I have a Java desktop app. I found a lot of online resources that talk about SSO authentication for web apps. I need the same thing for an old school desktop app. Basically, I need the app to open a browser window, have the user authenticate against ADFS and then get a token back.
How can I add SSO authentication with ADFS/SAML?
I found the answer.
First, the desktop app needs to show a browser window. This can easily be achieved using JavaFX WebView. I have successfully tested Google and ADFS login using JavaFX WebView. NB: If you use ADFS you must set up ADFS to use Form-based auth.
A helper webservice needs to be built. The webservice will provide a method secured by any federated authentication mechanism (SAML2, OAuth, etc). I haven't been able to do this in Java. There are some solutions like JOSSO but they're ridiculously cumbersome or severely lacking. However, C# has outstanding support for federated auth which makes it an excellent choice for this task.
When the user needs to authenticate, the desktop app shows the browser window which automatically calls the method above. After the federated auth handshake, the browser will be able to access the method. This method tells the desktop app whether the calling user is allowed access.
The final step is to close the browser window and log in the user.
NB: This is not an easy task. It takes about a week's worth of work to put everything together.
Desktop apps. don't have browsers.
WS-Fed and SAML are built around browser redirects.
Why do you need SAML? What about OpenID Connect / OAuth?
If that's an option have a look at the ADAL Java samples - Azure Active Directory Authentication Libraries. There is limited OAuth support in ADFS. V3.0
Your other alternative is to use the active profile (web services) rather than the passive (browser).
But that's WS-Trust not SAML.
Related
i am trying to create a javafx application has a button when clicked, opens the user's web browser and authenticates the person using SAML after which the user is redirected back to the application with authorization code. if valid verification, the user is granted access to more scenes. Now i understand using saml in java desktop is difficult. however if any other alternative is available i'll like to have it and also a tutorial or sample on how to go about its usage
I know that CAS is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password.
So, How can i use Jasig CAS server for android mobile applications ? some guidelines would be very useful!
Actually there exist two ways of doing this, each of them has some drawbacks.
1) Expose the REST interface (here you'll find a simple JAVA client that consumes them and a iOS sample how to use it on a mobile)
The problem here is that if somebody downloads your application from the store and checks the network traffic in it (or simply decomposes it) he'll find the calls you make. With this he could create an APP that does the same as you do, and log the passwords entered by the users (like a man-in-the-middle attack)
2) Open the real website in a web view inside your APP
You'll need to create a modle login page, or a responsive one on your CAS server so that it looks nice. Obviously even here somebody could theoretically copy your APP and the Website on your CAS fake both to look like your APP grab the username and password and send it in background to your CAS to give to the user the impression that everything went right but it is much more complex.
However even here u'll need to tweak the CAS; CAS is designed to accept a login for a service to which it would redirect after successful login. Therefore in this case you'll need to add a fake service to the CAS configuration and check if the webview will redirect to it. when that happens u'll find the TGT in the CASTGC cookie.
In our first APPs we used the REST version, but then as we use our CAS for websites too we wanted to restrict the REST access only to other servers in the facility, so we came up with the second solution which seems to fit better, but overall CAS seems not to be prepared for mobile APPs
You can set up CAS in order to expose REST service, this allow to validate credentials.
Documentation: https://wiki.jasig.org/display/casum/restful+api
How can I authenticate a user onto IIS. Actually my purpose is that an online user to make supply enter the application by using a kind of verification. And on the other hand we have Microsoft web system. So probably, I need to solve the authentication issue on IIS. Essentially I know how to secure and authentication AMX page within weblogic system. Basic HTTP Authentication is a standard though and ADF mobile useS it too. But can it handle my expectation, I cannot be sure.
What is the best practice and best way?
This is acutally a question to the IIS guys - all you need is a URL on that server that will prompt you for a basic authentication.
I'd like to use the google universal analytics API on the server side. The idea is that there is a browser app showing some graphs which is open to the intranet and doesn't require a login at all. So server either does the login for client and provides the working token to the client or the server provides all the data to the client as well. Oauth login docs and libs from google rely on redirect urls etc which sounds painful for a server-side login . So is it possible and are there any tutorials?
I’m looking for a bit of feedback on the practice of requesting users to authenticate to an intranet based web app by entering their AD credentials directly in form fields. For example, using domain\username and password fields as opposed to using the native browser based challenge window for integrated authentication. In the form based example, credentials are passed to the application in plain text and it’s essentially up to the integrity of the application to handle the data appropriately. It seems to me this is the equivalent of entering my Open ID credentials directly into a host app on the Internet.
So my questions are:
Is there any best practice guidance on authenticating to a custom web app (assume predominantly .NET / Java stacks) in an AD environment?
Can you think of any legitimate circumstances where this is really necessary?
Is this a legitimate concern or am I just being paranoid?!
In a highly secure environment, users would be encouraged to only enter their credentials when using the Secure Attention Sequence CTRL-ALT-DEL, which is designed so that it can't be intercepted by applications.
So in such an environment, even the browser challenge window for authentication would be suspect. Instead you would log on locally using the same AD credentials as you need to access the website, and would be authenticated without needing to be prompted.
I'd say entering AD credentials in form fields is extremely suspect if the credentials can also be used for access to other sensitive resources. Even if the app developers are well-intentioned, it is an unnecessary security hole. For example, anyone who has write access to the web directory can easily replace the login form and capture credentials.
If it's a browser based application, why wouldn't you just enable Windows authentication in your web.config (not sure what the equivalent is in the Java world, sorry) and let the browser handle authentication.
Otherwise, I'd say if you do this over a secure transport (SSL) then you should be ok. Microsoft's own products often use form fields to submit AD credentials (I know Outlook Web Access and Internet Security & Acceleration Server both do this).
The best approach is to use Kerberos tokens instead of an encrypted username/password.
This open source library, http://spnego.sourceforge.net, will allow your java web apps to perform integrated windows authentication using Kerberos tokens.
The library is installed as a servlet filter so you will not have to write any code.