Currently to access the Solace PubSub+ Manager, we log in with a user id and password using a web browser. The authentication method used is "Basic Authentication". Are there any other options available?
I understand that clients to the messaging services can authenticate with Basic, Certificate, Kerberos, and OAuth.
No, we don't have any other options, other than Basic authentication scheme for now to login to Pub Sub+ Manager.
Related
One of my customers wanted to implement SSO using ADFS. I was thinking to do a POC for the same using ADFS in Azure. But one requirement is only some users have ADFS login and other user needs to use custom authentication using the identity provider.
Is it possible to use custom and ADFS authentication in the same web application? Like presenting a page with sign-in using SSO or sign-in with credentials?
My client just shared the federatedmetadata.xml. (Do we need to give the full URL DNS name + metadata URL when you create the new project?).
Is it possible to use custom and ADFS authentication in the same web application? Like presenting a page with sign-in using SSO or sign-in with credentials?
If you're open to it, you could integrate your application with an identity provider, and that provider does this for you.
For example:
Your application integrates with CAS as the IDP, and CAS presents this screen to the end user for the authn attempt. User can choose either option, and then once completed, they will be redirected back to your application to continue, and your application interacts with CAS to validate the user account/session. CAS itself is connected to your own account store, and is also integrated with ADFS.
What do you mean by "ADFS in Azure". The only way to do this is to run ADFS as a VM in Azure. Otherwise, you would use Azure AD.
Yes, you can federate ADFS with other identity providers so they both are accessible from the same login screen.
What other identity providers are you looking at?
ADFS is not a project, it's a server add-on and it's all done via configuration on the Windows server.
In terms of importing metadata, see this.
Currently .Net Core app has APIs with OpenID Connect configured. It gets user token and validates.
Now have a requirement to implement client credential flow for 2 APIs leaving rest with OpenID connect. These two APIs are triggered by another backend system. By providing client id,secret and grant type = client credentials , back end system is able to invoke these two APIs. But problem is it can also invoke other APIs which i don't want.
Looking for a way to achieve this in .Net Core. Please advise
If you implement client credential flow, the access token will include the Application permissions.
If you implement OpenID Connect flow, the access token will include the Delegated permissions.
In order to control which API the client app can access, you need to verify the permission.
You can learn more configuration from how to verify Application permission and verify Delegated permission.
Is there a way to authenticate a user with SAML token using firebase as a backend? The company I am working with requires that SAML is used within the authentication system and I am not sure if this is possible with firebase as a backend.
Thanks
Maybe new GCP service "Cloud Identity for Customers and Partners" (in beta for now) could help you.
Cloud Identity for Customers and Partners (CICP) provides an identity platform that allows users to authenticate to your applications and services, like multi-tenant SaaS applications, mobile/web apps, games, APIs and more. CICP is built on an enhanced Firebase Authentication infrastructure, so it's perfect if you're building a service on Firebase, Google Cloud Platform (GCP), or on another platform, and need secure, easy-to-use authentication.
You can check SAML provider, Firebase is behind the scene.
This guide shows how to enable an existing web application for Security Assertion Markup Language (SAML) 2.0, with Cloud Identity for Customers and Partners (CICP). This will include accepting SAML assertions from identity providers (IdP) as a SAML service provider, verifying their contents, and producing a lightweight JWT that you can use in your application to verify authentication and perform authorization.
Hope it will help.
Updated on February 25th, 2020 :
I published a tutorial on how to integrate SAML authentication with Firebase and Angular app.
You can now use SAML provider with the new Cloud Identity platform. This platform works in combination with Firebase too.
Check Thierry's answer for more details.
Old/outdated answer below:
At the moment there is no built-in SAML provider for Firebase Authentication. See this discussion on the firebase-talk mailing list. From that post:
To support SAML authentication with Firebase Auth, you need to use custom authentication.
When the SAML response is posted to your server, your convert the SAML assertion to a custom token (minted via Firebase Admin SDK) and then pass that token to the client where you signInWithCustomToken. You can add any additional SAML claims to the custom token claims and they will propagate to the Firebase ID token JWT.
It's a valid feature request though, so I highly recommend to file a feature request.
I have used Owin in the past to create a token endpoint in my Mvc Web Api projects to provide oauth 2.0 tokens with "Resource Owner Password Credentials" grant type where access token provider would check a database user table to verify the validity of the credentials supplied by the mobile client (multiplatform App developed with Visual studio tool for Cordova).
In this project, the Web Api will be consumed by a multiplatform Mobile app used by Active Directory Windows domain accounts
I would like to use Owin Oauth 2.0 to grant an Access Token to these users but I don't know how to check the validity of these credentials.
What I was thinking is to put the /token endpoint behind "basic authentication" and in the code of the Access Token Provider get the user from the Identity that, in case of authenticated used, should be automatically created by the Asp.net pipeline.
Is it something that could work?
Do you know any better idea to use Oauth 2.0 for AD Windows Accounts?
Note:
I'm also investigating if Active Directory is able to provide an Oauth 2.0 endpoint by itself.
Here is a pretty good walkthrough of how to use Active Directory Federation Services to obtain an OAuth2 token.
https://technet.microsoft.com/en-us/library/dn633593.aspx.
You'll have to follow all the links at the bottom to get the entire walkthrough.
Note that it refers to using Windows Azure AD Authentication Library for .NET. But according to that documentation, that library is used for both Azure Active Directory and on premises Active Directory.
As for the workflow, once authenticated you'll be able to obtain and present a bearer token to your WebAPI. Your WebAPI then "validates the signature of the token to ensure it was issued by AD FS, checks to see if the token is still valid and hasn’t expired and may possibly also validate other claims in the token. At this point, the client is either authorized and the information they requested is sent in the response or they are unauthorized and no data will be sent." - https://technet.microsoft.com/en-us/library/dn633593.aspx
You could use ADFS 3.0 on top of AD which would provide you with OAuth 2.0 Authorization Server functionality: http://blog.scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html
Putting the token endpoint behind "basic authentication" does not help you because you'd be authenticating the client on the token endpoint, not the user. You could put the authorization endpoint behind "basic authentication" though.
I know about ASP.NET Authentication mode (Form, Windows and Passport) and we have used mostly Form based authentication for our web applications. I want to know how IIS takes part in authentication, does it pre-authenticates the request before passing it to the ASP.NET. How can I configure IIS authentication ?
Very broad topic, but essentially, IIS does not authenticate if anonymous authentication is enabled. This relies on the application to do any required authentication (such as Forms, as you mentioned)
If anonymous is turned off, IIS can authenticate using the following methods:
Basic: credentials passed as http header with each request
Digest: sort of a more-secure basic; the password is hashed
Windows: uses client's windows credentials to authenticate
Certificate: requires a specific x509 certificate to be sent by the client
More details: http://technet.microsoft.com/en-us/library/cc733010(v=ws.10).aspx