I am trying to set up a workflow of authentication to a new kubernetes cluster (Azure AKS) using oauth2-proxy (https://oauth2-proxy.github.io/oauth2-proxy/).
My question is probably pretty dumb, but I am a bit confused.
Is there a way to test a flow like that without having already a valid TLS certificate to use https and a valid registered domain everywhere?
Because for what I see in examples and tutorials everyone is referencing directly with https and registered domains both in Ingress and Oauth2 application (which in my case would be Azure AD App Registration).
There is no way to just have a POC of the tool before buying domains and tls certificates?
Thank you very much!
I would recommend that you start by using proper TLS certificates, because some things don't work over HTTP like they used to do. For example some important cookies will be rejected if set/sent over HTTP.
This is due to the SameSite cookies security property:
see:SameSite cookies
Related
I have configured mutual authentication on an Azure Application Gateway. Currently all client certificates issued by the intermediate CA (as configured on SSL profile) are accepted, but I only want a specific certificate to be granted access, ideally based on the subject of the client certificate. Making changes to the CA that issues the client certificate is not feasible in my case.
Options explored:
Use leaf certificate when configuring SSL profile: app gateway seems to ignore the leaf certificate; all client certificates issued by the intermediate CA are accepted.
Configure a rewrite rule action to pass a server variable (e.g. client_certificate_subject) to backend in a custom request header. This would require changing the backend to interpret the request header, which I’m trying to avoid.
Configure a rewrite rule condition to check server variable (e.g. client_certificate_subject) and conditionally take some action. Ideally the action should set the HTTP response code (without forwarding the request to backend) or rewrite to an error page generated by the app gateway (e.g. HTTP 401 unauthorized / 403 forbidden). Can this be done somehow?
WAF rules don’t seem like a viable option as they don’t have access to server variables
Hoping to find a way of configuring this requirement on the app gateway. Thanks.
I understand that you want to be able to allow specific certificates only based on their subject names etc., to be granted access by the Application Gateway.
You can't use a rewrite rule because in order to "get to" a rule in the first place you have to get through the listener and you can't get through the listener if you can't authenticate with mutual authentication.
At this point, the best way to avoid people from accessing App GW would be to not give the Leaf certificate so they cannot access the same.
Also please note that Application Gateway Mutual Authentication is in preview right now and therefore, it is intended for "Evaluation" and testing, and not production currently. Once it is GA, there will be options to have revocation lists and checks.
Hope this helps. Please do let us know if you have further questions. Thank you!
I'm a relatively new programmer to backend security so very much in the dark about how to set up HTTPS. I'm currently writing an IOS app that is sending http requests to my public EC2 backend domain, however I'm trying to transition this to HTTPS. Right now the backend is running on the developmental Flask server using HTTPS with a self signed certificate. However the problem is that on the IOS app side, it rejects this as invalid so I'm unable to test HTTPS dependant features. I tried to use the domain exception with the infoplist and ip.xip.io but it still complains that someone could be pretending to be this address. Could someone list in a very systematic way how I should approach building this out,i.e are there any free CA's, do I need a cert from a CA, and how to go about properly connecting the app and backend with HTTPS using my ec2 public ip.
Perhaps the iOS app will authenticate properly using a free community certificate. Investigate free certificate authorities, like letsencrypt. There are several. These work like the commercial CAs such as GoDaddy.
Actually the easiest solution was to just use Ngrok
This post became much longer than anticipated, TLDR: Where is my ASFS Federation Metadata located on my server? My overall task to the setup a test ADFS server in order to integrate our current application with ADFS
Hello, I'm trying to integrate our application with ADFS (it's a WPF application with a NodeJS backend), and I'm testing out Auth0 for this job (but if there are other simple solutions, I would be open to that as well - I've found no good guides so far ): espeically as a developer with no AD experience).
Regardless, I think I've set up a single server AD FS environment (locally as server1.local - with AD CS, AD DS and AD FS and that same server is the domain controller/DNS server) and set up an Auth0 relying party using this guide:
https://auth0.com/docs/connections/enterprise/adfs
In the next steps part, it says: try these quickstart guides. So I've downloaded the Angular2 quick start example project to test. But when I go to the enterprise connections and try to set up an ADFS connection, it asks for a ADFS URL
You can either provide the ADFS URL or upload the federation metadata file.
But I can't seem to find my ADFS URL. Not only that, my server is local, so it wouldn't be able to use my URL anyways right? I can just upload the metadata instead?
I've tried going to https://server1.local/federationmetadata/2007-06/federationmetadata.xml and https://127.0.0.1/FederationMetadata/2007-06/FederationMetadata.xml and https://localhost/FederationMetadata/2007-06/FederationMetadata.xml which under endpoints that's the one that shows, but ie says:
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://server1.local again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
I've enabled TLS 1.0, 1.1 and 1.2 and this still doesn't seem to give me my metadata. I've also tried that URL on Chrome and it gives a generic "This site can't be reached"
How do I get my metadata?
In the ADFS configuration, look for what you configured as your federation service name.
Use this in the URL.
https://federation service name/federationmetadata/2007-06/federationmetadata.xml
BTW the federation service name should not be the FQDN of the server.
In my case I want to test a rest-api protected by certificate-authentication.
I want to use the Paw-App to test this REST-API but I can't find a way to insert/upload my client-certificate and the truststore (jks or pkcs12).
I wonder if it is possible in the Paw-App to enable certificate authentication and how to do that, or if there are any plans to implement that besides OAuth and HTTP-Basic-Auth?
Paw now supports client certificates! :)
https://luckymarmot.com/paw/doc/auth/ssl-client-certificates
After checking other SO questions I have single sign on (SSO) working. There are two MVC 4 applications hosted on the same machine with the same domain (foo.example.com and bar.example.com).
Now I would like to get this working so both sites are under SSL for all of their traffic (without writing my own authentication handling as in this example).
I have worked out how to create self signed certificates in IIS7 and tried using one certificate for both sites and also having a separate certificate for each site.
After trying various configurations I am starting to believe it is not possible. I understand that SSO works by passing the authentication cookie between the applications when the web.config has been set up correctly with matching machine keys.
If the two sites are under SSL does this premise break down because of the encryption inherit in SSL? If it is possible I haven't worked out how to set it up.
If it is possible how do I do it:
One SSL certificate for both sites?
Two different SSL certificates?
If it is possible how do I set up IIS?
Any experience with this situation would be appreciated.
SSL has nothing to do with SSO (except that it encrypts user credentials during logon). You can have a single certificate for any number of sites if your only goal is to encrypt the traffic. However, in production you want 2 separate certificates for both of your names - foo.example.com and bar.example.com. Note, browsers will complain if they're self signed because their trust chain cannot be verified. So it's better to buy certificates from trusted authorities like VeriSign, Thawte, etc.
As for setting up IIS check these links: one, two.