OpenAM DesktopSSO support for non-domain computers - single-sign-on

I have configured OpenAM with the DesktopSSO module and everything is working fine with our SAML 2.0 app for domain computers. When they request the app, it redirects to OpenAM and they are immediately authenticated. I am trying to understand what config is needed in OpenAM to support non-domain PCs. Is there an option in OpenAM to say 'if the device does not support this module, use another module'?

It sounds like you want to default to another authentication module if the DesktopSSO module is unavailable. You can do this by configuring another authentication module, such as possibly an AD module, and adding the second module to the Authentication Chain. Set the Criteria to SUFFICIENT for both modules in the chain, and in the options include the following string for both modules: iplanet-am-auth-shared-state-enabled=true
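The chain described in that answer, as an added example (Python, not OpenAM code): a small simulation of how OpenAM evaluates an authentication chain with JAAS-style criteria (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL), and how enabling shared state lets a later module reuse what an earlier one learned. The module names, the fake SPNEGO ticket and the AD_USERS table are constructed for this demo; the point it shows is that with both modules SUFFICIENT a domain PC never reaches the AD module, while a non-domain PC falls through to it.

```python
# Added example (not OpenAM code): simulation of an OpenAM-style auth chain.
# Each module receives the shared-state dict and returns True or False.

AD_USERS = {"alice": "s3cret"}   # constructed stand-in for an AD bind check


def desktop_sso(state):
    """DesktopSSO: succeeds only when the browser presented a Kerberos ticket."""
    ticket = state.get("spnego_ticket")
    if not ticket:
        return False                  # non-domain PC: no ticket, module fails
    # With iplanet-am-auth-shared-state-enabled=true the principal learned here
    # is published so that later modules in the chain can reuse it.
    state["username"] = ticket["principal"].split("@")[0]
    return True


def ad_module(state):
    """AD module: form login, reusing the shared-state username if one exists."""
    user = state.get("username") or state.get("form_user")
    password = state.get("form_password")
    if user in AD_USERS and AD_USERS[user] == password:
        state["username"] = user
        return True
    return False


def run_chain(chain, client_state):
    """Evaluate [(name, criteria, module)] with JAAS control-flag semantics.

    REQUISITE  : failure aborts the chain immediately
    REQUIRED   : failure fails the chain, but remaining modules still run
    SUFFICIENT : success (with no earlier REQUIRED/REQUISITE failure) ends the chain
    OPTIONAL   : counts only as 'some module succeeded'
    Returns (authenticated, shared_state, trace_of_modules_run).
    """
    state = dict(client_state)
    trace = []
    required_failed = False
    any_success = False
    for name, criteria, module in chain:
        ok = module(state)
        trace.append((name, criteria, ok))
        any_success = any_success or ok
        if criteria == "REQUISITE" and not ok:
            return False, state, trace
        if criteria == "REQUIRED" and not ok:
            required_failed = True
        if criteria == "SUFFICIENT" and ok and not required_failed:
            return True, state, trace
    return (any_success and not required_failed), state, trace


# The chain from the answer: both modules SUFFICIENT, DesktopSSO first.
CHAIN = [("DesktopSSO", "SUFFICIENT", desktop_sso),
         ("AD", "SUFFICIENT", ad_module)]


def login(client_state):
    return run_chain(CHAIN, client_state)


if __name__ == "__main__":
    domain_pc = {"spnego_ticket": {"principal": "alice@EXAMPLE.COM"}}
    laptop = {"form_user": "alice", "form_password": "s3cret"}
    for label, st in (("domain PC", domain_pc), ("non-domain PC", laptop)):
        ok, state, trace = login(st)
        print(label, "->", ok, [t[0] for t in trace], state.get("username"))
```

If you change the first module's criteria to REQUIRED instead, a non-domain PC can never authenticate, because DesktopSSO's failure fails the whole chain regardless of what the AD module does; that is why the answer sets SUFFICIENT on both.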

Related

Kentico sync and AD authentication

My target site needs AD auth to browse and use the admin portal. All is fine there. This means syncing to this server via username and password authentication doesn't work. Does this mean I need to enable x.509 authentication?
If you mean using the Staging Module, the staging module's "Username and password" really is not linked to the actual CMS Users. You can put whatever Username and Password on the Destination server, and connect to it from the Source.
x.509 is also fine.
Tell me if you aren't talking about the Staging Module though.
You may need to do 1 of 2 things:
Enable mixed mode authentication. Yes, the overall authentication doesn't need to use a physical cms_user user, but since you have AD Authentication enabled, any time another user or service tries to access a system page it may require them to log in.
Create a web.config location node in your /CMSPages/Staging/web.config file that excludes anyone or everyone from accessing the SyncServer.asmx page within there.
Otherwise, configure the x.509 certificate setup.

ADFS and Form Authentication

I have an ADFS single sign on application. Can we also have form authentication using login credential from a database on the same application? In other words, I need single-sign-on for people who have windows account and form authentication for people who do not have windows account. I did some research on this topic but I have no lead. Is there any suggestion?
Out of the box ADFS can only authenticate against Active Directory (the latest version of ADFS (vNext) does support LDAP v3-compliant directories).
You need to build your own Custom Authentication Provider for ADFS if you would like to plug in your custom code.
Some pointers for further reading:
Understanding WIF 4.5
Create a Custom Authentication Provider for Active Directory Federation Services

How to configure OpenAM as Identity Provider (IdP) to test SAML-based SSO

I am trying to configure OpenAM as Identity Provider to test my SAML-based service provider application.
I have searched a lot and seen the documentation of OpenAM. There are lots of things supported by OpenAM which probably I do not need at this moment. I don't wish to read the whole documentation, which will take a lot of time reading things I do not want to test right now. I even saw chapter 9 "Managing SAML 2.0 SSO" at
http://docs.forgerock.org/en/openam/10.0.0/admin-guide/index/index.html
But it requires a lot of things to be configured before this.
Is there any quick start guide to test it as a SAML-based IdP?
EDIT
Not a quick one; a detailed one is also fine. But I want OpenAM as Identity Provider. The SP is an application hosted on Jetty which we have developed. Also tell me what changes I have to make on the SP, like which URLs of the application should respond with what.
There is no one-fits-all answer to your question really. Setting up SAMLv2 Federation largely depends on the actual SP implementation; some SPs can work with SAML metadata, some don't.
The simplest way to set up federation between two OpenAM instances for reference would be something like:
Create Hosted IdP wizard on node1
Create Hosted SP wizard on node2
On both nodes remove the persistent NameID-Format, so both will have transient at the top of the list
Register Remote SP wizard on node1, with URL: node2/openam/saml2/jsp/exportmetadata.jsp
Register Remote IdP wizard on node2, with URL: node1/openam/saml2/jsp/exportmetadata.jsp
On node2 in the Hosted SP setting set the transient user to "anonymous"
After all this you can test Federation by using:
/openam/spssoinit?metaAlias=/sp&idpEntityID=node1_entityid on node2
/openam/idpssoinit?metaAlias=/idp&spEntityID=node2_entityid on node1
I've used the default metaAlias values, but those should be visible on the console pages. Similarly by downloading the metadata you can see the actual entity IDs for the given entities.
Based on this, you should see now that with an OpenAM IdP you could at least test SAML support using the idpssoinit URL (if your SP supports unsolicited responses), but from the other way around it pretty much depends on your SP implementation how you need to actually trigger a SAML authentication.
This seems like a simple setup.
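The metadata exchange in the steps above (the exportmetadata.jsp download, the transient NameID-Format check, and the spssoinit/idpssoinit test URLs), as an added example in Python that is not OpenAM or ForgeRock code: a small parser for SAML 2.0 entity metadata plus the checks someone following those steps would want to run before trying the two URLs. The two metadata documents are constructed samples (trimmed; real metadata also carries KeyDescriptor signing certificates), and the node1/node2 host names and the /idp and /sp metaAlias values are assumptions.

```python
# Added example (not OpenAM code): parse SAML 2.0 metadata, check the
# NameID-Format ordering the answer asks for, and build the two test URLs.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample of what node1's exportmetadata.jsp could return for a hosted IdP.
IDP_METADATA = """
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://node1.example.com:8080/openam">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://node1.example.com:8080/openam/SSORedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://node1.example.com:8080/openam/SSOPOST/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed sample for node2's hosted SP, deliberately still listing persistent first.
SP_METADATA = """
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://node2.example.com:8080/openam">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://node2.example.com:8080/openam/Consumer/metaAlias/sp"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def parse_metadata(xml_text):
    """Return entityID, role and the parts of the metadata the setup depends on."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    for role_tag, endpoint_tag in (("IDPSSODescriptor", "SingleSignOnService"),
                                   ("SPSSODescriptor", "AssertionConsumerService")):
        role = root.find("md:" + role_tag, NS)
        if role is not None:
            return {
                "entity_id": root.get("entityID"),
                "role": role_tag,
                "name_id_formats": [e.text.strip() for e in role.findall("md:NameIDFormat", NS)],
                # binding short name -> endpoint URL
                "endpoints": {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                              for e in role.findall("md:" + endpoint_tag, NS)},
            }
    raise ValueError("no IdP or SP role in metadata")


def check_pairing(idp, sp):
    """Warnings for the conditions the steps above say must hold on both nodes."""
    warnings = []
    for ent in (idp, sp):
        fmts = ent["name_id_formats"]
        if not fmts or fmts[0] != TRANSIENT:
            warnings.append("%s: transient NameID-Format is not first (%s)"
                            % (ent["entity_id"], fmts[0] if fmts else "none"))
    if idp["role"] != "IDPSSODescriptor" or sp["role"] != "SPSSODescriptor":
        warnings.append("roles are swapped or missing")
    if idp["entity_id"] == sp["entity_id"]:
        warnings.append("IdP and SP share an entityID; they must differ")
    return warnings


def sso_init_urls(idp, sp, idp_base, sp_base, idp_alias="/idp", sp_alias="/sp"):
    """The two test URLs from the answer, built from the parsed entity IDs."""
    sp_initiated = sp_base + "/openam/spssoinit?" + urlencode(
        {"metaAlias": sp_alias, "idpEntityID": idp["entity_id"]})
    idp_initiated = idp_base + "/openam/idpssoinit?" + urlencode(
        {"metaAlias": idp_alias, "spEntityID": sp["entity_id"]})
    return sp_initiated, idp_initiated


if __name__ == "__main__":
    idp, sp = parse_metadata(IDP_METADATA), parse_metadata(SP_METADATA)
    for w in check_pairing(idp, sp):
        print("WARNING:", w)
    for url in sso_init_urls(idp, sp, "http://node1.example.com:8080",
                             "http://node2.example.com:8080"):
        print(url)
```

Run against the samples it warns that node2 still has persistent at the top of its NameID-Format list, which is exactly the step the answer says to fix on both nodes before testing; the entity IDs it extracts are the values to substitute for node1_entityid and node2_entityid in the two URLs.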

How do I force the use of Windows authentication on only part of a web site?

I am building a site using ASP.NET MVC 2. The site itself needs to be public, but the admin section should require a Windows login, and the user logging in needs to have local admin privileges on the server.
i.e. http://server/site should be open, but http://server/site/admin should force an admin login before proceeding.
Can this be done in code or by tweaking the web.config file? If necessary, making configuration changes to IIS is acceptable but I am trying to keep deployment steps down to a minimum.
I don't know if you can do this in web.config, or even if it's possible via IIS in an MVC application (since /site/admin won't exist on the file system), but it is possible to have different permissions for different folders under IIS. You will need to use the IIS manager to configure this.
You may also be able to use an AuthorizeAttribute on your admin controller.
This turned out to be fairly straightforward:
Enable Windows Authentication in IIS.
Enable Windows Authentication in web.config.
Decorate each action that needs to be secure with [Authorize(Roles = "Admin")].

Authenticating Gitweb with Gitosis without LDAP Auth?

I found your article using Apache Auth with gitweb, gitosis.
I was wondering if there was a way to do this if I wasn't using LDAP for authentication. We currently have a very large NIS domain which we use for authentication on all unix servers.
We use this for SVN repositories through a UI, but for this case I am trying to meet a requirement of:
Git Repositories
Access Controlled - using Gitolite
Online UI - using Gitweb
UI must also have Access Control - not yet implemented
I was thinking first I need to get Gitweb and Gitolite to play together and each one works at the moment individually.
If gitolite provides access using SSH-keys, then it can provide the access this way by having a key for each machine a user/developer will be accessing Gitweb/gitolite from.
Or if I can get gitweb to simply authenticate users from NIS domain since every user has an account that our IT department sets up this would be better.
Any ideas or howtos I can use to get further on this requirement?
The way you link gitweb and gitosis together is by:
having gitweb configuration files with names identical to NIS logins
having gitweb.conf (from gitolite) included in gitweb_config.perl, as in this blog post (add at the end of gitweb_config.perl:)
use lib (".");
require "gitweb.conf";
using a NIS authentication for your Apache2 httpd.conf (or extra/httpd-ssl.conf if you are using https)
Once a user is authenticated (be it with basic, LDAP or NIS auth), $cgi->remote_user will be set, and that is the login which will be passed (by the gitolite gitweb.conf) to the gitolite perl script managing Git access rights (ACLs).
The Git ACLs are still managed by ssh key and are independent from the login mechanism, except for the login part, which enables gitolite to make the right account association.