CAS server with SAML.2 - cas

I'm starting to work with CAS on my company. This is totally new for me, so I had to read lot of documents and how to's to have an idea of how CAS works.
So, we have to provide a single sign on service in our server to a company with two different applications. One of those, uses SAML2.
My CAS server is now working against a MySQL database, so I'll have the users of those 2 apps on my database to provide authentication service.
What I don't get clear is about SAML. All the tutorials I've read about SAML2 integrated with CAS 4.0.0 are using Google Accounts. I don't know why! I have some SAML2 configuration on a xml on my CAS directories, but I don't know how to prove if it's working or not.

If you are going to authenticate both of the applications using your single database, CAS is enough, SAML not required. With SAML you can connect to an external application(which supports SAML), both might be having their own internal authentication, but they will commnicate each other through SAML2 protocol/agreement
CAS is ideal ,if you want to setup a web single sign-on to different web applications (exclusively for a single institution), which all use the same authentication (DB, LDAP or whatever). With this the authentication will be centralized for all these different applications.
For users from another external institution to use your web application, SAML would be the choice, provided the External application also should support SAML.

Related

Apereo CAS overlay Idp saml generate on Openshift

Has anyone came across this scenario?
Since we have to deploy the IDP/CAS server on microservice architecture on Openshift.
We don't have local storage, every time we generate the idp metadata when the pods deploy.
however, SP also need to handle the idp metadata x509 cert. Is there anyway to handle this situation?
As a general guideline, always ensure you have enough diagnostics data in your report and report the exact CAS version numbers that exhibit the seemingly-faulty behavior.
Since you don't mention this, I am going to point out a few resources to you:
This link describes strategies where SAML SP metadata can be managed without local storage.
An updated version of the same page for the next CAS version describes strategies where SAML IDP metadata can be managed without local storage.

How can I map the user of Wirecloud with the user of my own mysql database?

Since I am making an android application that has its own mysql database in my server, how can I map the user of wirecloud with the user of my own database? The point of this is to recognize which user is consuming a widget deployed on the wirecloud.
I suppose that Wirecloud uses mongo db?
The best way for mapping the users of WireCloud with the ones of you own database is the use of a single authentication source.
WireCloud is based on Django so you can use any of the method supported by it for customising the authentication. This include the use of third-party modules (e.g. django-auth-ldap for authenticating using a LDAP server) and the use of the integration with the FIWARE IdM provided by WireCloud.
It's technically possible to make WireCloud use your database directly, but I don't recommend you to do that because will be a pain to maintain such integration. In my opinion, the best options are migrating your app for using the FIWARE IdM or creating a custom authentication backend for authenticating users using your database.

Cross Domain sessions and web sockets

I am working on a site that will be using HTML5 sockets to communicate with other server. At that time our users will be logged in , I can't code on other server . I am using PHP at server side. I don't know whether other server has even PHP or not. Client says PKI is a solution. So if user login on our server then I start their communication with HTML5 sockets towards other server to send and receive data. So how can other server authenticate them? I also think that I can have a userkey (like 32hash format) that is sent with HTML5 socket while communication that other server validate and then start working with that user. So client says that hacker can see data over network so I think SSL can work for it. What you guys suggest in such scenario? Please advise
More details:
There will be connection made between our users and another server using apache thrift(will be using TCP), and scenario is that user will login to our site, then we will connect them via HTML5socket to apache thrift on different domain, so in HTML5socket communication we will be forwarding userid to tell thrift server that which user is this, so it is fine. But there are two problems,
As HTML5sockets are at client side then a hacker can create his/her own socket and connect to that server in same way and use some one's id as these are just simple integers.
If we will append some thing in data then a hacker sitting on the network can get it like some hackers do this for session hijacking.
So that's why I am not sure that whether using a sort of SSL or TLS will solve the problem or some PKI or some other digital certificate. So that's why I am asking that here.
thanks
SSL cannot solve this problem. SSL is about creating a secure link between the client and server, it does absolutely nothing to protect the server from a malicious client. SSL cannot solve the problem of SQL Injection or in your case Insecure Direct Object Reference relating to the user id. Judging by this SSL suggestion you probably have never heard of TamperData, which allows you to read/intercept and modify all HTTPS traffic generated by your browser (Including components like flash and JavaScript), BURP is more advanced but does the same thing.
The right way to do this is to have a shared session store that your collection of servers can access. The client is issued a very large random number or cryptographic nonce that it uses as a verification token, which is kind of like a session id. This verification token is used to look up session state in the data store. The communal session store could be as simple as a PHP page that accepts the verification token as a parameter and tells you if its linked to a valid session.
Having 3rd parties issue a callback to verify the session is really the "right way" to do this. It is possible to do this with cryptography, although it is a misuse of cryptography because it introduces the possibility of an attack, where as a callback is absolute. The PHP server can issue the JavaScript client an HMAC token consisting of the user id, a timestamp and the message authentication code. The tricky part is that both the PHP server and any 3rd party will have to share a secret in order to verify the message authentication code. If done properly you can transmit the client can transmit the token, and 3rd parties can verify that the session hasn't expired based on the timestamp and that your servers issued the token (instead of a hacker's forgery) based on the message authentication code.

Can one easily 'plug-in' an existing credentials repository to use when authenticating users on a DotNetNuke web site?

Can one easily 'plug-in' an existing credentials repository to use when authenticating users on a DotNetNuke web site and can we then take advantage of the DNN authorization framework?
More specifically: we have a database of user credentials (mySql) used to authenticate users. We're investigating using DNN for a new web site but are restricted to using the existing credentials repository. We can easily make the repository accessible but will we need to do any 'tweaking in the MS-Sql database that DNN uses etc?
Btw, am complete DNN newbie and just investigating feasability.
Pointers appreciated.
DotNetNuke has an authentication provider and membership provider, both of which you would probably need to implement to be able to use a separate database for credentials (though if it's just for credentials, you would just write an authentication provider to check that database upon login, then user regular DNN users for the membership part, if you're not pulling profile info from there).
As Brian Dukes mentioned there is a provider model that makes this really easy. And I might be able to get your 99% of the way there. I have a commercial product External Database Authentication Provider that connects to any external SQL Server for this type of thing. Now it only communicates to SQL Server, but you can either grab the source and make 2-3 changes and be set, or I know other users in the past have actually created a SP in SQL Server that went to MySQL and used my module as is.

Hosting a Silverlight database application that works with MySQL

I have a basic hosting package that gives me access to create a MySQL database. I can of course host silverlight applications on any site. But how can I work with a database from within Silverlight? I cannot run any service on my hosting provider, they only allow php or perl scripts.
You can use the C# webclient to make HTTP calls to a PHP page hosted on the server. The PHP page can proxy queries/results between the silverlight client and the mysql database.
remember, just because it's not a SOAP/WCF "service" does not mean that it's not a web service. Look into PHP based REST solutions for some nice alternatives that can easily be invoked via silverlight:
http://www.bing.com/search?q=PHP+REST
Edit: As #Spencer Ruport correctly points out in the comments, you of course have to be wary of the fact that the web service will be exposed to the public, and anyone can easily sniff the http traffic between your silverlight application and the server. This enable them to call your service directly so be sure to think about authentication and what it means in the context of your app/data
You can use the WebClient class in silverlight to communicate to a php service. Here is the first google result I found: link