I'm trying to make my Bonita account authentication OpenID-enabled (login through a Google account).
Here http://documentation.bonitasoft.com/single-sign-cas they provide the way of doing it ("Configure Bonita client for CAS"). My question is: how should I get the following parameters specified in the link, ip_address:port, from Google (Gmail)?
As you probably noticed, I'm new to this section. Any help will be deeply appreciated.
Bonita BPM will not interact with the OpenID protocol out of the box.
However, it supports the CAS protocol in the Subscription editions.
What you probably need to do is to configure your CAS server to act as an authentication proxy.
Here is how it could work in theory (not sure it is feasible):
Bonita BPM relays user authentication to your CAS server using the CAS protocol.
Your CAS server delegates the user authentication to an OpenID provider such as Google. Here is how you could activate OpenID support on the CAS server:
http://jasig.github.io/cas/4.0.x/protocol/OpenID-Protocol.html
An alternative solution could also be to implement a specific Bonita authentication service for OpenID (this requires Java development). In that case you would no longer need CAS. I know for a fact that this is possible.
Be aware that both solutions are technically not trivial to put in place.
Cheers,
You can integrate the BonitaBPM Subscription Edition with a Jasig CAS server:
http://documentation.bonitasoft.com/single-sign-cas-0
The CAS server can be configured to get its authentication from OpenID, as described here:
http://jasig.github.io/cas/4.0.x/protocol/OpenID-Protocol.html
I could integrate Bonita Community 7.7.4 with Apereo CAS. Details are here: https://github.com/sparse91/bonita-community-cas.
Related
I am trying to integrate Apereo CAS Management with the CAS server, and the only tutorial that I found is this one for passwordless authentication (more precisely, QR code authentication). I am finding difficulties in the final step: the CAS server works perfectly, but CAS Management displays:
Application Not Authorized to Use CAS
The application you attempted to authenticate to is not authorized to use CAS.
I tried to add casManagement as a service in the CAS server (both overlay versions).
I tried running them on different machines, and that did not help.
I tried building from the code base, but it didn't work.
We want to utilize an external IdP that provides authentication services with Banno. Is there an option to configure it as an OIDC IdP and redirect users to authenticate with it?
Looking through the Banno authentication framework, I only see references to pulling data from Banno assuming the user was already authenticated. I cannot find any documentation on how to configure redirect-to-IdP for authentication.
We don't have documentation specifically about that use case, but we do have docs about our support for OpenID Connect Discovery: https://jackhenry.dev/open-api-docs/consumer-api/api-reference/v0/oauth-and-openid-connect/#openid-connect-discovery
We're aware of folks using Amazon Cognito, Kong, and Firebase with our OIDC Discovery endpoint.
Note that those services may not support Proof Key for Code Exchange (PKCE). If that's the case, then you'll have to have Banno Admin for your financial institution turn off the "Require PKCE" option in the External Application.
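The answer above turns on whether the relying service can do Proof Key for Code Exchange. The following is an added example, not code from Banno, Jack Henry or the thread, that shows what PKCE (RFC 7636) actually requires of each side: the client derives a one-time `code_verifier` and its S256 `code_challenge`, sends only the challenge with the authorization request, and presents the verifier when redeeming the code; the authorization server re-hashes and compares. The `PkceAuthorizationServer` class is a hypothetical stand-in for the server side with a `require_pkce` flag mirroring the "Require PKCE" option discussed above; it is not the real endpoint.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple

_MISSING = object()


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies for both verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy verifier of 43..128 unreserved characters (RFC 7636 s4.1).

    32 random bytes encode to exactly 43 base64url characters, the minimum length.
    """
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 s4.2)."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class PkceAuthorizationServer:
    """Hypothetical minimal authorization server: issues codes, checks PKCE on redemption."""

    def __init__(self, require_pkce: bool = True):
        self.require_pkce = require_pkce
        # code -> (challenge, method), or None when the code was issued without PKCE
        self._codes = {}

    def authorize(self, code_challenge: Optional[str] = None, method: str = "S256") -> Optional[str]:
        """Authorization endpoint. Returns an authorization code, or None if the request is refused."""
        if code_challenge is None:
            if self.require_pkce:
                return None  # "Require PKCE" is on and the client sent no challenge
            code = _b64url(secrets.token_bytes(16))
            self._codes[code] = None
            return code
        if method not in ("S256", "plain"):
            return None
        code = _b64url(secrets.token_bytes(16))
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: Optional[str] = None) -> bool:
        """Token endpoint. Returns True when the code is redeemed successfully."""
        entry = self._codes.pop(code, _MISSING)  # codes are single use
        if entry is _MISSING:
            return False  # unknown, expired or already redeemed code
        if entry is None:
            return True  # issued without PKCE; only possible when require_pkce is False
        challenge, method = entry
        if code_verifier is None:
            return False
        expected = make_code_challenge(code_verifier) if method == "S256" else code_verifier
        return secrets.compare_digest(expected, challenge)


def run_flow(require_pkce: bool, client_uses_pkce: bool) -> bool:
    """Drive one authorization-code exchange end to end and report whether it succeeded."""
    server = PkceAuthorizationServer(require_pkce=require_pkce)
    if client_uses_pkce:
        verifier = make_code_verifier()
        code = server.authorize(code_challenge=make_code_challenge(verifier))
        return code is not None and server.token(code, code_verifier=verifier)
    code = server.authorize()
    return code is not None and server.token(code)


if __name__ == "__main__":
    # A PKCE-capable client succeeds whether or not the server requires PKCE;
    # a client that cannot do PKCE only succeeds once "Require PKCE" is turned off.
    for require, uses in [(True, True), (True, False), (False, False)]:
        print(f"require_pkce={require} client_uses_pkce={uses} -> {run_flow(require, uses)}")
```

The `run_flow(True, False)` case is the failure the answer warns about: with "Require PKCE" on, an authorization request that carries no `code_challenge` never gets a code. Turning the option off trades that protection (the verifier is what stops an intercepted code from being redeemed by someone else) for compatibility with a service that cannot send one.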
I see that many tools around authentication do not support integration with CAS. (e.g. AWS Cognito)
Is CAS deprecated for new projects? I'm deciding if I should support CAS IdP for my new SaaS project or not.
No, the CAS authentication protocol is not deprecated. The CAS authentication protocol is still active, based on https://apereo.github.io/cas/development/protocol/CAS-Protocol-Specification.html. Most CAS IdPs, such as Apereo's CAS Server, support other protocols such as SAML and OAuth2. I would adopt these authentication protocols before the CAS authentication protocol.
My 2 cents.
I read about the FI-Ware Identity Management GE.
I understand it acts as an OAuth2 Identity Provider, enabling users to log in to applications using their FI-Ware site credentials.
The FI-Ware catalog site states this about the IdM:
In addition to providing a native login, IdM supports the integration of multiple 3rd party authentication providers. Foremost, it supports in a first step the configuration of preferred identity providers through the administrators. The use of 3rd party IdMs lowers the entry barriers for a native user to register, since the user can link to her/his preferred IdM and use this account for authentication.
However, I could not find an explanation of how this can be done.
Can anyone help?
Thanks!
IdM doesn't support authentication with other IdPs. What that paragraph explains is that developers can use third-party authentication in THEIR services using other IdPs such as Google, Facebook or Keyrock. So what IdM supports is allowing other services to log in using IdM authentication.
BR
I'm starting to work with CAS at my company. This is totally new for me, so I had to read a lot of documents and how-tos to get an idea of how CAS works.
So, we have to provide a single sign-on service on our server to a company with two different applications. One of those uses SAML2.
My CAS server is now working against a MySQL database, so I'll have the users of those 2 apps in my database to provide the authentication service.
What I don't get clear is about SAML. All the tutorials I've read about SAML2 integrated with CAS 4.0.0 are using Google Accounts. I don't know why! I have some SAML2 configuration in an XML file in my CAS directories, but I don't know how to check whether it's working or not.
If you are going to authenticate both of the applications using your single database, CAS is enough; SAML is not required. With SAML you can connect to an external application (which supports SAML); both might have their own internal authentication, but they will communicate with each other through the SAML2 protocol/agreement.
CAS is ideal if you want to set up web single sign-on to different web applications (exclusively for a single institution) which all use the same authentication (DB, LDAP or whatever). With this, the authentication will be centralized for all these different applications.
For users from another external institution to use your web application, SAML would be the choice, provided the external application also supports SAML.
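The reply above says CAS alone is enough when every application trusts the same user store, and the Bonita answers earlier on the page rely on the same protocol. The following is an added example, not code from the thread, from Apereo or from Bonita, showing the two things a CAS client actually does in that setup: redirect the browser to `/login?service=...`, and then validate the returned service ticket against `/serviceValidate` and parse the XML answer (CAS protocol 2.0/3.0, namespace `http://www.yale.edu/tp/cas`). The hostnames and the two sample responses are constructed; the HTTP call to the CAS server is left to the caller so the block runs offline.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def build_login_url(cas_base: str, service: str) -> str:
    """Step 1: where the client sends an unauthenticated browser."""
    return f"{cas_base}/login?{urlencode({'service': service})}"


def extract_ticket(redirect_url: str) -> Optional[str]:
    """Step 2: CAS redirects back to `service` with ?ticket=ST-...; pull it out and sanity-check it."""
    qs = parse_qs(urlparse(redirect_url).query)
    ticket = qs.get("ticket", [None])[0]
    if ticket is None or not ticket.startswith("ST-"):
        return None  # service tickets are prefixed ST-; anything else is not one
    return ticket


def build_validate_url(cas_base: str, service: str, ticket: str) -> str:
    """Step 3: the client (server side, never the browser) asks CAS to validate the ticket.

    `service` must be byte-for-byte the value used at login, or CAS answers INVALID_SERVICE.
    """
    return f"{cas_base}/serviceValidate?{urlencode({'service': service, 'ticket': ticket})}"


def parse_service_response(xml_text: str) -> Tuple[Optional[str], Optional[str]]:
    """Step 4: interpret the /serviceValidate body.

    Returns (username, None) on success or (None, failure_code) on failure.
    """
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.find("cas:user", CAS_NS)
        if user is not None and user.text:
            return user.text.strip(), None
        return None, "MALFORMED_RESPONSE"  # success element without a user is not acceptable
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return None, failure.get("code", "UNKNOWN")
    return None, "MALFORMED_RESPONSE"


# Constructed sample responses in the shape CAS returns from /serviceValidate.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-0000-placeholder not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    cas = "https://cas.example.org/cas"          # hypothetical CAS server
    service = "https://app.example.org/login"    # hypothetical protected application
    print(build_login_url(cas, service))
    ticket = extract_ticket(service + "?ticket=ST-0000-placeholder")
    print(build_validate_url(cas, service, ticket))
    print(parse_service_response(SAMPLE_SUCCESS))
    print(parse_service_response(SAMPLE_FAILURE))
```

Only the username from a successful validation should create the application session; the ticket itself proves nothing until CAS has confirmed it, and it is single use, so a second validation of the same ticket comes back as INVALID_TICKET.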