How do we use IBM Appid to auth Kibana users? - ibm-appid

Has anyone used IBM AppID on IBM Bluemix.net to auth Kibana users?
We found this tutorial which uses keycloak, we assume IBM Appid is a similar configuration?

Following this blog, you can use the Bell plugin with Kibana to create a custom App Id authentication strategy: https://steemit.com/kibana/#r351574nc3/2am2se-effing-better-auth-with-oauth2-for-elk
Example config:
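// `appid` is assumed to be an object holding the App ID service settings.
server.auth.strategy('appid', 'bell', {
  // provider-specific settings
  config: {
    authHost: appid.providerHost,
    userInfoUrl: appid.userInfoUrl
  },
  location: appid.redirectUri,      // base URI bell uses to build the redirect_uri
  password: appid.password,         // bell's cookie encryption password
  provider: appid.provider,
  clientId: appid.clientId,
  clientSecret: appid.clientSecret, // keep out of source control
});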

Quick update.. A couple of options: 1) Search-Guard product, 2) X-Pack or 3) ReadonlyREST (not verified).
And no, there is no free lunch. The OpenSource (Basic) edition does not include the Security features you're looking for. The most popular approach, in case you want to stick with free components, is to put another reverse proxy before Kibana and do authentication there. Both Apache and Nginx do have modules and solutions that would allow you to do authentication and AppID integration. It is relatively easy if you know what you are doing. Otherwise, prepare for a bumpy road, and that's one of the reasons why the aforementioned solutions (X-Pack, SG, ReadonlyREST) might be worth paying for.

Yes, this is correct. Both App ID and KeyCloak are OAuth2 and OpenID Connect providers. The major difference between them is the fact that KeyCloak is a manage-it-yourself software product, while App ID is a fully managed service.
KeyCloak provides a KeyCloak Gatekeeper container image that you should be able to configure as an authentication proxy in front of Kibana and use App ID as your identity provider.
https://www.keycloak.org/docs/latest/securing_apps/index.html#_keycloak_generic_adapter
There are also some other OIDC proxies you might be able to use as well.
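The answers above all put an OAuth2/OpenID Connect login step in front of Kibana, whether through a bell strategy or an authentication proxy. The following added example (not code from the posts, bell, or App ID) shows the two checks that step has to get right: a single-use `state` value tied to the session, and a return path that cannot be turned into an open redirect. The endpoint, client id, redirect URI and function names are placeholders assumed for illustration.

```javascript
const crypto = require('crypto');

// Assumed settings; placeholders only, not a real App ID tenant.
const oidc = {
  authorizationEndpoint: 'https://idp.example.test/authorization',
  clientId: 'kibana-proxy-client',
  redirectUri: 'https://kibana.example.test/oauth/callback',
};

// Step 1: an unauthenticated request is redirected to the provider.
// `session` stands for the proxy's per-browser session store (hypothetical).
function beginLogin(session, originalPath) {
  session.state = crypto.randomBytes(16).toString('hex');
  // Accept only local paths: "/x" is fine, "//host" and "/\host" are not.
  session.returnTo = /^\/(?![\/\\])/.test(originalPath) ? originalPath : '/';
  const url = new URL(oidc.authorizationEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: oidc.clientId,
    redirect_uri: oidc.redirectUri,
    scope: 'openid',
    state: session.state,
  }).toString();
  return url.toString();
}

// Step 2: the provider redirects back with ?code=...&state=...
function handleCallback(session, query) {
  const expected = session.state;
  delete session.state; // single use: a replayed callback must fail
  if (query.error) return { ok: false, reason: 'provider_error' };
  if (!expected || typeof query.state !== 'string' || typeof query.code !== 'string') {
    return { ok: false, reason: 'missing_parameter' };
  }
  const a = Buffer.from(expected);
  const b = Buffer.from(query.state);
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
    return { ok: false, reason: 'state_mismatch' };
  }
  // The code is then exchanged server-side at the token endpoint
  // (with the client secret) before any request reaches Kibana.
  return { ok: true, code: query.code, returnTo: session.returnTo };
}
```

Only after `handleCallback` succeeds and the token exchange returns a valid ID token should the proxy mark the session as authenticated and forward traffic to Kibana.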

Related

Securing REST API using GRAILS, GROOVY, ORACLE with API KEY

I have a naive question.
I am looking for some web application that implements Authentication and Authorization mechanism using api keys.
Example Case: Users authenticate themselves using an api key (apikey generation mechanism is either GOOGLE or any other free service). The logic identifies the user along with the provided apikey and releases resource access delegation accordingly.
For me the optimal case is to use Grails framework with oracle database.
Is there any web application for that? Otherwise, how would I follow step by step to accomplish it?
I would do a search on the Grails plugin site for oauth plugins:
http://plugins.grails.org/
Look at what they offer, and maybe look at the code to see how you can extend them to get what you want.
I would also take a look at the Spring Security Rest plugin.
It really depends on authentication methods that you're using. I suppose in order to secure REST APIs, you can probably write a filter/interceptor to check against any third party auth that you desire. I reckon that you're probably having the idea of using JWT authentication for this, right?

How to secure custom parts of Identity Server

I want to extend IdentityServer 3 with an 'admin' part where users can manage things like users, clients, etc. This part should be secured by the same ID server implementation (same app in IIS). Do I have to build a separate app or can I extend the same ID server solution? How do I configure the OWIN start up then? When I have
app.Map("/Identity"....)
how do I add:
app.UseOpenIdConnectAuthentication
This results in an 'external' login provider, but that is not what I want. I also tried to add:
app.Map("/admin", config => config.UseOpenIdConnectAuthentication())
But that does not work either, so:
How to have ID server and a client combined in one Solution?
Please help.
Have a look at IdentityManager provided by developers of IdentityServer. This will get you up & running very quickly.
Security Model
The security model can be configured to only allow users running on the same machine or can be configured to use any Katana based authentication middleware to authenticate users.
Hosting Options
IdentityManager is hosted as OWIN middleware. It can be configured with the UseIdentityManager extension method for Katana.
This is how you "Get started"

Best ADFS protocol support for node js

I am completely new to ADFS. I need to access the ADFS server through node.js. I am searching for good reference notes, with implementation. Please also suggest which protocol is best for requesting. Video tutorials are also helpful.
I assume what you want is to authenticate users in AD (via ADFS), for your nodejs based web app. I'd recommend looking first at passport.js.
ADFS supports 2 protocols for web sites: WS-Federation or SAML-P. WS-Fed might be simpler. We open sourced the strategy for WS-Fed and SAML that we use in our product. A strategy is essentially a plug-in for passport.
That strategy should give you a good start.
ADFS v3.0 exposes OAuth2.
You could use Passport.js with OAuth support or Kong with OAuth support.
You could go the ADFS 2016 OpenId Connect route for ease of implementation (passport.js, only a feature request for kong).
If you're going the Azure route, there's one (passport-azure-ad by the Windows Azure team) specifically for that.
It includes OpenID Connect, WS-Federation, and SAML-P authentication and authorization.
Otherwise, versions disallowing etc., I recommend Eugenio Pace's answer.
Then check this; it is a complete solution (not a video tut):
Using Active Directory Federation Services to Authenticate / Authorize Node.js Apps in Windows Azure
http://seroter.wordpress.com/2013/04/22/using-active-directory-federation-services-to-authenticate-authorize-node-js-apps-in-windows-azure/
pretty fresh tut. (2013/04/22)

Can JaaS be used for Rest?

I didn't find anything regarding this issue.
Can jaas be used to secure my rest service? If yes, are there any advantages compared to basic/digest auth + ssl? Should I use jaas over basic/digest auth for my rest service?
Yes you can use JAAS to secure a REST (or any other type of) service.... as long as your REST container provides the ability to hook JAAS Login Modules.
Most containers I know, do, Tomcat and Jetty in particular.
JAAS is not so much about how the credentials are formatted or made available (Form Login, Basic auth, etc...) but more about how you validate them. You may want to check a local file, query a DB or an LDAP server...
JAAS is not only authentication, but authorization too. Once you have passed the authentication phase, the roles and permissions you provide to the user. All containers that implement JAAS will provide a seamless integration between the JAAS module and the authorization scheme provided by the container such as the one provided by web.xml for servlets.
Since JAAS is a standard and is now part of the JRE, you will find a lot of ready-made modules and documentation on the web to help you build your own if need be.

Centralized Authorization Service?

Are there any open source centralized authorization services available? There are lots of solutions for centralizing the authentication information (eg: CAS and JOSSO), but what about the authorization information?
There are some really good authorization frameworks (eg: Spring Security (formerly Acegi) and Seam Security), but it seems that I have to composite these into individual tiers or services. In other words, I can't run them standalone very easily. With a SOA, it seems like it would be very valuable to centralize not just the authentication but the authorization information as well (ie: roles, permissions, rules, etc.).
Any suggestions?
Are you looking for something that supports XACML? If so, the closest to open source you can get is the OpenSSO project which has portions of what you seek.
The openly available Kerberos implementations provide Client Service Authorization as well as Client Authentication.
Read about Using Kerberos 5 on Red Hat Linux.
Hum, maybe you can use a SSO solution and create a service which returns all the authorization information (roles, permissions, rules, etc) and make each application use this service to get each authenticated user authorization information.
