We are using symfony2 as our framework to built the application which has different firewalls like admin, client and customer.
Now I want to built SSO using SAML(CAS) or OPENID in symfony2. Which will communicate with my application and provide the authentication and with other applications also through web service.
Please suggest some bundles which are already built for SSO and which is better SAML or OPENID.
Thank you in Advance.
Disclaimer: I'm the Chairman of CAS and founder of CAS in the cloud (https://www.casinthecloud.com).
I'm not sure if you want to use CAS, SAML or OpenID protocols, but here is an example of a CAS client for Symfony: https://wiki.jasig.org/display/CASC/Symfony+CAS+Client. It might help.
Related
I am new to Identitysever3 but I have worked with OAuth and OpenId.
I need to create a MVC client that will interact with QBO (Quickbooks Online). QBO uses OAuth by it's own.To start with I followed the github sample project from QBO community to use QBO REST API. This MVC app has OAuth stuff in MVC controller.
Now I need to create actual MVC project that will interact with QBO. I am after best practices to authorize my project. Here my authorize server would be QBO. So is my app is the right candidate to use Identityserver3?
My understanding is that I need to add Identityserver 3 project in my solution and use authorize server URI, client Id and client secret provided by QBO.
I assume Identityserver 3 is a framework that is the best way to use OAuth and OpenID connect as a separate project so it can be reused in other solutions. AND it's not an Authorization server, am I correct?
waiting for help please.
I assume Identityserver 3 is a framework that is the best way to use OAuth and OpenID connect as a separate project so it can be reused in other solutions. AND it's not an Authorization server.
This statement is not correct. In fact IdentityServer3 implements OAuth2 and OpenIdConnect and is an authorization server. If you have QBO as authorization server, you don't need to use identityserver3.
what you need is a client for OAuth2 and OpenIdConnect. You can use IdentityModel which is implemented by the same team that implements IdentityServer3.
I am new on a client project, which was created via oasp4j, and which relies on Spring Boot.
The client project, uses Spring Security, Spring MVC and the login is based on LDAP AD, the project works;
My task is to set up a single user authentication (SSO), and for now I can not find a good track to start it.
I had read articles about CAS, SAML, OAuth2, Waffle, SSOCircle and Kerberos, and I can not really pick one of them, and how to set it up with the Spring-Boot configuration.
https://spring.io/guides/tutorials/spring-boot-oauth2/
http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/
https://spring.io/blog/2015/02/03/sso-with-oauth2-angular-js-and-spring-security-part-v
Any idea how to proceed if I want to implement them with Spring Boot configuration and wich solution is better and simpliest than others ?
secondly Is what if I choose CAS as authentication server, after that, will my users be able to access the other application of the company that uses another authentication server ?
thank you
When using an SSO, it's the SSO system which will be connected to the LDAP AD and your web applications will be connected to the SSO. The CAS SSO server can handle that.
To secure your webapps, you can use the spring-webmvc-pac4j security library for Spring MVC or the spring-security-pac4j security library built on top of String Security, both working with the CAS protocol.
I'm very new to the identity management world, so please spare me. :)
What I would like to do, is to have multiple client (MVC) applications that talk to a single Web API application to authenticate their users against. In that Web API application, I would like to use ASP.NET Identity to talk to a database with users.
That way, I could use SSO for the client applications (I guess).
Does that make sense? Could someone help me on my way to implement this (links are also welcome of course)?
I don't know if IdentityServer could help me with what I want?
And as a side question: when I could implement this the way I would like to, how do I deal with the same-origin policy?
Thank you for all the help. :)
I did some research myself during the last few months and I learnt a lot about the identity management stuff. Many of that also thanks to the guys from IdentityServer (and their other projects).
What I finally did was the following (very briefly):
IdentityServer is used as a provider for all client applications. The cookie and OIDC middleware are used.
I used the ASP.NET Identity user service to store the users in an SQL Server database. (The IdentityServer configuration is by the way also stored in a database.)
I set up a Web API service that uses the ASP.NET Identity user manager for user configuration (change password, create new users, ...). It uses bearer authentication with the application with IdentityServer as provider.
As a side note, IdentityManager is used as an internal admin tool to manage all the users.
If anyone is looking for some help setting up his / her identity management system (and thinks I can help): please ask. ;)
Many articles on active profile e.g. Federated Security: How to setup and call a WCF service secured by ADFS 2.0. But that article assumes you want to use AD?
I'm guessing you want to use ASP.NET Identity for the provisioning?
IdentityServer OOTB supports a SQL DB and has basic user provisioning built in. It allows users to authenticate against the DB and supports WIF.
This scenario is also close to what you need, take a look at the answers:
How to implement an OWIN Authentication server with a MVC Web Api content server and an Android end-user apk
I also recommend reading this article:
Decouple OWIN Authorization Server from Resource Server
I will soon need to add SSO to an ASP.NET app using SAML. The client will not provide access to their Shibboleth identity provider for testing, so I'll need to verify that SSO works myself.
What would be the easiest method to use/setup a SAML identity provider for testing? I'm not keen on having to setup an infrastructure myself if I don't have to.
I'm planning on using a SAML component from http://www.componentspace.com/
If you are a SaaS Provider - Check out "Getting Ping Certified"
http://www.pingidentity.com/partners/becomeapartner.cfm
All your suggestions look quite helpful.
For others who may find this page, the ComponentSpace SAML 2.0 component comes with an Identity Provider that appears to mimic Shibboleth. This appears to be the easiest way to test adding SSO to your own application.
I have a client who wants their wordpress and google apps user accounts accessible using SSO, ie if they log in on one app domain google.client.com they will be logged into wordpress.client.com too without extra steps.
The same LDAP directory will be used to do backend authentication for both systems. Is it possible to setup SSO for LDAP-backed webapps?
You could use Open Id to achieve SSO. Google Apps and Wordpress both integrate well with openid.
The short answer is yes. Google Apps supports SAML to address SSO integration with LDAP authentication. You can get more information on a simple SAML IdP solution from www.pingidentity.com.