We want to utilize an external IdP that provides authentication services with Banno. Is there an option to configure it as OIDC IdP and redirect users to authenticate with it?
looking through Banno authentication framework I only see references to pulling data from Banno assuming user was already authenticated. Cannot find any documentation to how to configure redirect-to-IdP for authentation
We don't have documentation specifically about that use case, but we do have docs about our support for OpenID Connect Discovery: https://jackhenry.dev/open-api-docs/consumer-api/api-reference/v0/oauth-and-openid-connect/#openid-connect-discovery
We're aware of folks using Amazon Cognito, Kong, and Firebase with our OIDC Discovery endpoint.
Note that those services may not support Proof Key for Code Exchange (PKCE). If that's the case, then you'll have to have Banno Admin for your financial institution turn off the "Require PKCE" option in the External Application.
Related
I'm doing some tests with Azure APIM and have already published an API on the developer portal. I have the docs, have it secured using OAuth2 with Azure AD with client_credentials flow. I can invoke this API from Postman and from the developer portal.
Unfortunatelly, the client_id and secret are set on the configuration and the developer cannot self service them. Is there a way to do so instead of having to add it manually to each developer?
I was looking for something like this: https://tyk.io/docs/tyk-stack/tyk-developer-portal/portal-oauth-clients/
Azure APIM itself doesn't act as an identity provider like tyk but instead uses Azure AD (or rather any OAuth 2.0 provider).
The configuration in the docs is primarily to get the Developer Portal Console (the one used to test APIs) to work. For the actual API calls, there is no configuration required.
The validate-jwt policy is what takes care of preauthorization of requests.
Since you are looking for the client credentials flow alone, you could simply expose a portal that can create the required app registrations on your Azure AD using the Microsoft Graph API and expose the client id/secret to your users.
The current developer portal doesn't support this as of today but is something you could contribute to if you wish.
I have an ASP.NET Core REST API Service hosted on an Azure Web App. I own its source code and I can change it if required.
I am planning to publish REST API Service with Azure API Management.
I am adding Azure AD authentication to the Azure API Management front. So, the API management front is secured. All the steps are is described here.
All good so far. Here is the question (or challange?) :
Considering that my backend REST API Service is hosted on Azure and publicly accessible, how do I protect it against the request calls other than the API Management Calls?
How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?
A link to a code sample or online documentation would be a great help.
Update
While there are some overlaps with the follwoing question:
How to prevent direct access to API hosted in Azure app service
... part of this question is still outstanding:
How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?
You can enable static IP restriction on your WebApp to only allow incoming traffic from the VIP of your APIM Service facing ( keep in mind in some specific scenarios , the VIP may change and will be required to update the whitelist again).
Clients ==> AAD==> VIP APIM Service <==> (VIP APIM allowed) Web App
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
I read about the FI-Ware Identity Management GE.
I understand it acts as an OAuth2 Identity Provider enabling users to log in into applications using their FI-Ware site credentials.
The FI-Ware catalog site states this about the IdM :
In addition to providing a native login, IdM supports the integration
of multiple 3rd party authentication providers. Foremost, it supports
in a first step the configuration of preferred identity providers
through the administrators. The use of 3rd party IdMs lowers the entry
barriers for a native user to register, since the user can link to
her/his preferred IdM and use this account for authentication.
However, I could not find an explanation how this can be done.
Can anyone help ?
Thanks!
IdM doesn't support authentication with other IdP's. What that paragraph explains is that developers can use third party authentication in THEIR services using other IdP such us Google, Facebook or Keyrock. So what IdM supports is to allow other services to login using IdM authentication.
BR
I'm starting to work with CAS on my company. This is totally new for me, so I had to read lot of documents and how to's to have an idea of how CAS works.
So, we have to provide a single sign on service in our server to a company with two different applications. One of those, uses SAML2.
My CAS server is now working against a MySQL database, so I'll have the users of those 2 apps on my database to provide authentication service.
What I don't get clear is about SAML. All the tutorials I've read about SAML2 integrated with CAS 4.0.0 are using Google Accounts. I don't know why! I have some SAML2 configuration on a xml on my CAS directories, but I don't know how to prove if it's working or not.
If you are going to authenticate both of the applications using your single database, CAS is enough, SAML not required. With SAML you can connect to an external application(which supports SAML), both might be having their own internal authentication, but they will commnicate each other through SAML2 protocol/agreement
CAS is ideal ,if you want to setup a web single sign-on to different web applications (exclusively for a single institution), which all use the same authentication (DB, LDAP or whatever). With this the authentication will be centralized for all these different applications.
For users from another external institution to use your web application, SAML would be the choice, provided the External application also should support SAML.
Im trying to make my Bonita account authentication openID- enable login through a google account.
Here http://documentation.bonitasoft.com/single-sign-cas they provide the way of doing it("Configure Bonita client for CAS"). My question is: how should I get the following parameters specified in the link: ip_address:port from google(gmail)?
as probably noticed, im newly to be in this section. Any help will be deeply appreciated.
Bonita BPM will not interact with OpenID protocol out of the box.
However it supports the CAS protocol in the subscription editions.
What you probably need to do is to configure your CAS server to act as an authentication proxy.
Here is how it could work in theory (not sure it is feasible):
Bonita BPM relays user authentication to your CAS server using the CAS protocol.
Your CAS server delegates the user authentication to an OpenID provider such as google. Here is how you could activate OpenID support on the CAS server:
http://jasig.github.io/cas/4.0.x/protocol/OpenID-Protocol.html
An alternative solution could also be to implement a specific Bonita authentication service for OpenID (this requires Java development). In that case you would no longer need CAS. I know for a fact that this is possible.
Be aware that both solutions are technically not trivial to put in place.
Cheers,
You can integrate the BonitaBPM Subscription Edition with a Jasig CAS server:
http://documentation.bonitasoft.com/single-sign-cas-0
The CAS server can be configured to get it's authentication from OpenID as can be found here:
http://jasig.github.io/cas/4.0.x/protocol/OpenID-Protocol.html
I could integrate Bonita Community 7.7.4 with Apereo CAS. Details are here: https://github.com/sparse91/bonita-community-cas.