We integrated Alfresco in our enterprise integration platform using CMIS.
Now we are wondering whether there is an official or unofficial way to run queries against the Alfresco CMIS API using runAs, similar to REMOTE_USER for SSO login, sending the username for the permission downgrade in the request header/body, since the integration platform has no end-user credentials and should not handle Alfresco tickets on a per-user basis.
The only way I have found so far is Jeff's suggestion in Alfresco Community OAuth2 SSO via CMIS to configure Alfresco for external auth, but then we have to handle per-user sessions from the integration platform to Alfresco instead of using one session and sending the user in the request, which is what we do in other custom Java code.
We have a hybrid Active Directory scenario - an on premises Active Directory server synced with an Azure AD tenant.
We are in the process of migrating our on premise Exchange email accounts to 365.
We have a SPA (JavaScript) that displays calendar events retrieved from a dotnet core web API.
The web API only allows access to users in a specific AD group.
The SPA uses the Fetch API to call the web API with credentials.
The web API currently uses EWS to connect to our on premise Exchange server to read calendar events, using its app pool identity.
The above systems have been developed in-house and run on our internal servers.
We want to update the Web API to read calendar events using the MS Graph API, on behalf of the user. We would like to use the simplest available solution.
We have tried to use the AcquireTokenByIntegratedWindowsAuth method but receive the following error: 'Integrated Windows Auth is not supported for managed users'. My limited understanding of why this doesn't work is that we do not have an ADFS on premise.
One of the Microsoft samples shows a SPA acquiring an access token and passing the token in the header as part of the web API call. This would require us to update the SPA and web API code. We're willing to do that if it's the only solution, but I am hoping someone might offer an alternative where we only need to update the web API.
I have a separate Dotnet Web Service API to authenticate users. How can I configure it with WSO2 API Manager?
I have already configured WSO2 API Manager with an external IDP (Keycloak). Is this what I'm looking for, or can it be achieved in a different way?
If you are looking for a way to replace your user store (LDAP/AD/JDBC) with your Dotnet service, you might want to write a new custom user store manager extending the CarbonRemoteUserStoreManager class. There, you should invoke your custom APIs to authenticate and retrieve users. Then you can add a secondary/primary user store with your custom user store manager implementation.
If you want to configure your Dotnet service as a Federated IdP in the API Manager server, you might have to write a Custom Federated Authenticator to communicate with your Dotnet service to authenticate the users. There you should be overriding the initiateAuthenticationRequest and processAuthenticationResponse.
Editing the answer with the new context on the issue:
In order to generate or validate tokens with an external party (Dotnet service), WSO2 needs to know the service contract of that service beforehand. The way you feed that information to the WSO2 APIM server is by writing an extension to the Key Manager service of the WSO2 APIM server.
By default WSO2 APIM has the implementation to talk to its own Key Manager component and to the WSO2 Identity Server. But you need to write the logic (request/response templates) to validate tokens with your Dotnet service. This is the official documentation for this. These two Medium posts are also written on that topic.
Blog 1
Blog 2
Basically, you need to write a simple Java extension project against the mentioned interface, so that WSO2 knows how to talk to your service. A sample of such an implementation, written for Okta as a Key Manager, is pointed to here.
Regarding your concern on validating both token types:
Yes, it's possible using a custom Key Manager interface as described above. Once you receive the token at the API Manager side, if you can distinguish from your Java logic whether the token was issued by your Dotnet service or by WSO2 itself (maybe by the token length), then your logic should divert the validation request respectively to the WSO2 default Key Validation service (call super()) or to your Dotnet service call. If you can't distinguish between the two tokens just by looking at them, then you can try both servers to check if either can validate it. (There's a security vulnerability in that.)
Hope this helps.
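The routing decision described in the answer above (send the validation request to WSO2 or to the Dotnet service depending on where the token came from) is easiest to get right when the token itself states which issuer it claims and that claim is then verified against only that issuer's key, so no token is ever tried against both validators and a token naming an unknown issuer is rejected outright. The Python below is an added example, not WSO2 code and not a Key Manager extension; it assumes that both issuers mint HS256 JWTs carrying an `iss` claim, and the issuer URLs, signing keys and tokens are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(Exception):
    """Raised when a token cannot be accepted."""


# Constructed for the example: one signing key per trusted issuer.
# A token is only ever checked against the key of the issuer it names.
TRUSTED_ISSUERS = {
    "https://wso2.example/oauth2/token": b"wso2-demo-signing-key",
    "https://dotnet-auth.example/token": b"dotnet-demo-signing-key",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def issue_token(issuer: str, subject: str, key: bytes,
                ttl: int = 300, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT; stands in for either issuer's token endpoint."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": subject, "iat": now, "exp": now + ttl}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url_encode(compact(header))}.{_b64url_encode(compact(payload))}"
    return f"{signing_input}.{_b64url_encode(_sign(signing_input.encode('ascii'), key))}"


def peek_issuer(token: str) -> str:
    """Read the *unverified* iss claim purely to choose which validator to use."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("undecodable payload") from exc
    issuer = claims.get("iss") if isinstance(claims, dict) else None
    if not isinstance(issuer, str):
        raise TokenError("token carries no issuer claim")
    return issuer


def validate(token: str, now: Optional[int] = None) -> dict:
    """Verify the token against exactly one issuer's key, chosen from its iss claim."""
    now = int(time.time()) if now is None else now
    issuer = peek_issuer(token)
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        raise TokenError(f"unknown issuer: {issuer}")
    header_b64, payload_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("undecodable header or signature") from exc
    # Pin the algorithm so the header cannot steer verification elsewhere.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    expected = _sign(f"{header_b64}.{payload_b64}".encode("ascii"), key)
    if not hmac.compare_digest(expected, signature):
        raise TokenError("signature does not match the claimed issuer")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise TokenError("token expired")
    return claims


def accepts(token: str, now: Optional[int] = None) -> bool:
    """Convenience wrapper: True if the token validates, False otherwise."""
    try:
        validate(token, now=now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000
    wso2 = "https://wso2.example/oauth2/token"
    dotnet = "https://dotnet-auth.example/token"
    good = issue_token(wso2, "alice", TRUSTED_ISSUERS[wso2], now=t0)
    cross = issue_token(wso2, "alice", TRUSTED_ISSUERS[dotnet], now=t0)
    print("wso2 token accepted:", accepts(good, now=t0 + 10))
    print("cross-signed token accepted:", accepts(cross, now=t0 + 10))
```

Reading the issuer before verifying anything is safe only because that value does nothing except select a key; everything that grants access (signature, expiry) is then checked against that single key, and a token claiming an issuer outside `TRUSTED_ISSUERS` never reaches either validator.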
I want to create an ASP.NET MVC application that will authenticate to an Azure tenant and get information about the underlying tenant, such as subscription ID, etc.
This similar thing has been done by another application here - https://overcast.sharegate.com/login
Let me know any article or related info for this requirement.
As Nick said, you could use the Tenants REST API to get the tenants for your account.
Use the Azure AD implicit grant flow to get your access token with your username, and send the request to Tenants with the access token as an HTTP header. Then you will get all the tenants for your account and the details such as tenantId and tenantName.
If you just want the Azure Subscription details, you can use the following:
Subscriptions - Get REST API
Microsoft.Azure.Management.ResourceManager NuGet package. The Azure SDK for .NET consists of the Microsoft.Azure.Management.ResourceManager Namespace and the ISubscriptionClient Interface that would let you get information about your subscriptions and tenants.
However, if you're looking to access information across the Microsoft Cloud services and build unified but unique user experiences, check out the following resources about Microsoft Graph:
Building ASP.NET MVC apps with Microsoft Graph
Module: Build ASP.NET MVC web applications with the Microsoft Graph .NET SDK
For implementing the sign-in experience to Microsoft through an ASP.NET MVC solution, take a look at this document.
We are using WSO2 IS 5.2.0 for user authentication and SSO across our applications. We have multiple web applications built on java technology.
All the apps are registered in WSO2 service provider and we are able to successfully authenticate user and able to do SSO.
A user is prompted to log in when they try to access one of the apps for the first time. Once the user logs in, they are able to access any application.
We are using HTTP redirect to achieve this. On the applications side we are using WSO2 java API (org.wso2.carbon.identity.sso.* package) to get the authenticated user details and claims information.
Now we have one more application in .Net (ASP) which we want to integrate into our application suite which should also use the existing SSO infrastructure.
Can someone please let us know how to integrate WSO2 and a .NET application for user authentication and SSO? If it is an HTTP redirect, then how do we decrypt the user information from the SAML Response in the .NET application?
Is there any web service interface available which we can call directly from the .NET application and which provides a function to get user information by passing the samltokenId?
There is a sample written using .NET here [1], but it seems it is still undergoing development. I have asked a question on the WSO2 Architecture mailing list [2] about the state of it (you can follow it for more information), but you can still use it to get some understanding (or as a full working solution, maybe).
[1] https://github.com/wso2/samples-is/tree/master/dotnet-agent-saml-sso
[2] [Architecture] [IS] SAML SSO Agent for .NET
I have setup a WSO2 API Manager. When I create a user in WSO2 using web console/ using admin services, I want to send a user activation email with link to the user.
Can someone point me to documentation OR steps to do this?
I am using MySQL to store my users.
EDIT: I am using WSO2 API Manager version 2
EDIT: When I try to access https://:9443/services/UserInformationRecoveryService?wsdl, the WSDL is not found.
What are steps to install UserInformationRecoveryService in WSO2 API Manager?
You can use UserInformationRecoveryService for this requirement. You may need to install the Account and Credential Management feature. You can refer to this blog to understand how to install that feature.
Thanks
Isura