How would a common secret that hold the details of a DB address, username and password would look like in Azure Key Vault?
Would all these details be found in the secret's value?
As JSON? (what is the common content type)
I tried placing them in the value - as it is a string everything goes. I just didntsee ANY examples of such secrets and were wondering if i am missing something...
Related
So I created an enterprise application and have it configured for SAML based SSO. As I understand it, I've configured it so that the Unique User Identifier (Name ID) should be set the the email of the user within Azure.
When I attempted to login to test or use my new application through the portal, I can see that the NameID value in the response is actually set to a random string of characters (zReN4-W7ufefDDEh4pJ19K7pcMV84O5RKHSeOQ6wArU) which I assume unique identifies my user. I've tries altering the source attribute of the Name ID as well as the name identifer format but it always comes back as the exact same string in the response.
The application I'm trying to log into requires that the name ID be set to the user's email address and I don't understand why it's not being shown that way in the response. Any ideas why this is happening?
The NameID value is a targeted identifier that is directed only to the service provider that is the audience for the token. It is persistent - it can be revoked, but is never reassigned. It is also opaque, in that it does not reveal anything about the user and cannot be used as an identifier for attribute queries.
Generally, if the user does not have value in mail attribute, then Azure AD would send persistent format for Name ID and set random value in it.
For more information on the SAML Protocol can go through this article and similar question
I am looking for a secure way to pass a secret key when the user scans a QR-code and goes to my url. This secret key is the key that is connected to one of my products(a smart speaker). If the secret key is valid, the user will be asked to login or register to couple their account to the product on my webpage.
However after my research, QR-codes only pass data that is visible in the url. This brings along security issues even if the key is encrypted: the problem of users typing in adjacent values, the keys get saved in browser history (this means malicious code could sweep through a user’s browsing history and extract passwords, tokens, etc). They’re probably saved in my server’s logs and memory, ... .
Is there a more secure way to pass secret information via a QR-code to a url?
Long story short - there is not. One usually would pass secrets as headers or in the body or the request, but you don't have this kind of flexibility when using QR codes.
Without understanding your business requirements fully, I would try to tackle the problem in the following way.
Embed the secret in the url. Encode it to a QR code. Hide the code in the products package for the customer to find after buying and opening the product.
After using the url redirect the user to a page to create some credentials or use some federation protocols to create an account.
After the account has been created, mark the urls secret as invalid.
You can put the secret data in the fragment part of the URL (after #) then it won't get sent to the server, but can be read by JavaScript in the web page.
I'm looking to get at an Azure function app's list of operational endpoints for each function, in particular the secret code that needs to be passed in to invoke the function.
I've tried lots of current answers in SO but all only seem to work with Function App's which use Files as the secret storage type.
We have a requirement to use Blob storage which is also the default in V2 function apps.
What I'm really after is the code piece that comes after the function name when it's retrieved from the Azure portal, I can manufacture all the other pieces before that myself.
For example https://mytestfunapp-onazure-apidev03.azurewebsites.net/api/AcceptQuote?code=XYZABCYkVeEj8zkabgSUTRsCm7za4jj2OLIQWnbvFRZ6ZIiiB3RNFg==
I can see where the secrets are stored in Azure Blob Storage as we need to configure that anyway when we create all the resources in our scripts.
What I'm really look for is how to decrypt the secret stored in the file. I don't care what programming language or script the solution may be written in, I'll work with it, or convert it to another language that we can use.
Here's a snippet of what the stored secret looks like in Blob storage, it's just a JSON file.
I'm wondering if anyone out there has some experience with this issue and may be able to help me out.
For now it's not supported to get the true key value programmatically. you could just view your key or create new key in the portal. You could find the description here: Obtaining keys.
If your function is a WebHook, when using a key other than the default you must also specify the clientId as a query param (the client ID is the name of your new key):
https://<yourapp>.azurewebsites.net/api/<funcname>?clientid=<your key name>
More information refer to this wiki doc: WebHooks.
I created a linked service in data factory using keyvault option about some months ago. I wanted to create a new linked service some days ago and I understood the UI for linked service creation has been changed!
Previously based on this article https://learn.microsoft.com/en-us/azure/data-factory/store-credentials-in-key-vault#azure-key-vault-linked-service there were two option 1. connection string (needed DB name, server name and username and password for DB)2.KeyVault(Just needed secret name and keyvault connection).
While now those two options has been changed to 1.password 2. Keyvault. and the weird part is that in both two options DB name, username and password are mandatory! which is not acceptable because the point of using keyvault is not to share DB properties with developers and just sharing the secret name.
Does someone have any opinion about it??
You can edit the json code of linked service to make it reference connection string.
Here's the format, then click finish button, it will be published.
Yes. It has been changed. Now you only need put your password into your azure Keyvault.
You old linked service will still work. But the new UI will only support password only azure Keyvault.
I am trying to retrieve all keys that are saved in my key Vault using
keyVaultClient.GetKeyAsync(keyVaultVaultAddress).GetAwaiter().GetResult();
but getting below error
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
However I am able to get Key details by KeyURI using below code
keyVaultClient.GetKeyAsync(keyURI).GetAwaiter().GetResult();
Can someone please help me in retrieving all keys that are saved in my Key Vault.
Thanks
Just to restate what was in the comments for an answer (to help others locate in the future):
Instead of using the keyVaultClient.GetKeyAsync() that is used to get a single key, use the keyVaultClient.GetKeysAsync() - note the 's' after Key, to get a list of keys.