A list of puns related to "SAML 2.0"
A new client would like to allow access to my web application through one of the above mechanisms. We're running a PHP backend on AWS. Wondering if somebody here with experience in Azure AD or SAML 2.0 can comment on:
Thanks in advance!
Hi guys, I am curious and would like to check if there are any tools out there that are similar to SAML tracer for OAuth instead?
I have a requirement to find a tool that can help to troubleshoot access/ID token release from the protected resource to the application. Thanks!
Got an interesting question for those that are knowledgeable with OAuth / SAML.
For our React Native mobile app, we use Okta OAuth password grant to get an access token that we leverage for making API calls within our app. We just got another Okta app that is set up with SAML SSO links. We would like to be able to access this new app via a WebView within our mobile app. I set up the WebView URI to use the Okta SSO SAML link (i.e. oktapreview.com/XXXXXXXX/sso/saml).
When the user is logged into our app and gets to this WebView, they are brought to the Okta login screen, instead of being SSO'd in.
Any ideas / guidance on how to get SSO to work when going from the native app into a WebView?
Apologies in advance that this may be a basic question / understanding. Not very familiar with implementing SSO / authentication in general.
Basically the title. I'm working on my first Next.js app and am curious what packages folks would use to set up a SAML 2.0 flow. Next.js app is the service provider in this instance. The identity provider already has SAML endpoints set up. I have no control over identity provider.
Is this a great job for Passport or should I be looking at other packages?
One thing giving me pause before plunging ahead with Passport is that it's written specifically to work with Express.js. I have seen talk about people swapping out the default HTTP server (haven't investigated this avenue further yet), but I'm interested in what this community thinks!
Thanks!
Hi.
I am trying to build an API for an online student website. This student website first requires a student to sign in through a SAML 2.0 SSO web page. It has a JSESSIONID created when you first go to the page.
I have already implemented it with them manually giving their credentials to the API, and the Node.js server uses fetch to make a POST request to the server to log in. However, I feel that storing the student credentials in plain text in a JS variable is not very secure.
I was wondering how I can let others use my API and securely log in to the system (using Node.js as the server) without them giving their student credentials to the API. I am not too sure how SAML 2.0 or SSO works (though I've read some information about them), so I am fairly new to this.
EDIT: Just to be clear, I am not trying to create my own SAML 2.0 SSO web page. I am actually trying to log in to an existing SAML 2.0 SSO web page at my university which grants access to student web services. I am doing this by making a POST request to the web page, given that the student gives their credentials to the API. However, now I am trying to find a way so that the credentials are not sent to the server, and I can log in or store the credentials on the server safely and securely (in variables and not a database).
Hi guys. I am writing a post here appealing for the help of the community since my googling hasn't worked out at all.
Basically we want to integrate SAML 2.0 SSO with an enterprise. In the terminology, they are the Identity Provider and we are the Service Provider.
So I found this gem that integrates with Identity Providers: https://github.com/onelogin/ruby-saml being used on top of https://github.com/apokalipto/devise_saml_authenticatable
That works fine. However, I am struggling immensely to make it work with the following features:
- Encryption
- Rotating Certificates
I am so confused about when to use idp_cert_multi or when to use certificate_new, private_key, and idp_cert.
Has anyone here used this library who can help me? I tried to make a "fake" Identity Provider by using the https://github.com/saml-idp/saml_idp gem, which is a fork of the original gem, and it seems to be lacking proper documentation. Whenever I want to use encryption, it breaks.
So I have one question here:
Hey everyone,
Just a quick question, is it possible to integrate Azure AD SSO into the Carbon Black PSE console? I see the attribute listings based on this document: https://community.carbonblack.com/t5/Knowledge-Base/CB-Protection-What-are-the-Required-Azure-SAML-Attribute/ta-p/69123
Any advice on where to start or does anyone have better GoogleFu than me right now?
Good evening,
Sorry if this is a stupid question but I am new to cybersecurity.
I am curious what the benefits of implementing SSO (SAML 2.0) are, security-wise?
It seems dangerous to me to consolidate all your credentials. What if that account gets compromised?
We'd like to include single sign-on using SAML/Shibboleth on our web application. In this scenario, I believe we are acting as the service provider and another institution will be the identity provider. Do we absolutely need to register with a federation (such as InCommon), which requires a fee, in order to be a service provider?
Hey guys, I am trying to get the attributes in the attribute statement of a SAML 2.0 response and set them into Java objects (a String, basically). Any ideas on how this can be achieved?
In rebuilding my lab in 7.0.2, I had a hard time getting SSL VPN with Azure SAML IdP working right. The symptom was that when I got redirected to /remote/saml/login/ I would get an "invalid http request" message, and debugs for samld griped about an invalid signature. And after staring at the config for what felt like forever, I saw something that piqued my interest:
config user saml
edit "azure.saml.idp"
set cert "cert"
set entity-id "https://<ssl_vpn_fqdn>/remote/saml/metadata/"
set single-sign-on-url "https://<ssl_vpn_fqdn>/remote/saml/login/"
set single-logout-url "https://<ssl_vpn_fqdn>/remote/saml/logout/"
set idp-entity-id "https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxx/"
set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxx/saml2"
set idp-single-logout-url "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxx/saml2"
set idp-cert "sso.azure"
set user-name "username"
set digest-method sha1
next
end
I hadn't seen that setting (digest-method) before, so when I looked at it closer I noticed that it had 2 values; the default is SHA1, so I changed it to SHA256. And it started working. Hope this helps.
Madman out.
I am acting as a service provider and have the following questions:
Hello All,
Wondering if you could possibly help. We are trying to get SAML 2.0 working on ONTAP 9.6 System Manager. We have most of the setup working correctly; we use SAML in other applications, so this isn't terribly new.
The issue we are having is trying to get ONTAP to authenticate with Duo Access Gateway. The problem is that we are getting the following error:
https://preview.redd.it/p0t025raso651.png?width=1446&format=png&auto=webp&s=d94866516001e9d42d56e211e4ae3193c1cb6d4a
We have the parameter attribute mapped to sAMAccountName in AD, but for some reason it's still trying to pull UID. Does anyone have experience with SAML setup on ONTAP 9 System Manager? It seems like the best practice guide has more details on OCUM setup for SAML than on SM.
In the shibd.log I see the following skipped unmapped Attributes:
[kern_shibd:info:61571] INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping unmapped SAML 2.0 Attribute with Name: distinguishedName, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping unmapped SAML 2.0 Attribute with Name: sAMAccountName, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
[kern_shibd:info:61571] INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping unmapped SAML 2.0 Attribute with Name: mail, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
[kern_shibd:info:61571] INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping unmapped SAML 2.0 Attribute with Name: duo_username, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
[kern_shibd:info:61571] INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping unmapped SAML 2.0 Attribute with Name: "urn:oid:0.9.2342.19200300.100.1.1", Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
[kern_shibd:info:61571] INFO Shibboleth.SessionCache [1] [default]: new session created: ID (_d2c35b78db7661af03599ce5bb46349a) IdP (https://example.com/dag/saml2/idp/metadata.php) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (W.X.Y.Z)
[kern_shibd:info:61571] INFO Shibboleth-TRANSACTION [1] [default]: New session (ID: _d2c35b78db7661af03599ce5bb46349a) with (applicationId: default) for principal from (IdP: https://example.com/dag/saml2/idp/metadata.php) at (ClientAddress: W.X.Y.Z) with (NameIdentifier: _7bc18d77a263c2a933d0dd229f5ccc33be8370614a) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _9ef0
As the title says, management is pushing hard to phase out ADFS and wants to implement PortalGuard SAML 2.0 for SSO for our users.
Would we be giving anything up or putting ourselves into a difficult situation by going this route?
I've heard a few things anecdotally, but don't have anything to tell them up or down at this point. Does anyone know more about this than I do?
I'm a beginner exploring SAML authentication. I was reading up on consuming SAP OData services and saw that SAP accepts a SAML assertion received from ADFS. I'm looking at a service-to-service authentication scenario where I won't have an end user but a service principal instead (an AAD app). Will I be able to get the SAML assertion from ADFS using the credentials of this service principal (which would be the client ID and secret)?
In the below link it has been mentioned that SAML 2.0 Bearer Assertion Flow can be used when user interaction is not necessary.
https://wiki.scn.sap.com/wiki/display/Security/OAuth+2.0+-+Constrained+Authorization+and+Single+Sign-On+for+OData+Services
I'm attempting to locate a service or project that allows for testing and debugging SAML 2.0 interactions. In my mind, it'd be a simple "service provider" that would display the received SAML information. I know I can debug the data being sent to an actual service, but I'm looking to test different configurations and am hoping not to have to delete users' information on real systems for testing.
So far I've found https://samltest.id/ but can't seem to get that working with Azure AD.
One of the core issues that I believe is causing problems at my company is identity. Shared accounts for vendor sites (not just IT), juggling SSH keys for dev/test/qa/prod environments, permissions for our core business apps (CRM/ERP/customer service ticketing), Windows share drive permissions, and even G Suite shared folder permissions are all a mess (or non-existent). We have an MSP that handles all our on-prem (Windows) servers and AD, but I'm really losing faith in them because their management of our AD is completely inadequate. They refuse to manage any *nix servers, so that burden came over to me.
Enough with the rant. I'm testing various systems out, and I think I know what I want to do, but I'd like to hear if someone here has some first-hand experience with any parts of the "stack". Unfortunately we use Paycom for HR related stuff, and they don't really integrate with shit.
Target State
Current State
Hi all,
How do I achieve SSO with SAML on Azure AD in Web API 2.0 or MVC?
If anybody knows, please provide full implementation steps with details.
Thanks in advance
Does anyone have any good tutorials or resources where I can learn how to implement SSO using SAML 2.0? I chanced upon passport.js (SAML strategy) and saml2-js, which can be used to implement SAML authentication. But I would like to understand it by building a demo application.
Ignore all documentation you ever read.
The SSO Address and SLO Address for SAML 2.0 applications should be the following:
https://adfs.contoso.com/adfs/ls
This is it. Nothing else. Do not use ?wa=signout1.0 on the end of your addresses.
I don't care WHAT your vendor documentation says. Do not do it.
For SAML 2.0 Applications, do the above.
P.S. If SLO doesn't work from your app, have your SAML 2.0 application sign their logout requests. This is required.
Thank me later for simplifying your ADFS SP configurations.
Hi all,
I'm currently trying to configure SharePoint 2016 with Keycloak via AD FS (since, AFAIK, SharePoint still doesn't support SAML 2.0).
Unfortunately I'm struggling to find detailed documentation on this topic, regarding both the SharePoint <=> AD FS and the AD FS <=> Keycloak (or other SAML 2.0 IdP) configuration.
The goal I'm trying to achieve is to have, e.g., some form of non-SharePoint-related web app (e.g. React based) that also uses the same IdP (Keycloak in my setup); the user signs in via the IdP, and the React app could then make REST calls to SharePoint to get, for example, a search result for the current user, without having to log in to SharePoint, since the user has a valid session with the IdP.
Is this at all possible?
As far as I understand it, the solution is to let AD FS pass the claims from Keycloak / SAML 2.0 over to SharePoint?
Am I on the right track here at all?
Does anyone know a proper documentation or can point me in the right direction?
Many thanks in advance!
As per the title, we have a web app (hosted on Azure App Services) for which I've managed to get user authentication working with our Azure AD accounts via SAML 2.0. It's all in the same Azure tenancy, btw.
So even though the SAML auth is working, there are two parts that aren't working as expected.
I've been speaking with the app devs and they've said that they have directory synchronization for Windows AD and LDAP via a button in the backend of the app which does a manual sync, but this won't work with Azure AD.
I've seen other web-based apps use directory sync with Azure AD (Mimecast, for example), so given that our app can use SAML 2.0, and the devs can get it to sync on demand for Windows AD and LDAP, maybe I can also get it working with Azure AD.
The devs have told me this will be custom work if they have to do it.
Is it possible? If so, how?
Here are a few support articles the devs have, based around Windows AD, Azure PaaS deployment (which is the guide I used to get it set up in the first place), and Azure SAML authentication (which is woefully out of date and missing critical steps).
Thanks in advance.
https://knowledgehub.intelledox.com/docs/windows-active-directory
https://knowledgehub.intelledox.com/docs/infiniti-azure-ad-saml-extension
https://knowledgehub.intelledox.com/docs/deploying-guide
https://ixsupport.intelledox.com/kb/a631/user-directory-sync-for-ad-and-ldap.aspx
[https://ixsupport.intelledox.com/kb/a5
We have an ADFS 3.0 deployment, which is planned to be used for a third-party application hosted outside of the business environment. The third-party application requires SAML 2.0 authentication to be available.
In my case, I (believe) I have configured SAML 2.0 authentication as described by a few other SaaS providers, and as far as I am aware they are set up exactly the same way we have ours configured.
The challenge I am running into is that when the SaaS provider's app tries to authenticate against our ADFS servers, their application logs "The SAML response isn't signed".
We are using a globally trusted public certificate for Token Signing/Token Decryption and Service communications. I have provided the .cer of the Token signing cert to the application vendor which they have plugged into their Authentication mechanism.
Other than the above-mentioned error, I do not see any errors in the "Applications and Services Logs\AD FS\Admin" log or in "Applications and Services Logs\AD FS Tracing\Debug" (I have enabled debugging).
Sorry for the long rant. I would like to think I have provided all relevant information in regard to the problem, but at this point I am at a complete loss and hoping that someone can provide me some direction.
Here is a screenshot of the SAML Request: http://imgur.com/hSaNc4w
Here is a screenshot of the SAML Response: http://imgur.com/dYAtDtn
From SAML Chrome Panel, here is the SAML output:
<samlp:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://site.domain.com/SSO/SAML2/AssertionConsumerService.aspx" ID="_9ae33c70-f633-4a89-a95f-06fb0b0e8349" IssueInstant="2017-06-14T16:48:07.012Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.domain.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_9ae33c70-f633-4a89-a95f-06fb0b0e8349">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>qg3Sa7rBGqvmqw85nb66P4