CustomViewService (Login) passing additional values to CustomUserService - IdentityServer3 - identityserver3

I want to use IdentityServer3 in my solution, but one of my requirements is to connect to multiple databases for users, clients and scopes.
So, I want to customize the Login page and add a database selector. I’m doing this with a custom view service.
Then, when the user clicks on the login button, my custom user service is called, but I don’t know how to send the database selector value to my AuthenticateLocal implementation on the custom user service.
I need to know the database selector value in custom client and scope services as well.
I saw this post: http://forums.asp.net/t/2032044.aspx?Custom+User+Service+for+Thinktecture+Identity+Server+V3 where Brock said it isn’t possible.
Does the latest version of IdentityServer3 have any way to achieve what I need?
Thanks!
Best regards.

You can add custom form elements to the submit on the login page. In your custom IUserService add the OwinEnvironmentService as a ctor dependency to get access to the incoming OWIN environment. You can then wrap that with an OwinContext for convenience. Then in your AuthenticateLocal you can read the posted custom form elements to do whatever you need in your logic.

Related

Multiple authentication methods for a user in Keycloak

I would like to let my users have a choice which authentication method to use. For example, they could be presented with a menu to pick an option (username/pass, username/pass+OTP, etc).
Then, Keycloak should, based on their choice, assign specific scope to the token.
Is this possible to do with Keycloak (probably by somehow utilizing auth methods chaining) and how? I couldn’t find this in the documentation but it seems like a reasonable use case to me.
Here is my solution:
Circled authenticators are custom ones for which I provided a custom implementation.
I used the fall-through mechanism, which means that the first authenticator implements a custom form:
which lets the user choose an authenticator and captures the user's choice in a variable.
Later, this variable is used in the following authenticators to decide whether to do the authentication or to pass on control to the next authenticator.
You can read more about Authentication SPI in the following page: https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
And here you can see how to implement a custom authenticator.
Here is what I did and it works:
'My goal was to give the client the ability to choose an authentication flow, choosing between OTP-based email and SMS.'
I created a new authentication flow, see screenshot:
Select 'Alternative' on both flows.
On the login form a new link will appear: 'try another way'.
Now the client can choose between flows. See screenshot:

Custom Inputs on Identity server 3 login

Is it possible to customize the login page / authentication logic within identity server in order to allow a user to authenticate without their username and password but instead using a customer number and, say, a postcode?
I have implemented a custom view service that uses the username and password properties but I was hoping on a slightly better solution. Any ideas?
Yes, you can customize it.
You would have to create your own implementation of IUserService to validate whatever values you want and IViewService to render and submit the desired markup.
See more here:
https://identityserver.github.io/Documentation/docsv2/advanced/userService.html
https://identityserver.github.io/Documentation/docsv2/advanced/customViewService.html
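An added example (not from either thread above nor from the IdentityServer3 project) of the approach both answers describe: a custom IUserService that takes OwinEnvironmentService as a constructor dependency and reads an extra field posted by a customised login view. The field name database, the tenantA/tenantB allow-list and the IMultiDbUserStore interface are assumptions; the same pattern reads a customer number and postcode instead of a database selector.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;
using Microsoft.Owin;

// Hypothetical per-tenant user store (assumption): subject id on success, null otherwise.
public interface IMultiDbUserStore
{
    Task<string> FindSubjectAsync(string database, string userName, string password);
}

public class MultiDbUserService : UserServiceBase
{
    // Constructed allow-list: only these names may ever select a connection.
    private static readonly HashSet<string> KnownDatabases =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "tenantA", "tenantB" };
    private readonly OwinEnvironmentService owin;
    private readonly IMultiDbUserStore store;

    // IdentityServer3 injects OwinEnvironmentService when it is a ctor dependency.
    public MultiDbUserService(OwinEnvironmentService owin, IMultiDbUserStore store)
    {
        this.owin = owin;
        this.store = store;
    }

    public override async Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        // Wrap the raw OWIN environment so the posted login form can be read.
        var form = await new OwinContext(owin.Environment).Request.ReadFormAsync();
        var database = form["database"]; // extra <input name="database"> in the custom view
        // The selector is attacker-controlled: map it onto a known name rather
        // than building a connection string from it.
        if (string.IsNullOrEmpty(database) || !KnownDatabases.Contains(database))
        {
            context.AuthenticateResult = new AuthenticateResult("Unknown database selected");
            return;
        }
        var subject = await store.FindSubjectAsync(database, context.UserName, context.Password);
        if (subject == null)
        {   // Same generic message for unknown user and wrong password.
            context.AuthenticateResult = new AuthenticateResult("Invalid username or password");
            return;
        }
        // Record which store authenticated the user; client and scope services
        // can read the same form field through OwinEnvironmentService as well.
        context.AuthenticateResult = new AuthenticateResult(
            subject, context.UserName, new[] { new Claim("db", database) });
    }
}
```

Register the service with IdentityServer3's factory (Registration&lt;IUserService, MultiDbUserService&gt;) and register IMultiDbUserStore the same way; the custom IViewService only has to render the extra input inside the login form.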

Adobe CQ5: SSO without LDAP?

A customer of ours has just purchased CQ5 and would like to externalize all of its security. We'd like to use an STS server for SSO and then leverage a custom authorization/attribute provider instead of the CQ5 repository. Ultimately, we do not want to use LDAP in any way.
Here is how we envision this (some pieces already working):
User browses to CQ5 Dispatcher running in Apache
Apache filter redirects user to STS site where login is completed.
User is redirected back to Apache with SAML Claims.
User ID token is placed as cookie into browser. (everything is working up to here)
CQ5 captures that cookie based on the SSO configuration (working)
Problem starts here: From here, we want to call a custom authorization provider for the user's attributes, roles, groups etc...
We have tried to figure out how to do this and can't seem to find the missing link.
Do we need to create a custom login module? Do we need to create a custom principal provider? Do we somehow use the existing LDAP capability in CQ5 but have it call a custom class which leverages the external auth source?
If anyone here has any idea how to do this, their karma quotient would be full for the year if they could share it. I'm not sure if this is a basic thing you do with JAAS or even where to put my classes after I've created them.
We've worked really hard on this so far and seem to be close, but we keep hitting dead-ends.
Thanks so much if you have an idea where to begin!!
-joe
Recent versions of AEM now include the SAMLAuthenticationHandler which allows you to:
Redirect users to SSO to simulate IDP initiated login, or
Allow AEM to perform SP initiated login with IDP
Specify attributes to take from the SAML Assertion and add to the user's profile node (not sure if you can use this for groups)
Specify which groups users should be added to
Set a cookie called request-path that will store the URL the user arrived at, and then redirect them to that location when they're authenticated (i.e. deep linking)
This makes relying on the SAMLAuthenticationHandler better than using Apache to redirect. The current version of the handler bundled with AEM 6.2 does not properly set the cookie when using the redirect method, but Adobe does have an updated version that they can provide that will fix that problem.
I normally recommend that clients do not have their own authentication handlers developed inside AEM.
When not using LDAP, this does create an issue where users will not exist until they've logged in. Additionally, when your architecture includes more than one load balanced publisher, it is possible that a user may exist on one server user synchronization.
Try searching the google group for SSO details. Here's one useful post:
http://groups.google.com/group/day-communique/browse_thread/thread/72c235c83a501252/fba4d08a90487156?lnk=gst&q=SSO#fba4d08a90487156
It seems that you will have to implement a custom LoginModule, more information here: http://dev.day.com/docs/en/crx/current/deploying/custom-login-modules.html

Zend passing variables between controllers

I'm working on a small marketing project with Zend Framework; the backoffice of the project is currently made of two controllers: a campaign controller and a minisite controller.
The user creates a campaign with a form, then he has to create a minisite with a second form linked to this campaign, so I need to get the campaign and the user id when saving the data of the minisite.
What is the best practice and why? Should I pass those variables in a session object? Or should I pass those variables through a route like:
/backoffice/minisite/create/:userid/:campaign/
Edit: users are logged and authenticated when creating campaigns
Assuming users have to be logged in to do this, you could store the user information you need in a Zend_Auth identity
If not, you could store the data in a normal session var with Zend_Session or redirect to with the route. Either option is good, so it's up to you to pick the one which best suits you and your application.
For passing information between two controllers the best way is to use the session to store the values globally. :-)
I'm pretty sure users need to have an account to do these things. If yes, their campaigns and minisites will be associated with them in some way. I'd store and retrieve these things from some form of database.
If you're not having authenticated users and you really just need to pass two variables to another action, use url parameters but be aware of the fact that users can mess with them and a lot of unexpected stuff can happen. Storing in the session is harder to manipulate in that way.
So, if no authentication is involved and the site is public, use the session, otherwise use neither but use storage.
I would use the route option, as you suggest. Using sessions is going to end up being very difficult to test, debug, extend in the future etc.

Inferring Credentials with WCF

I need to get a list of tasks for a user from a WCF service to display on an iPhone app. I'm planning to use something like http://www.nayyeri.net/custom-username-and-password-authentication-in-wcf-3-5 to authenticate, but how would I pick up the username/user ID to filter my list of items?
You'll need to follow the example in the answer to this question on custom validator access to the user name. This good overview of custom service credentials shows how all the pieces work together. On the iPhone side, you'll need to configure the client to perform Basic HTTP authentication over HTTPS to successfully call the service.
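An added example (not from the thread or the linked article) of the two pieces the answer refers to: a custom UserNamePasswordValidator and a service operation that filters tasks by the identity WCF established. It assumes the host is configured for UserName client credentials with userNamePasswordValidationMode="Custom" as in the linked article; TaskItem, SampleData and the plain-text passwords are constructed for the sample only.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.ServiceModel;

public class TaskItem { public string Owner; public string Title; }

// Constructed in-memory data so the example is self-contained (assumption).
public static class SampleData
{
    public static readonly Dictionary<string, string> Passwords =
        new Dictionary<string, string> { { "alice", "s3cret" }, { "bob", "hunter2" } };
    public static readonly List<TaskItem> Tasks = new List<TaskItem>
    {
        new TaskItem { Owner = "alice", Title = "Review expenses" },
        new TaskItem { Owner = "bob",   Title = "Ship build 42" },
    };
}

// Custom validator, referenced from serviceCredentials/userNameAuthentication
// in the host configuration (as in the linked article).
public class TaskUserValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        string expected;
        // Real code compares a salted hash and applies lockout; plain text is sample only.
        if (userName == null || !SampleData.Passwords.TryGetValue(userName, out expected)
            || expected != password)
            throw new SecurityTokenException("Unknown username or incorrect password");
    }
}

[ServiceContract]
public interface ITaskService
{
    [OperationContract]
    List<TaskItem> GetMyTasks();
}

public class TaskService : ITaskService
{
    public List<TaskItem> GetMyTasks()
    {
        // The name comes from the credential WCF already validated, not from a
        // client-supplied parameter, so a caller cannot request someone else's list.
        var userName = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return SampleData.Tasks.Where(t => t.Owner == userName).ToList();
    }
}
```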