We have a Java web application (using struts and hibernate) and want the users to automatically log into the Google apps domain accounts.
We have set up the Google apps for Education domain accounts and created the users in it and we have the same users in our java web application also.
The requirement is that when the users log into our application portal, their is a link to go to Google apps, once they click on this link, it should log them in without asking for password.
We are using Tomcat 7 as our server for the web application. Which SSO tool should we use for doing this? Oracle's SSO is paid, Shiboleth doesn't work with Tomcat 7.
Any help highly appreciated? Is SSO the only option or another way to do this.
Thanks
Any SSO solution that supports the SAML2 protocol should work. Apart from the expensive solutions that Oracle, IBM, CA and others provide, you can find the following solutions that definitely work well with Tomcat7 and are open source :
Apereo (ex Jasig) CAS : Used quite a lot in the education community. Simple to setup but specific configurations (like an advanced authentication module) might require some programming effort. It supports Google Apps authentication, but none other SAML2 service. If you really want to only login to Google Apps, that's a great and simple solution.
Forgerock OpenAM : Formerly Sun OpenSSO, this is used in education and industry. Many more features, supports most of the SAML2 service providers out there including Google Apps, but more complex.
Note that if you already have a portal solution, you should check if that portal does not already support SAML2 federation and could act as the SSO server.
Note also that you will need to link the portal authentication and the SSO server authentication, to make sure that your users do not authenticate twice. This can be done in two ways :
Tell the SSO server to delegate the authentication to your portal solution. This might require some light custom coding depending on your portal.
The opposite : tell the portal to use the SSO as an authentication solution. Most portals support some kind of authentication delegation so it should only be configuration?
Lastly, if your authentication is setup on Tomcat itself (that is if your portal already delegates the authentication to the Tomcat container), then you can do the same for the SSO server.
Related
We are developing a Java based product. We need to make the authentication part to fit for major authentication services, like LDAP, OpenID, Oauth2, SAML. The idea is, when we deploying the product for a company who is having LDAP, our product should be able to cater it. If the company has OAuth2, then our product should be able to cater that as well.
I want to know, what are the better approaches and tools. I'm looking for a open source solution which support all these protocols in one place. Please share the knowledge.
I'd suggest Spring Security. It is completely independent to the Spring Core framework and with some simple configuration and some additional libraries (also developed by the same team), you can get a simple solution for most of the popular authentication methods.
With a couple of annotations, you can configure which methods or endpoints you want secured either.
You can create spring profiles, who decide which authentication method to be used.
Simple approach is to use an IAM (identity and access management) solution. Kecloak is a good open source one (and is written in java but you shouldn't mind).
By the way, your question is off-topic (recommending software or tools). Post it here
You need to separate out Identity repositories and Identity protocols.
LDAP and AD are repositories.
OpenID, OAuth2, SAML are protocols.
You need an IAM system that handles all the protocols and sits on top of the repositories.
For your product to talk to your IAM, you need a protocol stack in your product e.g. for SAML.
You then federate your IAM with other vendors e.g. if a vendor comes along and wants to authenticate with their AD, they would install ADFS and then ADFS federates with your IAM system.
So the logical flow goes:
User --> authenticate on their IAM --> trusted by your IAM --> access to your application granted.
You could also look at Identity as a Service e.g. Azure AD, Auth0, Okta etc.
I am about to start developing a REST service and security is an important aspect of this project but I can't find some definitive information on how to implement it. My service will be consumed by an Android App at first, but could be used by other platforms later. Controlling user access is critical, so Authorization and Authentication control of the REST services is very important.
Although I can find topics on how to make a secure REST API, like here, here and this big one here, to my surprise, all of them fail to point to a famous standard or framework or time tested solution, which usually is the "way to go" in securing software applications, where we avoid as much as we can to "roll your own security solution".
So far on my research I think OAUTH 2.0 (or even OAUTH 1.0) is the best way to go, it's a public widely used protocol and supports Authorization and Authentication and we can control the lifetime of keys and even have a special refresh key allowing the client to not store password information for acquiring a new key if needed.
I also think Apache Shiro is the best framework for Security, Authorization and Authentication in java, so it comes to a surprize for me when I can't find any integrations between Shiro and OAUTH 2.0...ok there is one that's 5 years old, and doesn't inspire much trust to me.
Even more curious is the fact that Les Hazlewood, the Apache Shiro PMC Chair, owns (ok, owned, he just sold it to Okta) Stormpath, a company made for Identity and User Management, so I would expect him to have provided some easy integrations between OAUTH 2.0 and Shiro, unless this would disrupt Stormpath business plan too much I guess (which I don't believe, since the Apache Foundation won't allow this kind of behavior).
So the final questions are:
1 - Are there any easy integrations between Shiro and OAUTH 2.0 or will I have to code my own?
2 - Does everyone implement their own OAUTH 2.0 solution for dealing with REST APIs access control or am I missing something?
I know the Buji project uses Shiro and supports Oauth2. I haven't used it, but you can check it out.
You definately don't need to code your own. There's some great java libraries and apps that you can use for oauth2 and you can choose from a low level library that you use to build your own oauth2 server up to a full featured standalone openid connect server.
Spring security provides oauth2 that you can use to embed an oauth2 server in your application. A tutorial is available at http://www.baeldung.com/rest-api-spring-oauth2-angularjs.
There's mitreid openid connect https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server, which has a war overlay that you can use to add a user and client admin app into your webapp.
Keycloak (https://www.keycloak.org/) provides a full featured standalone openid connect server.
I've used Keycloak for authentication in services that are consumed only by web browsers, but now I'm facing the problem of building a JAX-RS application that will be consumed by native mobile apps on iOS and Android.
Keycloak provides a lot of the features I need, like: built-in support for combining multiple social logins and LDAP and/or Kerberos, self-service user registration and excellent management of authentication tokens and roles for different applications.
I'm aware of libraries from Aerogear that would allow me to add Keycloak to a mobile app, but I have a few concerns:
Aerogear doesn't implement an AccountManager+SyncAdapter on Android. This seems completely wrong and makes me want to use something else, but I'm not aware of anything else that is designed to be quite so "plug and play" with Keycloak as Aerogear's Authz.
If I implement my own authentication and authorization mechanism, I end up needing to do a lot more testing in order to ensure security of services and lose a lot of the benefits of operating in the Java EE environment to begin with.
What is the best way for me to implement native mobile access in Java EE 7? If it helps, I'm using Wildfly 10 and most clients will be on Android with some on iOS.
UPDATE: The best option I've found so far is to use an offline access token with Keycloak accessed with a custom account manager+sync adapter. Is this the best solution for me to go with?
Our product is a hosted Web application which needs to be accessed by a client X using SSO.
The client credentials are maintained on a Azure Cloud platform, and users are authenticated when they login to their Windows PC.
What is the best way for us to integrate our application on the client's Windows environment, so that all users are authenticated without logging in to our application?
The client has pointed out that we could use ADAL but i'm not sure if that works as we do not have our own AD based or LDAP based user management platform. We currently store all the user management data in the DB.
I'm a newbie to this topic so any guidance is really appreciated.
Based on my understanding, the issue is that the authenticated user from a portal access a url link of Java Web Application working with SSO when the Java webapp and the portal are not identical.
Per my experience, I think you can try to use Azure AD Application Proxy to solve the issue. You can refer to the document https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-sso-using-kcd/#working-with-sso-when-on-premises-and-cloud-identities-are-not-identical to know the application scenario of Application Proxy.
You can try to follow the steps below to implement the needs. And as references, there are some documents explained how to do for each step.
Enable the Azure AD Application Proxy on Azure Portal, and install & register the proxy connector for your application. Please refer to the doc https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-enable/ for more details.
Publish your application using Application Proxy, please follow the wizard steps of the doc https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-publish/.
Enable SSO for your application and the portal, please review the section Working with SSO when on-premises and cloud identities are not identical of https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-sso-using-kcd/#working-with-sso-when-on-premises-and-cloud-identities-are-not-identical.
If some issue encounted in implementing the plan, you can firstly refer to the doc https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-troubleshoot/ to troubleshoot.
Any concern, please feel free to let me know.
I'm looking at a SSO (Single Sign On) solution to fit our relatively simple use case.
Website1 - currently authenticates with database user table.
Website 2 [new] - wants to use the same authentication information and when user clicks link to website1 they shouldn't have to re-login.
Website1 is J2EE based running on Websphere.
Website 2 is .Net based hosted by external company.
Ideally looking to keep the current user table as the user directory and have time out of session across applications and password expiry.
Any suggestions on 'simple' SSO solution, trying to justify it against rolling our own.
I used the Central Authentication Service project (CAS) on a couple of projects. It was simple, easy to grasp and implement as of version 1.x.
CAS is an authentication system originally created by Yale University but now part of the Jasig Community.
Jasig Community CAS homepage
DeveloperWorks article on CAS from 2003
If you can run both services under Apache, this worth a look: http://www.openfusion.com.au/labs/mod_auth_tkt/
I am sure below solution will meet your expectation.
http://webmoli.com/2009/08/29/single-sign-on-in-java-platform/
A slightly more general solution that is very popular these days is OpenID. You can use your user table as an OpenID provider, and set up all your websites as OpenID consumers.
Benefits:
Simple
Widely used
Extensible, later you can allow more providers or add more consumers
Implementations in many languages