I've seen that Octopus Supports LDAP integration.
But does it support SAML 2.0 or ADFS integration?
No. Your stuck with windows or forms based authentication.
If you are using Active Directory Authentication with Octopus, there
are two ways to sign in.
Integrated authentication Forms-based
http://docs.octopusdeploy.com/plugins/servlet/mobile#content/view/3048127
ADFS would require changes to server side code which isn't open source.
The Octopus Server -> Tentacle communication uses Public-key cryptography. Perhaps you can alter your design to keep the Octopus Server somewhere accessible and an Octopus Tentacle in the ADFS environment.
http://docs.octopusdeploy.com/display/OD/Octopus+-+Tentacle+communication
Related
Currently working on configuring SSO for Oracle Smartview client that accesses the Oracle EPM suite of BI Tools. Pingfederate SP and Okta Idp configured with multiple AD data sources is configured.
Would appreciate if anyone would share their experience in the approach and configuration steps taken to enable SSO for Smartview
A quick Google indicates that Smart View can consume a header for a user ID. This allows you to use any standard mechanism for header injection available in your IAM environment. You mentioned PingFederate as your SP. You didn't mention if Smartview is behind any proxy (like Nginx or Apache).
Ping has a number of integration mechanisms for header injection, ranging from the various integration kits in PingFederate (Java, Apache, IIS), as well as PingAccess which is the Ping Identity standard WAM tool.
With all of the options available to you for integration, providing you step by step guidance requires more information. I would suggest a call to your Ping account team.
I'm trying to figure out the right architecture from a mix of current .NET authentication/authorization offerings. One question that I haven't been able to find much online information on: What are the benefits of having ThinkTecture IdentityServer 2.0 federate ADFS 2 (which is authenticating domain users using Active Directory credentials), vs having IdentityServer authenticate users against the domain directly?
For my company, I see only 3 possible requirements for ADFS 2, but I'd prefer to avoid installing it if IdentityServer is sufficient (mainly because it's open-sourced, and therefore more readily debuggable, extensible, and understandable):
Claims-based authentication of corporate (Active Directory) users.
Support for Office365 SSO - there are directions for integrating Office365 with ADFS
Federating external (business partner) ADFS services (we don't currently need this, but I'd like to keep the option open)
Is any of this functionality not provided by, or not easily added to, IdentityServer 2.0?
Well IdSrv does not do Windows authentication out of the box. It would be easy to add forms based authentication for AD users - but Windows integrated (SSO) would be more involved.
IdentityServer is a really good product but:
Only authenticates against SQL not AD
Doesn't have SAML support - useful for third party integration e.g. SalesForce
No rich claims rules language
which ADFS does for you.
#leastprivilege answered the first - the rest are definitely not trivial to add.
Don't have much experience with Office 365 but it sits on top of Azure Active Directory which can be hooked up with IdentityServer - refer Federating IdentityServer with Windows Azure Active Directory.
I need to be able to verify if a new siteminder web agent is already registered on the policy server. Is it possible to do this using Java?. I couldn't find the 12.5 SDK details or sample files.
Any input is welcomed.
The PolicyMgmtAPI in the Java SDK is what you are looking for. I have done this sort of thing with the Perl PolicyMgmtAPI (get trusted host, get agent, etc...)
If you want to do this from the Policy Server it is pretty easy. If you plan on implementing this type of thing in an application server you will need to also create a 4.x agent in order to communicate with the Policy Server for the PolicyMgmtAPI calls.
My identity and access management tool of choice is OpenAM utilising their container based policy agents, this approach is not possible however using the Heroku Celadon Cedar stack -- at least it doesn't look possible to me (www.heroku.com)
What is the recommended way to enforce authentication and authorization for cedar deployed apps?
Thanks
/W
I'm not sure about the OpenAM access management tool. However if your application requires authentication or authorization then I would recommend to contact third party services linke TeleSign for their identity and access management sevices.
You can store your users in your own database, or used a hosted identity service like Stormpath (disclaimer: it's awesome).
If you end up using something like Stormpath, you'll basically work with a REST API to create, manage, and authenticate users.
I am migrating one ASP.NET MVC 3 intranet Website to the Windows Azure and DB to SQL Azure.
On Premises my site uses Windows Authentication to authenticate and authorize the user(By Placing AUTHORIZE attribute on controllers).
It would be very kind of you If you can let me know How to go about the same.Thank You In Advance !
You have two choices here:
Use federated authentication and something like ACSv2. This requires a bit of work to setup a relying party, install ADFS2, etc. However, it is the most robust and future proof option. It is a very good option.
Use something like Windows Azure Connect. That will bring Windows Authentication to the cloud by joining your running instances to your domain controller on-premises. In effect, you have something of a VPN between your cloud instances and your on-premises domain controller. There are some caveats to this model today (requires installing agent on DC for instance), but it would be from a 'just works' stand point, the easiest. Longer term, this is less attractive I believe than option #1.
You can get more details for each of these by checking out the Windows Azure Platform Training Kit.
I should also add that you have no option (today at least) of using Windows Authentication with SQL Azure. You must use SQL authentication there, so what I am talking about here only applies to the web site itself.
I'm very successfully using Windows Identity Foundation with Azure AppFabric Access Control Service to authenticate using ADFS v2.
As well as straight authentication, it gives you lots of flexibility over other claims, such as roles (which don't need to be based solely on AD group membership).
In my opinion, its biggest strength is that there is no communication channel required between the Azure platform and your on-premise AD. Everything is done via the browser. From a security perspective, this means that although anyone can reach your application, nobody can authenticate to it unless they can also reach your ADFS server. Access to this can be restricted to on-premise clients only or via VPN, greatly reducing the attack surface.
Also, because ADFS does not need to be exposed externally, it can greatly ease the bureaucratic overhead of deploying it, in my experience.
Only configuration is required, which although it can be a bit of a fiddle initially, is pretty straightforward once you've got to grips with it. You configure WIF to use ACS as it's Identity Provider and create a Relying Party in ACS for the application. Then, you configure ACS to use ADFS as its Identity Provider. You could configure WIF to talk directly to ADFS, but the additional level of abstraction of going via ACS can be useful.
Once you've done your configuration, using the [Authorize] attribute 'just works'.
Note that if you're using Ajax calls into your controllers, you'll need to take some precautions, as Ajax calls don't handle the federated authentication redirect (or the ADFS Shuffle, as I like to call it), but it's nothing that's insurmountable.
All in all, I'm very impressed with the combination of WIF+ACS+ADFS for transparent Windows integrated authentication.