Common Custom STS for both Active and Passive Federation with ACS - wcf-security

I have a custom IP-STS (non-ADFS) for the passive federation scenario. For an active client I've created a custom IP-STS for active federation, referring to http://msdn.microsoft.com/en-us/library/hh446531.aspx. However, I'd like to use a single IP-STS for both passive and active clients. How do we handle this with a common FederationMetadata.xml, since the entityIds (endpoints) should be different for the active and passive scenarios? And what changes do we need to make in order to use a single STS for both?
Passive federation endpoint: "https://localhost/MyCustomIdp" - clients will be redirected to the login page.
Active federation endpoint: "https://localhost/MyCustomIdp/Service.svc" - clients will pass credentials to this service. The service has a ws2007HttpBinding endpoint and returns a SAML token for the given credentials after validation.

Look at the ADFS metadata - you'll see both passive and active endpoints.
In terms of how to implement it, have a look at Thinktecture IdentityServer.
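To make the answer concrete: a single WS-Federation metadata document carries one entityID and one RoleDescriptor of type SecurityTokenServiceType, and that role lists the active endpoint (fed:SecurityTokenServiceEndpoint, WS-Trust) next to the passive endpoint (fed:PassiveRequestorEndpoint, WS-Federation). The following is an added example, not code from the question, the MSDN article or Thinktecture IdentityServer; the metadata is a constructed sample reusing the two addresses from the question, and the reader that extracts both endpoint kinds is hypothetical. Real metadata is signed (ds:Signature) and a relying party should verify that signature before trusting anything it reads, which this example does not show.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: one entityID, one SecurityTokenServiceType role, two
# endpoint kinds. The addresses are the ones from the question above.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://localhost/MyCustomIdp">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:SecurityTokenServiceEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://localhost/MyCustomIdp/Service.svc</Address>
      </EndpointReference>
    </fed:SecurityTokenServiceEndpoint>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://localhost/MyCustomIdp</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""


def sts_endpoints(metadata_xml):
    """Return the entityID plus the active (WS-Trust) and passive (WS-Federation)
    endpoint addresses advertised by the STS role descriptor(s)."""
    # Metadata fetched over the network is untrusted XML; defusedxml is the safer parser.
    root = ET.fromstring(metadata_xml)
    result = {"entity_id": root.get("entityID"), "active": [], "passive": []}
    for role in root.findall("md:RoleDescriptor", NS):
        # xsi:type keeps its prefix as written, so compare the local part only.
        if role.get(XSI_TYPE, "").split(":")[-1] != "SecurityTokenServiceType":
            continue
        result["active"] += [(a.text or "").strip() for a in role.findall(
            "fed:SecurityTokenServiceEndpoint/wsa:EndpointReference/wsa:Address", NS)]
        result["passive"] += [(a.text or "").strip() for a in role.findall(
            "fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)]
    return result


def non_https_endpoints(metadata_xml):
    """Check a relying party should run before trusting metadata: every endpoint
    it will send credentials (active) or receive tokens from (passive) must be https."""
    eps = sts_endpoints(metadata_xml)
    return [u for u in eps["active"] + eps["passive"] if urlparse(u).scheme != "https"]


if __name__ == "__main__":
    print(sts_endpoints(SAMPLE_METADATA))
    print("non-https endpoints:", non_https_endpoints(SAMPLE_METADATA))
```

The point for the question is visible in the returned dict: both addresses sit under the same entityID, so the passive relying party (WIF) and the active WCF client read the same FederationMetadata.xml and simply pick the endpoint kind they need.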

Related

Keycloak realm client users authenticating in another Keycloak realm containing client apps

Hi Keycloak devs and gurus,
I wanted to set up Keycloak, using OpenID Connect with 2 realms, where realm1 will contain the client application(s) and realm2 contains the users.
The users will then access the client applications in realm1 by authenticating through realm2.
I found this link --> idp initiated sso using keycloak, but it is implemented based on SAML, not on OpenID Connect.
Your help will be much appreciated.
I think that you can configure realm2 as a Keycloak OIDC IdP and connect realm2 to realm1 (by creating an IdP in realm1). Then configure the IdP redirector in the browser authentication to automatically redirect to realm2.

How to build a Spring MVC based application to connect with any service provider to do the SSO

We want to build a Spring MVC based application which will support the use case below:
- The user accesses the application URL to log into the application.
- Once valid credentials are entered to log into the application, the user can access any of the service provider applications for performing SSO.
- On access of any service provider application, the SAML response should be generated and posted to the service provider's ACS (Assertion Consumer Service) URL.
- In addition to IdP-initiated SSO, it should also support SP-initiated SSO, where the authentication request will be posted to the application login page; after valid credentials are entered by the user, the application should redirect to the service provider (which posted the authentication request).
- The application should have its own login page and authentication mechanism; it should not redirect to any other identity provider for authentication.
Should we use a normal Spring MVC based application which generates the SAML response using the OpenSAML library, or can any other SAML builder be used for satisfying the above use case?
This basically means:
- your app bundles a SAMLv2 compliant IdP (please don't try to build one yourself based on some SAML lib)
- your app calls an API of the IdP for authentication and issues a session token the IdP will recognize later on (otherwise authentication will always happen again when another application (acting as SAMLv2 SP) wants to perform SSO)
Issue with the latter: the "token" will most likely be a cookie, and then the restrictions of the cookie spec apply. This means you can only use host-based cookies (which security mandates) if your app and the IdP are deployed behind the same FQDN (e.g. by using an HTTP reverse proxy).
Another issue: how does your app know when to show the 'login screen' if the user actually has a valid session with the IdP because SSO was started at a different SP?
SAML way: you would first have to do a 'passive AuthnRequest' to check this.
Conclusion: your use case can be achieved, but the effort seems quite high. I'm not aware of any lib/framework which offers this OOTB at the moment.

Sending SAML request with Symfony2

I am using Symfony2 and I have to connect my user through SSO to another service using a SAML request. In this case we are the service provider. From what I gathered, once the user hits the link I'm supposed to redirect him to the bridge with a SAML request carrying the data so he can be authenticated, but I don't know which bundle to install or how to send a SAML request in the first place.
Any help will be appreciated.
You have 3 alternatives here:
- Use bundles based on php-saml like OneloginSamlBundle
- Use bundles based on simplesamlphp like SimplesamlphpBundle
- Use SamlSPBundle, a bundle based on lightsaml
If you decide to use OneloginSamlBundle, the AuthNRequest is sent from the SP to the IdP when SP-initiated SSO happens.
Resources/config/routing.yml defines the SAML routes. /saml/login initiates the SSO process.
When you access /saml/login, the loginAction defined in SamlController.php runs, an AuthNRequest is sent to the IdP SSO URL, and a SAMLResponse is expected at the SP on the ACS endpoint. That SAMLResponse is the one that will contain the user attributes needed to SSO or provision that user in the Symfony2 app.

How to implement SAML for SSO using ADFS as identity Provider

After 2 days of research, I am now at the assumption that ADFS can be used as an Identity Provider which uses Active Directory as its repository (this means we can store the username, password, etc. required to identify the user). My confusions are:
- When a user opens a login page in the SP, and if there is a trust relationship between the SP and ADFS (IP), does the IP take the Windows logged-in UserId to check the user against Active Directory?
- If the authentication is successful, does the IP send user information (as a SAML response) to the SP, so that I can create a session for the logged-in user?
- What should I do if the user logs out from the SP? Do I also have to clear the session in the IP (now ADFS)?
If my assumptions are right, how do I implement ADFS as an Identity Provider (IP) and consume its service in an ASP.NET application (Service Provider)?
When the SP notices that the user is not signed in, it sends the user to the IDP. This is where the login page is presented. ADFS can be configured to authenticate the user based on the signed-in Windows user.
Yes, ADFS can be configured to return user information in the SAML response. This is defined as claims in ADFS.
When the user is logged out in the SP, the SP should send a SAML LogoutRequest to the IDP to remove the session on the IDP.
Here is a library I have seen others use for .NET.
Another option is to use a product such as Shibboleth in front of your application.
Your question is: "How to implement ADFS as Identity Provider (IP) and consume its service in Asp.net Application (Service Provider)"
Then you have tagged it with SAML?
Why do you want to use SAML? (And here I am talking about SAML the protocol NOT SAML the token).
Just use WS-Federation and WIF which is OOTB support. WS-Fed also uses SAML tokens.
If you want to use SAML, refer to SAML : SAML connectivity / toolkit and SAML : ASP.NET MVC application talking to SAML IDP.
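Three of the threads above describe the same SAML 2.0 messages from the SP side: the 'passive AuthnRequest' the Spring answer says an SP needs to probe for an existing IdP session (IsPassive="true"), the AuthNRequest that OneloginSamlBundle sends to the IdP SSO URL before a SAMLResponse comes back to the ACS, and the LogoutRequest the ADFS answer says the SP should send so the IdP drops its session. The block below is an added example, not code from any of the answers, the libraries or ADFS; it builds those two request types and carries them over the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded SAMLRequest parameter), then shows the receiving side decoding them with a bound on the inflated size, since a deflated parameter from an unauthenticated peer can expand far beyond its wire size. All entity IDs, URLs and names are constructed placeholders. Signing the redirect query (SigAlg and Signature parameters) and validating that signature at the IdP are required in practice and are not shown here.

```python
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Upper bound on the inflated request size: a deflated SAMLRequest from an
# untrusted peer must not be allowed to expand without limit before parsing.
MAX_INFLATED_BYTES = 64 * 1024


def _issue_instant():
    return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _request(tag, issuer, attrs, request_id):
    # Common envelope of every samlp request: ID, Version, IssueInstant and the
    # SP's Issuer. Built with ElementTree so attribute values are escaped.
    attrs = {"ID": request_id or "_" + uuid.uuid4().hex, "Version": "2.0",
             "IssueInstant": _issue_instant(), **attrs}
    el = ET.Element(f"{{{SAMLP}}}{tag}", attrs)
    ET.SubElement(el, f"{{{SAML}}}Issuer").text = issuer
    return el


def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        is_passive=False, request_id=None):
    """SP-initiated SSO. IsPassive="true" is the 'passive AuthnRequest': the IdP
    must answer without showing a login page, so the SP learns whether an IdP
    session already exists (a NoPassive status in the response means it does not)."""
    el = _request("AuthnRequest", sp_entity_id, {
        "Destination": idp_sso_url,
        "IsPassive": "true" if is_passive else "false",
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    }, request_id)
    return ET.tostring(el, encoding="unicode")


def build_logout_request(sp_entity_id, idp_slo_url, name_id, session_index,
                         request_id=None):
    """Single logout: asks the IdP to drop the session it issued for name_id."""
    el = _request("LogoutRequest", sp_entity_id, {"Destination": idp_slo_url}, request_id)
    nid = ET.SubElement(el, f"{{{SAML}}}NameID",
                        {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"})
    nid.text = name_id
    ET.SubElement(el, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(el, encoding="unicode")


def redirect_url(endpoint, request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header/trailer
    deflated = comp.compress(request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return endpoint + ("&" if "?" in endpoint else "?") + urlencode(params)


def parse_redirect_request(url):
    """What the IdP side does with the query string; inflation is size-bounded."""
    qs = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(qs["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(deflated, MAX_INFLATED_BYTES)
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates beyond MAX_INFLATED_BYTES")
    root = ET.fromstring(xml_bytes)  # untrusted XML: defusedxml.ElementTree is the safer parser
    return {
        "type": root.tag.split("}", 1)[1],
        "Issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "NameID": root.findtext(f"{{{SAML}}}NameID"),
        "SessionIndex": root.findtext(f"{{{SAMLP}}}SessionIndex"),
        "RelayState": qs.get("RelayState", [None])[0],
        **root.attrib,
    }


if __name__ == "__main__":
    probe = build_authn_request("https://sp.example.test/metadata",
                                "https://sp.example.test/saml/acs",
                                "https://idp.example.test/sso", is_passive=True)
    url = redirect_url("https://idp.example.test/sso", probe, relay_state="/dashboard")
    print(url)
    print(parse_redirect_request(url))
```

The SP keeps the ID it generated and later checks the InResponseTo of the SAMLResponse at the ACS against it; the Destination attribute lets the IdP reject requests replayed to a different endpoint. Both checks are what turn these messages from plain redirects into something an SP can trust.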

What difference between active federation and passive federation in ADFS?

I am new to ADFS. Actually I don't know what active or passive federation is, and I also don't know the difference between them. Can anybody help me on this?
Thanks in advance!
Passive uses the browser - to do redirects etc. Protocol is WS-Federation. User is asked to log-on via a flow.
Active uses a web service - protocol is WS-Trust. It's essentially "headless". User normally doesn't actively log-on - credentials may be part of the web service.