So i'm looking into the possibility of having 1 single API store that can showcase APIs across 2 different domains. We are using WSO2 APIM and have all the components up and running on one domain alright. First would this be possible, we know that there is a firewall between the two domains so we would have to open some ACL's to allow this. Also would we be able to share a single Registry DB or would we need to have a Registry DB located in both domains? I'm hoping someone can provide me with a high level architecture view of how this can be achieved.
Thank you!
So to answer my own question looks like we are going to host the APIM Store on one domain and then use a ADFS to allow the users hosted on the other domains AD to gain access to i
Related
I'm trying to get a proof of concept going for a multi-tenancy containerized ASP.NET MVC application in Service Fabric. The idea is that each customer would get 1+ instances of the application spread across the cluster. One thing I'm having trouble getting mapped out is routing.
Each app would be partitioned similar to this SO answer. The plan so far is to have an external load balancer route each request to the SF Reverse Proxy service.
So for instance:
tenant1.myapp.com would get routed to the reverse proxy at <SF cluster node>:19081/myapp/tenant1 (19081 is the default port for SF Reverse Proxy), tenant2.myapp.com -> <SF Cluster Node>:19081/myapp/tenant2, etc and then the proxy would route it to the correct node:port where an instance of the application is listening.
Since each application has to be mapped to a different port, the plan is for SF to dynamically assign a port on creation of each app. This doesn't seem entirely scaleable since we could theoretically hit a port limit (~65k).
My questions then are, is this a valid/suggested approach? Are there better approaches? Are there things I'm missing/overlooking? I'm new to SF so any help/insight would be appreciated!
I don't think the Ephemeral Port Limit will be an issue for you, is likely that you will consume all server resources (CPU + Memory) even before you consume half of these ports.
To do what you need is possible, but it will require you to create a script or an application that will be responsible to create and manage configuration for the service instances deployed.
I would not use the built-in reverse proxy, it is very limited and for what you want will just add extra configuration with no benefit.
At moment I see traefik as the most suitable solution. Traefik enables you to route specific domains to specific services, and it is exactly what you want.
Because you will use multiple domains, it will require a dynamic configuration that is not provided out of the box, this is why I suggested you to create a separate application to deploy these instances. A very high level steps would be:
You define your service with the traefik default rules as shown here
From your application manager, you deploy a new named service of this service for the new tenant
After the instance is deployed you configure it to listen in a specific domain, setting the rule traefik.frontend.rule=Host:tenant1.myapp.com to the correct tenant name
You might have to add some extra configurations, but this will lead you to the right path.
Regarding the cluster architecture, you could do it in many ways, for starting, I would recommend you keep it simple, one FrontEnd node type containing the traefik services and another BackEnd node type for your services, from there you can decide how to plan the cluster properly, there is already many SO answers on how to define the cluster.
Please see more info on the following links:
https://blog.techfabric.io/using-traefik-reverse-proxy-for-securing-microservices-on-azure-service-fabric/
https://docs.traefik.io/configuration/backends/servicefabric/
Assuming you don't need an instance on every node, you can have up to (nodecount * 65K) services, which would make it scalable again.
Have a look at Azure API management and Traefik, which have some SF integration options. This works a lot nicer than the limited built-in reverse proxy. For example, they offer routing rules.
I am new to OIDC/OAuth2 and am looking to set up IS4 a single sign on server. I have an idea for a design but am not sure if it is a correct use of claims.
We have multiple apps used by different companies. Normally, a given identity would only have access to the resources across these apps for a single company, however some might have access to those of multiple companies (for example, an accountant who did the books for multiple clients).
I was thinking to provide these company ids as claims in the JWT. Would this be appropriate or is there a more commonly accepted way to achieve this?
I'd personally steer clear of this and keep the authorisation side of things inside the client app or API. I.e. company 1 and company 2's databases say that user xyz can access them and they do their checks locally.
I have multiple asp.net mvc websites hosted in sub folders of a main domain. Each website has its own sql server database. Currently users need to sign up to each individual website if they want access but I am looking for a sso solution. I guess a little bit like how ebay works where you can sign up in one country's domain but can log into ebay from any other of the domains ebay has sites for.
I am looking for the best architectural design to achieve this. After a lot of googling this seems to be the only solution that fits the bill but wanted to check first (http://arunendapally.com/post/implementation-of-single-sign-on-(sso)-in-asp.net-mvc). If this is the right approach how does that effect the database design, would the users now only get stored in their own database all of the other websites have access to?
I think that maybe moving the authentication part of your application somewhere else would be a better option.
You could try the approach suggested in your link.
Another option would be to look at external providers.
I'm thinking here about azure active directory (https://azure.microsoft.com/en-us/documentation/articles/active-directory-whatis/ with this example http://www.asp.net/identity/overview/getting-started/developing-aspnet-apps-with-windows-azure-active-directory) or auth0 (https://auth0.com/) for example.
That way you have a separate place for your user accounts which are in a database on the cloud which you don't have to manage. Somthing like azure active directory allows you to also set which users are allowed to access which app, which is also something you need to take into account.
I've created a website within the company that utilizes our active directory server to authenticate. I am concerned about security surrounding setting up relying parties with "localhost" domains.
I've pretty much followed this guide on setup. You'll notice about halfway down the page, there is a step to set up the development environment, localhost:44336 as a relying party.
I am concerned that someone could easily get the location of our federation metadata document, and simply roll their own project utilizing the same port and get access to our active directory. Is this a valid concern, or am I worrying over nothing? What would be a better alternative to having to use localhost in this configuration?
Yes it's safe. The metadata document only describes information about endpoints and about the token that active directory is issuing. It doesn't inherently have anything sensitive about it.
The actual authentication is still going to be handled by AD and unless the curious user already has a way to successfully authenticate against your AD then it's rather useless for him to hookup into that document.
Could they potentially create an app that uses your authentication protocol? Sure, but what would be the point if nobody can actually authenticate against it. Allowing this sort of behavior to happen is one of the points of ADFS.
I would like to redirect a domain to app engine, but my Domain provider only allows me to set information for Primary DNS and Secondary DNS. It means that there is no possibilities to set host records (cname, A, etc)
I think I do have to use a DNS Provider, but I'd like to know your opinion on what's the best way and where to do it.
Thanks in advance
I have been delighted with dns.he.net. It is completely free for 50 domains, and gives you the control you are looking for.