I successfully managed to install and use a few instances of SimpleSAMLphp both as Service Provider and Identity Provider (using the simple example user authentication).
Now I'm looking for a basic PHP App which manages the user account and attributes -- user, password, email, groups, password recovery, etc. -- and easily binds to the SimpleSAMLphp Idp as an authenticator.
I was very optimist about "Drupal + SimpleSAMLphp + drupalauth = Complete SAML Identity Provider (IdP)", but if to use Drupal, I would like to use Drupal 8 and not 7.
Do you know any other setup that could achieve something similar?
Related
We are running WSO2 IS version 5.10. and want to use external iDP (SafeNet) as step 2 authentication for Service Provider. I configured Service Provider in order to use an advanced configuration for the login process. I configured 2 steps where first step is basic auth and second step is federeted iDP - SafeNet (Saml2SSO).
Everything work's fine except one thing - when i try to logon to my application, WSO2 shows me login interface, I put my credentials (username and password) after that a redirected to SafeNet login interface and I should put my username again in safenet login page. So the user name, how it say correctly, does not transferred to step 2 (sorry for my English ))). I inspect SAML request which is generated by WSO2 and could not find NAMEID. Can any one help with this?
I want to use Google Authenticator for 2-factor authentication with WSO2 identity server 5.7.0. The Google Authenticator should provide a One-Time Password which is valid only for a very short duration. Using the email id, password and OTP (generated from Google Authenticator) a user should be allowed to sign in into an application.
I cannot find how to implement google authenticator in the link mentioned below WSO2 Identity Server Authenticators and Connectors Documentation
Can anyone provide some steps in the direction to implement Google Authenticator with WSO2?
Note: I am not referring to using Google as a federated authenticator.
As for me for your use case you don't need google authenticator you need email otp[1]. You can configure your email otp to generate from google. You can enable it as a second factor in authentication. So the first user will login using user name and password then user will be asked for the otp that generated from google. That will be sent to the user email account.
If you want to use the google authenticator to get the otp not the email then you should use wso2 totp. [2]
[1]. https://docs.wso2.com/display/IS570/Configuring+Email+OTP
[2].https://docs.wso2.com/display/ISCONNECTORS/Configuring+TOTP+Authenticator
I am developing a web application using EC2 on AWS.
In this application my client is requesting to use his SSO (Single Sign On) so I can verify the user against his Active Directory. My problem is that I can't get to know where to begin with, these are some of my questions:
1) Is this SSO takes place on my code or on my server?
2) Do I have to make different configuration for differents deployment environments (for example aws, azure, digitalocean, etc)?
3) Where do I define, send and parse SAML 2.0 format?
4) Do I have the send a POST request to the server where the SSO is installed? Or how is it managed?
So far I have found this tutorial, but I am still do not know what to do first, so any step by step information will help a lot.
First you need the client (Identity Provider IdP) SAML2 metadata. This will have their SSO endpoint URL and their X509 signing certificate.
Then you send them your SAML2 metadata with your Attribute Consumer Service (ACS) URL and X509 signing certificate.
Sample metadata here. Or you can build it here.
The certificates are normally long lived self signed certificates. They can be self signed as each side has a copy of the other's certificate which they will use to verify the signed request and response.
You construct a SAMLRequest and POST it to their SSO URL. There's an example request here.
They display their login page to the user and the user authenticates at their end.
They gather attributes for the user from their Active Directory and turn them into SAML attributes and put them in a SAMLResponse.
They POST the SAMLResponse to your ACS URL. There's an example response here.
You verify the signature on their SAMLResponse using their X509 certificate from their SAML2 metadata.
You extract the SAML Attributes from their verified SAMLResponse and take appropriate action in your application, e.g. create the user an account, perhaps their email address is one of their attributes.
The above is called the SAML2 Web Browser SSO Profile, explained here.
Depending on your stack, you can use something like:
Shibboleth (middleware, install on your server, it interrupts requests to specific paths requiring Authn against the Identity Provider [ADFS], and returns the user after successful auth setting some attributes telling you info about the user such as username, etc.). Works best if you can compartmentalize secured content into a particular path on the site like /secure.
SimpleSAMLphp (protect PHP resources directly)
Commercial SAML (ComponentSpace, etc. - works well if .Net app)
Basically, find something for your stack. DO NOT TRY TO ROLL YOUR OWN SAML IMPLEMENTATION!
I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that are creating a cluster (using the WKA membership scheme and Load Balancer(AWS ELB) with sticky session enabled). I am using MySQL(not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines). I am also using the so called WSO2 IS Admin services.
As mentioned in the heading I am consuming the UserProfileMgtService
(https://url:port/services/UserProfileMgtService?wsdl).
In combination with it I am using OAuth2TokenValidationService
(https://url:port/services/OAuth2TokenValidationService?wsdl).
If I pass valid access token to the OAuth2TokenValidationService I am able to fill in with data OAuth2TokenValidationResponseDTO object by using the Validate method of the OAuth2TokenValidationService. As result I am able to extract the authorizedUser and pass it to the getUserProfile method of the UserProfileMgtService. I am using the standard carbon.super domain and I am using the email as username. For example I am passing the following two parameters to the getUserProfile:
"admin#admin.com#carbon.super" as username
"default" as profileName
And as result I receive the following message:
UserNotFound: User admin#admin.com#carbon.superdoes not exist in: PRIMARY
If I remove the "#carbon.super" from the authorizedUser, everything is fine and I am able to get the user profile information. This is quite important for me since I am using multitenancy of the IS and there is a case that I might have the following users:
admin#admin.com#test.net
admin#admin.com#test2.net
I noticed that this service was not working this way in WSO2 IS 5.0.0. I started experiencing this issue after the upgrade.
Is this a desired behavior and is introduced because of the change in the API in IS 5.2.0? If so is there another way to be able to get the user profile using the "username"+"tenant-domain"(that is retrieved by the OAuth2TokenValidationService as authorized user when passing valid access token).
Is it possible that this is caused because of misconfiguration? If so which is the file that needs to updated and what exactly should be modified in it?
Is there a place where more information could be retrieved for the WSO2 IS 5.2.0 Admin Services?
Thanks in advance.
UserProfileMgtService in Identity Server is an Admin Service. In WSO2 Admin Services, the tenant domain is identified by authenticated user and it should not pass with username.
username should be tenant free username.
So, you can remove carbon.super portion from the username and then it will work.
In tenant setup, you need to authenticate with a tenant user (Ex admin#admin.com#test.net) in order to access these API. So, like in the super tenant, you can use tenant free username and then it will work.
For example, if you want to get user profile of user : testuser#admin.com in tenant domain test.net, your request should be like bellow image.
Thanks
Isura.
I want to know if it possible to map attibutes between salesforce and wso2.
I can create my custom attributes on salesforce, but i want to map attirbutes with my WSO2 IDP configuration i.e salesforce configured as IDP within WSO2.
For eg:
If i choose to login with my salesforce account to my web app with my user of salesforce say abc#salesforce.com login must be successful only if same user exists in WSO2 IDP. Though the credentials for abc#salesforce.com user are correct w.r.t to salesforce account ,user must login only if same username exists in wso2 idp.
I tried with claim mapping but no luck.
Please suggest.
I believe the claim mapping is the correct way.
You need to define whole data path
SP claim->IdP dialect claim->user attribute->local dialect claim->SP claim
If you use a federation IdP (SF), you may want to set 'provisioning' of the user, storing their identity and attributes localy (so you can see what attributes are passed and recognized.
Have fun