saml-2.0

Getting list of groups user is associated with in Okta

自作多情 submitted on 2019-12-05 10:33:11
I'm trying to integrate with Okta SSO by implementing SAML 2.0 in my website as the Service Provider (SP), with my Okta environment as the Identity Provider (IDP). I can't understand how to configure my IDP to return, for each auth request, the groups a user is in. How can it be done? Also, is it possible to have a service account in my IDP so that my backend can ask the IDP directly whether a user is in some specific group? It is possible to add groups to the SAMLResponse by configuring the SP app in the Okta admin dashboard correctly. In order to do it for an existing app, go to the Admin panel and edit the SAML

SAML Request Attributes In AuthnRequest

自作多情 submitted on 2019-12-05 09:51:26
I kind of understand how basic SAML authentication is supposed to work:
1. User requests a resource at the SP.
2. SP sends an auth request to the IDP.
3. IDP authenticates the user and sends back some userId.
4. SP sends an attribute query to the IDP for additional details with the userId.
5. IDP sends back attributes.
6. SP gives the user the resource.
My issue is, can you in any way bypass AttributeQuery? When I make a SAML 2.0 request to my testing Gluu/Shibboleth server, I get back givenName (first name) and sn (last name). Is there any way I can request the inum user id and email in just the AuthnRequest? My request is pretty simple: <samlp:AuthnRequest xmlns
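Added example for the two Okta/attribute questions above (groups in the SAMLResponse, and attributes returned without a separate AttributeQuery). This is not code from either question or from any SAML library. In the SAML 2.0 Web Browser SSO profile the IdP can put an AttributeStatement inside the assertion that comes back in the Response, so the SP reads attributes, including multi-valued ones such as group membership, straight from that document. The Go program below parses a constructed, unsigned Response (the attribute names givenName, sn and groups, the entity IDs and the timestamps are all made up), flattens the AttributeStatement into a map, and enforces the Conditions window and audience. Signature verification is deliberately out of scope; in a real SP the XML signature is checked before any of this is trusted.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// SampleResponse is a constructed SAML 2.0 Response, not captured from a real IdP.
// It is unsigned; a production SP verifies ds:Signature before reading anything below.
const SampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2019-12-05T10:33:11Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-12-05T10:33:11Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-12-05T10:28:11Z" NotOnOrAfter="2019-12-05T10:38:11Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>Everyone</saml:AttributeValue>
        <saml:AttributeValue>sp-admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>`

// Response maps only the parts of a SAML Response the SP needs after signature checking.
type Response struct {
	XMLName   xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Assertion Assertion `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
}

type Assertion struct {
	Issuer     string `xml:"Issuer"`
	NameID     string `xml:"Subject>NameID"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audiences    []string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
	Attributes []Attribute `xml:"AttributeStatement>Attribute"`
}

// Attribute is one saml:Attribute; group membership arrives as several AttributeValue children.
type Attribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}

func ParseResponse(raw []byte) (*Response, error) {
	var r Response
	if err := xml.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	return &r, nil
}

// AttributeMap flattens the AttributeStatement into name -> values, so single-valued
// (givenName, sn) and multi-valued (groups) attributes are read the same way.
func (a *Assertion) AttributeMap() map[string][]string {
	m := make(map[string][]string, len(a.Attributes))
	for _, at := range a.Attributes {
		m[at.Name] = append(m[at.Name], at.Values...)
	}
	return m
}

// CheckConditions enforces the validity window and the audience restriction.
// now is a parameter so the check is deterministic in tests.
func (a *Assertion) CheckConditions(now time.Time, spEntityID string) error {
	nb, err := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	if err != nil {
		return fmt.Errorf("bad NotBefore: %w", err)
	}
	noa, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil {
		return fmt.Errorf("bad NotOnOrAfter: %w", err)
	}
	if now.Before(nb) || !now.Before(noa) {
		return fmt.Errorf("assertion not valid at %s", now.Format(time.RFC3339))
	}
	for _, aud := range a.Conditions.Audiences {
		if aud == spEntityID {
			return nil
		}
	}
	return errors.New("assertion is not addressed to this SP")
}

func main() {
	r, err := ParseResponse([]byte(SampleResponse))
	if err != nil {
		panic(err)
	}
	now := time.Date(2019, 12, 5, 10, 33, 11, 0, time.UTC)
	if err := r.Assertion.CheckConditions(now, "https://sp.example.test/saml/metadata"); err != nil {
		panic(err)
	}
	for name, vals := range r.Assertion.AttributeMap() {
		fmt.Printf("%s = %v\n", name, vals)
	}
}
```

The groups attribute is what an IdP such as Okta emits when a group attribute statement is configured on the SP app; the SP side is unchanged whether one or fifty values arrive, which is why the map holds a slice per name. Reject the assertion when the audience does not match your own entity ID, otherwise an assertion issued for a different SP at the same IdP can be replayed against yours.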

Keycloak IdP SAML 2 Export of XML metadata to an SP

醉酒当歌 submitted on 2019-12-05 07:43:11
I'm using Keycloak version 1.6.1, newly installed as a standalone application. Keycloak should act as an IdP (Identity Provider) for an SP (Service Provider) called Tableau. I have read on this page: http://blog.keycloak.org/2015/03/picketlink-and-keycloak-projects-are.html "... Keycloak from being Identity Broker grew into being fully fledged Identity Provider". While it was an Identity Broker, it is now also an Identity Provider. My question is then: I have exported the SP XML metadata from Tableau, which I imported into Keycloak, but when it comes to the export of the IdP XML metadata from

Getting error while decrypting SAML token

久未见 submitted on 2019-12-05 05:40:57
I am getting an error while decrypting a SAML token. However, this issue is not consistent; it works after restarting the server. It was working properly till last night :( DEBUG Decrypter:631 - Attempt to decrypt EncryptedKey using credential from KEK KeyInfo resolver failed: org.opensaml.xml.encryption.DecryptionException: Probable runtime exception on decryption:unknown parameter type. at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:705) at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:628) at org.opensaml.xml.encryption.Decrypter

Laravel 5 integrate with SAML 2 with existing IDP

不想你离开。 submitted on 2019-12-05 04:56:32
Question: I'm on Laravel 5 and I'm trying to integrate SAML 2.0 with it. I've found this package: https://github.com/aacotroneo/laravel-saml2 I tried to follow their steps. Under their Configuration section, they said, "you need to configure your sp and IDP (remote server)." But in my case it is a little different: I work with other ITs that handle the existing IdP. They provided me their metadata endpoint. In that case, do I still need to configure my own IdP/SP? If so, how can I do that in Laravel? I'm

Validating a signature without intermediate certificate

可紊 submitted on 2019-12-05 04:07:35
Is it possible to validate a signature only having an ancestor or root certificate in the hierarchy? Disclaimer: I'm a newbie to certificate handling, so please forgive the naive terminology. Consider the following situation. We have two parties (let's call them IdP for Identity Provider and SP for Service Provider) and some central certificate authority CA which is definitely trusted by both IdP and SP. CA has its own certificate CertCA known to both IdP and SP (imported into IdP's and SP's keystore under some alias). Our CA issues one certificate for IdP (CertIdP) and one for SP (
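Added example for the question above; it is not code from the question or from any SAML or XML-DSig library. It shows the general technique the question is asking about: the SP keeps only CertCA in its trust store, the signer's certificate travels with the signed message (for a SAML message that is normally the X509Certificate inside ds:KeyInfo), and the SP first proves that certificate chains to CertCA and only then uses the public key inside it to check the signature. The Go program builds a throwaway PKI in memory: one CA that issues the IdP certificate directly, as the question describes, plus a self-signed "rogue" certificate with the same subject name that the CA never issued. All names (Example Root CA, idp.example.test) and the message bytes are constructed; ECDSA over SHA-256 stands in for whatever algorithm the real deployment uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed hierarchy: CA -> IdP leaf, plus a rogue self-signed cert.
type TestPKI struct {
	CA, IdPCert, RogueCert *x509.Certificate
	IdPKey, RogueKey       *ecdsa.PrivateKey
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func BuildTestPKI() (*TestPKI, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "idp.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	// Same subject name as the real IdP, but self-signed: the CA never saw it.
	rogueTmpl := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "idp.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	ca, err := issue(caTmpl, caTmpl, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	idp, err := issue(leafTmpl, ca, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	rogue, err := issue(rogueTmpl, rogueTmpl, &keys[2].PublicKey, keys[2])
	if err != nil {
		return nil, err
	}
	return &TestPKI{CA: ca, IdPCert: idp, IdPKey: keys[1], RogueCert: rogue, RogueKey: keys[2]}, nil
}

// Sign is the IdP side: an ECDSA signature over SHA-256(msg).
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// SPVerifier holds the only thing the SP keeps in its keystore: CertCA.
type SPVerifier struct{ roots *x509.CertPool }

func NewSPVerifier(ca *x509.Certificate) *SPVerifier {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &SPVerifier{roots: pool}
}

// Verify takes the signer certificate presented alongside the message, proves it
// chains to CertCA, and only then checks the signature with the key inside it.
func (v *SPVerifier) Verify(signerDER, msg, sig []byte) error {
	signer, err := x509.ParseCertificate(signerDER)
	if err != nil {
		return fmt.Errorf("parse signer cert: %w", err)
	}
	opts := x509.VerifyOptions{Roots: v.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signer cert does not chain to trusted CA: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("signer key is not ECDSA")
	}
	h := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	pki, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	msg := []byte(`<samlp:Response ID="_r1"/>`) // constructed stand-in for the signed bytes
	sig, _ := Sign(pki.IdPKey, msg)
	rogueSig, _ := Sign(pki.RogueKey, msg)
	sp := NewSPVerifier(pki.CA)
	fmt.Println("genuine IdP cert:", sp.Verify(pki.IdPCert.Raw, msg, sig))
	fmt.Println("rogue cert, same name:", sp.Verify(pki.RogueCert.Raw, msg, rogueSig))
}
```

Two caveats for the setup in the question. First, the CA in that scenario also issued CertSP, so chaining to CertCA alone proves only "some certificate our CA issued"; the SP must additionally match the signer's subject (or a pinned fingerprint) against the IdP it expects, otherwise any holder of a CertCA-issued certificate can sign assertions as the IdP. Second, most SAML stacks do not use PKIX chain building at all and instead pin the exact IdP certificate published in the IdP's metadata, which is the simpler trust model when the metadata exchange is already trusted.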

Configuring Spring SAML for SSO with PingFederate

我的未来我决定 submitted on 2019-12-05 01:57:13
Question: We have decided to use Ping Federate as our SSO solution. I have searched many examples but have not found a Spring configuration that clearly describes how I need to set up my SP and/or IdP on the PingFederate side. I have not found a Spring document that describes what I need exactly to implement this. Any help, much appreciated. Answer 1: Currently there's no step-by-step guide on establishing federation between Spring SAML and Ping, but the steps are very similar to what's described in the

How to integrate SAML authentication into WCF web service application

馋奶兔 submitted on 2019-12-04 22:02:36
Question: I have a WCF web service application built and tested on IIS7. Regarding authentication, I wanted to implement SQL Server-hosted user id and password authentication for consumers accessing the operations in the web service. However, I was told that my company policy dictates that I implement SAML in my web service. That means any client accessing my web service operations needs to be authenticated using SAML 2.0. I am not familiar with SAML but would like to know and get started on how to

Okta Group Attributes

那年仲夏 submitted on 2019-12-04 18:51:32
I have two service providers that I am connecting to Okta in order to manage identities externally. Can you think of a way to configure Okta to accomplish the following? Associate attributes with groups, rather than directly with users; users within groups would then inherit these attributes. Associate groups with applications, rather than directly associating users with applications. My end goal is to be able to leverage Okta for managing a role store for each service provider. I would expect SAML assertions coming from Okta to be able to be mapped into assertions for individual service

Configuring Ping Federate and Spring SAML to authenticate application

大兔子大兔子 submitted on 2019-12-04 17:13:39
I installed PingFederate on an AWS EC2 instance running Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09. I have a Java application that is using Spring Security for authentication. I have read about how, with PingFederate, I can set up an Identity Provider (IdP) and a Service Provider (SP). I have gathered that the IdP would be the Application User providing login credentials (the Identity) and passing this to the SP, which has the Target Application as part of the SP in this diagram on this page here: http://documentation.pingidentity.com/display/PF66/Service+Providers+and+Identity+Providers This