How can I talk to ADFS with Java?

We have a website powered by Caucho Resin. The vast majority of it is JSP / Java. We have our own authentication on the site, which means we do not use third-party authentication platforms. We host the site, not our customers.

Our large customers want their users to log in to our site with their existing credentials. For this, I assume I will be talking to ADFS using SAML; please correct me if that is not the case.

So my question is: how do I do this with Java? From what I can tell, there is OpenSAML, which sounds like it does not do everything, and if I want more I need to use Shibboleth. Are there other alternatives? If all I want is for users to be able to log in, what is my best option?

Any info would help. Thanks.

EDIT: I just found out that the other option would be OAuth. Pros? Cons?

+4
2 answers

Your application must act as a SAML SP, either directly (from your own code) or indirectly (for example, through SAML SP support in a reverse proxy, the application server, ...).

For the direct options (which require more changes to your application) you can:

  • write the SAML SP yourself (most likely with OpenSAML; you can find examples in the sources of existing products)
  • use a ready-made product that integrates into your application, for example Spring SAML or the OpenAM Fedlet

For the indirect options (which require fewer changes to your application) you can:

  • use the Shibboleth SAML SP module on your Apache reverse proxy (if you use one)
  • deploy a SAML SP as another application in your container (e.g. Spring SAML or OpenAM) and have it interact with your application, so that the SAML SP authenticates against ADFS and passes the result to your application, for example via a shared cookie or a user token

You can find more details and comparison considerations in this thread.

ADFS 3 should have OAuth authorization server support, and it might be easier to integrate; see here and here. Implementing authentication with OAuth is usually much simpler than with SAML, without any significant drawbacks.

+9

The Resin authenticators that Caucho provides will not help with federation. Instead, you need to add a ServletFilter that looks for unauthenticated users. When it finds one, you redirect them to the login page. There you should ask the user whether they want to log in directly to your site or through another organization. (This can be done by displaying the username and password form plus the logos of the trusted third-party organizations.) In the first case, direct login, use the Resin Authenticator to check the local user against your user repository, or however you are doing it now. For the federated case, use SAML.

Federation begins by sending an authentication request to the trusted partner (the ADFS server). This is a small XML document packaged in a form, and a few things in it need to change for each request (for example, the creation time). This can be done with String.format; nothing complicated. Send this authentication request to the SAML server (e.g. ADFS) of the organization the user selected. The user logs in there, and the server sends an authentication response to an "Assertion Consumer Service" that you need to create.

The ACS is the only endpoint that receives a SAML authentication response. It must be an unauthenticated endpoint that parses and verifies the response from ADFS. Use OpenSAML for this. There are many things you need to do to make sure the response is genuine. For example, you must verify the digital signature on the assertion. You also need to check the issue time so that it is not in the future. Make sure the assertion is meant for you by checking the addressee in the subject confirmation data, the audience and the recipient. And so on.

If this goes beyond what you would like to code, look at an open-source or commercial SAML server. It must be able to function as an SP and should run in Resin so that everything stays simple. One candidate, medium-sized and lightweight, is Asimba. (The company I work for is the developer of this project.) You can deploy it to Resin, and it will take care of the request and the response.

OAuth Note

What you are considering here is federation (or web single sign-on). OAuth is not suitable for federation; it is a protocol for delegating authorization. The OpenID Foundation has extended OAuth 2 to support federation in the OpenID Connect profile of OAuth. ADFS does not support this federation protocol and is limited to WS-Federation and SAML. Therefore, you should not look at OAuth if ADFS will be used by your partners.

+4
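The flow the answer above describes, as an added example that is not part of the original answer and is not Asimba's or OpenSAML's code: the AuthnRequest built from a String.format template, the Response parsed defensively at the unauthenticated ACS, and the checks the answer lists (issue time not in the future, audience, recipient, matching request ID, validity window) applied in plain JDK code. The entity IDs, URLs, the 180-second clock-skew allowance and the sample Response are assumptions constructed for the example. Signature verification is deliberately not shown and is a precondition of `validateResponse`; do it with OpenSAML or `javax.xml.crypto.dsig` against ADFS's token-signing certificate before trusting any of these checks.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.UUID;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
public class SamlSpSketch {
    // Assumed identifiers; in practice they come from your SP configuration and ADFS's federation metadata.
    static final String SP_ENTITY_ID = "https://sp.example.com/saml/metadata";
    static final String ACS_URL = "https://sp.example.com/saml/acs";
    static final String ADFS_SSO_URL = "https://adfs.example.org/adfs/ls/";
    static final String ADFS_ISSUER = "http://adfs.example.org/adfs/services/trust";
    static final String NS_P = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String NS_A = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final long SKEW = 180; // assumed tolerance (seconds) for clock drift between ADFS and the SP

    // Step 1: the AuthnRequest template. Only ID and IssueInstant vary; keep the ID in the user's session so the
    // ACS can later check InResponseTo. IDs are xs:ID values, hence the "_" prefix (must not start with a digit).
    static String buildAuthnRequest(String requestId, Instant now) {
        return String.format(
            "<samlp:AuthnRequest xmlns:samlp=\"%s\" xmlns:saml=\"%s\" ID=\"%s\" Version=\"2.0\" IssueInstant=\"%s\""
          + " Destination=\"%s\" AssertionConsumerServiceURL=\"%s\""
          + " ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"><saml:Issuer>%s</saml:Issuer>"
          + "</samlp:AuthnRequest>", NS_P, NS_A, requestId, now, ADFS_SSO_URL, ACS_URL, SP_ENTITY_ID);
    }

    // Step 2 (ACS): the endpoint is unauthenticated, so parse with DTDs disabled (no XXE) before trusting anything.
    static Element parseResponse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();
    }
    static Element first(Element scope, String ns, String local) {
        NodeList nl = scope.getElementsByTagNameNS(ns, local);
        return nl.getLength() == 0 ? null : (Element) nl.item(0);
    }
    static String text(Element scope, String ns, String local) {
        Element e = first(scope, ns, local);
        return e == null ? null : e.getTextContent().trim();
    }
    static boolean expired(String notOnOrAfter, Instant now) {
        return !now.minusSeconds(SKEW).isBefore(Instant.parse(notOnOrAfter));
    }
    // The checks the answer lists. Precondition NOT done here: the Assertion's XML signature was verified against
    // ADFS's token-signing certificate, and the signed element is the one read below (not a second, unsigned one).
    static String validateResponse(Element resp, String expectedRequestId, Instant now) {
        Element status = first(resp, NS_P, "StatusCode");
        if (status == null || !"urn:oasis:names:tc:SAML:2.0:status:Success".equals(status.getAttribute("Value")))
            throw new SecurityException("ADFS did not report success");
        if (!expectedRequestId.equals(resp.getAttribute("InResponseTo")))
            throw new SecurityException("InResponseTo does not match a request we issued");
        Element assertion = first(resp, NS_A, "Assertion");
        if (assertion == null) throw new SecurityException("no Assertion in Response");
        if (!ADFS_ISSUER.equals(text(assertion, NS_A, "Issuer")))
            throw new SecurityException("Assertion not issued by the expected ADFS instance");
        if (Instant.parse(assertion.getAttribute("IssueInstant")).isAfter(now.plusSeconds(SKEW)))
            throw new SecurityException("IssueInstant is in the future");
        Element cond = first(assertion, NS_A, "Conditions");
        if (cond == null) throw new SecurityException("Assertion has no Conditions");
        if (cond.hasAttribute("NotBefore") && now.plusSeconds(SKEW).isBefore(Instant.parse(cond.getAttribute("NotBefore"))))
            throw new SecurityException("Assertion is not yet valid");
        if (cond.hasAttribute("NotOnOrAfter") && expired(cond.getAttribute("NotOnOrAfter"), now))
            throw new SecurityException("Assertion has expired");
        if (!SP_ENTITY_ID.equals(text(cond, NS_A, "Audience")))
            throw new SecurityException("Assertion is addressed to a different audience");
        Element scd = first(assertion, NS_A, "SubjectConfirmationData");
        if (scd == null || !ACS_URL.equals(scd.getAttribute("Recipient"))
                || !expectedRequestId.equals(scd.getAttribute("InResponseTo"))
                || (scd.hasAttribute("NotOnOrAfter") && expired(scd.getAttribute("NotOnOrAfter"), now)))
            throw new SecurityException("SubjectConfirmationData does not name this ACS and request, or has expired");
        String nameId = text(assertion, NS_A, "NameID");
        if (nameId == null || nameId.isEmpty()) throw new SecurityException("no NameID in Assertion");
        return nameId;
    }
    public static void main(String[] args) throws Exception {
        Instant now = Instant.parse("2024-01-15T10:00:00Z"); // fixed clock so the constructed sample validates
        String reqId = "_" + UUID.randomUUID();
        System.out.println(buildAuthnRequest(reqId, now)); // base64 this into the SAMLRequest form field
        // Constructed sample Response (signature omitted) shaped like what ADFS POSTs to the ACS.
        String sample = "<samlp:Response xmlns:samlp=\"" + NS_P + "\" xmlns:saml=\"" + NS_A + "\" ID=\"_r1\""
          + " Version=\"2.0\" InResponseTo=\"" + reqId + "\" IssueInstant=\"2024-01-15T09:59:58Z\"><samlp:Status>"
          + "<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status>"
          + "<saml:Assertion ID=\"_a1\" Version=\"2.0\" IssueInstant=\"2024-01-15T09:59:58Z\">"
          + "<saml:Issuer>" + ADFS_ISSUER + "</saml:Issuer><saml:Subject><saml:NameID>alice@example.org</saml:NameID>"
          + "<saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><saml:SubjectConfirmationData"
          + " Recipient=\"" + ACS_URL + "\" InResponseTo=\"" + reqId + "\" NotOnOrAfter=\"2024-01-15T10:05:00Z\"/>"
          + "</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore=\"2024-01-15T09:59:58Z\""
          + " NotOnOrAfter=\"2024-01-15T10:05:00Z\"><saml:AudienceRestriction><saml:Audience>" + SP_ENTITY_ID
          + "</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>";
        System.out.println("authenticated as " + validateResponse(parseResponse(sample), reqId, now));
        try { validateResponse(parseResponse(sample), "_some-other-request", now); } // replay for another request
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

With the HTTP-POST binding the AuthnRequest is base64-encoded (no DEFLATE; that is only for the HTTP-Redirect binding) into a hidden `SAMLRequest` field of an auto-submitting form whose action is the `Destination` URL. In the ServletFilter design above, the ACS servlet would call `parseResponse` and then, only after the signature check, `validateResponse`; the returned NameID is what you map to a local user before creating the session. Keep the per-request ID in the session and clear it once consumed, so a captured Response cannot be replayed into a second login.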

Source: https://habr.com/ru/post/1244937/