I need to implement Single Sign On feature for several internal web applications which are not deployed on the same domain.
Is federation a good solution in my case? Or it is only used if I want to federate the authentication to an external IdP.
I mean I want to create a custom WIF STS and make all the applications claims-aware RPs.
I'm thinking of it because I don't want to use custom solutions or third party libraries. WIF seems to have a straightforward solution integrated with .Net Framework.
Is my suggestion correct? Or this is an incorrect use for WIF.
Yes - a solution with WIF / STS will work even if it's only internal.
Beware of security if you roll your own.
You may want to look at ADFS or IdentityServer.
Going this route will make your life a lot easier.
Related
I have an API REST made in node js, and now I'd like to implement some XACML policy. I have been searching and I found that I can use ALFA to make the XACML rules. But I need a PDP for applying the rules. What can I use / how can I implement it?
I have read about WSO2 Identity Server (which I think I can use as a PDP? I'm not sure). It is probably too much for a little project. Any other suggestions? Or is WSO2 IS adecuate?
The go-to open source implementation of XACML 3.0 nowadays is AuthZForce. In OSS, it's the most up-to-date. In the commercial realm, look into Axiomatics (where I worked). They have the most up-to-date PDP and are the authors of the standard.
Yes, you can use Wso2 Identity Server as your PDP. Once I had a requirement to secure a Spring Boot rest API through XACML[1]. Anyway, It would be much easier for you to use the Identity Server PDP than implementing one. You have easy beginner samples that you can try out for your use case.[2] There are tools in the identity server that you can use to create the XACML rules.
[1].https://medium.com/#buddhimau/role-based-authorization-for-spring-boot-using-wso2-identity-server-3d74ab307fb9
[2].https://medium.com/#gdrdabarera/how-entitlement-management-works-with-rest-api-via-xacml-in-wso2-identity-server-5-3-0-7a60940d040c
Adding to Buddhima Udaranga reply, If you think IS too much for a little project, then you can directly use balana, which is the entitlement engine used inside IS. You can refer to this for more details. But balana have only java API.
I am in the middle of setting up SSO in our infrastructure and I am wondering if people would more experience could share their learnings.
I already have a reverse-proxy in-front of our system.
We have several legacy java apps running on tomcat
We have SPA apps as well written in JS
We have few APIs that will also need to be protected
I have two ways to set SSO up for us.
set up SSO on the reverse proxy using mod_auth_openidc so our gatekeeper makes sure that anyone who is hitting our services is already validated.
add a keycloak libs to each individual service
My preference is to set this up on the referse proxy.
Are there any disadvantages / best practices when it comes to this?
For legacy apps I would just use the HTTP headers added by the reverse proxy to find user details
For the new apps I would like to use the keycloak libs to get user details.
I do not want to go down some routes which is obviously problematic. So Any tips so that I can save some time are very welcome.
So far I have come up with the following list
pros to use a proxy server and mod_auth_openidc
Single place to handle all auth specific configuration
Abstracts out the implementation detail of the SSO. E.g. we do not need to integrate keycloak into each service. In my opinion this could cause issues if we decided later to actually move to a different SSO. ( I know this does not happen often )
cons to use a proxy server and mod_auth_openidc
an additional piece of software to maintain ( bugs etc )
possible extra checks on credentials if the app also integrated with keycloak ( not required it is possible but only needed if keycloak specific features are required in the app and those not available in the headers )
I would be interested in other's opinion on the pros and cons?
Thanks
Is it possible to configure wildfly such that users and agents have "optional" security?
In essence I want form authentication for a web page, silent basic authentication for my services. Most unfortunately, one component of my ecosystem cannot call with basic headers.
That being said I have a work around but it will take some time to implement. For the time being I would desire to basically have optional security. So everything can play nice in the interim.
I know I could change my authentication module to allow everyone through. But with form turned on, requests without a basic header ram back the web page to log in with.
Thanks for any good tips or tricks.
Edit: This would be possible with Spring Security. Using WildFly's inbuilt security mechanisms with undertow seems to limit your flexibility. So much is handled up front before you reach your code, you really are stuck.
However, with spring security, everything is implemented as filters and so you can check the request context for user agents and all kinds of things, and make decisions about each request as you want.
Obviously this wouldn't be a production solution but in development, like was my case, I could have let any request with user agent XYZ run as admin, for the time being.
I have since migrated to Spring Security for our web app security management.
So the short answer is no. The short answer is still no, but the slightly longer answer is to stop using Wildfly's in built security and use Spring Security.
In the long run you could probably create your own undertow servlet extension that would validate authentication or default to admin credentials. This is going to be a lot of work, and spring security has already done a lot of work for you.
We ended up spinning up duplicate of our services without any authentication that our trailing component could call in the meantime. If you don't want to use spring security this is still the best solution I have
I have two applications on two sub domains (app1.example.com and app2.example.com)
I would like to have an SSO which with one authentication, I can switch between applications without authentication again.
I am using OpenAM and Java and I already have seen few java code for it but they are quite confusing. I am also super confused on OpenAM Server configuration. They seem very confusing.
Does anyone have a very simple walkthrough for me to test?
I very much appreciate it.
Honestly you don't have 2 sub-domains. From DNS point of view you have two hosts 'app1' and 'app2' in DNS 2nd level domain 'example.com'. The tech overview for OpenSSO is still valid for OpenAM and there is quite a lot of documentation. The J2EE agents have a sample app with a nice step-by-step readme.
The default config is quite simple, or as simple as other software with comparable complexity.
-Bernhard
We have some apps written in classic ASP, ASP.NET and PHP. They are all in one same web server.
We want to transfer between the apps who is currently log in or none, we do not need to transfer everything in the session object.
What is the best way?
We need secure and high performance. Thanks.
If you are looking at a secure single-sign-on solution, something like Shibboleth will come to mind. It uses Security Assertional Markup Language (SAML) to perform user authentication and attribute exchange. It works independently of the application language and injects environment variables into the app.