I successfully configured WSO2 API Manager 1.8.0 [e.g. https://wso2am.com:9443] and WSO2 Identity Server 5.0.0 SP1 [IS] acting as Key Manager [e.g. https://wso2is.com:9443] in a clustered setup on 2 different servers.
I also configured a Service Provider in the IS using a SAML SSO Inbound Authenticator and tested it with travelocity.com sample app.
The sample app builds the SAML request in the right way, but https://wso2am.com:9443/samlsso?SAMLRequest=[base64stuff] returns an HTTP Status 405 - HTTP method GET is not supported by this URL.
Changing the url in https://wso2is.com:9443/samlsso?SAMLRequest=[base64stuff]
leads to successful authentication.
Basically I want to be redirected to wso2am login page and not wso2is login page.
In this way, I could deploy in DMZ WSO2AM only, leaving WSOIS in the internal network.
How can I do?
Thanks
In this scenario I think your authentication request must be directed to IS server, not APIM. The IS server is the one who does the authentication. Hence it acts as the IDP. APIM is just a service provider (SP). Even if you succeeded (even it's not the correct behaviour) with sending a SAML request to https://wso2am.com:9443/samlsso endpoint, it will redirect you to the login page in IS server. So you have to send the SAML request to the https://wso2is.com:9443/samlsso endpoint for successful authentication & for the correct behavior.
Related
I am calling a third party API which needs authorization header with Basic base64 encoded (for the third party API). I also have to do proxy authentication with my company's proxy server with Basic authentication (with service account with AD authentication).
The issue I am facing when I send both of the properties proxy forward the request with the service account to the API not the Authorization header. Has anyone else faced similar issues. Please advise.
I were following the sample provided in OneLogin Developer Portal - https://developers.onelogin.com/quickstart/authentication/java-spring. I did everything described in the article. But on running the application, authentication happens; I were taken to OneLogin page and I enters the credentials. But on redirection, I get following error.
"http://localhost:8081/login" is the redirect url configured in admin portal. And it is the default url which is been passed in the first request.
https://kore-wireless-dev.onelogin.com/oidc/2/auth?client_id=<?>&redirect_uri=http://localhost:8081/login&response_type=code&scope=openid profile email&state=UY6Tam
In the sample code, the endpoint is not implemented. But I don't think application developer needs to implement that endpoint.
I tried Github SSO. Where we can specify different redirect urls in app configuration (spring-security-url) and github sso configuration (app-url). And after authentication github will redirect to spring-security-url. And then that endpoint will redirect to app-url.
Is Spring Security OAuth2 is not compatible with OneLogin? Or what I am missing here.
I have recently faced the same issue. In my case, we had to modify the Authentication Method of the Token Endpoint in OneLogin oidc application. When it was set to Basic, it was throwing the Unauthorised error. Probably, the sample application invokes the OIDC token endpoint with credentials (clientID and clientSecret) in the payload request (POST Auth Method) rather than in request header(Basic Authentication method). Sharing the screenshot of the same here.
Hi Keycloak devs and gurus,
I wanted to setup keycloak, using openid-connect with 2 realms.
Where realm1 will contain client(s) application
And realm2 contains the users
The users will then access the client applications in realm1 by authenticating through realm2.
I found this link --> idp initiated sso using keycloak, but it is implemented based on SAML not on openid-connect.
Your help will be much appreciated.
I think that you can convert realm2 as an idp keycloak OIDC and connect realm2 to realm1 (by creating an idp in realm1). Then, configure the idp redirector in the browser authentication to automaticaly redirected to realm2.
We want to build one spring MVC based application which will support below use case:
User access the application URL to login into application.
Once the valid credentials are entered to login into application, the user can access any of the service provider application for performing SSO.
On the access of any service provider application the SAML response should be generated and post to the Service provider ACS(Assertion consumer service) URL.
Also in addition to IDP initiated SSO, it should also support SP initiated SSO where the authentication request will we posted to the application login page, after valid credentials are entered by user, the application should redirect to service provider(which have posted the authentication request).
The application should have its own login page and authentication mechanism, it should not redirect to any other identity provider for authentication.
Should we use normal Spring MVC based application which will generated the SAML response using open SAML library, or any other SAML builder can be used for satisfying the above use case.
This basically means
- your app bundles a SAMLv2 compliant IdP (please don't try to build one yourself based on some SAML lib)
- your app calls an API of the IdP for authentication and issues a session token the IdP will recognize later on (otherwise authentication will always happen again when another application (acting as SAMLv2 SP) wants to perform SSO
Issue with the latter: The "token" will most likely be a cookie and then the restrictions of the cookie spec apply. This means you can only use host-based cookies (which security mandates) if your app and the IdP are deployed behind the same 'FQDN' (e.g. by using an HTTP reverse-proxy)
Another issue: How does your app know when the show the 'login screen' if the user actually has a valid session with the IdP because SSO was started at a different SP?
SAML way: You would first have to do a 'passive AuthnRequest' to check this.
Conclusion: Your use case can be achieved, but the effort seems quite high. I'm not aware that there is some lib/framework, which would offers this at the moment OOTB.
I have a node based sample rest based application in Nodejs which is accessible by the url http://localhost:8288/api/users.
I have configured APIM and I was able to hit some sample services like https://www.googleapis.com/books/v1/volumes?q=isbn:0747532699 and get the response back.
But when I try to hit my localhost rest service via API Manager using API Console, I am getting
Response Body no content
Response Code 0
Response Headers{
"error": "no response from server"
}
I have no error in the logs.But Neither call is reaching the backend rest service. Should i make some changes to access my localhost urls in API Manager.This API Manager installation and rest service is in the same machine.
Please help.
This can happen if the browser does not trust the certificate of the APIM endpoint. Ideally what should happen is that you should install APIM certificate in your browser.
As a workaround, you can tell the browser to accept the certificate. For that, copy API URL to a new browser tab and accept the certificate.
Then try again in API console. It should work.