Multi-value attribute in OpenAM IdP - configuration

To replicate the potential production scenario of an IdP initiated SAML request, I'm trying to set up a local (docker-based) version of OpenAM to serve as an IdP for an application (an SP) that I am developing.
The application is written in Django and is reliant on its ability to resolve groups associated with the user whose identity is being asserted in the SAML response from this IdP.
Specifically, I'd like to receive the names of groups for each user in SAML response in the following format:
<Attribute name="groups">
<AttributeValue>groupOne</AttributeValue>
<AttributeValue>groupTwo</AttributeValue>
<AttributeValue>groupThree</AttributeValue>
<AttributeValue>groupFour</AttributeValue>
</Attribute>
Does OpenAM have the ability to create a multi-value attribute list like that, and if so, could someone please point me to the documentation describing how it's done via its IdP management console (or otherwise)?
And, by the way, I've attempted to ask the question on the OpenAM IdP Forum; however, their system doesn't seem to accept new topics (I'm not seeing my question displayed there after multiple attempts).
Thank you in advance.
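On the SP side of this question, the following is an added example (not code from the question, from Django, or from OpenAM) of how an application can read a multi-valued SAML 2.0 attribute such as `groups` out of an assertion. Note that the SAML 2.0 schema spells the attribute name as `Name` (capital N), with one `<AttributeValue>` child per value. The assertion embedded below is constructed for the example and is unsigned; a real SP must validate the signature, audience and conditions before trusting anything parsed here. The `resolve_groups` helper and its `known_groups` argument are assumptions for illustration.

```python
# Added example (not from the question, Django or OpenAM): reading a
# multi-valued SAML 2.0 attribute on the SP side.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion: unsigned, minimal, one single-valued attribute
# ("uid") and one multi-valued attribute ("groups").
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example-1" Version="2.0">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>groupOne</saml:AttributeValue>
      <saml:AttributeValue>groupTwo</saml:AttributeValue>
      <saml:AttributeValue>groupThree</saml:AttributeValue>
      <saml:AttributeValue>groupFour</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return every attribute in the AttributeStatement as name -> list of values.

    A single-valued attribute still comes back as a one-element list, so the
    caller never has to special-case "one value" versus "many values".
    (xml.etree does not resolve external entities; use defusedxml if the
    input is not already signature-checked.)
    """
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = defaultdict(list)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if not name:
            continue  # schema-invalid element: ignore rather than guess a name
        for value in attr.iterfind("saml:AttributeValue", NS):
            attrs[name].append((value.text or "").strip())
    return dict(attrs)


def resolve_groups(assertion_xml: str, known_groups: set[str],
                   attribute_name: str = "groups") -> list[str]:
    """Map the asserted group names onto the groups the application models.

    Names the SP does not know are dropped (an IdP may release more groups
    than the application uses), and a missing attribute yields an empty
    list rather than an error, so the user simply gets no group membership.
    """
    asserted = extract_attributes(assertion_xml).get(attribute_name, [])
    return sorted(g for g in set(asserted) if g in known_groups)


if __name__ == "__main__":
    print(extract_attributes(SAMPLE_ASSERTION))
    print(resolve_groups(SAMPLE_ASSERTION, {"groupOne", "groupThree", "admins"}))
```

Keeping every attribute as a list, even when the IdP happens to send one value, is what makes the multi-value case uneventful: the same code path handles one group or four, and authorisation decisions are made against the intersection with the application's own group table rather than against whatever string the IdP sent.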

Related

Simple Esri/ArcGIS Online connection using a link or iframe

I was asked by a potential client if I can have my software interact with Esri/ArcGIS Online.
Use case: a user is logged into SomeRandomSoftwareApp and is looking at a Widget; this Widget includes an Esri asset id. The user clicks a link that passes that ID to Esri/ArcGIS Online, behind the scenes the user is logged into Esri, and they see the data associated with Esri/ArcGIS Online.
Thanks, Keith
If I understand correctly, you have two options for this: API Keys or Application Credentials.
The first one is a permanent token generated by the owner of the data that will allow the application easy access to it. This is still in beta, and it was not ready for use the last time I checked some time ago.
With the second one, the owner of the data will generate credentials for your application. With these credentials you will have to request a token each time you want to access the data, all this via OAuth 2.0.
Check the docs for more details: ArcGIS Services - Security

SAML certificate authentication vs login

I have a working implementation of SAML (OneLogin) within an enterprise architecture.
When a guest user arrives at my application they are redirected to the company login where they enter their username / password. After that the user identity is passed back to my application and we log them in.
However, I notice that in other applications within the company I do not have to login at all. Somehow the website "knows who I am" and seems to authenticate me automatically. I presume there is some form of certificate on my pc / browser which the other applications are passing to the SAML??
Can somebody tell me the technical term or process? Is there a process whereby I simply pull the certificate from the browser or PC and pass it to the SAML? I would like my users to be able to auto-login without entering their credentials.
Thanks
There are a number of mechanisms that support an "automatic" authentication like what you describe. In the Identity and Access Management (IAM) realm, we have all sorts of names for it, but many of us call that "seamless single sign-on (SSO)".
Within a corporate environment, I would suspect that you are dealing with one of two mechanisms: Kerberos authentication (especially if you're a Microsoft shop and log in to a domain-joined machine on a daily basis), or your machine is in an MDM-type of system, which uses a machine- and/or user-based certificate (aka PKI) to authenticate the user or user/machine combination.
Within your enterprise, if there are other applications whose users are immediately authenticated to the application without entering their username and password, then you should talk to your IAM team or your Single Sign On (SSO) administrators to understand why that doesn't work for yours.
I will also say that it's possible that your security team evaluated what information your application offers (insider financials? source code? your secret recipe? credit card data?) and decided that they would still require the user to enter their username and password to get access to the data. So when you go to your SSO admins to ask, if they say that it's intentional, you should feel free to ask why and who you should talk to about it.
After a LOT of research and testing I finally have the answer to this question, and it is incredibly simple!
In summary:
I have a working solution with OneLogin that sends me to a page like this:
https://sts.companyname.com/adfs/ls
The url is specified in the config: saml->config->idp->singleSignOnService->url
However, this page requires the user to enter their username and password and, instead, I would like the system to be fully seamless.
The solution, it turns out, is simply to hyperlink to the following url:
https://sts.companyname.com/adfs/ls/IdpInitiatedSignon.aspx?LoginToRp=https://mypage.com/saml/metadata
where the "LoginToRp" url is the url provided in saml->config->sp->entityID.
The ADFS IdP Initiated Signon will connect to your metadata schema and automatically log the user in (without the user needing to provide any credentials).
NOTE: this only applies to intranet sites in a corporate environment

Microsoft Teams - Parameters for HTTPPost in webhook

I have created a simple incoming webhook for Teams that will send information to a channel when a new high-priority ticket is generated in our ticketing system. I want to add a button to the connector card that will allow a user to directly assign the ticket to themselves from Teams via an HttpPOST request.
I have the button and everything else in place, but I am having trouble determining how, if possible, I can send the user's account ID back to our ticketing system. Our system is connected via LDAP so usernames are the same across both platforms.
Is there general info on what is sent by default with an HttpPOST request? I looked through the Teams connector reference information, but could not find what I was looking for.
You need to include the account id you referred to as a parameter in your url or JSON (if you post it).
Microsoft Teams does not know anything about the actions your user will attempt to make.

How can I get SAML to redirect to the right IdP?

We want to provide seamless access for all our users to SPs like publishers. The SPs are independent and provide services to a lot of different companies, i.e., we each have independent IdP solutions.
We want it to work as if there were no authentication, i.e., the user finds a link on the Internet and follows it. If the site provides special services (that we pay for) for our users, we would like them to use our own IdP (but only for our own users) to authenticate them.
Our current SAML setup requires that the SP support IP-address recognition and/or use specific domain names, i.e., the user accesses a specific domain name or comes from our IP ranges so the SP knows which IdP to redirect to, but if our user comes from any other IP address and doesn't access a specific URL the system is lost.
How is this solved?
I think a cookie given by the SP every time the user gets authenticated (from our network which the SP recognizes) can solve this but is that the standard? And it is not really a solution as it requires that our users have visited them at least once from our network!
This isn't so much a SAML question as it is an identity provider discovery problem which isn't specific to the protocol. How is a publisher supposed to know / decide that a particular user should be redirected to your IdP via SAML or any other protocol? This isn't a tractable problem in a general sense. The publisher and you will need to agree on a contract between two entities (you and these publishers) when it comes to these special users / services.
One possible implementation of IdP discovery that doesn't involve domains or IP ranges is a dynamic lookup of the IdP based on the user's identity. User clicks a link, navigates to the publisher site and attempts to login with (for example) his identity of myname#mycompany.com . The publisher can then do a lookup of mycompany.com in their identity store of special users / services / IdPs and determine that this user should not be allowed to login with local (publisher-managed) credentials. Instead, the user should be sent to some 3rd party IdP via a SAML authentication request. The publisher can do this at the time of user login but before the user has a chance to enter their publisher-managed credentials, be it via your favorite AJAX technique or some other form of UI gratification.
The publisher could use a persistent cookie so that the next time this user comes to this publisher they'll know that this user "belongs" to a 3rd party IdP and redirect accordingly.
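The identity-based discovery described in this answer, written out as an added example (not the answer's own code, and not any publisher's implementation). The registry of federated domains, the cookie name and the return shape are assumptions for illustration; the design points it shows are that the domain is normalised before lookup, that the typed identifier wins over the cookie hint, and that the cookie stores only a domain which is looked up again in the registry, never a redirect URL supplied by the client.

```python
# Added example (not from the answer above): IdP discovery keyed on the
# domain part of the user's identifier, with a persistent-cookie hint.
from typing import Optional

# Constructed registry: federated e-mail domain -> that customer's IdP SSO URL.
IDP_REGISTRY = {
    "mycompany.com": "https://idp.mycompany.example/saml2/sso",
    "partner.org": "https://sso.partner.example/saml",
}

# Result for users the publisher authenticates itself.
LOCAL = ("local", None)


def federated_domain(identifier: str) -> Optional[str]:
    """Return the normalised domain part of an identifier, or None if it has none."""
    if identifier.count("@") != 1:
        return None
    local_part, domain = identifier.rsplit("@", 1)
    domain = domain.strip().lower().rstrip(".")
    return domain if local_part and domain else None


def discover_idp(identifier: str, remembered_domain: Optional[str] = None,
                 registry: dict = IDP_REGISTRY) -> tuple[str, Optional[str]]:
    """Decide whether a login attempt goes to a third-party IdP or stays local.

    remembered_domain is the value of a persistent cookie set after an earlier
    federated login. Only the domain is remembered, never a URL, and it is
    looked up in the registry again: a redirect target must never be taken
    from the client, or the cookie becomes an open redirect. If the user has
    typed an identifier, that takes precedence over the cookie hint.
    """
    for candidate in (federated_domain(identifier), remembered_domain):
        if candidate and candidate.strip().lower() in registry:
            return ("federated", registry[candidate.strip().lower()])
    return LOCAL


def cookie_value_after_login(identifier: str,
                             registry: dict = IDP_REGISTRY) -> Optional[str]:
    """What to store in the persistent cookie after a successful federated login.

    Returns None for local users so that no cookie is written for them.
    """
    domain = federated_domain(identifier)
    return domain if domain in registry else None


if __name__ == "__main__":
    print(discover_idp("alice@MyCompany.com"))
    print(discover_idp("bob@gmail.com"))
    print(discover_idp("", remembered_domain="partner.org"))
```

The check for an unknown domain returns the same "local" result whether the identifier is malformed or simply not federated, so the discovery step itself does not tell an observer which domains the publisher has contracts with. On the publisher's side the federated branch should be taken before the local password form is ever shown, which is the point the answer makes about intercepting the login before the user can enter publisher-managed credentials.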

CAS modification (sharing data)

I want to modify CAS 3.5 to store some data in the Session right after the authentication succeeds (not sure if it's the right method).
My CAS server is linked to a Kerberos one, which is connected to my Active Directory. I want to retrieve data from AD when authentication is successfully done, then store this data in a session attribute to easily use it in a controller.
Does someone have a clue about where to do this in this very large CAS server project?
Thanks,
CAS has a mechanism for retrieving and associating user attributes with a user's SSO session.
The implementation is based on the Jasig Person Directory project:
https://wiki.jasig.org/display/PDM15/Person+Directory+1.5+Manual
You can then use the built-in services management tool to "release" those attributes to particular clients: https://wiki.jasig.org/display/CASUM/Attributes
Certain clients (the Java client, PHP, etc.) have built-in capabilities to read and extract the attributes from the CAS server validation response. The link above as well as the specific documentation for each client should list them.
To enable attribute loading, you need to replace the "attributeRepository" bean in your "deployerConfigContext.xml" with one of the provided PersonDirectory implementations and link it to your backing storage.