Spring Boot + Security + MVC + LDAP AD + SSO - spring-mvc

I am new on a client project, which was created via oasp4j, and which relies on Spring Boot.
The client project, uses Spring Security, Spring MVC and the login is based on LDAP AD, the project works;
My task is to set up a single user authentication (SSO), and for now I can not find a good track to start it.
I had read articles about CAS, SAML, OAuth2, Waffle, SSOCircle and Kerberos, and I can not really pick one of them, and how to set it up with the Spring-Boot configuration.
https://spring.io/guides/tutorials/spring-boot-oauth2/
http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/
https://spring.io/blog/2015/02/03/sso-with-oauth2-angular-js-and-spring-security-part-v
Any idea how to proceed if I want to implement them with Spring Boot configuration and wich solution is better and simpliest than others ?
secondly Is what if I choose CAS as authentication server, after that, will my users be able to access the other application of the company that uses another authentication server ?
thank you

When using an SSO, it's the SSO system which will be connected to the LDAP AD and your web applications will be connected to the SSO. The CAS SSO server can handle that.
To secure your webapps, you can use the spring-webmvc-pac4j security library for Spring MVC or the spring-security-pac4j security library built on top of String Security, both working with the CAS protocol.

Related

How to authenticate user using Spring Ldap Authentication with spring mvc

I am using Spring mvc 5 and Spring Ldap with xml base configuration. I have read many tutorials for this and all are using Spring boot with embedded servers, but i need to authenticate users with actual ldap server in spring mvc 5 with spring security.
You can do this using an LDAP ContextSource that has a URL pointing to your LDAP Server. For example:
<ldap-server
url="ldap://ldap.example.com:53389/dc=springframework,dc=org" />
I'd strongly suggest that you start with a working example that points to and embedded LDAP instance before pointing to your production LDAP server. A few things that you will need to adjust for are deciding if you are performing bind authentication or password comparison based authentication. You will also need to ensure that you adjust your settings to align with the LDAP schema of your LDAP server you are pointing to.

How to build a Spring MVC based application to connect with any service provider to do the SSO

We want to build one spring MVC based application which will support below use case:
User access the application URL to login into application.
Once the valid credentials are entered to login into application, the user can access any of the service provider application for performing SSO.
On the access of any service provider application the SAML response should be generated and post to the Service provider ACS(Assertion consumer service) URL.
Also in addition to IDP initiated SSO, it should also support SP initiated SSO where the authentication request will we posted to the application login page, after valid credentials are entered by user, the application should redirect to service provider(which have posted the authentication request).
The application should have its own login page and authentication mechanism, it should not redirect to any other identity provider for authentication.
Should we use normal Spring MVC based application which will generated the SAML response using open SAML library, or any other SAML builder can be used for satisfying the above use case.
This basically means
- your app bundles a SAMLv2 compliant IdP (please don't try to build one yourself based on some SAML lib)
- your app calls an API of the IdP for authentication and issues a session token the IdP will recognize later on (otherwise authentication will always happen again when another application (acting as SAMLv2 SP) wants to perform SSO
Issue with the latter: The "token" will most likely be a cookie and then the restrictions of the cookie spec apply. This means you can only use host-based cookies (which security mandates) if your app and the IdP are deployed behind the same 'FQDN' (e.g. by using an HTTP reverse-proxy)
Another issue: How does your app know when the show the 'login screen' if the user actually has a valid session with the IdP because SSO was started at a different SP?
SAML way: You would first have to do a 'passive AuthnRequest' to check this.
Conclusion: Your use case can be achieved, but the effort seems quite high. I'm not aware that there is some lib/framework, which would offers this at the moment OOTB.

What is the recomended method for adding Authorization/Authentication to an MVC application that uses Web API

In most cases, I have used AD to lock down applications through IIS. In this case, I need to create an MVC Application that will have some Web API controllers and authentication/and authorization (roles). I was looking to try to use a stack overflow suggestion that I have found to several other posts.
https://identityserver.github.io/Documentation/docs/overview/mvcGettingStarted.html
Most of the answers that I have seen in Stack Overflow reference the above link
ex). Implementing Authentication and role based authorization in ASP.NET MVC web API service and MVC client architecture
The question that I have for the community that has experience with adding Authentication/Authorization to a combined Web Api/MVC project is if the identity server approach listed above is the best solution for this scenario and if there are other resources that I should look at also?
From your requirements (authenticate to use an MVC site and then be authorized to use a Web API) you'll need an OpenID Connect Provider such as Identity Server 3 (aka a Security Token Service (STS), an Authorization Server, etc). Basically something trusted by both the MVC site and the Web API.
The basic flow of things here is that your users will authenticate using OpenID Connect on your MVC site, after which they can get an access token to authorize access to the Web API using OAuth.
The mentioned tutorial is the best way to start. Near the end it takes you through how to access the API on behalf of the user.
ASP.NET Identity is a user/identity store. It is not add authentication or authorization to your application.

Using a Web API Service as Central Authentication Point

I'm very new to the identity management world, so please spare me. :)
What I would like to do, is to have multiple client (MVC) applications that talk to a single Web API application to authenticate their users against. In that Web API application, I would like to use ASP.NET Identity to talk to a database with users.
That way, I could use SSO for the client applications (I guess).
Does that make sense? Could someone help me on my way to implement this (links are also welcome of course)?
I don't know if IdentityServer could help me with what I want?
And as a side question: when I could implement this the way I would like to, how do I deal with the same-origin policy?
Thank you for all the help. :)
I did some research myself during the last few months and I learnt a lot about the identity management stuff. Many of that also thanks to the guys from IdentityServer (and their other projects).
What I finally did was the following (very briefly):
IdentityServer is used as a provider for all client applications. The cookie and OIDC middleware are used.
I used the ASP.NET Identity user service to store the users in an SQL Server database. (The IdentityServer configuration is by the way also stored in a database.)
I set up a Web API service that uses the ASP.NET Identity user manager for user configuration (change password, create new users, ...). It uses bearer authentication with the application with IdentityServer as provider.
As a side note, IdentityManager is used as an internal admin tool to manage all the users.
If anyone is looking for some help setting up his / her identity management system (and thinks I can help): please ask. ;)
Many articles on active profile e.g. Federated Security: How to setup and call a WCF service secured by ADFS 2.0. But that article assumes you want to use AD?
I'm guessing you want to use ASP.NET Identity for the provisioning?
IdentityServer OOTB supports a SQL DB and has basic user provisioning built in. It allows users to authenticate against the DB and supports WIF.
This scenario is also close to what you need, take a look at the answers:
How to implement an OWIN Authentication server with a MVC Web Api content server and an Android end-user apk
I also recommend reading this article:
Decouple OWIN Authorization Server from Resource Server

Building SSO application with SAML or OPENID in Symfony2

We are using symfony2 as our framework to built the application which has different firewalls like admin, client and customer.
Now I want to built SSO using SAML(CAS) or OPENID in symfony2. Which will communicate with my application and provide the authentication and with other applications also through web service.
Please suggest some bundles which are already built for SSO and which is better SAML or OPENID.
Thank you in Advance.
Disclaimer: I'm the Chairman of CAS and founder of CAS in the cloud (https://www.casinthecloud.com).
I'm not sure if you want to use CAS, SAML or OpenID protocols, but here is an example of a CAS client for Symfony: https://wiki.jasig.org/display/CASC/Symfony+CAS+Client. It might help.

Resources