I am using custom authentication for one app, and now all apps which I create I need to switch to that custom schema to be able to login.
How to solve that?
Well, I have a workspace and - in the same workspace - there are 11 different applications. Some of them user my "custom" authentication scheme, while others use Apex Authentication. I never had to switch all applications to either of them (i.e. the custom scheme, as you're saying).
So:
while in App. Builder
choose any application
navigate to Shared Components
go to Authentication Schemes
select authentication scheme (from the list)
I presume that would be "Application Express Authentication"; currently, it is "Custom scheme" (or whatever its name is)
click Make current scheme to switch to chosen scheme
Related
I have an MVC application (.Net Framework 4.5) which is been there for the last three years and using Forms Authentication mechanism. This application provides different accounts like Personal, freebie, Enterprise etc. For an enterprise account, we are handling everything in the same application. I.e. Suppose an enterprise called “xyz” created an enterprise account with the application, then we are providing a custom URL like “https://application/xyz/login” and from the URL we are identifying that enterprise. I don’t know the exact reason why they implemented like this as I have seen applications that are having enterprise accounts are created as subdomains (e.g. https://xyz.okta.com). Now the client asked to integrate Okta into this application.
So I looked into Okta and found SAML is the right way to do and ends up in KentorIT Authservices. Initially, I was able to integrate this with a sample MVC application and the authentication part was working fine. With some basic idea about SSO, I have started integrating kentor authsevices into my application. The challenges I found in this implementation are:
1) For Enterprise accounts, Okta configuration settings are different for each enterprise and with my current application implementation, it is not possible to set it in from the web.config. So I have tried to set it from code and I was able to integrate those settings by replacing Configuration.Options.FromConfiguration;. I’m planning to store all configuration related things(Single sign-on URL, Audience URI,Identity Provider Issuer" etc.) in the database so that I can get the information whenever I wanted and I’m assuming that “Identity Provider Issuer Id is unique for each Okta account. In an IdP initiated flow, when the user tries to access the application it will redirect to AuthServices\Acs action method and from that, I’m trying to read the configuration settings. From the request is there any way I can identify from which Okta account call came(like Identity Provider Issuer)? Currently, I set the "Identity Provider Issuer" value (and I think which should be unique for okta account) to the Default RelayState field under General SAML settings tab and I was able to retrieve it from AuthServices\Acs action methods. Does it seem to be a good idea? Please advice.
2) The Enterprise accounts are limited based on the number of licenses (say 50). Suppose if the Enterprise Okta admin intentionally added 55 users all those users can successfully authenticate the application based on the default settings. Is there any way I can handle this scenario. Do I need to keep a record of the list of users that came under a particular enterprise account?
3) From the documents I understand that Kentor authentication service is only for authentication and authorization part has to be done from the application itself. The current application implementation consists of a custom authorization attribute which checks for user permissions that are stored in the database. That should be there as it is and we have to do the authorization based on database permissions. Right?
Expecting your valuable suggestions and please correct me if I'm wrong. Thanks in advance.
Don't use the RelayState for sensitive data unless you cryptographically sign it. It is not protected by any signature when using the POST binding, so the user may manipulate it. To get the issuing idp, check the issuer field of any claim generated by AuthServices instead.
Yes.
Yes, that's the whole idea with Kentor.AuthServies: To plug SAML2 authentication into the security model of .NET to allow you to use any current/traditional Authorization setup.
In my work we have users who access a Web based tool called Microstrategy that serves different reports from different projects. Users are added to various groups in the Developer tool by importing them from the selected domain they are on into a specific group that gives them access to only the project > report they require. Most users come from one main central domain, some others are still on old domains.
I am currently involved with admin on this system and I am experiencing a problem I cannot get to the bottom of. I think they problem lies in no man's land, I don't know if it is a problem with network, domain, or something else?
Most users will be set up with authenticated login, meaning that when they click on the respective link for their report they are logged straight in using their windows credentials.
In this particular case however the user does not seem to be able to login, but can get in by manually typing their username in (username and password) to access.
I'm not sure what the problem is, why it won't authenticate automatically like most of the others do? I don't know if this makes any difference but when I RDP into the machine I cannot see the C drive due to 'admin restrictions on effect on this pc'.
I don't know what this restriction is and if it is a symptom or related to the login problem. Is there a way of fault finding this?
Thanks
Andrew
The answer to this partly depends on the version of MicroStrategy you are using.
Forget about RDP to the server, you won't need that.
Assuming you have access to edit and change users with the Developer tool, open Developer.
In the tree on the left,
open the "project source" (the top level of the tree)
then Administration
then User Manager
then find the user, most likely within one of the groups you have set up
right click on the user and choose Edit
go to the Authentication section
There's a few relevant things here.
Is the user linked to a windows user? (they should be for the access you want)
Is the tickbox ticked "user cannot use standard authentication to logon"
You probably don't want to allow that if the standard at your workplace is auto login
I am using vaadin 7, and jboss 7.1.1. There is a business requirement for very granular ui access. There will be parent windows per business function, and in that window functions relative to it. Business requires enabling and disabling those functions within, per user, so as an example, a parent window that represents employees, and when you click that you enter the child window which has functions like editing, deleting, viewing, adding,etc etc but that access must be customized to the user using it, so user x can update but not delete, as an example.
So what i came up with was to store that information in the database. In the database there will be a users table with username and a user guid. Then a parentview table and and parentchildren table and then lastly a userview table. i will store in the userview table the users guid and either the view they have access to and what type of access as in read,write,update,etc... I will on the ui login authenticate against ldap, get the users information and guid and use the guid to pull the users view access from the userview table in the database and store it in the vaadin session, and then on the ui, read that from the session and show the correct access.
I am not sure if this is the best way which is why i am asking if my solution is ok? I have been reading lots of doc's around security but non seem to achieve what i want. Another point of keeping it in the db, is that i can create a user admin ui which can edit the users access simply by updating the db, i dont want to redeploy or do anything with the webserver, I would prefer a ui user access control module and for someone with rights to it to administer that access. I would really appreciate insight and some ideas into this.
Thanks guys, I would appreciate any input.
What you want to achieve, regardless of the environment you are in and technology you are using, is fine-grained access control / authorization.
The way to do that is to use authorization frameworks. Spring Security has one for instance. I'm not sure whether Vaadin comes with anything.
In our company we use Vaadin to develop a management portal and we then use XACML to apply fine-grained decisions to the portal such as which functions to enable for which users and even which items to display in a Vaadin table.
Generally speaking you want to look at the field of attribute-based access control (NIST ABAC). ABAC lets you define authorization constraints based on different factors/parameters such as user attributes (location, department, role...) and resource attributes (where the resource can be data, widgets, functions... You name it).
I actually delivered a webinar yesterday on the topic of fine-grained authorization for Java MVC apps. I think it could prove useful for you.
If you go down the XACML path, you do not need to create a custom database with the information inside as you have done. All you need to do is write authorization policies e.g. a user in purchasing can use the purchasing functions.
There are several open source XACML implementations as well as vendor solutions such as the one I work for, Axiomatics.
I hope this helps. I've also written a lengthier answer here which covers the broader field of authorization.
Is there a way to allow the user to add additional items to one group in the settings bundle? Specifically, I a would like the user to be able to specify a list of URLs and Site Names within Settings. The functionality is almost exactly the same as the Twitter app that allows for a list of usernames and passwords and in the mail app where the server name, inbound and outbound email server names/addresses are maintained. I am familiar with doing this with archive, CoreData and SQLite within the app, but would prefer to keep key settings outside the app as I would like to intentionally distance the config data from the user interface.
Thanks
Derrick
Unfortunately you're pretty limited with what you can do in the settings. There isn't any way to run code, so there can be no add buttons or changes to the model - its basically predefined key value pairs. Twitter and mail are first-party apps so they can do things in settings the rest of us can't.
I'm trying to figure out how should I integrate facebook login system in my existing application through facebook c# sdk.
I have a web forms application and I'm authenticating users by standard Login control.
I'm using MembershipProvider, RoleProvider and ProfileProvider.
I'm thinking I should persist FacebookUniqueID and put it into relation with existing informations on my Membership Users table.
I'm wondering wich is a correct approach to this.
Considering I have a custom Profile Provider that uses a custom sql table, it would be fast to add a FacebookUniqueID property to my user profiles and use it in my login workflow:
Login through facebook;
retrieve facebookUniqueID;
retrieve userName for the user that
have this specific facebookUniqueID,
then
FormsAuthentication.SetAuthCookie(userName, bool);
What about providing an overload for the previous method taking facebookUniqueID as parameter?
Please let me know what do you think about this from any perspective and if anyone knows a simple working example
I think you are on the right track. We implement a similar solution (though we have rolled our own custom membership/role/profile etc and don't use the built in approach.)
You also will have to handle the situations that occur when a new user (without an existing account) logs into your site via Facebook.