I would like to create an adf application , this web application will have different user roles like manager,normal user and admin .
First, I want to check users when they try to login into system by getting users info from database. I mean authorization should be provided by adf security from database Users table
Then according to this user's roles, specific web pages should be shown to logged users. Users should see only pages that its responsible pages.
I dont know how to do it, I need your guidance
Users and roles are Weblogic's concern (presuming you are using Weblogic), you may find a great example on how to load users and roles from the database here:
http://soadev.blogspot.co.uk/2010/04/sqlauthenticator-simply-best.html
For enabling security in an ADF application, I presume you have found already enough info, but just in case:
https://docs.oracle.com/middleware/1212/adf/ADFFD/adding_security.htm#ADFFD877
Related
I am new to powerapps, and I need to create an app with AzureAD authentication. But I am confused by this authentication. Do I understand correctly that I don't have to implement user sign-up and login screens, because every user which will be added to AzureAD would be able to login to microsoft account and will have an access to my powerapp?
So, I don't have to write any code for user signup/login/forgot password?
But in the Internet I saw that some people use AzureAD.getUser() and Office365.User. When do I need it?
PowerApps is building enterprise apps for your organization staffs. This app has to be developed, published and shared to AD users, and users can sign-in using Active directory single sign-on.
You can invite/share with AD individuals, security group or O365 group. But not Distribution groups. You can share the app to all users by sharing with “Everyone”.
Even PowerApps can be shared with external users (guests) but they must be guest users of an Azure Active Directory tenant.
How to share a PowerApp?
Yes, no signup or login other than Microsoft AD login/challenge screen.
Those snippets will be used to get current logged in user details.
Everything #ArunVinoth said and to add a little more info about:
But in the Internet I saw that some people use AzureAD.getUser() and Office365.User. When do I need it?:
These are PowerApps connectors (API wrappers) that allow you to surface AD/O365 data within the app for your users.
Example:
You may have a way for users to lookup contact information for people within the org.
You would add the Office365Users connector to your application
Then execute the .SearchUser method from that connector to display contact info based on user input.
These connectors are not for authenticating to the app, but rather providing lookup capabilities for your users. Or automating these lookups for your app logic.
Was not able to find a way to discover all the sites of an organization:
creating a site with user2
approving the app with an admin
using 'https://graph.microsoft.com/v1.0/sites?search=' does not show the new site.
Only once i add the admin to the site group I find the new site.
how can I find all the sites?
Do I need to get an access token for each user?
For example with this token I can access all the drives but can't find the sites.
There are a couple things going on related to what you're asking and I'll try to address each of them:
1) We don't have an officially supported way to discover all of the sites and site collections in a given tenant today. The "search=*" query may give you the results you're after but it is not guaranteed in all scenarios. We're looking at this scenario but do not have formal support in the product today.
2) Search results are security trimmed, when using delegated permissions the search API will only return sites that the logged in user has access to. This could explain why you needed to add the Admin first before it showed up.
3) To use search in scenarios where you do not want security trimmed results you will need to user Application permissions and have the Tenant Admin perform the application consent flow for the entire tenant. This is a fairly broad permission but is required for some scenarios.
I have little problem. In my application users are auth via Azure AD and his user profil is in DocumentDB.
When Administrator delete user profile I need to force log out the deleted user.
How to do it? Delete action deleting ad and documentdb entry.
Based on the description, you want to sign-out the users after the administrator delete the users profile from documentDB.
If I understood correctly, it is more likely building a real time application that nofify the specific client when the delete action is performed. I am trying to explain it using a figure below:
And for building the real time application, we can use the SignalR. And you can refer more detail about it from links here.
And another solution for prevent the deleted users to access the proteced resrouces, you can check it before the users access the resources.
I'm building a sitecore 7.2 using asp.net MVC 5.0. The site will have login and each user will be roles.
We need to show/hide the site menu items based on logged in user Roles. The user detail and roles are stored in SAP backend.
Could someone please advise what's the best way to achieve above?
Essentially you will want to map the roles stored in your backend system to Sitecore Roles. Potentially look into creating a custom Role Provider (see in document below)
Once logged in, requests are made to Sitecore are made in context of that logged in user. Therefore if the user, or their role, does not have permission to view an Item, it will not be returned in the request. This effect means that your Menu will not display items they do not have permission to access.
You and Content Editors can control what users and roles can access via the Security Editor and view their access rights via the Access Viewer in the Content Editor.
This documents will have everything you need - http://sdn.sitecore.net/upload/sitecore6/sc61keywords/security_api_cookbook_usletter.pdf
http://sdn.sitecore.net/upload/sitecore6/securityadministratorscookbook-usletter.pdf
Its also worth noting that Sitecore's seucirty manages roles as Ors. So if one of the user's role has permission to see an Item, then the user can see it.
If you require the roles to be Ands; every role must have permission before its displayed to the user, check this post out - http://www.sitecore.net/learn/blogs/technical-blogs/john-west-sitecore-blog/posts/2015/03/require-membership-in-multiple-roles-in-the-sitecore-aspnet-cms.aspx
You need the roles for the current user from SAP? There is an Odata API for that: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bde6197817511e10000000a42189b/content.htm
You could query the API in real-time, but it would of course require a login to SAP for the current user.
Or - you could use another API and connect via a service user.
We want to implement SSO functionality in our organization, but we're not really sure what our options are, and what the benefits / disadvantages for the different solutions might be.
-We have multiple old ASP(Active Server Pages) sites which should use SSO
-We have multiple ASP.net web-Applications which should use SSO
-We want Sharepoint to use the SSO
-CRM (Biztalk?) integration (Additional information about the user, such as Address, company, etc )
Since we're primarly .net, c#, Microsoft oriented, my first idea was to use Active Directory.
I've also noticed that there is something called ADAM (Active Directory Application Mode), and ADFS (Active Directory Federation Services), but I can't really say I understand when/where these should be used.
Here is a brief overview of the different web-applications
-"My Personal Page" : User log's into an application where they can modify their personal information along with their company-information and their employees. (Asp.Net)
-E-learning application (ASP)
-CMS system for web-publishing (ASP.Net)
-Sharepoint sites
I haven't really been able to find any articles that can tell me "AD is a great choice! , you can use it everywhere", so If anyone has got any experience /feedback to give me on this, it would be really helpful.
Also: How should rights/roles be managed ? Should all access/rights/roles for each application be stored in AD, or should this be stored in the applications themselves.
IE : AD stores the roles:
"Cms" <-allowed to login to the cms system
"Cms.Article.AddAllowed" <-allowed to add article
"Cms.Article.DeleteAllowed" <-allowed to delete article
Or should this information be split up, so that AD holds information about which applications the user is allowed to log into, while the application itself holds information about what the user is allowed to do within the application when logged in
AD rights:
"Cms" <-Allowed to login to the cms system
Cms rights:
"Article.AddAllowed" <-allowed to add article
"Article.DeleteAllowed" <-allowed to delete article
So, when the user logs in, they are first authenticated against AD, and if that goes ok, the rights for the Cms application is fetched from a rights-table in the cms system ?
What are my options ? What other solutions other than AD do I have ?
Thank you for any feedback, its much appreciated !
We have done something similar in my organization. Here is the overall flow:
User requests web page
User is redirect to login screen along with SAML request
User authenticates against Active Directory
User is passed back to request web page with SAML response
User group/rights information is retrieved from database
If user requests page from another website same process occurs however if the user still has a session or selected the "remember me" feature then user does not have authenticate and gets logged in directly.
We use Sharepoint, but have not setup SSO yet. I believe Sharepoint gets the rights of the user from its own backend database/system. We also have a homegrown system to update user's groups/rights. I know Sharepoint can use web services so you could possible update Sharepoint when using a centralized user management system (of course you'd have to build that). The main thing is finding out where Sharepoint gets its information about the user and how you can tie your existing system to it...
I wouldn't rely on Active Directory to store group/rights information. It a pain to deal with compared to a database and is not flexible. It's fine for authentication and password management you just have to tie the user on Active Directory to your database system.
As far as I know, Active Directory is only practical for users within your domain. You would need an administrator to manage all those users and to add new users.
I've been working on a project myself where I wanted users to sign in, just to know their identity. I did not even care about their access rights but just wanted an identity on every visitor, something more reliable than an IP address, cookie, session key or whatever else. So I first asked my administrators if I could use Active Directory for this project. Sure, I could. But the webhost wasn't connected to our company domain so I would end up with only one user. Yeah, my administrator is a bit sarcastic sometimes.
So I started to explore SSO options. OpenID like this site is a good option and you could even implement your own OpenID server and require all visitors to sign on there first. It's a very powerful technique and you have less worries about managing users in your project. (Because the OpenID provider takes care of this.)
However, I ended up using CardSpace instead. :-) With CardSpace, every user can create their own user-token and store it on their own system. To log on, the website just asks for the card and the user just clicks on it. Those cards can be migrated to other systems but tend to be tied to a single computer and user, most of the time. (Although users can share a card!)
Rights and Roles are a different matter than Authentication. People always think they're connected while in reality, these are two different things. First, use OpenID or CardSpace or another authentication technique to verify the identity of the user. It doesn't matter how they're identified, you just need an identifier.
Next, you need rights and roles. Roles are basically just user-groups and you can connect an identity to a group. Or to multiple groups. And rights would be linked to roles, not users. But how you're going to divide these roles just depends on the applications. Just remember that someone who is an administrator in your version control system should not be an administrator in your customer database. Roles tend to be application-defined, thus every application could manage their own rights and roles and just needs a way to link these to an identity.
I myself just needed identities so I knew whom to blame when something ended up messed up. Then again, when there's only 5 users, things tend to become quite simple.