I am trying to create a skill that will reach out to an application that uses Basic authentication to render APIs (albeit I know this is bad practice). I wanted to go down a route similar to account linking; however, it seems they enforce the usage of OAuth 2.0.
Is there an alternative to this or am I forced to use OAuth 2.0 in order to request APIs to a 3rd party application?
My wanted workflow:
customer enables skill
Skill card request for username/pw combo
after setup, the skill can be utilized fully
Not sure if it's helpful, but I'm using Lambda to run my skill source code.
That is a terrible practice.
First of all, what if your user's password includes case sensitive letters and numbers and possibly other characters?
You can use Literal Slots, but they are not case sensitive and probably won't return a number-word combination either. For example, if your user's pass is Word123, literal slots may return word one two three.
https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/alexa-skills-kit-interaction-model-reference#literal-slot-type-reference
I am not sure if you can force user to spell his password's characters and so then you can try to detect the password though... Again this sounds like a terrible practice.
So as you mentioned: Users link their accounts using the Amazon Alexa app. Note that users must use the app. There is no support for establishing the link solely by voice
I guess you have to do the linking the way Amazon requires.
https://developer.amazon.com/blogs/post/Tx3CX1ETRZZ2NPC/alexa-account-linking-5-steps-to-seamlessly-link-your-alexa-skill-with-login-with-amazon
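The skill-side half of account linking in a Lambda handler, as an added example that is not part of the original posts: the skill reads the OAuth access token Alexa supplies after linking and returns a LinkAccount card when the token is missing or the backend rejects it. The endpoint URL and the injectable `call_api` parameter are assumptions for illustration.

```python
import json
import urllib.error
import urllib.request

API_URL = "https://api.example.com/v1/status"  # hypothetical third-party endpoint


def _link_account_response():
    """Tell the user to finish linking in the Alexa app (LinkAccount card)."""
    return {
        "version": "1.0",
        "response": {
            "outputSpeech": {"type": "PlainText",
                             "text": "Please link your account in the Alexa app."},
            "card": {"type": "LinkAccount"},
            "shouldEndSession": True,
        },
    }


def _call_api(token):
    """Call the backend with the OAuth bearer token; return None on 401."""
    req = urllib.request.Request(API_URL, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 401:      # token expired or revoked
            return None
        raise


def lambda_handler(event, context, call_api=_call_api):
    # Alexa supplies the token in context.System.user and in session.user.
    user = event.get("context", {}).get("System", {}).get("user") \
        or event.get("session", {}).get("user", {})
    token = user.get("accessToken")
    data = call_api(token) if token else None
    if data is None:             # never fall back to collecting a password by voice
        return _link_account_response()
    return {
        "version": "1.0",
        "response": {
            "outputSpeech": {"type": "PlainText",
                             "text": "Your status is " + str(data.get("status"))},
            "shouldEndSession": True,
        },
    }
```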
I'm thinking of using an MBaaS such as Firebase or Kinvey for my next app, and am wondering if any exist which encrypt application data end-to-end (i.e. such that the encryption keys are never shared with the service provider). This seems feasible in theory, since the server is not expected to do any computation on the data, only store it and deliver it to clients.
Does such a service exist? I've found ZeroDB and Crypton, but neither are available as services AFAICT, which means I'd have to administer, scale, and back them up myself. I also thought of using something like Firebase and encrypting my app's data before I pass it to the Firebase API, but I'm wary of writing a one-off crypto layer like that unless I have to (i.e. I'd rather use something that's been peer-reviewed).
Alternatively, if no such service currently exists, why not? Is it technically infeasible, or is there just no market for it?
Edit: This seems closest to what I'm looking for, but considering the broken links on their website I'm guessing it's defunct: Adreneline Mobility
The answer to your question is actually available on the market. CloudMine offers end-to-end encryption (disclosure - I work at CloudMine). They have a largely healthcare focused offering so it has to stand up to HIPAA and other government regs around data security.
Here's a good overview video on security featuring CloudMine's CTO. The first 45 sec. provide some more information on our encryption techniques.
I know I'm being the "sales guy" right now but I'm happy to hop on a call to share what we've built and discuss your specific use case. You can email me at nick at cloudmineinc.com if you're interested.
Virgil Security (full disclosure - I work there) has an end-to-end encryption SDK that works for any endpoint, and also has a special integration with Firebase. It's open source, of course. Check it out and feel free to ask any questions of the team here or on Slack - https://e3kit.readme.io/
I'm totally new to SAML. I want to implement SSO for my ASP.NET Website. I got the SAML assertion from my client. I would like to know what other requirements I need to get from my client and what setup I need to implement at my end.
Can anybody help me out with this?
Thanks in advance.
The first thing that I would do is avoid writing the SAML code yourself. There's plenty out there. #Woloski (above) has some. My company has some (I work for the company that makes PingFederate). There's some open source stuff, too. I've seen good connections from KentorIT authServices. If this is your first foray into SAML, then my bet is that ADFS is way overboard. I'll be honest, the groups we see most commonly at Ping is when they decide to go "all in" with SSO. The first one or two connections are easy. Then it becomes a management nightmare rapidly thereafter. The reason I say to avoid writing your own is because there are a LOT of nuances to SAML, with massive pitfalls, and headaches you just don't need.
As the service provider (SP), you need to tell your client (Identity Provider, or IdP) what "attributes" you need from them to properly connect their users to their account in your application (maybe a username?). In addition, you can ask for additional attributes to ensure their profile is up to date - phone number, email, etc. It's up to the two of you to determine what you need (and what they'll give you). Obviously, they shouldn't send social security number, if you have no need for it.
You also need to decide if you will do SP initiated SSO (will the users get links to documents deep inside your app?), or if just IdP initiated (Or will always just come to the front door?) will suffice. What about Single Logout? Do you (or they) want to do that? [Personally, I suggest NO, but that's a different topic]
What about signing the assertion? Your cert or theirs? If you're doing SP-init, do you need to use their cert or yours for signing the AuthnRequest? Do you need encryption of the assertion, or maybe just a few of the attributes?
Generally, you do all of this with a "metadata exchange". You give them your metadata that says "this is what we need". They import that metadata to build a new connection, fulfilling the attributes your app needs with calls to their LDAP or other user repository, as well as doing authentication (if required). They finish building their connection, and export THEIR metadata, which you import to build your connection (thereby making sure you all agree on certificates). You hook it to your app, and away you go.
I make this sound easy. It is, and it isn't. Rolling your own can mean issues. Lots of them. With some being so minute that it takes pros hours (and days) to see it. When it works, it works, and well.
HTH -- Andy
You can use something like ADFS to accept SAML Assertions. ADFS gets installed on Windows 2008 or 2012.
You would need to ask your customer
the signing certificate public key and
the sign in URL.
Then you would create a "Claims Provider Trust" in ADFS and enter those details. Then a "Relying Party Trust" that represents your application. Finally you would have to configure your application with ADFS using WIF. This blog post has more details:
http://thedotnethub.blogspot.com.ar/2012/12/adfs-20-by-example-part1-adfs-as-ip-sts.html
Also you can use Auth0 to accomplish the same without setting up any software on your side (disclaimer: I work there).
In investigating federated authentication, I've been running into a protocol alongside SAML: HTTP-FED.
Curiously, I can't find any technical documentation for this protocol.
What is it? Is it, like I suspect, a claims-based protocol for use with HTTP instead of WS- services?
HTTP-Fed appears to be a creation of a commercial vendor (Symplified). It has not been ratified by any standards bodies (that I've found) which is why you probably can't find much on it. From what I've read on their website, it appears to essentially be a fancy name for credential caching/credential replay across the internet. From their site -- http://www.symplified.com/http-federation/
"... HTTP-FED leverages the existing HTTP login mechanism at the SP.
The implication of this is that no changes to the SP (destination
application) are required and no special software is needed by SPs,
thereby reducing the effort required to federate domains."
It's not a standard so there's no info on how you'd implement it outside of buying their product. If you're looking at Web SSO for Cloud Applications, I'd stick with actual standards (SAML, OpenID, OAuth, OpenID Connect) that are designed with security in mind for this type of activity.
I am sending email from my asp.net application, and I wanted to see if anybody could recommend a third party that will actually send the emails. Ideally they should have some sort of web service available that I can send a request to.
Mike,
Check out some of the following. They have APIs that may or may not be of use/interest to you that your application could interface with. I am sure there are others; a few months ago I went through about 5-10 providers and these are the three that stuck for me.
They send out emails to your list for you and provide you with a list of what got through, viewed, subscribed, unsubscribed, etc. The best part of their services is that they have whitelist agreements with the major email providers (hotmail, yahoo, gmail, etc) so your emails don't end up in the Junkmail box.
If you wanted to automate the sending of an email through these I am pretty sure you could write an http agent to do the interaction with the website if it isn't quite there in the API how you would like.
www.constantcontact.com
www.icontact.com
www.mailchimp.com
Each have their subtle differences that should give you a starting point for what you're looking for. Good luck!
I have used http://www.authsmtp.com in the past for an SMTP server. This was especially effective when sending from Amazon EC2 instances. It was great to have someone else manage blacklist issues etc. You should be aware, though, that with their service there is a limit on the number of unique "from" addresses used (upgradeable of course).
Very easy to use the standard System.Net.Mail APIs and just specify an SMTP server in web.config:

    <system.net>
      <mailSettings>
        <smtp deliveryMethod="network">
          <network
            host="mail.authsmtp.com"
            port="2525"
            defaultCredentials="false"
            userName="ac55555"
            password="your-password-here" />
        </smtp>
      </mailSettings>
    </system.net>

Some of the companies that I've worked with in the past include: Responsys, Acxiom Digital, PeopleSoft, Siebel, Eloqua, Marketo, Constant Contact, Blue Hornet, Mail Chimp and Exact Target.
The only 1 that I can verify first-hand as having an API that will actually allow you to send email without logging in and doing something manually via their UI is Responsys.
Does your ISP/hosting provider provide an SMTP server? If no, what about just using that, by way of the System.Net.Mail libraries? It's not a web service, but it's trivial to use.
Mike
I think you have to look at what kind of mails you are sending from your application.
If it's only the mail with a password when a user signs up for a website, or occasionally sending a reminder from a desktop application, then stick with your business ISP and their SMTP server. Just write your own mailer using System.Net.Mail.
On the other hand, if you are mass mailing thousands of people regularly, then you have to be concerned about at least two things:
Not getting your URL blacklisted.
The percentage of delivered mails.
And just those two things a professional mailing provider can do much better than anyone else. On top of that, the provider gives you a lot of other benefits, such as reports, click-through rates, etc.
I'm using www.Aweber.com for my own business and have done so for years with great satisfaction. For a client I have implemented the service from www.Getresponse.com and they are also great.
I believe those two are the best of the trade, used by a lot of marketing people, and Getresponse, I know, has an API you can program against.
And if you want to support me - here are my affiliate links:
www.Aweber.com
www.Getresponse.com
CakeMail is, as far as I know, the only solution that meets all of your criteria.
Typically, it is used to create email campaigns and send them, and as such it offers all the features you would expect from an email campaign manager. For sending individual emails, you would simply create a new campaign, add the recipient to that campaign, and send it out. You can resend the campaign if necessary. All managed through the API.
It works on a per-recipient basis, instead of fixed mailing lists as the other solutions mentioned require. There is also no sending fee outside of the credit costs, which you would experience with a comparable solution such as Campaign Monitor.
We will be using CakeMail in exactly the same configuration in the near future.
I think I understand what your problem may be. I have a software program that I market and I want to send out newsletters to several thousand people.
Originally, I purchased Spd E-Letter from Pensaworks. It is an ASP script using Access or SQL Server. I installed it with my website and because all the ASP was provided, I was able to add customizations as I desired.
The great thing about a solution such as this is that you are in control of your data. You are not storing your data in someone else's database. If for any reason, they cut you off, a third party will not give you your data back.
It worked very well for me for several years ... until I changed webhosts and the SMTP limits at the new webhost were too low. The ISP limited batches to 50 emails (I think that's the number) at a time and wouldn't let me send out more than a couple of hundred emails an hour.
I looked at dozens of 3rd party providers of this service, from ConstantContact to Bravenet to everyone else. If you were to go with one, the ones that most of the Marketing Gurus use are AWeber and GetResponse. They all charge monthly rates that increase as your volume increases and it will end up costing you a chunk of change, so you better be making good revenues from the mailings to make it worthwhile.
Switching to such a service may be frustrating. Many of them don't let you just add your existing list, but require that you contact all your people and get them to opt in again. Many will also require you always use double-opt-in signups, where they have to respond to an email before they get added. You'll have to consider this in selecting a service.
What I was going to do was find an SMTP service that I can use to send my mailings to. I looked around for awhile but this was not a service that was easy to find. Basically, I wanted someone to accept my e-mails and send them out. Simply an SMTP server.
It so happens, I found out that Plimus, the service I use for selling my software was a partner of a webhost that provided SMTP services for them. The webhost was DewaHost, and you can get a hosting account specifically for their servers dedicated to SMTP. You do need to contact DewaHost directly to sign up with them, but their monthly rates are reasonable, up to about $40 a month for unlimited emails.
There are, of course, others. You can look up "SMTP Server Hosting" on Google but I can't vouch for the others. You'll notice DewaHost quite high up on that list.
In your comment on your own question, you say you'd like "some sort of nice neat online interface which shows all of the emails we sent, and allows me to resend them if the user requests". I think you're running into trouble trying to get a service to do that. If you're already using your own ASP.Net program to generate your own emails and maintain your list, it should be your own program or an add-on to it, like the Spd E-Letter that I used.
If you want an ASP.Net solution, there are several packages available, for example Absolute Newsletter.
I hope this helps you.
Louis
Depending on your usage requirements, have you considered using Gmail? Google provides a nice secure SMTP service and cool (free) goodies for hosting your own domain email using Google.
To add to Matt's answer above, CakeMail also offers a Relay API Class that allows for one-off emails. You can interface with our API with one of our libraries.
Cheers,
Francois # CakeMail