Can Shibboleth work directly based on an Oracle database and without an LDAP - shibboleth

Can Shibboleth work without an LDAP, but directly based on an Oracle database?

It can if you're willing to implement your own JAAS module for the UsernamePassword authentication, or you can write your own code for External Authentication for the IdP.
However, if you're using just the code that ships with the IdP, then even if you want to use Oracle or another database for your user attributes in attribute-resolver.xml, you'll still need some kind of authentication mechanism like LDAP or Kerberos.
It's a total pain, especially for test or proof-of-concept systems.
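As an added example (not code from the original post or from the Shibboleth project), this is the shape of the custom JAAS LoginModule the answer refers to: it backs the IdP's UsernamePassword flow with an Oracle table instead of LDAP. The table name, column names, option keys and JDBC URL form are assumptions; the module is referenced from the IdP's JAAS configuration in place of the LDAP module.

```java
import java.security.*;
import java.sql.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Assumed table (not from the post): IDP_USERS(USERNAME, SALT RAW, PWD_HASH RAW, ITERATIONS) holding PBKDF2-HMAC-SHA256 hashes.
public class OracleLoginModule implements LoginModule {
    private CallbackHandler handler;
    private String jdbcUrl, dbUser, dbPass;   // supplied as JAAS module options (assumed key names)
    private boolean succeeded;
    @Override public void initialize(Subject s, CallbackHandler cb, Map<String, ?> shared, Map<String, ?> opts) {
        handler = cb;
        jdbcUrl = (String) opts.get("jdbcUrl");   // placeholder form: jdbc:oracle:thin:@//db-host:1521/svc
        dbUser = (String) opts.get("dbUser"); dbPass = (String) opts.get("dbPassword");
    }
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nc, pc }); }   // filled in by the IdP's UsernamePassword flow
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        char[] pw = Objects.requireNonNullElse(pc.getPassword(), new char[0]);
        succeeded = verify(nc.getName(), pw);
        pc.clearPassword(); Arrays.fill(pw, '\0');   // discard both copies of the clear-text password
        if (!succeeded) throw new FailedLoginException("invalid credentials");
        return true;
    }
    // Parameterized lookup (no string building) and constant-time compare; unknown user and wrong password fail alike.
    boolean verify(String user, char[] pw) throws LoginException {
        String sql = "SELECT SALT, PWD_HASH, ITERATIONS FROM IDP_USERS WHERE USERNAME = ?";
        try (Connection c = DriverManager.getConnection(jdbcUrl, dbUser, dbPass);
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            ResultSet rs = ps.executeQuery();
            if (!rs.next()) return false;
            PBEKeySpec spec = new PBEKeySpec(pw, rs.getBytes("SALT"), rs.getInt("ITERATIONS"), 256);
            byte[] computed = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            return MessageDigest.isEqual(computed, rs.getBytes("PWD_HASH"));
        } catch (SQLException | GeneralSecurityException e) {
            throw new LoginException("backend error: " + e.getMessage());
        }
    }
    @Override public boolean commit() { return succeeded; }
    @Override public boolean abort() { succeeded = false; return true; }
    @Override public boolean logout() { succeeded = false; return true; }
}
```

Attribute lookups for the same user still go through attribute-resolver.xml as the answer describes; this module only replaces the authentication step.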

Related

How to Send a Rest API to Autonomous Database of Oracle?

I'm struggling to send a Rest API request to Oracle Database (using Postman).
First issue: there are three types of Autonomous Databases (ATP, ADW, AJS) that will help me. I already created all 3 types in my Oracle cloud server.
What type of authentication do I need to use? It seems "Basic Auth" with user: ADMIN and the password that I defined?
What API endpoints are available to use? It is a bit confusing; in the attached screenshot I reach different articles and I'm not sure which one to use!
ORDS and SODA for REST (3) support many different authentication mechanisms. JSON document store REST services (you chose AJD) are intended to be used in server-to-server interactions. Therefore, two-legged OAuth (the client-credentials flow) is the recommended authentication mechanism to use with the JSON document store REST services. However, other mechanisms, such as HTTP basic authentication, are also supported.
The default when installing on Autonomous is HTTP basic authentication. Most of the examples use the database schema ADMIN, which is REST-enabled by default.
A good starting point is:
If you are working with ADJ, https://docs.oracle.com/en/cloud/paas/autonomous-json-database/ajdug/create-applications-ords-autonomous-database.html
If you are working with other ADB flavors: https://docs.oracle.com/en/cloud/paas/autonomous-database/adbsa/ords-autonomous-database.html#GUID-E2E921FF-2D80-4E32-9660-28506D10BADB
Those documentation pages provide links to the documentation referred to in your image.
E.g. to see the SODA collections available, the endpoint is https://your-ords-uri/ords/admin/soda/latest/.
To find the URI (Service Console / Development / RESTful Services and SODA):
As I said, the default is Basic Auth. You can also disable security and allow anonymous access for development and testing.
For relational tables, there are additional privileges to be managed using the ORDS PL/SQL package before using Postman. Follow the documentation.
Hope that this can help

Liberty 19.0.0.7 - How to load LDAP profile attributes once logged in

I'm currently running on WebSphere Liberty version 19.0.0.7 with ldapRegistry configured. I am able to successfully log in using the configured LDAP, and I am interested in retrieving the full profile attributes for a logged-in user. My first thought was to use the WIM client API, but I'm not 100% positive that it is a public API intended to be used for this purpose. I'm also aware that I can retrieve the data via LDAP directly and possibly through the SCIM API.
In short, what is the correct API that I should be using to load the profile for the currently logged-in user that utilizes the configuration already provided for my LDAP registry? With that knowledge, I can take the additional steps to research how to move forward.
Thanks.
As Ryan mentioned above, use the SCIM API.
https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_sec_scim.html
https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/rwlp_sec_scim_operations.html
The SCIM API requires configuring TLS as well as making the calls with a user who possesses either the reader or administrator role.

Identity server communication with DB - Security concerns

I need quick help regarding Identity server.
There is a client requirement to not allow any publicly hosted application to directly talk to the database. In Identity Server's case, the Identity Server will be hosted publicly for the token endpoint, and it queries the database for operational data (I went for the DB approach with reference tokens because IdSrv will be on an NLB). Is there any workaround for this? Or is this standard practice?
Thanks
If you don't want IdentityServer to talk directly to the database, you will need to implement and register custom implementations of ICorsPolicyService, IAuthorizationCodeStore, IClientStore, IConsentStore, IRefreshTokenStore, IScopeStore, and ITokenHandleStore that call off to some external app that can talk to the database.
Normal operating procedure is to have IdentityServer talk directly to the database. I don't see much merit in separating the two.
FYI: You don't need to use reference tokens if you are using load balancing. Check out the deployment docs.

Web Configuration, Security in Oracle APEX

I want to build a web application in Oracle APEX, where I want users to enter the database server through the application server, so that I can ensure more security in my application. If this is hard, then is there any other way in which I can ensure more security in a web application in Oracle APEX?
Oracle APEX is a very stable and secure environment.
As is,
you can encrypt and enforce high-level passwords for the users
you can lock accounts to avoid brute-force attacks
Devs and admins have accounts locked after a few attempts by default to avoid this issue
The service can be easily configured with any SSL
Web services, like most of them, can be programmed to use access_tokens and other validations.
To my knowledge any additional security could be configured on the server and firewall. So I would say that you can do a lot, but it is up to you to perform good practices when defining your system's security.
Hope it helps and good luck! :)

Legacy application with JDBC and JNDI REALM authentication

My application currently relies on JDBC realm authentication. Recent needs have forced us to think about having LDAP authentication as well. We are thinking about using Active Directory for both authentication as well as authorization (roles). As a standalone test, I was able to authenticate my application with AD. But here is the confusion I have going forward.
If the user chooses LDAP authentication when he logs in, I authenticate the user with AD and get the user's roles; do I then replicate (create a new) Windows user in my database? I have to have the user in the database, because many parts of the application are designed to retrieve the user from the database.
If the user chooses local login, I still should have a JDBCRealm somewhere that I should use to authenticate the user. Is it possible to have multiple realms in Tomcat? (I sort of know it is possible, but haven't seen much documentation around it.)
Any thoughts, comments, suggestions would immensely help me
Thanks
K
If you can run your app on Tomcat 6, there is a realm called CombinedRealm that will let you do what you are trying to do: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm. It is possible to do what you want in older versions but it's a real pain. You basically will have to implement your own custom Realm. I've not yet used this new CombinedRealm, but if it works as advertised it will save you a lot of effort and pain. Trust me.
