I'm wondering if I'm going about this wrong... but still....
For security reasons, it would be preferred that an App used integrated security to talk to its database, using the app's Service Principal AAD account.
But how to set this up using ARMs, hopefully with no manual steps?
For example, when creating an ARM that creates an environment from scratch, starting with the App Service... how does one create an App Service Principal (or trigger the creation of one automatically?), in order to use it as a parameter when developing the new sql server and database?
Can one set up a Service Principal account before an app is installed, and then associate it to the newly installed app? That way one could pass the name of the Service Principal as Parameters.
Thank you for any advice on whether:
it's actually possible (maybe ARMs actually can't be pushed that far, and security accounts are considered outside the scope of infrastructure provisioning),
if so, how!?!
Thank you.
IntegratedSecurity is not applicable to Azure SQL.
I'm currently figuring out how to do it with MSI.
https://learn.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview
Related
Sorry no code here because I am looking for a better idea or if I am on the right track?
I have two websites, lets call them A and B.
A is a website exposed to the internet and only users with valid account can access.
B is a internal (intranet) website with (Windows authentication using Active directory). I want Application B (intranet) to create users for Application A.
Application A is using the inbuilt ASP.NET JWT token authentication.
My idea is to expose a Api on the extranet website (A) and let (B) access this API. I can use CORS to make sure only (B) has access to the end point but I am not sure if this is a good enough protection? We will perform security penetrations test from a third party company so this might fail the security test?
Or
I can use entity framework to a update the AspnetUsers table manually. Not idea if this is feasible or the right way or doing things.
Any other solution?
In my opinion, don't expose your internal obligations with external solutions like implementing APIs etc ...
Just share the database to be accessible for B. In this way, the server administration is the only security concern and nobody knows how you work. In addition, It's not important how you implement the user authentication for each one (whether Windows Authentication or JWT) and has an independent infrastructure.
They are multiple solution to this one problem. It then end it really depends on your specific criteria.
You could go with:
B (intranet) website, reaching into the database and creating user as needed.
A (internet) website, having an API exposing the necessary endpoint to create user.
A (internet) website, having data migration running every now and then to insert users.
But they all comes with there ups and downs, I'll try to break them down for you.
API solution
Ups:
Single responsibility, you have only one piece of code touching this database which makes it easier to mitigate side effect
it is "future proof" you could easily have more services using this api.
Downs:
Attack surface increased, the API is on a public so subject to 3rd parties trying to play with it.
Maintain API as the database model changes (one more piece to maintain)
Not the fastest solution to implement.
Database direct access
Ups:
Attack surface minimal.
Very quick to develop
Downs:
Database model has to be maintained twice
migration + deployment have to be coordinated, hard to maintain.
Make the system more error prone.
Migration on release
Ups:
Cheapest to develop
Highest performance on inserts
Downs:
Not flexible
Very slow for user
Many deployment
Manual work (will be costly over time)
In my opinion I suggest you go for the API, secure the API access with OAuth mechanism. It OAuth is too time consuming to put in place. Maybe you can try some easier Auth protocols.
I have an enterprise application which needs to synchronise user information from the centralised source. We have been so far been integrating using LDAP with AD using a daemon process.
However, In our next deployment we need to integrate with PeopleSoft HRMS (9.1). The application needs to periodically synchronise users with the PeopleSoft HRMS.
I wanted to check how to proceed on implementing this?
Is there a standard module which would expose these details or does it allow LDAP communication?
Any direction on how to consume user records will be helpful.
Webservices can be implemented with Integration Broker: https://docs.oracle.com/cd/E41633_01/pt853pbh1/eng/pt/tibr/concept_IntroductiontoPeopleSoftIntegrationBroker-076593.html
A more low-level approach could be done with an Application Engine.
Your enterprise application could generate an XML/csv.
You would make a record in peopletools that corresponds with the fields in the XML/csv file. Then you make a fileLayout. If you drag this fileLayout into the Application Engine peoplecode window, you get a template of what your code should be and you'd have to complete it with some paths to files and minimal logic to process and import the data into your user tables.
Remember you can schedule Application Engines with reccurence, so after setting this up all you need to worry about is that the file gets updated.
If you require validation you should also look into feeding the data to a Component Interface after reading it in via Application Engine.
I have separated out the web servers from corda application.
I created a demo spring web application and moved REST APIs to web controller layer.
I am getting NodeRPCConnection using hard coded [for now] username/password/host/port. [hardcoded in properties file]
Now I have to implement production-grade User-Authentication/Login through web application.
I Would like to know ,
Whether there will be one web application require per corda node ?
or one web application serving all corda nodes ?
What are the recommendations/ suggestions for implementation of user
authentication/login [rpcuser].?
If i have separate system users , how do i map them to rpcusers ?
do i need to create a separate db in middle layer for this mapping ?
To access corda node we always need to get NodeRPcConnection before invoking different flows.
so How we should move incoming traffic [ Dynamically ] to particular corda node ?
Any suggestions / guidelines will be helpful.
Thanks.
It sounds like you plan to run lots of nodes yourself? It's really up to you how you structure this - there's no one right answer. If your nodes are run by different organisations then they'd run one web server internally for each of them.
If you're running lots of nodes on behalf of others, you would probably use a separate RPC connection for each potential identity that's being controlled from the web app, as we're working on support for multiple identities per node so in future you would only need one node, and you'd be able to act as different identities by using different RPC users.
Is there a way to log in to Microsoft.Azure.Management.Fluent as myself instead of as a service principal?
I want to use .NET instead of Powershell or the Azure UI to automate management tasks (via F# scripting), but I don't want to have to create a service principal that has my same permissions first. I just want to be able to use my own identity and permissions. SdkContext.AzureCredentialsFactory has various overloads for getting Azure credentials for a service principal, but I want something more like Powershell's "Login-AzureRmAccount" command that lets me log in as myself.
Is this a supported scenario?
For .Net4.5.2 there is FromUser method that you can use
For .NetCore there is FromDevice method that can be used.
First one will let you use your username/pass. The second one will require you to follow the steps provided in the service response Message object (Opening a browser with the provided link and using provided PIN for authentication).
I have a SharePoint application that needs to integrate with very sensitive databases. The data required is from multiple databases; almost 40 different databases on different servers.
The suggested design was to have a web service to integrate with, which will then connect to the required database based on the required business logic. However the concern is, if someone somehow got access to the server hosting this web service, all the database connections will be there.
Another suggestion was to have a dedicated web service for each database. This way even if someone got access to this web service, only one database connection will be there.
The question is, is there any known design that can work for this situation to add more security to the database connections?
The answer really depending on your specific requirements. an easy way of doing so is to use "Open Data Protocol" OData. and then secure it with windows directory login, or perhaps ASP.NET login.
take a look at http://www.odata.org/ and http://msdn.microsoft.com/en-us/library/ff478141.aspx