I have an Azure File storage folder and I would like to have a simple HTTP Basic User/Pass authentication on it and be able to list the directory contents of that directory upon successful authentication.
I know that there are Shared Access Signatures but that's a different security approach.
This is so simple scenario but yet I cannot find a solution to it...
What I want to have is just a simple (bucket) folder that is going to be available over HTTP Basic Auth through the browser externally.
Does Azure File Storage support basic authentication?
At this time, Active Directory-based authentication and access control lists (ACLs) are not supported.
Azure Files supports identity-based authorization over SMB (Server Message Block) through Azure Active Directory Domain Services. Your domain-joined Windows virtual machines (VMs) can access Azure file shares using Azure AD credentials.
Related
We're trying to develop an ASP.NET Core web API which lets users authenticate through Azure AD and would like to retrieve files from NextCloud on behalf of this Azure AD user. Our infrastructure is composed of an Ubuntu server running NextCloud 12, a Windows Server running the ASP.NET Core web API and an Azure Active Directory instance with Azure AD Domain Services.
Signing in through NextCloud using LDAP (provided by AAD Domain Services) works without any issues.
We've been trying out SSO with SAML in addition to LDAP but we keep seeing this error message when signing into NextCloud:
Account not provisioned.
Your account is not provisioned, access to this service is thus not possible.
How exactly are we able to retrieve files from NextCloud by using the same Azure AD token we receive when authenticating with our ASP.NET web API?
SAML is not well versed to use with Web APIs - its protocol is heavily vested on the application being Web Apps - ideally you should use Open Id Connect with Jwt tokens.
Is it generally possible to have a Microsoft Azure in the background to act as a SSO Authentication server for Apache auth?
The example is:
There are many users inside the Microsoft Azure
I have a Webpage on a Linux server served by Apache2
The webpage should be protected (exactly like basic-auth) by Azure (via SSO)
If the user is signed in into Azure and has rights, he can see the website
If the user is not signed in, he will be redirected back to Azure's login-page and after successful login will back to the webpage.
Is this generally possible?
If so what technologies/modules do I have to use for apache in order to speak with Azure?
Thanks for any hints towards the right direction.
Update
The Azure server is already fully configured. I just need to sort out the end on Apache.
I think what you are looking for is Azure Active Directory. it is an Identity as a Service product that supports modern protocols like OAuth, OpenID Connect. There's a client SDK called ADAL (Active Directory Authentication Library), but since it's standard protocols, you can integrate with other standard based authentication libraries. For example, the node.js tutorial shows how to use passport.
You didn't mention what web stack you are using but it's most likely listed here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-developers-guide/
On a side note: if you can host your app on Azure Web App Service then it has built in integration with Azure Active Directory, so you can add a layer of authentication on top of your website without modifying your application code.
More info on that here: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
Hie Please explain which to use when, OpenDS OpenDJ OpenAM. Thanks.
OpenDJ is an open source project building LDAP and REST base Directory Services. OpenDJ is continuing in open source the development of OpenDS, a project that was started by Sun Microsystems, but abandoned by Oracle.
OpenAM is an open source Authentication, Authorization, Web Single Sign On, Federation solution that is flexible, extensible and highly scalable. For its configuration management, OpenAM embeds OpenDJ. For its user stores, it relies on LDAP directory servers, and is very well integrated with OpenDJ.
[Disclosure: I am product manager at ForgeRock, the company that supports and commercializes OpenDJ and OpenAM]
OpenAM is entirely different from that of OpenDJ or OpenDS. Let me clear all your doubts:
OpenAM is an open source access management and federation server platform, backed by ForgeRock. It was sponsored by ForgeRock until 2016.Now it is supported by Open Identity Platform Community.
What exactly OpenAM is ?
OpenAM provides a service called access management, which manages
access to resources, such as a web page, an application, or web
service, available over the network. Once it is set up, OpenAM
provides an infrastructure for managing users, roles, and access to
resources.
It centralizes access control by handling both authentication
(Confirming the identity) and authorization (Determining whether
to grant access to someone who has authenticated).
When you dive deep inside this beautiful service you will find,You can secure your resources and customize it through Open Access Policy and can implement social authentication, Multi-Factor Authentication ,Account Lockout, Single Sign-On etc. and can define Authorization policies in no time .
Moving on to OpenDJ ..
OpenDJ is a directory server which implements a wide range of
“Lightweight Directory Access Protocol” (LDAP) and also have
support for “Directory Service Markup Language” (DSML). OpenDJ is
written in Java language.
It was an internal project started by Sun Microsystems, which is now maintained by ForgeRock.
Let me help you with those big terms like LDAP and Directory :
Lightweight Directory Access Protocol (also known as LDAP) is an application protocol.
This protocol is used specifically for querying data as well as modifying said data.This is performed by using directory services –that is, a software system that stores, organises, and provides access to the information that is in a directory.
Conclusion:
OpenAM regulates who can access what resource ,when and under what condition while OpenDJ is the high-performance,Highly-available and
secure store for identities managed by the organization.
.
Given there is a requirement from a 3rd party application where LDAP integration is required for authentication, authorization and assignment of users/roles with lookup to directory services or user repository...
When the application environment is Microsoft Server 2012 with WAS to support the application and the server can only access security principals through a web service...
Is there a way to provide LDAP or AD LDS to integrate with the web service or even to sync the local repository with the system of record?
This will probably provide many routes for discussion, but let's assume the application for now can only best subscribe to a LDAP instance for this and AD is not being provided directly to the environment where the application exists AND AD isn't even the system of record - that is exposed from a web service.
This is fundamentally the definition of a meta directory or Virtual directory.
That is, rather than directly contact the directory service for usage, instead there is an abstraction layer, often caching, perhaps uniting data (on the fly per request, or in advance as changes occur).
There are any number of vendors that provide such services in products.
I am creating a website and my company feels accessing active directory from internet can be a security threat. I would like the users to be able to log in using Active Directory Credential. Is there a secure way to do that?
I think that Active Directory Federation Services might be what you're looking for. Specifically the "Web Single Sign On" functionality.
Since you've tagged with question with "insecure-connection" I feel I must add that you should not, under any circumstances let user account data flow in to or out from your company's firewall un-encrypted.
Active Directory Federation Services (ADFS) is based on the emerging, industry-supported Web Services Architecture, which is defined in WS-* specifications. ADFS helps you use single sign-on (SS0) to authenticate users to multiple, related Web applications over the life of a single online session. ADFS accomplishes this by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
http://technet.microsoft.com/en-us/library/cc736690%28v=WS.10%29.aspx