Configure HashiCorp Vault with mTLS+LDAP - ldap

Is it possible to configure HashiCorp Vault to first authenticate users with mTLS, then take the user's identity from the certificate (CN attribute) and authorize the user using an LDAP group lookup? That is, the user must present a valid certificate and be part of a specific group in LDAP.
There is an auth backend for mTLS and for LDAP, but I'd like to use both. Is it possible?
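The two auth methods the question names, configured side by side, as an added example that is not part of the question and not HashiCorp's own code. It uses resources from the hashicorp/vault Terraform provider; the CA file, directory hostname, bind DN, group names and policy names are placeholders. It does not make the cert method consult LDAP, which is exactly the gap the question asks about: each method maps its own identity to policies independently.

```hcl
# Added example, not from the question. Assumes the hashicorp/vault
# Terraform provider pointed at a Vault server; every name below
# (ca.crt, ldap.example.com, group and policy names) is a placeholder.

# --- mTLS: client certs chained to the trusted CA get the "cert-holder" policy
resource "vault_auth_backend" "cert" {
  type = "cert"
}

resource "vault_cert_auth_backend_role" "clients" {
  backend              = vault_auth_backend.cert.path
  name                 = "clients"
  certificate          = file("${path.module}/ca.crt")  # CA that issued the client certs
  allowed_common_names = ["*.users.example.com"]        # globbed constraint on accepted CNs
  token_policies       = ["cert-holder"]
  token_ttl            = 3600                           # seconds
}

# --- LDAP: only members of the named directory group get the "ldap-admin" policy
resource "vault_ldap_auth_backend" "ldap" {
  path         = "ldap"
  url          = "ldaps://ldap.example.com"
  binddn       = "cn=vault,ou=Service Accounts,dc=example,dc=com"
  bindpass     = var.ldap_bind_password
  userdn       = "ou=Users,dc=example,dc=com"
  userattr     = "uid"
  groupdn      = "ou=Groups,dc=example,dc=com"
  groupattr    = "cn"
  groupfilter  = "(&(objectClass=groupOfNames)(member={{.UserDN}}))"
  insecure_tls = false  # keep certificate verification on for the directory connection
}

resource "vault_ldap_auth_backend_group" "admins" {
  backend   = vault_ldap_auth_backend.ldap.path
  groupname = "vault-admins"
  policies  = ["ldap-admin"]
}

# --- Policies referenced by the two mappings above
resource "vault_policy" "cert_holder" {
  name   = "cert-holder"
  policy = <<-EOT
    path "secret/data/shared/*" { capabilities = ["read"] }
  EOT
}

resource "vault_policy" "ldap_admin" {
  name   = "ldap-admin"
  policy = <<-EOT
    path "secret/data/admin/*" { capabilities = ["create", "read", "update", "delete", "list"] }
  EOT
}

variable "ldap_bind_password" {
  type      = string
  sensitive = true
}
```

With this in place a login against `auth/cert` yields a token carrying only `cert-holder`, and a login against `auth/ldap` yields one carrying `ldap-admin`; neither login checks the other source. Vault's identity system can attach a cert alias and an LDAP alias to one entity so that entity-level policies apply to both, but external group membership is still refreshed only when the user logs in through the LDAP method, so a cert-only login does not pick up a fresh LDAP group lookup.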

Related

Authentication and authorization with Gun.js the traditional way with Social logins? Gun.io

How can I set up authentication and authorization layers with Gun.js the traditional way, for example with social logins (Google, LinkedIn) or AWS Cognito, Auth0, or my own RBAC server?
Centralized login systems give access tokens to a server and session tokens to the user.
Unfortunately, this means you cannot do fully p2p logins if you want to support other logins, because the server that receives the access token will need to have a "backdoor" into GUN's cryptographic user accounts.
If users are okay with this backdoor...
Then, save their keypair (or generate a secret password) privately to their profile on your existing centralized user account system. Now you can automatically log them into GUN by calling gun.user().auth(keypair).

FusionAuth External JWT provider - Email domains

When creating an external JWT provider in FusionAuth, there is a need to set managed domains. When a new user is coming to my app, how can I know his domain? Is there a possibility to set that all domains are accepted? Wildcards and an empty list do not work.
FusionAuth does not support a use case where you do not know ahead of time what email domain the user may be coming from. In order to validate the token signature from the 3rd party you will need to configure a public key, certificate or HMAC secret in FusionAuth such that we can validate the token.
A typical use case would be that you have a 3rd party that has employees that want to log into your application using their own IdP. In this case, let's say the company is Acme, Co, and each employee has an email domain of #acme.com. In this case FusionAuth needs the certificate or public key used by Acme, Co in order to verify the token sent to the Identity Provider Login API.
If you have a scenario where you do not know the origin of the incoming token, then FusionAuth also will not know how to verify the token signature.
I would need some additional context of your use case to see if it would be possible in FusionAuth.

How to authenticate on one website using LDAP when the user was authenticated on another website using LDAP

User is authenticated on a website using LDAP. How do I automatically authenticate the same user on another website using LDAP? The two websites are on the same domain but separate websites; they both authenticate against the same LDAP store. Is an authentication token somehow passed from one to the next? Or the credentials or something..? Sort of new to LDAP auth...
You cannot use LDAP to achieve Single Sign On. LDAP is an 'authentication protocol' and a 'data model'.
You either need a proprietary mechanism or some standards based technology like OIDC or SAML.

LDAP based user authentication for Kubernetes

There are some methods natively supported such as basic auth, X.509 certificates and webhook tokens.
Is there some workaround/project to use LDAP for user authentication with Kubernetes? I need users to be grouped in LDAP, and then use a role binding to bind the group to a specific namespace with a role.
Yes, you can integrate with LDAP, for example:
Using dex
With Torchbox's kube-ldap-authn (hint: read this post)
Via Keycloak
Also, there's a nice intro-level blog post to get you started.
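The group-to-namespace binding the question describes, as an added example that is not part of the answer above or of any of the linked projects. It uses the hashicorp/kubernetes Terraform provider and assumes the API server already presents the user's LDAP groups as Kubernetes groups (for example dex or Keycloak in front of the directory, wired in through the apiserver's OIDC flags). Namespace, group and role names are placeholders.

```hcl
# Added example, not from the answer above. Assumes the hashicorp/kubernetes
# Terraform provider and an API server that already maps LDAP group names onto
# the authenticated user's groups (e.g. dex or Keycloak via OIDC).
# Namespace, group and role names are placeholders.

resource "kubernetes_namespace" "team_a" {
  metadata {
    name = "team-a"
  }
}

# Namespace-scoped, read-only role: nothing here grants cluster-wide access
resource "kubernetes_role" "team_a_developer" {
  metadata {
    name      = "developer"
    namespace = kubernetes_namespace.team_a.metadata[0].name
  }
  rule {
    api_groups = ["", "apps"]
    resources  = ["pods", "pods/log", "deployments"]
    verbs      = ["get", "list", "watch"]
  }
}

# Bind the directory group (not individual users) to that role, in that namespace only
resource "kubernetes_role_binding" "team_a_developers" {
  metadata {
    name      = "ldap-team-a-developers"
    namespace = kubernetes_namespace.team_a.metadata[0].name
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.team_a_developer.metadata[0].name
  }
  subject {
    kind      = "Group"
    name      = "oidc:team-a-developers"  # LDAP group as the apiserver presents it
    api_group = "rbac.authorization.k8s.io"
  }
}
```

The subject name must match the group string the authenticator emits, not the raw LDAP DN: with OIDC that is the value of the claim named by `--oidc-groups-claim`, prefixed by whatever `--oidc-groups-prefix` is set to (`oidc:` in this example), so check the token's groups claim before wondering why a binding does not take effect.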

Programmatically authentication in LifeRay

I'm using LifeRay and need some kind of special authentication: my users have x.509 certificates which are validated by an Apache Webserver. After a successful validation, the user is redirected to Tomcat and in there LifeRay.
Now I want to do the following: get the subject DN of the user's certificate programmatically and log in the LifeRay user that is connected to this DN.
So far, I have the following:
Created a hook "login.events.pre" where I get the DN from the certificate
Search the LifeRay DB for a user with this DN (using UserLocalServiceUtil.getUserByOpenId())
Authenticate user using UserLocalServiceUtil.authenticateByScreenName()
My question now: is that the "best"/cleanest way to do this, or should I use other methods for querying the LifeRay DB, authenticating the user, etc.? For instance, instead of a hook I could create an Ext extension for LifeRay. Additionally, I found some stuff like "com.liferay.portlet.login.util.LoginUtil.login" or User user = PortalUtil.getUser(request); to get a user.
Is there a place in the documentation where those questions are answered? The API is not that comprehensive...