I've 2 distinct webapp:
a CRM webapp which show customer resume to office users
a portal webapp for customer users
my CRM webapp use a combination of LDAPManager and InMemoryManager with a BasicAuthenticationFilter and BasicAuthenticationEntryPoint
my portal use a classic JDBC Manager with a standard UsernamePasswordAuthenticationFilter
Now, I need access transparently to my portal from my CRM webapp.
For example, I work in office on the CRM webapp. A customer call me and ask explanations about what is mentionned in Portal.
I would be possible for office user to access Portal as a customer from a http link in the CRM customer account page.
So I would bypass my LoginUrlAuthenticationEntryPoint and access directly to the customer account.
EDIT after Michael help, I realize that I need to keep a trace of which CRM user access to which portal account :
My questions are :
- should I use PreAuthenticatedManager or RunAsManager?
- do I need declare a 2nd EntryPoint?
- what about AuthenticationFilters?
- Is to possible to recover a user BASIC authenticated from my CRM webapp in my new portal AbstractPreAuthenticatedProcessingFilter ?
I have the following assumption / conclusion from your explanation:
1) The CRM user repository and the portal user repository have different users
2) CRM users should not know portal users passwords
I do not think you need to use RunAsManager.
(When you use RunAsManager it mean you first authenticate as a CRM user in the portal and then replace the authentication by a portal user authentication. I do not think you can authenticate a CRM user against the portal user repository.)
I suggest to create your own “AuthenticateAs” functionality: when a CRM user press on a link in a CRM page of a portal user it will be authenticated in the portal as a portal user without providing a password.
How it works?
1) When a CRM user presses a link the parameter with an encrypted portal user name is added to URL.
2) When the request with an encrypted portal user name access to the portal application, a new created PreAuthenticatedProcessingFilter decrypt the user name and authenticate the user
That’s it :)
Couple of comments:
1) Please use AES-258 algorithm to encrypt / decrypt the user name
2) Please ensure that the key for encrypt / decrypt can not be accessed by HTTTP
3) You can extend AbstractPreAuthenticatedProcessingFilter for your
PreAuthenticatedProcessingFilter
4) I strongly suggest to create two roles in the portal application: USER_WRITE_ROLE and USER_READ_ROLE. When a CRM user access using “AuthenticateAs” authentication - it should get USER_READ_ROLE. When a portal user access using regular authentication - it should get USER_ WRITE_ROLE.
5) You should think how a CRM user will perform the logout for a portal user (otherwise he always will work on the first user). The simplest way I can think about it - PreAuthenticatedProcessingFilter should process each request (even it authenticated) and if it contains the parameter with the user name to clean the portal user session and to perform the new authentication.
Please tell me what you think about the suggestion and tell me if you need any additional clarifications.
Best regards,
Michael
P.S. Added after the question was edited.
The simplest way to track CRM users on the portal is to add the additional encrypted parameter to the URL with the CRM user name
Related
I am building a web application for a client, where I will have to set it up on their Windows Server via IIS. I will have to integrate their base of users into my application via Active Directory (not Azure Active Directory). I have already included Windows authentication into my application and it seems to work on my local computer.
What I want to know is:
How to change the login prompt into my custom login page?
How to change the username of the authenticated user (right now when I sign in, I have to write down the name of the device and the name of the user. for example: _device/_user). What I want is for the user to simply be able to only write their username, not device name.
How to manage the access of the users, and how to add roles to them inside the application. Since the user is signed In. I now want to know how do I assign this user a certain role, so I can restrict access to certain pages based on that.
I have been looking through some documentation but not much is mentioned about Active Directory integration or the questions that I have listed above.
Steps;
You need to have System.DirectoryServices and System.DirectoryServices.AccountManagement references in your project, if you want to access AD.
Configure AD name and AD Organizational Units in appsettings.js ActiveDirectory": { "ActiveDirectoryDomainName": "Your Domain", "ActiveDirectoryOrganizationalUnits": "Your AD units" }
In your class method:
Fill your user object with AD values like userPrincipal.EmailAddress,userPrincipal.GivenName,userPrincipal.Guid.Value and etc.
If you want to manage users with roles, then take the GUID from AD (userPrincipal.Guid.Value) and store it another table and map that GIUD with required roles.
Note: If you can share some images and codes
I try to give new users in our domain access to our VSTS. We have MSDN enterprise subscriptions via MPN. The subscription is assigned and visible for the user if he logs in my.visualstudio.com with his work account. If the user tries to access the VSTS at [ourprojects].visualstudio.com he gets “VSTS login fails with 401 not authorized – [user] has multiple accounts associated with it. Your work or school account does not have access to [ourprojects].visualstudio.com, but your personal account does have access. “.
Signing in with the personal account as suggested by the error message leads to another error: “This Microsoft account does not exist.” This is correct. The account in charge is definitely a work account in Microsoft Azure Active Directory. So the first error message is somehow strange and leads into the wrong direction.
Our domain accounts are synchronized with Azure Active Directory (AAD). I can see the new users both in our domain and AAD. The user can login into my.visualstudio.com with his work account. So sync with Windows Server AD and AAD looks working correctly. MSDN assignment works, too.
Loggin into my.visualstudio.com redirects to the login page of our domain. thsi is corect and works fine. But this redirect does not take place loggin into VSTS.
For other older accounts in our domain VSTS access with work account works completely fine. Has anybody experienced similar problems?
Finally I talked to Microsoft support. It turned out that this VSTS account is not backed by Azure Active Directory. It has to be converted to do so.
To check if a Azure DevOps/VSTS account is backed by AAD, you can look in the settings page ("gears"->Settings) of Azure DevOps at the very bottom.
I am trying to configure Grafana for my organization. I was able to configure LDAP and MySQL database pretty easily but when I try to invite a new user to an org in Grafana, it always asks the user to join Grafana.
This would be an OK behavior if at that point Grafana would authenticate against LDAP. Instead, it creates a new user in its own database. This would lead to conflict with LDAP in case the user's AD passwords changes.
This works perfectly when a user had previously logged in to Grafana. An invite sent after would directly take the user to login page.
Is it possible to do the same in case the user is not already registered in Grafana? I really want to avoid saving user credentials in Grafana database.
Any help would be appreciated. Thanks.
I am not a Grafana expert, but looking through the source code on GitHub it certainly seems that new user registration will not go through LDAP. This is obvious in the LDAP related configuration file where you see the read-only credentials needed to look up users in the LDAP directory. A read-only administrator in LDAP will not be able to create new users as this would be necessary during a registration step. The code also indicates that registration creates temporary users in the internal store.
I need to build an app with Office 365 API and tried several examples provided here: https://msdn.microsoft.com/en-us/office/office365/howto/starter-projects-and-code-samples.
I manage to login to tha app with a user from within my own Azure Active Directory, e.g. user.name#tenant.onmicrosoft.com.
But, whenever I use another Office 365 account from another domain e.g. user#pivabo.be I get this error:
AADSTS50020: User account 'user#pivabo.be' from external identity provider 'https://sts.windows.net/908b6c6d-f582-461d-9e73-88a4e48f5d88/' is not supported for application 'df1a02fd-f096-46df-9b5a-5cf1b0f9ef6d'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.
The defined application in Azure is set to Multi-tenant!!
I also tried to add the foreign users to my AAD but everytime I get the message "This Microsoft account does not exist"
EXCEPT: I also made a hotmail account which I was able to add to my AAD and with this account logging in to the app was succesfull. But, without adding it to my AAD I get the above error message.
Any help would be welcome.
Make sure you are using "https://login.microsoftonline.com/common/..." and not "https://login.microsoftonline.com/[your tenant name]" when forming authorization link.
I am late to the party, but what it fixed for me was that I had to use "common" as tenantId.
Using the Jenkins OpenID plugin I'm able to configure Jenkins to use my Google Apps OpenID as a provider. Anonymous users are still able to access that application (they have read access only), but I want to have it so that users are forced to login using the Google App domain or they are denied access.
I'm currently using the Jenkins Authorization setting of "Logged in users can do anything", I've tried using the "Matrix based authentication" and denying anonymous users, assuming logged in users would still have permissions, is there a special group value I can use for "logged in users" in matrix based authentication?
It seems like "Matrix-based security" will only work for specific users when using Google Apps OpenID (I don't believe Google apps for domains has support for OpenIDTeam extension
Yes there is a special group you can use to do this but finding the information about how to do it isn't obvious.
If you hover over the 'Overall - Read' column on the Matrix-based security table you'll get the solution.
It states
The read permission is necessary for viewing almost all pages of Jenkins. This permission is useful when you don't want unauthenticated users to see Jenkins pages - revoke this permission from the anonymous user, then add "authenticated" pseudo-user and grant the read access.
I use the following technique in combination with the OpenID plugin which allows me to specify a Google Apps for Business domain to secure Jenkins with
Warning: Make sure you've got a backup of your installation before you start because if you get something wrong you may lock yourself out of your Jenkins. Unpicking the plugins and settings would take longer than just restoring from a backup.
Ensure your choice of OpenID provider is still working ok with your current 'Logged in users can do anything' setting
Select the 'Matrix based-security' mode for Authorization
Add a new 'authenticated' group (lower case 'a') to the Matrix-based security table.
Use the 'check all' icon at the right hand end of the new 'authenticated' row to tick all the permission boxes.
Use the 'check all' icon at the right hand end of the 'Anonymous' row to untick all the permission boxes.
Save the settings
Reload Jenkins
Now each time a user wants to see Jenkins they have to be already signed into their Google Account and no-one can get to see any Job names or views without login.
Hope this helps.