GitHub SSO - Enterprise Mandate - authentication

As a company, is it possible to mandate SSO for everyone who works for me? i.e. anyone who registers with a #companyname.com email has to go through my Google SSO, regardless of whether they're logging into and pushing code to a repo not maintained by my organization?

If your users are Enterprise Managed Users, you now (Sept. 2022) have the option of:
Automatic Single Sign On for Enterprise Managed Users – Public Beta
Enterprise administrators can now choose to redirect signed-out Enterprise Managed Users to their company's single sign-on (SSO) page. This feature is available as a public beta.
By default, enterprises with Managed Users enabled are hidden, showing a 404 error page any time an enterprise resource is visited by a user that isn't already signed in to the enterprise.
If you enable this feature for your enterprise, visitors to resources in your enterprise, org, or user namespaces will immediately be presented with an SSO redirect if not already signed in to your enterprise.
This redirect helps users sign in to the correct account, rather than giving them the impression that the link they were given no longer works.
You can find this setting in the Authentication security section of your Enterprise Settings, below the single sign-on configuration sections.
Read more about this setting at "Automatic redirection for Enterprise Managed Users".

Related

Azure AD Application Required Permissions list does not include all APIs

I have created an application to use the Office 365 Exchange Online (Microsoft.Exchange) API. I successfully set up permissions as described here: MS Integrating Applications on an existing development Azure Account. See APIs available on original account.
However, now I want to set up a similar app in a new Azure account so I can have a different visible domain for the permission sign up process. However, on this new account the Exchange Online API is not visible to select as a required permission.
This account only exists as a place to register the App so it doesn't itself have any users or need any licenses but do I have to have a license associated with that account just to be allowed to add a particular API to the required permissions? The documentation doesn't mention anything about this that I can see.
do I have to have a license associated with that account just to be allowed to add a particular API to the required permissions?
Yes, you're right. You have to have an Office 365 Exchange Online license for your tenant.
Why:
These APIs exist in the AAD as service principals (Enterprise Applications). If you don't buy an Exchange Online license, it won't appear in the Enterprise Applications in your tenant. Once you buy the license, it will be automatically added to the Enterprise applications, and then you can use its API via AAD.
This makes sense because if you don't have the license, you cannot use the product and you cannot use its API either.
The documentation doesn't mention anything about this that I can see.
Yeah, the documentation may not mention this and it should be noted in the documentation. You can sign in to the documentation website via a GitHub account and give feedback to the documentation team.
Hope this helps!

OKTA On-Prem Provisioning with SCIM Servers

I have the free developer edition. I want to provision users to my web site using SCIM. The docs say look under "dashboard/agents". I have no agents tab under dashboards.
https://support.okta.com/articles/Knowledge_Article/46749316-On-Premises-Provisioning-Deployment-Guide?id=kA0F0000000AY3C&q=scim&l=en_US&fs=Search&pn=1#code
Also, for behind a firewall, the document says to download the "On-Prem Provisioning Agent". I have not been able to find that under "settings/downloads" or anywhere else. Where do I find that?
You will need to contact Okta Support or your Okta Sales contact to enable the On-Premises Provisioning feature.

SSO from Share Point application to the IBM Lotus Domino server

I need to use the .NET token (or FedAuth cookie) to get a Domino credential from Active Directory.
The same need is described in:
Lotus Notes and c# SSO.
Internet users are logged in to a SharePoint application and have to open a form in Domino.
My Domino server is configured with Directory Assistance; the users are managed in Active Directory and not in names.nsf. This works well. I can make a POST to log in a user of the AD automatically.
But SharePoint doesn't have the user password! Ideally it would be cool to POST the cookie... or run an agent that will query the Active Directory in the back end with the cookie to verify it. Is there a way to do this?
My Domino is 8.53 so I can't use SAML (if someone did this with Domino 9.0 I will be pleased to know :-).
There is an SSO option using SPNEGO which can be set up on Windows-based Domino servers.
More information about it can be found in the Domino Administration help (the steps are very well documented) and here:
Wiki: Deploying Windows single sign-on for Web clients (SPNEGO) in an existing Domino environment
Basically, the steps to enable this are (details in the Notes admin help and the linked document):
Set an SPN on your Windows server (to allow this server to pass Kerberos tickets to the AD)
Enable SSO on the Internet Site / Server doc
In the SSO Configuration: add all servers that will need SSO and enable Windows-based SSO
Add a name mapping to your Person docs (Kerberos Principal Name field) and set the notes.ini entry WIDE_SEARCH_FOR_KERBEROS_NAMES=1 on your Domino server to include this field in the name lookup
Configure the browser: IE: trusted sites (add your host names), Firefox: add the Domino host to network.negotiate-auth.trusted-uris
Hope that helps - Michael
You could generate your own Domino LTPA token (cookie) from SharePoint upon login. So long as the domains are set up OK, the browser should pass this to the Domino server and automatically log them in.
Feel free to contact me directly if you need specific help.
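The LTPA approach from the answer above, as an added Python example (not code from the original posts, and not SharePoint code): it builds and verifies a Domino-format LtpaToken with a constructed secret. It assumes the classic Domino LTPA v1 layout: a fixed 4-byte header 00 01 02 03, creation and expiry times as 8 uppercase hex digits of epoch seconds, the user's canonical Notes name, then a SHA-1 digest over all of that plus the decoded shared secret; in a real deployment the secret is the base64 LTPA secret from the Domino Web SSO Configuration document, which the issuing application must hold. The verify function shows what the receiving side checks (digest, expiry, structure) so an issuer can confirm its cookies before Domino ever sees them.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo secret: stands in for the base64 "LTPA secret" shared between
# the Domino Web SSO Configuration document and the application issuing tokens.
SAMPLE_SECRET_B64 = base64.b64encode(b"constructed-demo-secret-not-real").decode()

HEADER = b"\x00\x01\x02\x03"  # fixed header of a Domino LTPA v1 token
DIGEST_LEN = 20               # trailing SHA-1 digest length in bytes


def create_ltpa_token(username, secret_b64, created=None, lifetime=1800):
    """Build an LtpaToken cookie value for a canonical Notes name such as
    'CN=Jane Doe/O=Acme'. Times are epoch seconds as 8 uppercase hex chars.
    Names are encoded as ASCII here; Domino uses LMBCS, identical for ASCII."""
    created = int(time.time()) if created is None else created
    body = (HEADER + f"{created:08X}".encode()
            + f"{created + lifetime:08X}".encode() + username.encode("ascii"))
    digest = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    return base64.b64encode(body + digest).decode()


def verify_ltpa_token(token, secret_b64, now=None):
    """Return the username if the token is well-formed, unexpired and its
    digest matches the shared secret; otherwise return None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:           # binascii.Error is a ValueError subclass
        return None
    if len(raw) < len(HEADER) + 16 + DIGEST_LEN or raw[:4] != HEADER:
        return None
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    expected = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    if not hmac.compare_digest(digest, expected):  # constant-time comparison
        return None
    try:
        expires = int(body[12:20], 16)
        username = body[20:].decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    now = int(time.time()) if now is None else now
    if now >= expires:           # token lifetime has elapsed
        return None
    return username
```

The cookie must be set for the DNS domain configured in the Domino SSO configuration, with the name LtpaToken, for the browser to forward it to Domino.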

Is there a standard for using credentials from one web app to automatically log in to a partner app?

I am developing a web app that will be working with other companies' web apps. Part of the desired user experience is that users on our web application will be able to log into our app, and be able to visit our partners' web applications. Accounts will be automatically created for the users on our partners' sites. We'd like them to be able to enter the partner sites already authenticated, without having to log in or authorize anything (like with OpenID or OAuth), similar to the relationship between a bank and a credit card rewards program. Is there an existing standard that covers this?
Single Sign-On is often used for such functionality.
There are a lot of implementations.
I used Jasig CAS in production.

Managing users in a private TRAC

Are there plugins for Trac that enable cookie-based authentication instead of HTTP authentication, and allow keeping the site private for unknown users?
We want to allow customers outside the office to log in, add and look at the tickets on their projects, but not the projects for our other clients. Non-techie users are always confused by an HTTP login box rather than a form that asks for a username and password.
Taken from its home page:
The Account Manager plugin offers several features for managing user accounts:
allow users to register new accounts
login via an HTML form instead of using HTTP authentication
allow existing users to change their passwords or delete their accounts
I second antispam on the Account Manager plugin. Also, if your Trac needs to be web-facing, you may be interested in the auth required plugin. Just be aware that it hasn't been upgraded for 0.11 and I suspect that there are some minor compatibility problems. It does do the job, though.