EzDevInfo.com

single-sign-on interview questions

Top single-sign-on frequently asked interview questions

What is SAML?

I saw an interesting blank page today titled "saml post profile intersite transit."

  • What is SAML?
  • What was it created for?
  • What is it commonly used for?
  • What was the page I mentioned above all about?
  • What functions does it provide that it's rarely used for but are otherwise interesting?
  • Is there something better or other technology that competes with it?

Source: (StackOverflow)

How to use Windows login for single-sign-on and for Active Directory entries for Desktop Java application?

I'd like to have my desktop Java application to have single sign on related to Active Directory users. In two steps, I'd like to :

  1. Be sure that the particular user has logged in to Windows with some user entry.
  2. Check out some setup information for that user from the Active Directory

With http://stackoverflow.com/questions/31394/java-programatic-way-to-determine-current-windows-user I can get the name of the current Windows user but can I rely to that? I think the

System.getProperty("user.name")

won't be secure enough? ("user.name" seems to be got from environment variables, so I can't rely on that, I think?)

Question http://stackoverflow.com/questions/390150/authenticating-against-active-directory-with-java-on-linux provides me the authentication for given name+pass but I'd like to authenticate based on the Windows logon?

For the Active Directory access, the LDAP would probably be the choise?

I'm not totally sure if I'm asking the right questions but hopefully somebody has some ideas to forward me on.


Source: (StackOverflow)

Advertisements

Which CAS implementation to use in django?

Which CAS implementation should i use to enable CAS single sign on to my django app (trusing a specified CAS server, I'm not interested in creating a CAS provider) ? What I can find are the following:

I've used django-cas before, and it seems to work but seems kind of abandoned? django-cas-consumer at least seems to have more recent activity.

What are the actual pros and cons of each implementation? Are there other implementations I should use?


Source: (StackOverflow)

Implementing Single Sign On (SSO) using Django

I would like to use Django for implementing Single Sign On (SSO) for multiple applications that we currently use. How to implement SSO using Django ?. Are there any Django packages that can be utilized for implementing SSO ?

Please Help Thank You


Source: (StackOverflow)

How to build LDAP integration for my web app?

My company develops and sells a SaaS application that has hundreds of customers. Some of our customers have asked us to support LDAP integration for authenticating user accounts against their existing systems instead of having to create another login account for each of their employees. Seems like this is referred to as Single Sign On (SSO) in many places? Naturally our system already has a mechanism for maintaining user account profiles and authenticating those user accounts from our login page.

We're a bit ignorant about LDAP and are confused about a few things. Please excuse the possible use of wrong terminology (remember, we're a little ignorant about this).

We think we understand the basics of how this might work:

  • Our customer configures their account to "turn on" the "remote authentication" feature for their account. They provide the remote URL that will authenticate their users.
  • Users come to our login page and attempt a login using their username and password provided by their company's LDAP system.
  • Our login page will securely forward the login credentials (presumably encrypted and hashed in some agreed upon format) to the "remote authentication" URL provided by our customer.
  • The customer's script will authenticate the user and then redirect them back to our site with the "authentication status".
  • Our page will analyze the "authentication status" and either accept the user as logged in or not.

Assuming the above information is even semi-correct, we'll still need each user to have an account in our system. Won't we need some way to synchronize our user account profiles with the user profiles in the LDAP directory? Is this simply an "external ID" that references the user's ID in the LDAP system? Would it then be required that the customer's "remote authentication" script must provide that ID to our system so we know which user account in our system to associate the login with?

What are we missing?

BTW, our platform is IIS, ASP.Net 2.0, and SQL Server 2005.


Source: (StackOverflow)

Simple SSO - using custom authentication - CAS or some Oauth or openid server?

I'd like to know more about the different ways of solving Single Sign-On and their pros and cons. Have you worked with one particular solution, tell me what's good about it and tell me what the limitations or suboptimal parts are.

Below are the details of what I'd like to know, or don't understand.

SSO is a huge topic, as listed in the wikipedia. The more I learn the more questions I have.

First of all, I don't understand the need for token verifications of CAS, what is it good for?

Is it more secure? I guess it's vulnerable to man-in-the-middle attack like any. Should clients also use ssl?

Let's get real, this is our need: Automaticaly recognize/sign-in user if already logged in at one of our apps.

  • my-php-app.com
  • my-java-app.com
  • my-ruby-app.com

(we have many webapps, written in different languages)

We want (to keep) our own authentication rules and users store, but might add some Oauth2 provider, as facebook-connect. We want it dead simple for the users and simple for developers using it.

What would you do?

  • CAS?
  • Openid? Can I have centralized authentication with it?
  • Other? Or a server with OAuth?

On the client side, would you use an iframe, like lightbox, to show the redirected page? Why/Why not?


Yet another SSO related question: Saml is often (wrongly?) mixed into the SSO discussions - do I understand if I say that

a saml implementation would not provide sso (autologin) when pointing the browser to www.yetanother-myapp.com?


Some related SO questions I've studied:

Thanks for educating me!


Source: (StackOverflow)

Can you recommend a SAML 2.0 Identity Provider for test?

I'm implementing a SAML 2.0 Service Provider and need to install a SAML 2.0 Identity Provider for testing. Given this need, the Identity Provider should ideally be free (or have a trial period) and be easy to set up and configure.

I'm looking for basic single sign on and single log out functionality.

I've tried Sun Opensso Enterprise. The price is right, but so far it's been a nightmare to configure. Also, its error messaging and logging leaves a lot to be desired and I'm often troubleshooting an issue that basically boils down to a misconfiguration or a counterintuitive default setting.


Source: (StackOverflow)

Cross domain cookies

I have a small problem.

How do I set a cookie for multiple domains?

I do understand the security problems, and I am sure it has been done before. The reason for this is SSO.

ie.

account.domain.com will need to set domain logged in for:

domain.com, domain1.com, domain2.com.

Is there any easy way, using PHP and cookies, or any alternatives?


Source: (StackOverflow)

Custom Claim Handling Failed In Single Sign On

I am using WSO2 Identity Server for Single Sign On Implementations.

In my demo applications I am trying to get Custom claim attributes of authenticated User from my own JDBC Database.

I followed this blog of Pushpalanka.

This worked fine for the Identity Server 5.0.0

But when I updated Identity Server with latest Update "WSO2-IS-5.0.0-SP01", Custom Claim Handling stopped working.

Following is the error stack :

[2015-04-22 19:09:43,311] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Claim handling failed! org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException: Index: 0, Size: 0 at com.wso2.sample.claim.handler.CustomClaimHandler.handleLocalClaims(CustomClaimHandler.java:200) at com.wso2.sample.claim.handler.CustomClaimHandler.handleClaimMappings(CustomClaimHandler.java:66) at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handleClaimMappings(DefaultStepBasedSequenceHandler.java:604) at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handlePostAuthentication(DefaultStepBasedSequenceHandler.java:394) at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:134) at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:121) at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:94) at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:54) at javax.servlet.http.HttpServlet.service(HttpServlet.java:755) at javax.servlet.http.HttpServlet.service(HttpServlet.java:848) at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37) at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61) at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128) at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60) at javax.servlet.http.HttpServlet.service(HttpServlet.java:848) at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178) at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47) at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56) at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47) at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141) at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936) at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.IndexOutOfBoundsException: Index: 0, Size: 0 at java.util.ArrayList.rangeCheck(ArrayList.java:635) at java.util.ArrayList.get(ArrayList.java:411) at org.wso2.carbon.claim.mgt.ClaimManagerHandler.validateClaims(ClaimManagerHandler.java:668) at org.wso2.carbon.claim.mgt.ClaimManagerHandler.getMappingsFromOtherDialectToCarbon(ClaimManagerHandler.java:529) at org.wso2.carbon.claim.mgt.ClaimManagerHandler.getMappingsMapFromOtherDialectToCarbon(ClaimManagerHandler.java:614) at com.wso2.sample.claim.handler.CustomClaimHandler.handleLocalClaims(CustomClaimHandler.java:141).

According to my study on source code of Identity Server this problem is in Authentication Framework at org.wso2.identity.application.authentication.framewotk component.

The problem might be in validating claims but I didnt found any method named validateClaims in the source code.

In the source code given in blog post, Authentication Framework version - 4.2.2 is used.

I tried using latest version of Authentication Framework - 4.2.3.

But the problem is still in the same component.

I am still giving my efforts on this. I need some guidance on this.

Please someone help if I am missing something or any of you have faced same problem.

Thanks.


Source: (StackOverflow)

Something compareable to 'localtunnel' for Windows

I found this here http://github.com/progrium/localtunnel , and it's exactly what I need, but I am working on Windows and localtunnel is Unix...

Some backgorund: I am currently developing a Facebook app and the Single-Sign-On won't work on my local Tomcat.


Source: (StackOverflow)

Pass cookies from HttpURLConnection (java.net.CookieManager) to WebView (android.webkit.CookieManager)

I've seen answers about how this should work with the old DefaultHttpClient but there's not a good example for HttpURLConnection

I'm using HttpURLConnection to make requests to a web application. At the start of the my Android application, I use CookieHandler.setDefault(new CookieManager()) to automatically deal with the session cookies, and this is working fine.

At some point after the login, I want to show live pages from the web application to the user with a WebView instead of downloading data behind the scenes with HttpURLConnection. However, I want to use the same session I established earlier to prevent the user from having to login again.

How do I copy the cookies from java.net.CookieManager used by HttpURLConnection to android.webkit.CookieManager used by WebView so I can share the session?


Source: (StackOverflow)

Facebook authorization fails on iOS6 when switching FB account on device

I'm using die Facebook SDK 3.1.1 to implement FB Connect in my iOS application. This works fine in the simple case with either the new FB integration (logged in on iOS) or falling back to the normal authorization via web view (I do not have the native Facebook application installed in both cases). The problem occurs when I switch the account on iOS level. Logging out and logging in with a different FB user account.

To log in/authorize I perform:

[FBSession openActiveSessionWithReadPermissions:nil allowLoginUI:allowLoginUI
                                     completionHandler:^(FBSession *session, FBSessionState state, NSError *error) {
                                         [self sessionStateChanged:session state:state error:error];
                                     }];

If then get a FBSessionStateClosedLoginFailed every time even though I perform a closeAndClearTokenInformation when that state is reached:

- (void)sessionStateChanged:(FBSession *)session
                  state:(FBSessionState) state
                  error:(NSError *)error
{
    NSLog(@"Session State Changed: %u", [[FBSession activeSession] state]);
    switch (state) {
        case FBSessionStateOpen:
            break;
        case FBSessionStateClosed:
        case FBSessionStateClosedLoginFailed:
            NSLog(@"FBSessionStateClosedLoginFailed ERROR: %@", [error description]);
            [[FBSession activeSession] closeAndClearTokenInformation];
            break;
        default:
            break;
}

However, I receive the same state on every retry. My log says the following:

FBSDKLog: FBSession **INVALID** transition from FBSessionStateCreated to FBSessionStateClosed
FBSDKLog: FBSession transition from FBSessionStateCreated to FBSessionStateCreatedOpening 
FBSDKLog: FBSession transition from FBSessionStateCreatedOpening to FBSessionStateClosedLoginFailed Session State Changed: 257
FBSessionStateClosedLoginFailed TOKEN: (null)
FBSessionStateClosedLoginFailed ERROR: Error Domain=com.facebook.sdk Code=2 "The operation couldn’t be completed. (com.facebook.sdk error 2.)" UserInfo=0xb24cc20 {com.facebook.sdk:ErrorLoginFailedReason=com.facebook.sdk:ErrorLoginFailedReason}

Can anyone reproduce this or has any idea where the problem might lie?


Source: (StackOverflow)

Stackoverflow's use of localstorage for Authorization seems unsafe. Is this correct else how do we strengthen it?

I have been working on a Authentication and authorization module similar to how stackexchange is in place. Now I am sure they use a certain model of oAuth or a token generation server that authorizes uses to their various sites. I tried a little experiment.

Once I am logged into Stackoverflow, I delete all my cookies from the developer console.

I leave my localstorage object intact which contains a key se:fkey xxxxxxxxxxxxxxxxxxxxxxxxx for stackoverflow domain.

there is another key for stackauth domain GlobalLogin: xxxxxxxxxxxxxxxxxxxxxxx

the se.fkey if I used for a session hijack, nothing happened. but the GlobalLogin, I was able to copy and hijack my session. So, my query would be, how does S/O deal with the authorization post authentication for each one of the sites. Also, is there a way to invalidate the globalLogin for them after it is used once?

{EDIT1}

So, just the globalLogin alone is enough. If you can get that key, just open a private browsing instance. In the Localstorage for stackauth when you are in the login page, create the key-value mapping and refresh the page. You will be logged in.

{EDIT2}

The globalLogin key seems to be consistent across multiple sessions. It has been a day and no refresh of my globalLogin key. Safe to assume if you key is hijacked, the attacker will have access to your profile indefinitely.

{EDIT3}

For everyone who is voting and will vote for this question as not a programming related question. Let me put it this way, how do we store SSO's on the web browser with localstorage safely and since they are prone to get compromised, what do we need to do prevent it from happening? One of my colleagues was considerate enough to give me his GlobalLogin key, I was able to hijack his session from a different computer albeit it was on the same network.

Set the GlobalLogin key life this

PS: This is purely for theoretical understanding that I did this.


Source: (StackOverflow)

Generating hash key for app using facebook sdk

I am using facebook sdk for login into my application. The application runs fine on HTC devices. The application also works fine on Samsung devices if there is no facebook app pre installed.

But if there is already facebook app on mobile and then the user installs my app, the user is never logged in. From what I know, I think this might be a problem of single sign on, and I think this is somewhat related with generating proper application hash key, and using the hash key in facebook application which I used to log into the mobile app.

Please guide me how to create the hash key. I am running ubuntu 10.4.

When I run this command in terminal :-

keytool -exportcert -alias <your keystore alias name>.keystore -keystore ~/.android/<your keystore name>.keystore | openssl sha1 -binary | openssl base64

I am never prompted for password, though I am given the hash key.


Source: (StackOverflow)

Rails authentication across apps/servers

I've been developing my rails apps whilst keeping them as modular as possible. I'm trying to implement different parts underneath as services.

Say an example of Facebook:
a) A MainApp that allows the user to have a wall, posts, etc.
b) A PhotoApp that stores photos, allows the user to see his photos, etc. This is a standalone app that will have a REST API that can be used by MainApp as well.

I was thinking of using OAuth as a Single Sign On solution (as in this tutorial http://blog.joshsoftware.com/2010/12/16/multiple-applications-with-devise-omniauth-and-single-sign-on/) where each app will be authorized via OAuth and will get access to the current user session based on the cookie.

First question: Is this a viable solution?

Second question: I want to be able to call the PhotoApp API from the MainApp server (not from the user's browser). How would authentication work in this situation?

Third question: How would this work if say I had a service that used node.js?


Source: (StackOverflow)