/rfc/rfc7235#section-4
A safer choice is OAuth. Explained in RFC 6749 https://www.rfc-editor.org/rfc/rfc6749. In this case an access token goes with each request.
In both the cases the credential details travel with headers. No interference with parameters.
We are implementing Single Sign On [SSO] across multiple applications, which are hosted on different domains and different servers.
Now as shown in the picture, We are introducing a Authenticate Server which actually interacts with LDAP and authenticate the users. The applications, which will be used/talk to Authenticate Server are hosted across different Servers and domains.
for SSO, I can't use session variables, as there are different servers and different applications, different domains, a domain level cookie/session variable is not helpful.
I am looking a better solution which can be used for SSO across them. Any demonstrated implementation is existing? If so, please post it or point me in the right direction for this.
You can achieve this by having all your log-ins happen on the auth server. The other applications can communicate to the auth server through a back channel. The general principle is like this:
User accesses application 1.
Application 1 needs the user to sign on, so it sends a token to the auth server through the back channel. Application 1 then redirects the user to the log in page on the auth server with the token as a parameter on the request.
User logs in to auth server. Auth server sets a cookie, flags the token as authenticated and associates the user details with it. Auth server then redirects user back to application 1.
Application 1 gets the request from the user and calls the auth server over the back channel to check if the token is OK. The auth server responds with user details.
Application 1 now knows that the user is authorised and has some basic user details.
Now this is where the SSO bit comes in:
User accesses application 2.
Application 2 needs the user to sign on, so it sends a token to the auth server through the back channel. Application 2 then redirects the user to the login page on the auth server with the token as a parameter on the request.
Auth server sees that there is a valid log in cookie, so it can tell that the user is already authenticated, and knows who they are. Auth server flags the token as authenticated and associates the user details with it. Auth server then redirects user back to application 2.
Application 2 gets the request from the user and calls the auth server over the back channel to check if the token is OK. The auth server responds with user details.
Application 2 now knows that the user is authorised and has some basic user details.
There are some existing implementations of this method, for example CAS (Central Authentication Service). Note that CAS is supported out of the box in Spring Security. I would advise you look at using an existing implementation, as writing your own will be hard. I have simplified things in my answer and there is a lot of potential for introducing security holes if you're new to this.
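The two flows in this answer (first login at application 1, then silent sign-on at application 2), as an added example that is not code from the answer or from CAS: a small in-process model in Python, with the auth server, two applications and the browser's cookie represented as plain objects rather than HTTP. The user, passwords, and application IDs are constructed sample data, and the password store is plaintext only so the example stays short. The model adds the checks a real implementation needs and the answer only hints at: a token is bound to the application that requested it, expires, is flagged authenticated only by the auth server, and can be redeemed exactly once.

```python
import secrets
import time


class AuthServer:
    """Central login server: owns the login cookie, hands out one-time login tokens."""

    def __init__(self, users, token_ttl=120):
        self.users = users          # username -> password; constructed sample data, plaintext only for the demo
        self.tokens = {}            # token -> {"app": app_id, "exp": deadline, "user": None | username}
        self.cookies = {}           # cookie value -> username (the auth server's own session)
        self.token_ttl = token_ttl

    def register_token(self, app_id):
        """Back channel, step 1: an application asks for a token before redirecting the browser."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"app": app_id, "exp": time.time() + self.token_ttl, "user": None}
        return token

    def login_page(self, token, cookie=None, username=None, password=None):
        """Front channel: the browser arrives with ?token=..., plus any cookie for this domain.

        Returns the cookie the browser should keep; the caller then redirects back to the app.
        """
        rec = self.tokens.get(token)
        if rec is None or rec["exp"] < time.time():
            raise PermissionError("unknown or expired token")
        user = self.cookies.get(cookie)
        if user is None:                       # no SSO session yet: credentials are required
            if username not in self.users or not secrets.compare_digest(
                    self.users[username].encode(), (password or "").encode()):
                raise PermissionError("login required")
            user = username
            cookie = secrets.token_urlsafe(32)
            self.cookies[cookie] = user
        rec["user"] = user                     # flag the token as authenticated for this user
        return cookie

    def validate_token(self, app_id, token):
        """Back channel, step 2: the app redeems the token. One-time use, bound to the issuing app."""
        rec = self.tokens.pop(token, None)
        if rec is None or rec["app"] != app_id or rec["user"] is None or rec["exp"] < time.time():
            return None
        return {"username": rec["user"]}


class App:
    """One of the applications on its own domain; it never sees the user's password."""

    def __init__(self, app_id, auth):
        self.app_id, self.auth = app_id, auth

    def start_login(self):
        return self.auth.register_token(self.app_id)   # then: redirect browser to login_page(token)

    def finish_login(self, token):
        return self.auth.validate_token(self.app_id, token)


def sso_demo():
    """Walk through the two flows from the answer above with a constructed user."""
    auth = AuthServer({"alice": "correct horse battery"})
    app1, app2 = App("app1", auth), App("app2", auth)
    # Application 1: the browser has no auth-server cookie, so the user types credentials.
    t1 = app1.start_login()
    cookie = auth.login_page(t1, cookie=None, username="alice", password="correct horse battery")
    user1 = app1.finish_login(t1)
    # Application 2: the browser presents the auth-server cookie; no credentials are asked for.
    t2 = app2.start_login()
    auth.login_page(t2, cookie=cookie)
    user2 = app2.finish_login(t2)
    replay = app1.finish_login(t1)     # a consumed token cannot be redeemed again
    return user1, user2, replay


if __name__ == "__main__":
    print(sso_demo())
```

The back channel (register_token, validate_token) is what keeps this safe: the browser only ever carries an opaque token, the user details travel server-to-server, and an application can redeem only tokens it registered itself. In a deployment that back channel needs its own authentication (mutual TLS or a shared secret per application), the auth-server cookie needs Secure and HttpOnly, and logout has to invalidate the cookie entry so that a later token is not silently flagged as authenticated.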
I will recommend you check out OAuth. It is a good Authentication and Authorization protocol used by several large organizations including Facebook, Google, Windows Live and others. It may have an initial learning curve, but it is a production grade solution.
It also has libraries for Java, Ruby, PHP and a range of other programming languages.
For example, the following server side implementations are available for Java.
Apache Amber (draft 22)
Spring Security for OAuth
Apis Authorization Server (v2-31)
Restlet Framework (draft 30)
Apache CXF
Following client side Java libraries are also available:
Apache Amber (draft 22)
Spring Social
Spring Security for OAuth
Restlet Framework (draft 30)
Please refer here for more details:
http://oauth.net/2/
http://oauth.net/documentation/
The bigger question is how you are implementing single sign on. Many open source and even proprietary (IBM Tivoli) offerings worth their salt offer cross domain single sign on capability. This would be the easiest and best way to implement cross domain sso. You can configure the LDAP server you use in the sso server you choose.
Taking for instance OpenSSO, here is an article to configure cross domain single sign on
http://docs.oracle.com/cd/E19681-01/820-5816/aeabl/index.html
To configure LDAP in OpenSSO,
http://docs.oracle.com/cd/E19316-01/820-3886/ghtmw/index.html
Reference on the issue is presented in a neat diagram here
http://docs.oracle.com/cd/E19575-01/820-3746/gipjl/index.html
Depending on which offering you use, you can configure cross domain single sign on.
With this, your diagram will look like this, with the auth server being your utility to interact with sso server of your choice.
Having an auth server that communicates with SSO is a sound architecture principle. I would suggest making calls to authenticate as REST endpoints which could be called via HTTP from different applications.
You cannot use a REST service.
You could use what I call Referrer URL Authentication.
Say you have an authentication application running on www.AAAA.com.
In the applications where you want to authenticate, you could have a filter which looks for an authenticated cookie in its domain, else redirects to www.AAAA.com for authentication.
On successful authentication, you could pass the user profile information as encrypted GET/POST data back to the application.
Since I have built a Java application, I have been looking for an SSO solution for it. I found a free Java SAML Connector using which you can achieve SSO in java based applications built using any java framework.
Here's the link to it - https://plugins.miniorange.com/java-single-sign-on-sso-connector
I have a customer who wants to implement SSO using SAML2 assertion based approach. The customer will be the Identity Provider (IDP) and my application will effectively be the Service Provider (SP).
In the past I've implemented SSO solutions where the IDP was Oracle Access Manager and therefore we were provided with the idp.xml file which allowed us to configure our SP environment using the supplied Fedlet. This conveniently created a relevant WAR file which, when deployed, allowed me to distribute the sp.xml file to the customer who imported it into their IDP. This all worked fine and I understand the concepts i.e. We receive the initial request, the fedlet handles this and takes the user to the IDP where they authenticate, then they're passed back to our SP with a SAML response which the Fedlet allows us to parse and extract some data identifying the user. I then do what's required to sign them into our application.
However the current requirement is not using any backend framework to provide the IDP, they've stated that it's custom built one. They've given me the IDP URL and a cert file and are asking for our "AssertionConsumerServiceURL" and "AudienceURI".
The application which I'm enabling SSO for is largely Java based. My investigation so far has led me to Forgerock's OpenAM solution as well as Shibboleth's OpenSAML. However I'm struggling with the first step, essentially where do I start building a custom SP application connecting to a third party IDP using OpenAM/Shibboleth/AnotherFramework.
Any pointers would be very useful.
Thanks,
Lee
Depends on what your requirements are. OpenAM Fedlet or Shibboleth is probably the best approach since you don't have to do so much coding on your own.
OpenSAML is a very low level toolkit for handling SAML messages. I would not recommend it if not really needed.
As for the things they are asking for, the AssertionConsumerServiceURL is the service endpoint where you receive your SSO SAML messages.
The definition of AudienceURI is quite gray. Basically you send them an identifier, they include this in their messages and you validate that the identifier is the same you gave them. I myself do not understand the difference between this and Destination...
I'm a bit surprised that they ask you for this. The standard way to do this first exchange of information is by SAML metadata documents.
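The SP-side checks on the Response that arrives at the AssertionConsumerServiceURL, as an added example that is not code from this answer or from any SAML toolkit. It is Python with only the standard library so it runs stand-alone; the sample Response is constructed for the example, unsigned, and uses hypothetical entity IDs and URLs (sp.example.org, idp.example.org). It shows the two values the customer asked for being checked in different places: Destination and the bearer Recipient are compared against the ACS URL (a URL the SP serves), while Audience is compared against the SP's entityID (the AudienceURI, an identifier that need not be a reachable URL). XML signature verification against the certificate from the IDP's metadata is the precondition for all of this and is not implemented here; it is the part a library should do, including canonicalization and rejecting a signature that covers a different element than the one you read.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml, *, sp_entity_id, acs_url, idp_entity_id, outstanding_request_ids,
                      now, skew=timedelta(seconds=60)):
    """Return the NameID of a Response that passes every check, else raise ValueError.

    Precondition (not implemented here): the XML signature over the Response/Assertion has
    already been verified against the certificate from the IdP's metadata.
    """
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    # Destination is the URL the message was addressed to: our AssertionConsumerServiceURL.
    if root.get("Destination") != acs_url:
        raise ValueError("Destination mismatch")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    in_resp = root.get("InResponseTo")
    if in_resp not in outstanding_request_ids:
        raise ValueError("InResponseTo does not match a request we issued")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext(f"{{{SAML}}}Issuer") != idp_entity_id:
        raise ValueError("unexpected Issuer")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise ValueError("missing Conditions")
    if now + skew < _ts(cond.get("NotBefore")) or now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    # Audience is our entityID (the AudienceURI the IdP asked for), not a URL we serve.
    if sp_entity_id not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("we are not in the Audience")
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != in_resp:
        raise ValueError("SubjectConfirmationData does not match this SP and request")
    if now - skew >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation expired")
    outstanding_request_ids.discard(in_resp)   # a request is answered at most once
    return a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


# Constructed, unsigned sample Response for this example (identifiers are hypothetical).
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z" InResponseTo="_req1" Destination="https://sp.example.org/saml/acs">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.org/saml/acs"
          InResponseTo="_req1" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.org/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def run_checks():
    """Validate the sample, then show which check each tampered or misconfigured case trips."""
    sp = dict(sp_entity_id="https://sp.example.org/saml/metadata", acs_url="https://sp.example.org/saml/acs",
              idp_entity_id="https://idp.example.org/idp")
    cases = {
        "ok": (SAMPLE_RESPONSE, sp, "2024-01-01T12:01:00Z"),
        "wrong_audience": (SAMPLE_RESPONSE, dict(sp, sp_entity_id="https://other.example.org/sp"), "2024-01-01T12:01:00Z"),
        "wrong_destination": (SAMPLE_RESPONSE, dict(sp, acs_url="https://sp.example.org/other"), "2024-01-01T12:01:00Z"),
        "expired": (SAMPLE_RESPONSE, sp, "2024-01-01T12:30:00Z"),
        "unsolicited": (SAMPLE_RESPONSE.replace(b'InResponseTo="_req1"', b'InResponseTo="_req9"'), sp, "2024-01-01T12:01:00Z"),
    }
    results = {}
    for name, (doc, kw, when) in cases.items():
        try:
            results[name] = validate_response(doc, outstanding_request_ids={"_req1"}, now=_ts(when), **kw)
        except ValueError as e:
            results[name] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name:18} {outcome}")
```

The "wrong_audience" case is the one that answers the question about AudienceURI: the Response is otherwise perfectly valid and was posted to the right URL, but it was issued for a different SP, so it must be refused. In production parse untrusted XML with defusedxml rather than the bare ElementTree parser, and treat the assertion ID as consumed for its validity window so the same assertion cannot be replayed.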
As you may know OpenAM also provides the FedLet, which is a lightweight SAML2.0 SP implementation. If you want to do it all yourself you have to build an SAML2.0 SP yourself.
If you want to mess around with Spring you could also use the Spring Security SAML2 extension: 'http://static.springsource.org/spring-security/site/extensions/saml/index.html'
Why roll out those heavy SAML solutions? Have you taken a look at PingOne APS (Application Provider Services) or PingFederate from Ping Identity? You can implement APS in less than a day and your first customer config is free. Includes dashboard reporting, IDP self service functionality for config and a dead simple REST API integration for your application. [Note: I work for Ping.]
You can setup the Spring Security SAML Extension. The extension creates an AssertionConsumerServiceURL and if they want to access your metadata just as you are accessing theirs, they would just need to go to www.yourwebsite.com/saml/metadata and your SP metadata will be downloaded by them.
Has anyone had any experience creating a JAAS LoginModule that uses SAML to authenticate and authorize a user? As I understand JAAS, this would likely require a custom CallbackHandler that understand and can parse a SAML message.
In my case, the authorization is defined as a set of roles in a database, but like your typical Database Login Module. There are, however, no passwords stored in this system. Instead users are authenticated on another site and a SAML exchange is used to pass that authentication event to our system.
My hope is to enable our application code to not have to deal with SAML directly and to be able to leverage standards JAAS techniques for managing permissions/roles/etc.
An example would be most welcome, but any links you may have found would also be wonderful.
The main issue you'll run into is that there is no standard way to send the user's credentials to the IdP. In the SAML Web SSO flow you have the browser so the IdP can just put up a page asking for the credentials. The ECP flow, which does not assume a browser, does not provide a standard way for delivering the credentials. HTTP BASIC auth? WS-Security? Something else?
So, before you go further you'll need to know which SAML profiles the IdPs support and, if ECP is supported, which mechanisms are available for accepting the user's credentials.