Jira / Bitbucket Application Links with Basic Authentication - authentication

This is admittedly a duplicate of this question:
HTTP Basic Authentication and Atlassian JIRA, Confluence and Bitbucket
... but I have the same question, and that was not answered!
Does anyone know how to set up "Application Links" between Jira, Bitbucket, or other Atlassian apps when the remote app requires basic authentication? The legacy docs for Jira indicate there used to be a basic authentication option, but they seem to have eliminated that.

If you're stuck with a combination of very old and new applications, then it is possible that you cannot create an application link between them, unless you upgrade your legacy application(s).
Atlassian has this in their Application Links documentation:
As a general rule, you should ensure your applications are using the same major version of AppLinks to resolve any potential incompatibilities.
For a matrix of compatible versions, look here.

Related

SSO for web application hosted on S3

I have been scratching my head for a while now. Went through tons of documentation but everything seems very confusing. Please forgive if it appears to be a duplicate question, but believe me, the more content I find, the more it's confusing me.
Below is the configuration of my project and what I need to achieve:
The project is a web based application developed using Spring framework with Java 8 that is hosted on S3 (Linux server). HTTP server used is Apache. JBoss is used as an application server and the exact version used is wildfly-8.2.0.Final.
Currently, the user enters his credentials which are validated against Microsoft Active Directory using LDAP and is let in. The requirement now is that when the user logs into the machine using his AD credentials in his intranet environment, and he tries to open the application, he should directly log in and not be prompted for credentials again. If he is outside his intranet network, the existing login method should be followed.
While researching I found the things below, which I assume can be useful, but I am not able to reach a conclusion.
Kerberos along with Shibboleth: I went through the two references below, which somewhat matched my requirement, but I am not very sure whether I am looking at the right thing or not.
http://richardjohnson798.blogspot.in/2011/10/single-sign-on.html
http://gfivo.ncl.ac.uk/documents/UsingKerberosticketsfortrueSingleSignOn.pdf
My confusion revolves around the things below.
Is Shibboleth the right choice? If yes, what is the exact role of Shibboleth?
What needs to be set up on the Linux server (a Kerberos implementation, for example), and what changes would be needed in the client's AD environment?
Is the implementation possible on the Wildfly server? (All the references have the thing implemented using Tomcat.)
What are the security aspects I should be concerned about?
Help is much appreciated. Thank you.
Since you are using S3 I assume you are using AWS.
Go to IAM and add the Active Directory as a SAML provider
https://aws.amazon.com/blogs/mobile/announcing-saml-support-for-amazon-cognito/
Then use AWS Cognito Federated Identity Pool via the JavaScript SDK in the front end code you have hosted on S3.
http://docs.aws.amazon.com/cognito/latest/developerguide/using-amazon-cognito-user-identity-pools-javascript-examples.html

Suggestion/Guidance to Implementing LDAP (Active Directory) authentication

Problem Statement:
I am trying to build a custom management system which would require authentication and authorization both.
The system needs to have capabilities to manage/create/update/delete users, roles, permissions and groups.
My Design Solution
I am planning to implement this in-house from scratch and would provide authentication and authorization as follows.
Authentication: the user would provide their credentials and the system would authenticate whether the user is valid or not.
Authorization: once the user is authenticated, based on the user's groups and their permissions they could access the requested pages on the site.
Question:
Now, my question is this: suppose I have this application built successfully and in future my application requires LDAP (Active Directory) authentication. Would it be possible to plug in LDAP-related features while keeping my existing application intact, or would I have to rewrite the entire application, or most of it, using LDAP APIs?
I have had a look at Apache Shiro and Spring Security, which provide LDAP functionality and also provide capabilities to manage/create/update/delete users.
As of now I have not yet decided if I would go with either of them or write my own.
Would appreciate it if I could get a detailed response about how to go about things.
Note:
I am a complete newbie to LDAP so please excuse me if I have used some wrong terminology with regards to LDAP.
I would recommend NOT implementing this yourself; just integrate with an existing API.
Disclosure: I work for Stormpath (which provides exactly this) and on Apache Shiro.
Also, if your application needs to be backed by LDAP, most LDAP setups I've seen only support read operations when integrating with applications, so you may want to chat with your LDAP admin and see if your 'manage' user use case is viable.
Security is a serious domain, with lots and lots of hidden complications. I would definitely recommend against implementing this yourself. Since you mention Spring LDAP, I'm guessing you're in a Spring-based project. The obvious choice in such a setup would be the excellent Spring Security project.
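To make the question's concern concrete, the following is an added example (not code from the question or either answer, and not Apache Shiro or Spring Security code) showing the separation both answers rely on: the application talks only to an AuthenticationProvider contract that returns a Principal carrying group memberships, and the authorization layer only ever sees that Principal. An LDAP provider would implement the same authenticate method by binding to the directory with the user's credentials and reading group membership, so plugging it in later leaves the authorization code and the pages that call it untouched. The user names, passwords, groups and permission strings in build_demo are constructed sample data; the class and method names are this example's own.

```python
"""Keeping authentication (who are you) separate from authorization (what may you do)
so the identity source can be swapped for LDAP later without touching the rest."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Protocol


@dataclass(frozen=True)
class Principal:
    """What the application sees after a successful login: a name and group memberships.
    An LDAP provider would fill `groups` from the directory (e.g. memberOf)."""
    username: str
    groups: frozenset[str]


class AuthenticationProvider(Protocol):
    """The only contract the application depends on. Returns None on any failure so the
    caller cannot distinguish 'unknown user' from 'wrong password'."""
    def authenticate(self, username: str, password: str) -> Optional[Principal]: ...


class LocalPasswordProvider:
    """In-house provider backed by salted PBKDF2-HMAC-SHA256 hashes (never plaintext)."""
    ITERATIONS = 100_000

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes, frozenset[str]]] = {}

    def add_user(self, username: str, password: str, groups: set[str]) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._users[username] = (salt, digest, frozenset(groups))

    def authenticate(self, username: str, password: str) -> Optional[Principal]:
        record = self._users.get(username)
        # Hash even for unknown users so response time does not reveal which names exist.
        salt, stored = (record[0], record[1]) if record else (b"\x00" * 16, b"\x00" * 32)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        if record is None or not hmac.compare_digest(candidate, stored):
            return None
        return Principal(username, record[2])


class Authorizer:
    """Group -> permission mapping. It never learns where the Principal came from."""

    def __init__(self, group_permissions: dict[str, set[str]]) -> None:
        self._group_permissions = {g: frozenset(p) for g, p in group_permissions.items()}

    def permissions_for(self, principal: Principal) -> frozenset[str]:
        perms: set[str] = set()
        for group in principal.groups:
            perms |= self._group_permissions.get(group, frozenset())
        return frozenset(perms)

    def is_allowed(self, principal: Principal, permission: str) -> bool:
        return permission in self.permissions_for(principal)


class AccessControl:
    """Application-facing facade: log in through whichever provider is configured, then authorize.
    Swapping `provider` for an LDAP implementation changes nothing else."""

    def __init__(self, provider: AuthenticationProvider, authorizer: Authorizer) -> None:
        self._provider, self._authorizer = provider, authorizer

    def login(self, username: str, password: str) -> Optional[Principal]:
        return self._provider.authenticate(username, password)

    def can(self, principal: Principal, permission: str) -> bool:
        return self._authorizer.is_allowed(principal, permission)


def build_demo() -> AccessControl:
    """Constructed sample users, groups and permissions (not from the question)."""
    provider = LocalPasswordProvider()
    provider.add_user("alice", "correct horse battery staple", {"admins"})
    provider.add_user("bob", "hunter2", {"staff"})
    authorizer = Authorizer({"admins": {"users:read", "users:write"}, "staff": {"users:read"}})
    return AccessControl(provider, authorizer)


if __name__ == "__main__":
    ac = build_demo()
    who = ac.login("bob", "hunter2")
    print("bob may write users:", who is not None and ac.can(who, "users:write"))
```

The point the first answer makes still applies to the provider side: if the directory is read-only for applications, the manage/create/update/delete functions in the question would have to stay in the local store or go through whatever provisioning path the LDAP administrators allow, and only the authenticate call moves to LDAP.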

Authenticating Google users without registering application first

The old Google OpenID endpoint provided a way of authenticating users without having to register your application first. This was very convenient for open source applications because they could provide a "log in with Google" option which would work out of the box. For instance, Google's own code review tool Gerrit makes use of this.
It appears that this endpoint is deprecated and will be shut down:
https://developers.google.com/accounts/docs/OpenID2
My question is twofold:
Is the endpoint that's going to be shut down the one at https://www.google.com/accounts/o8/id used by StackOverflow, Gerrit etc.? (With all the different OAuth and OpenID variants mentioned in Google's docs, it's not terribly clear.)
If so, is there any non-deprecated login option that doesn't require the application to be registered?
Indeed OpenID2 is deprecated, and that is the endpoint at https://www.google.com/accounts/o8/id.
Open-source code can still be written; it will just require that the site integrating the open-source solution perform the registration step and supply the registration values (client_id, redirect_uri) to the open-source code. If you write the code with a modular approach to configuring the registration data, the code can be highly reusable.

Authentication server for Google Apps

We are using Google Apps services in our startup for email and docs. However for some other purposes such as svn and bug tracker we have our local machines on which we have installed the required apps. All of them have their own separate credential sets.
Ideally I'd like to have one authentication (i.e. that of Google Apps) and authenticate on svn & trac etc. using them. Considering Google Apps does not support OpenID, what should be a good solution? Can I set up a server which uses a particular protocol and still nicely wraps around Google Apps authentication?
There is a Google Federated Login API now, it provides OpenID services. Also, as this guy has shown, it's easy to use Google App Engine to create an OpenID provider of your own using Google IDs as the underlying credentials. HTH.
OAuth may help, up to a point -- Google Apps' gdata APIs do support it decently, see here. Of course all this requires and concerns programming, not just system administration: but then I know for sure your question IS about programming, since it's on Stack Overflow -- if you meant to ask strictly about sysadm issues, you would of course be using serverfault.com, right?-)

What methods exist for leveraging SecurID and similar technologies?

From Wikipedia: RSA SecurID is a mechanism developed by RSA Security for performing two-factor authentication for a user to a network resource.
I just read about this device, and it seems interesting to me. However, I'm not sure how (or even if) software (networked or non-networked) can utilize this method of authentication.
I'm making this a community wiki post as this isn't a specific question, but a general overview of addressing authentication with SecurID and similar technologies.
There's a similar technology called YubiKey.
Verisign's OpenID provider supports such tokens (sold at a discount by EBay and PayPal), which is certainly the easiest way to get started using dual-factor authentication for web applications.
To actually answer the original question, there are several ways to integrate with SecurID, from "simplest" to "requires a bit more work":
See if the application is already integrated/certified. A list of applications that have been integrated and validated by RSA can be found at http://www.rsasecured.com. Only applications that have opted to be validated are listed; it's possible that an application can integrate but has not undergone validation.
Leverage one of the existing RSA Authentication Agents (pieces of code that talk to the Authentication Manager server) and that integrate, for example, with the OS/Application Server/Web server, so that the authentication can be "offloaded" to the agent, and the application only has to take care of the core functionality. The Agents that RSA develops can be downloaded from http://www.emc.com/security/rsa-securid/rsa-securid-authentication-agents.htm (RSA is the Security Division of EMC).
If the application/device can leverage the RADIUS protocol for external authentication (see http://en.wikipedia.org/wiki/RADIUS), the Authentication Manager server is also a RADIUS server.
Lastly, if you want to integrate the application directly with RSA, the RSA SecurID Agent SDK allows you to embed the needed functionality in the application itself, so the app can talk directly to the Authentication Manager server, send authentication requests, receive the answers, leverage the HA functionality of the authentication server, etc. This is how devices such as VPN SSL Concentrators, Firewalls, and many, many others integrate (see the list in point 1).
Hope this helps
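Point 3 of the answer above treats RADIUS as a black box. The following is an added example, not code from the answer, from RSA or from the Agent SDK, showing what a RADIUS client (the application or NAS) actually sends to an Authentication Manager acting as RADIUS server and what it must check on the reply, per RFC 2865: the Access-Request with the User-Password attribute hidden under the shared secret, and the Response Authenticator check that lets the client reject a forged, replayed or mismatched Access-Accept. The shared secret, username, NAS address and the fixed Request Authenticator in the test are constructed sample values; a real client takes the secret and server address from configuration and draws a fresh Request Authenticator from os.urandom for every request. The server-side build_response function is included only so the exchange can be exercised offline without a real server.

```python
"""Minimal RADIUS Access-Request client logic and reply verification (RFC 2865).
Constructed example: secrets and addresses are placeholders, not a real deployment."""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is removed."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(block, pad))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, request_auth: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Client side. Returns (packet, request_auth); the caller keeps request_auth to
    verify the reply. request_auth must be unpredictable and unique per request."""
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Server side (here only to simulate the exchange offline).
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, identifier: int, request_auth: bytes, secret: bytes) -> Optional[int]:
    """Client side: return the reply's Code only if it answers the outstanding request
    (same Identifier) and its Response Authenticator is valid; otherwise None.
    Acting on the Code without this check lets anyone who can reach the socket send
    an Access-Accept, which is why the check is mandatory, not optional."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != identifier or length < 20 or length > len(packet):
        return None
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code


def parse_attributes(packet: bytes) -> list[tuple[int, bytes]]:
    """Walk the attribute area, refusing lengths that run past the packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos, attrs = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs
```

Two design notes for anyone wiring an application to a RADIUS server this way: the User-Password hiding is an MD5 keystream keyed by the shared secret, so the secret's length and the confidentiality of the network path are what protect the password, and running RADIUS over TLS (RadSec, RFC 6614) or an IPsec tunnel is the usual mitigation; and the Identifier plus the stored Request Authenticator are what tie a reply to its request, so a client must keep one outstanding request per Identifier and discard replies that fail verify_response rather than logging the user in.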
My company, WiKID Systems, has a dual-source two-factor authentication system. In addition to RADIUS, LDAP, etc., we have a very simple API called wAuth and packages available in PHP, Python, Ruby, Java and C#. These 'network client' packages are LGPL so you can put them in open source or commercially licensed software. You can download here. It would be pretty simple to do others too.
Also, we have an open source version of the software token, so you can embed that if you like and you can really see how the system works from end-to-end.