java,maven,gwt,saml-2.0,opensaml
After manually adding every dependency to our Sonatype Nexus and creating a new maven war project, it finally worked. It doesn't work with our main project though as dependencies are clashing. I guess sometimes it's good to re-invent the wheel to be able to reduce the amount of dependencies clashing....
single-sign-on,saml-2.0,wso2is
If you are using WSO2IS version 5.0.0 or higher, you can simply edit the HTML file which can be found at IS_HOME\repository\resources\security\sso_redirect.html. The following applies to WSO2IS 4.6.0 and older versions: It seems that the redirect page cannot be customized by using some extension. Please see this jira...
First, I want to highlight that Identity Server supports the following two profiles. SAML2 SSO Web browser based profile. (SAML2 Assertions are used) More details from here WS-Federation (Passive STS) profile. (SAML Assertion) Normally ASP.NET by default supports profile 2. Therefore you are integrating using Passive STS. It...
spring-security,saml-2.0,spring-saml
The secret to figure all this stuff out is to look at the sample apps context files and paste in everything, then remove the stuff you don't need. There is a ton of stuff in the sample app that isn't mentioned in the docs. I was able to get it...
The requirement is that the EntityId is a URI (not URL, in this case the difference between URIs and URLs is important). See "8.3.6 Entity Identifier" in the SAML2 Core spec. From the SAML 2.0 Specification: 8.3.6 Entity Identifier URI: urn:oasis:names:tc:SAML:2.0:nameid-format:entity Indicates that the content of the element is the...
I've noticed that if you don't initialize ("bootstrap") the SAML configuration, you get a NullPointerException (rather unhelpfully, I might add) when you try to construct the SAML. import org.opensaml.DefaultBootstrap; import org.opensaml.xml.ConfigurationException; try { DefaultBootstrap.bootstrap(); } catch (ConfigurationException ce) { } The above is just a snippet of code to illustrate...
security,single-sign-on,saml,saml-2.0
The assertions in your SAML response SHOULD be signed using a private/public key pair and xmldsig. If they are correctly signed, changing the contents of an assertion will invalidate the signature, and thus the assertion itself. Now, if the service provider doesn't require a signature, or doesn't bother checking the...
.net,single-sign-on,wif,saml-2.0,claims-based-identity
OK, indeed you are parsing real SAML2 messages. WIF does not support that. WIF probably considers this an unsigned Assertion. I would have to dig in with Reflector and/or the reference source. Anyway, you would have to do the parsing and verification yourself. And I personally do not use...
No, an SP can send SSO Requests using the HTTP Redirect binding as long as the IDP is configured to receive those requests over that binding. Separately, an IDP can send SSO Responses over any binding that it wants to, including HTTP POST, as long as the SP is able...
saml,saml-2.0,adfs,adfs2.0,openam
Unlike OpenAM, ADFS doesn't support SAML 2.0 Query Profiles including the AttributeQuery protocol. The available endpoints and profiles are listed here http://technet.microsoft.com/en-us/library/adfs2-help-endpoints(v=ws.10).aspx The WS-Trust standard (supported by ADFS) has a possibility to define which claims (attributes) should be returned as part of the security token. See an example of issuing...
authentication,oauth-2.0,saml-2.0
SAML is an authentication protocol, OAuth 2.0 is not. This means that OAuth 2.0 and SAML cannot be compared in the way you suggest since OAuth 2.0 does not pass attributes about a user who has just authenticated. On top of that, just-in-time (JIT) provisioning is rather independent of SAML...
A SAML Assertion is an XML document that represents a set of claims (i.e. name/value pairs) about a user asserted by an Identity Provider. A SAML Assertion is not a SAML message itself, but it is contained in a SAML Response message. Apart from that there are other SAML messages...
spring,single-sign-on,saml-2.0,opensaml
OpenSAML is the best (and possibly the only) Java library which simplifies low-level handling of SAML messages. You can find examples on how to use it to implement SAML IDP/SP components in the source code of products like Shibboleth or Spring SAML. You can also find some examples in this blog....
java,jquery,ajax,saml-2.0,attask
I solved the above problem by using this URL: https://domain.attask-ondemand.com/logout. Now the user is able to log out globally from the IDP and SP (WF) as well by hitting the given URL from my SP. However this URL is not accessible from an outside domain due to CORS, so I opened this link in...
saml,saml-2.0,opensaml,simplesamlphp
The attribute name "SAMLRequest" is defined as part of the SAML 2.0 standard. You can find more details about it in http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf, it's in chapter 3.4 HTTP Redirect Binding.
wso2,single-sign-on,saml-2.0,wso2is
I think this is an issue with the user store manager that you have written. As this is a null pointer exception, you can go through line 778 in the AbstractUserStoreManager and find out why null has been generated. I guess this is due to the fact that, in your custom...
rest,oauth,oauth-2.0,single-sign-on,saml-2.0
Indeed OAuth 2.0 can be used for this use case because it allows so-called clients (i.e. your unattended processes) to obtain an access token granted by developers and use that token against your APIs. A typical flow to use here is the code flow: you would run an Authorization Server...
spring-security,logout,saml-2.0,wso2is,spring-saml
HTTP-POST is a front-channel binding and its message exchanges must go through the User-Agent and use an HTML form. In case wso2is makes the POST call directly to the SingleLogout endpoint (in a similar fashion to the SOAP binding, without involvement of the user agent), they are unfortunately not following the...
I created a sample project in order to show how to integrate the Spring Security SAML Extension with Spring Boot. The source code is published on GitHub: spring-boot-saml-integration on GitHub ...
asp.net,virtual-machine,saml-2.0,adfs,federated-identity
A) Server 2012 can run inside of VirtualBox. B) When setting up the VM, you will want to choose the Bridged networking option. This will make your ADFS guest look like any other computer on your local network....
ldap,saml-2.0,openldap,pingfederate
You can simply use multiple data sources. Configure the filter of the other data source from the unique value of the first data source, e.g. uid=${userId}.
The following might solve your issue: Make sure to correctly endorse the libraries shipped with OpenSAML. Create your Decrypter with the rootInNewDocument property set to true: decrypter.setRootInNewDocument(true); ...
wso2,single-sign-on,saml-2.0,wso2is
How exactly is the session expired on the identity server? By default Identity Server 5.0 has a session timeout of 15 minutes, and the time can only be reduced using the web.xml (which is in the <IS_HOME>/repository/conf/tomcat/carbon/WEB-INF/ folder). If you installed Service Pack 1 for Identity Server 5.0, it has the session persistence...
wso2,session-cookies,saml-2.0,wso2is
samlssoTokenId is a cookie, and it's used by WSO2 Identity Server (IS) to find the user's SAML session. This cookie is set by IS, so the browser will automatically send it to IS whenever a request goes there. That means, if the user already has a SAML session on the IS side, when s/he...
The private key would be used by the IDP to sign the SAML tokens that are being generated and sent to the SP. The SP would use the public key certificate to validate the signature in the SAML token. The private-public key pair will be created by the IDP and...
c#,owin,saml-2.0,kentor-authservices
When using AuthServices (or any external login) together with ASP.NET Identity, the incoming claims are only used for looking up the ASP.NET Identity user in the database. The incoming user is then discarded completely and the user from ASP.NET Identity is loaded and used. In the default MVC5 template, the...
.net,webforms,code-behind,saml-2.0
Solution: Killed the entire aspx page. Created a new one through the studio tools, then merged the aspx and cs files together. Still not sure what went wrong (inheritance linking incorrectly, etc.) but the code is now compiling. Now to add the logging functionality as described above, and then actually add...
windows-authentication,saml,saml-2.0,adfs,adfs3.0
We have solved this by sending more authentication options and specifying Comparison to minimum <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="minimum" > <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef> <saml:AuthnContextClassRef...
validation,saml-2.0,pingfederate
This isn't going to be the most kosher of answers, but you need to understand why you're doing it before you can understand what you're doing. As such, I've compiled a list of the training videos that we host at Ping Identity. I would follow the order that I put them...
Your code: $response = new \SAML2_Response(); actually creates a new SAML 2.0 Response object instead of parsing the one that is posted back from the IDP. This call should be used by an IDP that wants to create a SAML response. You should be looking to execute something like the...
Name identifiers can be anything; an email address or a Kerberos principal name are common, every-day examples of such information. They do not always equal the username. Straight from the Shib documentation. Thus you could have a NameID coming back from your IdP as something completely unrelated to the username....
spring,spring-security,saml-2.0,spring-saml
Your IDP is re-using information that the user has authenticated earlier (at the time identified by Authentication Instant), and Spring SAML is by default configured to not let the user log in if she's been authenticated more than 7200 seconds ago. It's a security measure: if it's been a long time since the...
java,web-services,java-ee,saml-2.0,ws-trust
After a lot of googling I finally found this website, which helps step by step with how to set up SAML. http://wiki.servicenow.com/index.php?title=SAML_2.0_Web_Browser_SSO_Profile ...
spring-security,saml-2.0,spring-saml,okta
I got it to work! The key appears to be setting Request to "Uncompressed". From there, I removed "alias/defaultAlias" since this only seems to work when you set an alias on the ExtendedMetadata. My settings that work on the Okta side: Application label: Spring Boot SAML App Force Authentication: false...
java,spring,saml-2.0,spring-saml
The filterProcessesUrl property of samlWebSSOProcessingFilter is the correct answer and works fine. In my case, filterProcessesUrl must be set to "/sso". It was not working for me because I was setting it to the full endpoint URL (scheme://server:port/contextPath/sso) rather than just the path. As stated in the documentation, a few other properties must be set...
When, as you suggest, users will always be initiated from the IDP - and in fact every IDP that the SP is connected to - then there's no need to add SP initiated SSO support to your SP. Of course one may argue that having support for SP initiated SSO...
web-services,identity,saml-2.0
OpenSAML contains a metadata provider that can consume SAML metadata from a URL: http://svn.shibboleth.net/view/java-opensaml2/trunk/src/main/java/org/opensaml/saml2/metadata/provider/HTTPMetadataProvider.java Learn OpenSAML and use it, don't roll your own....
You can find all details on how to send messages using different bindings in the SAML 2.0 bindings part of the SAML 2.0 standard. For details on how to attach signature to a message sent using HTTP-Redirect binding see chapter 3.4. The supported length of redirect URL is unpredictable and...
asp.net,single-sign-on,saml,saml-2.0,adfs2.0
I'm answering from SAML and not from ADFS. Regarding question 2, I would expect that you would have received a block of XML called SAML Metadata that describes your customer's IDP. In that metadata, I would expect that you would receive your customer's public key (2.4.1.1 Element KeyDescriptor). I don't...
.net,single-sign-on,wif,saml-2.0,kentor-authservices
No, currently (version 0.12.0), there is no way to set an own IssuerNameRegistry. This is however something that I'm looking into, as part of #145. The change is however non-trivial, as it's not just to feed a configured IssuerNameRegistry to WIF because that only covers the case where the assertion...
active-directory,saml,saml-2.0,adfs
You have to set up the claims rules manually (or through PowerShell). ADFS does not look at that part of the metadata.
saml,saml-2.0,adfs,opensaml,pingfederate
I think you're confused between SAML and the authentication mechanism at the Identity Provider (IdP). Ultimately, the limit on credentials is at the IdP. SAML, in and of itself, is agnostic about the authentication mechanism used at the IdP. It simply doesn't care. All it does is provide a standards-based...
java,security,spring-security,saml-2.0,jwt
Both SAML and JWT are security token formats that are not dependent on any programming language. SAML is the older format and is based on XML. It's used commonly in protocols like SAML-P, WS-Trust and WS-Federation (although not strictly required). JWT (JSON Web Token) tokens are based on JSON and...
SAML is mainly an authentication protocol, but there are still many ways to solve this. SAML supports sending authorization information in an AuthzDecisionStatement in the assertion. Another alternative is to extend SAML using XACML, which is a big framework for transferring authz information. However, the support for these is limited in...
java,saml-2.0,shibboleth,opensaml
This is the reply I got from the official forum: A) An alternative API to be used in OpenSAML 3.1.1 for "SecureRandomIdentifierGenerator". A.1) Using OpenSAML 2.6, sample SessionID generation at the SP (non-Shibboleth SP component) is given below: SecureRandomIdentifierGenerator generator = new SecureRandomIdentifierGenerator(); sessionId = generator.generateIdentifier(); A.2) Using OpenSAML 3.1.1 ??? The...
node.js,encryption,passport.js,saml-2.0,shibboleth
Yes, the cert is the certificate of the identity provider -- not necessarily its HTTPS certificate though. Your shibboleth identity provider should have a provider metadata document. If you haven't already, you probably want to make sure the contents of uwIdpCert matches the <ds:X509Certificate> block in that document. (here is...
There are a few reasons why a digital signature might be seen as invalid. Altered Document: Ensure that the document you are signing is not in any way altered after it is signed. Even the addition of a whitespace character will invalidate the signature. Character Encoding: If your document contains...
c#,asp.net-mvc,asp.net-mvc-3,saml,saml-2.0
Yes - it is possible. You need to implement a SAML stack on your side. Refer SAML : SAML connectivity / toolkit and the two links at the top of that post. There are some open-source and some commercial stacks. The commercial ones have a lot of sample code and...
Update: A detailed explanation on using PySAML2 with Okta is now on developer.okta.com. Below is some sample code for implementing a SAML SP in Python/Flask. This sample code demonstrates several things: Supporting multiple IdPs. Using Flask-Login for user management. Using the "SSO URL" as the audience restriction (to simplify configuration...
java,spring-security,saml,saml-2.0,spring-saml
You should implement org.springframework.security.saml.userdetails.SAMLUserDetailsService and plug it into the samlAuthenticationProvider bean. In case the user doesn't exist you should throw a UsernameNotFoundException, otherwise just populate and return data from your DB. On top of that you should implement your own org.springframework.security.web.authentication.AuthenticationFailureHandler and plug it into the samlWebSSOProcessingFilter bean. This implementation will be...
As far as I know it is not specified how the IDP keeps track of security contexts. But I have never seen anything else than cookies. I'm not sure you need the tunnel. There will not be any direct communication between SP1 and SP2, only between the SPs and the IDP....
single-sign-on,saml-2.0,adfs,openam
The problem was that my IDP forces the use of only a URN in idpEntityID. The issue is solved. Thanks :)
I had this problem, too, and I ended up getting past it with something like the answer to this question: How to disable Subject Key Identifier in SecurityTokenResolver Change your existing line ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(serviceTokens.AsReadOnly(), false) to ServiceTokenResolver = new Saml2SSOSecurityTokenResolver(serviceTokens) and add a class like this: private class Saml2SSOSecurityTokenResolver...
c#,.net,asp.net-mvc,saml,saml-2.0
After discussing it with a colleague I think I figured out the course of actions. Both OAuthWebSecurity and WebSecurity appear to be a part of SimpleMembership, so what I wrote in the question would indicate I want to write a custom membership or reverse engineer SimpleMembership to copy OAuthWebSecurity (which...
You can find possible solutions to your problem in Ping's support center: https://www.pingidentity.com/support/solutions/index.cfm/SSO-fails-with-Unable-to-lookup-sp-or-idp-connection-metadata-for-entityid In the server.log, the error "Unable to lookup sp connection metadata for entityid" is seen. This is usually an indication that there is a mismatch between the Partner Entity ID (Connection ID) configured in the IDP-side PingFederate...
spring-security,saml-2.0,spring-saml
The CachingMetadataManager is synchronized and you can add/remove MetadataProviders during runtime by getting the bean from the application context and calling addMetadataProvider/removeMetadataProvider.
java,spring,saml-2.0,spring-saml
You're most likely hitting a bug in the underlying OpenSAML and SSL library which presumes that file JAVA_HOME/lib/security/cacerts or JAVA_HOME/lib/security/jssecacerts is present and can be read as a JKS or PKCS12 keystore. In your case the file is probably corrupted. Please try updating the cacerts file in your JDK with...
cookies,https,fiddler,saml-2.0
The answer, as found by a colleague, was that the redirect request was an XHR request since it started in JavaScript and was not a ‘normal’ browser redirect. Cookies are only allowed to be included on cross-domain XHR requests if the destination server allows the requester access. So, the fix...
Digital signing of what: the SAML token, the AuthN request ...? In terms of the token: No, that would break security. In terms of the AuthN request: yes, it's an option in the AuthN request. However, for this to work you would have to liaise with...
single-sign-on,x509certificate,saml-2.0
A1: when using the Redirect binding you put the signature in the URL query parameters A2: all URL query parameters should be url-encoded, just the SAML Request should be compressed and base64-encoded in addition to that. A3: use the PEM format since that is base64 encoded already but leave out...
You can find the actual SAML messages in the server.log file in PingFederate. So ../pingfederate/log is where those live.
In most cases users are created in local databases on the SP side the moment the user logs in through the IDP for the first time. And as the user always has to authenticate through the IDP in order to access the SP, it is safe (from a security point of view) to keep users which...
.net,single-sign-on,wif,saml-2.0,claims-based-identity
IssuerNameRegistry is a lookup table from Thumbprint to EntityID. Only Issuers in that table will be trusted. CertificateValidationMode is additional on top of the table requirement. "None" is almost always the best setting, because the trust is set up through metadata, normally not through chain trust to a CA. So ChainBuilding,...
azure,single-sign-on,wif,saml-2.0,acs
SAMLResponse is part of the SAML2p protocol - ACS does not support that. Maybe have a look at Azure AD instead - http://blogs.technet.com/b/ad/archive/2015/02/12/the-future-of-azure-acs-is-azure-active-directory.aspx...
java,google-app-engine,saml-2.0,shibboleth
You can embed Spring SAML Extension (product built on top of OpenSAML) into your application. It will enable you to act as a SAML 2.0 Service Provider. You can see a working demo of such approach at http://saml-federation.appspot.com/ which shows a Spring SAML sample application connected to SSO Circle IDP....
As addressed in the first answer, exchanging metadata is not required, it is an option. Note that since you're the Service Provider, you're not required (by spec) to sign your messages. The other way around is required of course: the IDP needs to sign its messages. So are you even...
In PingFederate terminology what you are trying to accomplish is last mile integration after the SAML assertion is processed by the PingFederate server operating in the SP role. There are two approaches that work best for providing subject & attribute information via last mile integration, mainly Agentless Reference ID integration...
c#,asp.net,saml-2.0,thinktecture
I have found the answer to this. The SAML assertion can be found in the ClaimsIdentity var icp = System.Security.Claims.ClaimsPrincipal.Current; var claimsIdentity = icp.Identity as System.Security.Claims.ClaimsIdentity; var token = claimsIdentity.BootstrapContext as System.IdentityModel.Tokens.BootstrapContext; For this to be populated you need to add the following to the web.config: <identityConfiguration saveBootstrapContext="true"> ...
angularjs,session,spring-security,saml-2.0,spring-saml
Spring SAML issues an ExpiringUsernameAuthenticationToken for authenticated users. The token starts returning false in its isAuthenticated() method once the SAML Assertion used to authenticate the user reaches its sessionNotOnOrAfter time. This behavior can be disabled by overriding SAMLAuthenticationProvider and changing method getExpirationDate(credential), which returns time when the Assertion expires, or...
No. For SAML 2.0 Web SSO, you cannot use HTTP-Redirect Binding for the AuthnResponse. Your only valid Bindings are HTTP-POST or HTTP-Artifact. Page 6 of the SAML 2.0 Conformance doc outlines the valid bindings for various scenarios-- http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf...
There is no universal answer as it depends on which IDP/federation you use and what is supported by it. Generally, the friendly name is just a human-readable identifier for the attribute and the value can be freely defined. The NameFormat and Name are defined based on Attribute Profile used by...
Part of the SAML's security model is verification of the intended endpoint - where IDP wants to deliver a SAML message - and endpoint where SP actually received the message - the two need to match. Therefore your SP metadata needs to include correct information about the URL where it...
PingFed doesn't currently have this functionality built in beyond turning on Auto-Connect. It is a current feature request.
c#,saml-2.0,claims-based-identity,kentor-authservices
The Kentor.AuthServices SP translates all attributes in the assertion to claims. If you set a breakpoint in your GetNameID method and inspect the claimsIdentity.Claims enumeration all attributes should be there. If they're not, please file an issue on the AuthService github page.
spring-security,saml-2.0,spring-saml
After spending some time, I found that this is not an issue. The Signature validation doesn't need a JKS keystore, as it is validated using the certificate-data/method in the SAML Response/Metadata. The only keystore required by us at the moment is for the decryption of the assertion and it works...
c#,asp.net-mvc-4,saml-2.0,pingfederate
SHA512 isn't supported out of the box for .NET applications (don't ask me why). It can be enabled on a per application basis. See http://stackoverflow.com/a/21435041/280222. This should work if pingfederate picks up the global algorithm list, but I've not worked with pingfederate myself so I'm not sure of the solution....