Implementing an SSO solution for a node.js application - node.js

We would like to develop a new node.js based application using some SSO technology.
More applications will then join afterwards, using the same SSO infrastructure and logic.
We do not have specific requirements on the SSO itself, but it needs to authenticate users:
via a local DB (managing user name and passwords)
via our enterprise AD
via some external/federated SSO (I guess via SAML or so)
Also if it would support XACML it would be great.
I believe one of the most complete solutions on the market is the WSO2 Identity Server... but we would be open for others too.
The main question though is simply:
Is it possible to have such a solution in node.js?
Or do we need to shield node.js behind some (Apache) server to get SSO?
What would be the best approach?
Any inputs would be appreciated.

I've used Azure Active Directory in my node.js projects for authentication; this might work as you are using Active Directory. Here is a sample.

Related

How to add Azure Authentication to my current web application which is using API as well?

So my project has got two ASP.NET projects. One is for showing data (User Interface) and the other one is the API (for background processes like login, database calls, etc.). Right now my app has a Username and Password feature to log in. I have set up a startup class in my API which authenticates the user and passes the user token. Now I want to add a feature to log in through the Azure portal.
Can anyone suggest a good practice in this situation? I don't want to change my code, just add a feature. Should I make changes in the API or the Web project, or both? Meanwhile I was reading about "expose an API" in app registration. Would it be appropriate to use it just for login purposes?
Azure AD supports OAuth2, OIDC and SAML. See more information here. It is probably best to introduce the mechanism through the API first, since it would apply to the frontend as well (though slight modifications may be required there as well).

Azure AD Login/logout implementation for Spring cloud microservices

I want to implement login and logout functionality and retrieve user details like username and user role using Azure Active Directory.
We are using Docker to deploy a Spring Cloud microservices project on Azure cloud. Could you please suggest steps to get user details?
Do we need to secure all microservice edge points using Spring Cloud OAuth2 security with JWT, or can we just secure one web microservice? Do I need any permissions or specific user roles to implement this?
You can find Azure's documentation about OAuth 2.0 support for AAD here
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-protocols-oauth-code
I've got an application that's using OAuth 2.0 with a different Authentication Server, and I'm about to see if I can use AAD as the Authentication Server. But, whatever ends up being your Auth Server, the rest of the application should be the same...
The Auth Server handles the log in (typically as a Single-Sign On pattern)
The Auth Server will return a JSON Web Token (at some point, depending on the Grant Type being used to retrieve it)
The JWT should be included in each subsequent request to ensure the caller has authorization
From a Spring perspective, you'll need at least an SSO Client (denoted by the @EnableOAuthSSO annotation). If everything is hosted by that process, you'll need that JWT to call subsequent methods. If you have processes hosted in other processes, it's likely you'll want them secured as well. Using the @EnableResourceServer annotation will configure Spring Security to look for the JWT, just not attempt to retrieve one if the request does not have it.
Unless the endpoint is meant to be publicly accessible, you will want to secure it. Of course, I really don't know the context of your application, so this statement is purely an uninformed opinion based on zero knowledge of what you're trying to do with your application. Take it for what it's worth.
EDIT
This has become a little more complex than I originally thought. I have been able to write some code to dynamically retrieve the public key from Microsoft in order to validate the returned JWT.
But the main issue is the fact that Azure AD supports OpenID Connect when acting as an Identity/Authentication Server. And, at the moment, spring-security-oauth2 doesn't support OpenID Connect.
I was able to make some small changes to the Spring code, but I did ask the question to the Spring group and they are actively working on adding support for OpenID Connect. They hope to have a release in two months (ish?).
For the short term, the oauth2 support doesn't support OpenID Connect. Given this is the protocol used by AAD, the current version of oauth2 won't work with AAD. That said, I will be happy to wait for the official support, which shouldn't be too long.
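
The flow described in the answer above (the auth server issues a JWT, and each later request is checked against the issuer's public key, looked up by key id), as an added Node.js example that is not part of the original answer. The key pair, the `demo-key-1` key id and the issuer and audience values are constructed; a real service would fetch and cache the issuer's published keys instead of using the in-memory map.

```javascript
const crypto = require('crypto');

const b64url = (x) => Buffer.from(x).toString('base64url');

// Stand-in for the auth server: one RSA signing key published under a key id (kid).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const PUBLISHED_KEYS = new Map([['demo-key-1', publicKey]]); // constructed sample key set

// Auth-server side (demo only): build a compact JWT. A non-RS256 header gets no signature.
function issueToken(claims, header = { alg: 'RS256', typ: 'JWT', kid: 'demo-key-1' }) {
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = header.alg === 'RS256'
    ? crypto.sign('sha256', Buffer.from(signingInput), privateKey)
    : Buffer.alloc(0);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Resource-server side: return the claims of a valid token, throw otherwise.
function verifyToken(token, { issuer, audience, now = Math.floor(Date.now() / 1000) }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // Pin the algorithm: never let the token's own header choose how it is verified.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const key = PUBLISHED_KEYS.get(header.kid);
  if (!key) throw new Error('unknown kid');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Claims are read only after the signature has been checked.
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (claims.aud !== audience) throw new Error('wrong audience'); // single-string aud assumed
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}
```
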

Xamarin App secure web server login

I am quite new to the world of Xamarin and mobile development, but have been asked to create a simple cross-platform mobile app which is able to log into a secure web server, download some SQL data and then display it in the app.
What I am trying to understand is how to get the mobile app to request the data from my web server securely. I've seen and read a lot of information about requesting data from a web server using HttpWebRequest, but none of the examples describe how to secure this data. Also I see a lot of info about creating a REST API, but again I am not sure if that's the way I need to go?
Can anyone give me a really simple breakdown of the steps I will need to implement in order to achieve this? I feel like I'm drowning in a sea of web technologies and not sure which way to swim :)
I will be using IIS as the database and the Xamarin App will need to run on both iOS and Android.
Any help greatly appreciated!
Mike
It's a bit confusing the way you want to implement this and the level of security you need. There are many techniques to secure your app and your server. Some are easy to implement and others not so easy.
What I understand is that your application will be hosted on IIS. There is no such thing as an IIS database. IIS is just an application server by Microsoft.
The most common technology hosted in IIS is Asp.NET and Microsoft SQL Server database. But others can be used, like PHP (installing some extensions) and MySQL server. Anyway, using just PHP in IIS is a bad decision IMO, as there are many other lightweight and better servers to do that.
Xamarin has nothing to do with server security. Xamarin is just a client technology and the security must reside on your server application.
That said, there are many good practices you should follow to make clients more secure:
Never store user passwords or sensitive data on a local store (device database, settings, file system, etc.)
As others suggested, send your data to the server through the HTTPS protocol (SSL must be configured on the server side)
If you must save critical data on the device, use an encryption algorithm (there are tons of libraries to encrypt local SQL databases, just google it)
In case you go for Asp.NET I suggest that you go ahead and integrate Asp.Net Identity. It's the standard authentication/authorization system for ASP.Net and the built-in features will handle your user database as well as security issues you would hardly find out by yourself (i.e., storing passwords "as is" in the database is a big security hole)
Afterwards, you will have to choose an authentication (login) system. There are multiple choices but the industry standard would be OAuth2. Use refresh tokens if you want to make OAuth2 more secure. OAuth is supported by Asp.Net Identity and Xamarin. For Xamarin you can use an OAuth .NET client library or make simple HTTP calls (HttpWebRequest) to request tokens, refresh tokens, etc.
About REST API: I think that's the way to go, no matter what client or server stack you're using. Again, Asp.NET has a WebApi that will enable REST on your application.
If all this sounds like too much, don't worry. When you create an Asp.Net application in Visual Studio using a template, you will get a ready app with REST (WebApi) and authentication/authorization/security (Asp.Net Identity) by default.
It's important that you implement OAuth correctly both on the server and the client side. Otherwise you could face some security problems.

Best ADFS protocol support for node js

I am completely new to ADFS. I need to access the ADFS server through node.js. I am searching for good reference notes, with implementation. Please also suggest which protocol is best for requesting. Video tutorials are also helpful.
I assume what you want is to authenticate users in AD (via ADFS), for your nodejs based web app. I'd recommend looking first at passport.js.
ADFS supports 2 protocols for web sites: WS-Federation or SAML-P. WS-Fed might be simpler. We open sourced the strategy for WS-Fed and SAML that we use in our product. A strategy is essentially a plug-in for passport.
That strategy should give you a good start.
ADFS v3.0 exposes OAuth2. *
You could use Passport.js with OAuth support or Kong with OAuth support.
You could go the ADFS 2016 OpenId Connect route for ease of implementation (passport.js, only a feature request for kong).
If you're going the Azure route, there's one (passport-azure-ad by the Windows Azure team) specifically for that.
It includes OpenID Connect, WS-Federation, and SAML-P authentication and authorization.
Otherwise, versions disallowing etc., I recommend Eugenio Pace's answer.
Then check this; it is a complete solution (not a video tut)
Using Active Directory Federation Services to Authenticate / Authorize Node.js Apps in Windows Azure
http://seroter.wordpress.com/2013/04/22/using-active-directory-federation-services-to-authenticate-authorize-node-js-apps-in-windows-azure/
pretty fresh tut. (2013/04/22)

Grails: Implementing SSO

I'm developing an application with Grails.
I'm trying to implement an SSO functionality. But I can't authenticate the users via the Windows session, because some of them have a different Windows password than the domain password.
(I retrieve the users via LDAP) So, how can I authenticate them?
Scenario should be following:
User goes to the Grails-Site
A popup appears where the user has to fill in his credentials
After that, he never has to authenticate again...
Do any of you have some experience with it?
I think if you need SSO for many Grails applications a good choice is to add SAML support to your Grails applications using this plugin and then build an IdP (there are many in many languages) and connect the IdP to your LDAP.
SAML is standard and is the future.
If you need more info about SAML, check the SAML entry at Wikipedia. There you can find links to documentation and software.
