I have a web application written with spring boot and spring security, deployed on a Windows server.
The application users uses Windows too.
I would like to implement the below:
If a users is a member of a specific AD group, when he/she opens the web app in browser, he can auto login without entering user name and password.
Otherwise, login is denied and error page is shown.
Is this doable ? If yes, what technology stack I should look into?
Related
We've got an install of Azure Devops server that currently authenticates against our active directory server and authentication works, but it appears to do so by means of browser basic authentication (the browser modal prompt that asks for a simple user name and password).
I'm wondering if there is some way to configure authentication such that users that have never logged in, actually get a login page... not just the basic authentication prompt in the browser.
I appreciate any input, I've used and administered azure devops in the cloud for a LONG time, but the devops server stuff I'm new to.
NOTE: I've played with IIS settings for authentication (enabling and disabling basic authentication and forms auth etc, but nothing really seemed to help there)
it appears to do so by means of browser basic authentication (the
browser modal prompt that asks for a simple user name and password).
I'm wondering if there is some way to configure authentication such
that users that have never logged in, actually get a login page... not
just the basic authentication prompt in the browser.
What's the login page do you mean?
1.If you mean the login page to connect to TFS web portal, as I know using basic prompt with username+password is the only appraoch.
Web Portal:
Only logic page:
2.But if you mean something used for authentication when accessing the code. I think you must be familiar with PAT which is widely used in Azure Devops Service. IIS Basic Authentication is not recommended. You can check Enabling IIS Basic Authentication invalidates using Personal Access Tokens and Use the TFS Cross Platform Command Line with TFS using basic authentication or personal access tokens (PATs).
Hope it helps to resolve your puzzle :)
So after lots of research, I found that in the differences between azure devops server and azure devops services documentation. In this documentation it states that it uses windows authentication, and you will never be presented with any login experience.
I'd vote that this should be something that be configured to show a login screen, as sometimes we want to log in as users other than the users we logged into the machine as.
I have created a new ASP.NET web site using VS 2017 and changed the Authentication mechanism to use "Individual User Accounts". This adds the Claims Principal or WIF class support.I can click on register / log in, and set up user emails and then check for the claims for that user. I will also be using Server Session Authentication Management (SAM) to save claims on the server and do some claims transformation as well.
After Login, this site calls a winform application, and after some activity I return back to the above website.
I want to know how can I use SSO logic here and check if I am already Authenticated and access my claims saved at the server side / website and authenticate the user based on the saved claims.
Is there some project or code example anyone can give which i can use as a start to develop such a STS service (in VS 2017) with SSO and access my claims on website after coming from another domain?
The identity and access tools used to work only with VS 2012, so any way to replicate the above scenario and check for my saved claims after I hit my website from the winform application.
There's a good example here of using WS-Fed with Azure AD.
This is easily adaptable to ADFS.
Your other choice is to use ADAL.
We currently have a FileMaker Server instanace running, it already has PHP web publishing running.
I'm just wondering is it as simple as ticking enable XML web publishing for it to be up and running or have I got to restart the server??
Thanks
You need to enable it in the server deployment, then you need at least 1 user account in the file with the extended privilege to grant access via php/xml/iwp etc. You will need a user account in EACH file you want to have access to with the appropriate extended privilege.
Then comes the fun of actually working with the FMXML or FMPHP engine hehe.
I have a classic asp website with following IIS settings:
1. windows authentication is enabled
2. Impersonation is disabled, so are anonymous and basic authentication
3. App pool is .Net 4.0, Integrated pipeline with a custom Process model identity. This identityt is given exclusive full access to unc local and network shares, batch files etc
The asp application
1. displays user information of the user logging intot he web application,
2. accesses the above mentioned shares to display reports,
3. creates reports by calling DLLs which POST to an asp file in this web application (uing webrequest) and get XMl and write the XML to the share.
The issue I am facing is all the above calls are being made on the behalf of the application user instead of the Process Model Identity User in the app pool. Because of this, most of requests throw up Permission denied or 401 errors.
QUESTION: How can we configure the web site so that the calls made can be on behalf of the app pool user only?
Our web application will require API access to be enabled in the Google Apps control panel to take advantage of the Directory API (Admin SDK). Is there a way to prompt the domain administrator to enable it during their initial authorization with our application (if it is not enabled) or another alternative?
If the APIs are not enabled, the specific error you'll see will be:
Error 403: Domain cannot use apis. - domainCannotUseApis
when setting up your application, you should perform a simple Directory API request call, maybe something like users.get() for the admin user logged into your application. If you get the above error, you should prompt the admin to enable the APIs in the CPanel.