Q1: Is there a built-in load balancer in OpenAM?
Q2: When configuring a site while installing OpenAM, I was confused by the load balancer URL. Is it a URL for a proxy like LVS/HAProxy/nginx, or what is it?
A1: No, OpenAM does not have a built-in LB.
A2: The site URL can point to a VIP on a hardware LB, an HTTP reverse proxy, etc. Apart from being a prerequisite for SSO session failover, it 'only' controls the communication path between OpenAM client SDK based applications (like Web/J2EE agents) and the OpenAM infrastructure. When configured, the client SDK uses the primary site URL to communicate with the OpenAM infrastructure. When there is no site configured, the OpenAM client SDK will communicate with the 'authoritative' server of a given SSO session directly.
You don't need to configure an OpenAM site just to deploy OpenAM behind an LB or RP.
I have 2 websites hosted on IIS. On one website's root config, I have the Siteminder module configured. This website has other apps under it, each hosting one .NET Core Web API (using in-process hosting). There are 10 such APIs. The individual APIs' web.config does not have any Siteminder module and relies on the root site's Siteminder verification.
On the 2nd website, we don't plan to use Siteminder, but we have a requirement to support OAuth2 on the same 10 web APIs as those hosted on site 1. I was thinking that we could potentially have a simple .NET Core API using the YARP reverse proxy package, perform the OAuth2-based token authentication, and then reroute the traffic locally to the APIs hosted on site 1. But I don't want to go through Siteminder authentication again on site 1 for the rerouted traffic.
Is there a way to support this without needing a dual deployment/hosting of the individual APIs?
Thanks!
I have a website on a Namecheap server and an application deployed on Microsoft Azure App Service. I would like to send POST requests from my Namecheap server to the Azure application. My question is: is this possible, and isn't there a security risk?
Thank you for your help.
Web programs are accessed through HTTP requests. The security risk you mentioned does not exist.
In a web app, the security of the application's data is what we need to care about.
After passing authentication, the data can be CRUD'd according to the user's authority to ensure the security of the program.
It is recommended that you add an authentication function, such as a JWT token, to the Azure web app program.
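The answer above recommends protecting the Azure-hosted endpoint with a JWT. The following is an added example, not code from the original thread or from either hosting provider: a minimal HS256 token issue/verify round trip in the standard library, plus a request handler that refuses the POST unless a valid bearer token is present. The shared secret, subject, audience and endpoint names are assumptions for illustration; in practice the secret would be stored in App Service configuration and the Namecheap side would send the token in the `Authorization` header of its POST.

```python
"""Added example (not from the original thread): the Azure web app requires a
signed, unexpired JWT on the POST endpoint called by the Namecheap server.
Standard library only, so it runs offline. Secret/claims are assumed values."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, audience: str,
                ttl: int = 300, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT (done on the Namecheap side, or by a token service)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str, audience: str,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature, algorithm, audience and expiry check out."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        # Pin the algorithm: never let the token choose 'none' or another alg.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        payload = json.loads(_b64url_decode(p64))
    except ValueError:  # covers bad base64, bad JSON, wrong segment count
        return None
    now = int(time.time()) if now is None else now
    if payload.get("aud") != audience or int(payload.get("exp", 0)) <= now:
        return None
    return payload


def handle_post(headers: dict, body: bytes, secret: bytes, audience: str,
                now: Optional[int] = None) -> Tuple[int, str]:
    """Server-side check the Azure app would run before acting on the POST body."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(secret, auth[len("Bearer "):], audience, now=now)
    if claims is None:
        return 401, "invalid or expired token"
    # Authenticated caller: apply CRUD according to its permissions here.
    return 200, f"accepted {len(body)} bytes from {claims['sub']}"


if __name__ == "__main__":
    SECRET = b"assumed-shared-secret-change-me"  # assumption, not a real value
    tok = issue_token(SECRET, "namecheap-site", "azure-app")
    print(handle_post({"Authorization": "Bearer " + tok}, b'{"x":1}', SECRET, "azure-app"))
    print(handle_post({}, b'{"x":1}', SECRET, "azure-app"))
```

Using a fixed `now` in the checks makes expiry deterministic; the handler rejects a missing header, a tampered or forged signature, a token for another audience, an expired token, and a token whose header claims a different algorithm.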
I have configured an application behind my Application Gateway V2 and it is producing multiple login prompts. I have enabled cookie-based affinity on my HTTP settings as outlined in the Azure Application Gateway documentation: Application Gateway supports cookie-based affinity, which lets it direct subsequent traffic from a user session to the same server for processing. I have also removed 1 server from the backend pool, leaving only 1 server behind it. We are still facing the same issue.
Please use Application Gateway V1. I have seen this issue where the server sends Negotiate and NTLM, and with AppGW V2 the auth falls back to NTLM, where it prompts for login on each and every request (CSS file loading).
NTLM / Kerberos is not supported on V2 gateways. No idea why.
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-faq#does-application-gateway-v2-support-proxying-requests-with-ntlm-authentication
I have two VMs with IIS that host my application, with Azure Application Gateway distributing the traffic. The gateway is configured to offload SSL and everything is working fine.
However, I'd like to use client certificate authentication on one of the paths of the application. On NetScaler (or some other load balancer) I'd simply put the serialized client certificate into an HTTP header (X-Client-Cert).
Can I do something similar with Application Gateway?
At the moment that's not possible, but it is in the development pipeline of the Azure product team.
I have installed OpenAM (OpenSSO) to work with my Liferay portal, so authentication for Liferay now goes through the OpenAM server. This works fine.
But now I want to secure my own application (EAR) deployed on my GlassFish application server.
I cannot find any example of how to configure my web module to work with OpenAM/OpenSSO.
Can anybody help me configure my web application?
The usual approach is to install an OpenAM Policy Agent on your GlassFish server. The policy agent will intercept all requests to GlassFish before allowing them to be processed by the application server, forcing the user to authenticate first if they need to.
Once your policy agent is installed, you will be able to configure it to do many things. Restricting access to some or all URLs in your applications is the most obvious use. Protected applications can also access user details (such as uid or givenName) provided by the policy agent through HTTP headers.
The GlassFish agent is a J2EE policy agent. See here for configuring a J2EE policy agent in OpenAM:
http://openam.forgerock.org/doc/admin-guide/OpenAM-Admin-Guide/chap-agents.html#configure-j2ee-policy-agent
See here for installing the policy agent into GlassFish:
http://openam.forgerock.org/doc/agent-install-guide/OpenAM-Agent-Install-Guide/chap-glassfish.html