SAML SSO integration with Microsoft ADFS 2.0.
We have released the feature which will let you redirect your users to different IdP on the basis of the identifier sent by the firebase app. We will manage the mapping of the identifier to an IdP.
Let me know if you are ready to proceed.
We would like to start exploring using the MiniOrange software that we have been discussing over the past few months. I had a few questions:
1. Can we get access to the MiniOrange software on a free trial basis while we prototype this solution, so we can verify that it is working as we expect?
2. We anticipate having approximately 10000 users initially, ramping up to around 30000 users. Of those, the majority would be ADFS users, but some would not have ADFS accounts and would need to authenticate using the legacy (email/password) system that is in place today.
Thanks again for all your help,
I have answered your questions below:
You can avail miniOrange for a free trial by signing up for our free trial. Since your use case involves integrating with our APIs and broker service, do you want to do the integration yourself or do you want us to do the integration? If you want us to do the integration, I suggest engaging in a pilot project on a small scale. This would cover the entire use case and we might also come across other requirements which we could have missed out earlier. Let me know if you want me to estimate it.
I just want to confirm how your users will be accessing the firebase application.
Hi Anupriya, my responses are below.
You mention that ADFS(s) will no longer be your sole user authentication source and you will also be using your legacy system of email/password for authentication. So the users using the legacy system will be added to miniOrange IDP to authenticate with Firebase. How many such users do you have?
– My understanding is that there are on the order of a few hundred to a few thousand users that would not be in ADFS. If this is problematic from a setup standpoint, one thing we could do is to have two authentication user experiences that the user can choose between: the first would leverage the miniOrange solution to authenticate against ADFS, and the second would just be the existing user experience prior to miniOrange integration. Please let me know if there are any obstacles to this approach.
Thanks for your response. I have added my comments below.
We will be providing you with sample codes which you would need to integrate into your firebase app. Just so you are clear on the amount of integration required, I have mentioned exactly what we will be providing and what integration you would need to do.
We will be providing you with the following to perform the integration:
1. Sample JS for sending request to miniOrange
2. Sample JS for converting miniOrange JWT into token which can be accepted by firebase
3. Instructions to set up ADFS and Firebase app in miniOrange
And using the above here’s what you need to do:
1. Use these samples in your firebase app to call miniOrange API and accept response
2. Write code to authenticate users using the response received
The setup won’t be problematic as such. You would only be required to onboard your users in our system. This would make sure that the login experience for all users (redirecting users to miniOrange) is the same whether they are stored in ADFS or miniOrange. You can directly redirect them to our platform on login instead of showing them options to choose from.
Having said that, there will be no obstacles to the approach you mentioned except the fact that these users will have a different user experience. If you are fine with that, we can go ahead with the solution you suggested.
Thanks Anupriya – this is helpful.
For onboarding the non-ADFS users into your system, do you offer any kind of import process whereby we could provide the user information in a CSV file or something similar? Also, would miniOrange delegate authentication of these users to firebase auth, or would their credentials now be stored in miniOrange?
We do provide bulk upload using CSV to onboard users into miniOrange. Their credentials will be stored in miniOrange. Once the user is authenticated with miniOrange, we send a response back to your application and they will be internally logged in using firebase auth.
We would like to begin the process of setting up a trial account with miniOrange so we can start building a proof of concept of the new authentication flow for this app. Can you let us know how we can get started with that?
You can set up a trial account with us from here – https://www.miniorange.com/businessfreetrial. Please sign up if you don’t already have an account in miniOrange.
Once you have done that, and are ready to integrate your firebase app, do let me know. We will provide you with the required documentation.
We have created a document for your use case of integrating Firebase with ADFS through miniOrange. Please follow the steps given and let me know if you have any queries regarding the document.
Regarding Step 4: Modify JWT Response, I see that “Project’s Service Account Email” is listed twice. I think this is a typo? Would you be able to clarify?
Gaurav
It is not a typo. The same value is required for the iss and sub values and we have just separated it out.
To get the project Service Account email address, you can go to the Firebase console and go to your Project Settings (gear icon)->Users and Permissions. There would be a Service Accounts section.
You need to use a service account listed there or create a new one and use the Service Account ID.
Let me know if you need help.
Thanks and regards,
Thanks for getting this done.