IBM Worklight Authentication [duplicate] - ibm-mobilefirst

This question already has an answer here:
Differences between Form and Adapter Based Authentication in Worklight
(1 answer)
Closed 7 years ago.
What are the differences between form-based authentication and adapter-based authentication in IBM Worklight? Which is best for security?

The main difference between form-based and adapter-based authentication is that form-based authentication uses MobileFirst internal classes and methods, whereas with adapter-based authentication you are responsible for the authentication procedures (which should be located inside an adapter) - you only declare in the securityTest which procedures to use for login and logout.

Related

Use of isInternalUserID for Adapter Based Authentication

I am using the IBM MobileFirst Studio Plugin 7.0 and was following the tutorials for adapter-based authentication here: Documentation.
I see that isInternalUserID is not used to create the userIdentity object, unlike in the form-based authenticator Documentation. Can it be used? Or is it specifically so that the code to create the userIdentity needs to be done in the adapter?
There are two parts to the answer:
a) When using a custom security test, "isInternalUserID" is used to identify a particular realm as the one that will be used for creating user identity. If a realm is marked with "isInternalUserID" it means that only this realm is used for user identification.
There must be exactly one such realm for every security configuration that is applied to a mobile or web resource.
b) Adapter-based authentication allows the flexibility to develop custom authentication logic within a MobileFirst adapter. This is why you see that userIdentity is created and assigned by adapter logic (unlike in the form-based sample).
However, you will note that the generated identity is still assigned to the realm that is marked "isInternalUserID" in the security test.
More details:
Understanding predefined Worklight authentication realms and security tests
Security Tests
Implementing adapter-based authenticators
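The following is an added example, not code from the answer above or from the IBM tutorials: a Worklight adapter that performs adapter-based authentication and sets the user identity on the realm marked isInternalUserID. The realm name AdapterAuthRealm, the adapter name AuthAdapter, the user table and the authenticationConfig.xml fragment in the comment are all assumptions; the small WL.Server stand-in exists only so the file runs outside MobileFirst and is bypassed when the real WL object is present.

```javascript
// Added example (not from the original answer). Assumed authenticationConfig.xml wiring:
//
//   <customSecurityTest name="AdapterAuthSecurityTest">
//     <test isInternalUserID="true" realm="AdapterAuthRealm"/>
//   </customSecurityTest>
//   <realm loginModule="AuthLoginModule" name="AdapterAuthRealm">
//     <className>com.worklight.integration.auth.AdapterAuthenticator</className>
//     <parameter name="login-function" value="AuthAdapter.onAuthRequired"/>
//     <parameter name="logout-function" value="AuthAdapter.onLogout"/>
//   </realm>
//   <loginModule name="AuthLoginModule">
//     <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
//   </loginModule>

var REALM = "AdapterAuthRealm";

// Inside MobileFirst the runtime provides WL; outside it, use a stand-in that just
// remembers the identity per realm so the procedures below can run stand-alone.
var Server = (typeof WL !== "undefined") ? WL.Server : {
  _users: {},
  setActiveUser: function (realm, identity) { this._users[realm] = identity; },
  getActiveUser: function (realm) { return this._users[realm] || null; }
};

// Constructed credential store (assumption). A real adapter would verify against
// LDAP or a hashed-password table reached through Java or another adapter.
var USERS = {
  "alice": { password: "correct horse",  displayName: "Alice Example", role: "user" },
  "bob":   { password: "battery staple", displayName: "Bob Example",   role: "admin" }
};

// Compares two strings without short-circuiting on the first differing byte.
// Length still leaks, which is acceptable for a password check.
function constantTimeEqual(a, b) {
  var diff = a.length ^ b.length;
  var n = Math.max(a.length, b.length);
  for (var i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) | 0) ^ (b.charCodeAt(i) | 0);   // NaN | 0 === 0 past the end
  }
  return diff === 0;
}

function verifyCredentials(username, password) {
  // hasOwnProperty: "constructor" or "__proto__" must not resolve to Object.prototype members.
  var record = Object.prototype.hasOwnProperty.call(USERS, username) ? USERS[username] : null;
  // Always run the comparison so an unknown user costs the same as a wrong password.
  var ok = constantTimeEqual(record ? record.password : "", password);
  return (record && ok) ? record : null;
}

// login-function: invoked by AdapterAuthenticator when a protected procedure is
// called without an identity in the realm. The challenge is sent back to the client.
function onAuthRequired(headers, errorMessage) {
  return { authRequired: true, errorMessage: errorMessage || null };
}

// Called by the client with the submitted credentials. Only after verification
// does the adapter create the identity and assign it to the isInternalUserID realm.
function submitAuthentication(username, password) {
  var record = verifyCredentials(String(username || ""), String(password || ""));
  if (!record) {
    // Same message whether the user or the password was wrong.
    return onAuthRequired(null, "Invalid login credentials");
  }
  var userIdentity = {
    userId: username,
    displayName: record.displayName,
    attributes: { role: record.role }
  };
  Server.setActiveUser(REALM, userIdentity);
  return { authRequired: false };
}

// A procedure that the adapter XML protects with AdapterAuthSecurityTest.
function getSecretData() {
  var user = Server.getActiveUser(REALM);
  if (!user) { return onAuthRequired(null, null); }       // defence in depth; the security test normally prevents this
  return { secretData: "for " + user.userId + " only", role: user.attributes.role };
}

// logout-function: clearing the identity on the realm ends the authenticated session.
function onLogout() {
  Server.setActiveUser(REALM, null);
}
```

The point to take from this: with the adapter-based authenticator the platform only enforces that an identity exists in the realm marked isInternalUserID; what it takes to earn that identity is entirely the adapter's responsibility, so the credential check, the error message and the logout path are yours to get right.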

Domino Apps & LTPAToken

I am trying to achieve SSO for applications deployed on a Lotus Domino HTTP server using an access management system (OAM). I have a few questions around the LTPAToken and Domino HTTP servers.
Env Details:
a. Domino HTTP Server 7.0.2
b. Applications deployed are based on Java.
1. Is an LTPAToken mandatory for an application to work on the Domino HTTP server?
2. Can an application create a session using header variables etc. without the LTPAToken?
Thanks,
Malli.
To answer your two questions:
1. The LTPA token is used by the session authentication method "Multiple Servers (SSO)". The Domino HTTP server also supports basic authentication and session authentication, neither of which requires an LTPA token.
2. Yes - see the answer to 1.
You can learn more in the Securing section of the IBM Domino knowledge center - specifically in the following sections:
http://www-01.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/admin/conf_nameandpasswordauthenticationforinternetintranetcl_c.dita
http://www-01.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/admin/conf_multiserversessionbasedauthenticationsinglesignon_t.dita

Claims based Authorization

We are planning to use ADFS to federate. One big challenge we find is that not all applications are claims-aware, and every application has different role-based access. In such a case, how can we achieve 100% SSO authentication and authorization using identity claims?
In case ADFS cannot support such a requirement, what other vendor solutions are available which can support it?
A claims-aware application in the .NET world uses WIF / WS-Federation to get a set of claims in a SAML token which are then used to control user access and functionality.
ADFS only answers to WS-Federation or SAML requests.
So to get a non-claims-aware application to use ADFS, the application needs to be changed to add support for either of these protocols.
Refer: SAML : SAML connectivity / toolkit and the links inside the post.
Or you could go the other way and put something like an OpenAM agent around the applications and then federate OpenAM and ADFS.
ADFS on Server 2012 R2 has a new feature as part of the Web Application proxy, refer Create a Non-Claims-Aware Relying Party Trust.
There's a walkthrough here - Walkthrough Guide: Connect to Applications and Services from Anywhere with Web Application Proxy
and a good example here - First Impressions – AD FS and Windows Server 2012 R2 – Part II.

How to display data in worklight using SQL adapter

When a user enters the login and password I cannot display his profile (information from the database) in the next page. I used a SQL adapter to connect to the database, but so far the only thing I can do is show the information using a JavaScript "alert", not in the page that follows the authentication page.
I'm using Dojo, if it is necessary to mention.
As you did not ask anything technical, I will point you to the Getting Started material. Familiarize yourself with Worklight adapters and authentication concepts (also look at the sample applications). If you then have a technical question, ask.
Worklight Adapters
Authentication in Worklight
To display data retrieved via a SQL adapter, see this question (it does not implement authentication, you'll need to combine the two on your own): How to use adapter inside the application in worklight
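As an added example that is not part of the answer above or of the linked question, here is how the two halves fit together: a SQL adapter procedure that returns the profile of the user who just authenticated, and the Dojo page's success callback that writes the row into the page instead of an alert. The adapter name UserProfileAdapter, the realm AdapterAuthRealm, the USERS table and its columns, and the constructed row returned by the WL.Server stand-in are all assumptions; in a real deployment the two parts live in the adapter's -impl.js and in the app's main.js respectively.

```javascript
// Added example (not from the original answer).
// ---- server side: UserProfileAdapter-impl.js ----
var REALM = "AdapterAuthRealm";

// The runtime provides WL inside MobileFirst. Outside it, a stand-in supplies one
// logged-in identity and one constructed database row so the file runs offline.
var Server = (typeof WL !== "undefined") ? WL.Server : {
  _identity: { userId: "alice", displayName: "Alice Example" },
  getActiveUser: function () { return this._identity; },
  createSQLStatement: function (sql) { return { sql: sql }; },
  invokeSQLStatement: function (opts) {
    return { isSuccessful: true, resultSet: [
      { USERID: opts.parameters[0], EMAIL: "alice@example.test", BIO: "<b>hi</b><script>alert(1)</script>" }
    ] };
  }
};

// Prepared statement created once, outside the procedure; the value is bound with "?"
// rather than concatenated, so profile data can never alter the query.
var getProfileStatement = Server.createSQLStatement(
  "SELECT USERID, EMAIL, BIO FROM USERS WHERE USERID = ?");

// The procedure takes no user id from the client: the row is selected by the identity
// the authentication realm holds, so one user cannot request another user's profile.
function getUserProfile() {
  var user = Server.getActiveUser(REALM);
  if (!user) { return { isSuccessful: false, errors: ["not authenticated"] }; }
  return Server.invokeSQLStatement({
    preparedStatement: getProfileStatement,
    parameters: [user.userId]
  });
}

// ---- client side: main.js of the Dojo app, after login succeeded ----
// WL.Client.invokeProcedure(
//   { adapter: "UserProfileAdapter", procedure: "getUserProfile", parameters: [] },
//   { onSuccess: showProfile, onFailure: function (r) { /* show r.errorMsg */ } });

// Database content is untrusted when it reaches the page: escape it before it becomes markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
  });
}

// Builds the profile markup from the invocation result (SQL adapter rows arrive in resultSet).
function profileHtml(response) {
  var r = response && response.invocationResult;
  if (!r || !r.isSuccessful || !r.resultSet || r.resultSet.length === 0) {
    return "<p>Profile not available</p>";
  }
  var row = r.resultSet[0];
  return "<dl><dt>User</dt><dd>" + escapeHtml(row.USERID) + "</dd>" +
         "<dt>Email</dt><dd>" + escapeHtml(row.EMAIL) + "</dd>" +
         "<dt>Bio</dt><dd>" + escapeHtml(row.BIO) + "</dd></dl>";
}

// onSuccess callback: renders into the profile view (dom.byId("profile") in a Dojo app)
// and returns the markup so it can be checked without a browser.
function showProfile(response) {
  var html = profileHtml(response);
  if (typeof document !== "undefined" && document.getElementById("profile")) {
    document.getElementById("profile").innerHTML = html;
  }
  return html;
}
```

Two details matter for security here: the procedure binds the user id from the realm's active user rather than from a client-supplied parameter, and the client escapes every column before it touches innerHTML, because a value stored in the BIO column is as untrusted as anything typed into a form.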

Tomcat authentication using SPNEGO/Kerberos and delegation

Is there an apache module that implements Kerberos authentication for use by Tomcat and also supports Kerberos delegation?
I've already looked at mod_spnego and it throws away the SSPI context it creates, keeping only the principal name. Instead, I'm looking for a module that would allow for the delegation of the ticket sent to Tomcat - that is, taking the service ticket sent for authentication and using it server-side to access another service on behalf of the user.
EDIT: To clarify, I need to impersonate under Win32 using the GSS/SSPI context so when legacy code connects to another server, the delegated credentials are used.
WAFFLE (Windows Authentication Functional Framework) now provides that feature starting from v1.4beta.
It provides a ServletFilter that uses native Windows APIs to authenticate the user, using either Basic or Negotiate authentication. The user can then be impersonated, and native API calls will be performed with the access token of the impersonated user.
How about using the JAAS realm and using the kerberos 5 JAAS module?
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JAASRealm
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
Looks like it might require a little coding, but the pieces should be there.
Here's a tutorial: http://spnego.sourceforge.net/credential_delegation.html. It implements Kerberos/SPNEGO as an HTTP Servlet Filter and supports credential delegation.