I am doing integration of SalesForce and OpenSSO with SAML. I have implemented steps mentioned on site
http://wiki.developerforce.com/page/Single_Sign-On_with_SAML_on_Force.com
There are two important use cases for SAML
Identity Provider Initiated Login, where a user starts directly at their identity provider, logs in, and is then redirected to a landing page at the service provider;
----This case working fine
Service Provider Initiated Login, where a user starts by clicking a link to the the service provider (e.g. a bookmark, mailed link, etc.) and temporarily redirected to the identity provider for authentication, then returned to the link they initially requested.
I am trying to implement 2nd Scenario :I am performing following steps
created my domain in SalesForce and deployed for Users
Added Identity Provider in Single Sign-On Settings
When I access My Domain URL. It redirect me to Identity provider login page.
After login to IDP it won’t redirect back to SalesForce page. It shows IDP success page.
How should I redirect back to SalesForce success page?
Salesforce's SP initiated SAML implementation is basically a hack - You need to first fire off an IDP initiated SAML response which contains an attribute called ssoStartPage. this points to your IDP login page. Once salesforce has seen this attribute it remembers it and uses it for future (SP initiated) requests. This post should hopefully help you (see point 3 at the bottom)
Related
I have setup a gateway url which points to my actual domain. But if users go to the developer portal URL, a basic blank page with a little info on API-M is shown. How do I redirect this page to the actual domain?
Sign in to the Azure portal > API Management services > Select your API Management service instance.
Under Developer portal, select Identities > Click on Add:
Under Type, select Azure Active Directory from the drop-down menu.
Once selected, you'll be able to enter other necessary information.
Information includes Client ID and Client secret.
Save the Redirect URL for later.
And the same redirect URL must be added in the app registry in the Azure AD.
To configure this, please refer here for more detailed information.
I am working on an Angular application.
We have a web service which takes login credentials and returns an apikey if the credentials are valid.
On the client side we make an AJAX call and if the credentials are valid we are storing the API key in session storage and taking the user to home screen.
Also we have a route guard to secure all screens with authentication.
Now when we try to open a link in new tab, the user is again taken to login screen because the API key is in session storage.
We can use local storage to store the API key, but the problem here is the API key never expires but is available to all tabs.
Can anyone please suggest a better solution?
A solution which I think will work but did not try is, make a normal HTTP request is when the user clicks login, then create a session on the server side and redirect the user to home page from the servlet. In the client side, add a web service call in ngOnInit to see if the user is logged or not.
The part where user needs to enter their creds can also be shown if the client app redirects to a stateless static page alongwith the some params, that belongs to the oauth-server.com domain so that no other app has access to username and pwd.
After POST -ing this form to oauth-server.com, Is there a way to redirect the user back to the client app without the oauth-server redirecting via a browser session? Is there a json restful mechanism to OAUTH2?
So to answer your question, redirect_uri exists for the sole purpose of letting the client app(web, iOS or android) know status of the authentication request.
And OAuth2 server cannot do anything other than redirecting, because where the server will redirect to? (which is what redirect_uri anyways).
Refer the following articles for best practices to redirect data to installed / mobile client app
https://developers.google.com/identity/protocols/OAuth2InstalledApp
specifically this section,
https://developers.google.com/identity/protocols/OAuth2InstalledApp#choosingredirecturi
Hope that helps!
We want to provide seamless access for all our users to SP's like publishers. The SP's are independent and provide services to a lot of different companies, i.e., we each have independent IdP solutions.
We want it to work as if there were no authentication, i.e., the user find a link on the Internet and follow it. If the site provide special services (that we pay for) for our users we would like them to use our own IdP (but only for our own users) to authenticate them.
Our current SAML setup requires that the SP support IP-address recognition and/or use specific domain names, i.e., the user access a specific domain name or come from our IP-ranges so the SP knows which IdP to redirect to but if our user comes from any other IP-address and don't access a specific URL the system is lost.
How is this solved?
I think a cookie given by the SP every time the user gets authenticated (from our network which the SP recognizes) can solve this but is that the standard? And it is not really a solution as it requires that our users have visited them at least once from our network!
This isn't so much a SAML question as it is an identity provider discovery problem which isn't specific to the protocol. How is a publisher supposed to know / decide that a particular user should be redirected to your IdP via SAML or any other protocol? This isn't a tractable problem in a general sense. The publisher and you will need to agree on a contract between two entities (you and these publishers) when it comes to these special users / services.
One possible implementation of IdP discovery that doesn't involve domains or IP ranges is a dynamic lookup of the IdP based on the user's identity. User clicks a link, navigates to the publisher site and attempts to login with (for example) his identity of myname#mycompany.com . The publisher can then do a lookup of mycompany.com in their identity store of special users / services / IdPs and determine that this user should not be allowed to login with local (publisher-managed) credentials. Instead, the user should be sent to some 3rd party IdP via a SAML authentication request. The publisher can do this at the time of user login but before the user has a chance to enter their publisher-managed credentials, be it via your favorite AJAX technique or some other form of UI gratification.
The publisher could use a persistent cookie so that the next time this user comes to this publisher they'll know that this user "belongs" to a 3rd party IdP and redirect accordingly.
Either I'm dense, or the docs assume I already know what they're telling me, but I need some clarification on doing authentication for a box.com app. I really don't understand whate's going on. As I read it:
the app running on the user's machine sends a request to Box, including all the little secrets (Which aren't all that secret any more if the user knows how to read the code).
The user is directed to the Box login page, which then sends the user to my server (with no page specified) attaching an authentication code.
The app somehow magically gets that code back from my server and sends a request to Box for the access token.
Box sends the access token to my server?
The app again magically gets the access token from my server and sends its APT requests.
Obviously I got lost somewhere.
And, why do I have to have a server involved in the process? The article on making a JavaScript app refers to a direct request for a token. Is there documentation on that somewhere?
You register your application on Box
After registration you receive clientId and clientSecret once on Box website
You hardcode your credentials somewhere in your application
First time your application needs to access Box API it should redirect user to https://www.box.com/api/oauth2/authorize, specifying your clientId, clientSecret and redirectURI as parameters. About redirectURI see below.
The box.com website opens. User enters his own credentials in the web form on box.com
User allows your application to access his files via API on the box.com website
Box redirects user back to you application using redirectURI specified before. One of the parameters to this request is "code". This is a very short-lived (30 seconds) access code that is only aligable for obtaining real access token.
During next 30 seconds your application should make another call to Box API to next URL: https://www.box.com/api/oauth2/token, specifying the previously obtained code. If everything was correct, your application receives an access_token, a refresh_token and "expires" values.
Now your application can make requests to Box API, specifying access_token every time
access_token expires in number of seconds, specified in "expires" field. It should be about 3600 seconds or 1 hour. Each time your application sees that access_token has expired, it should make another request to Box with the refresh_token and obtain a fresh access_token for another 1 hour.
refresh_token itself expires in 14 days
Note: if you develop a desktop application, then you should open browser for user on the step 4, redirectURI should be something like http://127.0.0.1:8080/Callback and you should run a small webserver just to catch the redirect with the code as in step 7.
Box requires that you specify a redirect_uri in your application's profile, and it must be an HTTPS URL.
As a result, it is not possible to use box with what google's oauth2 documentation calls "Client Side" or "Installed" applications, only "Web Server Applications" are allowed. Web Server applications do not have the secret leaking problem, because only the server knows the secret. You can pass the access token from your server to javascript on the client after
the oauth transaction is complete, if you want the client to make api requests directly.
In your question you are not totally clear in what you are actually trying to produce.
I however suspect that you are trying to write a client application what needs to authenticate to box using the OAUTH2 solution they have delivered in API V2.
If this is for an IPhone for example BOX has a great example of how to handle it.
In a WinForm application you would need to capture the resulting code sent back by box in the browser1.isnavigating event.
Windows console application you register a custom URI registration to collect the code.
Neither of these need to be registered in the API developers Application on box as you would pass the redirect required in the request to box.
If this does not point you in the right direction and your writing a .NET app then post again and I will try to clarify a little more.
Box requires some form user interaction which is short sighted in my opinion but try a web service that simulates a user interaction which then you can save/pass the token to your application to sync up with the Box "Cloud".