I have crawlers running on VMs in Azure. After work is finished the Data crawled needs to be distributed to users across the internet depending on their access level. What I need help with:
1. How to onboard users? My idea was to use Azure AD
2. How to organize a pipeline from the crawlers to end users, but some access rules and data filters need to be applied before using. What is the most effective way? My idea was to use Azure Functions and then Azure SignalR so my clients (desktop, mobile) can get data very fast. Would all that be organized as a Logic App?
Please help. I am just starting my programming experience so sorry if my question is naive.
How to onboard users?
Azure AD would be a good choice for you. With Azure AD, it will be convenient to manage the users.
How to organize pipeline from the crawlers to end users but some access rules and data filters need to be applied before using.
Based on the description you provided, you will expose the crawled data as a REST API, right? If so, you can integrate your API with Azure AD, then you can control the user access as you need. You can add app roles in your application and assign users and groups to roles, then different users will have different roles to access your API.
Reference:
How to: Add app roles in your application and receive them in the token
Integrating with Azure Active Directory
I am building an ERP and I decided to deploy it on AWS. I already coded my frontend in React and my backend in Python Django. They are both Dockerized and I will deploy them on ECS Fargate, with PostgreSQL on ECR. All of this is contained in a VPC.
I want to create 1 VPC per client/company with their own pool of users authenticated with either Django or cognito. I'm not sure yet.
But I am wondering if I can have a landing page with my domain name where clients would be signing in with a cognito pool, giving them access to their respective VPC in a subdomain. And then signing in as a user in that VPC on a different sub-pool. Won't I have a token conflict being on the same domain?
I think having those 2 layers of auth would avoid chances of having clients accessing the wrong database.
(example: new user created in the wrong pool)
This is my first post, although I use this forum a lot. I hope it is clear. Let me know if you need more details
thanks
Update: so it seems I'm trying to do a multi-tenant application. I made a diagram to show what I am going for. The setup for each individual VPC I'm almost done with, and I have a good idea how to implement it. It's the top part that I can't wrap my head around.
I think there should not be "two layers of authentication".
You should authenticate users with Cognito only once and assign authenticated users an IAM role. This IAM role and policies linked to it are used to control user access to different AWS resources.
There are several ways to achieve this. Some of them depend on AWS service quotas, the overall application and service architectures, etc.
You may find this AWS document useful: https://docs.aws.amazon.com/cognito/latest/developerguide/multi-tenant-application-best-practices.html
If you are able to provide a conceptual architecture diagram with all the AWS resources you are intending to use, there will be a chance that you receive more detailed answers.
Problem statement
I need to make finding all the available Active Directory groups and their relationships in a tree and forest structure, for each and every enterprise application held on an AD Domain Server, easy to identify and understand by business users and technical users via an existing IT Service Request web based application.
What I am hoping to achieve as an outcome is:
Knowledge of an API that I can connect to extract this metadata from and synchronise with the IT Service Request Application
Knowledge of what metadata AD Domain Servers are capable of providing
Knowledge of how to connect and synchronise the metadata from the IT Service Request web based application without compromising security
You didn't say which language you want to use. I will assume you will use one of the .NET languages, since that is by far the easiest to interact with AD.
To read the Active Directory Schema, you can use ActiveDirectorySchema.GetCurrentSchema(). That will return an ActiveDirectorySchema object that you can use to read much of the information you would want to know. There are examples for how to use it here.
For your 3rd point: to read this data you have to be authenticated as a user of that domain (or a trusted domain). Authentication is already built in. When you use ActiveDirectorySchema.GetCurrentSchema(), for example, it uses the credentials of the current user to authenticate.
I have dozens of Azure Active Directory APIs and SPAs that talk to each other. Here is an example:
User - Has roles necessary to use SPA and API 1
SPA - Talks to API 1 using Delegated Permissions
API 1 - Talks to API 2 using Application Permissions
API 2
These SPAs and APIs each have a single Application and Client ID in Azure Active Directory, but they are multi-tenant, in that they serve internal users in multiple countries using Role Based Access Control (RBAC).
All of the above applications run internally, but I have a new requirement that we need to hand over the SPA application to users external to the company, and they should not be able to see parts of the SPA for other tenants, and also they must not be able to call APIs for other tenants. How can this be achieved?
For your scenario, I think you can use Azure AD App roles for it.
For example:
You can create two roles in the Azure AD application for the SPA. One is Admin, who can access the whole SPA site and API 1. One is User, who can only access part of the SPA and cannot access API 1. Then you can assign roles to users. If you have AAD Basic or Premium, you can assign roles to groups.
After finishing this, you will get the roles information in the id_token, so that you can give them different access to your SPA. The rest of the work should be built into your SPA to deliver different access to different users.
You can also read this blog written by Joonas for more details.
Additionally, this answer is just a solution as I thought of it; it may be a little different from your realistic scenario, which I cannot test.
Hope this helps!
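The app-roles approach in the two answers above (roles claim in the token, then the API and SPA decide what each role may reach) comes down to a small authorization check. The following is an added example, not code from the thread or from Microsoft; it assumes the token's signature, issuer, audience and expiry have already been validated by the authentication library and that only the resulting claims are passed in. The role names Admin and User follow the answer above; the resource names, the allowed-tenant list and the sample tenant IDs are constructed for illustration.

```python
"""Role- and tenant-based authorization on validated Azure AD token claims.

Added example (not from the original thread). Assumes the token has already
been validated (signature, issuer, audience, expiry) upstream; this code only
evaluates the claims dictionary that validation produced.
"""
from __future__ import annotations

# Resource names are assumptions for this example.
SPA_BASIC = "spa:basic"  # the part of the SPA every assigned user may see
SPA_FULL = "spa:full"    # the whole SPA
API_1 = "api1"           # the backend API the SPA calls

# App role -> resources it unlocks. Admin reaches the whole SPA and API 1;
# User reaches only the basic part of the SPA and may not call API 1.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "Admin": frozenset({SPA_BASIC, SPA_FULL, API_1}),
    "User": frozenset({SPA_BASIC}),
}


class AuthorizationError(Exception):
    """Raised when the caller must not reach the requested resource."""


def resolve_permissions(claims: dict, allowed_tenants: frozenset[str]) -> frozenset[str]:
    """Map validated claims to the set of resources the caller may use.

    Tenant isolation is enforced first via the "tid" claim: a token issued for
    a tenant this deployment does not serve is rejected outright, whatever
    roles it carries. A user with no app role assigned gets no access.
    """
    tenant = claims.get("tid")
    if tenant not in allowed_tenants:
        raise AuthorizationError(f"tenant {tenant!r} is not served by this deployment")
    roles = claims.get("roles") or []  # Azure AD emits "roles" as a list of strings
    permissions: set[str] = set()
    for role in roles:
        permissions |= ROLE_PERMISSIONS.get(role, frozenset())  # unknown roles grant nothing
    return frozenset(permissions)


def require(claims: dict, resource: str, allowed_tenants: frozenset[str]) -> None:
    """Raise AuthorizationError unless the caller may access `resource`."""
    if resource not in resolve_permissions(claims, allowed_tenants):
        raise AuthorizationError(f"{resource} is not permitted for roles {claims.get('roles')}")


def can_access(claims: dict, resource: str, allowed_tenants: frozenset[str]) -> bool:
    """Boolean form of require(), convenient for the SPA side."""
    try:
        require(claims, resource, allowed_tenants)
        return True
    except AuthorizationError:
        return False


# Constructed sample claims (tenant IDs are placeholders, not real tenants).
TENANT_A = "00000000-0000-0000-0000-00000000000a"
TENANT_B = "00000000-0000-0000-0000-00000000000b"
SERVED_TENANTS = frozenset({TENANT_A})

ADMIN_A = {"tid": TENANT_A, "oid": "user-1", "roles": ["Admin"]}
USER_A = {"tid": TENANT_A, "oid": "user-2", "roles": ["User"]}
NO_ROLE_A = {"tid": TENANT_A, "oid": "user-3"}            # assigned no app role
ADMIN_B = {"tid": TENANT_B, "oid": "user-4", "roles": ["Admin"]}  # foreign tenant

if __name__ == "__main__":
    for name, claims in [("admin A", ADMIN_A), ("user A", USER_A),
                         ("no role A", NO_ROLE_A), ("admin B", ADMIN_B)]:
        decisions = {r: can_access(claims, r, SERVED_TENANTS) for r in (SPA_BASIC, SPA_FULL, API_1)}
        print(name, decisions)
```

In an API handler, `require()` sits after token validation and before any data access; returning 403 on AuthorizationError keeps the tenant check and the role check in one place rather than scattered through the SPA.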
I'm using the passport-azure-ad library to authenticate people into our app. We are using the v2.0 endpoint. I have created multiple applications in the Microsoft app registration portal, and have a lot of redirect URLs because we have a lot of different environment apps. It was registered under my Microsoft employee account. Now I need to transfer ownership to another developer. How can I do it? Do I need to recreate all these apps in another account? I assume that this will create new app IDs and thus will ask for permissions from all users again. Is there a way to transfer ownership and not recreate all apps again?
Assuming you created your applications using your Azure Active Directory account (like your Microsoft Employee Account) you will have access to an "Owners" field where you can add new owners to the application which are in the same tenant as you.
If you are trying to transfer an application to a user from a different Tenant or using an MSA account, that is not currently supported, but something that is being considered for the future.
If you need to create a new application id, you will not be able to transfer the consent that you had from the first app over to this second one. That is just not really possible nor something we would look to support due to the security implications.
I have built a web application based on Azure. I have a Web API service as backend and AngularJS as frontend, hosted in Azure.
I want to create a login page with individual user accounts. After some reading I found different user authentication strategies. Some use a SQL database for managing user accounts. Some use Azure Active Directory. When should I use Azure AD and when a SQL database?
My opinion is to compare the benefits you will get.
Azure AD:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-whatis/
For IT Admins, Azure AD provides an affordable, easy to use solution to give employees and business partners single sign-on (SSO) access to thousands of cloud SaaS Applications like Office365, Salesforce.com, DropBox, and Concur.
For application developers, Azure AD lets you focus on building your application by making it fast and simple to integrate with a world class identity management solution used by millions of organizations around the world.
Azure AD also includes a full suite of identity management capabilities including multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management, role based access control, application usage monitoring, rich auditing and security monitoring and alerting. These capabilities can help secure cloud based applications, streamline IT processes, cut costs and help assure corporate compliance goals are met.
If you do it yourself with your database, you will have to do all of the above yourself, e.g. SSO with Office365.
So you have to ask yourself what your app does, and choose the approach that fits your needs.
The application managing its own user accounts in SQL is called forms based authentication. It's how most internet applications used to work, but it came with a lot of downsides.
Users had to remember a password for each site, but often reused passwords across multiple sites. If one site got hacked and lost the password database, users' accounts on other sites could become compromised.
To prevent this, sites had to make sure that they stored passwords correctly (salted and hashed with a slow algorithm) and apply other kinds of operational security to protect the database.
Then token based authentication came along which let applications delegate the authentication piece to an external 3rd party. This allows users to log in to multiple apps with the same username and password.
Most of these 3rd party login providers like Google, Microsoft, Facebook etc. have specialists working on these services and are therefore more likely to be secure than anything you create yourself.
So, unless you have really good reasons not to, I would recommend using a 3rd party login provider like Azure AD and possibly others.
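For the case where an application does keep its own accounts, the answer above names the minimum bar: salted and hashed with a slow algorithm. The following added example (not code from the thread) shows what that looks like with hashlib.scrypt from the Python standard library; the cost parameters, the record format and the rehash policy are choices made for this example, and the test password is constructed.

```python
"""Password storage for forms-based authentication: per-user salt, slow KDF.

Added example, not from the original thread. Uses hashlib.scrypt (standard
library). Parameters are stored in each record so they can be raised later
and old records upgraded on the next successful login.
"""
import base64
import hashlib
import hmac
import os

# Cost parameters chosen for this example; n must be a power of two.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt$key (base64 fields).

    A fresh random salt per password means two users with the same password
    get different records, and a precomputed table is useless against the dump.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(key)}"


def _parse(record: str):
    """Split a stored record; raises ValueError on any malformed field."""
    scheme, n, r, p, salt_b64, key_b64 = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported scheme")
    return int(n), int(r), int(p), base64.b64decode(salt_b64, validate=True), \
        base64.b64decode(key_b64, validate=True)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own parameters; compare in constant time."""
    try:
        n, r, p, salt, expected = _parse(record)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a record was made with weaker-than-current parameters."""
    try:
        n, r, p, _salt, key = _parse(record)
    except ValueError:
        return True
    return (n, r, p) < (SCRYPT_N, SCRYPT_R, SCRYPT_P) or len(key) < KEY_BYTES


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("wrong password", record))
    print("needs rehash:", needs_rehash(record))
```

On login, call `verify_password` and, if it succeeds and `needs_rehash` is true, store `hash_password(password)` in place of the old record; that is how cost parameters get raised over time without forcing a reset.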