After going through so many Google sites and reading so many Q&As on Stack Overflow, I am really getting confused about how to implement an SP using SAML 2 with Java.
I understand the theoretical concept but am not getting a clue how to implement it exactly.
Currently, my client has already shared the IDP metadata file with me and is asking for the SP metadata file. This is my first struggling point.
How do I actually generate metadata files? Is there a tool to generate them?
How do I implement SAMLRequest generation and SAMLResponse parsing using Java libraries?
People recommend so many publicly available sites which support IDP and SP functionality, but I have not been able to choose the right one to proceed with. I need some specific example of a Service Provider implementation in Java with SAML 2.
I would really appreciate it if somebody could help me in this context. Please correct me if my questions are not clear, and I will try to edit them.
If you need to build an SP in Java I would recommend using the Spring SAML module or the OpenSAML library, but these may give you more work. If you end up using OpenSAML I have a book, A Guide to OpenSAML, introducing SAML and the OpenSAML library.
I also have a blog with many examples.
I would however recommend that you first look into using a ready product for SAML like Shibboleth, which is a free and open source solution for SAML. This will save you from needing to learn the specifics of the SAML protocol, and it will also be much safer, as the different security considerations have already been made by the developers.
@Stefan has some good suggestions.
What you need is a SAML protocol client-side stack. Refer to: SAML : SAML connectivity / toolkit and the links inside the article.
In terms of your questions, different stacks do this in different ways. Some of the commercial stacks that I have used have excellent documentation and sample code to do all this.
First timer here and just starting with (the latest) SonarQube. Are there client libraries to download through the web API already written and available? And is there a set of Java classes established that map to the structure of the JSON that will be returned that already exist? I was able to write my own test Java code to connect and to parse using the web API provided for one call I wanted, by building my own classes. But it seems like a lot of work to do this for all the data I hoped to pull and wondered if someone had done it already and/or Sonar provided it. And the web API is a bit cryptic. I had to hover over values to figure out the exact call. I didn't see what I was looking for in the documentation or here. Or is there a better way to dump the data efficiently out of the GUI? Thank you!
Concerning a Java client library to request the SonarQube web services, we do not provide such a library. There are lots of great tools to do an HTTP request and parse the JSON (see for instance OkHttp and Gson).
Concerning "the web API is a bit cryptic", I would be very interested to hear all your feedback about this; please share it on the Google Group in order to discuss it and improve the SonarQube web services.
1 - Current situation
We've got a REST API (coded with the Play framework 2.5 in Java) and four front-ends interacting with it (two web apps: a back office and our site coded with React, and two mobile apps: Android and iOS).
Everything is working correctly, but without user management.
2 - What we want to do
We would like to add user management with two roles: user (can sign up and log in to our site and our mobile apps) and admin (can do everything a user can do plus can log in to the back office). In other terms, administrators can use all web services whereas users can only use some of them.
Firstly, users have to be able to sign up with email and password.
In a second phase (this is not part of our MVP), we would like to give users the opportunity to register using a Google or a Facebook account.
3 - Technical choice
After reading a lot, we think that an authentication whose authorization step is taken care of by Oauth2 is a suitable choice.
But, during our research, we found articles that have made us hesitate, with sentences like these ones:
"You should only use OAuth if you actually need it. If you are building a service where you need to use a user’s private data that is stored on another system — use OAuth. If not — you might want to rethink your approach!"
"To be clear, OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result in a secure implementation. However, at the hands of most developers — as has been the experience from the past two years — 2.0 is likely to produce insecure implementations."
We're not going to implement Google or Facebook authentication right away and don't have a "deep understanding of web security", so we question the relevance of choosing Oauth2.
4 - Implementation
We've understood the way Oauth2 works and are not afraid of the implementation of the client side; it seems straightforward (and many projects exist to facilitate its implementation).
On the contrary, for the server side, we will have to create an authorization server, and it scares us a bit because we don't know how to do it. Implementing the whole thing ourselves seems to be a fairly substantial and difficult job (and we didn't find any example using Play Java); we're scared of making a mistake that would create a security hole and don't want to reinvent the wheel. We've found some tools like Apache Oltu or Spring Security (which I've used in another project) but we're not sure if they're suitable for what we want to do.
5 - Questions
Is Oauth2 really a suitable choice for our needs?
If we choose Oauth2, what should we do about implementation? Trying to do it by ourselves? Using a tool like Apache Oltu or Spring Security?
Thank you in advance for your answers!
I'm using the auth0-spring-security-api and I have a scenario where I need to update the app_metadata for a user when they make a request to an endpoint in my API. I've been looking for any sort of example or even method in the source that could give me a clue on how to do this and I just haven't seen anything. Does anyone know how to do this?
After a bit of searching I found a solution. The answer is essentially that you need to connect to the management API via an HTTP request that you can find in the Auth0 management API examples for various endpoints. I was somewhat hoping that they would have some sort of existing Java library to make it easier instead of having to roll my own. I did however find this GitHub repo that explains what is needed to connect to their API.
We have two separate products, both including web app and server.
We want to implement Single Sign On for both of them, so when a user has logged into one product, he can automatically access resources in the other product belonging to him.
I have explored a little bit and found that SAML is a good approach that we can take, but we are not sure how we want to proceed.
Is it a good idea to implement our own Service Provider? I have looked at Shib SP, but it looks like if I want to integrate it into my products, it won't be that easy either.
So I am just looking for some suggestions from people who have encountered a similar problem before.
Another question is what resources I can study if I need to implement an SP using OpenSaml? It looks like there are not a lot of tutorials or examples that I can refer to.
I would also really appreciate it if anybody could just point out some big procedures or components that my own SP needs to contain.
EDIT 1:
Just trying to provide more details about what I want. We have two separate products. Currently we are able to externalize the user database. For example, our products can be configured to connect to an LDAP server or any other external user DB as long as they implement a service properly.
Now our goal is that we want SSO for both of our products. One scenario is that we have our own SP component (either implemented or integrated) in both products. The customer may have their own IdP. With some configuration, our SP can connect to their IdP and do authentication from there, and the user doesn't need to log in twice to access both products. Of course, we can provide an out-of-the-box IdP if the customer doesn't have one.
The biggest difficulty with Shibboleth is that it is, effectively, a reference implementation of the SAML v2.0 specification.
For most routine installations, though, you actually need very little of the SAML spec to enable a couple of web apps for SSO.
But since Shibboleth implements the whole thing, with all of its capability, it can be a bear to configure.
We did a project with Shibboleth (and it was admittedly an on-the-edge use case), and, for me, a SAML novice at the time, it was really a chore to get everything up and working.
For our next stab, I looked at the SAML spec for SSO via the Web Profile. If you read it, it's actually quite straightforward for this limited use case. And we decided that instead of using Shibboleth again, we'd write our own IdP and SP using the OpenSAML libraries.
Could we have got Shibboleth working faster? Probably. But I don't think we'd have the understanding of it that we do of our own. A bit of Not-Invented-Here, sure, but this stuff is confusing enough when you do understand the software and vocabulary, much less when you don't. And SAML is chock full of new vocabulary.
You can also consider using SimpleSAML as an IdP and writing your own SP for your web apps. SimpleSAML is in PHP, but it's a bit more user-friendly. You can just treat it as a self-contained Apache service.
I will say that our SP weighs in at around 1000 lines of javadoc'd code, but it's mostly wiring OpenSAML stuff together and some utility stuff. In truth it's not that scary. Be prepared to really enjoy reading signed XML blobs though.
It is frustrating that this really isn't simpler, but it's a bit of a chicken/egg thing regarding adoption etc.
And if none of that suits you, you can look at OAuth2 and some of its profiles.
If you only want to implement SSO between 2 products, I think yes, building something from scratch is easier. If it's Java, Shibboleth's OpenSaml is a very good lib.
As you begin to implement more stuff, and some complex scenarios, going for something already built is the best choice. You should also be aware of several things you'll be likely to write on a per-system basis (e.g. assertion generation, xml-dsig, validation, etc.).
At a glance, it might seem like the already-built products are way too complex or difficult to scale or adapt to your particular needs. But your dev effort writing connectors and implementations can be rewarded when you feel like exploiting all of the SAML capabilities.
It'd be very helpful though, if you could explain in more detail what you want to achieve; I feel your question is quite open...
I don't have personal experience with the Shibboleth Service Provider, but I am currently developing an architecture which uses Shibboleth IdP, Shibboleth Discovery Service and the Guanxi Service Provider. Integrating the lightweight Guard module from the Guanxi Service Provider with a Java webapp is a piece of cake, and you can easily obtain a Shibboleth-based architecture without writing your own modules. There is a localhost tutorial for setting up Guanxi SP; just skip the parts about Guanxi WAYF and IdP and use Shibboleth components in their place.
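For the "big procedures or components" a hand-written SP needs, and the "validation" item in the list above, the checks an SP must make on a SAMLResponse after the XML signature has verified are short enough to show in full. The class below is an added example written for this thread, not code from the 1000-line SP mentioned above or from OpenSAML; it assumes the signature on the Response or Assertion has already been verified against the IdP certificate from its metadata (OpenSAML or javax.xml.crypto can do that), and that the parsed document is the signed one. The element and attribute names are those of the SAML 2.0 core schema.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Post-signature checks an SP must make on a samlp:Response (added example, not OpenSAML code). */
public final class SamlResponseChecks {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";

    /** Parse with DOCTYPE and external entities disabled, so a hostile response cannot trigger XXE. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Returns null when the response is acceptable, otherwise the reason for rejecting it.
     * expectedInResponseTo is the ID of the AuthnRequest this SP issued and stored in the session;
     * acsUrl and spEntityId come from our own SP metadata; now is the SP clock (add skew tolerance if needed).
     */
    static String check(Document doc, String expectedInResponseTo, String spEntityId, String acsUrl, Instant now) {
        Element resp = doc.getDocumentElement();
        if (!SAMLP.equals(resp.getNamespaceURI()) || !"Response".equals(resp.getLocalName())) return "not a samlp:Response";
        if (!expectedInResponseTo.equals(resp.getAttribute("InResponseTo"))) return "InResponseTo does not match our AuthnRequest";
        if (!acsUrl.equals(resp.getAttribute("Destination"))) return "Destination is not our ACS URL";
        Element status = first(resp, SAMLP, "StatusCode");
        if (status == null || !SUCCESS.equals(status.getAttribute("Value"))) return "status is not Success";
        NodeList assertions = doc.getElementsByTagNameNS(SAML, "Assertion");
        if (assertions.getLength() != 1) return "expected exactly one Assertion";
        Element cond = first((Element) assertions.item(0), SAML, "Conditions");
        if (cond == null) return "no Conditions element";
        if (cond.hasAttribute("NotBefore") && now.isBefore(Instant.parse(cond.getAttribute("NotBefore")))) return "assertion not yet valid";
        if (cond.hasAttribute("NotOnOrAfter") && !now.isBefore(Instant.parse(cond.getAttribute("NotOnOrAfter")))) return "assertion expired";
        Element aud = first(cond, SAML, "Audience");
        if (aud == null || !spEntityId.equals(aud.getTextContent().trim())) return "Audience is not our entityID";
        return null;
    }

    private static Element first(Element parent, String ns, String local) {
        NodeList l = parent.getElementsByTagNameNS(ns, local);
        return l.getLength() == 0 ? null : (Element) l.item(0);
    }
}
```

The InResponseTo check is what ties the response to a request this SP actually issued; skipping it (or the Audience check) is the classic mistake in hand-rolled SPs, because a signed assertion issued for a different SP or session would otherwise be accepted.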
How do I use OAuth within my Java GWT application?
In particular, I want to get a list of users in my Google Apps domain, using this API:
http://code.google.com/googleapps/domain/profiles/developers_guide_protocol.html
I know this sounds like a question that has probably been asked many times before, but I couldn't find any Java code on how to realize the OAuth steps described in the API above.
I would be glad if someone could share some code, or point me to the right docs.
This tutorial by Matt Raible is easily the best one I've seen so far on OAuth and GWT. He also has a very good picture depicting the authentication flow, which I always find helpful. However, as Matt himself says, the solution is not 100% reliable, but it might still get you part of the way.
With this in mind, it might be better to just go with a pure javascript implementation of it. You'll find one such implementation right here. This SO thread might come in handy to you if you chose that path.
Best of luck to you.
What do you mean in your GWT application?
Do you mean client-side only?
Because on the server you can easily use the Scribe OAuth library.
It has a good documentation and is fairly simple to use.
For integrating OAuth and GWT, you should start with Scribe, which handles the implementation of OAuth:
https://github.com/fernandezpablo85/scribe-java
Next, you need to create a GWT widget that can handle the user's interactions to acquire permission to access their account. Then grab the response token, and make the API requests to the external site.
There's no point in re-implementing OAuth when Scribe already does it for you - you just need to. I'd probably aim to use a GWT Popup for doing the authentication:
http://gwt.google.com/samples/Showcase/Showcase.html#!CwBasicPopup