openid connect for drupal tutorial - drupal

Here is the scenario. I am trying to create a Drupal 7 site that will serve as my OpenID Connect server for another site that is being created in Python. We want to have single sign-on for the Python site so that users will be synchronized between both the Drupal site and the Python site.
Question:
Does anyone know of a step by step tutorial (or can you tell me how) to setup a drupal site to do this?
I don't know anything about Drupal and I am having a very difficult time trying to get the OpenID Connect module properly configured to allow SSO. I think I have successfully installed the OpenID Connect, OpenID Connect SSO, and OAuth2 modules as well as the oauth2_server_php library.
Where I am stuck:
When I go into the OAuth2 settings, the "Use openid connect" checkbox is not present. According to one tutorial I have seen, it's supposed to be there.
When you configure OpenID Connect, the 3 URL endpoints (Authorization endpoint, Token endpoint and UserInfo endpoint) are a mystery to me and I don't know what to put in them. Right now my Drupal server is running on my localhost webserver: "http://localhost/drupal"

So you are basically trying to implement the OpenID Connect protocol and then use that from a Python-based website. I guess you have already googled that and are trying to implement your own.
And the second portion is how your Python website will use this newly created OpenID Connect implementation.
We already have an OpenID Connect implementation and also a step-by-step guide for sites wanting to use it.
If you want to consider an alternative, we have a step-by-step guide with sample code in Java as well as PHP on how to use miniOrange as your OpenID Connect provider, here.
So this guide will take care of your "another site in Python".
Python samples are being added as we speak, so stay tuned or ping me if you are interested.

Related

How to change default MaxScale credentials for GUI

MaxScale from v2.5 has a nice web GUI based on the REST API. However, it has default credentials admin:mariadb. Does anyone know how to change this?
I've searched around in the MariaDB docs, but found that the only options you can change are to add SSL certs for the web GUI to encrypt the passwords being passed, and to switch the auth off/on entirely. Any ideas?
You can use the maxctrl command line client to manage users. The MaxScale administration tutorial has a section on how to create new users and to remove old ones.
The REST API tutorial also has a section on how to harden it for a more secure installation.

Authentication from wordpress REST API

After searching through the WordPress documentation and Google, I haven't found any proper way to achieve my goal: being able to log in to WordPress from a custom third-party application built with Node.js.
The step is to check whether a username/password pair belongs to an administrator and then process tasks in my external app.
Has anyone already used the WordPress REST API to authenticate a user? WITHOUT INSTALLING ANY PLUGIN. I just want to get a response from the server telling me whether my username/password pair is valid and is an administrator. I know I can ask the database to check, but I want to go through the built-in WP REST API.
Thank you.
The simple answer is no, and here is why:
"While cookie authentication is the only authentication mechanism available natively within WordPress, plugins may be added to support alternative modes of authentication that will work from remote applications. Some example plugins are OAuth 1.0a Server, Application Passwords, and JSON Web Tokens."
Source: WordPress Official Handbook
However, there is a painful and insecure way of doing it with plain HTTP authentication, which is not recommended.
The recommended way of doing this securely is to get the WordPress JWT or OAuth Server extension and use the standard authentication process, which is more convenient and secure; WordPress already lists these, as referenced in the quote. Hope this helps!

Tableau : Trusted authentication for vpn clients using asp.net

I am new to Tableau. I have this complicated problem in our system, where I am trying to use trusted authentication to bypass the Tableau login. We have installed Tableau Server (ex: 1.2.3.4) and have added the webserver (ex: 1.3.3.4) to its trusted hosts list. In order to connect to the servers, we use Cisco VPN, and our IP is dynamic.
The Tableau reports are to be integrated into an ASP.NET web application hosted on the webserver (1.3.3.4), which has an existing login mechanism. So, I would like to avoid/bypass the Tableau login. To achieve this, I am trying to use trusted authentication. When I tested this on the webserver (1.3.3.4) as mentioned in the link http://kb.tableau.com/articles/knowledgebase/testing-trusted-authentication, it returns a ticket value only when I send the client IP. But when I try to access the embedded Tableau reports, I am unable to get the reports. Instead, I get a "Could not locate unexpired trusted ticket" error. Also, I am unable to find a way to retrieve the VPN IPs of the clients from my webserver. My requirement is to find a proper way to avoid the Tableau login (using trusted authentication) while embedding the reports in our ASP.NET web application.
Is there any other possible way of implementing this, or am I missing something? Since I can't find any proper examples for this, I am posting this question. Kindly provide me your valuable input in finding a suitable solution.
Thanks in advance.

Active Directory Development Environment

I have a requirement to integrate an ASP.NET web application with Active Directory; basically they want to be able to authenticate and authorize with AD.
I realise this is relatively simple, but what I want to know is how I can simulate AD for developing and testing against. I don't have AD available to me (right now) and don't cherish the thought of setting it up even if I had hardware available to run it on.
What other options are available to me? I've seen ADAM mentioned in a couple of places, but this doesn't seem to provide the federation services I need (and seems a little outdated). Would it be possible to use Azure for this? I want to keep costs (time-wise as well as money) to a minimum.
I have managed to set up an Active Directory environment suitable for development using a Microsoft Azure VM.
A brief summary of the steps I went through to get this working is below. Although setting up AD and ADFS sounds scary, the Windows Server 2012 interface makes it much easier, barring a few gotchas I mention below; it takes a while for them to install as well.
Create a new Azure Windows Server 2012 VM and add endpoints for HTTP and HTTPS.
Install the AD role on the VM.
Install the ADFS role on the VM.
Create an ASP.NET MVC 4 app (on your dev machine) and verify it is working correctly.
Run the app through IIS (not IIS Express; this just makes SSL etc. easier).
Ensure the site has an HTTPS binding set up.
Install the Identity and Access tool for VS2012.
Right-click your project to select the Identity and Access tool.
The path to the STS metadata document will be https://<your VM url>/FederationMetadata/2007-06/FederationMetadata.xml (you may need to download this file manually if your certificates are self-signed).
Back on your VM, in ADFS create a relying party trust for your application.
Run your MVC app again and you should be redirected to your VM for authentication and then back to your app again (but this time using HTTPS).
If you are using the default MVC template, in the top right corner, assuming you have set up the claims correctly, you should see Hi, <user>#<domain>
The main articles that I followed to achieve this are as follows:
http://blogs.rondewit.com/post/MVC-2b-ADFS-20-Federated-Authentication.aspx
http://garymcallisteronline.blogspot.co.uk/2013/01/aspnet-mvc-4-adfs-20-and-3rd-party-sts.html
Below is a list of gotchas that I hit (in no particular order).
When setting up the relying party trust, enter the data manually and ensure you set the Relying party WS-Federation Passive protocol URL and the relying party trust identifiers correctly. The first is simply the HTTPS URL that ADFS will redirect back to after authentication has completed, https://localhost for example. The second is an identifier used to identify the application that is trying to authenticate. One of the identifiers entered must match the realm attribute of the wsFederation node in your MVC 4 app's web.config.
When logging in the username should be of the form <domain>\<username>
I couldn't get Windows Authentication to work with any browser other than IE. For this setup to work with Chrome I had to change the order of the local authentication types in the web.config of the adfs/ls application so that forms authentication appeared first. To get to this, open up IIS Manager on your VM, expand Default Web Site/adfs/ls, right-click ls and select Explore.
At the time of writing I haven't been able to log in with an AD user I created myself; I've probably just not set it up correctly. When setting this up initially, I'd suggest trying to connect with the admin user you created through the Azure portal when you created the VM.
Once I finally managed to authenticate correctly, the AntiForgeryToken HTML helper started throwing an exception about missing claims. Ensure that you have added a claim rule to your relying party trust that sets either the name or name id claim. Then in Application_Start do the following: AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name; as explained here.
It is also worth noting that the Identity and Access tool allows you to set up authentication with Azure ACS and, more noteworthy, a development STS. For my requirements, I need to be able to integrate with ADFS, but if you're just experimenting with claims-based authentication, one of these may be a better option than the process that I have gone through above.
Consider ADFS and WS-Federation.
WS-Federation is an enterprise SSO protocol that gives you cross-domain authentication/authorization in an SSO manner. ADFS is a free implementation of the protocol that sits on top of Active Directory. It is relatively easy to set up.
But having a client application that expects a WS-Federation identity provider, you can substitute the provider with any compliant provider: your own, or IdentityServer, which is another free implementation but can use a membership provider. A completely custom implementation, on the other hand, would give you a chance to set up and serve arbitrary identities.
There is a small learning curve for this approach, but the benefits are:
cross-domain SSO
support for multiple browsers for free (Kerberos/NTLM-based AD authentication could be unsupported on some browsers)
works in an intranet and on the internet
support for advanced scenarios; for example, you can set up your cloud Office 365 to authenticate against your local ADFS
ADFS 2.0 is a free component downloadable from MSDN

Theory recommendation about LDAP

I need to implement an application that supports LDAP authentication.
I want to know in detail how such a network works. Can you recommend some reading about it, a book perhaps with a broader explanation of LDAP-authenticated networking, or at least some online tutorials? I would like to see a step-by-step guide to creating such a network and, if possible, cross-platform theory with samples on Windows and *nix systems.
Thanks.
LDAP System Administration is the book I read when I first started with LDAP.
That and the OpenLDAP Administrator's Guide.
In addition to gacrux, I'd suggest looking at:
Lightweight Directory Access Protocol (Wikipedia) for an introduction
LDAP Linux HOWTO by Luiz Ernesto Pinheiro Malère
Understanding LDAP (part 1) and Understanding LDAP (part 2) on devshed.com
LDAP and OpenLDAP (on the Linux Platform) slides
Are you looking to build new LDAP server infrastructure, or are you looking to use an existing service?
If you're building infrastructure, then Understanding and Deploying Directory Services has long been the book to get. It clearly explains what LDAP is, how to design your schema and directory information tree layout, and how to choose an appropriate directory topology.
If you're trying to authenticate users against an existing LDAP service, you would be best served by reading the library docs for your language. The typical process for authenticating users goes like this:
Take the user's user id and search LDAP for that user to obtain the distinguished name (or DN, a unique name for each entry in the LDAP tree).
Use the retrieved DN and the password the user provided to "bind", i.e. authenticate against the LDAP server as that user.
Check the return code from the server to determine whether the bind was successful.
Based on the result of the previous step, allow or disallow the user.
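The search-then-bind flow from the answer above, as an added example that is not from the answer or from any LDAP library. It runs against a constructed in-memory stand-in for a directory server (the FakeLdap class, its two entries and the base DN are all assumptions; a real client such as python-ldap or ldap3 would replace it), and it adds the two checks a production client needs that the four steps leave implicit: escaping the user id before it goes into the search filter, and refusing an empty password, since many servers treat a DN with an empty password as an anonymous bind that "succeeds".

```python
import hmac
import re

# Constructed sample directory: DN -> attributes (not a real server).
BASE_DN = "ou=people,dc=example,dc=com"
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "hunter2"},
}


def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 filter metacharacters so a user id is matched literally."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


class FakeLdap:
    """Minimal search/bind stand-in modelling the server behaviours that matter here."""

    def __init__(self, entries=ENTRIES):
        self.entries = entries

    def search(self, base_dn: str, filter_str: str) -> list:
        """Return the DNs under base_dn matching an equality filter on uid."""
        if filter_str == "(uid=*)":  # presence filter: a real server matches every entry
            return [dn for dn in self.entries if dn.endswith(base_dn)]
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base_dn)
                and filter_str == f"(uid={escape_filter_value(attrs['uid'])})"]

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind; models the RFC 4513 'unauthenticated bind' pitfall."""
        attrs = self.entries.get(dn)
        if attrs is None:
            return False
        if password == "":  # DN + empty password: treated as anonymous, reports success
            return True
        return hmac.compare_digest(attrs["userPassword"], password)


def authenticate(ldap, base_dn: str, user_id: str, password: str) -> bool:
    """Steps 1-4 from the answer, with the client-side checks they depend on."""
    if not password:  # never let an empty password reach the server
        return False
    # Step 1: find the entry's DN; the user id is escaped so it cannot alter the filter.
    dns = ldap.search(base_dn, f"(uid={escape_filter_value(user_id)})")
    if len(dns) != 1:  # unknown or ambiguous user: fail closed
        return False
    # Steps 2-4: bind as that DN and let the server's verdict decide.
    return ldap.bind(dns[0], password)
```

Calling `FakeLdap().search(BASE_DN, "(uid=*)")` directly returns both entries, which is exactly what an unescaped `*` typed as a user id would do; after escaping it matches nothing.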
