I'm new to Federation Services and I'm trying to understand how ADFS works as a whole and I've started to get down into the details. I followed along with creating an app using OIDC to authenticate a user, however, within the tutorial, they specified using a "Server Application" when setting up an Application Group. This ended up not working for me so I tried setting up a "Native Application" application group for kicks and was able to successfully login.
The thing that threw me off is, I ended up hosting ADFS on a server outside of the domain in which I had my application running, so I'm confused as to how that is "native" in terms of ADFS.
I went looking for this answer within microsoft's documentation but I didn't find the information very clear.
Native Application:
"Sometimes called a public client, this is intended to be a client app that runs on a pc or device and with which the user interacts."
Server Application:
"A web application that runs on a server and is generally accessible to users via a browser. Because it is capable of maintaining its own client 'secret' or credential, it is sometimes called a confidential client."
This may seem simple to some, but I'm trying to really get a grip on what would be used when. To me it sounds like a native application is used when you're running the application natively on a pc in which the user is also using the same pc, and the server application is run remotely in which the user would not be using the same machine. Is it really that simple or am I misunderstanding?
A native application (in Microsoft speak) is something that is not browser based e.g. mobile. The code runs client side. It may use JavaScript in which case the secret key is publicly accessible. (The secret key is one of the OAuth parameters). You use ADAL / MSAL to access it.
A server application runs server side e.g a web API. The secret key is not publicly accessible. You use OWIN to access it.
These terms have no relevance to where ADFS is actually installed. Native applications typically are not domain joined.
Related
I'm fairly new at building Electron apps and I've seen a lot of examples where Electron app connects directly to a remote database (MySQL in my case) so I started wondering what the problems might be with doing it that way. My first thought was to have a remote API (built on top of Express) which would communicate with the database and Electron app (React) would just utilize that API.
Any advice? Thoughts?
Thanks.
A problem with directly connecting to the database is you have to embed the database credentials in the electron app which makes them available to anyone who wants to snoop through the code. In addition, once the credentials are exposed, you lose control over what anyone can do to your database.
This is why you would usually give the user their own credentials, have the user authenticate to a web server and then have the web server be the only one who can directly talk to the remote database. You can then completely control what happens to the database since your web server is the intermediary and the only one that actually talks to the database.
This doesn't mean that there aren't some circumstances where you might want the client to talk directly to the database as it really depends upon what you're doing, what the data is and what the risk exposure is for allowing untrusted code to directly manipulate the data in the database.
Remember, you cannot protect credentials embedded in a client. They can be discovered by the client and used for other things.
I know about xamarin connection with SQLite but it is locally
I need to connect my remotely MySQL database with xamarin.forms (I know about the security issue of this without using web services layer, but i will only use it for my own work)
This plugin is for xamarin.iOS and Xamarin.Android
I cannot add it using dependency service because i cannot add this component to the shared project
So is there any example of connecting MySQL database with xamarin.forms
You can't add references to your shared library. Shared libraries act like a list of files that are directly included in the project. The advantage of shared projects is just, that you do not have to maintain these included files for each project that uses code of the contained files. See the Xamarin documentation for further explanation.
What you have to do, if you want to consume a 3rd party libray within a shared library: Add the library to each project that uses the shared library (e.g. your iOS and Android project)
2ct to the mentioned security issue
You are right about the security issue. That's why I'd advice against, using mysql directly from your app. (I'll explain it for other readers that aren't aware of this problem and stumble over this question)
You should tunnel it through HTTPS because:
Some networks just block certain ports (HTTP and HTTPS are usually not blocked)
You publish your credentials with your app either statically or dynamically, but the credentials to your database are interceptable either way. You should authenticate a user and not an app. So there should be some kind of authentication / authorization that is revokeable. There was a nice talk from Kerry Lothrop on the Xamarin Evolve 2016 on this topic. https://www.youtube.com/watch?v=uLFtQHNxGaI
I am running Report Service Manager - Web portal for accessing the Reports. For Development and Testing purpose, Report service is running from my computer.
Whenever Testing Team tries to access the web from their end, report service is asking an Initial Authentication of my computer account. ( Windows Authentication ). How to skip this authentication mode ? This is an Internal Application, i want Report service to run on any computer without asking any authentications.
If you are all on the same domain, simply add "DomainName\All Users" with the appropriate role to the portal. The testers may also need to add your site as a trusted site in their browsers. "All Users" is exactly as it sounds - any user account on that domain will have the access you grant.
Alternatively, if you need to disable security entirely (bad idea), you'll have to configure a new security extension - it's relatively simple to do, especially with all the samples you can find online (google "SSRS custom authentication" or "SSRS anonymous authentication"), but if you've never done anything like this before, you may struggle if you run into any unexpected issues.
See here for one example on how to enable anonymous access:
http://blogs.msdn.com/b/jameswu/archive/2008/07/15/anonymous-access-in-sql-rs-2008.aspx
I have IIS7.5 with two websites, and I have an Access database on a server on our network.
The first website has anonymous auth on, using a specific network account (lets say 'jim.smith').
The second website has windows auth on.
I've written some ASP to use a DSN-Less connection to the Access database, and I'm using the same code in both websites.
When logged on to a computer with the same network account as is in use with the first website anonymous setting ('jim.smith') - when viewing in a browser, the first website has access to the database, the second website does not.
The error message is: 80004005 The Microsoft Jet database engine cannot open the file '...'. It is already opened exclusively by another user, or you need permission to view its data.
It is definitely not opened by another user.
So the first website is being accessed by network user 'jim.smith' via the anonymous setting.
The second website is being accessed by network user 'jim.smith' via windows auth.
Why would access to the database work from website one, and not website two..?
Does anyone know how to make windows auth work the same as the anonymous setting so I have access to the database from website two..?
Cheers!
Steve
Edit: Everyone has full rights to the folder where the database sits.
Seems to me that you need to enable impersonation so that the incoming user is used to acces the database. Otherwise the user of the application pool is used and this usually doesn't even have right on the server itself ( Application Pool Identity)
When using 'Integrated Pipeline' on IIS on the server, and if your application does not rely on impersonating the requesting user in the 'BeginRequest' and 'AuthenticateRequest' stages (the only stages where impersonation is not possible in Integrated mode), but still requires Impersonation in other areas of the application, ignore this error (500 - Internal Server Error) by adding the following to your application’s web.config
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
</system.webServer>
See:
http://allen-conway-dotnet.blogspot.com/2010/11/how-to-use-impersonation-in-aspnet.html
I recently created a web application with GWT. Then re-used most of the code to create a Swing version of the application that accesses a local database in offline mode. I am now implementing the 'online' mode of the application and want to access the same data as my GWT application.
Any ideas? Considered connecting directly to the MySQL server via SSL, but that's not working and doesn't seem as scalable. Should I use REST?
Any suggestions would be helpful.
To solve this problem in the past, we've used Jersey to create REST Web services which returns protocol buffers. The Swing app would then interact with the protocol buffers. The GWT app would ask for content type 'json' and receive protostuff objects in return. It worked quite well. That way, both apps can communicate with the server in the exact way.
Edit:
To allow your swing app to communicate with GWT-RPC, look at this blog article.