
SSO without Identity Provider login page?

I have seen that some people who are using an SSO mechanism (SAML2 SSO, OpenID, OpenID Connect) have raised this question in several places. The answer is "Yes", it can be done. The simple way is that the service provider presents a login page to the end users (or the service provider retrieves the end user's credentials some other way) and then sends the credentials to the IdP with the login request.

But when it comes to the end user experience, I think we are trying to cheat the end user. We just present the login page in the service provider and ask for the credentials. The user then thinks that the credentials are given to the SP, but they are not; they have been given to the IdP.

However, let's see how this can be achieved with WSO2IS, which is an open source identity management server.

Request Path Authenticators in WSO2IS

In WSO2IS, Request Path Authenticators are a type of local authenticator meant to authenticate requests that already carry the user's credentials. By default, this is handled in the following two ways.

  • User Credentials in “sectoken” parameter
  • User Credentials in Authorization Header

The service provider can send the end user's credentials in the login request in either of the above two ways. In both cases the username and password are separated by a colon (:) and the result is Base64 encoded.

Please note that when sending the user credentials from the client application to WSO2 Identity Server, it is recommended to:

  • use SSL;
  • POST the parameters instead of GET. When the parameters are sent in a GET request, the URL contains the encoded credentials, which can then end up in the access log files of the Identity Server or of some other proxy server.

Try-out

Let's try the request path authenticator with the SAML2 SSO flow. You can find more details on configuring Identity Server as a SAML2 SSO IdP here; I assume that we have already gone through it. Then,

Step 1. In the Local & Outbound Authentication configuration, add the Request Path Authentication configuration as basic-auth.


Step 2. We need to modify the sample SSO application to send the end user's credentials. In the sample application, once the user credentials are entered, they must be sent to the Identity Server in either of the following ways.

1. In the Authorization header

Authorization: Basic <base64_encode(username:password)>

Important note: This may not work properly with SAML2 SSO, because the flow is a browser redirection and the SP cannot set an HTTP header on it.

2. In the sectoken parameter

sectoken=<base64_encode(username:password)>

As mentioned above, the SP needs to send the SAML2 AuthnRequest using the SAML2 SSO POST binding, NOT the redirect binding. You can find the modified war file for the updated sample application here. This sample uses the sectoken parameter.


Once you enter the credentials into the sample application, you will not see the IdP login page.
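As an added example (not code from this post or from the WSO2 sample application), the following Python builds the sectoken value from step 2, places it in a SAML2 POST-binding form, and contrasts that with the redirect binding, where the same token lands in the query string and therefore in an access log line. The IdP URL, the issuer name and the AuthnRequest are assumed or constructed for the example.

```python
import base64
import urllib.parse
import zlib

IDP_SSO_URL = "https://localhost:9443/samlsso"  # assumed WSO2IS SAML endpoint
# Constructed, unsigned AuthnRequest standing in for the sample SP's request.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'sample-sp.example</saml:Issuer></samlp:AuthnRequest>')

def encode_sectoken(username, password):
    """Base64("username:password"): the value for sectoken or 'Basic ...'."""
    if ":" in username:  # the receiver has to split on the first colon
        raise ValueError("username must not contain ':'")
    return base64.b64encode(f"{username}:{password}".encode()).decode()

def decode_sectoken(token):
    """Split on the FIRST colon only, so passwords containing ':' survive."""
    user, sep, pwd = base64.b64decode(token).decode().partition(":")
    return (user, pwd) if sep else None  # None: no colon, malformed token

def post_binding_form(username, password):
    """SAML2 POST binding: SAMLRequest and sectoken travel in the form body."""
    saml_request = base64.b64encode(AUTHN_REQUEST.encode()).decode()
    return IDP_SSO_URL, {"SAMLRequest": saml_request,
                         "sectoken": encode_sectoken(username, password)}

def redirect_binding_url(username, password):
    """Redirect binding (DEFLATE + Base64 + URL-encode): sectoken ends up in the URL."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = co.compress(AUTHN_REQUEST.encode()) + co.flush()
    query = urllib.parse.urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode(),
        "sectoken": encode_sectoken(username, password)})
    return f"{IDP_SSO_URL}?{query}"

def access_log_line(method, url):
    """Constructed Tomcat-style access log entry: request line, never the body."""
    p = urllib.parse.urlsplit(url)
    target = p.path + ("?" + p.query if p.query else "")
    return f'127.0.0.1 - - "{method} {target} HTTP/1.1" 302'

def credentials_in_log(line, username, password):
    """Defender check: can this log entry be decoded back to the credentials?"""
    target = line.split('"')[1].split(" ")[1]
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(target).query)
    return any(decode_sectoken(t) == (username, password) for t in qs.get("sectoken", []))
```

Running `credentials_in_log` over real access logs of the Identity Server or a fronting proxy is a quick way to confirm that no client is still using the GET variant.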

Thanks for reading!
