saml-idp | Simple SAML Identity Provider for Node | Authentication library
kandi X-RAY | saml-idp Summary
This app provides a simple SAML Identity Provider (IdP) to test SAML 2.0 Service Providers (SPs) with the SAML 2.0 Web Browser SSO Profile or the Single Logout Profile.
Community Discussions
Trending Discussions on saml-idp
QUESTION
Trying to set up a custom policy in my Azure AD B2C tenant, I need to communicate with an external IdP using a SAML IdP-initiated flow, so the client can navigate to their dashboard and click "my app", which goes against my B2C tenant, authenticates the user and gets sent to my application using OpenIdConnect. It is required for me to get it integrated using SAML between my client's dashboard and my B2C tenant.
I used this article as a basis to create my custom policy using SAML. SP-initiated (through my app in Azure AD B2C) works, but now I need to get it working IdP-initiated. I also found this idp-initiated sample, but here I have 2 problems:
- This is setting up "my app" as SAML application (protocol in my RelyingParty, not what I want)
- If I change that one to use "OpenIdConnect" which is desired in my RelyingParty I get the following error in my logs:
"Policy '< myPolicyName >' in tenant '< myTenant >' does not have a supported relying party protocol"
So I'm wondering at this point, is this something that's supported? I also found this unsupported-saml-modalities page in the documentation, and the last bullet point says:
Identity provider-initiated sign-on, where the identity provider is Azure AD B2C.
So, not really sure if what I'm trying to accomplish is something valid, any help?
ANSWER
Answered 2021-Apr-12 at 16:55: It's not possible; an IdP-initiated flow cannot respond to an OIDC relying party, only a SAML relying party.
Secondly, as the doc states, the IdP must be B2C; it will not work for an external IdP federated to B2C.
QUESTION
I'm signing my SAML requests like this:
ANSWER
Answered 2020-May-28 at 18:35: I expect you have configured the RP (relying party) to sign the Authn Request, which is optional in the SAML 2.0 standard and only required by some IdPs (identity providers).
If your IdP does not require the Authn Request to be signed, I think you should omit it.
If the IdP is implemented with the ITfoxtec Identity SAML 2.0 package, it can be configured to require a signed Authn Request with the same configuration, saml2Configuration.SignAuthnRequest = true. Therefore, you can test the signing with a test IdP implemented using ITfoxtec Identity SAML 2.0.
Samples:
ASP.NET core RP sample: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestWebAppCore
ASP.NET core IdP sample: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestIdPCore
Update: It looks like the Mini Orange WordPress plugin IdP can be configured with a public RP key for Authn Request signature validation in the field X.509 Certificate (optional): (For Signed Request), see screenshot.
QUESTION
My mobile app currently performs SSO using the following steps:
- User will select one of the IdPs from the list on the mobile app and click Login
- Mobile app will instantiate an in-app browser control and navigate to the SSO URL
- If not already authenticated, the IdP challenges the user for authentication
- User will be presented with the login form to enter his/her credentials.
- Once the user is authenticated successfully by the IdP, the SAML assertion will be passed to the web server
- Web server trusts the IdP, accepts the SAML token and generates a session token
- Mobile browser component accepts the session token and shares it with the native mobile app
- Mobile app calls web server APIs with this session token
Now, for security reasons, a session token is not advisable to store on the mobile device, whereas OIDC or JWT tokens can be stored.
As my web application does not support generating OIDC tokens, I thought of adding one more layer, AWS Cognito, between my mobile device and the IdP. Now the authentication flow will be like this (SAML User Pool IdP authentication flow):
- The mobile app starts the sign-in process by directing the user to the UI hosted by AWS.
- User is redirected to the identity provider.
- The IdP authenticates the user if necessary. If the IdP recognizes that the user has an active session, the IdP skips the authentication to provide a single sign-in (SSO) experience.
- The IdP POSTs the SAML assertion to the Amazon Cognito service.
- After verifying the SAML assertion and collecting the user attributes (claims) from the assertion, Amazon Cognito returns OIDC tokens to the mobile app for the now signed-in user.
Now my question is: once I have the OIDC token, how will the mobile app call my web server for any API calls? Is it through Cognito? A direct call to my web server will not work, as it does not understand the OIDC token returned by Cognito. How can I achieve this communication from the mobile app to my web server?
UPDATE: I was able to validate the JWT token issued by Cognito from my web server. If anyone else is looking to do the same, they can refer to this cognitojwt library (not written by me, I just found it on the internet).
ANSWER
Answered 2020-Apr-07 at 10:44: The OIDC tokens returned by Cognito are the ID Token and the Access Token; both are JWTs. You can pass these to your custom backend directly (most commonly in the Authorization header).
On the backend you should decode and verify the token using your user pool's public key (JWK). The JWK is available at https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json. If the token is valid and not expired, you can trust it and use it for custom backend authorization logic.
The whole process of verifying tokens is described here https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html and there are a number of open source libraries which will help you do that.
QUESTION
I am trying to use Saml2 from Sustainsys in an ASP.NET Core 3.1 web app as service provider. I am using the nuget package Sustainsys.Saml2.AspNetCore2. It works fine with a local test IdP in the docker container kristophjunge/test-saml-idp, but when I deploy the site to Azure, the url /Saml2/Acs for assertions cannot be found.
This happens after the user is sent to the Azure B2C IdP for login: the user logs in successfully and then Azure B2C calls the assertion consumer service, which is /Saml2/Acs, but it cannot be accessed by Azure B2C. The metadata url /Saml2, however, is accessible.
According to the Sustainsys docs:
The ASP.NET Core 2 Handler is compatible with the ASP.NET Core 2.X and 3.X authentication model.
What could be missing or wrong? Can someone confirm that the nuget package can be used in ASP.NET Core 3.x?
Thanks
ANSWER
Answered 2020-Mar-26 at 16:28: If the metadata URL /Saml2 responds, the handler is running.
Are you sure that /Saml2/Acs is not accessible? It's not just that there is a configuration error causing the response validation to fail? Do you see anything in the logs?
QUESTION
Looking at their documentation (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp), it looks like we need three things in the SAML assertion.
ANSWER
Answered 2020-Feb-04 at 11:39: @nkpatel Yes, using Graph API, you can fetch the value for Immutable ID. In case the user object is synced from on-prem AD to AAD using the AAD Connect tool, the user object will have an attribute called "onPremisesImmutableId" in the Graph API response for that user.
QUESTION
I'm trying to implement a SAML 2.0 identity provider with Symfony, but can't decide which bundle to use. lightsaml seems to be used for service providers; others like simplesamlphp or oneloginsaml are either native PHP or Symfony 2. Can you please recommend a tutorial or a bundle I can use to implement this identity provider?
I tried this tutorial but can't see it working.
ANSWER
Answered 2019-Nov-13 at 14:31: I'm in the process of implementing a SAML 2.0 identity provider with Symfony 4 as well.
I have chosen to use the LightSaml IdP even though it lacks proper documentation. I plan to draft some documentation myself once the project is done.
At the moment, I have ported LightSaml IdP sample code inside controller actions and proper authentication is done by implementing an AbstractFormLoginAuthenticator class from the Guard feature in Symfony Security component.
I am still scratching my head on how to properly use an incoming SAML authentication request to redirect the user back to the SP once he is authenticated locally on the IdP.
Right now I have chosen to validate the entity ID the user is coming from then initiating a new authentication from the IdP back to the SP. Not the cleanest way, but it works for my usage.
QUESTION
I think this is a proxy issue because I can still connect to 8380 with the localhost domain. But the error is different.
Error: connect ECONNREFUSED 127.0.0.1:8080
Here is my docker-compose file. I set up a docker overlay network but it doesn't help either. I think this is a proxy issue.
ANSWER
Answered 2019-Sep-25 at 01:38: When you define ports: - 8380:8080, it will publish testidpsaml's 8080 port to the host's 8380 port. Then, on the docker host (not the container), you can visit it with localhost:8380.
But in the app service your code is running in a container, so localhost does not mean the docker host but the current container; you could replace localhost with your docker host IP to make it work.
In fact, you could also directly specify the service name, because compose will set up a custom network for you:
User-defined bridges provide automatic DNS resolution between containers.
in which there is an internal DNS server, which helps containers find each other quickly, with no need to route traffic through the docker host. For your case, use next:
QUESTION
I have set up a Keycloak server. Then I created a realm and in that realm a SAML IdP. So my Keycloak server is a SAML SP that uses that IdP for authentication. The IdP needs the SAML metadata. I can export it in the Keycloak admin console in the "export" tab of the IdP entry. I can also download it here:
ANSWER
Answered 2019-Sep-20 at 22:15: Question: The SAML SP metadata does not contain an X.509 certificate.
How do I get one into the metadata?
Answer:
It is OK that the SAML SP metadata of Keycloak does NOT contain an X.509 certificate if (I) the Keycloak SAML SP does NOT need to sign SAML authentication requests or (II) the SAML IdP is NOT required to encrypt SAML assertions for the Keycloak SAML SP.
(1) SAML SP metadata does NOT necessarily contain an X.509 certificate. That is, an X.509 certificate is NOT mandatory for SAML SP metadata.
For example, both Google G Suite and ComponentSpace provide SAML SP metadata without an X.509 certificate.
(I) The SAML SP metadata of Google G Suite does NOT contain an X.509 certificate. I uploaded the SAML SP metadata of Google G Suite into a Shibboleth SAML IdP server and then logged in to Google G Suite through SAML authentication provided by the Shibboleth SAML IdP successfully.
For your reference on SAML SP metadata without an X.509 certificate, I have made the 14th commit to upload the Google G Suite SAML SP metadata and corresponding SAML configuration to the GitHub repository How to build and run Shibboleth SAML IdP and SP using Docker container.
(II) ComponentSpace Development provides guidance on how to generate SAML service provider metadata with no certificates:
No signature or encryption certificates were specified so no certificates were included in the generated metadata.
QUESTION
I am working on an SSO authentication system using the SAML2 protocol. Since I do not have the real IdP information yet, I needed a test environment, so I used this docker image, which worked like a charm. I am able to access it through localhost:8080 without any problem and also to log in with the test account.
But then, when I try to log into my SP (the website I am working on), though I am redirected correctly to the IdP at localhost:8080/simplesaml/saml2/idp/SSOService.php, I get an error telling me metadata not found. Here is the stack trace:
ANSWER
Answered 2019-May-14 at 08:25: Finally solved. The Authn Request I sent contained an empty "issuer" field, and this one was needed on the IdP side since simpleSAMLphp seems to store SP metadata in an array like Metadata['spName']. So of course there was no entry for the empty string as key.
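As an added illustration of the failure mode in this answer (not code from the original post or from simpleSAMLphp), here is how an IdP can resolve the SP metadata for an incoming AuthnRequest while refusing a missing, empty or unknown Issuer instead of silently looking up an empty-string key. The metadata map, entity IDs and request XML are constructed for the demo, and the Issuer is pulled out with a small regex where real code would use an XML parser.

```javascript
// SP metadata keyed by SP entityID, the counterpart of the answer's Metadata['spName'] (constructed).
const SP_METADATA = {
  "https://sp.example.test/saml/metadata": { acsUrl: "https://sp.example.test/saml/acs" },
};

// Returns the trimmed text of the first <Issuer> element (any namespace prefix,
// attributes such as Format ignored), "" if the element is present but empty,
// or null if there is no Issuer element at all.
function extractIssuer(authnRequestXml) {
  const m = /<(?:[\w-]+:)?Issuer\b[^>]*>([^<]*)<\/(?:[\w-]+:)?Issuer>/.exec(authnRequestXml);
  return m ? m[1].trim() : null;
}

// IdP-side lookup: fail loudly on a missing/empty Issuer, and only accept
// entity IDs that are registered in the metadata map (no prototype keys).
function resolveSpMetadata(authnRequestXml, metadataByEntityId = SP_METADATA) {
  const issuer = extractIssuer(authnRequestXml);
  if (issuer === null) throw new Error("AuthnRequest has no Issuer element");
  if (issuer === "") throw new Error("AuthnRequest Issuer is empty");
  if (!Object.prototype.hasOwnProperty.call(metadataByEntityId, issuer)) {
    throw new Error(`metadata not found for issuer ${issuer}`);
  }
  return metadataByEntityId[issuer];
}

// Constructed sample requests: one well-formed, one with the empty Issuer from the answer.
const GOOD_REQUEST = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" IssueInstant="2019-05-14T08:00:00Z">
  <saml:Issuer>https://sp.example.test/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>`;
const EMPTY_ISSUER_REQUEST = GOOD_REQUEST.replace(
  /<saml:Issuer>[^<]*<\/saml:Issuer>/, "<saml:Issuer></saml:Issuer>");
```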
QUESTION
I have a SAML response that Azure Active Directory gives me when doing the SAML 2.0 process. The whole process works normally: I send a SAML request and Azure Active Directory returns the SAML response. To do the whole process I have based myself on this guide. I've been reading a bit and I've noticed that Azure AD in the SAML response sends the values within this tag:
ANSWER
Answered 2019-Feb-10 at 18:40: The SAML token is encrypted.
You need to get the client side certificate used for this and use that to decrypt it.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported