Any tips on how to accomplish the following would be appreciated:
Application A needs to call a SOAP web service (Application B) for a given user. Application A has authenticated the user using our own internal web security processes and knows the ID of the user. Application B requires a user ID and a Kerberos ticket to be passed to it. Can Application A retrieve a ticket from the KDC on behalf of the user to pass along to Application B?
I've been reading a lot about Constrained Delegation, S4U proxies, etc. but am not getting anywhere. This is running in Java 1.6. I'm thinking I need to use JAAS and GSS-API. Has anyone done something like this that could provide insight? I'm not even sure if the setup in Active Directory is correct.
Thank you in advance.
Stanford WebAuth is capable of handling this kind of delegation. It may not map very well into your application, but it at least shows what is possible.
https://github.com/Stanford/webauth
and might give you some hints.
Related
I have an application where right now a user could work in different context : in the same client application he could switch his context and work either for a company1 as "Administrator" or if he switch to the second context , he could work as "Editor" for the company2…
This was done by using a custom homemade authorization module, but we are trying to use openid-connect now so we are trying to find some solutions with KeyCloack.
Is it possible to assure the same kind of thing in Keycloack ?
It's possible. BUT it's not something that anyone who doesn't know the internal of your custom implementation could give you a solution.
Authorization services provided by Keycloak is quite flexible and of course complex. I suggest you to take a look at the following link and see which of of authorization solution can answer your requirements and would also be possible to adopt your system to use it (e.g. RBAC, ABAC, CBAC, etc.).
As an example, one solution could be to consider each company a resource and then each user of the application, can have different roles/permissions on each resource. So in Keycloak you define who has what roles on which resources (companies) and then in your app, you check those to see if user is authorized or not. But I'm pretty sure when you get a better overview of the Authorization Services in Keycloak, you would come up with a much better idea.
Keycloak Authorization Services
The basic architecture of my application is React front-end consuming a RESTful API sitting on top of a polyglot storage layer.
Front-end:
React consuming APIs
Back-end:
Python
Flask
Authentication
Auth0+OKTA
Everything is working great. However, I need to have different roles for the users. In other words, I need to control the actions that a user can perform on a resource based on the role.
Example:
-User A wants to add a new user
-He has a token in his request, so I know User A is Authenticated
-Now I need to make sure he can in fact add users base on his role.
I don't want to hard-code the user roles as suggested in other solutions, and I would like to allow for custom roles to be added.
Also, I want to be respectful of people's time, so if there is a resource that addresses my concern, please feel free to point me to it.
These are my questions:
1. Are there any best practices for implementing what I am trying to accomplish?
2. Could you point me to examples or tutorials discussing authorization(not authentication)?
3. Do I check at each service call if the authenticated user can also perform the action or do I provide the roles in some form after authorization, so a service request contains both the authentication and authorization token?(this seems pretty easy to hack so I am guessing no...)
If I sound confused on the topic of authorization, it is because I am. Please feel free to point me to any resource that have been helpful to you.
Thank you in advance for taking the time to help! I really appreciate it.
You can use a framework like Yosai that is based on Apache Shiro.
These are some features:
Enables Role-Based Access Control policies through permission-level and role-level access control
Two-Factor Authentication, featuring Time-based One-Time Passwords
Native Support for Caching and Serialization
Event-driven Processing
Ready for Web Integration
I'm attempting to implement SSO and wanted to use Netsuite as an IdP. Now I know officially this isn't possible but I was wondering if it's even remotely possible to have something like this done (custom coded or anything like that)?
Unfortunately I am not the most knowledgeable person in regards to these things, please forgive my ignorance.
Thanks!
It really comes down to what NetSuite exposes for PingFederate to hook into. From a PingFederate perspective, if NetSuite exposes the ability to validate an existing user session by a 3rd Party or provides an API that can essentially authenticate a user you could create a custom IDP Adapter for PF that would handle this.
This is something that your Ping Account team can assist with if you're interested in getting some assistance.
HTH
--Ian (Note: I work for Ping)
I'm currently trying to setup FOSOAuthServerBundle with my Symfony2 app.
Everything seems to be setup and functional, anyway I'm stuck after the installation.
What is the proper workflow with URLs to get the access_token ?
I tried /oauth/v2/auth, but sounds like I need to define a Client object first.
How to create/generate Client ? Clients are always supposed to be created manually ?
FOSOAuthServerBundle doc is great, but seems to skip all the usage workflow. Am I supposed to check the OAuth2 doc for this ?
Thanks !
In short, yes. You should be using the oAuth2 RFC to determine which workflow you want to use. In regards to client registration the RFC specifically states that the means through which a client registers is beyond the scope of the specification (https://www.rfc-editor.org/rfc/rfc6749#section-2).
With that being said I can give you some insight into how I did this. My application is a mobile phone application that connects to several services running on various servers. I'm also using the Resource Owner Password Credentials Grant.
The way I approached this was: when the application loads, the first thing it does is to check if it has an oAuth2 client id. If it doesn't, then it POSTS to a create client endpoint I've setted up with the meta-data I need. The endpoint validates the POST, creates the client and returns the client information. The application stores the client id and the process doesn't have to be repeated the next time.
Application loads;
Application checks for oAuth2 client id;
If there is one, the process ends;
If there isn't, it posts to http://www.example.com/client;
If we get a 200, store the oAuth2 client id.
I could have also created the oAuth2 client when the user created an account in the application, but I wanted to make the registration process as fast as possible. Creating the client would have added some extra waiting time to the process.
Check this: http://blog.logicexception.com/2012/04/securing-syfmony2-rest-service-wiith.html
It's quite simple to convert to Doctrine, whether you use it.
There's a command-line that does exactly what you need: create a Client!
We are using PingFederate to enable SSO. It's being mapped with the LDAP directory server and our site is able to use SSO. Now we are integrating a helpdesk software application which is being hosted somewhere within our own site. We want the help desk user to be able to login using our site credentials. For that I need to add the help desk as a partner (SP) in PingFederate acting as an IdP.
How can I achieve this? A brief explanation would be helpful. Thanks in advance.
You may want to check out the Getting Started - Part 3 recording from our website. It demonstrates how the setup a connection to a typical service provider.
https://www.pingidentity.com/support/training-center/index.cfm/103-creating-a-connection?id=1011570451001
In a nutshell, you would need communicate with your partner about federation and share some information like:
Federation Standard/Protocol,
Base URL, Entity ID, Endpoints,
Binding,
SSO profile,
Attributes,
and so on.
All of the above depends on what federation server your partner is using. Once you have all the information you can quickly setup the connection to your partner within PingFederate.
I hope this helps. I've also sent you a PM.
There's lots of good information in our documentation on managing SP connections: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-92&topicId=adminGuide%2FmanagingSpConnections.html
How the connection is made largely depends on how you authenticate users, what attributes you're sending, and what the SAML capabilities/details are of your help desk software. If no SAML features are available, you may have to use one of our Integrations to either front end it (with a web server plugin, like Apache or IIS) or modify the app (using one of our language kits or agentless integration approach).
You may also want to consider sitting in one of our training sessions on PingFederate basics: https://www.pingidentity.com/en/resources/training.html
Should all else fail, our support centre is there to help if you have a valid contract.