

Getting Roles for Group Membership Azure AD

azure,single-sign-on,azure-active-directory,adal
We got an ADAL premium license and we are able to assign more than one role to a user successfully. But we came across this problem where a user 'Rob' is in 2 different groups, i.e. (Group A and Group B), and we assigned Group A to 'Spanish Translator' and...

Azure Active Directory Users (type=User with an existing user account) JSON to List Model is giving null

c#,json,azure,single-sign-on,azure-active-directory
I want to deserialize a JSON result into a model. I am using the Azure Single Sign-On method. When I log in with a newly created user in AD (new user in your organization) I get the proper user info, but if I create a new user in Azure AD with "User with...

How to add users to Cloud Directory via API?

single-sign-on,bluemix
I am using Bluemix Single Sign On Cloud Directory from Node.js and I would like to be able to register users from the app (not manually via administration). Is it possible? After reading the docs I haven't found any API specification. Thanks!...

Sitecore 7.5: Single Sign On (SSO) with Azure AD

azure,single-sign-on,sitecore7.5
Context: We are developing around 20000 microsites in Sitecore with each site having 10-20 pages at max, or maybe less than that. We have an existing admin portal which uses Azure AD for authentication. Admins managing the portal will be managing these microsites as well. So we will have to implement SSO...

JBoss EAP 6.3 / AS 7 Clustered SSO with unsecured pages

java-ee,jboss7.x,single-sign-on,infinispan
I am trying to get Clustered SSO working in JBoss EAP 6.3.2 (equivalent to JBoss AS 7.4.x). I have session replication working fine, however SSO (user principal replication) is not working in all cases. It works properly when I use servlets that are secured inside a <security-constraint> that has an...

SAML2.0 SSO with the WSO2 Identity Server?

java,wso2,single-sign-on,saml
I need to use WSO2 Identity Server with SAML for SSO for my internal application. I came across this beautiful "SAML2.0 SSO with the WSO2 Identity Server" article, but I have two questions on this article which I am not sure how works: 1) In the 5th step it is said...

HTTP-Redirect Binding SAML Request

single-sign-on,x509certificate,saml-2.0
Suppose SP-initiated SSO is carried out, HTTP-Redirect Binding is used instead of HTTP-POST Binding and a signed AuthnRequest is required. It means including the SAMLRequest in the URL. Q1. Do I need to include the signature in the URL or just embed it in the SAMLRequest? The redirect URL is...
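Added example for the question above (not code from the question or from any SAML library): the HTTP-Redirect binding in Go with only the standard library. It shows the answer to Q1 in working code: the signature is computed over the URL-encoded query string `SAMLRequest[&RelayState]&SigAlg` and travels as a separate `Signature` query parameter; it is not embedded in the AuthnRequest XML, which is DEFLATE-compressed and base64-encoded before being placed in the URL. The AuthnRequest, issuer, IdP URL and RelayState are constructed placeholders, and the RSA key is generated at run time; a real SP signs with the key behind its metadata certificate.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/url"
	"strings"
)

const (
	sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" // value of the SigAlg parameter
	// Constructed sample AuthnRequest; ID, issuer and ACS URL are placeholders.
	sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_id-1" Version="2.0" IssueInstant="2015-01-01T00:00:00Z" AssertionConsumerServiceURL="https://sp.example.com/acs"><saml:Issuer>https://sp.example.com/metadata</saml:Issuer></samlp:AuthnRequest>`
)

// deflateBase64 is the binding's DEFLATE encoding: raw DEFLATE (no zlib header), then base64.
func deflateBase64(xml string) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // errors only on a bad level
	w.Write([]byte(xml))                                    // writes into a bytes.Buffer cannot fail
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// signedString is the exact octet string the signature covers: the still URL-encoded values in the
// fixed order SAMLRequest, RelayState (only when present), SigAlg. Signature is a separate parameter.
func signedString(encReq, encRelay, encAlg string) string {
	parts := []string{"SAMLRequest=" + encReq}
	if encRelay != "" {
		parts = append(parts, "RelayState="+encRelay)
	}
	return strings.Join(append(parts, "SigAlg="+encAlg), "&")
}

// BuildRedirectURL is the SP side: encode, sign the query string, append Signature (not the XML).
func BuildRedirectURL(ssoURL, authnRequestXML, relayState string, key *rsa.PrivateKey) (string, error) {
	enc, err := deflateBase64(authnRequestXML)
	if err != nil {
		return "", err
	}
	query := signedString(url.QueryEscape(enc), url.QueryEscape(relayState), url.QueryEscape(sigAlgRSASHA256))
	digest := sha256.Sum256([]byte(query))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return ssoURL + "?" + query + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectURL is the IdP side. It rebuilds the signed string from the raw, still-encoded query
// values rather than re-encoding decoded ones (the SP's encoder may escape differently from ours),
// checks the signature, and only then inflates and returns the AuthnRequest XML.
func VerifyRedirectURL(redirectURL string, pub *rsa.PublicKey) (string, error) {
	_, rawQuery, _ := strings.Cut(redirectURL, "?")
	raw := map[string]string{}
	for _, kv := range strings.Split(rawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		raw[k] = v
	}
	if alg, _ := url.QueryUnescape(raw["SigAlg"]); alg != sigAlgRSASHA256 {
		return "", fmt.Errorf("unsupported SigAlg %q", alg)
	}
	sigB64, _ := url.QueryUnescape(raw["Signature"])
	sig, _ := base64.StdEncoding.DecodeString(sigB64) // a malformed value simply fails the check below
	digest := sha256.Sum256([]byte(signedString(raw["SAMLRequest"], raw["RelayState"], raw["SigAlg"])))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature check failed: %w", err)
	}
	encReq, _ := url.QueryUnescape(raw["SAMLRequest"]) // covered by the signature we just verified
	compressed, err := base64.StdEncoding.DecodeString(encReq)
	if err != nil {
		return "", err
	}
	xml, err := io.ReadAll(flate.NewReader(bytes.NewReader(compressed)))
	return string(xml), err
}

// newKey makes a throwaway SP signing key; a real SP uses the key behind its metadata certificate.
func newKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func main() {
	key := newKey()
	redirect, _ := BuildRedirectURL("https://idp.example.com/sso", sampleAuthnRequest, "app-state-42", key)
	fmt.Println(redirect)
	_, err := VerifyRedirectURL(strings.Replace(redirect, "app-state-42", "app-state-43", 1), &key.PublicKey)
	fmt.Println("RelayState altered:", err) // signature check failed: ...
}
```

Two things the verifier side does deliberately: it checks SigAlg against an allow-list before touching the signature (so a sender cannot downgrade the algorithm), and it hashes the raw query octets as received rather than re-escaping decoded values. The signature binds RelayState as well as the request, which is why the altered-RelayState URL in `main` is rejected; it does not, by itself, prove freshness, so an IdP still checks ID and IssueInstant in the inflated XML.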

Using Magento as an SSO provider

php,magento,single-sign-on,token
I have two sites I want to be connected with SSO. One is a store, using Magento, and I would like this to be the "source of truth" that holds all the members and will handle the authentication. The other is a marketing site using a CMS (SilverStripe), and I...

create-metadata-templ in ssoadm/OpenAM fails

metadata,single-sign-on,openam
I'm trying to create metadata template using ssoadm in OpenAM with the following command: ssoadm create-metadata-templ -u amadmin -f pwd.txt -m sp.xml -x sp-extended.xml -s /sp -a -y https://stage1.abc.xyz.com/OpenAM It gives the following error: Incorrect option(s), ssoadm create-metadata-templ -u amadmin -f pwd.txt -m sp.xml -x sp-extended.xml -s /sp -a -y...

web2py CAS custom fields

single-sign-on,web2py,cas,jasig
I've setup my web2py application to work with JASIG CAS (CAS 2) as follows in db.py: from gluon.contrib.login_methods.cas_auth import CasAuth auth.settings.login_form=CasAuth( urlbase = "https://sso.mysite.co.za", actions = ['login','serviceValidate','logout'], casversion = 2, casusername = "cas:user") My CAS server is configured to pass some custom fields, which I've added as such on the...

CAS vs. SAML vs. OAuth2

ruby-on-rails,oauth-2.0,single-sign-on,saml,cas
Before you put me down for asking too basic a question without doing any homework, I'd like to say that I have been doing a lot of reading on these topics, but I'm still confused. My needs seem simple enough. At my company, we have a bunch of Ruby on...

WSO2 SSO always redirects to localhost:9443/samlsso

wso2,single-sign-on,wso2esb,wso2is
I'm using WSO2 Identity Server (on port 9443) and Enterprise Service Bus (ESB, on port 9444). I configured ESB to use IS SSO. But every time I try to log in to ESB it redirects me to IS and there it redirects me to the URL localhost:9443/samlsso. I already tried changing this URL...

How to Logout from OAuth2 SSO Server

java,single-sign-on,spring-security-oauth2,spring-cloud
I found tutorial about SSO https://github.com/dsyer/spring-security-angular/tree/master/oauth2 with configuration oauth2-authserver @Configuration @Order(-10) protected static class LoginConfig extends WebSecurityConfigurerAdapter { @Autowired private AuthenticationManager authenticationManager; @Override protected void configure(HttpSecurity http) throws Exception { // @formatter:off http .formLogin().loginPage("/login").permitAll() .and() .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access") .and()...

MobileIron SSO with custom auth provider

mobile,single-sign-on,mdm,siteminder,mobileiron
Is it possible to have SSO across multiple apps, installed through MobileIron, that connect to back-end services/sites protected by SiteMinder or any custom authorization provider? Looking at this Stackoverflow discussion and MobileIron video, it seems like the MobileIron SSO can be against KDC only....

Single sign on single native client windows phone using ADAL

windows-phone-8.1,single-sign-on,adal
We have a Windows Phone native app (and are building for Android and iOS also) which uses ADAL to get a token (for example for Graph). ADAL is asking for credentials for the first time. Now inside of this native app on some frame we have a WebView control which launches another website (our own)...

Can WIF Saml2SecurityTokenHandler validate top-level signature?

.net,single-sign-on,wif,saml-2.0,claims-based-identity
See this (stripped-down) SAML 2.0 response: <samlp:Response> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">lkasjdflkasj</saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <!--<snip>--> </Signature> <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <saml:Assertion> <saml:Issuer...

WAAD Authentication with WebAPI OData service consumed by Excel PowerQuery

asp.net-web-api,odata,single-sign-on,azure-active-directory,powerquery
I've created a WebAPI OData 3.0 web service with an OWIN middleware, which is configured for authentication with Windows Azure Active Directory. The ODataControllers are marked with an [Authorize] attribute, and the IAppBuilder is configured as follows: app.UseWindowsAzureActiveDirectoryBearerAuthentication( new WindowsAzureActiveDirectoryBearerAuthenticationOptions { Tenant = ConfigurationManager.AppSettings["ida:Tenant"], TokenValidationParameters = new TokenValidationParameters { ValidAudience...

CAS with LDAP vs LDAP only authentication

authentication,ldap,single-sign-on,cas
We have several custom developed online applications as well as open source application such as KOHA, moodle and bugzilla. We are attempting to integrate their authentication using a Single Sign-On service. So far we have tried JASIG CAS and this seems to solve most of our issues. However we would...

Laravel single sign on with subdomains

single-sign-on,subdomains,laravel-5
How can I implement single sign-on with subdomains on Laravel-5? I have: api.domain.com portal.domain.com I tried setting the domain and driver parameters in /config/session: 'driver' => 'cookie' or 'driver' => 'file' and 'domain' => '.domain.com' or 'domain' => null It doesn't work anyway. I get 401 (Unauthorized) anyway. Why? In controller...

Is exchange of metadata required for a working SAML2 connection?

single-sign-on,saml,saml-2.0
We are operating as a SAML2 Service Provider. A few weeks ago our certificate expired, so we provided new metadata to our customers. We told them they have to upload the new data to their IdPs, because otherwise the SSO won't work anymore because the connection can not be seen as trusted...

Thinktecture IdentityServer3 - Single sign out for distributed system

authentication,single-sign-on,thinktecture-ident-server
I'm building a distributed system with multiple clients that use a single identity server for authentication. This provides single sign-on between these clients. When a user signs out from one of the clients, and thus signs out from the identity server, can the identity server sign the user out...

SSO setup using Kerberos on windows server

active-directory,single-sign-on,windows-authentication,kerberos,ntlm
I am new to SSO. We had an application using a Java implementation of Kerberos SSO. Now we need to migrate the application to some other machine. I need to know what changes will be required in: 1. Service account in Active Directory used for authentication. 2. Keytab files 3. Can...

LTPA2 token name won't change

java,websphere,single-sign-on,websphere-8,ltpa
We have a complex infrastructure with WebSEAL, WebSphere Portal and a couple of WebSphere AS' where we [obviously] want to set up SSO. We successfully configured TAI++ etc., but unfortunately the default LTPA2 token name ("LtpaToken2") is not acceptable for compatibility reasons and we want to change it. WebSphere AS 8.5,...

LaunchUriAsync with Authentication and other custom headers

authentication,windows-phone-8.1,single-sign-on
I am new to Windows Phone development. I have an app and a website and both of them need authentication. When I launch the website from my app and if the user is already authenticated I want to pass the authentication headers so the user doesn't need to authenticate again...

How to implement Single Sign-On on iOS

ios,objective-c,single-sign-on,kerberos
I am a new enterprise iOS developer. We are developing an app that is managing our enterprise apps (somewhat like an app store & MDM). I am stuck on an issue: I want to implement Single Sign-On for our enterprise Apps (not with the same Developer ID), which means if the app-store App...

Implement SSO in jBPM 6.2

single-sign-on,jbpm,bpm
Currently, we are evaluating jBPM 6.2 as a possible BPM suite. One very important criterion is Single Sign-on. I found out that jBPM uses container-managed authentication and authorization. In addition, I looked into the GitHub source code. But I could not figure out if it is possible to extend the KIS...

Please explain SAML2 Signatures and PKs

single-sign-on,saml-2.0
I am developing SAML2 Service Provider capability (supporting IdP-Initiated SSO). I understand the general flow is: 1) User authenticates at the IdP. 2) User launches to my SP via an HTTP POST to my SAML endpoint - containing XML token. 3) My SP's Assertion Consumer Service eats that token up,...

WSO2IS: SSO session timeout doesn't work

wso2,single-sign-on,saml-2.0,wso2is
I'm currently using WSO2 Identity Server along with several service providers. I have also configured single sign-on between them. According to the documentation a system admin can configure a validity in seconds for any SSO sessions under /repository/conf/identity.xml, so that a user can enter their credentials, tick "remember me",...

SAML service provider signature verification

security,single-sign-on,saml,pingfederate
This is a basic question about the SAML protocol and how it specifies verification of a SAML token. Looking at different diagrams and resources, it looks like the service provider doesn't need to make calls to the Identity Provider (IdP) in order to verify a SAML token. I am interested in...

Simplesamlphp wrong metadata

php,single-sign-on,saml
I'm making two applications with SimpleSAMLphp, a Service Provider and an Identity Provider. While I'm trying to test them out I get the following error: SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => '\'http://samlsp.dev/module.php/saml/sp/metadata.php/default-sp\'') Backtrace: 3 /var/www/samlidp/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:301 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaData) 2 /var/www/samlidp/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:318...

Log out from SSO kerberos

osx,single-sign-on,kerberos
My OSX application requires authentication based on the Kerberos protocol. For login I'm using WebView (and WKWebView for Mac OSX > 10.9) by loading the authorization URL request. The login works as expected, but it remains logged in until I log out from my computer or kill my application....

Thinktecture v3 auto login for ADFS users within the same domain

single-sign-on,adfs,thinktecture-ident-server
I am using Thinktecture identity server v3 for authentication and authorization. It works good with local database. I added external identity provider as ADFS. It also works good but it asks credentials for intranet users. My requirement is automatically login the intranet users without asking credentials. If the user is...

How to achieve Facebook kind of SSO in iOS SDK? (The way they open a view for login and loading)

ios,objective-c,single-sign-on
How to achieve Facebook kind of SSO in iPhone SDK? (The way they open a view for login and loading). I don't want to use UIViewController and want to show a Login/Loading view and want to put the Login/Loading code in one place as that view is going to be opened from...

Windows Authentication prompting twice

.net,asp.net-mvc,iis-7,single-sign-on,windows-authentication
I'm using Windows Authentication on two separate websites, on the same server, with the same domain postfix. Both are using https with two certificates. The problem is that when external users visit both sites, they are prompted for credentials twice even though the credentials will be exactly the same. I've...

Single Sign-On on Bluemix: how to retrieve user profile after binding SSO service to Liberty

single-sign-on,bluemix
I created an app and bound it to Liberty. It works fine. But how could I get the user profile after the user logs in? I saw there is a "Return-to url" in the integration tab: https://ssoConfigboard.mybluemix.net:443/oidcclient/redirect/rwuYaLiy78 But after I visit this URL, I get a 500 server error: Error 500: SRVE0295E: Error reported:...

Kentor.AuthServices configuring thumbprint validation

.net,single-sign-on,wif,saml-2.0,kentor-authservices
How do I configure Kentor.AuthServices to use the issuer registry from WIF? Specifically, to check based on thumbprint like in the example below: <system.identityModel> <identityConfiguration> <securityTokenHandlers> <securityTokenHandlerConfiguration> <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"> <trustedIssuers> <add thumbprint="1111111111111"...

Integrating Windows Authentication with ASP.NET and Drupal In External Portal

asp.net,drupal,single-sign-on,asp.net-identity,windows-authentication
We are in the final stages of developing a portal application, built in ASP.NET MVC, for a large organization with many subsidiaries. The portal will be used by both internal, meaning employees of the organization, and external users. The portal also has an accompanying informational CMS that is being developed...

Adding Single-sign-on to GMail API authorization

python-2.7,google-app-engine,single-sign-on,gmail-api
I have successfully created a Python web app on Google App Engine that interacts with the Gmail API. What I would like to get now is that when the permissions are given, my app also creates a user account to which the user can log in with their Google Account. This...

Multi service with one-login authentication (Single sign-on)

authentication,login,single-sign-on,saml
Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. (from wikipedia) now, I have more web service:...

How to not have consent page in OpenID Connect Authorize Endpoint for Resource Owner?

oauth-2.0,single-sign-on,openid-connect
When I had resource owner grant type, I never needed to deal with the Consent Page but now I am trying to create SSO for my systems using OpenID Connect and I am very confused. /authorize endpoint always shows consent form for public apis (Facebook, Google etc) as this used...

Is there something like the CAS Proxy ticket available in SAML?

proxy,client,single-sign-on,saml,cas
Is there something like the CAS Proxy ticket available in SAML? I want to make a request to a 3rd Service Provider with the identity of the user, like I can do with a CAS Proxy ticket, so the Service Provider thinks the request comes from the user himself. Thanks in...

OpenID Connect Signin Page separate endpoint or authorize endpoint

oauth-2.0,single-sign-on,openid-connect
How does OpenID Connect Authorization Code Flow work? Let's say a user made a request to app.example.com didn't have an access token or had an access token that is invalid. When the app redirected the user to authorization server: auth.example.com/authorize?response_type=code&client_id=CLIENT_ID&scope=openid&state=STATE&nonce=NONCE Does the endpoint above have the signin screen? Or does...
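Added example for the question above (not code from the question or from any OpenID Connect product): a constructed, in-memory authorization server in Go using only the standard library, showing what happens at the `/authorize` endpoint the asker built. With no session, `/authorize` does not render a sign-in form itself; it redirects to a `/login` page, carrying the complete original request (including `state` and `nonce`) in a `return_to` parameter, and once the user has signed in it resumes that same request and sends the browser back to the registered `redirect_uri` with a code and the unchanged `state`. The paths, the registered client `CLIENT_ID`, the redirect URI, the session cookie name and the credentials are all assumptions made for the example; the token endpoint that would later exchange the code is not shown.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html"
	"net/http"
	"net/url"
	"strings"
	"sync"
)

// AuthServer is a constructed, in-memory authorization server: just enough of /authorize and
// /login to show where the sign-in screen lives. The paths, the registered client and the
// credentials are assumptions for this example, not any product's API.
type AuthServer struct {
	mu       sync.Mutex
	sessions map[string]string // session cookie value -> user
	codes    map[string]string // authorization code -> user, consumed later by the token endpoint
	clients  map[string]string // client_id -> its single registered redirect_uri
}

func NewAuthServer() *AuthServer {
	return &AuthServer{
		sessions: map[string]string{},
		codes:    map[string]string{},
		clients:  map[string]string{"CLIENT_ID": "https://app.example.com/callback"},
	}
}

func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Authorize handles /authorize. It renders no form itself: with no session it bounces the
// browser to /login and resumes this exact request once the user has signed in.
func (a *AuthServer) Authorize(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	registered, ok := a.clients[q.Get("client_id")]
	// client_id and redirect_uri are checked before anything else; an unregistered
	// redirect_uri gets an error page, never a redirect (not even an error redirect).
	if !ok || q.Get("redirect_uri") != registered {
		http.Error(w, "invalid client_id or redirect_uri", http.StatusBadRequest)
		return
	}
	user := ""
	if c, err := r.Cookie("sid"); err == nil {
		a.mu.Lock()
		user = a.sessions[c.Value]
		a.mu.Unlock()
	}
	if user == "" {
		// return_to carries the whole /authorize request, state and nonce included.
		http.Redirect(w, r, "/login?return_to="+url.QueryEscape(r.URL.RequestURI()), http.StatusFound)
		return
	}
	code := randomToken()
	a.mu.Lock()
	a.codes[code] = user
	a.mu.Unlock()
	// state is echoed unchanged so the client can match the response to the request it sent.
	http.Redirect(w, r, registered+"?code="+url.QueryEscape(code)+"&state="+url.QueryEscape(q.Get("state")), http.StatusFound)
}

// Login is the sign-in screen. On success it sets the session cookie and returns the browser
// to the pending /authorize request.
func (a *AuthServer) Login(w http.ResponseWriter, r *http.Request) {
	ret := r.FormValue("return_to")
	if r.Method != http.MethodPost {
		fmt.Fprintf(w, `<form method="POST"><input type="hidden" name="return_to" value="%s">`+
			`<input name="user"><input name="pass" type="password"><button>Sign in</button></form>`, html.EscapeString(ret))
		return
	}
	if r.FormValue("user") != "alice" || r.FormValue("pass") != "correct horse" { // constructed credential check
		http.Error(w, "bad credentials", http.StatusUnauthorized)
		return
	}
	sid := randomToken()
	a.mu.Lock()
	a.sessions[sid] = "alice"
	a.mu.Unlock()
	http.SetCookie(w, &http.Cookie{Name: "sid", Value: sid, Path: "/", HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	if !strings.HasPrefix(ret, "/authorize?") { // only resume a local /authorize URL, so return_to is not an open redirect
		ret = "/"
	}
	http.Redirect(w, r, ret, http.StatusFound)
}

func main() {
	a := NewAuthServer()
	http.HandleFunc("/authorize", a.Authorize)
	http.HandleFunc("/login", a.Login)
	fmt.Println(http.ListenAndServe("127.0.0.1:9000", nil))
}
```

Whether the form is served from `/authorize` directly or from a separate `/login` is an implementation choice; either way the client only ever sees `/authorize` and the final redirect back to its `redirect_uri`. The two checks that matter regardless of layout are here: `redirect_uri` is compared exactly against the registration before any redirect is issued, and `return_to` is only honoured for a local `/authorize` path so the login page cannot be used as an open redirector.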

How to call a SSO enabled service via HTTP

java,http,single-sign-on,http-get,http-status-codes
I have 2 systems (System A, System B) and SSO is configured between them. System B has exposed a service which we have to consume in System A. We are sending an HTTP GET request from System A to System B. How should I send an HTTP GET request...

Lotus Notes Single Sign On through PowerShell

powershell,single-sign-on,lotus-notes
I have a script that works with a Lotus database: $LotusSession = New-Object -ComObject Lotus.NotesSession $LotusSession.Initialize() $LotusDatabase = $LotusSession.GetDatabase('Server','Database.nsf'); $DocView = $LotusDatabase.GetView('ViewName'); $searchkey = # anything $doc = $DocView.GetAllDocumentsByKey($searchkey,$false); <# ... and so on ... #> Can I somehow initialize the session without entering a password each time, but using...

JSF link to external site without showing username and password in the URL

jsf,post,single-sign-on,commandlink
I was able to do SSO (Single sign on) on click of an external link from the code below. SSO works but the username/password is seen in the URL. https://example.org/index.php?userLogin=user1&userPassword=pass123 <h:outputLink styleClass="ui-menuitem-link ui-corner-all" value="https://example.org/index.php"> <h:outputText value="Ext Tool" /> <h:outputText styleClass="ui-icon ui-icon-suitcase" style="float:left" rendered="#{userBean.in}" /> <f:param name="userLogin" value="#{userBean.user.eUser}" /> <f:param...

Implementing an SSO solution

oauth-2.0,single-sign-on,identity,openid-provider,openid-connect
I'm looking to replace our current SSO system based on OpenID 1 with an authentication and authorization solution that is more suited to modern needs. One of the things I would like to avoid is having the end user redirected to the identity provider for various flows, such as login, reset...

How to configure Azure ACS to return SAMLResponse parameter instead of RSTR xml?

azure,single-sign-on,wif,saml-2.0,acs
I have SSO login setup with Azure similar to the one above: In the POST request (6&7) from ACS at my application (RP) end, I am getting: ~~~~~~~~ POST wa: wsignin1.0 wresult: RSTR XML - (example format - data removed) ~~~~~~~~ whereas what my RP expects and understand is...

CAS Redirect Loop

java,tomcat,single-sign-on,cas
I am trying to get the CAS setup up and running and I am pretty new to this. I am following through the standard steps similar to this video. I have: created a keystore file; created a certificate; imported it successfully and added it to the cacerts file. I have made the necessary...

Is using a SSO Assertion (JWT or SAML) For OAuth Assertion Flow Common?

oauth,oauth-2.0,single-sign-on,saml,jwt
I'm working on a set of systems that are exposing REST APIs that are authenticated using OAuth 2. Various of these systems have their own independent sets of user accounts; there is no common notion of a user identifier across all the systems. For interactive usage we already have a...

Is it possible to use the Single Sign On Service (currently only available on US) from an app deployed on UK?

single-sign-on,bluemix
I get that it won't be possible to bind the service and therefore not use the VCAP_SERVICES, and credentials would need to be managed in another way. Since the communication would go via the internet, I guess the question is really: Does the SSO service have an API that can...

WIF config: issuerNameRegistry vs. certificateValidation

.net,single-sign-on,wif,saml-2.0,claims-based-identity
In the Windows Identity Foundation (WIF) 4.5 config, what is the relationship between issuerNameRegistry and certificateValidation? What portion of a SAML 2.0 assertion is validated by each? For example: the code & config below will verify that the issuer cert has the given thumbprint. But I assume a certificateValidationMode other...

Replacement for Chrome SSO flags

google-chrome,single-sign-on
I've been using the Chrome flags auth-server-whitelist and auth-negotiate-delegate-whitelist to enable SSO on my corporate domains, but after the latest update to Chrome 41.0.2272.76m, these flags no longer work and SSO is disabled. I found an issue tracker at https://codereview.chromium.org/836843003 which describes the change but does not offer any remediation...

How to enable single sign-on between web portal and java rich client?

java,websphere,single-sign-on,jnlp,portal
I saw some of the related questions but my situation is slightly different. We have this web portal that provides a user access to many applications, among them a rich client (desktop) hosted on the web portal. Here is what happens. User logs into a web portal (WebSphere Portal I believe)....

OKTA Saml 2.0 configurations

single-sign-on,okta,saml2
I have created a SAML 2.0 App on Okta and have finished all the configurations. The app (service provider) and authentication seem to work fine. But I still have this notification on the SSO tab of the app on Okta. I am just worried if this means some of the settings...

Can SAML Assertions Be Modified In Transit?

security,single-sign-on,saml,saml-2.0
Is there anything to stop a user modifying a SAML assertion being sent to a service provider? For example, if a SAML response identifies a user to the service provider by email address, is there anything in place within the assertion to stop someone modifying it using something like...

'ruby uuid' file or directory not found error using apache and sso

ruby-on-rails,ruby,apache,single-sign-on,passenger
I am trying to deploy a rails application using apache and passenger. I have also integrated it with Okta for authentication. Though everything seems to be working fine after bypassing the authentication or by using thin/webrick server. I am getting the following error in my error logs if I use...

How to read the saml response that comes to the “../adfs/ls/”?

asp.net,single-sign-on,saml,saml-2.0,adfs2.0
I am new to SSO and SAML. We have to set up single sign-on on our customer site using ADFS 2.0 and we did that successfully, and when we try to access ../adfs/ls/idpinitiatedsignon.aspx it redirects to the customer site and if we enter the user name...

Spnego setup with websphere custom SSOAuthentication

websphere,single-sign-on,spnego
I am trying to set up WebSphere with SPNEGO. I have my custom SSOAuthentication implementation (the application needs to run on several different web servers). The problem I am facing is that the spnego-client configuration is being searched for in the wsjaas.conf file, while I have it set up in a custom conf file....

How to determine authorization rights after a login via SAML SSO

single-sign-on,saml,saml-2.0
First of all I do not have any experience with SAML (version 2). I was asked to investigate how we can make an existing site, which has a normal login page with a username and password page, ready for SSO with SAML. There are some tools around which we can...

CAS Single logout not working

java,single-sign-on,cas
I am implementing Single-Sign-On + Single-Log-Out in a Java EE environment through CAS. On the authentication side I have the cas-server-webapp v4.0.1. Then 2 simple Java + Spring MVC web apps with the cas-client-core v3.1.10. No issues regarding single sign on. If I access /app1 I'm redirected to the CAS login page...

What are the equivalent OpenID Connect and SAML actors/roles?

single-sign-on,saml,openid-connect
I’m having trouble understanding OpenID Connect actors/roles. I’m coming from using SAML. In the scenario I’m familiar with, the Service Provider is a web application with protected resources and the Identity Provider server is where users authenticate. With SAML, the typical client is a web browser although SAML also has...