By: Simon Devlin user 15 Aug 2016 at 3:35 a.m. CDT

Hi everyone, Can someone say if it's possible to make use of SAML2 bearer tokens with OAUTH2 with Gluu? That is, re-use/exchange an incoming SAML2 assertion as an OAUTH2 authorization grant? In this example the SAML IDP could be Gluu, or 3rd party product, with Gluu acting as the OAUTH2 auth server. Still feeling my way through the several related RFCs so apologies if the question is a bit clumsy. Thanks

By Mohib Zico staff 15 Aug 2016 at 3:40 a.m. CDT

Hello Simon, Just out of curiosity.. why you are trying to consolidate them?

By Simon Devlin user 15 Aug 2016 at 3:55 a.m. CDT

Hi Mohib, Good question :-) I'm not 100% sure if we need to.

- Developing a product that's using OAUTH2 for authz (with Gluu being the Authn/Authz server - probably using OIDC).
- Have customers that require SAML2 integration.
- Want to harmonise the application development so that internally we're only developing against OAUTH2 authn.
- So the idea is, take a signed SAML2 assertion, and via the OAUTH2 saml-bearer function, exchange it for a valid OAUTH2 access token.

In our case, our "application" is actually comprised of multiple frameworks - Spring and NodeJS - so implementing split SAML2/OAUTH is potentially doubly costly. From this perspective, collapsing the functionality into Gluu would allow us to focus solely on OAUTH2 in the future, whilst maintaining enterprise IDM interoperability. Does that make sense?
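The exchange Simon describes here is the SAML 2.0 bearer assertion grant from RFC 7522. The following is an added illustration and is not Gluu or oxAuth code: the client side base64url-encodes a signed assertion into a `grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer` token request, and the authorization-server side applies the RFC 7522 section 3 processing rules (trusted issuer, subject, audience equal to the token endpoint, bearer subject confirmation with matching Recipient, and both NotOnOrAfter windows). The token endpoint, IdP issuer and sample assertion are constructed for the example. Verifying the assertion's XML signature is mandatory under RFC 7522 but is deliberately left to an XML-Signature library and not done here; an AS that only runs these checks is not complete.

```python
"""RFC 7522 SAML 2.0 bearer grant: client request and AS-side validation.
Added example, not Gluu/oxAuth code. The XML signature on the assertion
MUST also be verified in a real deployment; that step is not implemented."""
import base64
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Assumed values for this example only.
TOKEN_ENDPOINT = "https://as.example.com/oxauth/restv1/token"   # the AS's token endpoint
TRUSTED_ISSUER = "https://adfs.example.org/adfs/services/trust"  # the third-party SAML IdP

# Constructed, unsigned sample assertion (a real one carries a ds:Signature).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c0ffee" Version="2.0" IssueInstant="2016-08-18T10:00:00Z">
  <saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>simon@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER_METHOD}">
      <saml:SubjectConfirmationData Recipient="{TOKEN_ENDPOINT}" NotOnOrAfter="2016-08-18T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-08-18T09:59:00Z" NotOnOrAfter="2016-08-18T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{TOKEN_ENDPOINT}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def build_token_request(assertion_xml: str, scope: str = "openid") -> str:
    """Client side (RFC 7522 section 2.1): form body for POST to the token endpoint.
    The assertion is base64url-encoded with the '=' padding stripped."""
    encoded = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    return urllib.parse.urlencode({"grant_type": GRANT_TYPE, "assertion": encoded, "scope": scope})


def decode_assertion_param(body: str) -> str:
    """AS side: pull the assertion back out of the form body, restoring padding."""
    params = urllib.parse.parse_qs(body, strict_parsing=True)
    if params.get("grant_type") != [GRANT_TYPE]:
        raise ValueError("unsupported_grant_type")
    raw = params["assertion"][0]
    raw += "=" * (-len(raw) % 4)
    return base64.urlsafe_b64decode(raw).decode()


def parse_saml_time(value: str) -> dt.datetime:
    """SAML timestamps are xs:dateTime in UTC, e.g. 2016-08-18T10:00:00Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return dt.datetime.fromisoformat(value)


def _check_window(not_before, not_on_or_after, now, skew):
    # RFC 7522 requires NotOnOrAfter and forbids accepting an expired assertion;
    # a small clock skew allowance is permitted.
    if not_on_or_after is None:
        raise ValueError("missing NotOnOrAfter")
    if now >= parse_saml_time(not_on_or_after) + skew:
        raise ValueError("assertion expired")
    if not_before is not None and now < parse_saml_time(not_before) - skew:
        raise ValueError("assertion not yet valid")


def validate_bearer_assertion(assertion_xml: str, now: dt.datetime,
                              skew: dt.timedelta = dt.timedelta(seconds=60)) -> str:
    """AS side (RFC 7522 section 3), minus signature verification.
    Returns the subject NameID on success; raises ValueError with the reason otherwise."""
    ns = {"saml": SAML_NS}
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    if root.findtext("saml:Issuer", namespaces=ns) != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    name_id = root.find("saml:Subject/saml:NameID", ns)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("missing subject")
    # Audience must identify this AS; the token endpoint URL is the usual value.
    conditions = root.find("saml:Conditions", ns)
    if conditions is None:
        raise ValueError("missing Conditions")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", ns)]
    if TOKEN_ENDPOINT not in audiences:
        raise ValueError("audience mismatch")
    _check_window(conditions.get("NotBefore"), conditions.get("NotOnOrAfter"), now, skew)
    # Bearer subject confirmation bound to this token endpoint, with its own expiry.
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", ns):
        data = sc.find("saml:SubjectConfirmationData", ns)
        if sc.get("Method") == BEARER_METHOD and data is not None \
                and data.get("Recipient") == TOKEN_ENDPOINT:
            _check_window(None, data.get("NotOnOrAfter"), now, skew)
            return name_id.text.strip()
    raise ValueError("no valid bearer SubjectConfirmation")


def rejection_reason(assertion_xml: str, now: dt.datetime):
    """Convenience wrapper: None if the assertion is acceptable, else the reason."""
    try:
        validate_bearer_assertion(assertion_xml, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    body = build_token_request(SAMPLE_ASSERTION)
    received = decode_assertion_param(body)
    print(validate_bearer_assertion(received, parse_saml_time("2016-08-18T10:02:00Z")))
```

The audience and Recipient checks are the ones that stop an assertion minted for some other service provider from being replayed against the token endpoint, and the two separate NotOnOrAfter checks exist because the Conditions window and the SubjectConfirmationData window are independent in SAML.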

By Michael Schwartz Account Admin 15 Aug 2016 at noon CDT

You're making it too complicated. The Gluu Server already has SSO between SAML and OpenID Connect applications. This is accomplished by a custom login module for the Shib IDP, which looks for an OpenID Connect session. BTW, your use of OAuth2 is puzzling. OAuth2 doesn't really define a profile for user authentication, other than the resource owner password credential grant, which doesn't support SSO. I think you should really look at OpenID Connect as the protocol... you may want to check out oxd if you are looking for a client library for Spring and node: https://oxd.gluu.org It's not officially launched, but you can try the beta software. You may also want to consider purchasing a support contract from Gluu.

By Simon Devlin user 18 Aug 2016 at 1:41 a.m. CDT

Thanks Mike. I probably did mean OpenID Connect - should have used the term consistently above. Does the SAML/OpenID Connect stuff happen automatically? And do I understand you correctly in that Gluu could take an incoming SAML assertion from a 3rd party IDP (let's say ADFS for example), and use that as the basis for an OIDC session? Does this require Asimba? Sorry for the question but I don't see anything covering this in the docs. Many thanks for taking the time to reply. Simon

By Mohib Zico staff 18 Aug 2016 at 2 a.m. CDT

> Does the SAML/OpenID Connect stuff happen automatically? And do I understand you correctly in that Gluu could take an incoming SAML assertion from a 3rd party IDP (let's say ADFS for example), and use that as the basis for an OIDC session?

That's correct. We are managing the session with oxAuth here in the Gluu Server for both SAML and OpenID Connect transactions, and it works automatically no matter which protocol the Gluu Server is using (SAML or OpenID or CAS).

> Does this require Asimba?

No, Asimba is for SAML proxy purposes.

By Simon Devlin user 18 Aug 2016 at 2:22 a.m. CDT

Wow OK. I'll work with our dev team to test it. You should really advertise that more :) Thanks

By Simon Devlin user 18 Aug 2016 at 3:44 a.m. CDT

Actually Mohib - can you point to the login handler in the source please? I'd like to take a look to try and improve my understanding. Thanks

By Mohib Zico staff 18 Aug 2016 at 4:01 a.m. CDT

If you meant the Shibboleth login handler, then it is inside /opt/idp/conf/ of the Gluu Server container.

By Simon Devlin user 18 Aug 2016 at 4:52 a.m. CDT

OpenID Connect integration isn't a Shibboleth feature - it's part of oxAuth, I presume? That's what I meant.

By Mohib Zico staff 18 Aug 2016 at 5:12 a.m. CDT

For oxAuth that's 'oxIDPAuthentication', which is configured in LDAP (inside the ou=appliance DN) through oxTrust (the GUI of the Gluu Server). There are various types of AuthN and AuthZ; you can read the [doc](https://gluu.org/docs/integrate/openid-connect/). Source code is available in [github](https://github.com/GluuFederation/oxAuth).

By William Lowe user 18 Aug 2016 at 11:35 a.m. CDT

> You should really advertise that more :) Good idea! I just added a note to our [Single sign-on page](https://www.gluu.org/gluu-server/single-sign-on/). Let me know if you have any other good ideas :) Thanks, Will