We have created a website that is using GeoServer and Openlayers to create a mapping tool for some users. The app allows the users to add layers in GeoServer and these are presented in the web app for other users to consume.
We want the website to use the company Azure Active Directory to allow the users to have access. We have tried using the OAuth2 (google one) and LDAP plugin's for GeoServer to try to connect to Azure AD, however we cant get it to authenticate.
Is there a plugin for GeoServer to Azure AD or is there another plugin we can use instead.
Any help on the settings that are needed as well would also be helpful.
You can use a proxy to authenticate against AAD using OIDC and set the authenticated user in HTTP Header to use Header Authentication
You can configure Geoserver to use the built-in role service if you need AAD Authentication only
If you want to use AAD groups as roles in GeoServer you can make AAD groups as role claims in the token and in the proxy you can add these role claims in another header and configure GeoServer to accept those roles
Related
I have a requirement to build a web app that connects to a customer's API (authenticated as the user using the web app). This same web app will need to connect to our own internal API which is authenticated with B2C.
The problem is that each customer has their own authentication server (always Okta) and so I couldn't add an IDP for each customer in a custom policy because I'd have to add thousands and continue to add them.
Is there a way to get IDP configuration programmatically so that I can look up the correct Okta instance?
Any other suggestions are welcome.
I had limited chance to set up the above scenario and test in lab.
Add the app in Okta and set the below parameters, instead of adding app in AAD.
Login redirect URI: https://{yourb2ctenantname}.b2clogin.com/{yourb2ctenantname}.onmicrosoft.com/oauth2/authresp
Change the following settings in the B2C Claims provider
Okta OpenId Connect Settings in B2C Policy:
ProviderName: https://{yourOktaTenant}/oauth2/default
METADATA: https://{yourOktaTenant}/oauth2/default/.well-known/openid-configuration
Reference Link: Use below link for custom policies in B2C:
https://github.com/mleziva/azure-b2c-okta-custom-policy
I have deployed a very simple Azure Static Web Apps in which I deploy a simple documentation site powered by mkdocs (HTML and CSS). I would like to know if it is possible to implement some kind of authentication through Azure AD/MSAL in which only enterprise users could log in using their email and password.
Yes, it is possible. Azure Static Web Apps provides a streamlined authentication experience. By default, you have access to a series of pre-configured providers, or the option to register a custom provider.
Any user can authenticate with an enabled provider. Once logged in,
users belong to the anonymous and authenticated roles by default.
Authorized users gain access to restricted routes by rules defined in
the staticwebapp.config.json file. Users join custom roles via
provider-specific invitations, or through a custom Azure Active
Directory provider registration.
All authentication providers are
enabled by default.
To restrict an authentication provider, block
access with a custom route rule.
Pre-configured providers include:
Azure Active Directory
GitHub
Twitter
https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-authorization
We have a client that owns two separate Azure Cloud tenants: ACloud and BCloud.
ACloud contains their regular SaaS and Azure AD users log in with userName#clientACloud.onmicrosoft.com
BCloud contains only IT/sysadmin users managing cloud PaaS resources and users log in with userName#clientBCloud.onmicrosoft.com
We have deployed an API to BCloud which requires Azure AD authentication. The API is being called from a mobile app written in React. There, users are presented with a login screen and must login using username#clientBCloud.onmicrosoft.com
However, we want users to be able to log in using their normal userName#clientACloud.onmicrosoft.com
Is there a way to configure the API in BCloud to use ACloud’s Azure AD for authentication to an API hosted in BCloud?
One resource from Microsoft recommended using the graph API. I think the graph API would allow the mobile app to authenticate the user’s ACloud account, but that SAML token won’t work against BCloud’s API. We are looking for some way that the API in BCloud can accept user tokens from ACloud, so I suspect there is some configuration we need to make in BCloud to trust ACloud’s Azure AD.
Thanks in advance!
I am using Identity Server for implementing single sign-on and access control. Currently I am using internal(in DB), OpenId and Google as for single sign-on and access control.We have one a requirement to use Windows Azure AD users for the same.Is this possible to authenticate with Azure AD using the Identity Server, and should be able to update role and claims on Azure Active Directory?
I have found one solution i.e. Graph API but it is not part of Identity Server (https://identityserver.github.io).
Thanks in Advance.
If you are using identity server 3 then ws-federation can be used for authentication and roles. You can use following two links to understand it more.
for ws federation authentication:
http://nzpcmad.blogspot.in/2015/12/identityserver-aspnet-mvc-application_7.html
For creating role for the users:
http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/
However if you want to update also the user information, you have to use graph-api
You need to add azure active directory authentication middleware in your application pipeline at your STS server for Azure active directory having all required standard properties.
I have a web application using windows authentication. I also want to authenticate non-domain users against AD. Can I have domain members can enter site directly, and non-members enter their domain username and password.
How can I do this?
It is possible to do this but you probably want to have 2 distinct web applications running accessing a similar set of application code.
Web application 1 is configured to use Windows authentication.
Web application 2 is configured to use Forms authentication. You need to have some additional code in this application which allows a user to authenticate themselves using LDAP against the active directory. This code is placed in an authentication provider if you use ASP.NET.
Assuming your using ASP.NET, you can write a custom provider that first auths against your AD, then a non AD store.
Or you can use multiple providers, ActiveDirectoryMembershipProvider and then for example SqlMembershipProvider.