I am looking for some information about using multiple authentication providers with WebSphere Liberty at the same time. The requirement is to have AD (LDAP) auth as the main authentication and, for users who are not allowed to be listed in AD, a simple database for authentication.
Thanks for any hints.
You can implement a custom user registry to meet these requirements:
http://www-01.ibm.com/support/knowledgecenter/#!/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_sec_custmr.html
If you're looking for the solution of security domains provided in WAS Classic (the full profile), please open an RFE and be sure to vote for it!
https://www.ibm.com/developerworks/rfe/?BRAND_ID=181
Currently working on configuring SSO for the Oracle Smartview client that accesses the Oracle EPM suite of BI tools. PingFederate SP and Okta IdP are configured with multiple AD data sources.
I would appreciate it if anyone would share their experience of the approach and configuration steps taken to enable SSO for Smartview.
A quick Google search indicates that Smart View can consume a header for a user ID. This allows you to use any standard mechanism for header injection available in your IAM environment. You mentioned PingFederate as your SP. You didn't mention whether Smartview is behind any proxy (like Nginx or Apache).
Ping has a number of integration mechanisms for header injection, ranging from the various integration kits in PingFederate (Java, Apache, IIS) to PingAccess, which is the Ping Identity standard WAM tool.
With all of the options available to you for integration, providing you step-by-step guidance requires more information. I would suggest a call to your Ping account team.
For Stormpath to work, is an internet connection a must?
I want to implement user management on my Spring Boot server hosted on a LAN, where the internet might not be available at times.
If this is not possible, what other options are possible?
Yes, a connection is required, as user info is stored by Stormpath. If your connection is intermittent, enabling caching could help.
For my use case, where I was avoiding cloud-based user authentication, I used Spring MVC with JPA and Spring Security, with user details stored in my local MySQL database.
The following link is one of the best tutorials I could find on this topic.
https://medium.com/#gustavo.ponce.ch/spring-boot-spring-mvc-spring-security-mysql-a5d8545d837d#.gwxd1jdkj
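As an added example (not code from the answer above or from the linked tutorial), here is the Spring Security Java configuration for that kind of setup, extended to the requirement in the first question on this page: an Active Directory provider is registered first and the local MySQL JDBC provider second, so users who are not in AD fall back to the database. The AD domain and URL, the table and column names, and the auto-configured Spring Boot DataSource bean are assumptions.

```java
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource; // Spring Boot's auto-configured MySQL DataSource (assumed)

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // local passwords are stored as bcrypt hashes, never plaintext
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Provider 1 (primary): Active Directory. Domain and URL are hypothetical.
        ActiveDirectoryLdapAuthenticationProvider ad = new ActiveDirectoryLdapAuthenticationProvider(
                "corp.example", "ldaps://dc1.corp.example:636");
        // Map AD sub-error codes to typed exceptions: unknown user / wrong password become
        // BadCredentialsException (ProviderManager then moves on to the next provider), while
        // disabled, locked or expired AD accounts raise AccountStatusExceptions, which stop the
        // chain, so a disabled AD user cannot get in through a stale database entry.
        // If AD is unreachable the provider throws InternalAuthenticationServiceException,
        // which also stops the chain: an AD outage does not silently downgrade to the database.
        ad.setConvertSubErrorCodesToExceptions(true);
        auth.authenticationProvider(ad);

        // Provider 2 (fallback): local MySQL users, reached only after the AD provider threw
        // BadCredentialsException. Table and column names are hypothetical.
        auth.jdbcAuthentication()
            .dataSource(dataSource)
            .passwordEncoder(passwordEncoder())
            .usersByUsernameQuery("SELECT username, password, enabled FROM users WHERE username = ?")
            .authoritiesByUsernameQuery("SELECT username, role FROM user_roles WHERE username = ?");
    }
}
```

This uses the WebSecurityConfigurerAdapter style of the Spring Security generation the linked tutorial targets; from Spring Security 5.7 on, the same two providers are wired into a ProviderManager exposed as an AuthenticationManager bean instead.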
In Spring Security I understand that there are different modules catering to different usages, and among the modules I saw LDAP, CAS and OpenID.
From my understanding:
CAS - it is only used for authentication purposes based on SSO
LDAP - it is based on an LDAP server to authenticate users and manage them. Am I correct?
OpenID - it is also based on an OpenID server to authenticate users
If that is the case, why would some people use CAS instead of LDAP? Maybe it is because of different usability? Can anyone shed light on the differences between the three of them and why one is preferred over the others?
CAS as a protocol is a mechanism to provide web single sign-on. There is also CAS, the software platform that implements that protocol amongst many others, including OpenID.
OpenID is also an authentication protocol, similar to CAS, able to achieve web single sign-on but more in a federated fashion.
LDAP is a protocol that defines how one should talk to a directory server. Most systems use LDAP to talk to a directory to retrieve user accounts, verify them and retrieve attributes associated with them. It has nothing to do with authentication or single sign-on. CAS, the software, can be configured to find user accounts from LDAP, find attributes from LDAP or do other things with LDAP.
I am designing a service to handle authentication across a number of hosted platforms. This service will need to be able to manage a number of different protocols for the users: LDAP, Shibboleth, no doubt others.
I was hoping to use the Shibboleth protocol internally and run the service as a Shibboleth IdP where, depending on user category, nature of the protected resource, etc., the hard work of the authentication is passed on to the native LDAP, Shibboleth, or other server where the user already has an account.
It seems as though this should be possible, but I have not gotten sufficient clarity from the Shibboleth documentation to work out whether it is, let alone how to do it.
Is this possible? How do I do it? Useful documentation very much appreciated.
Shibboleth is not a protocol; it is the name of the software stack that uses the SAML protocol.
Shibboleth can authenticate users from LDAP, AD (and database via a JAAS plugin).
Documentation on hooking up Shibboleth to use LDAP for authentication and attribute retrieval is at: https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverLDAPDataConnector
We have a vendor portal that is public and a Moodle site that is also public. They are both set up to use the same Active Directory.
Is there a way to configure SSO between them?
I've looked into this issue before, and all that I've found is about keeping the user credentials in the global Portal session and posting them to the Moodle server login form.
It seems that Moodle does not support LTPA, since this is a proprietary IBM protocol designed for WebSphere and Domino. Also, LTPA tokens do not include the actual password, so Moodle would have to trust WebSphere when it says that a particular user has been authenticated at a certain time (timestamp).
Maybe someone else has more input on the subject...