unable to define idp attribute in xs-security.json and use it in approuter - sap-cloud-foundry

Defining attributes and referencing them in role-templates works, but how can they be defined as static/SAML attributes in xs-security.json? Application roles from xs-security can be edited in the SAP Cloud Platform Cockpit, but not the ATTRIBUTES section! What are the names/values in xs-security to provide this information? Otherwise the source of the attribute is always "Unrestricted" and the values "empty".
The solution from Capture IDP User attributes in SAP cloud foundry app via SDK UserAccesor API works only for roles created in the cockpit.
Maybe there's a working example somewhere I haven't found? How is an exposed attribute then used in an extended approuter?

Related

SCIM2 => Okta provisioning: Is it possible to update attributes with import?

When we initially import users into Okta via our SCIM test app, attributes like name and roles are set correctly in Okta. This appears to be configured here in the "To Okta" provisioning settings:
With the list of attributes and action to apply here:
Roles aren't listed here as an attribute, but they are part of the core schema and are imported if supplied by our SCIM app.
It looks like we can only apply these attributes on the initial create. If you edit the various attributes you'll see:
The "Create and update" option is greyed out. So it seems that you can only set attributes with the initial create. Is there some other way to update Okta with changes made in our internal system?

Can multi-tenancy in Keycloak be done within a single realm?

First, I'm well aware of the multi-realm approach to multi-tenancy in Keycloak. I've taken over a legacy project where nobody thought of multi-tenancy. Now, two years later, suddenly, the customer needs this feature. Actually, the microservices are prepared for this scenario out-of-the-box.
The customer develops a mobile app that authenticates users via API on our Keycloak instance with an account number (as username) and a password. Now, he'd like to add a tenant id to the login information.
The customer wants to avoid using several endpoints, as a multi-realm solution would demand.
One first idea was to just concatenate tenant id and account id on registration. But that's a smelly approach.
So, my thought was that there may be a way to configure Keycloak so that I can add a custom tenantid field together with the username that acts just like a composite primary key in the database world.
Is such a configuration possible? Is there another way to achieve multi-tenancy behaviour using a single realm?
I can't say for sure, but after some research, I found this:
This website lists all of this together with more information:
https://lists.jboss.org/pipermail/keycloak-user/2017-June/010854.html
Check it out, it may help with your data organization in Keycloak.
Late to the party. But maybe for others who are interested. You could try the keycloak extension keycloak-orgs. I am currently building a test stack with it and I am pleased.
A tenant in keycloak-orgs is an organization. You can map organizations and their roles to token claims with a built-in mapper.
"organizations": {
    "5aeb9aeb-97a3-4deb-af9f-516615b59a2d": {
        "name": "foo",
        "roles": [ "admin", "viewer" ]
    }
}
The extension comes with an admin interface. From there you can create organizations and assign users to them. There is also a well-documented REST API on the Phase Two homepage (the company who open-sourced the project).
The maintainers provide a keycloak docker image that has the relevant keycloak extensions installed.
If you want a single realm and a single client that serves many tenants, you can just use a custom user attribute, e.g. add key(s) "tenant=MyTenant", and then add a client scope and a mapper to include user attributes that have key=tenant.
Then the token will carry the user's tenant(s) and you can use that to filter data, add it to newly created data, etc.
It's only like 4 steps in Keycloak:
Add User attributes using a key-convention.
Add a Client scope that will represent tenants.
Add a mapper to extract the User attributes.
Add Client scope to the Client in use.
Wrote about it here: https://danielwertheim.se/keycloak-and-multi-tenancy-using-single-realm/
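The four steps above, carried out as an added example that is not the answer's own code: the first three functions build the Admin REST API payloads for the user attribute and the client scope with its User Attribute mapper, provision() sends them (the endpoint paths are Keycloak's Admin API; KEYCLOAK_URL, REALM, the scope name "tenants" and the attribute key "tenant" are placeholders), and the last two functions show how a service reads the resulting claim from an already verified token and uses it as the tenant filter.

```python
# Added example (not the answer's code): provisioning the single-realm tenant mapping
# through the Keycloak Admin REST API and enforcing the resulting claim in a service.
# Assumptions: KEYCLOAK_URL, REALM and the scope/attribute names below are placeholders;
# admin_token is a valid token for the Admin API; claims passed to authorize_tenant()
# come from a token whose signature has already been verified.
import json
import urllib.request

KEYCLOAK_URL = "http://localhost:8080"  # assumption: local dev instance
REALM = "myrealm"                        # assumption
TENANT_ATTR = "tenant"                   # the key convention from step 1


def user_payload(username, tenants):
    """Step 1: a user carrying the tenant attribute (Keycloak stores attribute values as lists)."""
    return {
        "username": username,
        "enabled": True,
        "attributes": {TENANT_ATTR: [str(t) for t in tenants]},
    }


def client_scope_payload(scope_name="tenants"):
    """Steps 2 and 3: a client scope whose User Attribute mapper copies the attribute into tokens."""
    return {
        "name": scope_name,
        "protocol": "openid-connect",
        "attributes": {"include.in.token.scope": "true"},
        "protocolMappers": [
            {
                "name": "tenant-claim",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-usermodel-attribute-mapper",
                "config": {
                    "user.attribute": TENANT_ATTR,
                    "claim.name": TENANT_ATTR,
                    "jsonType.label": "String",
                    "multivalued": "true",      # a user may belong to several tenants
                    "id.token.claim": "true",
                    "access.token.claim": "true",
                    "userinfo.token.claim": "true",
                },
            }
        ],
    }


def admin_call(admin_token, method, path, body=None):
    """Minimal Admin REST client; returns the id from the Location header of a created object, or None."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{KEYCLOAK_URL}/admin/realms/{REALM}{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {admin_token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        location = resp.headers.get("Location")
    return location.rsplit("/", 1)[-1] if location else None


def provision(admin_token, client_uuid, username, tenants):
    """Runs steps 1-4 against a live realm: user, client scope + mapper, scope attached to the client."""
    admin_call(admin_token, "POST", "/users", user_payload(username, tenants))
    scope_id = admin_call(admin_token, "POST", "/client-scopes", client_scope_payload())
    # Step 4: make it a default scope of the client so every token issued for it carries the claim
    admin_call(admin_token, "PUT", f"/clients/{client_uuid}/default-client-scopes/{scope_id}")
    return scope_id


def tenants_from_claims(claims):
    """Reads the claim from a verified token payload; a missing claim means no tenant at all."""
    value = claims.get(TENANT_ATTR)
    if value is None:
        return frozenset()
    if isinstance(value, str):          # a single-valued mapper emits a plain string
        return frozenset([value])
    return frozenset(str(v) for v in value)


def authorize_tenant(claims, requested_tenant):
    """Filter rule for the service: the tenant a request names must be one the token carries."""
    return requested_tenant in tenants_from_claims(claims)
```

Denying on a missing claim (rather than falling back to a default tenant) is deliberate: a user whose attribute was never set must not see anyone's data.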

IdP initiated flow - Identify okta account

I have an MVC application (.Net Framework 4.5) which has been there for the last three years and uses the Forms Authentication mechanism. This application provides different accounts like Personal, Freebie, Enterprise etc. For an enterprise account, we are handling everything in the same application. I.e. suppose an enterprise called "xyz" created an enterprise account with the application; then we are providing a custom URL like "https://application/xyz/login" and from the URL we are identifying that enterprise. I don't know the exact reason why they implemented it like this, as I have seen that applications that have enterprise accounts create them as subdomains (e.g. https://xyz.okta.com). Now the client asked to integrate Okta into this application.
So I looked into Okta and found SAML is the right way to do it, and ended up with KentorIT AuthServices. Initially, I was able to integrate this with a sample MVC application and the authentication part was working fine. With some basic idea about SSO, I have started integrating Kentor AuthServices into my application. The challenges I found in this implementation are:
1) For Enterprise accounts, Okta configuration settings are different for each enterprise and with my current application implementation, it is not possible to set them from the web.config. So I have tried to set them from code and I was able to integrate those settings by replacing Configuration.Options.FromConfiguration;. I'm planning to store all configuration related things (Single sign-on URL, Audience URI, Identity Provider Issuer etc.) in the database so that I can get the information whenever I want, and I'm assuming that the "Identity Provider Issuer" id is unique for each Okta account. In an IdP initiated flow, when the user tries to access the application it will redirect to the AuthServices\Acs action method and from that, I'm trying to read the configuration settings. From the request, is there any way I can identify from which Okta account the call came (like Identity Provider Issuer)? Currently, I set the "Identity Provider Issuer" value (which I think should be unique per Okta account) in the Default RelayState field under the General SAML settings tab and I was able to retrieve it from the AuthServices\Acs action method. Does it seem to be a good idea? Please advise.
2) The Enterprise accounts are limited based on the number of licenses (say 50). Suppose the Enterprise Okta admin intentionally added 55 users; all those users can successfully authenticate to the application based on the default settings. Is there any way I can handle this scenario? Do I need to keep a record of the list of users that came under a particular enterprise account?
3) From the documents I understand that the Kentor authentication service is only for authentication and the authorization part has to be done by the application itself. The current application implementation consists of a custom authorization attribute which checks for user permissions that are stored in the database. That should stay there as it is and we have to do the authorization based on database permissions. Right?
Expecting your valuable suggestions and please correct me if I'm wrong. Thanks in advance.
Don't use the RelayState for sensitive data unless you cryptographically sign it. It is not protected by any signature when using the POST binding, so the user may manipulate it. To get the issuing idp, check the issuer field of any claim generated by AuthServices instead.
Yes.
Yes, that's the whole idea with Kentor.AuthServices: to plug SAML2 authentication into the security model of .NET to allow you to use any current/traditional authorization setup.
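The two points from the answers above (identify the enterprise from the signed Issuer, not from RelayState; keep a per-enterprise record of users to enforce the license count), as an added example that is neither the poster's nor Kentor's code. It is a stand-alone Python sketch of the server-side logic: it assumes the SAML Response has already passed signature validation in the SAML library before this code sees it (Kentor.AuthServices does that before the Acs action runs), and the issuer table, the seat counts and the sample Response are all constructed placeholders.

```python
# Added example (not from the question or the answers): identify the enterprise from the
# Issuer inside the already verified SAML assertion, ignore RelayState for that purpose,
# and enforce the enterprise's license count with a per-enterprise ledger of users seen.
# Assumptions: signature validation has already happened upstream; ENTERPRISES stands in
# for the database table the question describes; SAMPLE_RESPONSE is constructed.
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed lookup table keyed by the IdP's Issuer value (placeholder issuer, not a real one)
ENTERPRISES = {
    "http://www.okta.com/exkPLACEHOLDER": {"slug": "xyz", "licenses": 2},
}

# Constructed, unsigned sample Response for the offline run of this example
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
    <saml:Subject><saml:NameID>alice@xyz.example</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>""").decode()


def _assertion(saml_response_b64):
    doc = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = doc.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    return assertion


def issuer_from_response(saml_response_b64):
    """The Issuer of the assertion is covered by the IdP's signature, so it is safe to key on."""
    issuer = _assertion(saml_response_b64).find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("assertion has no Issuer")
    return issuer.text.strip()


def name_id_from_response(saml_response_b64):
    name_id = _assertion(saml_response_b64).find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    return name_id.text.strip()


def enterprise_for(saml_response_b64):
    """Resolve the enterprise from the Issuer only; RelayState is unsigned and user-controllable."""
    issuer = issuer_from_response(saml_response_b64)
    if issuer not in ENTERPRISES:
        raise LookupError(f"unknown IdP issuer {issuer!r}")
    return ENTERPRISES[issuer]


class SeatLedger:
    """Remembers which NameIDs have signed in per enterprise and refuses new ones past the limit."""

    def __init__(self):
        self._seen = {}

    def admit(self, enterprise_slug, name_id, licenses):
        users = self._seen.setdefault(enterprise_slug, set())
        if name_id in users:          # a returning user does not consume another seat
            return True
        if len(users) >= licenses:    # the 51st distinct user of a 50-seat enterprise is refused
            return False
        users.add(name_id)
        return True


def login(saml_response_b64, ledger):
    """Returns (enterprise slug, admitted?) for one verified IdP-initiated Response."""
    enterprise = enterprise_for(saml_response_b64)
    admitted = ledger.admit(enterprise["slug"], name_id_from_response(saml_response_b64), enterprise["licenses"])
    return enterprise["slug"], admitted
```

In the real application the ledger would be the database table the question asks about; what matters is that the key it is filled under comes from the signed assertion and never from RelayState or the URL path.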

SubServices in Apache Sling and Adobe AEM

I would like to know the concept of subservices in OSGi. I tried to find the documentation, but was not able to get any material in regard to AEM. I have this snippet of code:
ResourceResolverFactory.SUBSERVICE, "datawrite"
I tried to check in the Felix console, and I am able to find ResourceResolverFactory in the service tab. But how can I check SUBSERVICE, and the various options available like datawrite etc. and what they stand for?
Thanks
Let me try and explain it in the context of Sling Authentication.
As of AEM6 there are changes in the API to stop the abuse of the AdministrativeResourceResolver, which has been utilized by many developers to get an admin resourceResolver without passing any credentials.
As this has been deprecated in AEM6, you need to call getServiceResourceResolver(..) and pass it the subservice name, which is mapped to a user via the ServiceUserMapper configuration.
E.g. a configuration for a write service could be AEM-bundle:datawrite=datawriteuser. Here we are saying that datawrite, which is part of AEM-bundle, is mapped to datawriteuser, and the privileges available to this user are what will be used by the datawrite service.
A service can be composed of many subservices and those subservices will be mapped to different users. Quoting the Sling documentation: a mail transfer service can be composed of smtp, queue and deliver subsystems, and these subsystems can be mapped to the mta:smtp, mta:queue and mta:deliver users respectively.
Check these references:
inside Blog entry
Sling Authentication
It is the name of the authentication information property providing the subservice name for the service requesting a resource resolver.
See http://sling.apache.org/apidocs/sling7/org/apache/sling/api/resource/ResourceResolverFactory.html#SUBSERVICE

Changing request level for google project

How do I lower the requested access level of an existing google project?
It's currently asking for:
View your email address
View your basic profile info
Manage your contacts
When all I really want is to authenticate a user for login purposes, and I think all I need for that is:
Have offline access
One of the parameters you are passing when you create a credential is called scope, and contains a list of each of the services your users must authorize.
From the OAuth 2.0 docs, scope contains a string or iterable of strings. Change it to the new scopes you want.
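Reducing the scope parameter as the answer says, shown as an added example that is not the answer's code and uses only the standard library rather than the OAuth 2.0 client library the answer refers to. It builds Google's authorization URL with only the sign-in scopes, and checks the scope string Google echoes in the token response so a credential that was granted more (or less) than the login needs is noticed. CLIENT_ID, REDIRECT_URI, the state value and the token responses are constructed placeholders; the offline flag maps to Google's access_type=offline parameter, which is how a refresh token is requested.

```python
# Added example (not the answer's code): request only the scopes a login needs and verify
# what Google actually granted before using the credential. Stdlib only.
# Assumptions: CLIENT_ID, REDIRECT_URI and the state value are placeholders; token
# responses fed to scope_check() are the JSON bodies returned by Google's token endpoint.
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "PLACEHOLDER.apps.googleusercontent.com"   # placeholder
REDIRECT_URI = "https://app.example/oauth2/callback"   # placeholder

# Sign-in only: identity plus e-mail and basic profile. No contacts scope.
LOGIN_SCOPES = ("openid", "email", "profile")

# Google accepts the short aliases in the request but echoes the long form when granting.
_ALIASES = {
    "email": "https://www.googleapis.com/auth/userinfo.email",
    "profile": "https://www.googleapis.com/auth/userinfo.profile",
}


def _canonical(scope):
    return _ALIASES.get(scope, scope)


def authorization_url(scopes=LOGIN_SCOPES, state="STATE-PLACEHOLDER", offline=False):
    """Authorization request carrying exactly the scopes passed in (space-separated, per RFC 6749)."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,                      # anti-CSRF value bound to the user's session
    }
    if offline:
        params["access_type"] = "offline"    # refresh token: a request parameter, not a scope
        params["prompt"] = "consent"
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def requested_scopes(url):
    """Reads the scope list back out of an authorization URL (used to check what we ask for)."""
    return tuple(parse_qs(urlparse(url).query)["scope"][0].split())


def granted_scopes(token_response):
    """Google returns the granted scopes as a space-separated string in the token response."""
    return frozenset(_canonical(s) for s in token_response.get("scope", "").split())


def scope_check(token_response, required=LOGIN_SCOPES):
    """Fail if a required scope is missing; report any scope granted beyond what the login needs."""
    needed = frozenset(_canonical(s) for s in required)
    granted = granted_scopes(token_response)
    missing = needed - granted
    excess = granted - needed
    return {"ok": not missing, "missing": sorted(missing), "excess": sorted(excess)}
```

A non-empty "excess" list usually means an old consent or a stale scope list somewhere in the app is still asking for more than the login needs; it is the cue to re-check the scope argument the answer points at.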