how to extend keycloak to support fingerprint authentication - keycloak

We have a legacy fingerprint authentication service, some other systems use it to identify users. This system uses a ActiveX with a fingerprint scan device, it can be used in desktop applications or web application, not mobile built-in fingerprint support.
How can I integrate this service with keycloak ? what are the basic steps ?

Related

Way to implement SSO for web and desktop applications

I am reading alot about federated identity management and technologies like SAML, which can be used for implementing SSO for web applications, and Kerberos, which can be used for implementing SSO für desktop applications.
This is how I understood it so far. If we have the case, that we want to have SSO for a set of web applications and desktop applications, what are the technologies that are available for that? Do I have to combine SAML and Kerberos or is there another technology that fits better?
AFAIK, Microsoft ADFS and Oracle Access Manager are SSO products which supports SAML, Kerberos and other related protocols, does Windows based authentication and thus provide SSO access across webapps and desktop.
Check,
http://blogs.technet.com/b/abizerh/archive/2013/04/11/more-information-about-sso-experience-when-authenticating-via-adfs.aspx
https://docs.oracle.com/cd/E29542_01/doc.1111/e15740/wna.htm

Integrate Liferay with CAS and SAML

We have a requirement where user needs to login to portal with CAS (but SAML way). User can also login via login portlet of liferay.
We have few apps hosted on Intranet and few on Extranet. When user is in our office network, he should be able to login to all the apps via SSO. This includes apps which are hosted on extranet as well.
To achive this we want to use SAML with CAS.
By doing some research I understand that in this case CAS would be my IDP i.e. Identity provider and my apps on extranet would be SP i.e. service provider
Any idea how to proceed with it?
Any help is appreciated.
I have to do the same thing but using a LDAP too ...
I'm following this cookbook to achieve that, the second chapter talks about Authentication and Registration Process
I hope this would be helpful!!

IBM MobileFirst certificate pinning best practices

We are developing an IBM MobileFirst 7.1 Hybrid mobile application, and planning to use the certificate pinning feature.
We can find information on IBM website about the SSL certificate pinning on IBM MobileFirst website : Here is a post in the IBM Knowledge Center and Here is a tutorial and its sample project/code
All these resources are great, but I have some questions :
Are there any advantages to use native certificate pinning implementation for Android and iOS when my application is a hybrid application ?
If I use the hybrid environment code, will the SSL certificate be included in the wlapp, and then can be updated using direct update ?
Does the hybrid implementation of certificate pinning work on WindowsPhone 8 (Hybrid app for Silverlight environment) ?
In the tutorial video, I have seen that when SSL pinning is ON, and we call a URL outside our server (google for example) it will fail. Does this mean google maps will fail loading if I enable certificate pinning ?
What happen when the SSL certificate is revoked ?
What happen when the SSL certificate is expired ?
What is the best SSL renewal strategy to keep certificate pinning working and the application up while updating our server SSL certificate ?
Please advice
Are there any advantages to use native certificate pinning implementation for Android and iOS when my application is a hybrid application ?
You can always write your own code that does the pinning, or use 3rd party Cordova plug-ins. But none of those assure you the level of support you get by using the provided functionality. Note that you are then limited to the functionality provided (for example, certificate pinning by MobileFirst is restricted to a single destination host and not multiple).
If I use the hybrid environment code, will the SSL certificate be included in the wlapp, and then can be updated using direct update ?
You need to have the certificate in both the client and the server. You do not need to use Direct Update to update the certificate on the client.
The way it works is that you need to only update the certificate on the server, but you must maintain the same public key in case you do update it
Does the hybrid implementation of certificate pinning work on WindowsPhone 8 (Hybrid app for Silverlight environment) ?
As mentioned in the documentation, certificate pinning supports only: "native iOS, native Android, and hybrid iOS or hybrid Android"
In the tutorial video, I have seen that when SSL pinning is ON, and we call a URL outside our server (google for example) it will fail. Does this mean google maps will fail loading if I enable certificate pinning ?
The pinning relates only to requests that are bound to the MobileFirst Server and not to other services.
What happen when the SSL certificate is revoked ?
Requests that are bound to the MobileFirst Server will fail.
What happen when the SSL certificate is expired ?
Requests that are bound to the MobileFirst Server will fail.
What is the best SSL renewal strategy to keep certificate pinning working and the application up while updating our server SSL certificate ?
Because you only need to update the certificat eon the server, you only need to make sure to keep using the same public key as before.

Single Sign-On for SAPUI5 app: how to set up?

I have a SAP sso2 service enabled in the company, how would I enable single sign-on in code? What do I need to insert to my code and possibly where?
When I log in to portal, single sign-on feature works, as I am not asked for password every time. I would like to have the same thing for my SAPUI5 application.
Can I possibly use cookies? If yes, how?
Yes, you can have the same thing for your SAPUI5 application. You don't need to code anything. SSO for ABAP is standard configuration. You can use any of these:
SPNego for ABAP (included in SAP Single Sign-On 2.0)
SAML to Active Directory (assuming your users are there and that's why you have SSO to Portal)
When your company has implemented SSO for Portal, they should of course do the same for SAP GUI and ABAP HTTP. :-)
Note that there is a licensing cost for SAP Single Sign-On 2.0.
If you use ABAP on-premise system for your SAPUI5 app, then you need to have SAP Single-Sign-On solution installed, it includes SAML support.
SAML implementation on AS ABAP is provided by CommonCryptoLib (SAPCRYPTOLIB) so what you need here:
Install SAPCRYPTOLIB library server-side.
Not needed on Netweaver 72x/74x kernel PL released after November 2013, because now built-in kernel.
Enable SAML provider in AS ABAP in SAML2 transaction
Configure AS ABAP as service provider
Set up SAP SSO
After that you will be able to connect to ABAP system from your app.
If you connect to SCP cloud ABAP or HANA system, then this is even more simply because it supports SAML natively.

Is there any way to get domain users under google enterprise apps domain using OAuth 2.0?

Google Provisioning APIs use Google data protocol which requires admin userid and password. I looking for something like Google drive APIs so that I can use authority delegated service account to fetch entreprise info also. Idea is to avoid asking Admin credentials.
The Provisioning APIs support OAuth just fine. However, you should probably use the brand new Admin SDK Directory API which also supports the newer Google API similar to Drive SDK.