Best solution for centralised identity management - single-sign-on

I am investigating an open source solution for IdM.
So far, my choices are OpenIDM, OpenAM, Josso & CAS.
But most solutions are focusing on SSO, however my requirements are more on user management and provisioning. Can Josso/CAS/OpenIDM provide user provisioning/deprovisioning, group policy , etc? Any open source alternative to Atlassian Crowd, matching in every functionality?

The open source solutions that you mention focus largely on SSO, not identity management. JOSSO has a user provisioning feature but AFAIK it does not include group policies. If you are looking for a full identity management solution you would need to look at the commercial products like Cloudseal, Crowd, Oracle etc.

Related

Headless ecommerce architecture with flexible RBAC

I'm creating a software marketplace web app, and looking for some insights and suggestions about the architecture.
I would like to be owner of the UI, so probably a headless approach is the way to go.
The basic requirements contains:
I need to have multiple external identity providers (custom sites, not like facebook or google)
I need to have at least three roles
simple users who can buy stuff
users who can upload things available for sale in the marketplace
administrators, who has to approve everything that is uploaded to the marketplace
Do modern ecommerce platforms allow limiting certain API-s based on custom user's roles? Or allow registering custom external identity providers?
If not, would it be a viable option to put the ecommerce API behind one of my own microservices and do RBAC in one of my on MS?
I generally would like to do most of the customizations of the ecommerce externally, in my own microservices, instead of within the ecommerce platform itself - so I'm not bound to any specific language or technology. I would like to host the site myself, in a containerized environment.
Additionally, any suggestions about a platform that would fit the use case mentioned above?

Encryption at Rest for Source Code on Team Services

I had someone reach out to me with a couple of queries about source code encryption in Team Services. I don't know and can't find an answer to online (Google fell flat?).
The question is: Can a company control their own encryption of source code at rest with Team services? Essentially, this would mean controlling their own keys and having the ability to pull access logs for people accessing the source control.
I believe the answer is still no. Microsoft may encrypt, but I don't believe there is a provision for a company to control their own source control security if it goes on the cloud.
The answer is just as what you think: No for now. Microsoft use kinds of ways (Check this link for details: Visual Studio Team Services Data Protection) to protect the customer data, but the way which you are asking isn't supported for now.
You can submit a feature request on VSTS User Voice for this.

Single sign on solution

Hi I am using CAS for SSO. But problem is that i want reset password,register new user on CAS login screen.Does CAS provide these services or i have to implement?
Or Any other SSO solution exist which fulfill my requirement.
CAS is just a SSO frontend to your existing identity management solution (database, LDAP etc). It does not include any identity management features itself (create user account, reset password etc). I have recently been using the Cloudseal platform which is a full identity management solution and so far I am pretty impressed. I believe Atlassians Crowd also includes this although I have not used it. There are probably other products out there as well.
Both of these are commercial products although they are both free for the first 50 users. Crowd is a traditional standalone platform which you download, install and configure but Cloudseal is a hosted service so there is no installation and less config.
You can certainly modify the spring weblog and login page to allow for the functionality that of course you'd have to implement. You should also ask the question on #cas-user mailing list to see if a similar need in the community has been implemented by other users which you may be able to take advantage of. I remember only recently someone raised the same question to the list and there was a bit of interest in getting this feature developed and integrated. You may want to revisit the topic on the mailing list.
Hope this helps.

Minimum overhead for ASP.NET MVC authentication

I want to keep things as simple as possible and I don't want a complicated security mechanism. Basically I need for a user an ID and an e-mail address and I really don't want to bother about other things. Also, I was a minimum overhead in terms of security (if there is anoter provider who can do it for me, that's even better).
What is the simplest way to do this? I was thinking about incorporating LiveID or OpenID by I don't know what are the advantages/disadvantages.
I am working with the Azure SDK.
If you use the Windows Azure Access Control Service, you can basically outsource all identity management. Take a look at the Windows Azure Platform Training Kit - there's a lab called "Introduction to the AppFabric Access Control Service 2.0" that will get you up and running quickly. Currently, you can choose any combination of the following identity providers:
WS-Federation
Facebook
Windows Live ID
Google
Yahoo!
"Simple" for whom?
The simplest strategy for you would probably be to use ASP.NET's standard SQL-based authentication provider. You just run a script against your database to set up all the tables, and then you use ASP.NET's built-in utility methods to authenticate. Give your user-specific tables a foreign key reference to that user's ID, and you're good to go. We've done this, and never had any trouble with it. It's a tried and well-used system, so you know you won't be introducing any security invulnerabilities by hacking your own solution together. (see SqlMembershipProvider vs a custom solutions)
If you want something simple for the user, then an OpenId solution would be my pick. Set up something like StackOverflow has, where you can let users choose an account from a number of trusted providers to allow them to log in. From the user's perspective, it's really nice not to have to remember one more username and password for one more site.

Help to choose Alfresco or Nuxeo for DMS

I have requirement to develop DMS(Document Managemen System) with some initial requirements:
If possible DMS should be open source
Initially DMS should support up to 500 users
System should be scalable in sence od users or content
Docuemtns/Content should be stored on a file system
Document should be able to be marked for later destruction
Mandatory to have workflow capabilities
Mandatory to have version control capability
Nice to have SSO(Single Sign On) with Liferay portal
Nice to have posibility to expose some of funccionality via portlets in Liferay
Document management should be done via the web interface
Nice to have shared drive capability
Nice to have events and notifications about add/change content
At the moment I am in doubth to choose between Alfresco and Nuxeo.
I will appreciate any help to choose between them.
Thanks in advance
I have not much experience with Nuxeo, but here is for Alfresco:
1.If possible DMS should be open source
Yes.
2.Initially DMS should support up to 500 users
Yes, if you have a good server.
3.System should be scalable in sence od users or content
Yes.
4.Docuemtns/Content should be stored on a file system
Yes. Only metadata is stored in a database.
5.Document should be able to be marked for later destruction
The free Records Management module has retention capabilities.
6.Mandatory to have workflow capabilities
Yes.
7.Mandatory to have version control capability
Yes.
8.Nice to have SSO(Single Sign On) with Liferay portal
Yes.
9.Nice to have posibility to expose some of funccionality via portlets in Liferay
Alfresco and Liferay work very well together.
10.Document management should be done via the web interface
Yes.
11.Nice to have shared drive capability
Yes.
12.Nice to have events and notifications about add/change content
Not sure about this one. The Share module has this feature, but not sure about the main DM application.
Don't know the Nuxeo system, but we are using Alfresco as a document storage and session server. We have our own GUI and only use it as a back-end system. So far we had no problems. Plus Alfresco has a nice REST interface which makes it easy to integrate into any existing system.