SAML SSO Using PingIdentity as an IDP - c#

I am trying to use SAML SSO with PingIdentity (PingOne) and the ComponentSpace SAML library. Currently what I have to initiate the SSO is
SAMLIdentityProvider.InitiateSSO(
    Response,
    "testuser",   // username
    attributes,
    "https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=xxxx-xxxx-xxxx-xxxx-xxxx&idpid=xxxx", // passed as the relay state
    "PingConnect" // partner SP name from saml.config
);
When this runs it returns an error in relay state. I've figured out that I don't have a relay state to use, but I am not sure where to specify my Initiate Single Sign-On (SSO) URL from my PingOne web portal (that's the sso.connect URL in the code). This is my first time doing SSO with SAML and using ComponentSpace, so I am completely lost.
I have my XML service provider set up as follows:
<PartnerServiceProvider Name="PingConnect"
    WantAuthnRequestSigned="false"
    SignSAMLResponse="true"
    SignAssertion="false"
    EncryptAssertion="false"
    AssertionConsumerServiceUrl="https://sso.connect.pingidentity.com/sso/sp/ACS.saml2"
    SingleLogoutServiceUrl="http://localhost:50839/"
    PartnerCertificateFile="sp.cer"
    SignatureMethod="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

Just to confirm, PingIdentity is the identity provider and your application is the service provider? Assuming so, you should be calling SAMLServiceProvider.InitiateSSO and you should have a PartnerIdentityProvider rather than a PartnerServiceProvider configuration.
Have you taken a look at the PingOne Integration Guide? This describes both the configuration at PingOne and your application.
If you need further assistance, I suggest emailing ComponentSpace support.
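Whichever role the application ends up in, one thing in the posted saml.config that a security reviewer would change before going live is the signature algorithm: rsa-sha1 is deprecated for XML signatures and many partners now reject it. The fragment below is an added example, not code from the original post or from ComponentSpace's samples. It shows the posted partner entry moved to SHA-256, followed by the PartnerIdentityProvider shape the answer refers to, using the Initiate SSO URL from the question as the IdP's single sign-on endpoint. The attribute names SignAuthnRequest, WantSAMLResponseSigned, WantAssertionSigned, SingleSignOnServiceUrl and DigestMethod are assumed from the ComponentSpace saml.config schema and should be checked against the version in use.

```xml
<!-- Added example, not from the original question. Same partner entry as posted,
     with SHA-1 replaced by SHA-256 for both signature and digest. -->
<PartnerServiceProvider Name="PingConnect"
    WantAuthnRequestSigned="false"
    SignSAMLResponse="true"
    SignAssertion="false"
    EncryptAssertion="false"
    AssertionConsumerServiceUrl="https://sso.connect.pingidentity.com/sso/sp/ACS.saml2"
    SingleLogoutServiceUrl="http://localhost:50839/"
    PartnerCertificateFile="sp.cer"
    SignatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    DigestMethod="http://www.w3.org/2001/04/xmlenc#sha256"/>

<!-- If PingOne is the IdP and this application is the SP (the case the answer describes),
     the entry becomes a PartnerIdentityProvider instead. Attribute names are ASSUMED from the
     ComponentSpace saml.config schema; idp.cer is the IdP signing certificate exported from PingOne. -->
<PartnerIdentityProvider Name="PingConnect"
    SignAuthnRequest="true"
    WantSAMLResponseSigned="true"
    WantAssertionSigned="true"
    WantAssertionEncrypted="false"
    SingleSignOnServiceUrl="https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=xxxx-xxxx-xxxx-xxxx-xxxx&amp;idpid=xxxx"
    PartnerCertificateFile="idp.cer"
    SignatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    DigestMethod="http://www.w3.org/2001/04/xmlenc#sha256"/>
```

Note that in the SP role the relevant flags flip meaning: WantSAMLResponseSigned and WantAssertionSigned control what your application requires of the IdP, and at least one of them should be true or an unsigned response will be accepted.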

Related

How to validate oauth token in my application using load balancer?

I have an API project configured with OAuth for authentication. Since the application uses a load balancer to manage multiple requests, let's assume two servers (server-1 and server-2).
first request with valid credentials => server-1 (here the token was generated)
second request with the token included in the header => server-2
Now the second request gets "Authorization Denied". How do I handle this scenario?
I guess you are looking for something like vouch-proxy.
Here are some useful links:
Article: https://medium.com/lasso/use-nginx-and-lasso-to-add-google-authentication-to-any-application-d3a8a7f073dd
Project: https://github.com/vouch/vouch-proxy
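A different way to address the same symptom, shown here as an added example and not as the answer's own suggestion: make the token verifiable on any node. The "Authorization Denied" on server-2 is the classic sign of a token that only the issuing server can validate (per-process keys, or an in-memory token store). With a signed JWT and a signing key that every node loads from the same secret store, validation is purely local and gives the same answer whichever server the balancer picks. The code assumes the System.IdentityModel.Tokens.Jwt NuGet package and the API_TOKEN_SIGNING_KEY environment variable, issuer and audience values are placeholders.

```csharp
// Added example (not from the original answer): stateless bearer tokens that any node
// behind the load balancer can validate, because validation needs only the shared key
// and never the server that issued the token.
// NuGet: System.IdentityModel.Tokens.Jwt (pulls in Microsoft.IdentityModel.Tokens).
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class StatelessBearerTokens
{
    const string Issuer   = "https://api.example.com";   // ASSUMPTION: your API's own identifier
    const string Audience = "https://api.example.com";   // ASSUMPTION: identical on every node

    // ASSUMPTION: the key is provisioned identically on server-1 and server-2 from a secret
    // store or environment variable. Never generate it per process or per machine.
    static SymmetricSecurityKey SharedKey()
    {
        var secret = Environment.GetEnvironmentVariable("API_TOKEN_SIGNING_KEY")
            ?? throw new InvalidOperationException("API_TOKEN_SIGNING_KEY is not set");
        if (Encoding.UTF8.GetByteCount(secret) < 32)
            throw new InvalidOperationException("signing key must be at least 256 bits for HS256");
        return new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));
    }

    // Called once, on whichever server handles the credential login.
    public static string Issue(string subject, TimeSpan lifetime)
    {
        var now = DateTime.UtcNow;
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new[]
            {
                new Claim(JwtRegisteredClaimNames.Sub, subject),
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")), // unique id for revocation lists
            }),
            Issuer = Issuer,
            Audience = Audience,
            NotBefore = now,
            Expires = now.Add(lifetime),
            SigningCredentials = new SigningCredentials(SharedKey(), SecurityAlgorithms.HmacSha256),
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Called on every request, on whichever server the balancer picks. Returns the
    // principal, or null when the token is forged, expired, or meant for another audience.
    public static ClaimsPrincipal Validate(string token)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = SharedKey(),
            ValidateIssuerSigningKey = true,
            RequireSignedTokens = true,        // refuses alg=none
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };
        try
        {
            return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
        }
        catch (SecurityTokenException)
        {
            return null;
        }
    }
}
```

If the project is the common ASP.NET OWIN bearer-token setup rather than a JWT one, the equivalent fix is to give every node the same machineKey in web.config: OWIN protects its opaque OAuth tokens with the machine key, so a token encrypted on server-1 is undecryptable on server-2 unless both share it. Either way, the rule is the same: nothing needed to validate a request may live only in the memory of the server that issued the token.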

How to add SAML2 service provider with SingleLogoutService URL to jumpcloud?

I am working on ASP.NET MVC web applications. We have a requirement to implement SSO and SLO. My applications (at least 2 applications) are acting as service providers (SP) and I am using JumpCloud as the Identity Provider (IdP). I want to add an application on JumpCloud using SAML with the service provider's SingleLogoutService URL, but there is no option to add a SingleLogoutService URL on JumpCloud.
How do I add a SingleLogoutService URL for an application on JumpCloud?
How do I get the SingleLogoutService URL of JumpCloud (the Identity Provider)? The metadata exported from JumpCloud does not have a SingleLogoutService.
I am using ComponentSpace 2.6.0.2 for SSO with the low-level APIs. SSO has already been implemented and it is working fine.
Sample IdP metadata exported from JumpCloud (data removed for brevity):
urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified
I am not sure whether JumpCloud supports SLO or not. I posted a request for the SLO feature and have not received any reply yet.
While googling I found the following URL, which can be set up as the SLO URL:
https://console.jumpcloud.com/userconsole
However, I am not sure whether it will work or not.
Since I don't want to spend more time on research, I switched to Okta, and Okta supports Single Logout.

IdentityServer4 - Using External Authentication

I am trying to implement an authorization server using IdentityServer4, using the Hybrid Flow.
Let's say the URL is: auth.company.com
To authenticate users, the company uses a simple .NET MVC login/password form.
URL: client.company.com/login.html
My question is: how can I plug the authentication system into IdentityServer4?
I've tried adding this:
Startup.cs / ConfigureServices()
services.AddIdentityServer(SetupIdentityServer);

private static void SetupIdentityServer(IdentityServerOptions options)
{
    // point IdentityServer's login page at the existing external form
    options.UserInteraction.LoginUrl = "client.company.com/login.html";
    options.UserInteraction.LoginReturnUrlParameter = "referrer";
}
But it resulted in a "too many redirections" error between the auth server and the authentication server.
Thank you
I just replied to another question very similar to this, so this is a shameless copy and paste of that:
This will not work, as the identity server needs to issue its own cookie once authentication has taken place. This cookie is what allows the authorise endpoint to know who is signed in.
The intention of this model is that authentication takes place on the IdP or it is negotiated with an external provider via a suitable protocol. Therefore the appropriate approach in this case is to move the login UI into your identity server application. It's entirely up to you exactly how that is done and where it gets its data from, but it must be your IdentityServer4 that issues the cookie.
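What "move the login UI into your identity server application" looks like in code, as an added example that is neither the answer's own code nor part of the IdentityServer4 project: the login page is a local route on auth.company.com, the existing login/password backend is consulted through a hypothetical ICredentialValidator, and it is IdentityServer that calls SignInAsync and so issues the cookie its authorize endpoint will read. The IdentityServerUser sign-in extension assumes IdentityServer4 3.x or later; the interface, view model and route names are assumptions.

```csharp
// Added example (not from the original answer or from IdentityServer4 itself):
// login UI hosted inside the IdentityServer4 application so that IdentityServer
// issues the authentication cookie. The password check is delegated to the
// company's existing user store via the hypothetical ICredentialValidator.
// ASSUMPTION: IdentityServer4 3.x/4.x on ASP.NET Core.
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Startup.cs: the login URL is a route on auth.company.com itself, never another host.
public static class IdentityServerSetup
{
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer(options =>
        {
            options.UserInteraction.LoginUrl = "/Account/Login";
            options.UserInteraction.LoginReturnUrlParameter = "returnUrl";
        });
        // .AddInMemoryClients(...), signing credential, etc. as in the rest of the configuration
    }
}

// Hypothetical abstraction over the existing login/password backend (AD, SQL, a web service...).
public interface ICredentialValidator
{
    Task<ValidatedUser> ValidateAsync(string username, string password); // null when the check fails
}

public class ValidatedUser
{
    public string SubjectId { get; set; }   // stable, non-reassignable user id; becomes the "sub" claim
    public string DisplayName { get; set; }
}

public class LoginViewModel
{
    public string Username { get; set; }
    public string Password { get; set; }
    public string ReturnUrl { get; set; }
}

public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;
    private readonly ICredentialValidator _credentials;

    public AccountController(IIdentityServerInteractionService interaction, ICredentialValidator credentials)
    {
        _interaction = interaction;
        _credentials = credentials;
    }

    [HttpGet]
    public IActionResult Login(string returnUrl) => View(new LoginViewModel { ReturnUrl = returnUrl });

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginViewModel model)
    {
        var user = await _credentials.ValidateAsync(model.Username, model.Password);
        if (user == null)
        {
            ModelState.AddModelError(string.Empty, "Invalid username or password");
            return View(model);
        }

        // The step that cannot be outsourced to client.company.com: the cookie must be
        // issued by IdentityServer so /connect/authorize can tell who is signed in.
        var isUser = new IdentityServerUser(user.SubjectId) { DisplayName = user.DisplayName };
        await HttpContext.SignInAsync(isUser, new AuthenticationProperties { IsPersistent = false });

        // Only follow return URLs IdentityServer recognises as its own authorize callback;
        // anything else would turn the login page into an open redirector.
        if (_interaction.IsValidReturnUrl(model.ReturnUrl))
            return Redirect(model.ReturnUrl);
        return Redirect("~/");
    }
}
```

The redirect loop in the question comes from the external form never producing the cookie IdentityServer is waiting for, so each visit to the authorize endpoint bounces back to the login URL. Keeping the credential check behind ICredentialValidator means the existing backend can still own passwords; only the session cookie moves.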

How do I get a Refresh_Token from a ADFS 3.0 end point in C# MVC?

I have been securing a Web API using Rob Sander's instructions, found here: Securing a web api with adfs 3.0 and jwt tokens
I have successfully performed a login via ADFS using the usernamemixed endpoint and have received the encoded JSON Web Token (JWT). That's fine, and I can successfully validate the token with the X509 certificate found in the federation metadata XML on the ADFS server.
I have implemented a DelegatingHandler so that any Authorize attributes added to methods will be checked.
The final piece of the puzzle is where I can get the refresh_token from. It would make sense to come from an ADFS endpoint, and I thought it would be in the response from the usernamemixed end point, but it doesn't appear to be there. Also, how do I make a call to request a new access_token if I provide a refresh_token?
Normally, there's another OAuth endpoint. You would have /authorize, /token and /refresh.
Not sure if ADFS 3.0 implements this?
You can get it via:
Set-AdfsRelyingPartyTrust -TargetName "RPT Name" -IssueOAuthRefreshTokensTo AllDevices
More details here.
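The second half of the question, how to redeem a refresh_token for a new access_token, is shown below as an added example; it is not the answer's code. The WS-Trust usernamemixed endpoint returns only the security token, which is why no refresh_token appears in that response; refresh tokens belong to the OAuth2 side of ADFS, where the client first redeems an authorization code and then repeats the token call with grant_type=refresh_token. The code assumes the standard ADFS OAuth2 token endpoint path /adfs/oauth2/token, a public client registered with Add-AdfsClient (so no client secret is sent), refresh tokens enabled on the relying party with the Set-AdfsRelyingPartyTrust command above, and Newtonsoft.Json for the response body.

```csharp
// Added example (not from the original answer): redeeming an ADFS authorization code, then
// exchanging the refresh_token it returned for a fresh access_token.
// ASSUMPTIONS: endpoint path /adfs/oauth2/token; public client (Add-AdfsClient, no secret);
// refresh tokens enabled on the RPT with -IssueOAuthRefreshTokensTo; Newtonsoft.Json available.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public class AdfsTokenResponse
{
    public string AccessToken { get; set; }
    public string RefreshToken { get; set; }   // null when ADFS did not issue (or re-issue) one
    public int ExpiresIn { get; set; }         // seconds
}

public static class AdfsOAuth
{
    static readonly HttpClient Http = new HttpClient();

    // Authorization-code exchange: this is the response in which the first refresh_token arrives.
    public static Task<AdfsTokenResponse> RedeemCodeAsync(string adfsHost, string clientId, string code, string redirectUri)
        => PostTokenRequestAsync(adfsHost, new Dictionary<string, string>
        {
            ["grant_type"]   = "authorization_code",
            ["client_id"]    = clientId,
            ["code"]         = code,
            ["redirect_uri"] = redirectUri,   // must match the URI registered for the client
        });

    // Refresh: same endpoint, different grant_type. No user interaction.
    public static Task<AdfsTokenResponse> RefreshAsync(string adfsHost, string clientId, string refreshToken)
        => PostTokenRequestAsync(adfsHost, new Dictionary<string, string>
        {
            ["grant_type"]    = "refresh_token",
            ["client_id"]     = clientId,
            ["refresh_token"] = refreshToken,
        });

    static async Task<AdfsTokenResponse> PostTokenRequestAsync(string adfsHost, Dictionary<string, string> form)
    {
        var url = $"https://{adfsHost}/adfs/oauth2/token";   // ASSUMPTION: default ADFS path
        using (var response = await Http.PostAsync(url, new FormUrlEncodedContent(form)))
        {
            var body = await response.Content.ReadAsStringAsync();
            if (!response.IsSuccessStatusCode)
                throw new InvalidOperationException(
                    $"ADFS token endpoint returned {(int)response.StatusCode}: {body}");

            var json = JObject.Parse(body);
            return new AdfsTokenResponse
            {
                AccessToken  = (string)json["access_token"],
                RefreshToken = (string)json["refresh_token"],
                ExpiresIn    = (int?)json["expires_in"] ?? 0,
            };
        }
    }
}
```

The access_token that comes back is a JWT like the one from usernamemixed and must go through the same signature, issuer, audience and expiry checks in the DelegatingHandler before it is trusted. Keep the refresh_token server-side (it is a long-lived credential), and treat an error from RefreshAsync as "send the user back through the authorization-code flow", since ADFS returns a plain error when a refresh token has expired or been revoked.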

Sending custom information on SSO

I'm reading up on SSO with WIF, STS and so on. I ended up at this tutorial: http://chris.59north.com/post/2013/04/09/Building-a-simple-custom-STS-using-VS2012-ASPNET-MVC.aspx
I wonder how I can receive some custom data that I would like to send from the custom STS?
The Relying Party in this tutorial has no code that evaluates the response from the STS. If I'm correct, this is done by the Identity.Model.Service.
How can I send data from the IdP and receive it in the RP? Is it also possible to send some custom information on the SSO from the RP to the IdP?
As per the article: "The second method, GetOutputClaimsIdentity(), is just as simple. All that is needed here is to create a new ClaimsIdentity and add the required claims. In this case, I only set the Name and NameIdentifier claims."
So you can set any claims you want using this method; normally you would get the attributes from a repository such as AD.
The RP is built using WIF so you have a bunch of built-in methods. Refer: WIF Claims Programming Model
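Both halves of the exchange in code, as an added example that is not from the tutorial or the answer: the STS adds its own claims in GetOutputClaimsIdentity, and the RP reads them from the ClaimsPrincipal that WIF (System.IdentityModel.Services) has already built after validating the token. The claim type URIs under schemas.company.example and the LookupDepartment helper are assumptions standing in for a directory lookup; the GetScope body keeps only what a custom STS needs to issue a token and assumes the tutorial's configuration supplies the signing credentials.

```csharp
// Added example (not from the tutorial or the original answer): custom claims issued by
// a WIF STS and consumed by the relying party. .NET 4.5 WIF namespaces.
// ASSUMPTIONS: claim type URIs, LookupDepartment, and that the STS configuration
// (signing certificate, issuer name) is set up as in the tutorial.
using System;
using System.IdentityModel;
using System.IdentityModel.Configuration;
using System.IdentityModel.Protocols.WSTrust;
using System.Security.Claims;

public class CustomSecurityTokenService : SecurityTokenService
{
    // Claim types are URIs you own; both sides must agree on the exact string.
    public const string DepartmentClaim = "http://schemas.company.example/claims/department";
    public const string ClearanceClaim  = "http://schemas.company.example/claims/clearance";

    public CustomSecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
    {
        // Issue tokens only for relying parties you know; an open STS is a token oracle.
        if (request.AppliesTo == null || !request.AppliesTo.Uri.Host.EndsWith(".company.example"))
            throw new InvalidRequestException("Unknown relying party: " + request.AppliesTo?.Uri);

        var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials)
        {
            ReplyToAddress = request.ReplyTo ?? request.AppliesTo.Uri.AbsoluteUri,
            TokenEncryptionRequired = false, // true in production, with the RP's certificate as EncryptingCredentials
        };
        return scope;
    }

    protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        var userName = principal.Identity.Name;
        var identity = new ClaimsIdentity("CustomSTS");
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userName));

        // The "custom data" from the question: any claim added here is signed into the token.
        identity.AddClaim(new Claim(DepartmentClaim, LookupDepartment(userName)));
        identity.AddClaim(new Claim(ClearanceClaim, "internal"));
        return identity;
    }

    // Placeholder for the AD/HR lookup the answer mentions.
    static string LookupDepartment(string userName) => "engineering";
}

// Relying party side. WIF's WSFederationAuthenticationModule has validated the signature
// and populated Thread.CurrentPrincipal / User; the custom claims are simply read off it.
public static class RpClaims
{
    public static string Department(ClaimsPrincipal user)
    {
        var claim = user?.FindFirst(CustomSecurityTokenService.DepartmentClaim);
        if (claim == null)
            throw new UnauthorizedAccessException("department claim missing from token");
        // Never trust a claim value blindly: it is authenticated as coming from the STS,
        // not as being safe for every use (e.g. treat it as data, not as a file path or SQL).
        return claim.Value;
    }
}
```

For the other direction (RP to IdP), the passive WS-Federation sign-in request carries an opaque wctx parameter that the STS gets back as RequestSecurityToken.Context (this mapping is assumed from WIF's passive STS plumbing and worth verifying in the tutorial's FederatedPassiveSecurityTokenServiceOperations path). It is meant for correlation, not for data the STS should act on: anything the RP sends that way is attacker-controllable and must be validated like any other request input.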
