For example, I'd like to run Identity Server as an API which other resources authorise against. I'd also like to have a separate Web Application to handle Login/Registration/ForgottenPassword pages which uses said Identity Server API. I'm used to running both within the same application.
I appreciate this is a very light description for the question. I'm fairly certain I read somewhere that IdentityServer4 can be run as just a service/API.
Yes you can. You have to use the endpoints. Have a look at all of them. I think that the one that suits best your requirements is the Token endpoint. There, by specifying some params (including username and password), you can practically login and receive the tokens.
Btw - Identity Server doesn't support OOTB any forgotten password or registration support. This should be custom. And also I guess that you are not using InMemory users, so basically it is up to you how to design this, but yes - it will be separate from Identity Server.
Related
We are into data security and we have a portal which can be accessed through Azure AD. Now we want to add support for ADFS for login.
For this when we add new customer, we would ask for the details like ClientId, secret, call back URL etc and thinking to store this in our Web API table.
We use Identity server 4 for auth operations. If we want to add one or 2 ADFS servers, it would be easy as we can add the data we got from the customer and put it in a config and add those details in startup class hard coded. But if we would need to add new server, it would be extra work every time.
The Challenge we are facing is, we want to get ADFS server details from Web API database and the login page is in Identity server.
Should we call web api from startup or middle ware of identity server, which I guess is not the best option. Or we should have ADFS table at identity server side? This is challenge too as we add ADFS details from angular app which does not send anything back to identity server.
Can someone suggest best option for this situation?
Thanks in advance.
As far as I understand, you are facing the issue because you have the database tied to your Web API. Conceptually, there is nothing a Web API database. You should never tie your databases with the application or APIs. Separate out your data logic into a separate project. Make it independent. Then that can be used from both your Web API as well as from your other Startup classes.
I am going to preface this by saying I am a novice in this field. Our system has a large number of users, some of whom, log in using SAML authentication, others use the forms authentication on the home page, and some use a custom built Single Sign On solution. This happens because different clients prefer different modes of authentication.
We are looking to streamline authentication so that it is not a function of the web application, and we are therefore going by the claims model. One of the infrastructure options to build the STS is the Thinktecture Identity server.
My question is this:
- Is is possible to have multiple STS for the same web app, and if so, where does the switching happen? I.e if user1 uses SAML, how is this user's credentials sent to that specific STS?
Also, is Thinktecture the right infrastructure to be building something like this, or should I look at something else?
I am working on an application where all user authentication happens in a ColdFusion application (based on CFWheels), but interactions with the file servers happen through a Node.js application. I need to make sure that the user who is logged in on the CF application is allowed to access the files in the node server. I was thinking of setting a cookie with a CFToken or something that the node server can read and pass to ColdFusion asking "Hey can this token access this file"
My only problem with that is I wasn't sure if CFTokens are re-used eventually, and if they are what should I use instead?
If other people have other ways of doing this sort of thing where authentication needs to be reusable across multiple engines I would love to hear your strategies.
That sounds like a fine way to do it.
But, I would just use CFCOOKIE to set a cookie of your own devising.
The two servers will have to share a domain name, of course, to be able to read the same cookie. You will also have to set the cookie to be a domain cookie.
One clean way to architect this would be to create a whole CFC devoted to the security.
It would have methods for generating and validating login tokens.
Your CF application would use this to generate the token, and you could have your node.js application call this via a webservice using the
http://server.com/path/security.cfc?method=validateToken&token=whatever
An even more efficient way to do this, assuming they have access to the same datastore, would be to use the same algorithm to generate/decode (if needed) the tokens in both systems, and let the node.js app directly access the datastore.
When I needed to do this, we stored the "session" tokens in mongodb, and directly accessed the datastore from each application (CF, Java, and Rails). The CF system was responsible for the initial authentication. The other two systems did no authentication, just validated the token, and if it was not found/invalid/etc, responded in the appropriate way.
Yip, what you want to read up on is SSO (Single Sign-on).
OpenID is a popular one that works with multiple platforms including CF.
If you're feeling adventurous... With a little tought, it is fairly easy to devise your own mechanism for sharing logins - usually around sharing some token via a cookie or header or could also be via RESTfull (or any) form of webservice call too.
I have a need to implement a STS-IP server for our web applications and services. The server will need to issue SAML tokens for the following scenarios:
Business partner submits their SAML token which is converted to a SAML token with the claims required for our applications. This token is used to access our Web Applications and Services.
Our public facing applications need to have a user sign in (via forms authentication) and then access our web applications and services with a SAML token.
Our clients (without a STS trust) needs to authenticate with our STS-IP server, get a SAML token, and use that token to access our WCF services.
In all 3 scenarios, we need to have custom claims on the SAML token that our applications and services use. The thought is once we identify the user, we would look up their authorization in our back-end systems and attach claims.
In these scenarios, you can assume the back-end authentication store is a custom implementation with authentication stored in Active Directory and authorization stored in a database.
So my thought has been, we need to create a custom STS-IP server using something like Windows Identity Framework. But I have also been reading that you should not do this because it can take some time.
Can I use an off-the-shelf STS-IP server? Everything I've seen is a mapping between one system to another (SAML to SAML or AD to SAML).
Why will it "take a long time" to build a production ready STS-IP ? I built one using WIF very easily, but I guess I don't understand the risks in doing this.
In terms of "It will take a long time", the documentation showing how to do this is very poor. See here: http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/257d93be-165e-45a6-a277-fc7ed2286e7d/
Anyhow, you'll simply need to look over the code samples that Microsoft provides: Google for Identity Developer Training Kit. That should help you get started.
Why are you not considering using ADFS? If the backing store for authentication is AD, then ADFS is probably a good candidate to evaluate.
Before writing you own STS, you may want to check out this blog and closely review the features that you may need in the STS. Just because you can build one yourself, doesn't always mean you should.
extending adfs to multiple identity and attribute stores
They "why not" is relatively simple: Why take weeks to build something that will probably only handle a single use-case when you can put in off-the-shelf STS in a day that will cover all sorts of things your company may come up with? Building it yourself will also require you to become an expert in SAML (which is probably not the best us of your company's time).
Check out --
http://www.pingidentity.com/our-solutions/pingfederate.cfm
Good luck -- Ian
Agree with #eugenio - why not use ADFS?
ADFS can only authenticate against AD as discussed but it can derive authorisation attributes from AD / LDAP / SQL server
The nuts and bolts for an STS are available in VS 2010 plus the identity tool kits. A simple STS can be quickly prototyped.
There are some examples available. StarterSTS is already mentioned plus SelfSTS.
The hard part is getting the security right especially if this will be part of a production system. As per "Steve on Security" Build your own Directory Federation Service:
It may sound like I think it’ll be a
synch to develop this system and have
it work securely, but in reality there
is a lot that will need to go into it
to protect the network, the employees,
and the data this could possibly
interact with. It is tough to develop
applications securely. It is far
harder to develop secure applications
whose sole responsibility is security
related.
That's the reason that all the samples on the Internet have disclaimers in bold:
Do not use in a Production environment
Disclaimer: I'm not a Notes admin, I just wrote the application :), and I try to help our client to use it.
We provide a simple database with one agent to accept and process HTTP POST messages from Internet.
The Domino server where this database is going to be installed is configured for Single SignOn authentication for web access.
Is there a way so set only our database to use different type of authentication - i.e. Basic Authentication, so we can hit it like this to POST messages to the agent:
http://username:password#my.domino.server/mydb.nsf/myagent
I thought about another approach as well - to remove any form of auth, and pass the credentials in the POSTed data itself. Then the agent will take care to process or not the data, base on if the creds are OK. But this most probably will require some form of "impersonation" - I.e. to map somehow the anonymous user to the one, which has the rights to execute the agent. So, I valid answer to this question may be an advise how to set this up.
Additionally - we are looking at the web service approach (available in Domino 7.0+), but it will require changes on both sides - the sender (our publisher service) and the receiving agent. And most probably will lead back to the original question about how to authenticate the sender.
Any advice in that regard (even changing the approach) will be highly appreciated.
Cheers
Since Domino 7.0.2 there is a new kind of website rule entitled "Override Session Authentication" that allows you to specify, for a specific URL pattern (ex : /folder/myapp.nsf/myagent?*) to use BASIC auth even if the whole server is configured for session-based auth.
This was initially introduced for RSS readers (that cannot handle sessions).
More information here :
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.help.domino.admin.doc/DOC/H_OVERRIDING_SESSION_AUTHENTICATION_8847_STEPS.html
Although it's horribly insecure to allow this, it is possible using web site documents on the server.
Create a website document that has basic authentication for your database (it will need it's own domain name) and then everyone else can access the server through the default website document which uses session authentication.
I'd suggest adding Anonymous to the ACL of the database, with No access and nothing but Read public documents checked. Then, you can grant access to the agent by checking Allow Public Access users to view and run this agent in the Agent properties.
I don't know if it is possible to get the Authorization header into the agent to check the authentication. If there are only two parties communicating I would compute a hash of the message, a timestamp and a shared secret and use that to check access.
Edit
You won't be able to parse the Authorization header manually. Domino (at least 7.0.3) tries to do a session authentication if your request contains an authorization header, regardless of access settings on the object you request.
Here, put that URL in your Favorites toolbar :
http://www-01.ibm.com/support/knowledgecenter/SSKTMJ_8.5.3/welcome_Domino_8_5_3.html
Also did you know that your Notes client and Domino Server come with help databases full of very adequate documents ? Try the [Help] menu for starters.
Then, said help databases are usually in the aptlty named "help" folder". Open them.