Cross Domain Login – How to log a user in automatically when transferred from one domain to another

Single sign-on (SSO) is conceptually pretty simple. User hits domain1.com. domain1.com sees there’s no session cookie. domain1.com redirects to sso.com. sso.com presents login page, and takes credentials. sso.com sets session cookie for the user. sso.com then redirects back to domain1 to a special URL (like domain1.com/ssologin). The ssologin URL contains a parameter that is basically …

Single Sign-On in Microservice Architecture

While implementing a microservice architecture at my previous job we decided the best approach was in alignment with #1, Add identity service and authorize service access through it. In our case this was done with tokens. If a request came with an authorization token then we could verify that token with the identity service if …

CAS vs. SAML vs. OAuth2

CAS-Server: A stand-alone central login page where the user enters their credentials (i.e. their username and password). CAS supports the standardized SAML 1.1 protocol primarily to support attribute release to clients and single sign-out. (a table in a SQL database, ActiveDirectory/LDAP, Google accounts, etc.) Full compatibility with the open, multi-platform CAS protocol (CAS clients are …

Implementing Single Sign On (SSO) using Django [closed]

We’re using OpenAM. http://forgerock.com/openam.html The OpenAM Cookie means that the user is authenticated. An authentication backend for this is pretty simple. Under 50 lines of code. https://docs.djangoproject.com/en/3.1/topics/auth/customizing/#other-authentication-sources We wrote a little bit of code that makes a RESTful request to the OpenAM server to get the user, group and role information. We then use the …

SAML/ADFS node.js implementation guide?

I recently went through the same thought process: having never heard of SAML, I needed to enable a web application to authenticate via SAML with OneLogin as the identity provider (instead of Active Directory). During implementation, I made heavy use of OneLogin’s documentation and the passport-saml library, both of which I recommend, though I’m not …

What’s the difference between ADFS, WIF, WS Federation, SAML, and STS?

ADFS (Active Directory Federation Services) – Off-the-shelf Security Token Service (STS) produced by Microsoft and built on Windows Identity Foundation (WIF). Relies on AD for authentication. Can be used in active (SOAP web services) or passive (web sites) scenarios and supports SAML tokens, WS-Federation, WS-Trust and SAML-Protocol. It can be used as an Identity Provider …

How to re-authorize the OAuth Application ‘Git Credential Manager’

My company just enabled SSO for my GitHub Org overnight so was getting the same error running git pull. I fixed this with the following steps.

1. Open Credential Manager in Windows and delete the existing credential for github.com
2. Re-initialise the cred manager in git bash: git config --global credential.helper manager-core
3. Re-run git pull and follow …