I'm using saml php toolkit and aiming to make azure as idp for authentication.! can anybody here . can help me for the idp configuration to submit and receive reply.
You can get started from http://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/. It shows us a lot of scenarios. Based on your description, you have not described your scenario's details, so it is a bit difficult for us to provide more information at this stage. However since you're using SAML, I’d like to suggest you to look at the first scenario in the document: Web Browser to Web Application. Detailed registration guideline can be found at https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx. After Azure registration is complete, it’s needed to follow the steps in http://developers.onelogin.com/v1.0/page/saml-toolkit-for-php to register in OneLogin. Please use the URL like https://login.windows.net/[TenantDomainName]/FederationMetadata/2007-06/FederationMetadata.xml instead of OneLogin's own identity provider URL. More information can be found at https://msdn.microsoft.com/en-us/library/azure/dn195583.aspx. Please feel free to let us know if you need further assistance.
Related
Hello to all
I am new in Amazon Alexa, I have a work to Alexa Skill account linking using PHP with oauth 2.0.
I have successfully configured all and also get code for Auth Code Grant but when I run my code in Chrome Browser it is generating Account linking Failed issue but when I run same URL in Firefox it generates Amazon linking failed with ERROR=missing-state.
Please help me to resolve my issue, any help would be highly appreciated.
Implementing Account Linking is tricky at times. The thing is at some point what happens between Alexa and the OAuth2 server is transparent for the Skill (Lambda), for example the process of refreshing a token among others, that is why I suggest you take a look at the references cited below.
Also because of the error shown, it seems that the parameter code is missing in one of the URLs exchanged back and forth between either the Alexa web console or Alexa mobile app and the OAuth2 server. Please verify it is always the same and is always present in the URLs. Implementing a proxy for sure will help on debugging this issue.
I would suggest you take a look at these great sources:
Debugging Account Linking
Using API Gateway to Debug Account Linking issues
I hope this helps somehow.
Cheers
My question is not deeply technical but more of a system architectural one.
I'm designing an API backend in Go Lang. I'd like to have several clients, like a web server, cell phones etc.. I imagine that all these clients should have a secret API key so to validate that they can use the API. At the same time the web frontend is going to have a lot of users with different restrictions. I'd like for these users to be able to log in with their facebook or Google account. That should require OAuth authentication as I understand. My question is now where should I add the OAuth. Only in the frontend and then save the user in session or also between the frontend and the backend. I'm highly confused about how I should set up this communication and authentication.
I'm building the web server in PHP and I'd like the web frontend to be really light weight and more or less only function as en empty shell/view for the Go API. I've build systems in plain PHP/MySQL before but I'd like to make a shift to Go based APIs.
How would a URI look like to the API from the web server frontend for let's say a show profile page? I imagine something like a GET call to "http.//backend.com:3000/[api-key]/[api-secret][oauth-token?]/profile. Then some middleware to authenticate the web client and another piece of middleware to authenticate the user. Would that be "the right" approach?
I hope you guys can point me in the right direction.
Thanks in advance.
If you look at your facebook or google developer docs, you will find examples on how to integrate with their oauth login systems.
OAuth, or at least the last step of it, really must be done on the back end as you have to assume your front end is a bad guy hitting your system.
For go oauth, take a look at: https://github.com/golang/oauth2
You will likely have a http.HandlerFunc("/oauth/google",yourGoogleFunc)
and http.HandlerFunc("/oauth/facebook",yourFBFunc)
type thing, then you register that URL on your dev account with those companies.
while testing, it's easiest to use localhost:8080 (or whatever) as the callback url so it works on any machine as long as you are using a local browser.
That's my need: my company run a web-application coded with classic asp. Now one of our customer want that application to use SSO with their own IdP using SAML 2.0. So I have to interface with that service to verify users credential and then granting access.
I search the web to know about SAML protocol and, as far as I understood, my web-app have to act as a Service Provider, but the SAML protocols and specs are quite complex.
So, that's the question: do you know any "middleware", Classic ASP or PHP based, that can help me dealing with this kind of authentication?
Thanks.
EDIT: googling around, I came across this one
https://onelogin.zendesk.com/entries/268420-saml-toolkit-for-php
Anyone knows it?
SimpleSAMLPHP is a solid library, however, I would guess that it's far more than what you are looking for... It's an implementation with both SP and IdP code, and, while it has the name "simple" in it, is far more complex than what you need.
I would suggest you try looking at Kentor's open source stuff:
http://coding.abel.nu/2013/09/an-open-source-asp-net-saml2-service-provider/ It's pretty recent, and I've seen others use it successfully.
Yes, your application has to act as a Service Provider.
Try SimpleSAMLphp Service Provider. I haven't used it personally for integration with an existing application, but seems it should work for you.
Please refer: http://simplesamlphp.org/docs/1.5/simplesamlphp-sp#section_6
Try OpenAm's Fedlet library for .Net applications :
http://docs.forgerock.org/en/openam/10.1.0/dev-guide/index/chap-fedlet-dotnet.html
Story is that I need to make my website act as Identity Provider (read: IDP). Website itself is on Zend platform. Idea is making a IDP controller by which Service Providers (read: SP) contacts IDP. As it must be part of the website, I would need to include some extension, which could be easily used for responding SAML requests from SP.
I have found list of PHP extensions from:
https://wiki.surfnetlabs.nl/display/OSP/RFC+-+OpenSAMLphp,+a+new+PHP+library+for+SAML+2.0+support
All of these extensions have little documentation or are too complex. For example I haven't found a way to use SimpleSamlPHP in my application and also extracting useful code out of it looks very time consuming (which I really don't have anymore). Also I find all of them hard to implement into website.
I have been googling and checking github for days now, trying to find easy way to use some library (right now I'm trying to implement Lasso, which seems reasonable, but unfortunately lacks good examples / information how to use it as IDP).
Any kind of criticism, ideas, help or tutorial/code examples would be useful.
I wrote a guide about how deploy on an open source software (Tiki-wiki) an IdP using simplesamlphp, and how to connect the IdP to google or salesforce. Take a look:
https://github.com/pitbulk/tiki-saml/blob/master/doc/tiki_wiki_as_idp.rst
SimpleSAMLphp seems intimidating at first but it can handle all the SAML responses for you.
Have you looked at creating custom authentication module - http://simplesamlphp.org/docs/stable/simplesamlphp-customauth
You can tie this module to your existing login mechanism pretty easily.
Check out PingFederate and the PHP Integration Kit from Ping Identity. Alternatively there is the Agentless Integration Kit (instead of PHP) which allows you to integrate using a RESTful API call to the PingFed server instead of embedding any PHP libraries.
HTH,
Ian
Hey all,
I'm redesigning the infrastructure for a website, and I want to make the login system use the accounts on our Google Apps. How would I be able to do something like this? I'm using PHP for the backend.
Thanks for any help.
-Trey
OAuth is one way, but it might be easier to implement OpenID, which is already provided by Google Apps. See Google Apps domain as OpenID provider
Take a look at the Google Login PHP class. It is no longer under active development and there is no support provided for it, but it should give you something to work off of. Also be sure to look Google Federated Login as a reference.