SSO possible with LDAP-backed web applications? - http

I have a client who wants their wordpress and google apps user accounts accessible using SSO, ie if they log in on one app domain google.client.com they will be logged into wordpress.client.com too without extra steps.
The same LDAP directory will be used to do backend authentication for both systems. Is it possible to setup SSO for LDAP-backed webapps?

You could use Open Id to achieve SSO. Google Apps and Wordpress both integrate well with openid.

The short answer is yes. Google Apps supports SAML to address SSO integration with LDAP authentication. You can get more information on a simple SAML IdP solution from www.pingidentity.com.

Related

Single sign-on using ADFS approach

One of my customers wanted to implement SSO using ADFS. I was thinking to do a POC for the same using ADFS in Azure. But one requirement is only some users have ADFS login and other user needs to use custom authentication using the identity provider.
Is it possible to use custom and ADFS authentication in the same web application? Like presenting a page with sign-in using SSO or sign-in with credentials?
My client just shared the federatedmetadata.xml. (Do we need to give the full URL DNS name + metadata URL when you create the new project?).
Is it possible to use custom and ADFS authentication in the same web application? Like presenting a page with sign-in using SSO or sign-in with credentials?
If you're open to it, you could integrate your application with an identity provider, and that provider does this for you.
For example:
Your application integrates with CAS as the IDP, and CAS presents this screen to the end user for the authn attempt. User can choose either option, and then once completed, they will be redirected back to your application to continue, and your application interacts with CAS to validate the user account/session. CAS itself is connected to your own account store, and is also integrated with ADFS.
What do you mean by "ADFS in Azure". The only way to do this is to run ADFS as a VM in Azure. Otherwise, you would use Azure AD.
Yes, you can federate ADFS with other identity providers so they both are accessible from the same login screen.
What other identity providers are you looking at?
ADFS is not a project, it's a server add-on and it's all done via configuration on the Windows server.
In terms of importing metadata, see this.

Azure AD SSO for independent App Registrations

I need to provide an SSO between two independent applications via the Azure AD SSO.
My app (A) use Firebase as the backend and currently isn't registered in Azure AD.
The second App (B) is registered in Azure AD via App Registration and I think has password-based login now (but it doesn't really matter). Can't say what technology it uses for the backend.
I've read a lot of Azure documentation but can't understand how exactly should I connect them with SSO.
I see that I can connect applications from the Enterprise Applications list. Is this the only way to do it? In this case, I need to publish my app to the Enterprise Applications gallery but it feels like an overcomplicated solution.
SSO feature and experience depends on the type of auth-protocol being used. It also varies based on that. Lets say, your app uses OpenIDConnect then the SSO experience would be something like what mentioned here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-oidc-single-sign-on
If it uses SAML as the auth-protocol it looks something similar to: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-saml-single-sign-on
and if its using Password-based SSO then: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-password-single-sign-on-non-gallery-applications
Specifically for Password-Based SSO, it provides SSO by storing the credentials in the browser extension. With password-based sign-on, users sign on to the application with a username and password the first time they access it. After the first sign-on, Azure AD supplies the username and password to the application.
Password-based single sign-on uses the existing authentication process provided by the application. When you enable password single sign-on for an application, Azure AD collects and securely stores user names and passwords for the application.
Choose password-based single sign-on when:
An application doesn't support SAML single sign-on protocol.
An application authenticates with a username and password instead of access tokens and headers.
In your case, both you apps (MyApp-A and MyApp-B) needs to be registered in AAD and they should support neither SAML or OIDC.

Integrate social logins like Facebook to a LDAP directory

For multiple applications, I want to build a centralized account solution. The core consists of some ASP.NET Core web applications. But I also want to include third-party applications like WordPress, GitLab, or a XAMPP/HipChat server. My goal: The user creates ONE account, which can be used in all of those applications. So an LDAP server seems the best way for this since many applications have support for this protocol. This also gives flexibility for other applications, which may be added later.
The problem here is, that the users should be able to authenticate using common social sites - Especially Facebook. It's state of the art and would increase the conversation rate, cause it's easier for the users.
Is it possible to integrate social login provider like Facebook to LDAP servers like ApacheDS?
As I see the topic, Facebook generates some kind of authentication token, which can be used from the application to verify the identity of the user. In my custom web apps, this is no problem. But for e.g. a XAMPP server, this seems not to work: LDAP requires username/password. But I don't have this, since there is only a Facebook token available. The LDAP server could store this in an attribute. However, this would require to check this token instead of a password on an LDAP bind.
On the other side, when I drop the LDAP server and use some framework like ASP.NET Core identity instead, it's not a big deal. The problem here: I'm not able to use this login for third-party applications. This would require the users to have an additional account for e.g. XAMPP, WordPress, and so on, which results in big chaos and is thereby not suitable for me.
By dropping social support, it works. This seems also not to be a good idea since those logins are state of the art and I'm targeting younger users, which expect an SSO solution with Facebook or similar providers.
Facebook (and other social login sites) use a protocol named OAuth to authenticate. Probably the easiest solution would be to implement an OAuth server yourself that uses your LDAP as backend and then add that beneath the Facebook login as the second way of login.
That will not add users logging in via Facebook to your LDAP but as you usually only get an OAuth token back for login (not necessarily a username) which needs to be verified against Facebook (or whoever provided that token) it doesn't work to use it as "password replacement".

Building SSO application with SAML or OPENID in Symfony2

We are using symfony2 as our framework to built the application which has different firewalls like admin, client and customer.
Now I want to built SSO using SAML(CAS) or OPENID in symfony2. Which will communicate with my application and provide the authentication and with other applications also through web service.
Please suggest some bundles which are already built for SSO and which is better SAML or OPENID.
Thank you in Advance.
Disclaimer: I'm the Chairman of CAS and founder of CAS in the cloud (https://www.casinthecloud.com).
I'm not sure if you want to use CAS, SAML or OpenID protocols, but here is an example of a CAS client for Symfony: https://wiki.jasig.org/display/CASC/Symfony+CAS+Client. It might help.

OpenID + OAuth for Webapp and Desktop/Mobile application Authentication and Authorizaiton

I'd like to use OpenID to authenticate users on my webapp -- similar to how StackExchange does it. I'd also like to enable users of my website to use my Desktop and Mobile Apps using the same account. I've read this requires OAuth (OpenID is purely website only).
What I don't know is
Is this the correct approach?
What would the workflow for this be?
What data do I need in my database per user/OpenID? Do I store an "account" and then when they've authenticated with OpenID, I allow them to generate an OAuth Token for the mobile app?
In an ideal world, I would be able to have buttons similar to those on https://stackoverflow.com/users/login for both my WebApp and also in my Desktop and Mobile Apps which would simply allow users to login with their google or facebook account, is that possible? Simplicity for users is paramount, because my userbase will not take well anything remotely complex.
Can I use something like DotNetOpenAuth to provide all of this functionality?
Would a better solution be to break this up and allow users to authenticate to my site with OpenID and then I provide my own OAuth scheme for my desktop and mobile clients?
Probably the simplest mechanism is to embed a web view, and simply watch for navigation to a specific callback page and grab the authentication data that way. You should still be able to use OpenID for this.
What you should be looking into is Windows Identity Framework (WIF), it will work similarly for Web or Desktop applications using Claims-Based Identity. You would store an authorization token for each user (along with any other information you need) and you would get it in the Authorization Header of an authenticated HTTP Request. oAuth is the protocol for passing authorization requests and responses. WIF is a .NET toolkit to simplify this interaction.
For more info, check out the WIF home page and the following blog (not mine):
http://msdn.microsoft.com/en-us/security/aa570351
http://blogs.msdn.com/b/vbertocci/
This is the workflow that I came up with, and so far I think its working well.
The user is required to authenticate to the website via third party OpenID/Facebook/etc (mobile friendly website is available). Then, in their "profile" they can generate an API "key" which they can copy/paste into their client software. It isn't 100% transparent to the user, but its pretty good.

Resources