How to call web service that requires claims based authentication? - web-services

I have a client that wants to invoke a web service.
I have a web service (asmx) and a default.aspx that can show the claims.
I have a test STS that my web service trusts.
I tested and the STS can send the correct claims, and the web service also seems to get them if I go through the default.aspx page that shows the claims. I created a proxy (using Visual Studio "add service reference") for the client to call the web service. I could not find a way to call the web service from the client programmatically so that it will authenticate through my STS. I am calling like below, but the STS returns the claims response to the client, where it should return it to the web service and invoke the web service function.
// Instantiate the generated SOAP proxy against the service endpoint; the whr parameter names the STS.
var MyClient = new MyWebServiceSoapClient("MyWebServiceSoap", "http://127.0.0.1:81/MyService.asmx?whr=http%3a%2f%2flocalhost%3a25919%2fteststs%2fdefault.aspx%3fwa%3dwsignin1.0%26wtrealm%3dhttp%3a%2f%2f127.0.0.1%3a81%2fmyservice.asmx");
MyClient.MyServiceFunction();

Check samples in the Identity Training Kit or the "A Guide to Claims based Identity" for examples.

I wrote a C# library that enables you to get a SAML token from a 3rd party STS and subsequently ADFS to eventually authenticate to SharePoint. It may be of some help:
http://www.huggill.com/2012/02/04/claims-proxy-a-c-sharp-library-for-calling-claims-protected-web-services/

How to select and work with a particular Provider (OIDC provider) added on Google Cloud - Identity Platform by using server-side Java code

I have added these 2 identity providers (refer to the attached images) to Google Cloud --> Identity Platform:
Email/Password
OIDC Connect (oidc provider)
Now, if you see, there is a Users section as well under Identity Platform.
So I have added some random users which are non-Gmail users (refer to the image), like xyz#abc.com, which I want to authenticate with the help of Google Cloud (i.e. when this user comes to log in, I will hit the API endpoint /login, and in the login server-side code I will redirect to Google Cloud to authenticate this user using the OIDC Authorization flow).
I need Java code to:
Using some Java code, first choose the provider as the OIDC provider (oidc-auth-provider).
Make a call to Google Cloud which should use this provider (oidc-auth-provider).
This oidc-auth-provider should look up the users which I have created under the Users section (refer to the image).
Google Cloud, after verifying the user exists, should send back an Auth Code.
Using the Auth Code I will call back to Google and get the ID token/JWT token.
I was referring to this link :
https://cloud.google.com/identity-platform/docs/web/oidc
If you search for the "Signing in users with OAuth" section on the page, that is exactly what I am looking for, but the problem is that it gives a UI code example using the Firebase API to create an OAuthProvider instance (which will choose the provider), but I need a server-side code example instead. I am not sure if I can use this Firebase API in server-side Java code for a web application. Any suggestion on how I can do similar things from server-side Java code?
[Image: added Providers under Identity-platform]
[Image: Added users manually which I wanted to authenticate]

Is there any web service present for authentication using WSO2?

I am new to WSO2 and am evaluating it.
I am using Identity Server. I have a web application and want to apply the web SSO feature using WSO2. I checked, and there are SOAP web services present in WSO2 for UserAdmin,
https://server-info:9443/services/UserAdmin.UserAdminHttpsSoap12Endpoint/ (using a SOAP client for testing; for dev I have to write a Java client for the request),
but I did not find any web services related to web SSO. For example, I require an authentication web service which will accept username/password and return some token information; using that token, I can store it in the session for single sign-out.
Is there any web service/API in WSO2 that provides authentication? Or what is the best approach to implement SSO using WSO2 for web applications?
Thanks
If you are looking for SSO with WSO2IS, WSO2IS supports several standard ways to achieve it. They are:
SAML2 SSO
OpenId Connect
OpenId
Passive STS (for windows based applications)
Of the above, the most popular way is to use SAML2 SSO or OpenID Connect. Your web application must also support talking to WSO2IS using the above standards. Say you need to achieve SSO using SAML2 SSO: your application needs to send the SAML2 Request and process the SAML2 Response in the standard way, as described in the SAML2 SSO spec. You can find a sample web application that has been implemented to work with WSO2IS from here. This blog contains all the configuration details that you need to do on the WSO2IS side as well. You can even use the sample web application with other SAML2 IdPs, as the sample web application talks in the standard way. Also, if you are looking for OpenID Connect, you can find another sample web application from here with config details. I hope this would be a good starting point for you.

WSO2 Identity Server REST and SOAP call

WSO2 Identity Server: I am new to WSO2 Identity Server. Could somebody help me get the list of REST calls and SOAP calls supported by WSO2 Identity Server?
This blog post has an example of using WSO2-IS APIs.
Take a look at the answer to the following question also. WSO2 identity server api
WSO2 products manage their internal SOAP web services, known as admin services. The admin service WSDL is as below.
https://localhost:9443/services/UserAdmin?wsdl
Note: you cannot view the WSDL of an admin service by default, for security reasons. Follow these steps to enable and invoke the admin service WSDL.
Set the <HideAdminServiceWSDLs> element to false in the <IS_HOME>/repository/conf/carbon.xml file.
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
Restart the server.
You can also use the OSGi console to get the list of SOAP services exposed in Identity Server and view the details of the available service components. To enable the OSGi console, do the following steps.
Get the OSGi console by executing the following command.
<IS_Home>/bin/wso2server.bat -DosgiConsole
After the server has started successfully, press the 'Enter' key and the osgi> console prompt will be displayed.
To get all admin services that are deployed on this server:
osgi> listAdminServices
To list all hidden services that are deployed on this server:
osgi> listHiddenServices
All services expose web service APIs which can be used to gain access to back-end functionality.

passing user credentials to web service

I have the following scenario:
I have an application (HTML files + JavaScript hosted in a web server).
There is a SOAP web service that we need to develop.
The web service will be called from JavaScript (AJAX calls).
Users will access the application in an intranet scenario. Users are validated against Active Directory.
The requirement states that users need to be logged in using the logged-in user's network credentials. There should not be a login screen shown to the user.
Web service interfaces need to be invoked with the logged-in user's credentials. A login interface of the web service specifically needs to be called as the first call.
I have a specific question on how to pass the user credentials to the web service.
I am planning to configure Integrated Windows Authentication (NTLM) for the web application to avoid the login screen.
However, I do not know a way to capture and send the user id and password to the login interface of the web service.
Most of the questions and answers around this topic have been for Microsoft technologies. Any specific ideas?
Further research and several blog posts pointed me to Kerberos authentication and a single sign-on framework. With NTLM I cannot delegate credentials to the web service. However, with Kerberos I can. I will be using SPNEGO and delegating the credentials after authentication. Please refer to the link below for further details.
http://spnego.sourceforge.net/

Do we absolutely need a STS for SAML?

I am trying to implement SAML enabled SOAP services for the first time and I have some conceptual questions regarding the role of a Secure Token Service (STS) in a SAML implementation.
User ---> Web Application ---SOAP/SAML--> Messaging Application
Basically, the scenario is that the user logs into the web application using his user name and password; the web application in turn authenticates and authorizes the user with an external service. On successful authentication/authorization, the web application creates a Sender Vouches SAML assertion with the user as subject, signs the assertion with its private key, packages the assertion in a SOAP envelope using WS-S and makes a SOAP call to the messaging application. Once the messaging application receives the request, it verifies the signature with the public key of the web application, pulls the authentication and attribute statements out of the SAML assertion and, based on them, enforces the auth policy on the endpoint.
As you can see, in the above scenario there was no external STS involved; however, most literature I have read on SAML suggests that an STS is absolutely required. The question I have is whether I am doing anything wrong with the above scenario, since I cannot see any reason why I would absolutely need an STS. Sure, it would be nice to have an STS, but at least in my opinion, the absence of it does not stop me from implementing SAML for my use case.
No, you don't need an STS for SAML tokens in web services. The STS exchanges one token (where 'token' includes things like username+password) for another, so it's useful in that your web service consumer can send some input token (typically username+password or a signature+X.509 cert for simple use cases) to the STS and get back a SAML assertion all ready to go.
Now, if you have the capability to create SAML tokens that will be accepted by your web service provider, have at it! No STS necessary - the actual SOAP message on the wire is identical whether or not an STS was involved in its creation.
I wrote a couple of blog entries a few years ago that detail some of this:
Access Manager 7.1 Beta in Java EE Tools/NetBeans 5.5 Enterprise Pack
Anatomy of a SAML-Secured SOAP Message
Sun Access Manager 7.1 has been superseded by OpenAM, but the principles remain the same. In particular, the second entry is independent of any actual product.
You can leverage any of the open source SAML toolkits. If your application is written in Java and you are running on either JBoss or Weblogic, SAML support is built-in.
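The sender-vouches flow from the question above, worked through as an added example (not code from the thread or from any of the products mentioned): the web application signs an assertion about the user with its own key, and the messaging application verifies it with the web application's public key before trusting the attributes, with no STS anywhere. The XML element names and the byte-level signature are simplifications assumed for illustration; real WS-Security uses XML-DSig over a canonicalized SAML assertion.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
)

const senderVouches = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
// Assertion is a simplified sender-vouches assertion (assumption: SAML-like element names,
// not real SAML 2.0): the web application (Issuer) vouches for the user it authenticated.
type Assertion struct {
	Issuer  string   `xml:"Issuer"`
	Subject string   `xml:"Subject>NameID"`
	Method  string   `xml:"Subject>SubjectConfirmation>Method"`
	Roles   []string `xml:"AttributeStatement>Attribute>AttributeValue"`
}
// Token rides in the SOAP security header: assertion bytes plus the issuer's signature over
// exactly those bytes (real WS-Security signs via XML-DSig with canonicalization instead).
type Token struct{ AssertionXML, Signature []byte }
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
// IssueToken runs in the web application once it has authenticated the user: it builds the
// assertion and signs it with the application's own private key. No STS is involved.
func IssueToken(priv *rsa.PrivateKey, issuer, user string, roles []string) (Token, error) {
	body, err := xml.Marshal(Assertion{Issuer: issuer, Subject: user, Method: senderVouches, Roles: roles})
	if err != nil {
		return Token{}, err
	}
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest(body), nil)
	return Token{body, sig}, err
}

// VerifyToken runs in the messaging application: check the signature with the web application's
// public key (the only party trusted to vouch) before parsing, then check issuer and method.
func VerifyToken(pub *rsa.PublicKey, t Token, trustedIssuer string) (Assertion, error) {
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest(t.AssertionXML), t.Signature, nil); err != nil {
		return Assertion{}, errors.New("signature invalid: reject request")
	}
	var a Assertion
	if err := xml.Unmarshal(t.AssertionXML, &a); err != nil {
		return Assertion{}, err
	}
	if a.Issuer != trustedIssuer || a.Method != senderVouches {
		return Assertion{}, errors.New("untrusted issuer or confirmation method")
	}
	return a, nil
}
```

The messaging application never sees a password: its trust decision rests entirely on which public keys it accepts as vouching parties, which is exactly the configuration an STS would otherwise centralize.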