You have used the word "SAML" in your mail and diagram; I hope it should be
OIDC.


Thanks
Godwin

On Wed, Feb 28, 2018 at 5:54 PM, Chiran Wijesekara <chir...@wso2.com> wrote:

> Architecture Diagram is attached below.
>
>
> On Wed, Feb 28, 2018 at 5:45 PM, Chiran Wijesekara <chir...@wso2.com>
> wrote:
>
>> *Introduction:*
>>
>> Suppose you have an ASP.NET web application, or you are going to create a
>> new one. One of your major concerns would be to provide a secure mechanism
>> for handling user authentication and authorization. With the introduction
>> of this OIDC SSO Agent, you will never have to worry about that at all.
>> Moreover, you can simply incorporate this agent into your ASP.NET web
>> application and it will take care of everything related to the OIDC
>> authentication mechanism.
>>
>>
>> *Architecture:*
>>
>>
>>
>> 2, 3, 7, 8 are related to resolving the current request.
>>
>>
>> How to incorporate it into your ASP.NET web application?
>>
>> If you plan to use the OIDC SSO Agent, all you have to do is follow the
>> simple steps below, and then you have a web application that authenticates
>> users with your favourite Identity Provider (WSO2 Identity Server).
>>
>> Let's get started. The process of incorporating SAML authentication with
>> WSO2 Identity Server via the SAML agent can be explained in 6 steps.
>>
>> 1. Add the agent.dll reference to your ASP.NET web application (you can
>>    get this from the git repo).
>>
>> 2. Configure the mandatory properties in your ASP.NET web application's
>>    web.config file. The following image shows how it looks after adding
>>    those properties to your web.config file.
>>
>>
>>
>> Property                     | Description                                                                | Default Value
>> -----------------------------+----------------------------------------------------------------------------+-----------------------------------------------------
>> EnableOIDCSSOLogin           | Enable OIDC authentication                                                 | false
>> OIDCSSOURL                   | SSO URL                                                                    | oidcsso
>> OIDC.spName                  | Service Provider Identifier                                                | null
>> OIDC.ClientId                | Client key generated during OIDC configuration for the Service Provider    | null
>> OIDC.ClientSecret            | Client Secret generated during OIDC configuration for the Service Provider | null
>> OIDC.CallBackUrl             | Callback URL                                                               | null
>> OIDC.GrantType               | Grant Type                                                                 | code
>> OIDC.AuthorizeEndpoint       | Authorization endpoint of the IdP, used to get an authorization code       | https://localhost:9443/oauth2/authorize
>> OIDC.TokenEndpoint           | Token endpoint of the IdP, used to receive an access token                 | https://localhost:9443/oauth2/token
>> OIDC.UserInfoEndpoint        | User info endpoint of the IdP, used to fetch user details                  | https://localhost:9443/oauth2/userinfo?schema=openid
>> OIDC.Scope                   | Scope of the request as per the OIDC spec                                  | openid
>> OIDC.EnableSLO               | Enable single logout                                                       |
>> OIDC.SLOURL                  | Single logout URL                                                          | oidclogout
>> OIDC.EnableIDTokenValidation | Enable ID token validation                                                 | false
>> OIDC.PostLogoutRedirectUri   | Post logout redirect URL                                                   | null
>> OIDC.SessionIFrameEndpoint   | OP Session IFrame Endpoint                                                 | null
>>
>> Below is a sample to demonstrate this step. You can edit the values as
>> needed:
>>
>> <appSettings>
>>   <!-- agent switches and the relative URLs the login/logout controls point to -->
>>   <add key="EnableOIDCSSOLogin" value="true" />
>>   <add key="OIDCSSOURL" value="oidcsso" />
>>   <add key="OIDC.spName" value="music-store" />
>>   <!-- client credentials issued by the Identity Server for this Service Provider -->
>>   <add key="OIDC.ClientId" value="6G4s9GSYLd2USGB9f_Bf7kI6RHka" />
>>   <add key="OIDC.ClientSecret" value="_gWqRvvxrcxg_rZgraGX4d0fnS4a" />
>>   <add key="OIDC.CallBackUrl" value="http://localhost:58521/music-store/callback" />
>>   <add key="OIDC.GrantType" value="code" />
>>   <!-- Identity Server endpoints -->
>>   <add key="OIDC.AuthorizeEndpoint" value="https://localhost:9443/oauth2/authorize" />
>>   <add key="OIDC.TokenEndpoint" value="https://localhost:9443/oauth2/token" />
>>   <add key="OIDC.UserInfoEndpoint" value="https://localhost:9443/oauth2/userinfo?schema=openid" />
>>   <add key="OIDC.Scope" value="openid" />
>>   <add key="OIDC.IdPEntityId" value="localhost" />
>>   <add key="OIDC.IdPURL" value="https://localhost:9443/" />
>>   <!-- single logout and ID token validation -->
>>   <add key="OIDC.EnableSLO" value="true" />
>>   <add key="OIDC.SLOURL" value="oidclogout" />
>>   <add key="OIDC.EnableIDTokenValidation" value="true" />
>>   <add key="OIDC.PostLogoutRedirectUri" value="http://localhost:58521/music-store/Default" />
>>   <add key="OIDC.SessionIFrameEndpoint" value="https://localhost:9443/oidc/checksession" />
>> </appSettings>
>>
>>
>> 3. Next, if you want to validate the ID token signature, you need to have
>>    a valid certificate. [Note: It is highly recommended to use your own
>>    PKCS12 in your production environment.]
>>
>>    For testing purposes you can get wso2carbon.jks from the WSO2 Identity
>>    Server (<IS_HOME>/repository/resources/security/wso2carbon.jks) and
>>    convert it to a PKCS12 using the keytool utility. Then add the .p12 to
>>    the Local Machine certificate store. The steps below guide you through
>>    this process.
>>
>>    - keytool ships with the Java installation by default and can be found
>>      under the directory C:\Program Files\Java\jre<Version>\bin with the
>>      name keytool.exe.
>>
>>    - You can use the command below to convert wso2carbon.jks to
>>      wso2carbon.p12:
>>
>>      keytool -importkeystore -srckeystore wso2carbon.jks -destkeystore wso2carbon.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12]
>>
>>    - Then run the Microsoft Management Console (i.e. mmc.exe) as
>>      administrator, choose File -> Add/Remove Snap-in..., select
>>      "Certificates", press Add, select the "Computer account" radio button,
>>      and then you can install wso2carbon.p12.
>>
>>
>>
>> 4. Register the "FilteringHttpModule" in your ASP.NET web application to
>>    handle the requests related to the OIDC authentication mechanism.
>>    [Note: The above-mentioned FilteringHttpModule class extends
>>    IHttpModule. See <https://msdn.microsoft.com/library/ms178468.aspx>
>>    for more information on IHttpModules.]
>>
>>
>>
>> 5. Add the following code to the global.asax of your ASP.NET web
>>    application to enable session access from the agent.
>>
>>        // global.asax: SetSessionStateBehavior must be called before the
>>        // AcquireRequestState event, so it is hooked to MapRequestHandler.
>>        public override void Init()
>>        {
>>            MapRequestHandler += EnableSession;
>>            base.Init();
>>        }
>>
>>        // Requires the System.Web and System.Web.SessionState namespaces.
>>        void EnableSession(object sender, EventArgs e)
>>        {
>>            HttpContext.Current.SetSessionStateBehavior(SessionStateBehavior.Required);
>>        }
>>
>>
>> 6. Set your application's login controls to refer to the OIDC-specific
>>    segments. That is, suppose you have a login link in your web
>>    application. All you have to do is set its href attribute to "oidcsso".
>>    And in the places where you have logout controls, it should be
>>    "oidclogout".
>>
>> [Note: "oidcsso" and "oidclogout" are the values that were configured under
>> Step No: 2 for the properties OIDCSSOURL and OIDC.SLOURL respectively.
>> However, "oidcsso" and "oidclogout" are also the default values for those
>> two properties.]
>>
>>
>>
>>
>> Upon successful completion of the 6 steps above, your ASP.NET web
>> application is enabled with OIDC authentication.
>>
>>
>>
>> The $subject has been completed and the component's PR is available at
>> https://github.com/wso2/samples-is/pull/12
>>
>> Thanks.
>> --
>> *Chiran Wijesekara*
>> *Software Engineering Intern | WSO2*
>> Email: chir...@wso2.com
>> Mobile: +94712990173
>> web: www.wso2.com
>>
>
>
>
>
> _______________________________________________
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 
*Godwin Amila Shrimal*
Associate Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: +94772264165
linkedin: https://www.linkedin.com/in/godwin-amila-2ba26844/
twitter: https://twitter.com/godwinamila
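An added example, not code from the agent or the PR above, showing the check that OIDC.EnableIDTokenValidation (default false in the property table) is meant to switch on: validating the ID token's signature, issuer, audience and lifetime with the IdP certificate that step 3 installs into the Local Machine store, plus a nonce check. It assumes the System.IdentityModel.Tokens.Jwt NuGet package, that wso2carbon.p12 was imported with subject name "localhost", and that the Identity Server's issuer claim equals its token endpoint; the client id is the one from the sample web.config.

```csharp
// Added example (not part of the agent in the PR): validate an OIDC ID token
// with the IdP certificate that step 3 installs into the Local Machine store.
// Assumes the System.IdentityModel.Tokens.Jwt NuGet package.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

public static class IdTokenValidator
{
    // Assumption: wso2carbon.p12 was imported with subject name "localhost".
    static X509Certificate2 LoadIdpCertificate(string subjectName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);
            if (found.Count == 0)
                throw new InvalidOperationException("IdP certificate not found: " + subjectName);
            return found[0];
        }
        finally { store.Close(); }
    }

    // Verifies signature, issuer, audience (our client id) and lifetime, then
    // checks the nonce against the value sent in the authorization request.
    public static ClaimsPrincipal Validate(string idToken, string expectedNonce)
    {
        var parameters = new TokenValidationParameters
        {
            // Assumption: the Identity Server sets iss to its token endpoint.
            ValidIssuer = "https://localhost:9443/oauth2/token",
            ValidAudience = "6G4s9GSYLd2USGB9f_Bf7kI6RHka", // OIDC.ClientId from the sample
            IssuerSigningKey = new X509SecurityKey(LoadIdpCertificate("localhost")),
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2)
        };
        SecurityToken validatedToken;
        var principal = new JwtSecurityTokenHandler()
            .ValidateToken(idToken, parameters, out validatedToken);
        var nonce = principal.FindFirst("nonce");
        if (nonce == null || nonce.Value != expectedNonce)
            throw new SecurityTokenException("ID token nonce does not match the login request");
        return principal;
    }
}
```

ValidateToken throws a SecurityTokenException subclass on a bad signature, wrong issuer or audience, or an expired token, so a caller should treat any exception as a failed login rather than fall back to the unverified claims.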