Web App Central AAA - authentication

I would like to centralise user management including authentication, authorisation and auditing as this is currently being performed by each application. I was wondering if there is an open source solution already available? I'm aware I can use LDAP or AD but this still requires development of an application to manage users.
I believe LDAP is not an appropriate solution as we require custom user attributes to be defined at runtime which is something LDAP does not support.
Any advice would be greatly appreciated!

There is Apereo CAS. It handles what you are after.
See www.github.com/apereo/cas

Related

Authenticate users using LDAP for SSO

So i'm tasked with implementing SSO for our Windows application. Currently, after a user logs into the machine, he or she has to re-log in to our app when he or she loads the application. The application validates the user by querying a LDAP server.
What we're looking to have is for the user to automatically be logged into the app when they click on it. My understanding is that the LDAP authentication must still happen, but Im not exactly sure what the workflow would be, and how exactly we can validate a user without requiring them to re-enter a username / password. Note that this is not a web application so I can't use tools like SAML or OAuth (unless i'm mistaken about this too..?)
So my specific question is as follows:
Is it possible to use LDAP for SSO, and if so, how? Is it possible for me to authenticate a user with just his or her username, or is a password also required?
Any guidance would be appreciated, and am happy to provide further clarification if needed.
First of all, LDAP is a protocol, which you use to communicate with databases that implement this protocol.
So LDAP databases (commonly called directories) are ... databases and so do not provide SSO functionality.
To deploy a SSO solution, you need a SSO service. All your applications will have to be "compliant" with this service in a way or another.
The only way I can think of to make a "Windows SSO" without adding a third party application is that the applications can retrieve NTLM informations in requests made by the client and uses the user data to identify him. (but in term of security, I let you judge what you think about it ;) ) . See this php example
Some LDAP implementations, including OpenLDAP, provide some level of support the Generic Security Service Application Program Interface (GSSAPI) or SPNEGO (a specific GSSAPI implementation)
Although not trivial, it is possible to perform SSO from a "browser" that supports GSSAPI. AFIK, IE, Firefox, Safari and Chrome all provide some level of support for GSSAPI although each browser requires specific configuration (typically whitelisting of Servers).
There are many SSO Products that implement these features in a "probably" more secure and easier process than doing it yourself.
There are many known vulnerabilities details that have been exploited with GSAPPI/SPNEGO typically due to implementation issues.

Suggestion/Guidance to Implementing LDAP (Active Directory) authentication

Problem Statement:
I am trying to build a custom management system which would require authentication and authorization both.
The system needs to have capabilities to manage/create/update/delete users, roles, permissions and groups.
My Design Solution
I am planing to implement this in-house from scratch and would provide authentication and authorization as follows.
Authentication : user would provide their credentials and the system would authenticate if the user is valid or not.
Authorization: once the user is authenticated, based on the user groups and the permissions they could access the requested pages on the site.
Question:
Now, my question is that suppose I have this application built successfully and in future my application requires LDAP (active directory) authentication would it be possible to plug in LDAP related features keeping my existing application intact or I would have to re-write the entire or most application using LDAP API's.
I have had a look at at apache shiro and spring security which
provides LDAP functionality and they also provide capabilities to manage/create/update/delete users.
As of now I have not yet decided if I would go with either of them or write my own.
Would appreciate if I could get a detailed reponse about how to go about things.
Note:
I am a complete newbie to LDAP so please excuse me if I have used some wrong terminology with regards to LDAP.
I would recommend NOT implementing this your self, just integrate with existing API.
Disclosure: I work for Stormpath (which provides exactly this) and on Apache Shiro.
Also, if your application needs to be backed by LDAP, most LDAP setups I've seen only support read operations when integrating with applications, so you may want to chat with your LDAP admin and see if your 'manage' user use case is viable.
Security is a serious domain, with lots and lots of hidden complications. I would definitely recommend against implementing this yourself. Since you mention Spring LDAP, I'm guessing you're in a Spring-based project. The obvious choice in such a setup would be the excellent Spring Security project.

Silverstripe system using another Silverstripe system as Login Authorisation

I'm aware of various authentication modules for OPAuth, OAuth, LDAP and OpenID for using other systems as login authentication.
My question is which method works to setup authorisation for silverstripe systems from another silverstripe system... so that the users can be solely managed from one installation. All installations are under full control.
I am not talking about subsites... these systems are completely separate - different servers, databases, etc.
Use Case...
AuthSite is the single auth site setup and ClientSiteA and ClientSiteB are both using AuthSite. A User is registered in AuthSite with access to ClientSiteA - this user then can log into ClientSiteA, but not ClientSiteB.
All of the systems you listed will work, however you'll need to code it yourself.
If they're on the same server and you're looking for the quick and dirty solution, I'd probably suggest overriding MemberAuthenticator to use AuthSite's database.
More eloquently, you'd probably want to create some sort of authentication interface on AuthSite which is used by MemberAuthenticatoron ClientSiteA and ClientSiteB. This allows ClientSiteA and ClientSiteB to be hosted elsewhere without having to muck with database settings.

User management and single-sign on over REST

I am building a web application with front-end coded in angular. The front-end will access a bunch of web-services coded in Java/Spring. There might be other ways that people may try to access the webservices such as from a desktop tool. Now I need to secure the whole infrastructure.
I need a way to maintain a user repository, i.e. provision users and manage users, roles etc.:
users should be able to register themselves and have their emails verified.
admin should be able to approve users and assign them roles, delete users, update them etc.
I also need single sign on functionality. So once you login through the webfront end, you should be able to access the REST based webservices seamlessly (depending upon the role you have).
I do not need to support millions of users, so something light-weight will be preferable.
I am looking for open-source solution(s) that can:
allow user management (ideally over REST based API and have its own user interfaces as well)
allow single-sign-on functionality for web frontend and webservices, and potentially for desktop apps that may need to be implemented.
I have tried Apache Syncope which seemed promising as it provided REST based APIs. I am thinking of using it with CAS. However, the default UI seemed kludgy and CAS doesn't directly support REST.
I am looking at Shibboleth and OpenIDM as well - but none seems to be meeting my requirement directly.
I'll appreciate any suggestions on what options/stack can I consider for this. Ideally, a single solution or a well integrated solution on Java/Spring stack might work better for me.
you should have a look at https://github.com/openMF/mifosx for Java and Springs RESTFull Web service.
and https://github.com/openMF/community-app for there AngularJS web app.
plus you can also find a live demo link on there repository.
username is mifos and
password is password.
it is ment for microfinance but you can study its architecture implementation and use there core functionalities, it is really amazing.

Creating a custom STS-IP with WIF and why not

I have a need to implement a STS-IP server for our web applications and services. The server will need to issue SAML tokens for the following scenarios:
Business partner submits their SAML token which is converted to a SAML token with the claims required for our applications. This token is used to access our Web Applications and Services.
Our public facing applications need to have a user sign in (via forms authentication) and then access our web applications and services with a SAML token.
Our clients (without a STS trust) needs to authenticate with our STS-IP server, get a SAML token, and use that token to access our WCF services.
In all 3 scenarios, we need to have custom claims on the SAML token that our applications and services use. The thought is once we identify the user, we would look up their authorization in our back-end systems and attach claims.
In these scenarios, you can assume the back-end authentication store is a custom implementation with authentication stored in Active Directory and authorization stored in a database.
So my thought has been, we need to create a custom STS-IP server using something like Windows Identity Framework. But I have also been reading that you should not do this because it can take some time.
Can I use an off-the-shelf STS-IP server? Everything I've seen is a mapping between one system to another (SAML to SAML or AD to SAML).
Why will it "take a long time" to build a production ready STS-IP ? I built one using WIF very easily, but I guess I don't understand the risks in doing this.
In terms of "It will take a long time", the documentation showing how to do this is very poor. See here: http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/257d93be-165e-45a6-a277-fc7ed2286e7d/
Anyhow, you'll simply need to look over the code samples that Microsoft provides: Google for Identity Developer Training Kit. That should help you get started.
Why are you not considering using ADFS? If the backing store for authentication is AD, then ADFS is probably a good candidate to evaluate.
Before writing you own STS, you may want to check out this blog and closely review the features that you may need in the STS. Just because you can build one yourself, doesn't always mean you should.
extending adfs to multiple identity and attribute stores
They "why not" is relatively simple: Why take weeks to build something that will probably only handle a single use-case when you can put in off-the-shelf STS in a day that will cover all sorts of things your company may come up with? Building it yourself will also require you to become an expert in SAML (which is probably not the best us of your company's time).
Check out --
http://www.pingidentity.com/our-solutions/pingfederate.cfm
Good luck -- Ian
Agree with #eugenio - why not use ADFS?
ADFS can only authenticate against AD as discussed but it can derive authorisation attributes from AD / LDAP / SQL server
The nuts and bolts for an STS are available in VS 2010 plus the identity tool kits. A simple STS can be quickly prototyped.
There are some examples available. StarterSTS is already mentioned plus SelfSTS.
The hard part is getting the security right especially if this will be part of a production system. As per "Steve on Security" Build your own Directory Federation Service:
It may sound like I think it’ll be a
synch to develop this system and have
it work securely, but in reality there
is a lot that will need to go into it
to protect the network, the employees,
and the data this could possibly
interact with. It is tough to develop
applications securely. It is far
harder to develop secure applications
whose sole responsibility is security
related.
That's the reason that all the samples on the Internet have disclaimers in bold:
Do not use in a Production environment