ADFS redirects to localhost through gateway - adfs

Without gateway the ADFS auth just works fine:
client -> serverdomain.com:8400 -> ADFS -> ADFS redirects client to serverdomain.com:8400/saml2/authenticate/myidp?RelayState=/ -> ADFS login page
But we have to use a proxy now, and we can access the webapp only through that.
server:
  port: 8400
spring:
  cloud:
    gateway:
      routes:
        - id: application
          uri: https://localhost:8091
          predicates:
            - Path=/**
But in that case, the ADFS redirects the browser to localhost instead of serverdomain.com:8400
client -> serverdomain.com:8400 (proxy) -> https://localhost:8091 -> ADFS -> ADFS redirects client to https://localhost:8091/saml2/authenticate/myidp?RelayState=/
What needs to be configured so that ADFS redirects to the login page through serverdomain.com:8400?
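The page gives no answer, so the following is an added example, not the poster's configuration and not an answer from the page. It shows the standard fix for this symptom: Spring Security's SAML2 endpoints (the `/saml2/authenticate/{registrationId}` path above is Spring Security's) build the AuthnRequest and AssertionConsumerService URLs from the request's own scheme and host, which behind the gateway is `https://localhost:8091`. Spring Cloud Gateway already forwards the client-facing host, scheme and port as `X-Forwarded-Host`, `X-Forwarded-Proto` and `X-Forwarded-Port`; the backend has to be told to honour them with `server.forward-headers-strategy: framework`. It is assumed that the backend on port 8091 is a Spring Boot application; the two documents below are two separate `application.yml` files, one for the gateway and one for the backend.

```yaml
# --- Gateway application.yml (serverdomain.com:8400) ---
# The route is the one from the post; the x-forwarded block only spells out
# Spring Cloud Gateway defaults so it is visible that the headers are sent.
server:
  port: 8400
spring:
  cloud:
    gateway:
      x-forwarded:
        enabled: true        # default: XForwardedHeadersFilter is on
        host-enabled: true   # X-Forwarded-Host: serverdomain.com:8400
        proto-enabled: true  # X-Forwarded-Proto: scheme the client used
        port-enabled: true   # X-Forwarded-Port: 8400
      routes:
        - id: application
          uri: https://localhost:8091
          predicates:
            - Path=/**
---
# --- Backend application.yml (the Spring Boot / Spring Security SAML app,
# assumed here to run on https://localhost:8091) ---
server:
  port: 8091
  # Rebuild the request URL from X-Forwarded-* before Spring Security sees it,
  # so {baseUrl} in the SAML relying-party registration (and therefore the
  # redirect ADFS sends the browser to) becomes https://serverdomain.com:8400.
  forward-headers-strategy: framework
```

One caveat a practitioner would check before deploying this: with the `framework` strategy every request's `X-Forwarded-*` headers are trusted, with no list of trusted proxies. That is acceptable only if the backend is reachable solely from the gateway (binding it to localhost, as the route above already does, achieves that); if clients could hit port 8091 directly, a spoofed `X-Forwarded-Host` would let them choose the host in the SAML redirect and ACS URL. If the backend must also be reachable by other paths, the `native` strategy with Tomcat's `server.tomcat.remoteip.trusted-proxies` list is the safer choice.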

Related

How to Implement Google SSO in shiny proxy application

I have a shiny proxy application that runs on a domain let's say A.com and then I have an express application that runs on B.com.
I created Google OAuth2.0 client credentials for the app and added the following in application.yml:
proxy:
  ...
  ...
  authentication: openid
  openid:
    auth-url: https://accounts.google.com/o/oauth2/v2/auth
    token-url: https://www.googleapis.com/oauth2/v4/token
    jwks-url: https://www.googleapis.com/oauth2/v3/certs
    client-id: <CLIENT_ID>
    client-secret: <CLIENT_SECRET>
  ...
  ...
I can successfully log in with Google to my shiny proxy application with this, and I have also set up the express application with passport-google-oidc and can successfully log in to it with Google.
Now I am extremely puzzled about how I can implement SSO between them. How is this possible with Shiny proxy and expressJS? Is it possible?

Setting cookie domain from return url in nginx reverse proxy

I have a web app on domain a.com that requires authentication via an SSO service, with a return URL in the request, on domain b.com.
The SSO service receives the request from the browser and returns a cookie to the return URL specified in the request.
However, because the app domain and the SSO service domain are different, I'm unable to set the cookie in the browser for the app on domain a.com due to the cross-domain cookie restriction.
I have been trying to use nginx as a reverse proxy, whereby the call to the SSO service is made via a proxy running in the same domain as the app, which then returns a 301 to the SSO service on domain b.com.
I'm struggling to work out how I then process the return response from the SSO service in order to set the domain on the cookie to the a.com domain.
Any help appreciated!
my server block in nginx:
server {
    listen 3002;
    server_name server.a.com;
    location / {
        # stray space before returnUrl removed; it broke the redirect URL
        return 301 https://sso.b.com/Logon/v1/auto?returnUrl=https://service.a.com/Home;
    }
}

How to access spring boot application direct from keycloak?

The normal scenario is that I access my application URL and my request is then redirected to the Keycloak login page. What I need is to access the Keycloak login page directly and, after login, be redirected to my application.

WSO2 Identity Server samlsso service url exposed via WSO2 API Manager

I successfully configured WSO2 API Manager 1.8.0 [e.g. https://wso2am.com:9443] and WSO2 Identity Server 5.0.0 SP1 [IS] acting as Key Manager [e.g. https://wso2is.com:9443] in a clustered setup on 2 different servers.
I also configured a Service Provider in the IS using a SAML SSO Inbound Authenticator and tested it with travelocity.com sample app.
The sample app builds the SAML request in the right way, but https://wso2am.com:9443/samlsso?SAMLRequest=[base64stuff] returns an HTTP Status 405 - HTTP method GET is not supported by this URL.
Changing the url in https://wso2is.com:9443/samlsso?SAMLRequest=[base64stuff]
leads to successful authentication.
Basically I want to be redirected to wso2am login page and not wso2is login page.
In this way I could deploy only WSO2 AM in the DMZ, leaving WSO2 IS in the internal network.
How can I do this?
Thanks
In this scenario I think your authentication request must be directed to the IS server, not APIM. The IS server is the one that does the authentication, hence it acts as the IdP. APIM is just a service provider (SP). Even if you succeeded (even though it's not the correct behaviour) in sending a SAML request to the https://wso2am.com:9443/samlsso endpoint, it would redirect you to the login page on the IS server. So you have to send the SAML request to the https://wso2is.com:9443/samlsso endpoint for successful authentication and for the correct behaviour.

IIS http request redirect with authentication

I have two websites, Site A and Site B.
Site A is in the DMZ, which allows public/anonymous HTTP requests (one of the client HTTP requests sends data), and I would like the request to be redirected to Site B (an internal secure host that only allows internal HTTP requests).
My question is: Site B is set up with a Basic authentication realm, but public/anonymous HTTP requests don't support the Basic realm. Is there a way in IIS on Site A to redirect the request with authentication so that Site B can accept the request with the realm?
I have found a way to resolve the above question by using Microsoft ISA Server.