I want to modify CAS 3.5 to store some data in Session right after the authentication is correct. (not sure if it's the right method)
My CAS server is linked to a Kerberos one, which is connected to my Active Directory. I want to retrieve data from AD when authentication is successfully done. Then to store this data in a session attribute to easily use it in a controller.
Does someone have a clue about where to do thing in this very large CAS server project ?
Thanks,
CAS has a mechanism for retrieving and associating user attributes with a user's SSO session.
The implementation is based on the Jasig Person Directory project:
https://wiki.jasig.org/display/PDM15/Person+Directory+1.5+Manual
You can then use the built-in services management tool to "release" those attributes to particular clients: https://wiki.jasig.org/display/CASUM/Attributes
Certain clients (the Java client, PHP, etc.) have built in capabilities to read and extract the attributes from the CAS server validation response. The link above as well as the specific documentation for each client should list them.
To enable attribute loading, you need to replace the "attributeRepository" bean in your "deployerConfigContext.xml" with one of the provided PersonDirectory implementations and link it to your backing storage.
Related
Is there a way to implement a cross browser single sing on using CAS? I'm aware that this isn't a standard workflow and that SSO workflows work on a single browser using session cookies, but we have a specific need that would require to automatically sign in in another browser (e.g. MS Edge instead of Mozilla) via some kind of URL parameter. We would use a custom protocols on OS level to be able to open a link in a different browser.
One thing that slipped my mind that you could use service token (ST) which you get in CAS callback of app1 and use it to open another application (app2) in a different browser. I guess you would also have to fake a client ID, i.e. use the one that retrieved a ST.
And of course, ST would need to be valid for a long time, i.e. it shouldn't quickly expire.
Is there some kind by-the-book alternative for this in CAS?
Thanks a lot!
Igor
CAS provides support for token-based authentication on top of JWTs, where an authentication request can be granted an SSO session based on a form of credentials that are JWTs. CAS expects a token parameter (or request header) to be passed along to the /login endpoint as the credential. The parameter value must of course be a JWT. You can create this JWT and pass it to any browser, and you'll get a session back. See this for more info.
I am trying to work out an application using
Dotnet Core 1.0
MySQL as the data store
Authetication and Authorization
Entity Framework
Ubuntu 16 machine
I have succeeded in creating a sample API to fetch data from MySQL database using entity framework. Now I want to introduce Authentication using email as username and Password.
I tried several method from different blogs but unable to achieve this.
What I am trying to achieve is Custom Authentication for the api where user will send username and password to login Api. The login Api will return an access token and refresh token. Using this access token, the user can call other APIs.
Later on I want to add Google and Facebook Authentication too.
Is there a way to do this?
Everything you want to achieve is possible. However there are some caveats.
Yes you can do this. You will need to use the resource owner grant which is turned off in identityserver 4 by default. I suspect the reason for this is because passing user credentials into an application is an anti-pattern, it is there to typically support legacy systems, also it does not authenticate users in the explicit sense because the credentials could come from an un-trusted source (as an example). You can read up about the grant's generic value here. You can find samples here.
The safer pattern is to use something like Implicit Flow which is good practice if you cannot guarantee trust between clients and your API.
As for social logins this is possible. There are tonnes of samples online but here are the official docs.
There is a project on github, https://github.com/diogodamiani/IdentityServer4.MongoDB and a corresponding nuget package that will send you in the right direction. It's obviously MongoDb, but the same premise applies.
I am working on an Identity management application, using which my goal is to manage users on Box application.
I was going through Box documentation, and there are two ways for authentication
OAuth 2.0, which has redirection URI as required parameter. And due to which I cannot make use of it, since I will not be able to enter username and password and Authorize dynamically using my Java code.
Reference: https://box-content.readme.io/reference#oauth-2
JWT authentication, this I can use in my code and successfully get Access token. But problem here is, this access token can only be used to manage App Users (who will not have login to Box website).
Reference: https://box-content.readme.io/docs/box-developer-edition
So, is there any other authentication mechanism which I can use for getting Access token for managing Box users?
Regards,
Sandeep
The current best option is #1 with a process like this:
Create a Box application with the 'Manage an Enterprise' scope enabled.
Use a web-based access token generator (such as this or this) to get an initial access/refresh token pair. Save these somewhere safe (flat file, DB).
Code your application to initialize itself with the access/refresh token pair from its saved location.
When the access/refresh token pair is refreshed, write them out to the save location.
If your application runs across multiple nodes/processes this approach will require some (painful) coordination between them. I believe Box is working on some improvements in this area, so you may not have to live with this for long.
CAS can push the logged in user attributes to the client when using the SAML ticket validation. But if I use OAuth, is there another way that I can retrieve user attributes through a second call to the CAS server using the received accessToken? I think this should be possible as when a user is authenticated(eg. through facebook) the requested attributes are in CAS memory.
Yes, it's possible as the user's attributes are indeed stored in the CAS server. As explained in the documentation: https://wiki.jasig.org/display/CASUM/Configuration+for+the+OAuth+client+support+in+CAS+server+version+%3E%3D+3.5.1, you can define what OAuth attributes you want to retrieve exactly like for any other attribute repository. You can even recreate the user's profile on the CAS client application side.
Here is a working example: https://github.com/leleuj/cas-oauth-demo-3.5.x/blob/master/cas-oauth-client-demo-3.5.x/src/main/webapp/WEB-INF/deployerConfigContext.xml. You can also get the OAuth access token to perform additionnal operations...
I am developing windows phone-8 app In this I need to register e-mail and password and after I have to login with registered user-name and password.I am using HttpWebRequest Class but don't know how it is possible please share with me any info or link regarding that.
You don't even need a separate web server running an auth service. Instead, you could use Windows Azure Mobile Services. There are several reasons for that, the main being the fact that you can easily manage outgoing data (register users) and check for existing data (authenticating users).
You can use the Azure Mobile Services client if you need an abstracted out data access layer.