How to configure external authentication schemes after service startup - identityserver4

I want to roll my own instance of identityserver4 as authentication instance for a service I am hosting in the cloud.
My concrete scenario is that I want customers to be able to set up federation with their ADFS in a self-service manner, similar to how Slack, Expensify or Namely allow this.
I know how federating works. Usually in the Startup in ConfigureServices you add the following
services.AddAuthentication()
    .AddCookie("cookie")
    .AddSaml2p("idp1", options => {
        .....
    })
    .AddSaml2p("idp3", options => {
        .....
    });
and so on, and I can use the name of the scheme to later challenge the external ADFS. But this only and always happens at the startup of the service. When a customer configures the connection to his ADFS later, my service is already up and running, and I don't want to restart my service to be able to configure the federation between my identityserver and the external provider.
Is there a way to configure this without restarting the service?

There are two options as I see it:
https://www.identityserver.com/documentation/dynamic-authentication-providers
OR - as I had to a couple of years ago before anything like the above existed - creating your own version of the authentication handler (surprisingly few changes required) to accept parameters via the properties passed to ChallengeAsync(). In the case of OIDC all I needed to override was the authority URL and client ID, since I'm only using id_token.

Related

OSB - Get endpoint from business services to log this endpoint

How can I get the business service endpoint in a proxy flow? I want to log this endpoint in my log file.
I use OSB 11.1.1.7.
Thanks
Try with $outbound/ctx:transport/ctx:uri from proxy.
This can be achieved with use of "Message Tracing" functionality. Look under "Operational Settings" tab. Make sure to set the detail level to "Full".
Unfortunately there is no OOTB functionality to access the service endpoint value inside an OSB pipeline. The context variable $outbound/ctx:transport/ctx:uri mentioned before is only used to override the default endpoint URI; ctx:uri is never initialized on the outbound variable. This information can be found in chapter "39.4.1.2 transport" of the "Fusion Middleware Administrator's Guide for Oracle Service Bus" (https://docs.oracle.com/cd/E28280_01/admin.1111/e15867/context.htm#OSBAG326).

Do we need Keystore/JKSKeyManager in IDP initiated SSO (SAML)?

I've successfully implemented SSO authentication using the Spring-SAML extension. Our primary requirement is to support IDP-initiated SSO to our application. Well, by using the configurations from spring-security-saml2-sample, even the SP-initiated SSO flow also works for us.
Question: Is the keystore used in IDP-initiated SSO (if the metadata has a certificate)? If it is not used, I would like to get rid of the keystore configuration from securityContext.xml.
Note: SP-initiated SSO and Global Logout are not needed for us. We use Okta as IDP.
This is a good feature request. I've opened https://jira.spring.io/browse/SES-160 for you and support is available in Spring SAML's trunk with the following documentation:
In case your application doesn't need to create digital signatures and/or decrypt incoming messages, it is possible to use an empty implementation of the keystore which doesn't require any JKS file - org.springframework.security.saml.key.EmptyKeyManager. This can be the case for example when using only IDP-Initialized single sign-on.
Please note that when using the EmptyKeyManager some of Spring SAML features will be unavailable. This includes at least SP-initialized Single Sign-on, Single Logout, usage of additional keys in ExtendedMetadata and verification of metadata signatures. Use the following bean in order to initialize the EmptyKeyManager:
<bean id="keyManager" class="org.springframework.security.saml.key.EmptyKeyManager"/>

Sitecore Active Directory Module

Currently we have our Active Directory (LDAP) domain controller defined in the ConnectionStrings.config file. Is it possible to configure a second domain controller, as a fail-over option?
For example, recently Domain Controller 1 failed, and I had to manually change the connection string to point to Domain Controller 2 - but the website was generating errors in the meantime (for several hours of downtime).
We are running Sitecore version 6.5 (Sitecore.NET 6.5.0 (rev. 120706)).
No, it's not possible to configure a fail-over partner.
You could put a load balancer in between the two domain controllers.
You could actually do that. There are options with the AD module that allow for connecting to multiple domains and/or using multiple providers. All pipelines in Sitecore are extendable, so there's nothing to stop you from setting this up. You could easily do some custom coding to catch exceptions during login and switch to a different provider. The trick is just doing the custom coding.

Configure Tomcat for Kerberos and Impersonation

I would like to configure Tomcat to be able to connect to AD and authenticate users accordingly.
In addition, I would also like to invoke some web services (in this case, Share Point) using the client credentials.
So far, I've managed to successfully configure Tomcat to use SPNEGO authentication, as described in the tutorial at http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. Note that I have used Tomcat's SPNEGO authentication (not Source Forge's or Waffle).
I did not use Source Forge's implementation since I wanted to keep things simple and use Tomcat's as provided out of the box. In addition, I wanted all the authentication and authorization to be handled by Tomcat, using the SPNEGO as the authentication method in WEB.XML and Tomcat's JNDI realm for authorization.
Also I have not used WAFFLE, since this is Windows only.
I'm using CXF as my Web Service stack. According to the CXF documentation at http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29, all you need to do to authenticate with a web service (in my case, Share Point) is to use:
<conduit name="{http://example.com/}HelloWorldServicePort.http-conduit"
         xmlns="http://cxf.apache.org/transports/http/configuration">
    <authorization>
        <AuthorizationType>Negotiate</AuthorizationType>
        <Authorization>CXFClient</Authorization>
    </authorization>
</conduit>
and configure CXFClient in jaas.conf (in my case, where Tomcat's server JAAS configuration is located), such that my jaas.conf looks like:
// Login context used by the CXF HTTP conduit (AuthorizationType=Negotiate)
CXFClient {
    com.sun.security.auth.module.Krb5LoginModule required
        client=true
        useTicketCache=true
        debug=true;
};

// Service principal used by the JGSS layer when Tomcat initiates a context
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/tomcatsrv.corporate.intra@CORPORATE.INTRA"
        useKeyTab=true
        keyTab="C:/Program Files/Apache/apache-tomcat-7.0.27/conf/tomcatsrv.keytab"
        storeKey=true
        debug=true;
};

// Service principal used by the JGSS layer when Tomcat accepts a SPNEGO token
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/tomcatsrv.corporate.intra@CORPORATE.INTRA"
        useKeyTab=true
        keyTab="C:/Program Files/Apache/apache-tomcat-7.0.27/conf/tomcatsrv.keytab"
        storeKey=true
        debug=true;
};
Yet, when I'm invoking the web service, it is invoked under the service username (i.e. Tomcat's username configured in AD and in tomcatsrv.keytab), rather than the client's username (e.g. duncan.attard).
So my question is this: Is there some way in which the client's username can be delegated (or use some sort of impersonation) to CXF so that when I invoke Share Point's web service (e.g. I want to upload a file using Copy.asmx), the file is uploaded as duncan.attard and not as tomcat.srv.
Thanks all, your help is much appreciated.
Technically, this works perfectly. Here's the recipe:
You do not need a login module name if you work with credential delegation.
You have to make sure that the user account is eligible for delegation.
Take a look at the implementation of Tomcat's GenericPrincipal; it will save you the GSS credential if there is one. Cast request.getPrincipal to GenericPrincipal and get the credential.
Now say you have the credential:
Construct a Subject with the Principal and the GSSCredential as private credential.
Wrap the CXF code into a PrivilegedAction.
Pass the constructed subject and an instance of your privileged action to the Subject.doAs method and the system will construct an AccessControlContext on behalf of the passed subject and will invoke everything in JAAS on behalf of that context. CXF should use those if it is implemented correctly. This is like su or sudo on Unix.
The easiest way to test that is to create an InitialDirContext in the privileged action on behalf of the client to your Active Directory. This is how I test a working credential delegation environment.
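The recipe above written out as code. This is an added example, not the answerer's own code; it assumes Tomcat 7's GenericPrincipal (whose getGssCredential() holds the credential the SPNEGO authenticator stored when the client delegated one) and a placeholder domain controller at ldap://dc.corporate.intra.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.realm.GenericPrincipal;
import org.ietf.jgss.GSSCredential;

public final class DelegatedLdapCheck {
    // Pull the delegated GSSCredential that Tomcat's SPNEGO authenticator stored on
    // the GenericPrincipal and wrap principal + credential in a Subject.
    static Subject subjectFor(HttpServletRequest request) {
        if (!(request.getUserPrincipal() instanceof GenericPrincipal)) {
            throw new IllegalStateException("request was not authenticated by Tomcat's SPNEGO authenticator");
        }
        GenericPrincipal gp = (GenericPrincipal) request.getUserPrincipal();
        GSSCredential delegated = gp.getGssCredential();
        if (delegated == null) {
            // Nothing was forwarded: the Tomcat service account is not trusted for
            // delegation in AD, or the client did not delegate its ticket.
            throw new IllegalStateException("no delegated credential for " + gp.getName());
        }
        Set<Object> privateCreds = Collections.<Object>singleton(delegated);
        return new Subject(true, Collections.singleton(gp), Collections.emptySet(), privateCreds);
    }

    // The smoke test from the answer: bind to AD inside Subject.doAs. If this bind
    // succeeds, the same wrapper is where the CXF call to SharePoint belongs.
    static String bindAsCaller(HttpServletRequest request) throws Exception {
        Subject subject = subjectFor(request);
        PrivilegedExceptionAction<String> bind = () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://dc.corporate.intra:389"); // placeholder DC
            // GSSAPI makes JNDI authenticate with the GSSCredential of the current Subject.
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            DirContext ctx = new InitialDirContext(env);
            try {
                return ctx.getNameInNamespace();
            } finally {
                ctx.close();
            }
        };
        return Subject.doAs(subject, bind);
    }
}
```

If the bind fails with a GSS error while the plain SPNEGO login works, check the delegation setting on the service account first, since that is what decides whether getGssCredential() returns null.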

Calling GAS Script published as a Service from GWT

I have created a Google Apps Script doPost script that I have published as a Service, only available to myself (as described in https://developers.google.com/apps-script/guide_user_interfaces#RunDecision, section "Publishing a Script as a Service").
I now have a URL like https://sites.google.com/a/macros/[google apps domain]/exec?service=[service key]
I want to call this service from a Google App Engine GWT application, but I don't know how to manage authentication.
If I select "Allow anyone to invoke this service" and then "Allow anonymous access", I can call this service from AppEngine, but in my case I absolutely need authentication.
Do you have any idea how to handle it?
If you only need to call this script from server to server and both of the endpoints are in your ownership, you could use a shared secret to do so, e.g.
Apps Script:
function doPost(e) {
  // e.parameter holds each request parameter as a single string;
  // e.parameters holds arrays, so compare against e.parameter.
  if (e.parameter.secret !== 'mysecret') {
    return ContentService.createTextOutput("Nice try!");
  }
  // your code here
}
and transmit it with the request. If you only share your script with "Anyone having the link", that should provide reasonable security - make sure you never log that request nor include it in an error message, however ;)
