Artifactory: SAML/ADFS authentication with groups - saml

We are having problems with the authentication via SAML. All users who have an Active Directory user can log into Artifactory - which is not what I want.
I configured Artifactory to use two specific AD groups to allow users in, but we can't seem to get ADFS to filter those same groups
As far as I've understood Artifactory doesn't do anything with SAML authentication besides checking if ADFS says user is allowed or not allowed - is that correct?
Does anyone have experience with that kind of problem or an idea on how to solve this?
We are using Artifactory 5.2.0 at the moment

Never used Artifactory but assuming it's just a SAML SP ...
What is the format of the AD groups? What claim type? You may need a claims rule to transform the attribute to the required format.
ADFS can pass groups as Roles using "Token Groups - Unqualified Names".
Or you can set an access rule in ADFS so that access is denied if the user is not a member of a group.

Related

Keycloak users security

I am using Keycloak 18.0 for Angular 13 + Spring Boot App. The solution utilizes Microservices architecture pattern for this app so basically Keycloak already guards access to other solution resources. I am using only Keycloak REST API.
The problem is Keycloak security itself:
I want to restrict Keycloak client token only to user creation.
Any user has to be able:
1. Fully access and manage ONLY his own profile.
2. Has restricted access to profiles of other users.
3. Any other operation of viewing other users, adjusting
roles etc. should be enabled only if authenticated user
has some kind of permission to do it.
For example:
Anybody can create user (signup).
After user is verified, some role is assigned to that user.
User logs in and acquire its token that has permissions to fully manage only his own resources including user itself and has restricted access to other users and user resources.
I am not sure I want to integrate Keycloak as resource security manager (i am considering that option but for now, only Spring Boot Adapter was implemented to control corresponding resources security) but at least i would like to prevent e.g. reading full list of users using Keycloak client token.
I have basic understanding of Keycloak Resource/Policy/Permission Feature but I am not sure i understand how can i apply it to Keycloak users itself.
Thanks a lot in advance for your help.

AWS OpenSearch Goggle Workspace SAML authentications

I have configured a custom SAML app in Google Workspace and configured AWS Opensearch to use SP-initiated SSO.
I am able to access OpenSearch via the URL but I get the following error
Missing Role
No roles available for this user, please contact your system administrator.
I guess there are some SAML attribute mapping and group set up that are required. I've created an opensearch group in Google for users that I wish to have access.
I think the following AWS Opensearch parameters require a value
SAML master backend role
Subject key
Roles key
From what I can see, the issue is that you need to create a custom attribute inside the Admin console of Google Workspace with the "roles" for AWS Opensearch.
You can also read this information in the AWS documentation.
This was resolved using and IdP initiated authentication flow instead. The links posted in answers above helped us implement this.

How to configure RedHat APIMan Authorization Policy for unprotected endpoints?

We have installed and configured RedHat APIMan for our working API and the plan is migration form current home-grown tiny gateway to APIMan. The problem is that we have some unprotected endpoints which do not need login (Not everyone role! No login required at all). We are using Keycloak OAuth plugin for roles, and Authorization Policy for API security. When Authorization policy is not added, I can allow unauthenticated requests via a boolean value in Keycloak OAuth policy, but after adding Authorization policy, there is no way to let unauthenticated requests pass!
Kamyar. Apiman developer here.
Please file a feature request for this over at https://github.com/apiman/apiman/issues.
I think what you are trying to do may not currently be possible easily because the authentication policy is expecting a successful auth of some sort before it is hit (to get the roles, etc).
We probably need a slightly more detailed explanation of your use-case, and then we can figure out whether we can support it. It seems like it should be doable without major changes if I understand correctly.
If and when we add support for the specifics of your requirement, I will endeavour to update this ticket.

Artifactory: getting HTTP 400 after unauthorized SAML log in attempt

I have SAML with ADFS configured in Artifactory and it is working just fine really. We are also "filtering" users by AD group membership and only allow users within a certain group to log in. All that is and has to be done by ADFS because Artifactory doesn't do that.
When a user is not authorized to log in with SAML he is redirected to an HTTP 400 Page though which obviously isn't a good solution. I can already see the tickets pouring in telling my that Artifactory doesn't work at all.
How can I avoid that or tell them actually what's the problem?
EDIT: using Artifactory version 5.3.1

Nexus OSS Remote User Token (RUT) for SSO

Hello I am using Nexus OSS, and wanted to simulate SSO, using Remote User Token. Currently the Nexus is configured to LDAP authentication, and is working fine.
As per the instructions found here https://books.sonatype.com/nexus-book/reference/rutauth.html
Basically enabled Remote User Token and added header field Name "REMOTE_USER". This user is ldap and has access.
This instance is behind apache, so from apache, To test this RUT, I can set the header value REMOTE_USER, whoever, I don't see passed in user getting logged nor I see cookie being generated. I even tried firefox rest api client and set header, but with the same results. I can see that HTTP header is being set right.
Am I missing something?
Is there a way to debug that? Appreciate any help.
Thanks
S
RUT handles authentication, but the authenticated user still needs to be authorized to access the web UI. What this means is that you need an LDAP user or group mapping in Nexus which assigns the necessary roles and privileges to the user.
I had a similar issue with Nginx, the header was not set using the correct value.
This can be quite confusing, as the reverse proxy does not complain and simply sends a blank request header to Nexus.
Using Keycloak and Nginx (Lua), instead of a preferred_username field in the IdP response:
-- set headers with user info: this will overwrite any existing headers
-- but also scrub(!) them in case no value is provided in the token
ngx.req.set_header("X-Proxy-REMOTE-USER", res.preferred_username)
I had to use the preferred_username field returned in the response's id_token element:
-- set headers with user info: this will overwrite any existing headers
-- but also scrub(!) them in case no value is provided in the token
ngx.req.set_header("X-Proxy-REMOTE-USER", res.id_token.preferred_username)