I need to put reverse proxy (web server) in front of another web application. That proxy should provide Basic LDAP authentication.
If LDAP authentication is successful:
Proxy should take username;
Find its match in dictionary (I would provide it separately in required format);
Use value from dictionary for Basic Authorization http header.
Forward request to web application.
Problem I want to solve - web application only supports RBAC with local users, so I want map local users with AD users and achieve RBAC with AD authentication.
Is it achievable with apache or nginx and how? Or should I look for another way?
Related
We are currently analyzing the API gateway for our microservices and Kong is one of the possible candidate. We discovered that Kong support several plugins for authentication but the all based on users stored in Kong database itself. We need to delegate this responsibility to our custom auth HTTP service and don't want to add these users in API gateway database.
It's possible to do this with some code around, instead of using the OpenID connect plugin; in effect you need to implement an Authorization Server which talks to Kong via the Admin (8001) port and authorizes the use of an API with externally given User Ids.
In short, it goes as follows (here for the Authorization Code grant):
Instead of asking Kong directly for tokens, hit the Authorization Server with a request to get a token for a specific API (either hard coded or parameterized, depending on what you need), and include the client ID of the application which needs access in the call (you implement the /authorize end point in fact)
The Authorization Server now needs to authenticate with whatever IdP you need, so that you have the authenticated user inside your Authorization Server
Now get the provision code for your API via the Kong Admin API, and hit the /oauth2/authorize end point of your Kong Gateway (port 8443), including the provision key; note that you may need to look up the client secret for the application client id also via the Admin API to make this work
Include client id, client secret, authenticated user id (from your custom IdP) and optinally scope in the POST to /oauth2/authorize; these values will be added to backend calls to your API using the access token the application can now claim using the authorization code
Kong will give you an Authorization Code back, which you pass back to the application via an 302 redirect (you will need to read the OAuth2 spec for this)
The application uses its client and secret, with the authorization code, to get the access token (and refresh token) from Kong's port 8443, URL /oauth2/token.
It sounds more involved than it is in the end. I did this for wicked.haufe.io, which is based on Kong and node.js, and adds an open source developer portal to Kong. There's a lot of code in the following two projects which show what can be done to integrate with any IdP:
https://github.com/apim-haufe-io/wicked.portal-kong-adapter
https://github.com/Haufe-Lexware/wicked.auth-passport
https://github.com/Haufe-Lexware/wicked.auth-saml
We're currently investigating to see whether we can also add a default authorization server to wicked, but right now you'd have to roll/fork your own.
Maybe this helps, Martin
Check out Kong's OpenID Connect plugin getkong.org/plugins/openid-connect-rp - it connects to external identity and auth systems.
I have JIRA, Confluence and Bitbucket deployed on my server behind Apache reverse proxy. Each of them is connected with others using Application links. Now, I want to add additional layer of protection by implementing HTTP Basic Authentication in front of this. When I do this, I lose connection between apps. How to configure Apache properly in order to have HTTP Basic Authentication in front of whole stack AND connection between apps?
Where did you configure basic authentication?
Normally Atlassian applications handle authentication themselves, so you should not have to configure anything in apache.
Application links use OAuth to handle authentication between applications and there are 2 flavors:
if both applications have the same set of users, you can use plain OAuth
if both applications have a different set of users, you can use OAuth with impersonation
More info is available in the Application Links documentation here.
I am working on implementing WebSeal single sign-on so that the user does not have to enter credentials for a particular web application if the user is already logged in via Windows authentication. Can anyone please point me in the right direction. I am new to Web Seal
WebSEAL has something called junctions. You can create webseal junctions and configure it to application webservers. Suppose if your SSO solution involves 3 applications, three webseal junctions has to be created. Webseal will act as reverse proxy in this case. So when a user trying to access anyone of the application, He will be challenged with a login screen from webseal. User will be authenticated against LDAP(u need to map your ldap in webseal) and his session will be maintained at webseal.Once authenticated user information will be sent to application servers via junction in HTTP headers. Now when user access other two application, he will not be challenged with authentication. His information will be sent to application servers directly via headers as webseal maintains his session.
For more info:
https://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1359-00/en_US/HTML/am51_webseal_guide16.htm
WebSEAL supports Windows single sign on using SPNEGO protocol & Kerberos Authentication. Read this link for configuration steps:-
https://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1359-00/en_US/HTML/am51_webseal_guide78.htm#sso-windows-desktop
I'm trying to add Basic Authentication for my web-service based on Axis2.
Tomcat successfully pass auth data to web-service code but weblogic uses this information for its purposes (tries to authenticate the request).
Is it possible to configure weblogic to allow passing auth data depends on URL for example?
I have several web services that I want to make available to clients. My clients are split into two groups:
users using a web browser (I serve a web page that uses javascript + AJAX to request data from the web services)
applications (e.g. server app pulling data into a client's system)
1) I can solve the former by exposing my web services to external users using the application server and I can use the identity server to authenticate access (haven't worked how to do this out yet).
2) The latter is nicely satisfied by using the API manager. I can happily tell clients to log in to the API manager and subscribe to APIs. The APIs I create are proxies for the web services mentioned in 1).
I know that an API I create in the API manager can include a username and password for accessing the proxied web service. Is it possible to let an API proxy a web service that is authenticated using the identity manager? Sorry I'm reading documentation and struggling to understand if I can do this. Thanks
". Is it possible to let an API proxy a web service that is
authenticated using the identity manager? "
Currently APIManager supports the service endpoints which are secured using basicauth/usernametoken.
If you use identityserver to secure you service, using any other mechanism, that wont be supported by APIManager.
Stodge,
Default API manager authentication mechanism is Oauth. it uses Oauth token mechanism to authenticate all APIs.
Please refer [1],
Here the authentication component also sits in the AM. This can be delegated to a different AM instance if required.
Hope this helps.
[1] http://docs.wso2.org/wiki/display/AM140/Token+APIs