I am new to OpenAM and trying to secure my web services using OpenAM. I have installed J2EE policy agents using the information in the link below.
https://wikis.forgerock.org/confluence/display/openam/Installing+Tomcat+6.0+Policy+Agent
I need to provide security for my REST APIs. So where do we need to configure the REST APIs in the OpenAM console?
Please provide me some links where I can get some information.
OpenAM policy agents are the OpenAM proprietary way to achieve (Web)SSO and authorization. You could configure URL policies as described in the docs https://backstage.forgerock.com/#!/docs/openam/13/admin-guide#chap-authz-policy; however, the REST client must obtain an SSOToken and send it along when accessing the REST service.
You could also use OAuth2 which would be a standards-based approach.
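The SSOToken round trip the answer describes, written out as an added example (not code from the original thread or from ForgeRock). The client authenticates against OpenAM's JSON authentication endpoint, gets a tokenId, and presents it on the REST call as the OpenAM session cookie; the REST service, standing in for what a policy agent would do, checks the cookie with OpenAM's session validate action before serving the request. Assumptions: OpenAM 13 endpoint paths and Accept-API-Version values, the default cookie name iPlanetDirectoryPro, and a constructed in-memory fake of OpenAM and the service so the flow runs offline. Everything in FakeOpenAM is constructed; the real transport is http_post.

```python
"""OpenAM SSOToken flow: client obtains a token, REST service validates it.

Added example. Endpoint paths, headers and the cookie name are assumptions about
an OpenAM 13 deployment; confirm them against your own server (and always send
tokens over TLS only, never log them).
"""
import json
import urllib.error
import urllib.request

OPENAM = "https://sso.example.com/openam"   # constructed OpenAM base URL
SERVICE = "https://api.example.com"          # constructed protected REST service
COOKIE_NAME = "iPlanetDirectoryPro"          # OpenAM default session cookie name (assumption)


def http_post(url, headers, body=b""):
    """Real transport: POST and return (status, parsed JSON). Unused by the offline demo."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode() or "{}")


def obtain_sso_token(base_url, username, password, post=http_post):
    """Client side: zero-page login against the top-level realm; returns the tokenId."""
    status, data = post(
        f"{base_url}/json/authenticate",
        {
            "Content-Type": "application/json",
            "Accept-API-Version": "resource=2.0, protocol=1.0",  # assumed for OpenAM 13
            "X-OpenAM-Username": username,
            "X-OpenAM-Password": password,
        },
    )
    if status != 200 or "tokenId" not in data:
        raise PermissionError(f"OpenAM authentication failed: {status} {data}")
    return data["tokenId"]


def call_rest_service(base_url, token, path, post=http_post):
    """Client side: present the SSOToken as the OpenAM session cookie on the REST call."""
    return post(f"{base_url}{path}", {"Cookie": f"{COOKIE_NAME}={token}"})


def validate_sso_token(openam_url, token, post=http_post):
    """Service side: ask OpenAM whether the presented token is a live session."""
    status, data = post(
        f"{openam_url}/json/sessions/{token}?_action=validate",
        {"Content-Type": "application/json",
         "Accept-API-Version": "resource=1.1, protocol=1.0"},  # assumed for OpenAM 13
    )
    return status == 200 and data.get("valid") is True


def _cookie_value(cookie_header, name):
    """Pull one cookie out of a Cookie: header without trusting anything else in it."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return ""


class FakeOpenAM:
    """Constructed stand-in for OpenAM and the protected service; response shapes
    follow the real JSON endpoints as the author of this example understands them."""

    def __init__(self):
        self.users = {"demo": "changeit"}   # constructed test user
        self.sessions = {}                  # tokenId -> uid

    def post(self, url, headers, body=b""):
        if url == f"{OPENAM}/json/authenticate":
            user, pw = headers.get("X-OpenAM-Username"), headers.get("X-OpenAM-Password")
            if self.users.get(user) != pw:
                return 401, {"code": 401, "reason": "Unauthorized",
                             "message": "Authentication Failed"}
            token = f"AQIC5w.constructed-session-{len(self.sessions) + 1}"
            self.sessions[token] = user
            return 200, {"tokenId": token, "successUrl": "/openam/console"}
        prefix = f"{OPENAM}/json/sessions/"
        if url.startswith(prefix) and url.endswith("?_action=validate"):
            token = url[len(prefix):-len("?_action=validate")]
            if token in self.sessions:
                return 200, {"valid": True, "uid": self.sessions[token], "realm": "/"}
            return 200, {"valid": False}
        if url.startswith(SERVICE):
            # What an agent in front of the service would do: validate before serving.
            token = _cookie_value(headers.get("Cookie", ""), COOKIE_NAME)
            if validate_sso_token(OPENAM, token, post=self.post):
                return 200, {"orders": ["o-1", "o-2"]}
            return 401, {"error": "no valid OpenAM session"}
        return 404, {}


def demo():
    """Runs the flow against the fake: good login, good call, bad cookie, bad password."""
    fake = FakeOpenAM()
    token = obtain_sso_token(OPENAM, "demo", "changeit", post=fake.post)
    ok_status, _ = call_rest_service(SERVICE, token, "/orders", post=fake.post)
    bad_status, _ = call_rest_service(SERVICE, "not-a-session", "/orders", post=fake.post)
    try:
        obtain_sso_token(OPENAM, "demo", "wrong-password", post=fake.post)
        wrong_pw = "accepted"
    except PermissionError:
        wrong_pw = "rejected"
    return {"ok": ok_status, "bad_cookie": bad_status, "wrong_password": wrong_pw}


if __name__ == "__main__":
    print(demo())
```

Validating the session only proves the caller is logged in; applying the URL policies from the linked chapter additionally means evaluating them (an agent does this for you; a service without an agent would call OpenAM's policy evaluation endpoint for the requested URL and subject, which this example does not cover).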
I am finding it hard to understand how I can differentiate multiple client applications using OAuth 2.0.
Using APIM I mapped my backend web service to an Azure API Gateway Service URL. I have configured OAuth 2.0 with grant type client credentials because it's a service-to-service integration.
In the OAuth registration, I have mapped my client and backend app IDs with secret keys (OauthSample1.0).
It does not have the provision to configure multiple clients for the same backend service.
And, in my API, I can add only one OAuth reference (OauthSample1.0). Even if I went ahead and created multiple OAuth 2.0 references for different clients, technically it cannot work with the API configuration.
This means I can have my API validate only one specified client using one OAuth 2.0 reference.
If I want my API to be accessed by different partners / client applications, my understanding is that I would need to create different clients in Azure AD. But unfortunately I am not able to design the solution here.
The official doc for protecting your API using OAuth 2.0 covers the steps required in detail.
To summarize, the steps are
Register an application to represent the API
This app is setup to expose an API
Register separate applications to represent each of your client applications
These apps would also have a secret generated for the client credential flow
These apps would have been granted access to the exposed API
Setup a Validate JWT policy to pre-authorize requests.
Your clients would have to get the token using the client credentials flow before making the requests.
Also, if your clients are services that directly access the APIs, then you could set up app roles that show up as Application Permissions instead of Delegated Permissions.
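The checks the Validate JWT step performs, and how they tell the registered partner clients apart, as an added example (not code from the original thread, from Microsoft, or from APIM). Each partner has its own app registration, so its client-credentials token carries its own application id in the azp claim (appid in v1 tokens) plus whatever app roles it was granted in the roles claim; the API identifies the caller from azp and authorizes from roles. Assumptions: a constructed tenant id, Application ID URI and client ids; the claim layout of an Azure AD v2 client-credentials access token as the author understands it; and HS256 with a constructed shared key as a stand-in for the tenant's RS256 signing keys, which a real validator (or APIM via openid-config) fetches from the tenant's JWKS.

```python
"""Validate-JWT logic for a multi-client, client-credentials API on Azure AD.

Added example. HS256 with DEMO_KEY replaces Azure AD's RS256 keys so it runs
offline; the claim checks are the ones that matter regardless of algorithm.
"""
import base64
import hashlib
import hmac
import json
import time

TENANT = "11111111-2222-3333-4444-555555555555"                 # constructed tenant id
ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"    # v2 issuer format
API_AUDIENCE = "api://orders-backend"                           # constructed Application ID URI of the API app
# Constructed partner registrations: application (client) id -> partner. Each has its own secret in Azure AD.
KNOWN_CLIENTS = {
    "aaaa0001-0000-0000-0000-000000000001": "partner-acme",
    "aaaa0002-0000-0000-0000-000000000002": "partner-globex",
}
DEMO_KEY = b"constructed-demo-key-not-a-real-signing-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(client_id, roles, exp_in=3600, key=DEMO_KEY):
    """Stand-in for Azure AD's token endpoint: issues a client-credentials token
    with the v2 claim layout (iss, aud, azp, roles, nbf/exp). Demo only."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": API_AUDIENCE, "azp": client_id, "roles": roles,
              "iat": now, "nbf": now, "exp": now + exp_in}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


class TokenRejected(Exception):
    pass


def validate_jwt(token, required_role, key=DEMO_KEY, now=None):
    """Mirror of an APIM validate-jwt policy with audiences and a required roles claim,
    plus the lookup that identifies which registered client is calling.
    Returns (client_id, partner_name) or raises TokenRejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":            # pin the algorithm; never let the token choose it
        raise TokenRejected("unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise TokenRejected("bad signature")
    claims = json.loads(b64url_decode(c))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("token not issued for this API")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise TokenRejected("token not yet valid or expired")
    if required_role not in claims.get("roles", []):
        raise TokenRejected(f"missing app role {required_role}")
    client_id = claims.get("azp") or claims.get("appid")   # v2 tokens use azp, v1 tokens appid
    if client_id not in KNOWN_CLIENTS:
        raise TokenRejected("client not registered for this API")
    return client_id, KNOWN_CLIENTS[client_id]


def demo():
    """Three partners: one authorized, one lacking the role, one never registered."""
    acme, globex = list(KNOWN_CLIENTS)
    results = {}
    for label, token in [
        ("acme", mint_token(acme, ["Orders.Read"])),
        ("globex", mint_token(globex, [])),
        ("unknown", mint_token("ffff0000-0000-0000-0000-000000000000", ["Orders.Read"])),
    ]:
        try:
            results[label] = validate_jwt(token, "Orders.Read")[1]
        except TokenRejected as err:
            results[label] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    print(demo())
```

In APIM the same checks are expressed declaratively: validate-jwt with an openid-config element pointing at https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration (which is where the RS256 keys come from), an audiences element naming the API's Application ID URI, and a required-claims element on roles; the per-partner distinction comes from the azp (or appid) claim in the token, not from extra OAuth references on the API.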
We have a vendor membership management solution to manage our members, Netforum Pro. They provide a Web API via REST or SOAP for external applications to authenticate.
We would like to use Moodle as Learning Management System for our members. However, Moodle has an authentication plugin for SAML.
Can we use OneLogin as a middle agent in this situation?
Thanks
Linh N.
OneLogin acts as an Identity Provider and has toolkits that will help you authenticate requests when used by application providers. In your case it looks like Moodle already has the functionality that you would implement with the OL toolkit, and that NetForum is the Identity Provider. So using OneLogin won't help much.
You should look into http://documentation.abila.com/netforum-enterprise/2017.1/Content/Admin/Security/SAML.htm
I face frequent disconnections on my application, which connects to the DocuSign REST API using the DocuSign SDK. The application runs in a Windows VM, in which internet access is regulated through a corporate proxy and firewall.
To overcome this problem, I want to pass the network credentials to the DocuSign SDK classes, so that the credentials are passed to the RestRequest of RestSharp. I can see the credentials property in RestSharp, but no equivalent method to pass the same to the DocuSign SDK.
Please help; does anyone know how to make this work in a corporate proxy environment?
The DocuSign REST API does not support Windows authentication. See this for the various forms of authentication supported by the DocuSign REST API.
Single Sign-On
However, DocuSign supports single sign-on with your organization's identity provider.
Here is the related documentation
single-sign-on-implementation-guide PDF
single-sign-on-overview
Video
Here is a cool video overview of the authentication mechanisms with the DocuSign API.
I am new to Grails and Azure. I have a Grails API that uploads and downloads documents to Azure blob storage. The API is used by consumers who need to be authenticated using OAuth 2.0. I found a Grails plugin https://grails.org/plugin/spring-security-oauth2-provider that claims to provide OAuth tokens for authentication. Is this the best way to authenticate a Grails API service?
Azure also seems to provide OAuth 2.0 authentication to an Active Directory. Instead of using the Grails plugin, how is it possible to leverage Azure's OAuth authentication for an Active Directory to grant access to the Grails API?
We are using the Spring Security Core Plugin and OAuth2 Provider to secure the Grails API. It will secure the APIs by restricting access to authorized users based on their role.
You can have in depth look how Spring Security Core Plugin provides the base for the OAuth here.
Configuring the Spring Security Core and Spring Security REST Grails plugins to set up token-based authentication is the simplest and most straightforward way to implement authentication for a Grails API.
I am looking at Windows Azure ACS as an alternative to implementing my own username / password scheme in my app. This will be a publicly available website.
In addition to using SSO providers such as Google or Facebook, can I use Windows Azure ACS to support username/password authentication?
I see that it supports Active Directory as a provider. I am not sure this is the right thing as I have always thought of Active Directory as an "enterprise" provider.
Windows Azure ACS does not support username/password authentication in the form you need. Shahin outlined it in detail.
Your options really are:
Windows Azure Active Directory (WAAD)
Identity Server (IdSVR)
While classic on-premises Active Directory deployed with a Domain Controller is indeed quite enterprisy, WAAD is not an exact copy of the same in the Cloud. I would actually recommend that you give it a shot and try it out. Using the WAAD Graph API you can fully automate user management in WAAD.
Your second option is based on IdSVR. This is a full-featured Identity Server and Security Token Service. It is developed against the best practices in security and is quite easily extensible! While it does not provide out-of-the-box support for user management (user registration, password reset, etc.), it is an ASP.NET MVC 4 application, so you can very easily add these features yourself. There actually is an open enhancement planned for a User Management API and UI.
Both WAAD and IdSVR integrate well with ACS, so you can provide seamless support for social identities along with own login.
Another service that is still in Beta/Preview is the SocialSTS project. It is a kind of extension to Azure ACS and is designed to help you add more identity providers (such as LinkedIn, Twitter, GitHub, Amazon Login, etc.) to your Access Control Service.
You can authenticate directly with the ACS by using Service Identities, but they are not intended to be used for end-user authentication, as the page explains:
Service identities are not intended to be used as end-user credentials. In ACS, service identities are most commonly used in REST web service scenarios, over the OAuth WRAP protocol, where a client requests a SWT token directly from ACS to present to the web service.
I believe this is the only way to directly get a token from the ACS.