I need to implement ADFS authentication for ColdFusion.
I've found only this post, but I'm not sure if this is the right answer...
https://community.adobe.com/t5/coldfusion/i-want-to-implement-adfs-2-0-integration-with-coldfusion-has-anyone-implemented-this-before-please-i/td-p/7361728?page=1
I'm experiencing the same issue as the one mentioned here, for which there was no conclusive answer: Asp.Net Owin authorized request works in Incognito mode but not "normal" Chrome
I am unable to comment on that question as I do not have the reputation to do so, but I was going to ask whether it is something to do with the fact that my project includes both Web Forms and Web API and there is a conflict going on with the authorization cookie.
Has anyone else come across this issue?
Thanks
For the benefit of anyone else with the same issue:
It was indeed due to forms authentication being enabled at the same time as OWIN bearer tokens.
If you are logged in via forms authentication and then try to call a Web API endpoint in the same browser, it uses the cookie information, which gets recognized by Web API authorization.
In incognito, there is no such cookie, so it behaves as expected.
I am evaluating wso2is and trying to use OpenID Connect and specifically JWT tokens functionality.
The issue I am facing is that at least one third-party application is requiring the JWT token to be sent on the URL rather than on the preferred HTTP header (which wso2is does). I have talked to the third party's support about this issue, but have no confidence in when they will fix it. Is it possible to configure wso2is to send the JWT token on the URL as well as on the HTTP header?
Example of the JWT token on the Url: http://test.example/com/access/jwt?jwt=[JWTToken]
Many Thanks
I need some clue or direction on how to implement authentication in a SOAP message.
Is it possible to implement authentication by using plain WSDL and XML Schema?
When I say plain, I am referring to using only WSDL / XML Schema: no PHP, no Java annotations, no Ruby, no .NET, etc.
I know there are standards on WSS, which is SAML / OASIS, but from their documentation (only OASIS, I haven't accessed the SAML documentation yet) they focus their specification on the SOAP message, which isn't what I want.
On top of that, I want SOAP authentication, not HTTP basic authentication.
A WSDL is simply the description of the service. It doesn't implement anything, and certainly doesn't implement authentication.
Also, FYI, there's no such thing as SOAP Authentication.
The recommended approach would be to use the WS-Security standard. The easiest way to achieve a solution would be to use WS-Security Username token policy described here:
https://www.oasis-open.org/committees/download.php/13392/wss-v1.1-spec-pr-UsernameTokenProfile-01.htm
The benefit of using this approach is that your WSDL will include a section that will describe the authentication requirements of the web service. Any clients that generate stubs using the WSDL will then be able to automatically generate code for including username token with the request message.
You can find an example implementation here:
WS Security - Username token Profile
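What the receiving service has to check on a UsernameToken that uses the profile's PasswordDigest form, as an added example (not from the answer above or the implementation it links to). The `UsernameTokenVerifier` class, its in-memory stores, the five-minute window and the sample values are assumptions.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed freshness window for Created

def password_digest(nonce_b64, created, password):
    """Profile formula: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

class UsernameTokenVerifier:
    """Hypothetical server-side check: freshness, nonce replay, then digest."""

    def __init__(self, passwords):
        self.passwords = passwords  # username -> shared password (assumed store)
        self.seen = {}              # decoded nonce bytes -> Created timestamp

    def verify(self, username, digest, nonce_b64, created, now):
        try:
            ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(nonce_b64)
        except ValueError:
            return False  # malformed timestamp or nonce
        if abs(now - ts) > MAX_AGE:
            return False  # stale or far-future token
        # Forget nonces whose tokens would now fail the freshness check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_AGE}
        if nonce in self.seen:
            return False  # replay; the key is the decoded bytes, not the text
        password = self.passwords.get(username)
        expected = password_digest(nonce_b64, created, password or "")
        if password is None or not hmac.compare_digest(expected.encode(), digest.encode()):
            return False
        self.seen[nonce] = ts
        return True

# Constructed sample values, not taken from any real service.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CREATED = "2024-01-01T12:00:00Z"
SAMPLE_NONCE = base64.b64encode(b"constructed-nonce-01").decode()
SAMPLE_DIGEST = password_digest(SAMPLE_NONCE, SAMPLE_CREATED, "s3cret")
```

The digest form needs the server to hold the password itself (or an equivalent secret), and it protects only the password, so the message still has to travel over TLS.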
I need to use Active Directory Federation Services (ADFS) authentication in a Django application. I will create an authentication backend, but which tool would someone recommend me to make it as fast as possible, or would it be better to implement authentication from scratch?
I have read some articles from the Microsoft website, and have checked:
http://claimsid.codeplex.com/
http://msdn.microsoft.com/en-us/library/ff359102.aspx
But even though they explain some core concepts and ideas about ADFS and SSO, the examples are in my opinion more .NET stack focused.
Writing a basic client in .NET and sniffing the traffic would give you all necessary clues to actually implement the flow in any technology.
Basically, your django app has an endpoint adfs uses to return back. You register the endpoint in adfs (like https://myapp.com/authgateway).
Then, your application initializes the flow by redirecting to https://adfs.address/adfs/ls?wa=wsignin1.0&wtrealm=https://myapp.com/authgateway
Adfs picks the request and validates credentials. Then it creates a SAML token and redirects back to your application with a POST request containing the token.
Then comes the difficult part: the SAML token is plain XML you can use to establish a local user session. One of the claims contains the user name provided by ADFS; other claims can contain roles, the email, whatever you configure on the ADFS side.
But, to prevent forging, you need to validate the token. The validation consists of checking the XMLdsig signature and verifying that the signing certificate thumbprint matches the thumbprint of the ADFS signing certificate. Depending on how much knowledge of X.509 certificates and XML validation you have, this can be easy or difficult. Try to find any support in the Django community.
Anyway, as you can see, the basic flow is simple; it is a matter of two redirects, a 302 from your application to ADFS and a POST back from ADFS to your application. Although we do this daily in .NET, our partners do it in PHP/Java under our guidance.
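The first redirect and the thumbprint-pinning half of the validation described above, as an added example in Python (not code from the answer or from any Django package). The function names and the sample token are assumptions, and the XMLdsig signature itself still has to be verified with an XML signature library before any claim is trusted.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

DS = "{http://www.w3.org/2000/09/xmldsig#}"
CERT_PATH = f".//{DS}Signature/{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate"

def signin_url(adfs_base, realm):
    """First redirect: the 302 from the application to the ADFS sign-in endpoint."""
    query = urlencode({"wa": "wsignin1.0", "wtrealm": realm})
    return adfs_base.rstrip("/") + "/adfs/ls?" + query

def normalize_thumbprint(value):
    # Copied thumbprints often carry spaces, colons or invisible characters.
    return "".join(c for c in value.lower() if c in "0123456789abcdef")

def signing_cert_thumbprint(token_xml):
    """SHA-1 thumbprint of the certificate carried in the token's ds:Signature."""
    # Conservative pre-check: a token has no reason to carry a DTD.
    if b"<!DOCTYPE" in token_xml or b"<!ENTITY" in token_xml:
        raise ValueError("DTDs are not accepted in tokens")
    certs = ET.fromstring(token_xml).findall(CERT_PATH)
    if len(certs) != 1:
        raise ValueError("expected exactly one embedded signing certificate")
    der = base64.b64decode("".join((certs[0].text or "").split()))
    if not der:
        raise ValueError("empty certificate element")
    return hashlib.sha1(der).hexdigest()

def issuer_is_pinned(token_xml, pinned_thumbprint):
    """Pinning step only. The XMLdsig signature must also be verified against
    this same certificate with an XML signature library before claims are read."""
    actual = signing_cert_thumbprint(token_xml)
    return hmac.compare_digest(actual, normalize_thumbprint(pinned_thumbprint))

# Constructed sample: placeholder bytes stand in for the DER certificate.
FAKE_DER = b"constructed placeholder for the ADFS signing certificate"
SAMPLE_TOKEN = (
    b'<Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature>'
    b"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>" + base64.b64encode(FAKE_DER)
    + b"</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></Assertion>"
)
_hex = hashlib.sha1(FAKE_DER).hexdigest().upper()
PINNED = ":".join(_hex[i:i + 2] for i in range(0, 40, 2))  # as copied from a cert viewer
```

A matching thumbprint on its own proves nothing, because anyone can embed the real certificate in a forged token; it only tells you which key the signature check must succeed against.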
There's a package available for this here:
http://django-auth-adfs.readthedocs.org/en/latest/
I've already successfully implemented LinkedIn and Twitter OAuth 2.0 authorization in my app with external libraries. But I have problems with Facebook. It seems like it has a different authorization flow.
I need to have 3 endpoints to implement OAuth: request token url, access token url and authorize token url.
For LinkedIn and Twitter I have them:
REQ_TOKEN_URL="https://api.linkedin.com/uas/oauth/requestToken";
ACCESS_TOKEN_URL="https://api.linkedin.com/uas/oauth/accessToken";
AUTHORIZE_TOKEN_URL="https://api.linkedin.com/uas/oauth/authorize";
REQ_TOKEN_URL="https://api.twitter.com/oauth/request_token";
ACCESS_TOKEN_URL="https://api.twitter.com/oauth/access_token";
AUTHORIZE_TOKEN_URL="https://api.twitter.com/oauth/authorize";
But for Facebook instead of request token I have
OAUTH_FACEBOOK_DIALOG = "https://www.facebook.com/dialog/oauth";
And I'm not sure if it's equal. Probably not, since it doesn't work the way it did with LinkedIn and Twitter.
And in Facebook documentation they suggest to start with redirecting user to "https://www.facebook.com/dialog/oauth", but in classical OAuth 2.0 first I have to request the token from request_token_URL.
So the question is: is Facebook authorization flow actually not OAuth 2.0 and I have to use different approach?
Facebook does in fact fully support OAuth 2.0. Twitter currently does not support OAuth 2.0. LinkedIn OAuth 2.0 support I believe is still in beta. But yes, you will need to use a different approach for different versions of OAuth.