[mitreid-connect] mitreid-connect IDP: support additional authentication schemas.

Michael Furman michael_furman at hotmail.com
Sun Sep 4 06:08:53 EDT 2016


Hi Justin,
Thank you for the provided links!
Now it is clear that it is possible to replace the backend user repository and to use LDAP.
Now I want to replace the form authentication to something else.
I have tested and I see that the security:http-basic element works perfectly.

Will it be possible to support advanced authentication like SAML2 (we will create / reuse a SAML2 authenticator)?
Best regards,
   Michael


________________________________
From: Justin Richer <jricher at mit.edu>
Sent: Friday, September 2, 2016 1:42 PM
To: Michael Furman
Cc: mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] mitreid-connect IDP: support additional authentication schemas.

Oh, that's different, then - you're really just changing the primary authentication mechanism, which is controlled by the user-context.xml file as you've found. You'll also need to set up the UserInfoService to point to somewhere that can look up user information for you at runtime.

Take a look at the LDAP-based server or the MIT server for examples on how to do this:

https://github.com/mitreid-connect/ldap-openid-connect-server
https://github.com/MIT-Mobile/oidc.mit.edu/


 - Justin

On Sep 1, 2016, at 6:11 PM, Michael Furman <michael_furman at hotmail.com> wrote:


Hi Justin,
Thank you!
I just want to override user-context.xml and configure additional authentication methods in addition to security:form-login.
For example security:http-basic.
Why is it not possible?
I do not need the client and RP to ever see the Basic Authentication header (or the Kerberos tickets), but I need the IDP to see it.
Best regards,
   Michael


________________________________
From: Justin Richer <jricher at mit.edu>
Sent: Thursday, September 1, 2016 5:18 PM
To: Michael Furman; mitreid-connect at mit.edu
Subject: RE: [mitreid-connect] mitreid-connect IDP: support additional authentication schemas.

No, this won't work and isn't using OAuth properly. You don't want the client app to intercept the credentials, you can have the server accept them directly. We've deployed the server using Kerberos authentication, but the client and rp never see the Kerberos tickets.

--Justin

 Sent from my phone

-------- Original message --------
From: Michael Furman <michael_furman at hotmail.com>
Date: 9/1/16 4:46 PM (GMT+02:00)
To: mitreid-connect at mit.edu
Subject: [mitreid-connect] mitreid-connect IDP: support additional authentication schemas.


Hi all,
I want to extend mitreid-connect IDP and to support additional authentication schemas, like Basic Authentication (or Kerberos).
I read the following document:

https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Server-configuration

In the current version we have RestAPI clients that access our application with Basic Authentication.

I just want to ensure the following flow will work when we start to use OpenID-Connect.

1) A RestAPI client accesses the RP (our application) with the Basic Authentication header
2) The RP redirects the request to the mitreid-connect IDP using the OpenID-Connect protocol
3) The modified mitreid-connect IDP authenticates the request using the Basic Authentication header
4) The mitreid-connect IDP redirects the request back using the OpenID-Connect protocol
5) The RP (our application) authenticates the request using the OpenID-Connect protocol
Also, I hope the same flow will work for other authentication schemas (e.g. Kerberos).
Thank you in advance for your help.
Best regards,
   Michael
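The configuration Justin describes above (change the primary authentication mechanism in user-context.xml so that the IdP itself accepts HTTP Basic alongside the login form, and back it with a directory that can look users up at runtime), as an added illustration that is not taken from this thread or from the MITREid Connect project's files. The element names are the Spring Security XML namespace used by the server; the LDAP URL, search bases, filter and bean ids are assumptions for this example.

```xml
<!-- Illustrative user-context.xml fragment (added example, not the project's file).
     Spring Security XML namespace, prefix "security:" as in the thread.
     LDAP URL, search bases, filter and bean ids are assumptions for this example. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Primary authentication happens at the IdP. Browser users still get the
       login form; a REST client sends "Authorization: Basic ..." directly to
       the IdP's /authorize endpoint. The RP only redirects and never handles
       the credential, which is the point Justin makes above. -->
  <security:http use-expressions="true" disable-url-rewriting="true">
    <security:intercept-url pattern="/authorize" access="hasRole('ROLE_USER')" />
    <security:intercept-url pattern="/**" access="permitAll" />

    <!-- Interactive users: form login, as in the stock server. -->
    <security:form-login login-page="/login"
                         authentication-failure-url="/login?error=failure" />

    <!-- Non-interactive clients: HTTP Basic, checked by the same
         authentication-manager. With both elements present, Spring Security
         challenges unauthenticated requests with the form-login entry point,
         but the Basic filter still authenticates any request that already
         carries an Authorization header. -->
    <security:http-basic />

    <security:logout logout-url="/logout" />
    <security:headers>
      <security:frame-options policy="DENY" />
    </security:headers>
  </security:http>

  <!-- Backend user store: LDAP instead of the in-memory user-service.
       Assumed directory layout; adjust the base DNs and filter to yours. -->
  <security:ldap-server id="corpLdap"
                        url="ldap://ldap.example.com:389/dc=example,dc=com" />

  <security:authentication-manager id="authenticationManager">
    <security:ldap-authentication-provider server-ref="corpLdap"
                                           user-search-base="ou=people"
                                           user-search-filter="(uid={0})"
                                           group-search-base="ou=groups"
                                           role-prefix="ROLE_" />
  </security:authentication-manager>

</beans>
```

Two practical notes. First, this only covers who may authenticate; as Justin says, the server's UserInfoService (and the UserInfoRepository behind it) must also be pointed at the same directory so that the username produced by the LDAP provider can be resolved into claims at runtime, which is what the linked ldap-openid-connect-server repository does. Second, because HTTP Basic sends the password on every request, the IdP should be reachable over TLS only; the RP never sees the header, but the network between the REST client and the IdP does.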
