I like to know what is the difference between ISAM Federation vs IBM Tivoli Federated Identity Manager (TFIM)?
Does ISAM Federation supports SAML 2.0 or for that I need TFIM?
ISAM starting at version 9.0 has an additional module "Federation" activated by separate license.
Technically it is embedded instance of TFIM component (that previously needed to be deployed on external server) so most of external TFIM functionalities are working in ISAM's embedded Federation Module.
So answering your question, yes, Embedded Federation Module does support SAML2 and OpenID.
You should choose the ISAM+Federated Module for SAML2 unless you will be doing some extremely complicated scenarios like clustering or would ever need altering configuration by response files (which might be limited in ISAM appliance).
Related
Our company is considering Neo4j for a database solution. We're using to Oracle dbs, and have relied upon their built in user authentication management to control who can connect to the db, who has read or write access, and what they are allowed to view in the db.
With Neo4j, most of these security options are missing. While we don't necessarily need to control visibility of nodes and relationships on a per-user level, the lack of multiple user accounts and the inability to control read/write access per account could be a dealbreaker. While application access of Neo4j should be well-contained and secure, we want to allow read-only accounts via the browser client to our developers (at least in our dev and qa environments).
The only solution that's jumped out at us so far has been GraphAware's Enterprise Security offering. I'd like to know if there are any other solutions out there that are compatible with Neo4j 3.0. At the moment we are not considering using the Neo4j REST API.
GraphAware Enterprise Security is compatible with 3.0 and there are no other solutions as far as we are aware. That said, judging from Github activity, it looks to me like the security mechanisms in Neo4j 3.1 will be enhanced to include multiple users and LDAP integration. We have to wait for 3.1 to be out. GraphAware Enterprise will be compatible with Neo4j 3.1 and use its native security features where possible.
DISCLAIMER: I work at GraphAware.
I did find one other partial solution to this, though it has its own hoops to go through to set up.
With the Enterprise edition, in a clustered environment, a node can be configured to be a read-only slave, and configured with its own login/pass for dev use.
Does anybody know if BLToolkit has been tested and certified for use with Azure Sql and if it supports the dropped connection retry functionality? And if not are there any plans to get it tested and passed?
At the time of writing, there is nothing official on the BL Toolkit website, and no issues listed in their issue tracker for Azure.
There are a few other requests (e.g. here and here) that are requesting the same details. At the moment they are unanswered but you could add your weight to them.
Based on this evidence from the official sources I would say that the Toolkit is not Tested or Certified specifically for Azure use.
With the exception of the transient nature of Azure which may require handling of database reconnections, there doesn't seem to be anything obvious that would prevent you from using the Toolkit however.
I would recommend you raise an issue with the developers regarding Azure Testing and Certification while performing a proof of concept test on Azure to determine how to best handle reconnections on Azure for your specific application.
There is recent activity on the project, so I'd be quite hopeful of a response.
I wrote Azure Sql Data Provider for BLToolkit. You can find its sources on github.
Also it's available over NuGet. Please, see how to install and configure it here.
We've discussed SSO before. I would like to re-enhance the conversation with defined requirements, taking into consideration recent new developments.
In the past week I've been doing market research looking for answers to the following key issues:
The project should should be:
Requirements
SSO solution for web applications.
Integrates into existing developed products.
has Policy based password security (Length, Complexity, Duration and co)
Security Policy can be managed using a web interface.
Customizable user interface (the password prompt and co. screens).
Highly available (99.9%)
Scalable.
Runs on Red Hat Linux.
Nice to have
Contains user Groups & Roles.
Written in Java.
Free Software (open source) solution.
None of the solutions came up so far are "killer choice" which leads me to think I will be tooling several projects (OWASP, AcegiSecurity + X??) hence this discussion.
We are ISV delivering front-end & backend application suite. The frontend is broken into several modules which should act as autonomous unit, from client point of view he uses the "application" - which leads to this discussion regrading SSO.
I would appreciate people sharing their experience & ideas regarding the appropriete solutions.
Some solutions are interesting
CAS
Sun OpenSSO Enterprise
JBoss Identity IDM
JOSSO
Tivoli Access Manager for Enterprise Single Sign-On
Or more generally speaking this list
Thank you,
Maxim.
What about FreeIPA?
"FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 (formerly known as Fedora Directory Server), MIT Kerberos, NTP, DNS. It consists of a web interface and command-line administration tools."
If you focus on web applications, check out http://oauth.net/.
CAS has strong adoption, user-base, and a strong lead (who recently switched jobs, but is still comitted to the project). It is straightforward to integrate (if you're comfortable writing Java code/configuring Spring beans), and can do all your requirements, noteably:
SSO solution for web applications.
YES
Integrates into existing developed products.
YES (though some cleaner than others - but many modules are available for major products, and it supports common standards (SAML, OpenID).
has Policy based password security (Length, Complexity, Duration and co)
*YES - can easily be implemented, and some extensions to integrate with LDAP (probably the most common user store) are supported
Security Policy can be managed using a web interface.
NO - though one could be build fairly simply - if you're comfortable with development, and given that this is likely to be a non-trivial project, I'd recommend considering this a non-blocker given that the product is open-source
Customizable user interface (the password prompt and co. screens).
YES - easily customized through some basic HTML/CSS editing
Highly available (99.9%)
YES - both reliable, and can support multiple node/failover scenarios easily
Scalable.
YES - used in many high-traffic environments both intranet and internet
Runs on Red Hat Linux.
YES
Oracle Enterprise Single Sign-On is not what you're after - it requires a Windows executable to be deployed. Oracle Access Manager is closer to what you're after (though it's not free or Java-based).
The major commercial players in the Identity and Access Management (IAM) market space are CA, Oracle, IBM, Sun and Novell. None of these are free solutions but they have many of the features that you are looking for.
For free software, I recommend DACS: The Distributed Access Control System. I know that one department where I work has implemented this with great success. It doesn't have as many features the commercial IAM products but otherwise is a good solution.
I have used Tivoli Access Manager backing onto Websphere and IIS boxes - the way it writes access information into the page headers is very useful. On the downside, I didnt find the DB2 Ldap backend very scalable or reliable, and you know with IBM this isn't going to come cheap.
Also the asynchronous paths (junctions) used to identify different servers is a bit of a hack really eg http://mysite/myserver/myapp - a very bad idea and not thought through very well.
My network has a kerberos server for username/password authentication. Machines that run my application have functioning kerberos clients, so users can use kinit, etc.
How do I interact with the server programatically, from my own custom applications? The preferred language for an example is C.
I want users of my application to authenticate against a kerberos server before access to certain functions. I anticipate having to ask them for their username and password - kinit may not have been called.
The machines hosting the applications run OS X and Debian/Linux.
I believe the answer might well involve GSSAPI. If so, are there good tutorials for this?
Sun covers this in their book Solaris Security for Developers Guide. Specifically helpful to you will probably be Appendix A - Sample C-based GSSAPI programs and Chapter 5 - GSS-API Client Example.
Have a look at Heimdal, they have an extensive kerberos API, and the site below has a great doxygen install that describes the API.
http://www.h5l.org
GSSAPI is indeed the recommended approach, but the precise details will depend on your language environment and whether you need interop with Windows. Is your kerberos provider Windows or something else?
On Windows, Kerberos is a native protocol supported by the OS, and many high level Win32 APIs will effectively give you it for free. Making it interop with a non Windows kerberos server is possible but not trivial.
On UNIX, you may first need to install kerberos client support and get that working - but if your network already has a kerberos server, this may have been done for you already.
Windows includes an implementation of GSSAPI as does Java, and most UNIX flavors have an implementation. I believe GSSAPI addons are available for PHP also.
If you can add more specifics on your requirements I can firm this answer up a bit.
I'm helping a typical small company that started with a couple of outsourced systems (google apps, svn/trac). added an internal jabber server (ejabber for mostly iChat clients). subscribes to a couple of webservices (e.g. highrisehq). and has a vpn service provided by a pfsense freebsd firewall.
And the net result of all this is that they're drowning in passwords and accounts.
It seems that if they had a single unified login / single signon service they could go a long way to combining these. E.g.: ldap as the master repository, radius linked to it for vpn, ejabber and even WPA2 wireless access, plugins for google app sign on, and perhaps an openid server for external websites like highrisehq.
It seems that all these tools exist separately, but does anyone know of a single box that combines them with a nice GUI and auto-updates? (e.g. like pfsense/m0n0wall for firewalls, freeNAS for storage). It doesn't have to be FOSS. A paid box would be fine too.
I figure this must exist. Microsoft's Active Directory is likely one solution but they'd rather avoid Windows if possible. There seem to be various "AAA" servers that ISPs use or for enterprise firewall/router management, but that doesn't seem quite right.
Any obvious solutions I'm missing? Thanks!
It's been over a year since you originaly asked the question, so I'm guessing you've solved your problem by now. But if someone else is interested in a possible solution I suggest the following:
First of all, I don't know of any "all in one" solution to your problem. However it's quite easy to combine three products that will solve all of your needs and provide a single source for User management and password storage.
The first thing to do is install an LDAP Directory to manage Users and Groups (and possibly other objects outside the scope of your question). This can be OpenLDAP, Apache DS, Microsoft Active Directory, etc. Basically any LDAP Server will do.
Second I recommend installing FreeRADIUS with the LDAP Directory configured as it's backend Service.
Third get a license of Atlassian Crowd. It provides OpenID and Google Apps authentication. Prices for up to 50 Users start at $10 and go all the way up to $8000 for an unlimited user license.
Installation and Configuration of the three is relatively easy. You'll probably put most work into creating your Users and Groups. You can install all three components on a single Server and end up with a box that allows you to authenticate pretty much everything from Desktop Login, over Google Apps and other Web Apps, down to VPN and even Switch, WiFi and Router Login.
Just make sure you configure your Roles and Groups wisely! Otherwise you might end up with some Sales Person being able to do administration on your Firewalls and Routers :-)
I would encourage anyone searching for this type of solution to check out the Gluu Server (http://gluu.org).
Each Gluu Server includes a SAML IDP for SAML SSO, an OpenID Connect Provider (OP) for OpenID Connect SSO, an UMA Policy Decision Point (PDP) for web access management, and a RADIUS and LDAP server.
All the components of the Gluu Server are open source (i.e. Shibboleth, OX, FreeRADIUS, OpenDJ, etc.), including the oxTrust web user interface for managing each component of the server.
For commercial implementations, Gluu will build, support, and monitor this stack of software on a clients VM.
You may not want to standardise passwords across so many apps (especially external ones), though for internal ones using an auth service like LDAP makes sense.
You could solve the issue of remembering passwords with an eSSO like Novell SecureLogin
Also you might be interested in Novell Access Manager and Novell Identity Manager
I too could use such a device, however the only one I could find was a (possibly outdated) data sheet from Infoblox. They seem to have since concentrated on automated network managment and I can't find the LDAP appliance on their current website. I guess building a linux box with the FOSS stuff mentioned above is what everyone does, but it would be great not to have power supplies, disks, fans etc. I suppose you could use something like an EEE PC and put the config on a flash card.
This is something I was looking for as well, and http://www.turnkeylinux.org/openldap looks like the solution: "appliance" installation, and it includes encrypted online backup which is easily restored to a new or replacement machine.