IBM ICN cross application authentication - websphere

We currently have an installation of IBM Content Navigator in which we built a feature. This feature shows another web application, installed on the same server, inside an iFrame; that application connects to CPE using the Java WS APIs to perform some operations with the ICN logged-in user's credentials.
The main problem we are facing is that in our current solution the user logs in twice: once to log in to ICN and again to log in to the web application, which is undesirable. We need to eliminate this second login and implement some sort of SSO.
One option available is Kerberos; however, as it currently stands, the FileNet Java API does not support Kerberos at the moment (only .NET does).
Any ideas are much appreciated.
References
Using Kerberos on an API Client - https://www.ibm.com/support/knowledgecenter/SSGLW6_5.2.1/com.ibm.p8.ce.dev.ce.doc/sec_procedures.htm

If your web application is deployed in the same WebSphere cell, you don't need to use Kerberos. Kerberos only needs to support SSO between WAS and the client, not between the application and the client.
You don't need to use createSubject(); just get the subject from the security context and provide it to CPE.
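A sketch of what this answer describes, added here as an example (it is not code from the original post or from IBM): a servlet in the iFrame application, running in the same WebSphere cell as ICN, takes the caller's JAAS subject that WebSphere established from the LTPA SSO cookie and pushes it onto the FileNet UserContext instead of calling createSubject(). It assumes the EJB transport (iiop URI) so that the WebSphere subject propagates to CPE, and that the application is protected by a security constraint; the URI and object store name are placeholders.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.filenet.api.core.Connection;
import com.filenet.api.core.Domain;
import com.filenet.api.core.Factory;
import com.filenet.api.core.ObjectStore;
import com.filenet.api.util.UserContext;
import com.ibm.websphere.security.auth.WSSubject;

// Example servlet for the iFrame application (assumptions: same WAS cell as ICN,
// the app is secured with a security constraint so the LTPA cookie has already
// authenticated the user before this code runs, EJB transport to CPE).
public class CpeWhoAmIServlet extends HttpServlet {
    // Placeholder values; replace with the real CPE EJB URI and object store name.
    private static final String CE_URI = "iiop://cpe-host:2809/FileNet/Engine";
    private static final String OBJECT_STORE = "OS1";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Subject caller;
        try {
            // Subject established by WebSphere from the LTPA SSO cookie; no second login.
            caller = WSSubject.getCallerSubject();
        } catch (Exception e) {
            throw new ServletException("No WebSphere caller subject available", e);
        }
        if (caller == null) {
            // Defensive check: the security constraint should already prevent this.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Connection conn = Factory.Connection.getConnection(CE_URI);
        UserContext uc = UserContext.get();
        uc.pushSubject(caller); // instead of UserContext.createSubject(conn, user, pw, stanza)
        try {
            Domain domain = Factory.Domain.fetchInstance(conn, null, null);
            ObjectStore os = Factory.ObjectStore.fetchInstance(domain, OBJECT_STORE, null);
            resp.setContentType("text/plain");
            resp.getWriter().println("Connected to " + os.get_DisplayName()
                    + " as " + req.getUserPrincipal().getName());
        } finally {
            uc.popSubject(); // always restore the thread's previous subject
        }
    }
}
```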

SPNEGO on Go backend (Windows server)

I currently have an application running on our Windows intranet consisting of a backend (Golang) and multiple frontends. Currently, frontend users must authenticate to the backend using a password, but we want to move to SSO (single sign-on) for improved security and user convenience. The frontend can use SPNEGO to negotiate IWA (Integrated Windows Authentication), which would allow the backend to know the Windows login ID of the frontend user.
I know how to configure the frontend (web browsers) for this, and it would be handled automatically in the backend if I were using IIS for the web server. I just need the equivalent code for a Go web server.
https://github.com/jcmturner/gokrb5/v8 appears to support this, but I have been unable to get it to work. There is some example code, such as https://github.com/jcmturner/gokrb5/blob/master/examples/example-AD.go, but I have not been able to understand how to adapt it to my needs. Does anyone have a working example?

IBM BPM sharing authentication with web application

I have a Java web application deployed in the same IBM BPM WebSphere. When a user opens a BPM screen, I provide a link to the web application.
I want only the user who is logged in to BPM to be able to access the link, but not others. How do I achieve this?
If your application is in the same WebSphere cell, SSO between apps is enabled by default. Check this page: Single sign-on for authentication using LTPA cookies. Your second application just has to have security constraints defined (roles, resources) and mapped to a specific group of users or to all authenticated users.
If the other app is in a different WebSphere cell, you would need to import the LTPA key there from your BPM cell. Also see the other constraints in the link above.

Automatically publish internal web application

I have written a web application that is, typically, installed internally by customers (based on IIS/MSSQL server).
When a customer wants to provide external access to the application, we offer the following supported scenarios:
Publish the application in their DMZ (pretty standard deployment).
Use our own platform where we host the application in our own cloud infrastructure for them.
However, because I have more and more customers who misunderstand the requirements for publishing an internal application, I would like to add a "one click" way of providing that service.
My idea is to have a reverse proxy installed on the customer's web server that will connect to a cloud server we control. When the application starts, it will connect to our server, authenticate and maintain the connection. When a user wants to use the application, she will use a URL that directs her to our server (say https://myapp.mycompany.org/CustomerID or https://CustomerID.myapp.mycompany.org). The server will then look up the list of connections from reverse proxies to find the one matching the customer ID and, if found, use that connection to relay the end user's connection.
In essence, that is the same thing as what Azure Application Proxy or TeamViewer do, only without the need for Azure AD or TeamViewer.
Is there an existing framework I can use for building such a service? I know I can write it on my own, but that is quite a large development.

Okta sso for native app accessing web services

We're getting ready to rewrite an old native Windows Mobile application that accesses data through a VPN. We'd like the new version (a .NET Windows 10 mobile application) to access data through web services that are protected by Okta. What is the best way to do this?
Thanks!
The best way to do this depends on how the web services are protected.
The main thing to keep in mind is that you don't want to store any secrets on the mobile application.
In an ideal world, these web services would be secured with something like OpenID Connect (OIDC), allowing you to authenticate against Okta (the "IDP") to get access to the web services (the "Relying Parties").
However, the real world is messy, where some web services are protected via SAML, OIDC, OAuth, custom headers, etc.
Without knowing more about your setup, my recommendation would be to build against OIDC, using a proxy server (or "API Gateway") as needed to secure your web services using OIDC.
One of my co-workers at Okta has written a sample iOS application in Xamarin that implements OIDC, I suggest taking a look at the ViewController.cs file in that repository.

Oracle weblogic access control 11g

I have just installed Oracle WebLogic Server and configured a RESTful service. Developers are able to use it on the office network, but when I placed it behind a proxy server, it is not working.
As discussed with the developer, we need to set up cross-domain access control security. Can anybody help me with how I can set that from the Oracle WebLogic Administration Console?
On the client side they are using JavaScript & ActionScript to call that service.
I would suggest trying to use SoapUI to test the service through the proxy server and see what the behavior is. You might want to change the proxy server to not cache the result from the URL during testing.
You can use web.xml to configure security roles and map them to WLS credentials/roles. If you have added a username and password, then you should be able to test this from SoapUI.