For your information, I tried to search for the different links but I didn't find the right answer. The link below looks like the same problem, but there is no proper answer for it.
Artifactory: SAML SSO group matching not working
I am facing a problem with respect to Artifactory group association with SAML. I tried to follow the process mentioned in the link below, but it doesn't work. Any kind of help is much appreciated.
https://jfrog.com/knowledge-base/how-do-i-configure-artifactory-saml-sso-with-adfs/
Our goal is to create the same group in Artifactory which is present in ADFS, so that we can give permissions to that respective group in Artifactory. But the problem is that people are able to log in using their domain credentials, whereas if we provide the permissions to the group it doesn't work as expected.
If you need more clarity I am happy to explain more on this issue.
The ADFS side is handled by another team, and even they are not sure why it is not working. Is there any bug in Artifactory? I have configured SAML with Jenkins and it works super fine.
I will try to elaborate about the process.
After a login request, the user and its groups are available to Artifactory in the assertion response that is sent back to Artifactory by the SAML Identity Provider. The data should be available in the assertion XML response, as long as the Identity Provider is configured to include it. For example, the Identity Provider can exclude the groups information and include user data (i.e. username, mail) only.
In order to ensure that Artifactory can assign the user to the SAML group, you will need to do the following:
Configure ADFS to include the user groups attributes in the login response. You have mentioned that this is handled by another team, but you can see how this can be done in the link that you have attached in your post.
Create the relevant groups in Artifactory, or import them into Artifactory from another authentication provider (such as the Artifactory LDAP integration group screen). It is mandatory that the relevant groups exist in Artifactory.
Open the Artifactory Web-UI SAML configuration screen and mark the Auto Associate Groups checkbox.
Edit the Group Attribute text field and put in the SAML attribute name of the group declaration. The group attribute name that is required is the one that is returned in the SAML assertion response.
In the assertion it should look like this:
<saml:AttributeStatement>
  <saml:Attribute Name="memberof">
    <saml:AttributeValue>group1</saml:AttributeValue>
    <saml:AttributeValue>group2</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
In your case, you can either get the group association attribute name from the other team that manages your ADFS, as you have mentioned, or just view the assertion in any kind of SAML tracer browser plugin (as long as ADFS was configured to send the groups attributes).
Once you have the above configured, when a SAML user logs in to Artifactory, the user will automatically be associated with the group returned by the SAML assertion response (as long as the group exists in Artifactory).
Note: the SAML group association is not persisted and is valid for the current login session only. Therefore, if you look at the user/group screen in the UI, you will not see the user/group association; however, if you grant a permission for a specific resource to the group that you expect the user to be assigned to, you can see that the user who logged in is capable of using the granted permission.
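As an added illustration of the answer above (this is not JFrog code), the following script pulls the values of the configured Group Attribute out of a SAML assertion and reports which of them Artifactory would associate and which it would silently ignore because the group does not exist; the assertion, the attribute name "memberof" and the group names are constructed for the example.

```python
"""Diagnose SAML group association for Artifactory (added example, not JFrog code).

Extracts the values of the configured Group Attribute (e.g. "memberof") from a
SAML 2.0 assertion and splits them into groups that exist in Artifactory (these
get associated for the session) and groups that do not (these are ignored).
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment in the shape the answer describes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberof">
      <saml:AttributeValue>group1</saml:AttributeValue>
      <saml:AttributeValue>group2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml: str, attribute_name: str) -> Optional[List[str]]:
    """Return the values of the named SAML attribute, or None if the IdP did not send it."""
    # Untrusted XML should be parsed with defusedxml in production; ET keeps this stdlib-only.
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            return [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
    return None


def check_group_association(assertion_xml: str, group_attribute: str, existing_groups) -> dict:
    """Split asserted groups into those Artifactory will associate and those it will ignore."""
    asserted = attribute_values(assertion_xml, group_attribute)
    if asserted is None:
        # The IdP did not include the attribute at all: fix the ADFS claim rules first.
        return {"status": "attribute-missing", "associated": [], "missing": []}
    existing = set(existing_groups)
    associated = [g for g in asserted if g in existing]
    missing = [g for g in asserted if g not in existing]
    return {"status": "ok" if associated else "no-match", "associated": associated, "missing": missing}


if __name__ == "__main__":
    print(check_group_association(SAMPLE_ASSERTION, "memberof", ["group1", "developers"]))
```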
I am working on a school project which basically acts like a Messenger with Events etc.
Recently I came across DDD and I decided to try to implement its concepts in my project.
I ran into a problem, where each time I want to edit an entity I need to check, if a currently logged user has rights for it.
I have a CommunicationChannel entity (AR) which has an ICollection<CommunicationChannelMessage>. When I want to edit a message I need to load the CommunicationChannel entity, find the CommunicationChannelMessage in it and then check if the currently logged-in user is the author of the message.
I decided to create DomainService MessageManager, which has method Update(CommunicationChannel channel, string messageId, string newContent).
This method loads the message or throws NotFoundException; after that it checks if the user has the right to it and if not throws ForbiddenAccessException.
Basically, the domain layer now has the responsibility to check if the currently logged-in user has rights to do something. The idea behind this is that there will be no place in code where I can forget to check the permissions of the user. I can only call methods from this manager and they check permissions every time.
So my question is the following. Can a domain service have a reference to ICurrentUserService (returns the entity of the currently logged-in user)? Shouldn't the check of user permissions be an application-specific concern in the Application layer instead of the domain layer?
Thank you so much for your answer.
Stricto sensu, DDD does not state anything regarding application layering, besides:
domain layer must use object modeling
domain layer is where business rules are implemented
Now the problem must also be split into two different security concepts: authentication (find user identity) and authorization (is user allowed). Authentication is always an application cross-cutting concern, usually handled by an ASP.NET middleware like Kerberos, OIDC, etc.
You have two possible approaches for your authorization problem: consider the identity verification as a business requirement or as a security cross-cutting concern.
In case of a business requirement, the author must exist in the domain model, at least as a login/username property on the message. Add a parameter to your Update() method for the actual user identity to be compared with the message author. Your controller can pass the user identity from ASP.NET Core authentication or any external auth service if a conversion is required.
If you want to make that a cross-cutting concern, you don't need to model the message author (unless useful for another business requirement). Make a custom middleware, or insert a security layer somewhere in your architecture (a more precise answer would require insights into your actual architecture).
I'm looking for some guidance and have had a hard time finding a straight answer via Google.
I am building a web app using Google Cloud Platform and Firebase and would like to grant users access to only their own subdomain. So for example, if user 1 is part of the organization Lakers, I would like the domain they use to be lakers.myapp.com. If user 2 is part of Bucks, their app would be hosted at bucks.myapp.com. When somebody who is not authorized visits one of these domains, they should not be able to view anything since they are not authorized under that subdomain (just like any normal web app). I have the login all set up and can redirect the user to their subdomain, but what is the process of checking that the user is authorized to view that subdomain?
If the answer has many parts, I would be happy to receive some links to resources on how to do this; I wanna be sure it's done right.
For the first part (can we restrict users (identity) based on the GCP domains?), the answer is yes. The Resource Manager provides a domain restriction constraint that can be used in organization policies to limit resource sharing based on domain. This constraint allows you to restrict the set of identities that are allowed to be used in Identity and Access Management policies.
Organization policies can use this constraint to limit resource sharing to a specified set of one or more Google Workspace domains, and exceptions can be granted on a per-folder or per-project basis. For more information about adding exceptions, see Override the organization policy for a project.
For the second part (how do I lock down Firebase Database to any user from a specific email domain?): if you're using the new Firebase this is now possible, since the email is available in the security rules.
In the security rules you can access both the email address and whether it is verified, which makes some great use cases possible. With these rules, for example, only an authenticated, verified Gmail user can write their profile; please see the Stack Overflow link for more details.
I'm trying to fetch the different standardized data to make a custom post targeting form.
So I'm accessing the different endpoints mentioned at https://developer.linkedin.com/docs/ref/v2/standardized-data
When using a client_credentials token (app token) I get "Not enough permissions to access ****".
When using a user token I can access it without a problem.
The question is why I need a user token to get this data that is global and, according to its definition, used to standardize data across the LinkedIn platform.
"Not enough permissions to access" when it looks like your permissions SHOULD work, usually means you need to be a LinkedIn "Partner":
https://developer.linkedin.com/partner-programs
What exactly do you have to do to authenticate users against an external source while accessing pages on a CQ publish instance?
From what I have read, a custom AuthenticationHandler can be used for this. The AuthenticationHandler can be configured to be called for the paths requiring authentication, and inside the extractCredentials() method the users will be authenticated against the external source and an AuthenticationInfo object will be returned.
If the supplied credentials are invalid, null would be returned from this method to indicate that. The SlingAuthenticator will then call requestCredentials(), where the user can be redirected to the login page.
Is this understanding correct? If so, what does SlingAuthenticator do with the AuthenticationInfo object returned from extractCredentials()?
In some places, having a custom LoginModule (by overriding AbstractLoginModule) is also suggested for the same purpose. Are these two different approaches (custom AuthenticationHandler and LoginModule) for having custom authentication, or are they used together somehow? If so, how do they interact?
And also, the concept of CUG (Closed User Group) can be used to redirect users to the login page if they don't have access to a page. Can CUG still be used with a custom auth mechanism, or does it only work if the users are present in the CQ repository?
Any light shed on this would be much appreciated :)
Your understanding is correct. The AuthenticationInfo object ultimately contains a JCR user id -- but rather than having to use the JCR password for the user, a 3rd-party service basically says "this user has authenticated successfully and can access the repository as X".
Example: you're using OpenID or SAML to verify a user is X. User X is then mapped to a user Y in the repository.
I haven't used LoginModule but from what I'm reading, that's just extending login processing for the JackRabbit repo. So, rather than using AuthenticationHandler to redirect a user to some other place and processing the response, you're plugging further down into the chain where there's already AuthenticationInfo (or something like that) being given to JackRabbit to verify and return a session for a user.
So, let's say you did successfully authenticate with OpenID but the user you're mapped to doesn't exist. You could write a login module to create the user in this case (and assign the user to a default group). For instance, if a user came in with a Gmail id, the JCR user could be gmail_$id. And the login module, seeing the name starts with gmail, will know it's ok to create that user automatically.
As far as CUG, yes, all the above can be used in conjunction with it. Basically, if a request doesn't have access to a resource and the request hasn't been authenticated, the authentication handling system kicks in. If a user has authenticated but still doesn't have access to the resource (e.g. not part of a group that can read it), a 403 will be generated.
I still just don't get the Claims-Based Authentication/Authorization workflow.
The application allows authentication via Facebook.com
After the user is authenticated, an admin can give her/him a claim of having the role of Manager, which creates another claim (where?).
Of course, this claim won't be on the facebook.com server. Question 1: where should that claim be stored?
When the user logs in again later, I get the claim from facebook.com and I should get the claim from the application, and merge them?
How is the workflow? Trying to understand claims in practical usage.
Basically, Facebook tells me that I'm john@doe.com, and 'fill in the blanks' adds a claim that I'm also a manager of domain.com
then I pass those claims to domain.com?
How should I configure the application at domain.com in ASP.NET to trust Facebook and the 'filled in the blank' piece and request claims from both?
I guess I'm using external providers for Authentication and my own provider for Authorization; how is this created on ASP.NET (Web API / MVC)?
UPDATE (for clarification)
Let's go backwards. I create a web application where users can register.
'Somehow' there's a trusted claims-based authority somewhere (this should be another application??) where I request the claims for a particular user to see if they have particular rights on my application.
So I imagine something like:
/authserver/claims
and my validation checks if X claim is met to do certain operations.
later I add to Facebook. now I have
/facebook/claims
which tells me the user is X
and
/authserver/claims to see if can do operation X on resource Y.
How is this managed on ASP.NET? And where should my own claims be created/exposed/developed?
I think I'm missing something fundamental here.
I think the important thing to understand is the difference between authentication and authorization.
Authentication - the act of confirming the truth of an attribute of a datum or entity.
Authorization - the function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular.
So, typically for a secured system, the workflow starts with Authentication. When a user first connects to/uses a system, they are not authenticated (let's say this user is of a type/group Anonymous). The act of the system determining the user is not authenticated is an Authentication in and of itself. Based on being Anonymous, the act of the system determining what that type of user (anonymous) has access to is now authorizing what the user can do. For a very secure system, the only access anonymous has is to the login screen/page. Once logged in, the user is assigned a unique identity and assigned some type of group policy/role (if not already created).
With a web-based application, and having a website (#1) authenticate for another website (#2), it becomes a bit more complicated. When I log into StackOverflow (#1), I use my Gmail (#2) account. I get redirected to Google with some special way for Google to know the page I came from/to go back to. This could be a special key/url combination or, for less restrictive access, usually has to do with a return url (after I say yes, where I go back to). Google will create a special authentication token that is specific to the url I am returning to. It is tied to the URL because that means that my token on StackOverflow won't allow me or anyone else to log into, say, NewEgg for example (in other words, someone at StackOverflow with access to the database can't use my token to authenticate as me on some other website, but technically they could log in as me on StackOverflow, but they own the website, so that doesn't really matter). Now I am authenticated on StackOverflow (but technically StackOverflow doesn't even need to know any information about me, just my Token).
On StackOverflow as a new user, a new account is created. This account probably has a one-to-many relationship between my unique account on Stack Overflow and multiple logins (and types of logins: OAuth, OpenID or SO Login). Once the account is created, I have whatever access they have set up by default. If I need more, or some trigger (let's say based on my Reputation points :) gives me access to Administrative functionality (given some role), that role is tied to my account and indirectly tied to my authentication. This means that I can create additional logins (say a Local SO Login) but keep my Account.
As for each Authentication resource (Google, Facebook, etc.), there will be different schemes for Authentication, but there will always be at least a token (or more than one token) for a website to say who I am (in a generic way).
So website #1 (Stack Overflow) has requested website #2 (Google) to Authenticate me. But only website #1 knows what I am Authorized for.
For role-specific functionality, there are a good number of answers on SO dealing with ASP.NET Identity and the Role Manager:
Creating Roles in Asp.net Identity MVC 5
mvc 5 check user role
A much more in-depth look into Identity with MVC - Extending Identity Accounts and Implementing Role-Based Authentication in ASP.NET MVC 5
If you're using ASP.NET Identity (http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity), you can add a Role claim type to the user. It'll be associated with the user login, so when the user authenticates with Facebook, these user claims will be added and available in MVC.
See the following code fragment:
var acRes = await UserManager.AddClaimAsync(userId, new Claim(ClaimTypes.Role, "MyRole"));
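The workflow the answer describes, modelled in Python as an added example (not ASP.NET Identity and not the answer's own code): the external provider only proves who the user is, one local account can carry several external logins, and the application alone stores and issues the role claims that are merged in at sign-in; the issuer names, account ids and claims below are constructed.

```python
"""Claims workflow from the answer above, modelled in Python (added example).

External provider = authentication (who); this application's account store =
authorization (what). Roles hang off the local account, not off any one login.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

APP_ISSUER = "myapp.local"  # constructed name for this application's own claims


@dataclass(frozen=True)
class Claim:
    type: str    # e.g. "email", "role", "account_id"
    value: str
    issuer: str  # who asserted it: the external provider or this application


@dataclass
class Account:
    account_id: str
    logins: Set[Tuple[str, str]] = field(default_factory=set)  # (provider, provider_user_id)
    roles: Set[str] = field(default_factory=set)               # granted by an admin of this app


class AccountStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self._by_login: Dict[Tuple[str, str], str] = {}

    def register(self, account_id: str, provider: str, provider_user_id: str) -> Account:
        """Link an external login to a local account, creating the account if needed."""
        acct = self._accounts.setdefault(account_id, Account(account_id))
        acct.logins.add((provider, provider_user_id))
        self._by_login[(provider, provider_user_id)] = account_id
        return acct

    def grant_role(self, account_id: str, role: str) -> None:
        """Admin action: this is where the "Manager" claim is created and stored."""
        self._accounts[account_id].roles.add(role)

    def sign_in(self, provider: str, provider_user_id: str, external_claims: List[Claim]) -> List[Claim]:
        """Merge the provider's identity claims with this app's own role claims."""
        account_id = self._by_login.get((provider, provider_user_id))
        if account_id is None:
            # First visit: create the account so later role grants can be tied to it.
            account = self.register(f"acct-{provider}-{provider_user_id}", provider, provider_user_id)
        else:
            account = self._accounts[account_id]
        # Only this app issues role claims; a role asserted by the provider is dropped.
        external = [c for c in external_claims if c.issuer == provider and c.type != "role"]
        local = [Claim("role", r, APP_ISSUER) for r in sorted(account.roles)]
        return external + [Claim("account_id", account.account_id, APP_ISSUER)] + local


def is_in_role(claims: List[Claim], role: str) -> bool:
    """Authorization check: trust role claims only when this application issued them."""
    return any(c.type == "role" and c.value == role and c.issuer == APP_ISSUER for c in claims)
```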