I'm new to SAML, SalesForce and PingFederate and have a need for integrating a Java based server with SalesForce and PingFederate using SAML assertions. Essentially what I need to be able to do is to allow a SalesForce authenticated user to use the Java based server without having to re-enter user/pass info when directed to the Java server from SalesForce. In turn, changes made from the Java server will need to be pushed back to SalesForce as well.
I've been trying to find Java code to handle authentication that I can incorporate with the Java based server, but I find only bits and pieces here and there, not a complete solution.
Is there any good Java sample code for authenticating against SalesForce with PingFederate using SAML?
TIA
There are a couple of things you need to clarify first; the solution would follow.
Who's going to be the Identity Provider, Salesforce or PingFederate?
Is the Java Application going to be a standalone SAML 2.0 Service Provider or directly integrated with PingFederate, which takes care of federation?
Salesforce as IdP:
Either configure a SAML 2.0 Connection between the Salesforce IdP and PingFederate as the SP. (Salesforce doc, PingFederate doc)
Or use the Salesforce Cloud Identity Connector for PingFederate, which provides an IdP adapter. (doc)
Salesforce as SP:
Either configure a SAML 2.0 Connection between PingFederate as the IdP and Salesforce as the SP. (PingFederate doc, Salesforce doc)
Or use the Salesforce Connector for PingFederate, which simplifies the configuration. (doc)
Java App as standalone SP:
Use one of the many SAML 2.0 Libraries for Java, then configure for PingFederate as the IdP.
Java App integrated to PingFederate:
Also called the "last-mile integration", PingFederate has several Integration Kits available which can be used for this purpose, the Java IK and the Agentless (or RefID) IK being the two coming to mind. Both of these include Sample Applications which can be leveraged. (Java IK doc, Agentless IK doc)
For your use case, there are three subsystems, mainly (1) PingFederate as the Identity Provider (IdP), (2) Salesforce as an application, and (3) your Java based server application. Single sign-on (SSO) occurs via PingFederate issuing SAML tokens to each application. Once an authenticated session occurs by accessing one of the two applications, the second will not be challenged to re-authenticate, granted the SSO policy has not expired.
There are two SAML connections here, mainly the Salesforce connection and the connection to your Java Application. There are many tutorials on the internet to configure the Salesforce-PingFederate SAML connection. Your question is asking "how to set up a connection to your Java based application from PingFederate". There are a couple of options here using PingFederate. I recommend you download the Agentless (also known as reference ID) integration kit and the Java Integration Kit. Both of these integration kits allow "last mile" integration to your Java based server application. Both of the kits have documentation and samples. My preference is the Agentless integration kit since it uses a REST API and does not require any libraries being compiled into your application.
Related
I need to develop a java Spring-Boot server that uses OAuth 2.0 to handle logins. Unfortunately, the very tight security on my office network prevents me from accessing well known OAuth 2.0 OpenId Connect providers like GitHub, so I need a fake OpenID Connect server to test my code. Everywhere I go for examples, I find advice that tells me to just use GitHub or some other site that's restricted. I'm not even clear on the protocol that a connection would use. How can I create a dummy OAuth 2.0 server (preferably in Java) to handle the identity layer of the protocol and feed me the necessary authorization grants?
My preferred way to go for unit and integration testing of Spring resource-servers (REST APIs secured with OAuth2) is to use no authorization-server at all and mock Authentication. Have a look at unit and integration tests in these tutorials or samples for illustration.
The exact way to do it depends on quite a few factors, but most are covered in samples linked above:
are you using MockMvc or WebTestClient?
Is your secured component under test a controller, a service, a repository?
What type of Authentication have you configured? (what is the output of SecurityContextHolder.getContext().getAuthentication().getClass()? )
Now, for working with real client (like Angular app) connected to real resource-server (Spring API), I use a real authorization-server: either one from staging environments or a Keycloak instance running on my own machine (standalone or in a docker container).
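The mock-Authentication approach this answer recommends, as an added example that is not taken from the answer's linked tutorials or samples: a small Spring Boot resource-server controller and a MockMvc slice test that injects a JWT-backed Authentication with the `jwt()` request post-processor from spring-security-test, so no authorization server is ever contacted. The `/me` endpoint, the `MeController` class, the `tenant` claim, the `SCOPE_profile` authority and the subject `alice` are all assumed for illustration; the `@MockBean JwtDecoder` satisfies the resource-server auto-configuration and is never invoked.

```java
// Added example: a Spring resource-server slice test that mocks the
// Authentication instead of talking to an authorization server.
// Assumes spring-boot-starter-oauth2-resource-server, spring-boot-starter-test
// and spring-security-test (Spring Security 5.2+) on the test classpath.
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.util.Map;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller under test: it echoes who the caller is.
@RestController
class MeController {
    @GetMapping("/me")
    Map<String, Object> me(@AuthenticationPrincipal Jwt jwt) {
        return Map.of("sub", jwt.getSubject(), "tenant", jwt.getClaimAsString("tenant"));
    }
}

@WebMvcTest(MeController.class)
class MeControllerTest {
    @Autowired MockMvc mockMvc;

    // The resource-server auto-configuration wants a JwtDecoder bean. A mock satisfies it;
    // it is never called, because jwt() places the Authentication straight into the
    // SecurityContext instead of presenting a token that would have to be decoded.
    @MockBean JwtDecoder jwtDecoder;

    @Test
    void authenticatedCallerSeesItsOwnClaims() throws Exception {
        mockMvc.perform(get("/me")
                .with(jwt()
                        // constructed claims: subject and a custom tenant claim
                        .jwt(j -> j.subject("alice").claim("tenant", "acme"))
                        .authorities(new SimpleGrantedAuthority("SCOPE_profile"))))
            .andExpect(status().isOk())
            .andExpect(jsonPath("$.sub").value("alice"))
            .andExpect(jsonPath("$.tenant").value("acme"));
    }

    @Test
    void anonymousCallerIsRejected() throws Exception {
        // No Authentication at all: the resource-server filter chain answers 401,
        // which proves the endpoint is not reachable without a token.
        mockMvc.perform(get("/me")).andExpect(status().isUnauthorized());
    }
}
```

The second test assumes the resource-server filter chain (the one Spring Boot builds when a `JwtDecoder` bean is present) is the active chain; it is the check that catches a misconfiguration where the endpoint is accidentally left open. The same `jwt()` post-processor also drives `WebTestClient` through its reactive counterpart, so the choice between the two mentioned above does not change the idea.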
I am implementing Single Sign On in java application via ADFS.
I have only the ADFS URL and its metadata.xml. ADFS is using SAML. I don't have access to the ADFS logs. I need to implement SSO, so I can only send requests from https? How can I achieve https on Tomcat? If, maybe, via Azure? Maybe I can set up this environment on Ubuntu? I used very many examples and none of them are working; usually, I get a response from the ADFS server saying "An error ocured, contact your administrator". Is there any tutorial that is working?
Found this useful posting on SO on how to ADFS SSO-enable a Java app. Hope this helps.
Your application needs to act as a SAML SP, either directly (from your code), or indirectly (e.g. through SAML SP support on reverse proxy, application server, ...).
For direct options (which require more modifications to your application) you can:
• code the SAML SP yourself (most likely with OpenSAML, you can find examples in sources of existing products)
• use a ready-made product to integrate into your application, such as Spring SAML or OpenAM Fedlet
For indirect options (which require less modifications to your application) you can:
• use Shibboleth SAML SP plugins on your Apache reverse proxy (if you use one)
• deploy SAML SP as another application on your container (e.g. Spring SAML or OpenAM) and make it communicate with your application - so SAML SP performs authentication with ADFS and communicates this to your application e.g. through a shared cookie, or a custom token
You can find more comparison details and considerations in this thread.
ADFS 3 should have support for OAuth Authorization Server and it might well be an easier way to integrate, see here and here. Implementing authentication using OAuth is generally significantly easier than SAML, with no relevant disadvantages.
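For the first direct option above (coding the SAML SP yourself), here is an added example, not code from this answer or from any of the products it names, of the core checks an SP must perform on a SAML 2.0 Response posted back by an IdP such as ADFS, using only JDK APIs. It assumes the IdP signing certificate has been copied from the `<ds:X509Certificate>` element in the metadata.xml the question mentions, and it uses placeholder entity IDs (`idpEntityId`, `spEntityId`) supplied by the caller. The class and method names are hypothetical.

```java
// Added example (not from the answer): what a hand-rolled SAML 2.0 SP must verify on a
// Response from the IdP before trusting the identity it carries. JDK-only, no OpenSAML.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Base64;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public final class SamlResponseValidator {
    private static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String DSIG = XMLSignature.XMLNS;

    private final X509Certificate idpCert;   // from metadata.xml, never from the message
    private final String idpEntityId;        // entityID attribute in metadata.xml (placeholder)
    private final String spEntityId;         // this SP's entityID (placeholder)

    public SamlResponseValidator(X509Certificate idpCert, String idpEntityId, String spEntityId) {
        this.idpCert = idpCert; this.idpEntityId = idpEntityId; this.spEntityId = spEntityId;
    }

    /** Turns the base64 text of <ds:X509Certificate> from the IdP metadata into a certificate. */
    public static X509Certificate certFromMetadataBase64(String b64) throws Exception {
        byte[] der = Base64.getMimeDecoder().decode(b64);
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
    }

    /** Parses untrusted XML with DTDs and external entities disabled (XXE hardening). */
    static Document parseHardened(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    /** Returns the verified Assertion element, or throws SecurityException. */
    public Element validate(byte[] samlResponseXml, Instant now) throws Exception {
        Document doc = parseHardened(samlResponseXml);
        NodeList assertions = doc.getElementsByTagNameNS(SAML, "Assertion");
        if (assertions.getLength() != 1) throw new SecurityException("expected exactly one Assertion");
        Element assertion = (Element) assertions.item(0);

        // 1. The enveloped Signature must be a direct child of the Assertion or of the Response.
        Element signed = assertion;
        Element sig = directChild(assertion, DSIG, "Signature");
        if (sig == null) { signed = doc.getDocumentElement(); sig = directChild(signed, DSIG, "Signature"); }
        if (sig == null) throw new SecurityException("no enveloped signature");

        // 2. Verify with the metadata key; any KeyInfo inside the message is ignored on purpose.
        DOMValidateContext ctx = new DOMValidateContext(idpCert.getPublicKey(), sig);
        ctx.setIdAttributeNS(signed, null, "ID");           // lets the "#ID" Reference resolve
        XMLSignature xmlSig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!xmlSig.validate(ctx)) throw new SecurityException("signature does not verify");

        // 3. The one Reference must cover the element that carries the Signature; otherwise a
        //    signed element could be accompanied by an unsigned one (signature wrapping).
        List<?> refs = xmlSig.getSignedInfo().getReferences();
        String expectedUri = "#" + signed.getAttribute("ID");
        if (refs.size() != 1 || !expectedUri.equals(((Reference) refs.get(0)).getURI()))
            throw new SecurityException("signature reference does not cover the signed element");

        // 4. Issuer, validity window and audience.
        if (!idpEntityId.equals(text(assertion, "Issuer"))) throw new SecurityException("unexpected Issuer");
        Element cond = directChild(assertion, SAML, "Conditions");
        if (cond == null) throw new SecurityException("missing Conditions");
        if (cond.hasAttribute("NotBefore") && now.isBefore(Instant.parse(cond.getAttribute("NotBefore"))))
            throw new SecurityException("assertion not yet valid");
        if (cond.hasAttribute("NotOnOrAfter") && !now.isBefore(Instant.parse(cond.getAttribute("NotOnOrAfter"))))
            throw new SecurityException("assertion expired");
        boolean audienceOk = false;
        NodeList aud = cond.getElementsByTagNameNS(SAML, "Audience");
        for (int i = 0; i < aud.getLength(); i++) audienceOk |= spEntityId.equals(aud.item(i).getTextContent().trim());
        if (!audienceOk) throw new SecurityException("assertion not addressed to this SP");
        return assertion;
    }

    private static Element directChild(Element parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling())
            if (n.getNodeType() == Node.ELEMENT_NODE && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName()))
                return (Element) n;
        return null;
    }

    private static String text(Element parent, String local) {
        Element e = directChild(parent, SAML, local);
        return e == null ? "" : e.getTextContent().trim();
    }
}
```

The validator deliberately takes the signing key from the metadata rather than from the `KeyInfo` in the message, and insists that the signature's Reference point at the element carrying it; both are the checks that ready-made libraries such as those named above perform for you. A production SP additionally checks the Response `Status`, the `SubjectConfirmationData` `Recipient` and `InResponseTo` values against the request it sent, and keeps a cache of seen assertion IDs to refuse replays; those depend on your request handling and are omitted here.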
I am developing an application which uses Spring Rest services. I am using basic auth for authentication. I know that it is insecure. My end clients are capable of handling OAuth. I want to use OAuth; can anyone point me to how to do OAuth in Java? I saw some examples, but they mention Twitter, Google and Facebook. I don't want to use social networking sites.
OAuth is a concept, not a library which you can inject (of course libraries exist to implement it).
So if you want to have OAuth in your application (i.e. your application has its own OAuth), you have to set up the following things:
• Authentication Server
• Provide provision to manage OAuth clients
• Manage access tokens
Check out the OAuth 2.0 Specification to get a clear understanding of how it works and how to build your own.
https://www.rfc-editor.org/rfc/rfc6749
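The three pieces the answer lists (an authentication server, client management, access-token management), as an added example that is not the answer's code and not any library's API: a minimal in-memory OAuth 2.0 authorization server that implements the client_credentials grant from RFC 6749 section 4.4 and the token response of section 5.1. There is no HTTP layer, so it plugs into whatever server you use; the class and method names are hypothetical, and it needs Java 16+ for records.

```java
// Added example (not from the answer): the smallest OAuth 2.0 authorization server that
// still gets client secrets, token randomness and token storage right.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class MiniAuthorizationServer {
    private static final SecureRandom RNG = new SecureRandom();

    /** A registered client: id, salted PBKDF2 hash of its secret, and the scopes it may ask for. */
    record Client(String clientId, byte[] salt, byte[] secretHash, Set<String> allowedScopes) {}
    /** What the server keeps about an issued token; the raw token itself is never stored. */
    record TokenRecord(String clientId, Set<String> scope, Instant expiresAt) {}
    /** The RFC 6749 section 5.1 success response fields. */
    record TokenResponse(String accessToken, String tokenType, long expiresIn, String scope) {}

    private final Map<String, Client> clients = new ConcurrentHashMap<>();
    private final Map<String, TokenRecord> tokens = new ConcurrentHashMap<>(); // key = sha256(token)
    private final Duration lifetime;

    public MiniAuthorizationServer(Duration lifetime) { this.lifetime = lifetime; }

    // --- client management ---------------------------------------------------------------
    public void registerClient(String clientId, char[] secret, Set<String> allowedScopes) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        clients.put(clientId, new Client(clientId, salt, pbkdf2(secret, salt), Set.copyOf(allowedScopes)));
    }

    // --- token endpoint, grant_type=client_credentials ------------------------------------
    public Optional<TokenResponse> clientCredentials(String clientId, char[] secret,
                                                     Set<String> requested, Instant now) throws Exception {
        Client c = clients.get(clientId);
        // Hash even for an unknown client so timing does not reveal which client_ids exist.
        byte[] salt = c == null ? new byte[16] : c.salt();
        byte[] presented = pbkdf2(secret, salt);
        if (c == null || !MessageDigest.isEqual(c.secretHash(), presented)) return Optional.empty(); // invalid_client
        if (!c.allowedScopes().containsAll(requested)) return Optional.empty();                    // invalid_scope
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);                                          // 256 bits of CSPRNG entropy
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(sha256(token), new TokenRecord(clientId, Set.copyOf(requested), now.plus(lifetime)));
        return Optional.of(new TokenResponse(token, "Bearer", lifetime.toSeconds(), String.join(" ", requested)));
    }

    // --- introspection and revocation, what a resource server asks the server -----------
    public Optional<TokenRecord> introspect(String token, Instant now) throws Exception {
        String key = sha256(token);
        TokenRecord r = tokens.get(key);
        if (r == null) return Optional.empty();
        if (!now.isBefore(r.expiresAt())) { tokens.remove(key); return Optional.empty(); } // expired: forget it
        return Optional.of(r);
    }

    public boolean revoke(String token) throws Exception { return tokens.remove(sha256(token)) != null; }

    private static byte[] pbkdf2(char[] secret, byte[] salt) throws Exception {
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(secret, salt, 100_000, 256)).getEncoded();
    }

    private static String sha256(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }

    // Constructed demo: register a client, obtain a token, use it, revoke it.
    public static void main(String[] args) throws Exception {
        MiniAuthorizationServer as = new MiniAuthorizationServer(Duration.ofMinutes(10));
        as.registerClient("reporting-job", "s3cr3t-placeholder".toCharArray(), Set.of("reports:read"));
        Instant now = Instant.now();
        TokenResponse tr = as.clientCredentials("reporting-job", "s3cr3t-placeholder".toCharArray(),
                Set.of("reports:read"), now).orElseThrow();
        System.out.println("active before revoke: " + as.introspect(tr.accessToken(), now).isPresent());
        as.revoke(tr.accessToken());
        System.out.println("active after revoke:  " + as.introspect(tr.accessToken(), now).isPresent());
        System.out.println("wrong secret issues token: "
                + as.clientCredentials("reporting-job", "wrong".toCharArray(), Set.of("reports:read"), now).isPresent());
    }
}
```

Two choices carry most of the security value: client secrets are stored only as salted PBKDF2 hashes and compared with `MessageDigest.isEqual`, and access tokens are unguessable random strings whose SHA-256 is the storage key, so a dump of the token table does not yield usable bearer tokens. Adding the authorization_code grant for browser-based end clients means adding a short-lived, single-use code and redirect-URI matching on top of the same client and token stores.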
I have a pair of web applications written in Java 1.6.X using Wicket-1.5.x. There is another organization where I work that maintains a public login portal for my web applications to integrate with that supplies user identities via ADFS/SAML tokens.
They actually provide a sample application for me to look at, but it's written in ASP.net. The part of the application that does the checking of identities is using the Windows Identity Foundation classes and therefore is a non-starter. Doing a web search on converting ASP.net code to Java code I found Grasshopper, but I have VS 2010 and it "requires" 2008 and won't install.
I've created a simple test page that displays all the cookies it can find and while I'm getting: JSESSIONID, utma, utmz, utmb, utmc, none of my received cookies looks like a SAML token.
I've tried running the hosted version of the other organization's sample, and the Sample.domain.com cookies don't even exist until AFTER their sample application's secure page loads. So how do I get the identity information if the cookies are not CREATED until after my page is loaded?
Is this where WS-Federation comes in?
I did eventually solve my problem. I ended up integrating Apache CXF Fediz with my application. It's still relatively new, but it works, and with some tweaks it was able to fulfill my needs.
WIF uses WS-Federation and there's no Java equivalent that I'm aware of.
However, you can use SAML. Refer: SAML : A SAML stack.
The Problem:
I want to implement a set of Webservices, protected with SAML. I need to authenticate the users, and also need to authorize based on the user role.
I found some questions similar to this one, but none with satisfactory answers.
The scenario:
Java Webapp accessed only using Webservices;
SOAP - metro;
Clients use some Desktop application that they will develop.
Key features that I need:
Free software;
SAML 2.0;
LDAP(or similar solution) to manage users information;
Message level security (SOAP).
The question:
I studied some SAML (SSO) solutions (e.g. Shibboleth, OpenAM, JOSSO...);
Can I use any of those without compromising any of the key features?
Or do I need to implement my own way to handle the SAML tokens?
How to do it?
Thank you!
Here are some results that I found, and/or some tips from the answers:
Shibboleth:
http://shibboleth.1660669.n2.nabble.com/Web-Service-End-to-End-Security-td5526934.html
Shibboleth doesn't do end-to-end, just point-to-point.
http://www.predic8.com/shibboleth-web-services-sso-en.htm
Requires a proxy module for authentication, before the SP.
OpenAM:
https://wikis.forgerock.org/confluence/display/openam/Web+Services
Doesn't present a service provider (SP). Defines a client-server architecture where the client explicitly asks for tokens when using web methods to authenticate.
WSO2:
http://wso2.org/library/articles/2010/07/saml2-web-browser-based-sso-wso2-identity-server
Doesn't provide SP, you need to implement it using OpenSAML.
Still searching, please contribute!!
I am an architect at WSO2. WSO2 produces WSO2 Identity Server, supporting all the features you required. You can deploy WSO2 Identity Server over an existing LDAP user store and make it act as a SAML2 IdP. We are using this functionality of Identity Server in our Platform as a Service [PASS] offering - https://stratoslive.wso2.com for SAML2 single sign on.
This is a good starting point and you can download WSO2 Identity Server from here.
Since no one answered with a valid option, I decided to secure the services with Metro SAML and try to provide the tokens using OpenAM.
For this you could have a look at jasig CAS.
We don't use SAML yet, but it should work as described here