Should we create one user assigned identity for all the services that a resource access or should we create one for each service the resource access?
Example: My WebApp needs access to a eventhub, servicebus, storageContainer etc. Should I create three identities (user_assigned_eventhub, user_assigned_servicebus, user_Assigned_storage) one for each service or create one (user_assigned_webApp) and access all services using this identity?
create one (user_assigned_webApp) and access all services using this identity
This is correct, you just need to create one user-assigned identity, then in your sample, navigate to the web app in the portal -> Identity -> User assigned -> add it to your web app, then you can use this MSI(managed identity) to access other resources. When using MSI to access other resources, the MSI is used to represent the client, the resource side does not need it, so you don't need to create MSI for them.
Related
Is it possible to mix authentication types in a C# ASP.NET MVC web application hosted in Azure?
I have an ASP.NET MVC application written in C# that uses ASP.NET Identity as its authentication system.
A customer has asked if they can sign into the application using their Azure Active Directory (SSO using openconnect id).
I can recreate the application using openconnectid and assign their tenant as the AAD directory but users from my company can not log into the application because we do not exist in the customers Azure Active Directory.
We need to be able to log into the application because we perform data entry tasks for them using the web app.
Has anyone come across a similar issue?
Regards,
Graham
You may need to show login screen with 2 possible options. You redirect the user to their respective identity provider , they get authenticated and bring back the access_token/Id_token to access application resources.
Very much like different OpenID connect providers in the same application(FB, Google, Microsoft etc) and regardless of which provider user choose to get authenticated the token is same to access resources.
I have an application that runs in a Service Fabric(SF) cluster and I wan't to access Key Vault from it.
The cluster hosts a number of applications and I want to give access to a Key Vault for my application without giving access to the other applications. By default an application runs under the same user as the SF cluster, but each applicatiuon has it's own unique name, mine has the name fabric:/application1.
My question is, is it possible to create an Active Directory application account for fabric:/application1 and grant access to the key vault?
I know it is possible to use the RunAs options in the SF manifest, but that requires me storing an encrypted password in the manifest/source code and I want to try and avoid this if possible.
AFAIK,
The only way to have this flexibility is using ClientID & Secret or Service Principal certificates and each application manage their own credentials.
Service Principal Certificate is already integrated to AD, but does not require the application, the user or the Host to be part of the domain, the only requirement is setup an user on AD to grant the permissions on Keyvault.
There are other solutions using AD integration, like Managed identities for Azure resources(Former: Managed Service Identity) but I am not sure if you are able to restrict access per application like you described, because the MI add this as a service in the node, so technically other applicaitons would have access as well, worth a try to validate if you can restrict this.
If you want to try this approach, you can use with Microsoft.Azure.Services.AppAuthentication for implicit authentication of the services running in your cluster, where the nodes are setup with Managed Identities extension like described here.
Something link this:
When you use the Microsoft.Azure.Services.AppAuthentication, the Step 2 will be handled by the library and you won't have to add much changes to your key vault auth logic.
When you run your code on an Azure App Service or an Azure VM with a
managed identity enabled, the library automatically uses the managed
identity. No code changes are required.
The following docs describe other options you can use for KeyVault Authentication.
PS: I've done other KeyVault integrations using Client Secrets and Certificates and they are secure enough, With Certificates you can store it on the managed store or with the application, I would recommend MI only if is a requirement for your solution.
Background
I'm building an application that I want to use ASP.NET identity to manage my authorization to a web api module that I will be deploying to azure (1 project is an azure web app the other is an azure api service).
I'm a bit confused as to how I should leverage roles and claims to work together with how to structure the application or if there is another built in feature in the identity system that would work better for my solution.
My front end is built using Angular and my APIs are in C# (.net 4.6)
My project is:
Each user belongs to one or more group(s). Each user has different permissions in each group. Users can switch between groups (or see aggregate data across all groups they belong to) after they have logged in (i.e. 1 jwt token per login and that token needs to define what groups and what permissions per group the user has).
Question:
I'm not entirely sure how Asp.net identity best practice is to structure this. Should I create a role for each group that exists in the system (potentially thousands) and then give a claim for each permission that a user has within that group (role)?
I need to implement VM creation workflow such that admin creates VM for a user after verifying his request.
Currently, if admin creates the VM, it is marked as owner of this instance.
Can we either change or add another owner to the instance?
Can admin impersonate as another user to create a VM?
An admin cannot impersonate another user. However, in practice this is not the problem you might think, because access to resources in OpenStack is controlled by projects (basically, groups) rather than by individual users.
You can add the admin user to other tenants, and then set OS_PROJECT_NAME (and/or OS_PROJECT_ID) in your environment to the appropriate project when creating resources (such as servers, networks, etc).
When you create a resource as a particular project, any member of that project will have access to that resource.
Note that in earlier versions of OpenStack, projects were referred to as tenants and the correponding variables where OS_TENANT_NAME and OS_TENANT_ID.
I am currently writing a user management application which administers users in a single aspnetdb instance. This single instance contains multiple "applications" which all have roles assigned against the individual applications.
As each user can be a member of multiple applications I use Roles.ApplicationName to cycle through each configured application and then determine which roles they are a member of. After checking each application I set the Roles.ApplicationName back to the original application which is the management application.
The problem I am having is when multiple users eachview an individual application and a request for Roles.GetAllRoles() is made. Most of the time the roles that come back are for the intended application but sometimes the wrong application's roles come back due to other requests cycling over the Roles.ApplicationName per application.
I've since read that Roles.ApplicationName is not threadsafe and therefore should not be used in a web application but I would prefer to have a solution to this rather than having to rewrite the role model in the application.
Also, The aspnetdb applications are created via this administration system and therefore I cannot create multiple RoleProviders, one per application.
Why dont you write a wrapper to do this, off the top of my head you could implement your own role provider, and then put the appropriate synchronization in place.