Is there an API in Ping Federate/ Ping One to validate user credentials - username and password?
Here is a scenario in which I would like to use it:
user logs in via SAML SSO to my web application
certain application feature requires that the user credentials are validated again (to sign-off some operation)
SAML SSO does not make it easy to re-validate user credentials without logging out from application, users passwords are obviously not stored in the application so the only way to validate credentials is to send them via some API to Ping to validate - however I was unable to find such API in Ping.
For example, OKTA (which offers similar services as Ping) does provide such API:
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{
"username": "dade.murphy#example.com",
"password": "correcthorsebatterystaple"
}' "https://${yourOktaDomain}/api/v1/authn"
I am looking for something similar in Ping.
Yes - there are two options in PingFederate for this:
Authentication API - This enables clients to authenticate users via a REST API instead of having the adapters present login templates directly. More details here: https://docs.pingidentity.com/bundle/pingfederate-102/page/elz1592262150859.html
OAuth Resource owner password credentials grant type - If you're just looking to validate a username + password combination you could leverage PingFederate's support of OAuth ROPC grant type. It allows you to POST the credentials and get back an Access Token if it was successful. More details here: https://docs.pingidentity.com/bundle/pingfederate-102/page/lzn1564003025072.html
Karolbe, you may also wish to take a look at Adaptive Authentication feature provided by PingFederate which directly answers your second requirement as provided by you above, i.e. - certain application feature requires that the user credentials are validated again (to sign-off some operation). Here is the reference from PingIdentity website. Adaptive authentication and authorization allow you to evaluate contextual, behavioral and correlated data to make a more informed decision and gain a higher level of assurance about a user’s identity, which is what your requirement 2) is asking for. Typical use case could be, say a user tries to access a high valued application, or tries to login after a configured idle time, Adaptive authentication will force user to present authentication credentials again.
Related
I have created a Google cloud function, and in the permissions I've added the 'Cloud Functions Invoker' role to the 3 individual users I want to be able to trigger the function.
The function is accessible at the trigger endpoint provided, similar to this:
https://us-central1-name-of-my-app.cloudfunctions.net/function-name
I have assigned myself the invoker role on the function. When I enter the URL I get a 403
Your client does not have permission to get URL /function-name from
this server.
Since I am signed into my Google account already, I had assumed I would have permissions to access this function.
If not, how can I show the authentication prompt as part of the function without exposing the entire function via allUsers?
You can't call directly the function even if you are authenticated on your browser (this feature will come later, when you will be behind a Global Load Balancer and with IAP activated).
So, to call your function you have to present an identity token (not an access token). For this, you can use the gcloud SDK with a command like this (on linux and after having initialized it with your user credentials (gcloud init))
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" https://....
You can also create an API Gateway in front of it (I wrote an article on this) and use an API Keys for example.
I am using openshift for deploying my web application. For login, I use openshift oauth api with a service account.
Right now, I am using the scope: role:edit:<namespace> for all users when they login. But, now I want to set their access as per their roles defined in their openshift accounts.
I tried retrieving user roles, but as I do not have admin access, I cannot view user roles.
Any ideas on how to approach this problem? Any help would be appreciated.
PROGRESS: So I was able to somewhat solve my problem:
Basically, as an admin: I created a clusterrole allowing read access to clusterrolebindings and then added that role to the required user.
oc create clusterrole roleget --verb=<verb_list> --resource=<resource_list>
oc adm policy add-role-to-user roleget developer
Then if I change the scope in my application to role:roleget:<namespace>, I am able to access the rolebindings via rest api
curl -k -H "Authorization: Bearer $TOKEN" -H 'Accept: application/json' https://$ENDPOINT/apis/rbac.authorization.k8s.io/v1beta1/namespaces/$NAMESPACE/rolebindings
So now, I am able to separately fulfill my requirements. But now, I need to merge the two scopes together somehow, i.e
scope:role:edit:<namespace> and <scope:role:roleget:namespace>.
Does anybody has an idea how to do this?
As of now, we have an authentication service using Spring Security OAuth2 which implements the following grant types: client_credentials and password.
To obtain a token, a client (potentially an HTML5 SPA client) would have to store the client_id and secret to obtain a bearer token with either the client_credentials or password grant type. For this case, it's not very safe as anyone the client_id and secret would live within the HTML5 apps source and anyone could obtain it.
Is there a different flow for this, other than client_credentials or password?
Generally speaking, for SPA s the recommended authorization protocol is OAth with Implicit grant.
You can read a bit more about how that is implemented in Azure Active Directory (it is free) here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-dev-understanding-oauth2-implicit-grant
and here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-implicit
Scenario is
Heroku server sends web service call to Parse.com using CURL command. web services are written as Jason and are using REST.
I need to test performance of parse.com server for my website in case of 40 users hitting it at one time
As the communication between heroku server and parse.com is through REST Jason Web services so I assume I need to generate concurrent 40 calls of each web service to hit the parse.com.
Each Curl command has One user session token and some parameters in header which I configure in Jmeter HTTP request when generating loaded web service call
I need to test the scenario in which 40 concurrent users simultaneously create project (Create project is also a web service) on parse.com (There is no web service for creating users but each curl command has a user session token as a key of each user signed up on website)
Problem:
Curl Command for creating project on parse.com has one user session. So even if I enter 40 value in thread. It will create 40 projects against one user session. whereas I want 40 users creating 40 project simultaneously.
Here is the CURL command with one user session
curl -X POST -H "X-Parse-Application-Id: " -H "X-Parse-REST-API-Key:" -H "Content-Type: application/json" -H "X-Parse-Session-Token: l8beiq2zv6kf420nbno8k7or1" -d '{"projectType":"feedback","users":null,"ownerOnlyInvite":false,"topicName":"SERVICE UPDATE TOPIC","name":"SERVICE UPDATE","deadline":"2014/03/08","s3ProjectImageKey":"065D417C-EEAA-4E74-BB43-5BDCED126A58"}'
Question:
Should I use curl command in Jmeter for load testing or there is
another alternative for testing REST Jason WEb services. If I enter 40
user session tokens in HTTP Header while configuring HTTP request in
JMETER. Will it hit as 40 concurrent users creating 40 projects on
parse.com?
This can be achieved by following the steps mentioned below:
Using CSV, put all the session tokens you want to use in the CSV file. jmeter will use
1 token for every user.
Refer: http://ivetetecedor.com/how-to-use-a-csv-file-with-jmeter/
hope this will help.
Haven't seen a lot of posts on here related to opends but its worth a shot I guess.
I am trying to configure my server to use the SMTP Account Status Notification Handler to email users on account specifics (e.g. account disabled, password expiring soon, etc). I followed the directions in their documentation to the letter (including obviously enabling the handler) but I get no emails sent out. I've verified that the SMTP address is correct in the General Configuration section and I can manually connect to SMTP via telnet on that machine so I know that part is working. But no email is sent (double-checked spam folders and examined the mail server logs) and I'm getting nothing in the error logs for opends, it just doesn't seem to be doing anything. I feel like I must be missing something stupid, any ideas?
thanks
To receive Account status notifications with OpenDS or OpenDJ, 2 things are needed.
First you need to configure the SMTP Account Status Notification Handler, and that's what you've done.
The second thing is that you have to attach the Notification Handler to a Password Policy, most likely to the Default Password Policy that applies by default to all users (but Root DNs).
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X -n \
set-password-policy-prop --policy-name "Default Password Policy" \
--add "account-status-notification-handler:SMTP Account Status Notification Handler"
The reason for attaching the Notification Handler to a Password Policy, is that you can have different handlers for different populations, for example employee vs customers.
This is something that is too often overlooked, and I've fell in the same trap the first time I was playing with Notification Handlers.
Kind Regards,
Ludovic Poitou
Product Manager for OpenDJ, open source Directory services in Java
http://opendj.org