How to Configure IdentityManager - identityserver3

I'm at the early days of looking into IdentityServer v3 and IdentityManager, as I'm certain those guys are more clued up than I, but I cannot see how to configure the IdentityManager.
If we're deploying IdentityManager to a client, all the client wants to do is "standard admin type stuff", such as:
create users
unlock accounts (e.g. after 3 failed login attempts)
suspend accounts (not paid your bill, tut tut...)
delete users
..rather than amend claims, roles and suchlike (presumably these would be hidden from the Administrators).
What am I missing?
Or, is the IdentityManager supposed to be used by the implementation team installing the thing, and then the business administrators who deal with the topics listed above actually don't use IdentityManager at all, but a separate admin site we have to write? As far as I can make out, all the pages, html etc. are within the NuGet package, so cannot be amended by me.
If it makes any difference, we're trying to create a public facing website that can be logged into, but the users are only created by the company, whose admin site to create & administer the users is IP restricted / not public facing.

Identity Manager is aimed at developers and internal administrators for testing and initial configuration purposes, as opposed to end users.
Check out https://vimeo.com/125426951 by the repo's author. I think it's explicitly stated at around the 1 minute mark. It's mentioned on the GitHub issue tracker quite frequently too.
Also, it's not that extensible yet, so you won't be able to brand it or remove sections (such as your requirement of no claims).

Related

GitHub App transferred to Organisation not showing "Install App" etc

I asked this question on the GitHub community support forum, but I'll ask this here too since no reply there...
I am trying to set up a GitHub App to give some scripts limited Admin rights to some repos in an Organisation. The Organisation is (I believe) under an Enterprise account - we are using this currently instead of having an Enterprise server. I have created the App, transferred it to the Organisation, and one of the Organisation Admins (which I am not) has set me as the manager. So far so good. However, although I can see the App in the Organisation Settings, there is no “Install App” button. Also trying to use it in scripting gives 401 (A JSON web token could not be decoded) errors trying to get hold of a “PAT” for the app - even though the Admin has installed it into the app.
There is obviously something wrong but I’m at a loss. Does anybody know of some extra logs that can be looked at or have a suggestion on how to approach this? We’ve tried deleting the app and retrying - no different. I should say this is the third app I’ve created for transferring into the organisation this way - so far it has just worked.

We raised a support ticket on this so got a formal answer. I thought it might be useful to replicate the key part of the answer here. Essentially the issue is the fact this App has Admin rights. I am an Administrator on some of the repos, and am "App Manager" for this App, but I am not an Owner of the Organisation.
I quote:
"""GitHub App permission requests [control] access to a number of organization REST API endpoints... As these endpoints are outside the individual repository scope, only the organization owner can approve requests to add or change them. If this wasn't the case, App Managers who aren't organization owners would be able to grant an application the ability to view organization members and teams - which is private organization information that can otherwise only be granted by organization owners via inviting new organization members."""
Basically that is it. The original idea was to allow a central place to set some things that only an Administrator could set in a repo - c.f. branch rules. Seems that this can't be done as is with an App - the system just isn't flexible enough.
The alternative, which I know works, is to use the PAT of a user with Admin rights. That just feels less secure.

Option to limit visibility of users in Azure DevOps

Our main Azure DevOps Organization is linked to our Azure AD. We need to invite customers to specific projects as stakeholder only, and with this, they are added as external users in our AD. We found that within a customer project also, all other external users are visible, e.g. via mention with # anywhere in the text or assignment drop-down, although these do not have access to that project. Our only workaround so far is to create new non AD linked customer specific organizations, but this is really not the right way to go (licensing, management etc.).
Is there any option to prevent this and to restrict visibility to only those users who are part of a project (or planned)?

I tested and found the same issue as you said. It is by design; you can raise a problem in the Developer Community:
https://developercommunity.visualstudio.com/spaces/21/index.html
Besides, since there is a workaround that works now, continue on this basis. You can create different AAD for the customer specific organizations, then add the customers to these AAD. Thus, these users will be invisible because they are in different AAD organizations.

Limiting the number of logins by IP address in Moodle

I am using Moodle for online quizzes locally in a lab environment.
I am facing a problem with students sharing login credentials in the exam, so I am searching for a solution that will associate every user with a single IP address for a period of time. Is there any way from Moodle to do this?

This may not be possible to completely prevent without writing a new plugin to cache the login and restrict any new logins for a period of time. IP address probably isn't the best way to do this, as multiple students could be using the same IP address if sharing something like a WiFi connection at a campus or public location.
However, you can make it a little more difficult.
1.) Enable the "Limit concurrent logins" setting. You can find this in Site Administration > Plugins > Authentication > Manage Authentication.
2.) Try this plugin. It will cache login information for a student when accessing a quiz and prevent another computer from logging in to the same account from continuing that same quiz.
3.) Use some sort of single-sign-on service which you can connect with Moodle via a SAML2 plugin like this one. Look for a service that provides the specific functionality you're asking for.
4.) Use multi-factor authentication. You can combine this with option #3 above or look for a plugin supported by your current version of Moodle. Lambda Solutions appears to have a commercial product for this. There is also an older plugin on Moodle's site that you could get a developer to update for you.

GitHub Enterprise Admin Function - Add Arbitrary User to Organization

Is it possible in GitHub Enterprise to arbitrarily add a user to an organization if you are a site administrator? I am evaluating the software, but cannot seem to do this reliably. A site admin who is not themselves part of an organization cannot pull up the organization's dashboard, nor see which users are part of it, although they can view and contribute to the repositories within (in a roundabout way). I know that it is possible to impersonate a non-admin user, but you would have to know who already is a part of that organization to do this, which is hidden. There has to be a better way, because what if some nefarious employee removed everyone but themselves? The organization would effectively be orphaned.
Thank you
I think I have found where all the members are, under "Members & Teams", duh. I can usurp their account and make myself an owner if needed. Seems cumbersome though.
You most likely want ghe-org-admin-promote

iPhone Developer account: Multiple Admins?

I am doing some dev work for a client. She has a Dev License she would like to put the app under, but since she is non-technical it has been frustrating, since she has to be the one to submit the final app.
Is there a way for a Dev License to have multiple Admins? I have it configured so I am a developer but as such I cannot do the Distribution License. Only she can do that. Is there a fix?

If you have a good relationship with your client, you might want to ask her for her login details so you can do it yourself.
There is one other possibility though: For a similar problem I was given the advice to build & archive my app and send the archive to the client. He could then re-sign the app using his certs, which would eliminate the need for him to do all the building stuff, not to mention it will spare you from surrendering your source code. However, this will not eliminate the need for your client to enter all the meta information and so forth while uploading the app.
For the necessary steps to re-sign an app, see this answer.
To answer your original question: Each developer account has exactly one Team Agent. So you need some kind of workaround anyway.
There is only one administrative or Team leader per developer account. So you really need to plan on the policy for sharing use of that account from the beginning, if the required activities of the agent need to be split up among multiple parties, if you can't have one party capable of doing everything.
A shared account can be created from the beginning (either by the owner or the developer). I recommend an ADC account be created just for this purpose, instead of just using the owner's personal account and email address (e.g. instead of mary.smith@sample.com, create and use iosdeveloper@sample.com for enrolling as an iOS developer).
Account credentials can be "loaned" (perhaps with password changes after use).
You can be given remote access (VNC/RDP) into the owner's PC or Mac (or more secure yet, a VM session) as or after they log in.
You can talk the owner through the process over the phone (or video chat, etc.).
Or, the owner can learn how to get certificates, and build or re-sign and submit apps themselves, perhaps using a comprehensive script.