Is there a web gui to kubernetes (on premises) that can be integrated with Active Directory (on premises, not Azure) authentication. This way RBAC would be integrated with Ad users.
I'm posting an answer based on my comment for better readability.
Such integration can be done using dex - A federated OpenID Connect provider project. In short:
Dex is an identity service that uses OpenID
Connect to drive authentication for
other apps.
Dex acts as a portal to other identity providers through
"connectors." This lets
dex defer authentication to LDAP servers, SAML providers, or
established identity providers like GitHub, Google, and Active
Directory. Clients write their authentication logic once to talk to
dex, then dex handles the protocols for a given backend.
Dex runs natively on top of any Kubernetes cluster using Custom
Resource Definitions and can drive API server authentication through
the OpenID Connect plugin. Clients, such as the
kubernetes-dashboard and
kubectl, can act on behalf of users who can login to the cluster
through any identity provider dex supports.
More docs for running dex as a Kubernetes authenticator can be found here.
You can find more about companies and projects, which uses dex, here.
As this is quite extensive topic, there is no point of rewrite all the configuration steps here. You can find a lot of well written articles about integrating kubernetes with Active Directory using dex e.g.:
Access your Kubernetes cluster with your Active Directory credentials
Authenticate Kubernetes Dashboard Users With Active Directory
Related
We have our own authentication server developed in NodeJs, which acts as identity provider for users. So We are looking for how we can integrate it with Kibana-opendistro.
The security responsibility lies with the security plugin, so most of the configuration should be made there.
Opendistro Security provides support for a couple of authentication backends that you can refer here https://opensearch.org/docs/latest/security-plugin/configuration/configuration/. You can configure the security plugin based on the authentication mechanism used.
Alternatively, there is this concept of injected user where the authentication is completely handled by another service fronting the security plugin. Though I did not find documentation on this, you can refer to the code here https://github.com/opensearch-project/security/blob/565f47e804ec03aeeba02ca8def563b91307fcc7/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java
Most of the document I found about GCP, the REST API needs a user interaction for authentication. Is there a possible way to access the GCP resource without an interaction from user.?
eg: I would like to implement a cron job in my local workstation to launch a GCP machine.
Yes, it's possible, this is that service accounts are for:
A service account is a Google account that represents an
application, as opposed to representing an end user.
Important: For almost all cases, whether you are developing locally or in a production application, you should use service
accounts, rather than user accounts or API keys. You can use a service
account by providing its private key to your application, or by using
the built-in service accounts available when running on Google Cloud
Functions, Google App Engine, Google Compute Engine, or Google
Kubernetes Engine.
All GCP APIs support service accounts. For most server applications
that need to communicate with GCP APIs, we recommend using service
accounts, as they are the most widely-supported and flexible way to
authenticate.
For more information, see getting started with authentication.
You'd have to create a service account representing your application (executed as the cron job) and in your application you'd authenticate the REST API calls using that service account's credentials.
Anyone have insight on how to implement Two-Factor Authentication when using Service Fabric Explorer to access a Service Fabric cluster in Azure?
I currently have it secured with a client certificate but I haven't found ways to add another type of authentication to go with it.
per the official documentation here:
When a client connects to a Service Fabric cluster node, the client can be authenticated and secure communication established using certificate security or Azure Active Directory (AAD). This authentication ensures that only authorized users can access the cluster and deployed applications and perform management tasks. Certificate or AAD security must have been previously enabled on the cluster when the cluster was created. For more information on cluster security scenarios, see Cluster security. If you are connecting to a cluster secured with certificates, set up the client certificate on the computer that connects to the cluster.
It doesn't support MFA, I'd recommend checking out Service Fabric cluster security scenarios
You could also implement MFA on the AAD level and then using the AAD to authenticate to Service Fabric
Is it possible to do federated identity between multiple instances of IdSrv3 using OpenID Connect/OAuth2 in the following scenario?
Multiple instance of IdSrv3, called Local STS, running on different machines with some kind of chain of trust to a Central STS. The machines running the Local STS can go offline and in that context the applications running on the local machines makes call to local STS for a token and uses that token while communicating with APIs on another server. The API Service, which is registered and connected to the Central STS, can validate and trust the token generated by a Local STS. Is it possible to do this setup with IdSrv3 or IdSrv4? Also how can a chain of trust be established between central and local STS?
That is absolutely possible -
in IdentityServer you can add external providers via ASP.NET (Core) authentication middleware. For the "other" IdentityServer this becomes a normal client.
https://identityserver.github.io/Documentation/docsv2/configuration/identityProviders.html
We are doing a Cloud POC, we will have applications hosted in the cloud that can only talk LDAP. Is there any system/appliance/virtual directory in the cloud that can appear to be an LDAP server from the application side, and on the output side talk SAML/REST based over the Internet to talk to our SSO product that can authenticate users against our corporate LDAP, which is tucked inside our internal firewall?
You need to deploy an Identity provider connected to the ldap. You can adopt CAS or SAML technology.
In that wikipedia entry you can check the differents products (commercial and free software):
http://en.wikipedia.org/wiki/SAML-based_products_and_services
Most of them support Ldap as the authentication source backend.
Also Take a look on this thread:
Way to single sign on between PHP, Python, Ruby applications
The emerging SCIM (System for Cross-domain Identity Management) protocol might make more sense for the use case you're illustrating. It's intended to provide a simple REST API around an identity store so you can perform Create/Read/Update/Delete operatons. What will be available could theoritically be controlled via some policy within a SCIM server to alloy your clients to essentially interact with the backend LDAP directory.
Many products are adopting the SCIM standard now, such as ones from Ping Identity, Salesforce and UnboundID.