HANA XSJS app authentication method: what to choose? - sap

We are developing a SaaS web application on the SAP HANA XS Engine.
We have subscription-based product packages and we want to manage user authentication on the web. So, we removed XS Engine authentication.
Now we have a login page that uses XSJS methods for authentication. It works for the login page and redirects to another page. However, I don't know how I can control the session in the redirected page, or how it works in the XS Engine.
Could you provide some information about this?
According to this documentation it seems SPNego or SAML is suitable for us. But I read another document that says SAML is no longer available after SP 8.

If you are using HANA Cloud, you can activate SAML or LDAP login, and it works with SSO, but you need to develop some code to integrate this
OR
On the login page, you can create a TOKEN and authenticate every request based on this TOKEN; this solution is good for SP9 or SP8
OR
You can use $.session to manage sessions, available on SP10 and later

Related

ASP.NET Core 3.1 Third Party Authentication

I am looking for a bit of direction here. I am building an ASP.NET Core 3.1 web interface to an existing Jira tool that does some queries and presents status. For authentication, my calls to the server that retrieve data need proper Jira credentials to operate. However, the API I am using never establishes a connection by logging directly into Jira. It opens a connection in the code with the passed credentials.
So my question is, what is the proper way to do this in ASP.NET Core 3.1? I don't need someone to do all the work for me, just point me in the right direction. In WPF, I simply had the user enter their name and password and I established the connection object at startup.
Check out these docs. The user shouldn't be putting their Jira creds into your app.
OAuth 2.0 (3LO) for apps
The app directs the user to an Atlassian screen that prompts them to grant access to their data on the Atlassian site. The screen displays the access being requested in the Atlassian product.
The user grants (or denies) access to their data on the Atlassian site, via the screen.
The user is directed back to the external service. If the user granted access, the external service can now access data (within the specified scopes) from the Atlassian site on the user's behalf.

IdentityServer4 with optional External ADFS for some client configurations

So we are using IdentityServer4 for our web applications, all is good.
We have a new requirement from a client to allow them to perform SSO via their ADFS system using WsFederation; we already provide this for another one of our older web applications that is not tied into IdentityServer4 yet.
Ideally we would like to tie WsFederation into IdentityServer4 so it is in one place.
Does anyone know if it is possible to use IdentityServer4 so that we redirect to IdentityServer4, identify that it is this particular client (possibly via an alternative URL), then IdentityServer4 authenticates against ADFS, collects the claims (probably basic, e.g. email/username/etc.), and we then supplement them with additional claims for access and pass them back to the web application?
What I'm trying to achieve ideally is to not change the existing Web Application, and to sort out the plumbing at IdentityServer4, so the Web Application wouldn't know or care if this user was IdentityServer4 only or IdentityServer4 + WsFederation. This would be useful for other clients across our applications to easily integrate in the future.
Alternatively I could deploy another version of the Web Application that authenticates directly with my client's ADFS system. However this seems a waste of server resources/maintenance for just one small client.
I had a look at the external options (where you click Google on or near the IdentityServer4 login screen); is there a way to automatically redirect to the ADFS without even seeing the IdentityServer4 login screen?
Is this possible?
Thanks,
Jon
This was released in 2017; see the example at
https://github.com/IdentityServer/IdentityServer4.WsFederation

How can I impersonate a Domain to access the Google API Admin SDK with OAuth2?

We have several apps deployed on the Google Apps Marketplace using the OAuth 1.0 protocol. Because of the expiration of OAuth 1.0 on the Google platform we are trying to migrate all the apps to the new OAuth version, but we are facing some difficulties regarding background requests to the Google Admin SDK Directory API.
In our apps we need to request Domain user accounts, groups and other stuff related to the Email Domain structure. With OAuth 1.0 we have been doing this with 2-LO (Two-Legged OAuth), so basically once the Admin gave us access we could impersonate requests for the domain using this mechanism.
After reading all the Google documentation about the Google API, OAuth mechanisms and so on, and after testing some code hypotheses too, we haven't figured out yet how we can manage the same concept with OAuth 2, because of the following:
Using the Web Server OAuth 2 strategy simply will not work, because in that scenario we would be getting a Domain user's access to the Admin SDK. If we keep their access/refresh token pair to query the Admin SDK later and the user is deleted because the Domain changed its Admin, we will be disconnected from the flow.
I supposed in that case the best choice was the Service Account strategy. The problem with this scenario is that the user has to manually configure access to the App in their Admin Console according to Google's document on domain-wide delegation of authority (https://developers.google.com/+/domains/authentication/delegation#create_the_service_account_and_its_credentials). This is really awkward for us since we were managing all application installation interactively and we don't want to remove User Experience facilities.
Finally, my questions are:
Is there any way to do domain-wide delegation of authority with OAuth 2 with no manual user configuration, fully interactively?
Is there any way to do this without needing the user email, which in fact is one of the parameters in the Service Account OAuth2 strategy?
Must we keep 2-LO authentication for this scenario and do OAuth 2 only for the Google Marketplace installation part?
Any comments or guidance will be welcome.
Best,
Certainly - in the latest update to the Google Apps Marketplace, the act of installing an App means the admin doesn't need to do an additional manual step.
You need a way to impersonate a user in a Service Account. Depending on how you implement your application, you might need to utilize the Directory API.
OAuth1 is going away eventually so I recommend you use OAuth2 throughout to simplify your code complexity.

Oracle Apex Authentication Mechanism

I am a newbie to Oracle APEX and I need to know the authentication mechanism performed by Oracle APEX.
Basically, I am using LDAP authentication and once the user/pwd is authenticated, no more authentication is done until the session expires.
The process is built in; can anyone let me know what happens after it's authenticated, like creating cookies/sessions or any other mechanism?
The idea is to integrate an ASP.NET website with Oracle APEX (in an iframe). The login page will exist in the ASP.NET website and once the user clicks the submit button both the ASP.NET website and Oracle APEX should process the authentication mechanism.
I have already done Windows authentication and need to explore more options (like LDAP authentication, integrating WCF/web service authentication). Upvote for helpers.
This page from the APEX documentation explains the process of user authentication and guides you through the available options.
Another option might be to use the Thoth Gateway and use windows integrated authentication. See the section "Features in Thoth that are not in mod_plsql" at
https://github.com/mortenbra/thoth-gateway
snippet from site:
Integrated Windows authentication (if the virtual directory that contains the Thoth Gateway is set up with integrated Windows authentication, you can get the username of the authenticated user via owa_util.get_cgi_env('LOGON_USER'))
It sounds like what you're looking for is "session management". After a very brief glance at Oracle's docs, it looks like the Oracle Apex server generates a session ID, which is passed over the underlying http(s) channel as part of the URI. Oracle docs also talk about session timeout and similar stuff.

Desire2Learn Valence authentication with Shibboleth

My team is getting started with Desire2Learn Valence, and our Shibboleth authentication seems to be derailing the initial API Key authentication process.
We have our App ID and Key, but the Valence authentication form is sending us to our Shib login (not our direct login, as it does for the "Lake Valley University" sample) and it never makes it back to Valence to complete the process.
Any suggestions on how to configure or change this so it works?
Valence authentication is based on deep-linking (ultimately the Valence Authentication page directs the user back to the app with some key information attached).
Therefore, the LMS's authentication system has to be configured for deep-linking, which occasionally is not the case for some systems. Also, particular versions of the Shibboleth authentication system are required to support that deep-linking.
The Valence authentication process flow follows the links the deployment team (or site administrator) provides in the DOME for Tools.Login.OrgLoginPath and Tools.Login.OrgMobileLoginPath. This will be why you are going to the Shib page instead of the built-in page. Some Shibboleth customers create a portal page to give users a prompt and a choice of which system to authenticate against. All the pages in the process have to pass along the deep-linking URL as the ?target= query parameter.
As it is not returning to the app, this suggests it needs an updated version of the Shib product (IPAS). I would open a help desk ticket for this item and refer to the fact that you are doing this for use with Desire2Learn Valence authentication.
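Every page in the login chain described above forwards the deep-linking URL in `?target=`, so each hop is also a redirect endpoint that should only send the browser back to the expected LMS or Valence destination. The following is an added example, not code from the original thread or from D2L's software, of the validation a portal page in that chain would apply before forwarding the parameter. `ALLOWED_TARGET_HOSTS`, the example host names and the function names are constructed for this example.

```javascript
// Added example, not from the original thread or D2L's software: validates the
// deep-linking `target` query parameter that each page in the login chain must
// forward, so that only the expected Valence/LMS destination is accepted.
// Host names are constructed placeholders.
const ALLOWED_TARGET_HOSTS = new Set(["lms.example.edu", "valence.example.edu"]);

// Returns the normalized target URL string, or null when it must be refused.
function validateTarget(rawTarget, requestOrigin) {
  if (typeof rawTarget !== "string" || rawTarget.length === 0 || rawTarget.length > 2048) return null;
  let url;
  try {
    // Relative targets resolve against the requesting origin; a protocol-relative
    // "//other.host/..." resolves to that other host and is then rejected below.
    url = new URL(rawTarget, requestOrigin);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:") return null; // rejects javascript:, data:, plain http:
  if (!ALLOWED_TARGET_HOSTS.has(url.hostname)) return null;
  if (url.username || url.password) return null; // no embedded credentials in a redirect
  return url.toString();
}

// Carry the validated target into the next hop's URL, as the chain requires.
function forwardTarget(nextHopUrl, validatedTarget) {
  const next = new URL(nextHopUrl);
  next.searchParams.set("target", validatedTarget);
  return next.toString();
}
```

Parsing with the `URL` class rather than string prefix checks is what makes the host comparison reliable; the allowlist is the configuration a site administrator would maintain alongside the DOME login-path settings.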