We want to allow our users to authenticate on MAXIMO via our external F5 BIG-IP firewall. Is it possible to set up MAXIMO to integrate with this appliance and use authentication tokens issued by this firewall? BTW, we are deploying MAXIMO on AWS cloud and would need to tunnel these tokens back to the on-premise firewall appliance.
Yes, Maximo does support Security Assertion Markup Language (SAML):
https://www.ibm.com/support/knowledgecenter/SSLKT6_7.6.0.8/com.ibm.mbs.doc/securgroup/c_saml_security.html
I have an internal web application (ASP.NET) that I want to expose to the internet, preferably through Azure Application Proxy. The requirements are to use an existing external Keycloak server for user authentication; the Keycloak server is hosted separately from our Azure. I have read that Azure Application Proxy requires Azure AD (not sure about this), but it is not clear if Azure AD can be connected to / use an external Keycloak server.
My question is: can Azure Application Proxy be made to work with an external Keycloak service to authenticate and authorize users, or is there some other way to expose the internal web application to the internet with Azure and an external Keycloak server?
Using Azure is not a fixed requirement, but it is preferred.
Using the external Keycloak server is required.
Thanks in advance for any help with this.
I have a mobile app that I want to use to securely consume an API endpoint that is located on an on-premise server.
Is it possible to do it using Azure Application Gateway and VPN? And what VPN: is it site-to-site or point-to-site?
Yes, it is possible to do it using Azure Application Gateway and a point-to-site VPN. You can use the OpenVPN protocol to connect from Android and iOS (versions 11.0 and above). You can follow this blog for any additional details on implementation, which uses Point-to-Site VPN to connect using an Android device. You can also refer to the official documentation for additional help on making this decision.
I am working on securing NiFi to authenticate users through Azure Active Directory. How can I do that? I found resources using LDAP, but we don't have any local Active Directory or LDAP other than Azure AD. We are using Tableau, where Tableau users are authenticated through Azure Active Directory; it gets synchronized once a day with the Tableau server's user list. Now my plan is to do the same user authentication for NiFi users with Azure AD. How can I do that? Any guidelines and help are greatly appreciated. Thanks.
It appears Azure Active Directory supports OpenID Connect authentication, which Apache NiFi supports. You can read about that on Microsoft's site, and there are definitions for each property for configuring OpenID Connect in NiFi in the Administrator's Guide.
In general, you will need to:
Configure TLS for NiFi (no authentication mechanisms are enabled when TLS is off)
Configure the OpenID Connect endpoint and client ID/secret in nifi.properties
Configure users & groups
There are step-by-step instructions for configuring OpenID Connect & NiFi on Bryan Bende's blog.
Note: I understand avoiding "doc link only" answers, but that's the question and reposting all the steps is overkill.
For security reasons I'm planning to not allow Azure services to communicate with my Azure services, except for the services they are actually working with.
For example, I have some web apps that use Azure SQL Databases. Should I only add the outbound IP addresses of the Azure Web Apps in the Azure SQL server firewall?
Or do I need to do something else?
This is not as easy as it should be. SQL Azure is not designed to be virtual-network friendly, so your only options are "Allow all Azure services" or hard-coded IPs. Unless your web apps have static IPs, however, this won't be possible without writing a custom updater for the database which picks up IP address changes.
You could install a SQL server onto a VM and use virtual private networks, otherwise, make sure the login credentials are secure and accept the fact that an Azure client from anyone could attempt to connect to your database server.
The best way to lock down your SQL Database is with AAD Integration, and Managed Service Identities. Azure will provision an AAD identity for your application, and only code running in that application will be able to generate an Access Token for that Identity. Then you can provision it as an AAD user in your SQL Server.
This has the (large) added benefit of removing the secrets from the application, so you don't have to configure your application with a Client Secret, or a SQL Login/Password.
You can also run your App on a VNet, and configure your SQL firewall to only permit access from that VNet using Virtual Network service endpoints for Azure SQL Database.
Or use the newer and much better Private Link for Azure SQL Database.
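An added example (not from this answer or from Microsoft's docs) of the managed-identity route just described: the app's Azure AD identity is created as a contained user in the database, given a scoped role instead of db_owner, and then verified. The identity name `my-web-app` and the `SalesApp` schema are placeholders.

```sql
-- Added example: provisioning an App Service managed identity as a
-- contained Azure AD user in Azure SQL Database.
-- Placeholders: identity 'my-web-app', schema 'SalesApp'.

-- Run while connected to the *user* database as the server's Azure AD
-- admin (a plain SQL login cannot create Azure AD principals).
-- FROM EXTERNAL PROVIDER resolves the name in the server's AAD tenant;
-- no password is stored, the app presents an access token at connect time.
CREATE USER [my-web-app] FROM EXTERNAL PROVIDER;
GO

-- Least privilege: grant what the app actually does, not db_owner.
-- Here: read/write on one schema plus execute on that schema's procedures.
CREATE ROLE app_sales_rw;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::SalesApp TO app_sales_rw;
GRANT EXECUTE ON SCHEMA::SalesApp TO app_sales_rw;
ALTER ROLE app_sales_rw ADD MEMBER [my-web-app];
GO

-- Verification: the principal should show up as an external (Azure AD)
-- user, and as a member of only the custom role.
SELECT dp.name, dp.type_desc, dp.authentication_type_desc
FROM sys.database_principals AS dp
WHERE dp.name = N'my-web-app';

SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'my-web-app';
GO
```

On the application side nothing secret is configured: with Microsoft.Data.SqlClient the connection string uses `Authentication=Active Directory Managed Identity` and the driver obtains the token from the App Service identity endpoint.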
Some of the ways to secure the connection to the SQL database that could be considered in this case are:
As you mentioned, you are already thinking of configuring a firewall to whitelist the allowed IP addresses. The firewall could be configured both at the SQL server level and at the database level (we can use SSMS to configure the firewall at the database level).
We can encrypt data. Of course this would be encryption at rest. And the good news is the application connecting to the database need not change to query encrypted data.
The third way would be the traditional way (even if we were not using Azure DB): we would prevent unauthorized access by creating users/roles/permissions.
A very nice feature I found Azure DB provides is the Threat Detection capability. If you turn that on you would be notified of the possible vulnerabilities of the current DB/server setup, and also where we can make improvements to fix those issues.
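An added example (not part of any answer here) of the server-level and database-level firewall rules this answer and the question refer to, replacing the blanket "Allow Azure services" setting with explicit entries and then auditing what is open. The outbound addresses 203.0.113.10 and 203.0.113.11 are constructed placeholders from the documentation range.

```sql
-- Added example: explicit Azure SQL firewall rules instead of
-- "Allow Azure services and resources to access this server".
-- Constructed placeholders: web app outbound IPs 203.0.113.10 / .11.

-- 1. Server level: run in the master database of the logical server.
--    The portal toggle is stored as a rule named AllowAllWindowsAzureIps
--    with start/end 0.0.0.0, and it admits resources from *any* tenant.
EXECUTE sp_delete_firewall_rule @name = N'AllowAllWindowsAzureIps';
EXECUTE sp_set_firewall_rule
    @name = N'webapp-outbound-1',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';
EXECUTE sp_set_firewall_rule
    @name = N'webapp-outbound-2',
    @start_ip_address = '203.0.113.11',
    @end_ip_address   = '203.0.113.11';

-- 2. Database level: run in the user database. A database-level rule
--    grants access to this database only and does not require a matching
--    server-level rule, so it is the tighter scope when one app owns one DB.
EXECUTE sp_set_database_firewall_rule
    @name = N'webapp-outbound-1',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';

-- 3. Audit: a 0.0.0.0 entry or any range wider than a single host is a
--    finding worth reviewing.
SELECT name, start_ip_address, end_ip_address, modify_date
FROM sys.firewall_rules               -- server level, query from master
WHERE start_ip_address = '0.0.0.0'
   OR start_ip_address <> end_ip_address;

SELECT name, start_ip_address, end_ip_address, modify_date
FROM sys.database_firewall_rules;     -- database level, query from the user DB
```

As the earlier answer notes, a web app's outbound addresses can change when its plan is scaled or moved, so IP rules need to be refreshed; VNet integration with a service endpoint or Private Link avoids that dependency.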
Connect your Azure Function with your SQL DB using private endpoints and VNet integration. Your App Service plan will need to be Standard or Premium; even the Premium Functions plan will do. This LINK talks about it.
Authenticate your Azure Function on your SQL DB using managed identities. See this link for info on how to do that: Managed identities.
In short yes.
You can possibly make this more secure by creating a VNet connection from the web app and creating a service endpoint for SQL. I'm not sure that will work, but it's worth a try.
My client wants 2FA when accessing VMs in Azure. Is this possible at all? I was thinking about Azure Directory Domain Services, but couldn't find anything related.
You can make use of Azure Application Proxy to surface the RDP functionality of Azure VMs to the internet. Application Proxy is protected by Azure Active Directory, and thus you can use two-factor authentication (if you have the Premium SKU) to protect the initial login.
You can use a service such as Duo Security for Windows VMs.
For SSH 2FA to a Linux VM, you can use the Google Authenticator PAM module library.