I want to provide an authentication mechanism on Windows for a user on a cloud.
The credential provider mostly satisfies this requirement with the premise that the user is a local user, Microsoft account or a domain user of this PC.
But I also would like to get escalated privilege as the user, even the user is only on a cloud, not a domain user or Microsoft account.
As far as I know, Microsoft provide a mechanism, SSP(Security Support Provider), kerberos and NTLM implements it.
There are few documents describing about SSP, such as The Windows Negotiation Extension and Writing NegoEx SSPs
Futhermore, Spgetextendedinformationfn in my current implementation is called though.
But I cannot find any further information about what the data I should response to the LSA.
Is there any sample code about SSP, or I should try another way to achieve my goal?
Related
since anypoint platform url anypoint.mulesoft.com is publicly accessible anyone can access the resources. Is there anyway i can restrict access to my org users apart from creating access roles.
Can i create org specific url with org secific access so that others cant access?
Can put some network related restrictions?
I think you confusing two different things:
Accessing a public URL (ie https://anypoint.mulesoft.com)
Authorization inside your organization's account
You can not restrict access to a site that you don't own, it is publicly accessible and needs to be accessed by other users. It doesn't even make sense really. Would you attempt to restrict access by others to google.com or twitter.com (or their API URLs)? It is not the right approach and it is just not possible.
What makes sense however is to manage permissions inside your organization in Anypoint Platform. It means when an user belonging to your organization logs in you can manage what of the available roles are permissions that user will have. You can do that in the Access Management page. You can also create custom roles with specific permissions and teams to better organize your users.
As mentioned you are not able to change MuleSoft's main URL (ie https://anypoint.mulesoft.com), one option being to control from Access Management page, both mentioned by #aled
There are two main ways you can get what you need:
If your organization already has some MFA tool that requires you to be in your corporate VPN, you could use that MFA as the MFA for the Anypoint Platform e.g. Users will need Username/Password, connect to the VPN to be able to get access to the MFA generator/auth and then use that code to finish logging into the platform. As Admin in Anypoint Platform you can enforce EVERYONE to have MFA set up (keep in mind ClientApps authorization for your automation users)
If your company already has an Identity Provider you can configure identity management in Anypoint Platform to set up users for single sign-on (SSO). The fragments below extracted from the official docs external-identity:
After configuring identity management, you must add new SSO users using your external identity management solution and internal provisioning process. If you use the Invite User feature to add users to your organization after you have configured an identity provider, the credentials for these users are stored locally in your organization rather than with the identity provider.
Users that log in with SSO are new users to the system. If the new user has the same username as a user that already exists in your Anypoint Platform organization, the new user co-exists with the original user with the same username. Users with the same username are managed independently from one another.
I am very new to the concepts of SSO and Keycloak. I am trying to read the official documentation of Keycloak. In the "Supported Protocols" part (https://www.keycloak.org/docs/latest/securing_apps/index.html), the documentation talks about the two use cases of using OIDC like this:
"The first is an application that asks the Keycloak server to authenticate a user for them. After a successful login, the application will receive an identity token and an access token. The identity token contains information about the user such as username, email, and other profile information. The access token is digitally signed by the realm and contains access information (like user role mappings) that the application can use to determine what resources the user is allowed to access on the application.
The second type of use cases is that of a client that wants to gain access to remote services. In this case, the client asks Keycloak to obtain an access token it can use to invoke on other remote services on behalf of the user. Keycloak authenticates the user then asks the user for consent to grant access to the client requesting it. The client then receives the access token. This access token is digitally signed by the realm. The client can make REST invocations on remote services using this access token. The REST service extracts the access token, verifies the signature of the token, then decides based on access information within the token whether or not to process the request."
What I do not understand is this: In the first paragraph it talks about an application making a request and in the second one it talks about a client. But aren't applications counted as clients? Why the specific differentiation? And can anyone given an example of the remote services that is talked about in the second part?
Thank you.
But aren't applications counted as clients? Why the specific differentiation? And can anyone given an example of the remote services that is talked about in the second part?
Yes exactly it. The reason for the differentiation is because there could be many applications more than just this one client. And the client, that the user is authed against may want to access all those other applications' data.
For example take the google ecosystem. Does google email have access to drive, and photos, etc... While it could out the box, it doesn't. You need to explicitly allow email "offline access" to those other applications, even though they are all part of the same platform.
Keycloak understands this and provides that terminology. But it is a bit confusing because this isn't the best way to think about it. Instead a better explanation is that there is just the user and service clients. The service clients all talk to each other and ask for a user's data. While a user may want their data by going straight to one application, other applications may want that user's data too.
Assuming you want to actually allow one service to ask for user data from another service, you want to be using something that supports authorization as a service and not just authentication. There are some examples of this, such as PolicyServer and Authress.
So i'm tasked with implementing SSO for our Windows application. Currently, after a user logs into the machine, he or she has to re-log in to our app when he or she loads the application. The application validates the user by querying a LDAP server.
What we're looking to have is for the user to automatically be logged into the app when they click on it. My understanding is that the LDAP authentication must still happen, but Im not exactly sure what the workflow would be, and how exactly we can validate a user without requiring them to re-enter a username / password. Note that this is not a web application so I can't use tools like SAML or OAuth (unless i'm mistaken about this too..?)
So my specific question is as follows:
Is it possible to use LDAP for SSO, and if so, how? Is it possible for me to authenticate a user with just his or her username, or is a password also required?
Any guidance would be appreciated, and am happy to provide further clarification if needed.
First of all, LDAP is a protocol, which you use to communicate with databases that implement this protocol.
So LDAP databases (commonly called directories) are ... databases and so do not provide SSO functionality.
To deploy a SSO solution, you need a SSO service. All your applications will have to be "compliant" with this service in a way or another.
The only way I can think of to make a "Windows SSO" without adding a third party application is that the applications can retrieve NTLM informations in requests made by the client and uses the user data to identify him. (but in term of security, I let you judge what you think about it ;) ) . See this php example
Some LDAP implementations, including OpenLDAP, provide some level of support the Generic Security Service Application Program Interface (GSSAPI) or SPNEGO (a specific GSSAPI implementation)
Although not trivial, it is possible to perform SSO from a "browser" that supports GSSAPI. AFIK, IE, Firefox, Safari and Chrome all provide some level of support for GSSAPI although each browser requires specific configuration (typically whitelisting of Servers).
There are many SSO Products that implement these features in a "probably" more secure and easier process than doing it yourself.
There are many known vulnerabilities details that have been exploited with GSAPPI/SPNEGO typically due to implementation issues.
I am new to windows azure development.
I am developing an application for hosting online tests.
This application needs to have multiple authentication options like Windows live ID, Facebook etc.
It also needs to have default form based authentication fed by the database in back end (simple User name and Password match).
Based on the authentication mechanism different permissions will be available to the user.
Can anyone please suggest how i should proceed on this?
Thanks
Do you really need forms authentication, or do you just need an application specific store where people can use a credential specific to your app?
I'd suggest researching Windows Azure Active Directory and Windows Azure Access Control Services together. You may create either an AD tenant for your application store and use it as an Identity Provider for ACS or you could host your own Secure Token Service and Identity Provider which uses your backend database as the user store also registered with ACS. This means that all of your authentication goes through the same process and allows for you to have your own user store, plus the social Identity Provider capability.
The key here is that you want try to avoid having forms authentication AND Social, but rather a mechanism where multiple Identity Providers can be used, including one of your own.
As Gaurav stated there are a ton of resources out there for this:
Understand the difference between WAAD and ACS.
Provisioning an Azure AD Tenant as a Identity Provider in ACS
Windows Azure Identity
There are also many blogs and MSDN documents talking about how to set these up.
If you start with the default "ASP.net MVC4 Web Application" template in Visual Studio you get a web application mini-sample with an AccountController that supports local and 'social' accounts out of the box. See documentation here. It is based on DotNetOpenAuth (a fantastic lib with terrible documentation) and a Microsoft implementation of an special MembershipProvider which lives in WebMatrix.WebData.
Regarding the Azure Access Control Service 2.0: I have no idea what the status of this service is but it looks to me as if MS itself tries to discourage developers form using this service since it was to deeply hidden somewhere under Windows Azure Active Directory in the documentation.
I am creating a website and my company feels accessing active directory from internet can be a security threat. I would like the users to be able to log in using Active Directory Credential. Is there a secure way to do that?
I think that Active Directory Federation Services might be what you're looking for. Specifically the "Web Single Sign On" functionality.
Since you've tagged with question with "insecure-connection" I feel I must add that you should not, under any circumstances let user account data flow in to or out from your company's firewall un-encrypted.
Active Directory Federation Services (ADFS) is based on the emerging, industry-supported Web Services Architecture, which is defined in WS-* specifications. ADFS helps you use single sign-on (SS0) to authenticate users to multiple, related Web applications over the life of a single online session. ADFS accomplishes this by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
http://technet.microsoft.com/en-us/library/cc736690%28v=WS.10%29.aspx