I'd like to implement kind of SSO for openshift, what I mean: from my webapp a user can open openshift console in a new window without giving his credentials. I've configured Basic Authentication Remote and it's working, can open new window and post username/password but it's looks that openshift is protected with crsf token. Thus not sure if it's possible at all. It seems that developing custom identity provider is not supported either. Any idea ?
PS I'm aware of Request Header Identity Provider but that solution requires my webapp to provide idp functionality (not even sure if it's feasible), also apache (we use nginx), a lot of issues for dev to install it all on a single computer due to port conflicts, valid ssl etc etc
Best option will be to use oauth proxy. See if this helps in your case.
https://github.com/openshift/oauth-proxy
Finally I've implemented SSO using js postMessage to send user/token data and Basic Authentication Remote.
Related
I have a Spring Boot Application I am working on that uses CAS authentication. I have CAS working fine however once I start more than 1 copy of the application behind a load balancer the app fails to authenticate.
The app takes the user off to CAS and returns to the home page where once authenticated the user should see the main interface. But instead when it returns from CAS the spring security authenticated check still thinks the user isn't authenticated.
If I reduce my instances down to 1 it starts working fine again.
I am running this app behind an F5 load balancer so I am trying to figure out if there is some missing configuration on the F5 or if there is something I need to do in my app to deal with the switch from one server to another etc. I assume this is causing the issue but I want to keep my app stateless and not rely on making the F5 sticky for a given user. Actually I even tried setting the feature on the F5 but still get the same behavior so not sure what is really happening once more than 1 app instance is running.
My understanding was that this should just work because I have server.use-forward-headers=true configured.
Am I missing some other CAS, Spring Boot Server, or Spring Boot Security settings that are necessary to make this work?
Should this be working with CAS authentication.
I am using Spring Book 2.0.4.RELEASE
I am using spring-security-cas-client 3.0.8.RELEASE
I found the solution to this issue. It seems the Spring Boot Security defaults to a session based security so you need to implement your own Stateless Security to get this working in a stateless manner.
Thanks to this blog post and some additional help from the blog post author I was able to get this working perfectly in Spring Boot 2.x
Checkout the post, it's interesting and works perfectly.
https://www.dedicatedcode.com/posts/stateless-authentication/
Thanks to others who provide answers that sent me in the correct direction to find this solution.
I believe the problem is with multiple cas server cluster. When your spring boot application is looking for a valid ticket it fails to authenticate.
CAS has a support for these kind of situation try reading the link below
https://apereo.github.io/cas/5.2.x/installation/Hazelcast-Ticket-Registry.html
If the above solution works you have to add a dependency for the support and update your property files
Hope this helps
If you are using OAuth / SAML / Delegated Authentication, then you might need to set your F5 load balancer (or any load balancer) to enable "session persistence" in order for CAS server to function normally.
I'm new to Federation Services and I'm trying to understand how ADFS works as a whole and I've started to get down into the details. I followed along with creating an app using OIDC to authenticate a user, however, within the tutorial, they specified using a "Server Application" when setting up an Application Group. This ended up not working for me so I tried setting up a "Native Application" application group for kicks and was able to successfully login.
The thing that threw me off is, I ended up hosting ADFS on a server outside of the domain in which I had my application running, so I'm confused as to how that is "native" in terms of ADFS.
I went looking for this answer within microsoft's documentation but I didn't find the information very clear.
Native Application:
"Sometimes called a public client, this is intended to be a client app that runs on a pc or device and with which the user interacts."
Server Application:
"A web application that runs on a server and is generally accessible to users via a browser. Because it is capable of maintaining its own client 'secret' or credential, it is sometimes called a confidential client."
This may seem simple to some, but I'm trying to really get a grip on what would be used when. To me it sounds like a native application is used when you're running the application natively on a pc in which the user is also using the same pc, and the server application is run remotely in which the user would not be using the same machine. Is it really that simple or am I misunderstanding?
A native application (in Microsoft speak) is something that is not browser based e.g. mobile. The code runs client side. It may use JavaScript in which case the secret key is publicly accessible. (The secret key is one of the OAuth parameters). You use ADAL / MSAL to access it.
A server application runs server side e.g a web API. The secret key is not publicly accessible. You use OWIN to access it.
These terms have no relevance to where ADFS is actually installed. Native applications typically are not domain joined.
Our setup is like this: we use a coldfusion 10 server, and files are on a local intranet. Users use a domain login to access any files over https. I'm interested in using html5 websockets, but the first attempt gave me an error because no credentials were supplied. Is there a way around this? If not, is there a recommended technology for this scenario?
The user does log in on the client side. If it's possible, what I'd really like to do here is pass those credentials when making the connection to the server.
you should be able to supply the authentication header to your web socket server before the elevation to web socket read that and send it back in the headers for the elevation (first frame) then when the browser connects it should have the authentication it needs.
if your using a custom authentication E.G in page not authentication header you can also do this by passing any custom header to your server.
Or mandate that the first thing your web client sends is the authentication details this could be something like {username_hash}.{password_hash} if they don't close the socket to them.
Do not do this.
You're now responsible for sending and encrypting the authentication credentials yourself, bypassing something that already works and is tested.
Anyone can snoop on an unencrypted websocket port. Use HTTPs for an intranet, use stable solutions, don't reinvent this wheel because it tickles your fancy.
In a couple of years some colleague will have to maintain this and will have to figure out how your homebrew version works versus something that's solid like plain browser authentication.
My advice: Leave this to the browser and to well-tested coldfusion libraries.
Original jamesiarmes/php-ews offers authentication only by username / password. Fork by Garethp has some OAuth function but it requires Office365 and registering application in Azure. Is there any possibility to connect to Outlook by web browser just relying on user logged to Windows System? I know how to read which user is logged using kerberos, but don't know if it's right tool to make it.
There's no way with either of those tools. I looked in to trying to use Network Authentication as method of Auth, since my fork uses NTLM any way, but I couldn't find any resources on passing the NTLM Authentication over SOAP calls. That being said, if you can find some examples, I'd be happy to build it in as a method of authentication for you
In the EWS service object, you can select the flag to use default credentials, meaning whatever user context the code is running under. Would that help?
I'm trying to set up a JRuby application to use SAML 2.0 Authentication against a simpleSAMLphp IdP. The intention is to eventually authenticate against Microsoft ADFS, but that solution is still being built.
I've tried a couple of different SAML solutions so far (ruby-saml, samlr), and they all seem to fail under JRuby (but work fine under MRI). I'm specifically using JRuby to utilise the JMS API and JDBC Connectors, so I can't really go back to MRI.
Does anyone know of a SAML implementation that works properly under JRuby? I'm quite happy to go down the path of using native Java classes if that's required, but it'd really help to have a starting point that I can build upon.
Thanks in advance!
Is this application customer facing? If so, check out PingOne Application Provider Services. It's a hosted SAML SP from Ping Identity. You connect via a REST APS from your application and the service handles aol the complex SAML. Very simple to setup. The first connection is free as a bonus. [Note: I work for Ping]
HTH -Ian