I set up a gerrit server.
For authentication gerrit allows among others OpenId and OpenId_SSO.
The first one works fine, but requires me to enter the whole long OpenId.
As I only want to allow a single provider the second option sounds perfect.
To use this, I have to supply the parameter auth.openIdSsoUrl which is "The SSO entry point URL".
How can I find out the correct URL to enter?
I already tried to use wireshark to monitor the http conversation during the normal OpenId login. But the URL involved there seems not to be the right one.
What exactly is an "entry point" in that context?
BTW: I currently use my own Atlassian Crowd as a OpenId server.
Edit: The java code involved can be found here.
The "entry point" is an OpenID endpoint URL. Using it to authenticate allows the OpenID server to say which user is authenticated, rather than requiring users to supply their own identifier. It's not used in the OpenID process unless you provide it, so it won't show in Wireshark logs.
From Crowd 2.6 there is an endpoint URL, which will end in openidserver/op.
Sorry for my poor English...
I'll do my best to write the question.
Basically, Keycloak provides a login page where the login form has some name and value parameters determined by Keycloak (for example session_code, execution, client_id, tab_id).
This way is server-side rendering (SSR).
However, I want to do the login process with Keycloak in an API way. In this case, it's not possible to use those parameters.
How do I use the APIs below to log in?
enter code here:8180/auth/realms/{realm}/login-action/authenticate
enter code here:8180/auth/realms/{realm}/protocol/openid-connect/certs
enter code here:8180/auth/realms/{realm}/protocol/openid-connect/token
It's not good practice from a security point of view to host your login page somewhere else. It would be better to let Keycloak keep control over the login process so that the integrity of the overall process is kept. But in case you really need to do that, you can have your own UI hosted somewhere else and send the credentials you received from the user to Keycloak via the OAuth password grant type. It's not recommended and is going to be deprecated. I suggest you check the recommended approaches mentioned here.
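What the password grant the answer mentions looks like on the wire, and the minimum checks an API client should run on the access token it gets back, as an added example that is not part of the original question or answer and not Keycloak's own code. It assumes a Keycloak at http://localhost:8180/auth, a realm "myrealm" and a public client "myclient" (all hypothetical). Signature verification against the realm's /protocol/openid-connect/certs keys is still required before the token is trusted; the example stops at the claims checks.

```python
"""Added example: Keycloak resource-owner-password grant and access-token claim checks.
Assumed values: BASE_URL, REALM, CLIENT_ID. Signature verification (JWKS) not included."""
import base64
import json
import time
import urllib.parse

BASE_URL = "http://localhost:8180/auth"   # assumption
REALM = "myrealm"                         # assumption
CLIENT_ID = "myclient"                    # assumption
ISSUER = f"{BASE_URL}/realms/{REALM}"     # Keycloak puts the realm URL in "iss"


def token_endpoint(base=BASE_URL, realm=REALM):
    return f"{base}/realms/{realm}/protocol/openid-connect/token"


def build_password_grant(username, password, client_id=CLIENT_ID, client_secret=None):
    """Return (url, headers, body) for a grant_type=password request.
    Keycloak only honours it if 'Direct Access Grants' is enabled on the client."""
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": "openid",
    }
    if client_secret:                      # confidential client
        form["client_secret"] = client_secret
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return token_endpoint(), headers, urllib.parse.urlencode(form)


def parse_token_response(json_text):
    """200 carries the tokens; 4xx carries {"error": ...} (e.g. "invalid_grant"
    for bad credentials). Return None on error so callers cannot miss it."""
    data = json.loads(json_text)
    if "error" in data:
        return None
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_in": data.get("expires_in"),
    }


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Split a compact JWS into (header, claims, signature_b64) WITHOUT verifying."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)),
            sig_b64)


def validate_claims(claims, expected_issuer=ISSUER, expected_client=CLIENT_ID, now=None):
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    # Keycloak names the requesting client in "azp"; "aud" is often just "account"
    if expected_client not in aud and claims.get("azp") != expected_client:
        problems.append("audience/azp mismatch")
    if claims.get("typ", "Bearer") != "Bearer":
        problems.append("not a bearer token")
    return problems


def demo(now=1_700_000_000):
    """Constructed, unsigned demo tokens: one valid, one expired and issued to another client."""
    good = {"iss": ISSUER, "exp": now + 300, "aud": "account", "azp": CLIENT_ID,
            "typ": "Bearer", "preferred_username": "alice"}
    header = _b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    token = f"{header}.{_b64url_encode(json.dumps(good).encode())}."
    _, claims, _ = decode_jwt_claims(token)
    stale = dict(good, exp=now - 1, azp="other-client")
    return validate_claims(claims, now=now), validate_claims(stale, now=now)
```

The body from build_password_grant() is POSTed to the token endpoint (L22 in the question); parse_token_response() turns the JSON into tokens or None. Because the client sees the user's password in this grant, it also inherits every obligation Keycloak's own login page would have had (rate limiting, no logging of the form body, TLS only), which is the reason the answer steers away from it.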
We have about a dozen internal admin web apps (mostly Java) that employees use for various workflows, and each of them has its own, disparate sign-in/authentication system. I've been asked to federate them all together under a single sign-on system. I was handed the following diagram to use as a starting point:
As you can see, each app uses a CAS client to connect to a CAS server. This server also has Apache httpd with a Shibboleth plugin (?) configured. This CAS server then communicates with our Active Directory ("AD") server.
I need to make sure I completely understand how these technologies all work together:
What is happening between the CAS server and Apache/Shibboleth?
What is happening between Apache/Shibboleth and the "Trust Store"?
What is being communicated between the CAS server and AD?
What is stored in this SAML2 token being sent back from the CAS server to each CAS client?
What can I, as a Java developer, do with the SAML2 token (or lack thereof if auth fails) to actually sign users in?
Are there any better technology choices here: if so what are they, and why? Bear in mind that all of these are Java apps, except one of them, which is a C#.NET app.
Here are a few of your answers:
First, let me give you a quick overview of how the interaction between a CAS client and a CAS server normally works: (I am not familiar with the Shibboleth portion, so I am omitting that.)
User hits the application webpage.
application redirects user to CAS.
CAS, using standard cookies and sessions, determines if user is already logged in.
If the user is not logged in, CAS displays a login form for the user to provide login credentials. If the user is already logged in, CAS skips to step #7.
CAS then interacts with the AD to verify that the provided credentials are valid.
if they are, then CAS logs in the user.
then CAS will redirect back to the application, providing a ticket.
The application makes a direct call to CAS to validate the provided ticket.
If the ticket is valid, then CAS returns user information as a response to the request.
The application then creates an authenticated session for the user, potentially looking up user information based on the info provided by CAS, and redirects them wherever is appropriate.
Now for your questions:
CAS and AD: CAS will actually log in to AD and use the user-provided credentials to find and authenticate the user. If you are using a forest, make sure you use the correct port to log into the Global Catalog, as that is easy to miss.
The contents of the token are not significant, as the standard CAS protocol will send the token back to CAS and retrieve user details in the response.
As a developer, there is actually very little you can do with the token, as it is tied to the application and can only be used once, and, for security reasons, has to be used within a very short amount of time (i.e., sent back to CAS to be validated) or it will expire.
If you are doing primarily CAS and you have the ability to do your own CAS clients in your applications, CAS can be a very nice solution. Unfortunately, CAS does not have full SAML2 support, using its own protocol instead, though CAS's protocol is very similar to the ARTIFACT profile for SAML2. If you want to integrate with other SAML2 clients, some work needs to be done.
Also, if your java applications happen to use Spring, Spring security includes a CAS client out of the box.
It is also pretty easy to write a custom client as you can see that the protocol is not terribly complex.
Also, while it is a bit more work and can be a pain to set up, if your employees already log in to your domain via Windows, then you can actually piggyback on that and configure CAS to use the Windows login information users have already provided rather than prompting users with a login form making them re-enter their Windows credentials.
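The client half of the ten-step exchange described above, as an added example that is not part of the original answer and not code from the CAS project. It assumes a CAS server at https://cas.example.com/cas and an application callback at https://app.example.com/login/cas (both hypothetical), and the two XML documents at the bottom are constructed CAS 2.0 serviceValidate responses, not output captured from a real server.

```python
"""Added example: CAS 2.0 client steps (redirect, ticket pickup, validation, response parsing).
Assumed values: CAS_BASE, SERVICE; SUCCESS_XML and FAILURE_XML are constructed samples."""
import urllib.parse
import xml.etree.ElementTree as ET

CAS_BASE = "https://cas.example.com/cas"         # assumption
SERVICE = "https://app.example.com/login/cas"    # assumption: the app's service URL
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}   # namespace used by CAS 2.0 responses


def login_redirect_url(service=SERVICE, cas_base=CAS_BASE):
    """Step 2: the app redirects an unauthenticated browser here."""
    return f"{cas_base}/login?{urllib.parse.urlencode({'service': service})}"


def extract_ticket(callback_url):
    """Step 7: CAS sends the browser back to the service URL with ?ticket=ST-..."""
    query = urllib.parse.urlparse(callback_url).query
    ticket = urllib.parse.parse_qs(query).get("ticket", [None])[0]
    return ticket if ticket and ticket.startswith("ST-") else None


def validate_url(ticket, service=SERVICE, cas_base=CAS_BASE):
    """Step 8: the app calls this URL server-to-server (HTTPS, with the CAS
    certificate in its trust store). 'service' must equal the one used at /login,
    and the ticket must be redeemed at once: it is single-use and short-lived."""
    q = urllib.parse.urlencode({"service": service, "ticket": ticket})
    return f"{cas_base}/serviceValidate?{q}"


def parse_service_response(xml_text):
    """Step 9: parse the CAS 2.0 XML. Returns {"ok": True, "user", "attributes"} or
    {"ok": False, "code", "message"}. Attribute values are lists because CAS repeats
    an element for multi-valued attributes such as memberOf."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code"),
                "message": (failure.text or "").strip()}
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return {"ok": False, "code": "MALFORMED", "message": "no success or failure element"}
    attrs = {}
    attr_el = success.find("cas:attributes", CAS_NS)
    if attr_el is not None:
        for child in attr_el:
            name = child.tag.split("}", 1)[-1]      # strip the namespace prefix
            attrs.setdefault(name, []).append((child.text or "").strip())
    return {"ok": True,
            "user": success.findtext("cas:user", namespaces=CAS_NS),
            "attributes": attrs}


# Constructed sample responses (not captured from a real CAS server)
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.com</cas:mail>
      <cas:memberOf>CN=admins,OU=Groups,DC=example,DC=com</cas:memberOf>
      <cas:memberOf>CN=staff,OU=Groups,DC=example,DC=com</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-0001-example not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""
```

Step 10 (creating the application session) is whatever the app already does for a logged-in user, now keyed on the returned user name and attributes; the "SAML2 token" in the diagram never needs to be inspected by the application itself, which is the point the answer makes.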
I have an application (client application) hosted in a Tomcat server and this application has to be integrated as a tab in another application (parent application). In the parent application the user authentication is done. In the parent application HTML we are using an iframe to integrate the client. Everything is working fine except this. The problem is, if someone knows the URL they can access the client application. How can we avoid this? We are using Java, Servlet, HTML, Tomcat as technologies.
Thanks :)
One of possible solution is token based authentication.
The parent application should add a special token either as a URL parameter or as an HTTP header. The token should contain authentication information in encrypted form. The "client" application should extract the information and decide whether authentication passed or failed. In order to guarantee that no one can copy this token and then get unauthenticated access to your application, you should make the token one-time or limited in time range.
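One way to build the one-time, time-limited token the answer describes, as an added example that is not part of the original answer: the parent app signs a small payload with HMAC-SHA256 over a secret shared with the client app, and the client app rejects anything with a bad signature, outside its validity window, or already redeemed. The shared secret, payload fields and 60-second TTL are assumptions for this example; the in-memory replay store stands in for whatever session or cache store the real deployment uses.

```python
"""Added example: signed, one-time token passed from the parent app to the iframe'd client app.
Assumed values: SECRET (shared out of band), TTL_SECONDS, payload layout."""
import base64
import hashlib
import hmac
import json
import os
import time

SECRET = b"shared-secret-from-config"   # assumption: provisioned to both apps
TTL_SECONDS = 60                         # assumption: token must be redeemed within a minute


def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(username, roles, now=None, secret=SECRET):
    """Parent app: sign {user, roles, iat, exp, jti} with HMAC-SHA256.
    The random jti is what lets the client app enforce single use."""
    now = int(time.time()) if now is None else now
    payload = {"user": username, "roles": roles, "iat": now, "exp": now + TTL_SECONDS,
               "jti": _b64e(os.urandom(16))}
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64e(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class TokenVerifier:
    """Client app: verify signature, validity window and single use before serving anything."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.seen = {}   # jti -> exp, for replay detection

    def verify(self, token, now=None):
        """Return the payload dict if the token is acceptable, else None."""
        now = int(time.time()) if now is None else now
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = _b64e(hmac.new(self.secret, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):      # constant-time comparison
            return None
        payload = json.loads(_b64d(body))                # only trusted after the MAC check
        if not (payload["iat"] - 5 <= now < payload["exp"]):   # 5 s clock-skew allowance
            return None
        if payload["jti"] in self.seen:                  # replayed token
            return None
        self.seen[payload["jti"]] = payload["exp"]
        self.seen = {j: e for j, e in self.seen.items() if e > now}   # forget expired jtis
        return payload
```

Send the token in a header or POST body rather than the query string where possible, since URL parameters end up in access logs and Referer headers; and since the MAC covers the whole payload, it is integrity-protected rather than encrypted, so keep anything sensitive out of it or add encryption separately.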
You can also use x-frame-options in your header. I found this article with some quick googling: http://www.jtmelton.com/tag/x-frame-options/
This will prevent your app from loading in frames except for the domains which you allow permission. You might check into browser compatibility, I'm not sure when this was implemented in different browsers.
Also, you can check the 'host' and 'referrer' header fields to check that requests are coming from a domain you trust before sending a response.
OAuth is the standard for authorizing third party apps. You should check into that as an authentication approach.
None of these will give you a completely secure app. You should consider consulting with a security expert.
From parent application add cookie and from child application get that cookie and validate user.(if both are running on same domain).
I want the user to be able to Single-Sign-On, i.e. once logged on as Windows User, all services offered by my application should be accessible without further authentication.
In order to authenticate the user I'm using JAAS (Java Authentication and Authorization Services), which is integrated in Java.
The Java API ships also with a several JAAS LoginModules. One of them is called NTLoginModule, which retrieves user information about the currently logged on Windows User.
Where does NTLoginModule retrieve its information from?
Can I use the information returned by NTLoginModule in order to authenticate the current user in a safe manner?
Are there any security issues I have to know about?
Thank you in advance!
I cannot help with JAAS; last time I did SSO with NTLM, it was based on jCIFS.
However, I'm replying to your third point: there are security issues with NTLM.
NTLM is quite weak (even v2), and you should lock accounts after a given number of login failures (to avoid brute-force attacks).
NTLM cannot work over a firewall.
An NTLM token cannot be trusted by a third party, leading to the double-hop problem. Your application cannot take the identity of the logged-in user to call another NTLM-protected server (like a web service, an RSS feed, or any web resource).
NTLM is not supported by all browsers. Internet Explorer and Chrome work natively; Firefox needs a configuration edit for each targeted site; Opera and Konqueror don't support NTLM at all.
As I said in the comment to rds' answer: "I learned that NTLoginModule is quite insecure. I was able to fake the returned username by replacing the NTUserPrincipal.class file in the rt.jar package and so I was able to return a bogus user name. So it's not suitable for any kind of authentication."
Additionally, by doing some research I found out that NTLoginModule retrieves its information from nt.dll, which is part of the Java native libraries for Windows. nt.dll uses advapi32.dll in order to retrieve the current user's information.
Has anyone tried this: create an openid4j servlet and try to authenticate with Google OpenID? I tried it and failed, and so want to get confirmation from you all. I am able to authenticate with yahoo_email and myopenid.com.
I don't have personal knowledge of openid4j, but I can't imagine they wouldn't support Google's OpenID. Google OpenID is just standard OpenID 2.0, although they have a few notable differences in normal behavior that you should be aware of:
You should kick off authentication by supplying the URL https://www.google.com/accounts/o8/id instead of just gmail.com or google.com since Google hasn't made those simple domain names OP Identifiers yet.
They don't support delegation, and you cannot start an authentication using a user's claimed_id. Only OP Identifiers work.
If the user clicks "Always remember me" for the site during login, Google won't supply any AX attribute values to the RP on subsequent logins (the RP must store the initially received values).
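Both the Gerrit "SSO entry point" question at the top of this page and the Google OP Identifier discussed in this answer come down to the same OpenID 2.0 mechanism: the relying party sends the user straight to an OP endpoint URL with claimed_id and identity set to identifier_select, and the OP's signed positive assertion says who the user is. The following is an added example of a relying party doing that and verifying the assertion; it is not part of any answer here and not openid4j's or Gerrit's code. It assumes an OP endpoint https://op.example.com/openidserver/op, a return_to of https://rp.example.com/openid/return, and an association handle and 32-byte HMAC-SHA256 key already obtained from the OP (all hypothetical); the assertion it checks is constructed in the block, not a real OP response. One caveat a reader of this answer needs today: Google shut down its OpenID 2.0 endpoint in 2015, so https://www.google.com/accounts/o8/id is only a historical placeholder.

```python
"""Added example: OpenID 2.0 RP using an OP endpoint directly (identifier_select)
and verifying the signed positive assertion. Assumed: OP_ENDPOINT, RETURN_TO,
ASSOC_HANDLE, MAC_KEY; sample_positive_assertion() is a constructed response."""
import base64
import calendar
import hashlib
import hmac
import time
import urllib.parse

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL = "http://axschema.org/contact/email"

OP_ENDPOINT = "https://op.example.com/openidserver/op"   # assumption: the "entry point"
RETURN_TO = "https://rp.example.com/openid/return"       # assumption
ASSOC_HANDLE = "assoc-demo-1"                            # assumption: from an associate request
MAC_KEY = b"\x01" * 32                                   # assumption: HMAC-SHA256 association key
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def build_checkid_request(op_endpoint, return_to, realm, assoc_handle=None):
    """RP -> OP redirect. identifier_select lets the OP choose the identity,
    so the user never has to type an OpenID URL."""
    params = {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
              "openid.claimed_id": IDENTIFIER_SELECT, "openid.identity": IDENTIFIER_SELECT,
              "openid.return_to": return_to, "openid.realm": realm,
              "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request",   # ask for e-mail
              "openid.ax.type.email": AX_EMAIL, "openid.ax.required": "email"}
    if assoc_handle:
        params["openid.assoc_handle"] = assoc_handle
    return op_endpoint + ("&" if "?" in op_endpoint else "?") + urllib.parse.urlencode(params)


def signature(fields, mac_key):
    """base64(HMAC-SHA256) over the key-value form 'name:value\\n' of every
    field named in openid.signed; this is what the OP places in openid.sig."""
    kv = "".join(f"{n}:{fields['openid.' + n]}\n" for n in fields["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


class RelyingParty:
    def __init__(self, op_endpoint, return_to, assoc_handle, mac_key):
        self.op_endpoint, self.return_to = op_endpoint, return_to
        self.assoc_handle, self.mac_key = assoc_handle, mac_key
        self.seen_nonces = set()

    def verify(self, query_string, now, max_skew=300):
        """Check the OP -> RP positive assertion carried in the return_to query string."""
        f = dict(urllib.parse.parse_qsl(query_string))
        fail = lambda why: {"ok": False, "error": why}
        if f.get("openid.ns") != OPENID_NS or f.get("openid.mode") != "id_res":
            return fail("not a positive assertion")
        if f.get("openid.op_endpoint") != self.op_endpoint:
            return fail("op_endpoint mismatch")
        if f.get("openid.assoc_handle") != self.assoc_handle:
            return fail("unknown association")
        if not f.get("openid.return_to", "").startswith(self.return_to):
            return fail("return_to mismatch")
        signed = set(f.get("openid.signed", "").split(","))
        needed = REQUIRED_SIGNED | ({"claimed_id", "identity"} if "openid.claimed_id" in f else set())
        if not needed <= signed:
            return fail("required field not covered by signature")
        try:
            expected = signature(f, self.mac_key)
        except KeyError:
            return fail("signed list names a missing field")
        if not hmac.compare_digest(expected, f.get("openid.sig", "")):
            return fail("bad signature")
        nonce = f["openid.response_nonce"]            # e.g. 2024-05-01T12:00:00Zabc123
        try:
            ts = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            return fail("malformed nonce")
        if abs(now - ts) > max_skew or nonce in self.seen_nonces:
            return fail("stale or replayed nonce")
        self.seen_nonces.add(nonce)
        return {"ok": True, "claimed_id": f.get("openid.claimed_id"),
                "email": f.get("openid.ax.value.email")}


SAMPLE_NOW = calendar.timegm(time.strptime("2024-05-01T12:00:30Z", "%Y-%m-%dT%H:%M:%SZ"))


def sample_positive_assertion():
    """Constructed OP response signed with MAC_KEY (demo only, not a real OP's output)."""
    f = {"openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": OP_ENDPOINT,
         "openid.claimed_id": "https://op.example.com/user/alice",
         "openid.identity": "https://op.example.com/user/alice",
         "openid.return_to": RETURN_TO, "openid.response_nonce": "2024-05-01T12:00:00Zabc123",
         "openid.assoc_handle": ASSOC_HANDLE, "openid.ns.ax": AX_NS,
         "openid.ax.mode": "fetch_response", "openid.ax.type.email": AX_EMAIL,
         "openid.ax.value.email": "alice@example.com",
         "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                          "assoc_handle,ns.ax,ax.mode,ax.type.email,ax.value.email"}
    f["openid.sig"] = signature(f, MAC_KEY)
    return urllib.parse.urlencode(f)
```

The entry-point URL is the one the RP itself fetches or redirects to, which is why it does not appear in a Wireshark capture of a login that started from a user-typed identifier: in that flow the endpoint is learned by discovery on the identifier, not configured. Rejecting an assertion whose signed list omits claimed_id or identity matters, since otherwise an attacker could swap in another user's identifier without touching the signature.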
Well, right now I'm logged in as a Google openid account. The trouble is that they have supported a strange blend of OAuth and OpenID, so I don't know how one would implement it on one's own servers. At least for Stack Overflow, my OpenID URL is www.google.com/accounts/o8/id, without the comma, obviously.