OpenAM call back in case of load balancer - openam

While going through the OpenAM documentation I found that when a session is invalidated by an admin, OpenAM notifies the agent about this. But suppose I have multiple copies of my application, situated in geographically distributed locations and sitting behind a load balancer: how will the particular agent be notified when a session invalidation happens? I guess sticky sessions won't help in this scenario, as no request is going out from my application side.

Every instance of your application has to be protected by an agent, and every agent has a separate agent profile in which its unique notification URL has to be specified. Create an agent group and add all agents to that group; only keep the notification URL unique per agent. If OpenAM cannot reach the notification URLs, the agents have to be configured in polling mode (minimal polling time: one minute).
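The following is an added toy model, not OpenAM's own code, of what the answer above describes: one notification per distinct notification URL, a load balancer that delivers a shared URL to a single backend, and polling as the fallback when a URL is unreachable. Agent names, hostnames and the session ID are made up; the point it shows is that an instance that never receives the notification keeps accepting the revoked session from its local cache until it polls.

```python
"""Added example (not OpenAM code): session-invalidation notifications to
agents behind a load balancer. Names, URLs and session IDs are constructed."""
from dataclasses import dataclass, field
import itertools


@dataclass
class Agent:
    name: str
    notification_url: str        # value of the agent profile's notification URL
    reachable: bool = True       # False: OpenAM cannot deliver to this URL
    # local session cache, session_id -> valid?  Real agents cache too, which
    # is exactly why a missed notification leaves a revoked session usable.
    cache: dict = field(default_factory=dict)

    def is_session_valid(self, sid, server):
        if sid not in self.cache:
            self.cache[sid] = server.is_valid(sid)
        return self.cache[sid]

    def on_notification(self, sid):
        self.cache[sid] = False

    def poll(self, server):
        """Polling mode: re-validate every cached session against the server."""
        for sid in list(self.cache):
            self.cache[sid] = server.is_valid(sid)


class LoadBalancer:
    """Delivers a request for the shared URL to ONE backend, round-robin."""
    def __init__(self, url, backends):
        self.url, self._rr = url, itertools.cycle(backends)

    def route(self):
        return next(self._rr)


class OpenAM:
    def __init__(self, agents, load_balancer=None):
        self.sessions, self.agents, self.lb = set(), agents, load_balancer

    def create(self, sid):
        self.sessions.add(sid)

    def is_valid(self, sid):
        return sid in self.sessions

    def invalidate(self, sid):
        """Admin kills the session: one notification per distinct URL."""
        self.sessions.discard(sid)
        for url in {a.notification_url for a in self.agents}:
            if self.lb and url == self.lb.url:
                targets = [self.lb.route()]   # shared URL: LB picks one instance
            else:
                targets = [a for a in self.agents if a.notification_url == url]
            for agent in targets:
                if agent.reachable:           # unreachable URL: notification lost
                    agent.on_notification(sid)


def still_accepting(agents, server, sid):
    """Agents that still treat sid as valid, i.e. where revocation did not land."""
    return [a.name for a in agents if a.is_session_valid(sid, server)]


def scenario(unique_urls, unreachable=(), poll_after=False):
    """Three instances that have all served the user once; then admin invalidates."""
    names = ["app-us-1", "app-eu-1", "app-ap-1"]
    if unique_urls:
        agents = [Agent(n, f"https://{n}.internal/agent/notify", n not in unreachable)
                  for n in names]
        lb = None
    else:
        shared = "https://app.example.com/agent/notify"
        agents = [Agent(n, shared, n not in unreachable) for n in names]
        lb = LoadBalancer(shared, agents)
    am = OpenAM(agents, lb)
    am.create("sess-1")
    for a in agents:
        a.is_session_valid("sess-1", am)     # populate each local cache
    am.invalidate("sess-1")
    if poll_after:
        for a in agents:
            a.poll(am)
    return still_accepting(agents, am, "sess-1")


if __name__ == "__main__":
    print("unique URLs:      ", scenario(unique_urls=True))
    print("shared LB URL:    ", scenario(unique_urls=False))
    print("one unreachable:  ", scenario(True, unreachable=("app-ap-1",)))
    print("... then polling: ", scenario(True, unreachable=("app-ap-1",), poll_after=True))
```

With the shared load-balancer URL only the instance the balancer happened to pick learns of the invalidation; with one URL per agent profile all three do, and the one OpenAM could not reach catches up on its next poll, which is the window (up to the polling interval) during which the revoked session is still honoured there.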

Related

azure creating an interactive service

What's the best way to go about building the following? (I'm new to Azure so I'm not sure about what approach to take.)
I want a user to be able to start a long-running (1-60 minute) 'service' on the server which they can then interact with via a web interface.
The instance of the service will be specific to the user, and live as long as the user maintains a connection to it.
The service has complex state which changes in response to commands given by the user.
The user will also be able to request state data from the service.
Most of the time the service will just be waiting for a user request.
Once the user closes the connection to the server it should cease to be.

Does Azure Active Directory identify machine/IP/network as well on login, or are there any settings?

I am doing SAML SSO in my project. The scenario is: I am preparing a SAML Auth Request URL. There is a login page with 2 radio buttons for Internal/External User; in both cases I have to prepare the SAML Auth request with the IdP URLs provided to me. I was able to prepare it and it redirected me to the Microsoft login page. I have been given credentials in that domain to log in. The issue is that one person sitting in the US tried to log in with the credentials and was successfully able to log in, got the SAML Response and was redirected to the Redirect URL. When I took the same credentials of his and tried to log in from my machine, I got an error like "you are not authorized". I am confused about what happened: we are using the same credentials but the machine is different. Is there any setting in Azure Active Directory which checks NETWORK/Machine/IP as well?
Yes, they do sign-in risk detection based on many factors.
Location is one of them.
The one you probably hit is this one: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#impossible-travel-to-atypical-locations.
It is impossible for this user to have traveled that large of a distance in such a short time, so it gets flagged as suspicious and blocked.
I've had this happen as well when I signed in to an account through a VM in another continent.
It does learn typical locations over time though, so it might start working later.
The algorithm ignores obvious "false positives" contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The system has an initial learning period of 14 days during which it learns a new user’s sign-in behavior.
You should have your own user id :)
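As an added illustration of the check the answer describes (this is example code, not Azure AD's detector, and the sign-in records are constructed): the core of an impossible-travel rule is distance between consecutive sign-ins divided by elapsed time, compared with a plausible travel speed. Azure AD additionally learns a user's typical locations and discounts VPNs; here the `known_egress` allowlist stands in for the "VPNs and locations regularly used by other users in the organization" exclusion, and the 1000 km/h threshold is an assumption.

```python
"""Added example (not Azure AD code): impossible-travel check over
constructed sign-in records."""
from datetime import datetime
from math import radians, sin, cos, asin, sqrt, inf

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: roughly airliner speed

# Constructed sample: alice NY -> Mumbai in 30 min, bob London -> Paris in 3 h,
# carol Sydney -> corporate VPN egress in Frankfurt 10 min later.
SAMPLE_SIGNINS = [
    {"user": "alice", "time": "2019-05-01T10:00:00+00:00", "ip": "198.51.100.7",
     "lat": 40.7128, "lon": -74.0060},
    {"user": "alice", "time": "2019-05-01T10:30:00+00:00", "ip": "192.0.2.44",
     "lat": 19.0760, "lon": 72.8777},
    {"user": "bob", "time": "2019-05-01T09:00:00+00:00", "ip": "198.51.100.9",
     "lat": 51.5074, "lon": -0.1278},
    {"user": "bob", "time": "2019-05-01T12:00:00+00:00", "ip": "198.51.100.10",
     "lat": 48.8566, "lon": 2.3522},
    {"user": "carol", "time": "2019-05-01T08:00:00+00:00", "ip": "192.0.2.80",
     "lat": -33.8688, "lon": 151.2093},
    {"user": "carol", "time": "2019-05-01T08:10:00+00:00", "ip": "203.0.113.10",
     "lat": 50.1109, "lon": 8.6821},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, known_egress=()):
    """Return (user, earlier_ip, later_ip, required_kmh) for every consecutive
    pair of sign-ins that would need travel faster than max_kmh.
    Pairs touching a known egress IP (VPN / proxy) are skipped."""
    known_egress = set(known_egress)
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], datetime.fromisoformat(e["time"]))):
        by_user.setdefault(e["user"], []).append(e)

    flagged = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] in known_egress or cur["ip"] in known_egress:
                continue
            hours = (datetime.fromisoformat(cur["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours <= 0:
                required = inf if dist > 0 else 0.0   # same instant, different place
            else:
                required = dist / hours
            if required > max_kmh:
                flagged.append((user, prev["ip"], cur["ip"], round(required)))
    return flagged


if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", hit)
    print("with VPN egress allowlisted:",
          impossible_travel(SAMPLE_SIGNINS, known_egress={"203.0.113.10"}))
```

Without the allowlist both alice and carol are flagged; once the Frankfurt VPN egress is listed, carol's pair is ignored and only alice's New York to Mumbai jump remains, which is the same distinction the Microsoft text draws between genuine atypical travel and known organizational egress points.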

How is Application insight tracking the User_Id?

I'm running an Azure Web App with Application Insights.
I know Microsoft can't show the real IP (Client_IP), so I add the real IP address to all requests (Ip).
I have a visitor client_id="h9zbt" that in the last 24h is using 48 different client_IP addresses.
The same user also has several real IPv6 addresses.
I'd like to block this IP from my website, but I think this looks so strange.
Is it really the same user?
How is Application Insights tracking the User_Id?
Usually Application Insights automatically opens a session for each user (look for the ai_session key). Therefore the default user scope would be a session scope.
You can override this behaviour by sending a user context if you have some kind of sign-in. (https://learn.microsoft.com/en-us/azure/application-insights/app-insights-usage-send-user-context)
I find it likely that it's the same user on the same device, just using several IP-addresses, maybe as an unsuccessful attempt to stay anonymous.
User IDs should persist across user sessions to track how users behave over time. There are various approaches for persisting the ID:
A definition of a user that you already have in your service.
If the service has access to a browser, it can pass the browser a cookie with an ID in it. The ID will persist for as long as the cookie remains in the user's browser.
If necessary, you can use a new ID each session, but the results about users will be limited. For example, you won't be able to see how a user's behavior changes over time.
The ID should be a Guid or another string complex enough to identify each user uniquely. For example, it could be a long random number.
If the ID contains personally identifying information about the user, it is not an appropriate value to send to Application Insights as a user ID. You can send such an ID as an authenticated user ID, but it does not fulfill the user ID requirement for usage scenarios.
As mentioned in the Azure doc:
https://learn.microsoft.com/en-us/azure/application-insights/app-insights-usage-send-user-context
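An added example (not Application Insights SDK code, and not from either answer) of producing the kind of user ID the quoted guidance asks for: an opaque, persistent value, or a stable pseudonym derived from an account identifier so that the identifier itself never reaches the telemetry store. The HMAC key, cookie name and the PII heuristic are assumptions for the demo.

```python
"""Added example (not Application Insights SDK code): opaque telemetry user IDs.
Key, cookie name and the PII heuristic are assumptions."""
import hashlib
import hmac
import re
import uuid

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def new_anonymous_user_id():
    """Fresh opaque ID to drop into a first-party cookie on first visit; a GUID
    is what the guidance suggests and carries nothing about the person."""
    return str(uuid.uuid4())


def pseudonymous_user_id(account_id, key):
    """Stable per-account ID that does not carry the account identifier itself.
    Keyed HMAC rather than a bare SHA-256 so that someone holding only the
    telemetry export cannot recover inputs by hashing guessed e-mail addresses.
    Normalised to lower case so 'Alice@Example.com' and 'alice@example.com'
    map to the same user."""
    return hmac.new(key, account_id.strip().lower().encode(), hashlib.sha256).hexdigest()


def looks_like_pii(user_id):
    """Cheap guard before telemetry leaves the app: reject e-mail addresses,
    values with spaces (display names) and anything too short to be an
    identifier of the required complexity."""
    return bool(EMAIL_RE.fullmatch(user_id)) or " " in user_id or len(user_id) < 16


def telemetry_user_id(account_id, key):
    """ID to send as the user context; refuses to emit something that still
    looks like personal data."""
    uid = pseudonymous_user_id(account_id, key)
    if looks_like_pii(uid):
        raise ValueError("derived user id looks like PII")
    return uid


def cookie_header(user_id, name="app_uid", max_age=365 * 24 * 3600):
    """Set-Cookie value that keeps the ID for a year. Deliberately not
    HttpOnly, since the browser SDK has to read it; Secure and SameSite keep it
    off plain HTTP and out of cross-site requests."""
    return f"{name}={user_id}; Max-Age={max_age}; Path=/; Secure; SameSite=Lax"


if __name__ == "__main__":
    key = b"demo-only-rotate-me"      # assumption: real key lives in app config
    print(new_anonymous_user_id())
    print(telemetry_user_id("Alice@Example.com", key))
    print(cookie_header(telemetry_user_id("alice@example.com", key)))
```

The pseudonym is what goes into the user context call; the mapping back to the real account stays with the key inside the application, which is what lets the ID satisfy the "no personally identifying information" requirement while still being stable enough to follow a user across sessions.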

AppModelV2: how to get signed in user automatically using Azure

I'm trying out the new model for unified app authentication using passport-azure-ad from this reference: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-v2-devquickstarts-node-web
The integration is successful, but every time I log in, I get redirected to a page where I get to choose from my existing Microsoft accounts or add a new one.
Why is the session or account not getting picked up automatically, if the user is already logged into his Azure or Microsoft account?
My requirement is that the user session should be picked up automatically (not for the first time, when he gives consent) if he is logged into his Azure account or Microsoft account.
This page needs to be avoided if he is already signed in.
The reason is a technical limitation. Let me see if I can explain briefly:
When a request comes to the v2 endpoint (login.microsoftonline.com), the v2 endpoint cannot detect the presence of an existing consumer account session (login.live.com).
Therefore, the v2 endpoint must make a query (via an iframe hosted on the login.microsoftonline.com page) to login.live.com to detect if a consumer session exists or not.
If a consumer session exists, the v2 endpoint should show the user an 'account selection' screen, like the one you depict in the question.
If a consumer session does not exist, and the user only has one business session, it could auto-login the user with that business account. However, by this time the user has likely already been waiting for a second or so for the query to login.live.com to complete. It might be a strange user experience if the page auto-completed after a second.
The v2 endpoint could definitely show a loading spinner or something to hold the user until the decision can be made, but it was decided that having the user click a tile was an acceptable alternative.

symfony 2 add roles in an event listener before firewall check

I have an application where a user can belong to many companies. The user accesses the company portal via companysubdomain.example.com. When a user accesses a company portal I have to update the roles he has for that company (by checking the subdomain and the database).
I created a request event listener for that, which parses the subdomain, queries the database and adds the new roles to the user. The problem is I need to be able to access the security context so I can update the user roles, so my listener priority has to be less than the Firewall priority. But if the firewall listener is executed first, it checks the user roles immediately, which are not yet updated based on the company.
Any suggestions? Maybe I need to implement a custom Firewall Listener or something like that. I don't want to overcomplicate.
Thank you.
OK. I have decided to create a Firewall listener to achieve this.
I followed the tutorial http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html but only created the Firewall Listener. For the token and provider I am using the ones that I was already using.