Docker unable to perform login against SSO / Federation Services via Apache & Shibboleth modules - apache

I have a private Docker registry sitting behind a secure instance of Apache / Ubuntu in Amazon cloud. Apache handles the corporate authentication via Shibboleth module (single-sign-on). So, using a web browser, there is no issue in searching and deleting container images in the registry after successful authentication. However, the command "docker login https://some.domain" including username, password and email from a different server just hangs and does not respond. Unfortunately, Apache, docker registry and shibboleth logs are not very helpful either even in debug mode.
I will be very keen to hear from anyone who has experience in securing a private docker registry via Apache & shibboleth where corporate enterprise IDs and SSO are required.

Shibboleth authentication via the Apache mod_shib module requires redirecting the end-user back to their home Identity Provider (IdP) where they will then be redirected back to the application's Service Provider (SP) with a valid session. This is a great pattern for fully-web-based applications, but this model can't be applied to command-line applications or applications that can't follow this model of web-based redirection.
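One way to see this from the registry side is to look at what an unauthenticated GET /v2/ actually returns: the docker client can act on a 401 with a Basic or Bearer challenge, but not on the 302 that mod_shib issues toward the IdP. The following is an added example, not code from this thread; the two raw responses are constructed to stand in for the two cases.

```python
"""Classify what an unauthenticated GET /v2/ on the registry returns.
The docker client expects a 401 with a Basic or Bearer challenge; a
browser-style SAML redirect from mod_shib is something it cannot follow.
Added example, not code from this thread; the responses below are constructed."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a registry guarded by plain HTTP authentication.
REGISTRY_CHALLENGE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Docker-Distribution-Api-Version: registry/2.0\r\n"
    b'WWW-Authenticate: Basic realm="Registry"\r\n\r\n'
)
# Constructed sample: mod_shib intercepting the request and bouncing it to an IdP.
SHIB_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://idp.example.com/idp/profile/SAML2/Redirect/SSO"
    b"?SAMLRequest=fZHBbsIwDIbv...constructed...\r\n\r\n"
)

def parse_response(raw: bytes):
    """Return (status_code, {lowercased header name: value}) from a raw HTTP/1.1 response."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(raw: bytes) -> str:
    """Say whether the endpoint answers with a client-usable challenge or an SSO redirect."""
    status, h = parse_response(raw)
    if status == 401 and "www-authenticate" in h:
        scheme = h["www-authenticate"].split(None, 1)[0].lower()
        if scheme in ("basic", "bearer"):
            return f"docker-compatible: 401 with {scheme} challenge"
        return f"unusual: 401 with {scheme} challenge"
    if status in (301, 302, 303, 307) and "location" in h:
        target = urlsplit(h["location"])
        is_saml = ("SAMLRequest" in parse_qs(target.query)
                   or "/Shibboleth.sso/" in target.path
                   or "/idp/profile/SAML2" in target.path)
        if is_saml:
            return (f"sso-intercept: redirect to {target.netloc} carrying a SAML request; "
                    "the docker client cannot complete this flow")
        return f"redirect: {status} to {target.netloc}"
    if status == 200:
        return "open: 200 without a challenge"
    return f"other: {status}"
```

Feeding the real response captured with curl -i against the registry into classify() tells you in one line whether the SP, rather than the registry, answered.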

Related

Guide on how to setup authentication via Azure ADFS for an application running on Tomcat

We have an application running on Tomcat currently and using LDAP as the means to authenticate users to our enterprise AD.
It is required to migrate this application to cloud (on AWS EC2) and to integrate with ADFS over SAML for login with MFA enabled.
Wondering if there are any guides on the steps to be followed to make this happen? What are the configurations that I need to enable in ADFS for my application, and what configuration changes are needed in the Tomcat server.xml to have the connector integrate with ADFS rather than LDAP? Thanks.
Regards,
Raunak
Not a Tomcat guru but from the point of view of ADFS and SAML:
You need to use a client-side SAML stack in your application. This provides the SAML plumbing.
You then need to add a SAML RP to ADFS.
For MFA, typically you use Azure AD to provide the MFA.
(There used to be an on-premises ADFS MFA Server - that is now deprecated).
If that is not an option, there are third-party providers.

Apache directory with Shibboleth IDP

How can we generate idp-metadata when using Apache Directory Service with Shibboleth IDP? I am working on setting up an SSO environment on my local machine using Shibboleth SP, Shibboleth IDP and Apache Directory Service. Currently, when I try to access my application from the Apache server, I get the following error on the page:
opensaml::saml2md::MetadataException
opensaml::saml2md::MetadataException at (http://localhost:91/WebUI/)
Unable to locate metadata for identity provider (https://localhost:9443/idp/shibboleth)
Usually, in a production scenario, we get the idp-metadata from the client and just need to enter the location etc. in shibboleth2.xml, but I am setting everything up on my local machine, so I need to know how to generate and use idp-metadata.
Thanks,
Ritesh

Apache: Microsoft Azure and SSO Auth

Is it generally possible to have Microsoft Azure in the background act as an SSO authentication server for Apache auth?
The example is:
There are many users inside Microsoft Azure
I have a webpage on a Linux server served by Apache2
The webpage should be protected (exactly like basic-auth) by Azure (via SSO)
If the user is signed in to Azure and has rights, he can see the website
If the user is not signed in, he will be redirected to Azure's login page and after successful login will be redirected back to the webpage.
Is this generally possible?
If so what technologies/modules do I have to use for apache in order to speak with Azure?
Thanks for any hints towards the right direction.
Update
The Azure server is already fully configured. I just need to sort out the end on Apache.
I think what you are looking for is Azure Active Directory. It is an Identity as a Service product that supports modern protocols like OAuth and OpenID Connect. There's a client SDK called ADAL (Active Directory Authentication Library), but since these are standard protocols, you can integrate with other standards-based authentication libraries. For example, the node.js tutorial shows how to use passport.
You didn't mention what web stack you are using but it's most likely listed here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-developers-guide/
On a side note: if you can host your app on Azure Web App Service then it has built in integration with Azure Active Directory, so you can add a layer of authentication on top of your website without modifying your application code.
More info on that here: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/

WebSeal authentication how to get started

I am working on implementing WebSEAL single sign-on so that the user does not have to enter credentials for a particular web application if the user is already logged in via Windows authentication. Can anyone please point me in the right direction? I am new to WebSEAL.
WebSEAL has something called junctions. You can create WebSEAL junctions and configure them to point at the application web servers. Suppose your SSO solution involves 3 applications; then three WebSEAL junctions have to be created. WebSEAL will act as a reverse proxy in this case. So when a user tries to access any one of the applications, he will be challenged with a login screen from WebSEAL. The user will be authenticated against LDAP (you need to map your LDAP in WebSEAL) and his session will be maintained at WebSEAL. Once authenticated, user information will be sent to the application servers via the junction in HTTP headers. Now when the user accesses the other two applications, he will not be challenged with authentication. His information will be sent to the application servers directly via headers, as WebSEAL maintains his session.
For more info:
https://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1359-00/en_US/HTML/am51_webseal_guide16.htm
WebSEAL supports Windows single sign-on using the SPNEGO protocol and Kerberos authentication. Read this link for configuration steps:
https://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1359-00/en_US/HTML/am51_webseal_guide78.htm#sso-windows-desktop

Passing windows security token to an object that calls another webservice using NTLM and windows authentication

I have a web application that calls an object of a referenced dll/api that calls a wcf service.
Machine 1 = where the wcf service resides
Machine 2 = IIS server, the web application that uses the api that calls the service from Machine 1
My code:
using System.Security.Principal;
// identity is the caller's WindowsIdentity, e.g. (WindowsIdentity)HttpContext.Current.User.Identity
using (WindowsImpersonationContext ctx = identity.Impersonate())
{
    //Call to the API goes here
}
When I access the website from Machine 2 (the IIS server), it works. But when I access the website from another client machine, it gives me the error "The Request Token Could not be satisfied".
NOTE: The api is already final, and cannot modify it anymore.
Any help would be greatly appreciated.
Thanks
You cannot do NTLM and then Kerberos over multiple hops (servers). You need to use Kerberos to delegate windows authentication over all the hops.
You need to configure SPNs to enable Kerberos to delegate authentication across machines.
To configure these, you will have to issue the following commands, assuming you have rights to modify AD:
SETSPN -S HTTP/Machine1 ADDomain\AppPoolCredential1
SETSPN -S HTTP/Machine1.domainname.com ADDomain\AppPoolCredential1
SETSPN -S HTTP/Machine2 ADDomain\AppPoolCredential2
SETSPN -S HTTP/Machine2.domainname.com ADDomain\AppPoolCredential2
Where ADDomain\AppPoolCredential is the credential of the app pool. Note that you cannot use Network Service as the app pool credential to get Kerberos delegation to work; you need to use a domain account.
In AD, you need to enable Kerberos delegation for the following objects:
ADDomain\AppPoolCredential1
ADDomain\AppPoolCredential2
Machine1
Machine2
For more information, see here
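Before running the SETSPN commands, it is worth checking the plan for the two things that most often break this setup: the same SPN registered on more than one account, and an app pool identity that is not a domain account. The following is an added example, not code from the answer; it validates the answer's own four lines, and the parsing and the short-name/FQDN pairing rule are my assumptions.

```python
"""Sanity-check an SPN plan like the SETSPN lines in the answer above before
applying it: duplicate SPNs break Kerberos outright, and the app pool must run
as a domain account for delegation to be configurable.
Added example, not from the original post; PLAN holds the answer's placeholders."""
import re
from collections import defaultdict

SETSPN_LINE = re.compile(r"^\s*setspn\s+-[SA]\s+(?P<spn>\S+)\s+(?P<account>\S+)\s*$", re.I)
# Built-in identities that cannot carry Kerberos delegation here (per the answer).
NON_DOMAIN_IDENTITIES = {"network service", "networkservice", "local system",
                         "local service", "applicationpoolidentity"}

PLAN = """
SETSPN -S HTTP/Machine1 ADDomain\\AppPoolCredential1
SETSPN -S HTTP/Machine1.domainname.com ADDomain\\AppPoolCredential1
SETSPN -S HTTP/Machine2 ADDomain\\AppPoolCredential2
SETSPN -S HTTP/Machine2.domainname.com ADDomain\\AppPoolCredential2
"""

def parse_plan(text):
    """Return [(spn, account)] from SETSPN -S/-A lines; other lines are ignored."""
    return [(m["spn"], m["account"]) for m in map(SETSPN_LINE.match, text.splitlines()) if m]

def check_plan(text):
    """Return a list of problems; an empty list means the plan is internally consistent."""
    problems, owners, hosts = [], defaultdict(set), defaultdict(set)
    for spn, account in parse_plan(text):
        owners[spn.lower()].add(account.lower())
        # Accept DOMAIN\name or name@domain; anything else is a local/built-in identity.
        name = account.split("\\", 1)[1] if "\\" in account else account.split("@", 1)[0]
        if ("\\" not in account and "@" not in account) or name.lower() in NON_DOMAIN_IDENTITIES:
            problems.append(f"{spn}: '{account}' is not a domain account; delegation needs one")
        service, _, host = spn.partition("/")
        if service.upper() == "HTTP":
            hosts[account.lower()].add(host.lower())
    for spn, accounts in owners.items():
        if len(accounts) > 1:
            problems.append(f"duplicate SPN {spn} on {sorted(accounts)}; Kerberos fails on ambiguous SPNs")
    # The answer registers both the short name and the FQDN for each host; flag a missing half.
    for account, names in hosts.items():
        short = {h for h in names if "." not in h}
        fqdn = {h.split(".", 1)[0] for h in names if "." in h}
        for h in short - fqdn:
            problems.append(f"{account}: HTTP/{h} registered without its FQDN form")
        for h in fqdn - short:
            problems.append(f"{account}: HTTP/{h} FQDN registered without the short name")
    return problems
```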
NTLM works within a machine with the local security context. If you want to use NTLM across different machines, these machines should share the same security context, like an Active Directory domain. If your site (where the machines are) does not have the same security context, this will not work. You can use a client certificate by changing the service's config, without changing the dll or code.