Camunda and Okta integration for SSO - integration

I am building a workflow engine using camunda. I have made progress on it. But I want to make its admin panel such that it take authentication from OKTA where my other apps are present. I don't want to have separate username and passwords specific to camunda. I have no idea how to do that. Please give some ideas to achieve it.
Thanks

I do not know OKTA, but the general way of telling camunda do use a different Identity Management than the database default is to exchange the IdentityProvider. Its documented here for LDAP and should work similar for OKTA (though you'd have to write your own OKTA Provider for it).
A more reusable approach would be to use spring security with camunda and integrate OKTA with spring security ...

Related

Authentication for nestJs on cloudfunction

We are creating an integration between https://retreaver.com/integrations and a nestjs server running on a cloud function.
What methodology is best suited for nestjs integrations authentication?
What methodology is best suited for nestjs on cloud functions authentication?
I am assuming to just use a token authentication or something simple. but I am not sure at all! ( I have no idea where to look for this authentication piece, I looked at multiple youtube videos but I have not come across anything good )
I am following the following tutorial for learning nestJs:: https://www.youtube.com/watch?v=Mgr5_r70OJQ
I looked around for similar questions but I didn't see anything close to what I was looking for. the only related question is the one below but there is no answer at the moment::
NestJS authentication: how to globally pass UserId to CRUD endpoints?
example of nestjs on cloud function :: https://www.youtube.com/watch?v=ZmfDlUAokYc
Any advise or guidance is greatly appreciated!
There are several ways an app can authenticate its users and restrict access to only authorized users.To learn more about the various methods to authenticate users, see the Authentication concepts section.
In order to integrate a NestJS app to serverless cloud functions, you may create a wrapper Express function and pass it to functions-framework, check the thread for details on the same.There is also a good example describing the setup for the nest.js and cloud functions.
I would also recommend to check the below for more information:
Developing a secure api with nestjs adding authorization
How to create a nestjs app with authentication

Azure APIM Data Level Authentication - How do people accomplish this?

Scenario: Externally exposed API, connects to multiple backed Dbs. Multiple customers can use the API, they obviously should only have access to their data. In the past this is done by separate accounts for each customer/user, and consequently each account would need setting up in each of the backend systems with the correct authorities.
Problem: I want to use Azure APIM. I don't want the extra maintenance for each user in both the Azure APIM and the backend Dbs. I was wondering if anyone has any thoughts or cases where they accomplished this in a different way. Also the API may be built with access via one account with all access to tables.
I'm sure there are different ways to approach this but a common way I believe to do this would be using Application Roles.
I don't believe this is really dependent on Azure APIM as such, but you can leverage OAuth 2.0 support to pre-authorize requests and in your backend, depending on the claims present in the token passed, you can allow/deny access to the data.
You backend would usually authenticate to the different DBs as itself with full access to all data and your backend would be tasked with making sure only people with the right claims can access the data.
In order to use an API the user/customer has to register with the Developer Portal and get a Subscription to a given API and the associated key. So you have to authenticate them. When you publish APIs through Azure API Management, it's easy and common to secure access to those APIs by using subscription keys. Client applications that need to consume the published APIs must include a valid subscription key in HTTP requests when they make calls to those APIs. https://learn.microsoft.com/en-us/azure/api-management/api-management-subscriptions
The Developer Portal supports different authentication mechanisms including Azure AD. So if you plan to use Azure AD for your authentication for both portals you will need to configure it accordingly. https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-aad

ASP.NET Core MVC Authentication with existing database

I'm about to implement a web application (back office for an existing app.) using the ASP.NET Core framework. At the moment I'm thinking about on how will I authenticate the user. The main database is using MySQL (not supported on this framework), so I will access the database troughout an existing PHP SOAP API.
Is there any way to implement a token based (OAuth) authentication knowing that the data access will be done trough a SOAP API ?
You can take a look IdentityServer3 in combination with the default OpenID middleware. You can completely separate the authentication logic from your application. Your application will trust the tokens generated by the identity server. The same as signin in with facebook/google/linkedin accounts etc.. using your own secure ticket provider. Identity Server supports customization so you can use the datastore of your choice. It is also possible to use your identity server for a various set of applications as long as they are "known" by your identity server. Definitely worth the investigation if you ask me.
https://github.com/IdentityServer/IdentityServer3

Can I share session data between app using CAS?

I am newbie with CAS Server, I found it is a single sign on server between different application in terms of technology like php, .net & java. I explore it but even though there are some questions yet not clear. Before ask my doubt, I tell what am I trying to achieve?
I am using a gwt based application, Now for some of the features, development is in a php technology. It should get some session data from existing java application. another approach to customize CAS like integrate a web service layer for authorization, instead of using its existing like query to db.
The doubts are:
1) Can I share a session data between Java & php application using CAS?
2) is there any security issue while passing a data using CAS server?
Thanks in Advance.
Sharing session data accross application can be addressed by mechanisms not linked to CAS. Though, when authentication occurs in CAS server, user data are retrieved from various data sources and these user data can be pushed to client CAS applications through SAML validation and the appropriate configuration.

Making an integration between two system secure using web services

I have two applications one is a business process management (BPM) & the other is a document management system (DMS) , both systems exposes web services to enable integration with other systems. Both system provide a master login username and password to provide JSON API Authentication. for example to start a process ("process1") inside the BPM ; the DMS can send the following API call
/jw/web/json/workflow/process/start/process1?master_username=BPMadmin&master_password=982716171717&loginAS=currentusername
and same apply for calling DMS web services.
The limitation in this security approach is that i am unable to call any of the DMS or the BPM web services using JavaScript and consume the returned JSON using javaScript, since if i follow the javaScript approach i will be exposing the master_username & master_password to the end users and they can manually modify the LoginAs parameter to other usernames and perform actions they are not authorized to do.
so my questions are:-
Can i make the web service calls secure using JavaScript?
second question what other security approaches i can follow to make the web services calls secure using javaScript? baring in mind that i can modify the webs service security to other approaches rather than using master login username and password, but this might require more time and effort from my side?
Thanks in advance for any help
Best Regards
First of all JS is client side and does not include any special security/magic/irreversible functions, like browser aided crypto engine, high grate SPRNG for key generation and so forth. So long story short anything you do with js is not secure it can be obfuscated but it will be NOT SECURE. That is the point you already made. Another more approach is to use your server as 'proxy'. So lets say You are designing an JS aided gui and show some documents ro so, then you make an AJAX request to your app server (not BPM nor DMS) and it acts as proxy that will do the authentication against DMS and call WS and then return the result back to your JS :) So your setup would look like JS (session)-> App (ws auth)-> DMS -> App (sesion)-> JS (I assume you have authenticated user and we'll use users session as JS <-> server secure channel, if not you will have to incorporate some other js auth mechanism maybe one time pass or something but it will be easy because it is your system). And voila. Only security consideration is to not allow anyone to call your servers proxy site :)