IBM Application Center - Create groups / users - ibm-mobilefirst

In IBM Worklight Application Center group / user management, I don't have an LDAP or WAS user list.
I am able to create new groups, and if I try to create some users, Application Center will search for the users in the LDAP/WAS user group. If that user is not available in the LDAP or WAS user group, it will create the user with username and display name. How do I set the password for those users?

You cannot set passwords for users internally inside IBM Worklight Application Center; that is, there is no Application Center UI for it. You must set them by configuring the web server. The web server authorizes who can access the web application, but Application Center (as a web application) does not manipulate the authorization mechanism of the web server itself. Application Center is not a web server administration tool (and that's by design, for web server security reasons). Hence it assumes the user list and passwords are handled externally to Application Center.
For instance, in Tomcat, you edit tomcat-users.xml. In WebSphere Application Server, including the Liberty profile, there are several mechanisms, for instance editing server.xml. If you use LDAP, you must add the user to your LDAP. All this happens outside Application Center.

Related

MobileIron with SharePoint for authentication

Do we have any built-in feature to authenticate and authorize a user from MobileIron to SharePoint?
The user will be authenticated via MobileIron; now he must be logged in to SharePoint seamlessly.
With MobileIron you can use Kerberos Constrained Delegation (KCD) for seamless authentication to a system behind the MobileIron Sentry / accessed through the Sentry. There is a dedicated document available through support access from MobileIron where this stuff is explained in detail.
At this point I'll only point out the overall process to access SharePoint with the MobileIron Web@Work browser:
You have to deploy a user certificate through MobileIron for user authentication.
Also you need to set up KCD for the SharePoint site / web server: an Active Directory (AD) service account for obtaining Kerberos tickets from the Domain Controller (DC), configuring a Service Principal Name for the resource you want to access, and authentication delegation for the service account & resource.
Configure a Web@Work config with a service definition to access the dedicated SharePoint site with KCD.
If all is in place the access / authentication process is as follows:
When the device connects to the Sentry to access the configured SharePoint site / web server, it authenticates with the user certificate to the Sentry and sends the requests to the resource. The Sentry goes to the Key Distribution Center (KDC), that's a service on an AD DC, requests a Kerberos ticket for the user with the service account and attaches this ticket to the forwarded web request to the SharePoint web server.
As you can see it's not very simple to set it up but it works fine and the users will love you ;-)

Always error authenticating through ADFS 2.0

I've managed to set up two virtual machines on my local Windows 7 laptop. Both of them are Windows Server 2008 R2. One acts as the Active Directory Domain Controller and also as Active Directory Federation Services, and the other as the web app server. This second one is where I've set up my claims-aware ASP.NET MVC web application, and I also plan to set up Thinktecture Identity Server later as my way to authenticate against custom usernames and passwords outside AD.
I've successfully implemented the installation and configuration needed for connecting our ASP.NET MVC apps through ADFS. They include:
Configure the first server as Domain Controller and add a domain account store (add a user for testing -> this user belongs to the Domain Users group).
Configure the first server also as Active Directory Federation Services.
Configure the relying party trust identifier from the federation metadata generated by FedUtil.exe on the second server.
Configure group claim mapping and assign Domain Users to this group.
Configure the web apps server to be a claims-aware agent.
The one thing that's always troubled me is that every time I access my apps, it successfully prompts the login dialog box. Once I enter my AD account and password, it always gives me the following error message: "There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: c558ed55-b203-42cc-b6bd-3d66bddb96cd".
Any idea from you guys how to get this to work? Any suggestions and ideas will be highly appreciated.
Have you looked in the event log?
Open Event Viewer > Go to Applications and Services Logs > AD FS 2.0
You'll see a list of errors which should give you some more guidance.
If you see the ADFS login screen, you can get to ADFS so I suspect it's something to do with your RP configuration.
Just to check - you are using ADFS 2.0 which you downloaded?

SSO from SharePoint application to the IBM Lotus Domino server

I need to use the .NET token (or FedAuth cookie) to get a Domino credential from Active Directory.
The same need is described in:
Lotus Notes and c# SSO.
Internet users are logged in to a SharePoint application and have to open a form in Domino.
My Domino server is configured with Assistant Directory; the users are managed in Active Directory and not in names.nsf. This works well. I can make a POST to automatically log in a user of the AD.
But SharePoint doesn't have the user password! Ideally it would be cool to POST the cookie... or run an agent that will query Active Directory in the back end with the cookie to verify it. Is there a way to do this?
My Domino is 8.53 so I can't use SAML (if someone did this with Domino 9.0 I will be pleased to know :-).
There is an SSO using SPNEGO which can be set up on Windows-based Domino servers.
More information about it can be found in the Domino Administration help (the steps are very well documented) and here:
Wiki: Deploying Windows single sign-on for Web clients (SPNEGO) in an existing Domino environment
Basically the steps to enable this are (details in the Notes admin help and the linked document):
Set an SPN on your Windows server (to allow this server to pass Kerberos tickets to the AD)
Enable SSO on the Internet Site / Server doc
In the SSO Configuration: add all servers for which you will need SSO and enable Windows-based SSO
Add a name mapping to your Person docs (Kerberos Principal Name field) and set the notes.ini entry WIDE_SEARCH_FOR_KERBEROS_NAMES=1 on your Domino server to include this field in the name lookup
Configure the browser: IE: trusted sites (add your host names); Firefox: add the Domino host to network.negotiate-auth.trusted-uris
Hope that helps - Michael
You could generate your own Domino Ltpa token (cookie) from sharepoint upon login. So long as the domains are set up ok, the browser should pass this to the Domino server and automatically log them in.
Feel free to contact me directly if you need specific help.
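The LtpaToken the answer above proposes, as an added example that is not part of the original post: a Python issuer and verifier for the commonly documented Domino-style LtpaToken layout (header bytes 0x00010203, creation and expiry times as 8 hex characters, the user name, then a SHA-1 over those bytes plus the decoded LTPA_DominoSecret, all base64-encoded). The secret and user name here are constructed; the real secret comes from the Domino SSO configuration document, and a token may only be issued after SharePoint has authenticated the user.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Domino-style LtpaToken layout (as commonly documented; verify against your Domino admin help):
#   base64( HEADER | created(8 hex) | expires(8 hex) | username | SHA1(same bytes | secret) )
HEADER = b"\x00\x01\x02\x03"
MAC_LEN = 20  # SHA-1 digest length

# Constructed sample secret. The real value is the base64 LTPA_DominoSecret from the
# Domino SSO configuration document and must be shared with the issuing (SharePoint) side.
SAMPLE_SECRET_B64 = "c2FtcGxlLXNlY3JldC1mb3ItZGVtbw=="


def make_ltpa_token(username: str, secret_b64: str, now: Optional[int] = None,
                    lifetime: int = 30 * 60) -> str:
    """Issue an LtpaToken cookie value for an already-authenticated user."""
    now = int(time.time()) if now is None else now
    created = f"{now:08X}".encode("ascii")
    expires = f"{now + lifetime:08X}".encode("ascii")
    user = username.encode("utf-8")  # Domino expects LMBCS; ASCII names are identical
    body = HEADER + created + expires + user
    mac = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    return base64.b64encode(body + mac).decode("ascii")


def verify_ltpa_token(token: str, secret_b64: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the token is authentic and inside its validity window, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < len(HEADER) + 16 + 1 + MAC_LEN or raw[:4] != HEADER:
        return None
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    try:
        created, expires = int(body[4:12], 16), int(body[12:20], 16)
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if not created <= now < expires:
        return None
    return body[20:].decode("utf-8", errors="replace")
```

Because the MAC covers the expiry and user name, a token with a tampered name or a shifted expiry is rejected before any time check runs; the domain and path of the cookie still have to match what the Domino server expects, as the answer notes.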

Restrict access to authenticated users only

We are developing a self-registration app.
Our app allows users to register for web apps and is deployed on a WebLogic 10.3.5 app server. The WebLogic server is connected to a local LDAP system.
Once the user registers with our app we call corporate services to generate a user id. Password activation and authentication are all handled by the corporate services, which also have a corporate LDAP that contains all users in the company.
The approach works fine for 'new users', i.e. users that are not present in the corporate LDAP or the local LDAP: users enter their details and are issued a user id which we then copy into the local LDAP once the user activates their account.
The use case we're grappling with at the moment is how to handle 'existing' users that wish to register. These are users that are currently in the corporate LDAP and wish to 'register' with our applications. They get rejected during the normal registration process as they already exist in the corporate LDAP.
What I'd like to do is force them to log in (simply so they don't register on behalf of someone else) and once they're logged in simply copy their data into the local LDAP.
The problem is that even if they are successfully authenticated by the corporate service, they don't exist (yet) as far as the WebLogic server is concerned. Is there a way to obtain the user id that comes with the authentication token?
The authentication method is SAML 1.1.
The application is a standard Java EE servlet-based webapp using the Struts2 framework.
Any ideas would be much appreciated.
Within WebLogic, you can define multiple authentication providers and set them up in the order you would like the system to use. Since you are copying data over, you would have to programmatically check for the existence of the account before attempting to create it on the LDAP server.
It would be a lot simpler if you use the external LDAP server directly instead of copying the data to the internal LDAP server, letting you attempt logging the user in and creating the account only while catching the appropriate exception.

RBAC for single application on WebSphere App Server

I want to use role-based access control for the authorization of one of the applications on a WebSphere application server, but as far as I've seen the users and roles are defined at application server level, and not for a single application. Is that right, or if it isn't, could you please tell me how to define the roles for my application?
The problem with declaring the roles on server level is that there are multiple independent applications on the server.
1) To do this kind of role-based mapping you need to have security enabled in WAS.
2) After you have installed your application, open the admin console of WebSphere Application Server. List the installed applications and click on your application. You should find a link called "Security role to user/group mapping". The wizard will then guide you to map the role you want to the application.