All Questions
27 questions
1 vote, 1 answer, 562 views
How can I fully trust a SAML IDP?
My web application is allowing SSO via SAML authentication and I am doing the development now. The idea is that this bypasses my application's local authentication and the user is automatically ...
0 votes, 1 answer, 1k views
How to set up a single SAML app for all the tenants of a multi-tenant app (having different domain URLs)?
App Architecture:
We have a multi-tenant setup where every tenant has its own URL.
Every tenant has its own schema and configurations.
Problem:
We need a single SAML app that could be integrated ...
0 votes, 1 answer, 2k views
SSO using SAML with Spring Security for REST service
I have a REST service on Spring Boot and now need to add SSO using SAML to it. I'm new to SAML / Spring Security and am trying to understand the main pieces which need to be added to my application.
My ...
0 votes, 0 answers, 72 views
Can SAML assign/send the same browser ID for two users who have different authentication user IDs?
I am not a Security Engineer, but here is the issue. Two users (A & B) live in different states. Each user logs into the network with an assigned user ID and password. One day User A logged into an ...
0 votes, 1 answer, 2k views
Understanding Entity ID: when the URI is a URL, should I use HTTP or HTTPS?
When setting up an SSO solution, in my case using Okta, there are the following elements to define:
IdP Server Issuer/Entity ID - http://www.okta.com/dskjeoirueiuaksjdkfj
SP Issuer/Entity ID - http:/...
0 votes, 1 answer, 3k views
How to prevent replay attacks in IDP-initiated SSO using SAML2
In IDP-initiated SSO, the SAML response from the IDP could be prone to replay attacks. Since the SP has no awareness of the IDP-initiated session until it gets the response, what are the possible ways to ...
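The checks below are an added example for the question above, not code from the post or from any library it mentions. Python is used because the checks are protocol-level and not tied to the Spring or .NET stacks that other questions on this page use. The code deliberately does nothing about the XML signature (that must already have been verified, and is a separate concern); it shows what a valid signature alone does not give an SP: a Destination bound to our ACS URL, a Success status, an Issuer and Audience we expect, a NotBefore/NotOnOrAfter window with bounded clock skew, and a cache of accepted assertion IDs so a captured response cannot be posted twice. For IdP-initiated SSO there is no AuthnRequest to correlate, so the check inverts: an unsolicited response must not carry InResponseTo at all, otherwise it is a replayed SP-initiated response. SP_ENTITY_ID, IDP_ENTITY_ID, ACS_URL, the two-minute skew and the sample response are all constructed for the example.

```python
"""SP-side freshness and replay checks on a SAML Response (added example,
stdlib only). Signature verification must happen before any of this and is
out of scope here; these are the checks a valid signature does NOT give you.
SP_ENTITY_ID, IDP_ENTITY_ID, ACS_URL and the sample response are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"   # assumption
IDP_ENTITY_ID = "https://idp.example.com/saml/idp"       # assumption
ACS_URL = "https://sp.example.com/saml/acs"              # assumption
MAX_SKEW = timedelta(minutes=2)                          # tolerated clock skew


def _ts(value):
    """SAML timestamps are UTC ISO 8601, e.g. 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class ReplayCache:
    """Remembers accepted assertion IDs until they can no longer be valid.
    Production SPs need a shared store so every node sees the same IDs."""
    def __init__(self):
        self._seen = {}            # assertion ID -> expiry

    def check_and_store(self, assertion_id, expires, now):
        for k in [k for k, v in self._seen.items() if v <= now]:
            del self._seen[k]      # expired entries can be forgotten
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True


def validate_response(xml_text, cache, now, outstanding_request_ids=None):
    """Return the NameID, or raise ValueError naming the first failed check.

    outstanding_request_ids: IDs of AuthnRequests we issued and have not yet
    consumed (SP-initiated flow). None means we accept IdP-initiated SSO, in
    which case InResponseTo must be absent: an unsolicited response carrying
    one is a replayed SP-initiated response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        raise ValueError("status is not Success")

    in_response_to = root.get("InResponseTo")
    if outstanding_request_ids is None:
        if in_response_to is not None:
            raise ValueError("unsolicited response carries InResponseTo")
    elif in_response_to not in outstanding_request_ids:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    else:
        outstanding_request_ids.discard(in_response_to)   # a request ID is single-use

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, got %d" % len(assertions))
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer")

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    not_before, not_on_or_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if now + MAX_SKEW < not_before or now - MAX_SKEW >= not_on_or_after:
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("we are not in the Audience")

    # Replay: an assertion ID is accepted once and remembered until it would expire anyway.
    if not cache.check_and_store(a.get("ID"), not_on_or_after + MAX_SKEW, now):
        raise ValueError("assertion ID already seen (replay)")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


# Constructed IdP-initiated response (no InResponseTo) for demonstration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T12:00:30Z" Destination="%s">
  <saml:Issuer>%s</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T12:00:30Z">
    <saml:Issuer>%s</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""" % (NS["samlp"], NS["saml"], ACS_URL, IDP_ENTITY_ID, IDP_ENTITY_ID, SP_ENTITY_ID)
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)       # inside the validity window
LATER = NOW + timedelta(minutes=10)                           # after NotOnOrAfter

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, ReplayCache(), NOW))
```

The cache is what actually stops a replay; the validity window only bounds how long the cache has to remember an ID, which is why short NotOnOrAfter values at the IdP matter. If you support both flows, pass the set of outstanding request IDs for SP-initiated logins and None only on an endpoint you have knowingly opened to unsolicited responses.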
0 votes, 1 answer, 66 views
How to ensure linking a user via SAML request is legitimate?
I am setting up basic SAML support for a web application. Each user of this application (identified by email address) can belong to multiple organisations/companies of the application. I would like to ...
4 votes, 0 answers, 774 views
Keycloak SSO with SAML via webservice call/java api
I'm currently working on a Keycloak client to authenticate the user with SAML 2.0.
Instead of redirecting the user to the login page, we want to authenticate the user directly over a webservice ...
2 votes, 1 answer, 129 views
Providing proper security for SAML service provider
I'm adding an SSO feature to my service to allow customers to log in with their AD accounts. To provide this I use the SAML component from componentpro.com.
What is the correct way to perform the security interaction:
...
1 vote, 1 answer, 285 views
Spring SAML SSO
I have a portal application developed using the Spring Security and MVC frameworks. This portal application connects to an IDP (developed using Spring Security and Spring SAML) for authentication. If the user ...
0 votes, 0 answers, 481 views
Single Sign-On: get the user name from the PC before authentication on the Identity Provider
Well, I am new to security (SSO, SAML, etc).
The scenario: we have a Web Application, and we want to catch the user name (for example the Windows user) before it has been sent to be authenticated with the ...
2 votes, 2 answers, 2k views
Use the X509Certificate field in the SAML assertion or an external cert file?
As the Identity Provider we send a SAML assertion request to the Service Provider and then they validate our signature in the assertion using our certificate. The SAML assertion contains an optional field called ...
0 votes, 1 answer, 83 views
Start a SAML SSO transaction from the identity provider
Consider this schema: https://developers.google.com/google-apps/sso/saml_reference_implementation.
The user will go to the service provider and from there be redirected to the identity provider.
But, in my ...
0 votes, 1 answer, 317 views
SAML service provider signature verification
This is a basic question about the SAML protocol and how it specifies verification of a SAML token.
Looking at different diagrams and resources, it looks like the service provider doesn't need to make ...
1 vote, 2 answers, 1k views
Can SAML Assertions Be Modified In Transit?
Is there anything to stop a user from modifying a SAML assertion being sent to a service provider?
For example, if a SAML response identifies a user to the service provider by email address, is there ...
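The following is an added example, not code from any of the posts above or from a SAML library, and it speaks to three of the questions listed here: whether an assertion can be modified in transit (the XML signature is what stops that, so the SP must verify it), what the service provider has to verify, and whether the X509Certificate in KeyInfo or a cert the SP already holds should be trusted. The code does not compute or check the signature value itself; that is the job of an XML-DSig library. It performs the structural checks such a library does not do on its own and which signature wrapping attacks rely on an SP skipping: exactly one Assertion anywhere in the document, sitting directly under the Response, carrying an enveloped Signature whose single Reference URI is this assertion's own ID, with no duplicate IDs in the document. It then treats KeyInfo as informational only: if a certificate is embedded it must equal the certificate pinned from IdP metadata, and verification is always done with the pinned certificate. The namespaces are the real SAML 2.0 and XML-DSig ones; the certificates, the placeholder SignatureValue and all XML are constructed for the example.

```python
"""Structural pre-checks an SP should run around XML-DSig verification of a
SAML Response (added example, stdlib only; not code from any post above).
It does not compute or verify the signature value: that is the job of an
XML-DSig library. It checks what that library does not, namely that the
signature is bound to the single assertion we will act on and that the
signing certificate is the one pinned from IdP metadata, not whatever
KeyInfo happens to carry. Certificates and XML here are constructed."""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed placeholders; a real SP loads the DER of the IdP signing cert from metadata.
PINNED_IDP_CERT_DER = b"constructed-idp-certificate-der-bytes"
ROGUE_CERT_DER = b"constructed-attacker-certificate-der-bytes"


def select_signed_assertion(xml_text, pinned_cert_der=PINNED_IDP_CERT_DER):
    """Return the ID of the one assertion whose enveloped signature is bound to it.
    Raises ValueError for anything an XML signature wrapping (XSW) attack relies on.
    The caller then verifies that assertion's signature with pinned_cert_der."""
    root = ET.fromstring(xml_text)
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attributes in document")
    # One assertion in the whole document, and it must sit directly under Response,
    # not inside Extensions, ds:Object or anywhere else a naive lookup might miss.
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, got %d" % len(assertions))
    a = assertions[0]
    if a not in list(root):
        raise ValueError("Assertion is not a direct child of Response")
    # The signature must be enveloped in the assertion and reference this assertion's ID.
    sig = a.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("Assertion is not signed")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != "#" + a.get("ID"):
        raise ValueError("Signature Reference does not point at this Assertion")
    # KeyInfo is informational. If present it must equal the pinned cert; either way
    # the caller verifies with pinned_cert_der, never with the embedded bytes.
    embedded_b64 = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if embedded_b64 is not None:
        if base64.b64decode("".join(embedded_b64.split())) != pinned_cert_der:
            raise ValueError("embedded X509Certificate is not the pinned IdP certificate")
    return a.get("ID")


def _assertion(assertion_id, ref_id, cert_der, name_id):
    """Constructed assertion with a placeholder enveloped signature (SignatureValue is dummy)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return """<saml:Assertion ID="%s" Version="2.0" IssueInstant="2024-01-01T12:00:30Z">
      <saml:Issuer>https://idp.example.com/saml/idp</saml:Issuer>
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>
        <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </ds:Signature>
      <saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>
    </saml:Assertion>""" % (assertion_id, ref_id, cert_b64, name_id)


def _response(body):
    return """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1" Version="2.0">
      <saml:Issuer>https://idp.example.com/saml/idp</saml:Issuer>%s</samlp:Response>""" % (
        NS["samlp"], NS["saml"], NS["ds"], body)


# Constructed samples: a well-formed response, a signature-wrapping variant that hides the
# genuinely signed assertion in Extensions and puts a forged unsigned one where a naive SP
# looks, and a response signed with a certificate that is not the pinned one.
GOOD = _response(_assertion("_a1", "_a1", PINNED_IDP_CERT_DER, "alice@example.com"))
XSW = _response("<samlp:Extensions>" + _assertion("_a1", "_a1", PINNED_IDP_CERT_DER, "alice@example.com")
                + "</samlp:Extensions>"
                + '<saml:Assertion ID="_evil" Version="2.0" IssueInstant="2024-01-01T12:00:30Z">'
                + "<saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject></saml:Assertion>")
ROGUE = _response(_assertion("_a1", "_a1", ROGUE_CERT_DER, "admin@example.com"))

if __name__ == "__main__":
    print(select_signed_assertion(GOOD))
```

Run these checks before calling the DSig library, pass it only the returned assertion ID and the pinned certificate, and after it reports success read the NameID and attributes from that same element, not from a fresh XPath over the whole document. Anything an unsigned or differently signed element says about the user is attacker-controlled text.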