SAML authentication with firebase - firebase

Is there a way to authenticate a user with SAML token using firebase as a backend? The company I am working with requires that SAML is used within the authentication system and I am not sure if this is possible with firebase as a backend.
Thanks

Maybe new GCP service "Cloud Identity for Customers and Partners" (in beta for now) could help you.
Cloud Identity for Customers and Partners (CICP) provides an identity platform that allows users to authenticate to your applications and services, like multi-tenant SaaS applications, mobile/web apps, games, APIs and more. CICP is built on an enhanced Firebase Authentication infrastructure, so it's perfect if you're building a service on Firebase, Google Cloud Platform (GCP), or on another platform, and need secure, easy-to-use authentication.
You can check SAML provider, Firebase is behind the scene.
This guide shows how to enable an existing web application for Security Assertion Markup Language (SAML) 2.0, with Cloud Identity for Customers and Partners (CICP). This will include accepting SAML assertions from identity providers (IdP) as a SAML service provider, verifying their contents, and producing a lightweight JWT that you can use in your application to verify authentication and perform authorization.
Hope it will help.
Updated on February 25th, 2020 :
I published a tutorial on how to integrate SAML authentication with Firebase and Angular app.

You can now use SAML provider with the new Cloud Identity platform. This platform works in combination with Firebase too.
Check Thierry's answer for more details.
Old/outdated answer below:
At the moment there is no built-in SAML provider for Firebase Authentication. See this discussion on the firebase-talk mailing list. From that post:
To support SAML authentication with Firebase Auth, you need to use custom authentication.
When the SAML response is posted to your server, your convert the SAML assertion to a custom token (minted via Firebase Admin SDK) and then pass that token to the client where you signInWithCustomToken. You can add any additional SAML claims to the custom token claims and they will propagate to the Firebase ID token JWT.
It's a valid feature request though, so I highly recommend to file a feature request.

Related

Mixed Authentication in .net core API

I'm building a multi tenant Service Fabric Application, that allows a tenant to specify a login type - Identity(asp.net)/Azure AD.
I have an Authentication service that checks to which tenant the user is linked to and then proceeds to check if the username:password for the user is valid, if valid it returns a JWT token to the gateway API/web API that then allows access to the rest of the services on the cluster.
This is further secured by roles to limit actions and data access etc.
Question 1
What would be a secure way to save the app id and secret given by that tenant if they use azure AD?
In my DB and encrypt the info, it would have to be decrypted to connect to the AD(Trying to keep in dynamic).
Question 2
I'm implementing my own sliding refresh tokens to obtain a new JWT after it expires, is there a better/standard approach?
Question 3
Is there a better/standard way to handle this multi-tenant sign in process.
Question 4
Is there a way to have optional claims set on the JWT Subject that would allow access to shared services but prevent access to tenant specific services if the claim value is incorrect?
Edit
Ideally the Roles should not be part of the tenants AD/B2C because they role are dynamic and managed from within the application.
Instead of building your own STS logic, have a look at IdentityServer, a popular and great OSS tool.
For example, have a look here for a multi-tenant example using asp.net core.
It supports adding custom claims to the token, by implementing a Profile Service. Services can be configured to use claims for authorization.
This blog post may also be useful.
I will very strongly advise you ride upon the Azure tenant model and let Azure AD manage all credentials and authentication. In today's world its a very bad idea to store and manage user credentials when there are plenty of Identity Providers available.
Recommended reading:
How to build a multi-tenant app with Azure AD
How to secure a Web API with Azure AD.
Libraries like MSAL.NET will automatically manage token caches and refreshes.
Use roles and groups in Azure AD
Claims in tokens issued can be customized to some extent.
disclaimer: I work for Microsoft

Firebase with third custom JWT

I have four Appengine Standard Application.
For authentication I will receive a JWT token of my customer (They have an oauth provider), I know that Firebase has some defaults providers Oauth like as Github, Google, Facebook and integration with Javascript API is verey easy. But I need to use of my customer.
Is there a possibility to have a new OAuth provider in Firebase console to easily integration my app with firebase like this example?
For the backend I am thinking to use SDK to validate a token.
FirebaseAuth.getInstance().verifyIdTokenAsync(idToken).get();
To sign in with unsupported OAuth providers, your need to use custom authentication. Here is a full example on how to authenticate with Instragram: https://firebase.googleblog.com/2016/10/authenticate-your-firebase-users-with.html

WSO2 API Manager Federated IDP Access Token

How can I pass the access token created on an OpenIdConnect Federated IDP to the developer application?
Currently, the federated access token doesn't get passed through the API Manager and the API Manager generates a new access token for the application.
You won't be able to plug in an external IDP and generate access tokens using an out-of-the-box API Manager. But you can implement a custom keymanager implementation and plug external third party keymanager to API manager and then use that tokens. See Configuring a Third-Party Key Manager in the product documentation regarding this. It has a sample where "Surf OAuth Authorization Server" is use as the key manager. You will be able to implement similar thing for your scenario.
following are some good posts related to this feature.
https://amilasnotes.wordpress.com/2015/06/20/customizing-key-validation-flow/
https://amilasnotes.wordpress.com/2015/05/19/integrating-with-a-third-party-oauth-provider-overview/
https://amilasnotes.wordpress.com/2015/06/07/provisioning-oauth-clients-created-out-of-band/

Can GITKIT be used as a SAML idP?

I would like to connect SAML service providers (let's say Zendesk for example) to my "Google Identity Toolkit" users.
Is there a way (or any plan in the near future) to allow GITKIT to behave as a SAML identity provider?
Google Identity Tookit does not support SAML provider or relying party yet. We do have thought of SAML integration but no concrete timeline in near future. You are more than welcome to post your request details to the Google Identity Toolkit mailing list.

Need Guidance Implementing OAuth 2.0 in ASP.NET App

I have created an ASP.NET application and an Azure-AD domain. Currently, I have the ASP.NET auth set up to hit the wsfed endpoint in Azure-AD. Everything works fine, but the problem is that this issues a SAML token and I need a JWT. From what I have read after much internet searching, I need to authenticate to the OAuth 2.0 endpoint of my Azure-AD domain. The trouble with this is that with everything configured the way it is, I always get back a 400 from this endpoint, likely because my config file is all set up for fed auth. My question is how do I configure my ASP.NET application so that it can talk to the OAuth 2.0 endpoint of my Azure-AD domain?
I need to use passive authentication.
Azure AD supports the OAuth2.0 flow that you can execute once the user has signed in using passive authentication, to receive access tokens to make delegated calls to WebAPIs on behalf of the user. You can use the Active Directory Authentication Library (ADAL SDK) to execute the OAuth flow. This sample application does exactly that: http://code.msdn.microsoft.com/AAL-Server-to-Server-9aafccc1
However, for your scenario, we recommend the OpenId Connect flow now, instead of SAML SSO + OAuth. With Azure AD OpenIDConnect flow, the Web Application receives an SSO token (JWT id_token) using which it signs-in the user, and also receives an auth code (OAuth auth code) that it can redeem for an Access Token (JWT access token) to access WebAPIs on behalf of the user. Azure AD provides an OWIN component that does this. This sample application should see you through: https://github.com/AzureADSamples/WebApp-WebAPI-OpenIDConnect-DotNet
Finally, refer to this help topic to find all authentications flows supported and recommended by Azure AD for your Web Apps/APIs and Rich-Client/Mobile Apps: http://msdn.microsoft.com/en-us/library/azure/dn499820.aspx
Hope this helps

Resources