Is there a way to add agents to my Flex project without single sign on enabled? Our business model requires us to connect clients with agents who are independent contractors. From both a practical and legal standpoint, we can't provide them with something like an Active Directory or Gmail account.
When I add agents "locally", the lowest level of access I can grant to an agent is developer. This role allows agents to make changes to our underlying application.
Is there a way to grant users access as agents without SSO? If there is no way to do this through the UI, I am open to a solution that requires a custom JavaScript / React plugin.
I talked to Twilio support and non-SSO agent assignment is not an option
Related
What is the benefit of implementing Active Directory based Security to servers like Jenkins?
The only benefit I can think is the admin of the sever does not need to add/remove users because user can login themselves using AD credential.
But In my case I do not want to have the whole company access my server. the server is only used by my team. How can I disable the whole company from login in. (case1)
Besides, I want to grant different permissions to different members in my team. The new members get less permission, the experienced team members get more permissions. I believe this is very common. But using Active Directory based Security looks like they get the same permission because they are in the same groups (case2)
So why should I use Active Directory based Security? Can I resolve the above two cases in a server configured with Active Directory based Security?
Some corporate environments make this a security requirement. In said environments they usually have an internal request system where users can request they have their credentials added to an appropriate group for access to Jenkins. This is better than Jenkins own database and having them email you, the Jenkins administrator.
Once AD Authentication is configured in Jenkins and appropriate groups created in AD you can do a one-time setup of those groups with the Role-Based Strategy plugin in Jenkins and define what those groups have authorization to do.
Plan your groups well and it is a function that you will no longer have to worry about.
Warning: Be very careful when switching over from Jenkins own database user authentication to AD authentication. If you don't get the BindDN details just right you can get locked out.
I recently switched to a new company where my manager wants me to develop entirely new cloud based project in MVC. I have never worked on a project from the start and I think this is a good opportunity for me to lead.
However, I think the requirements of the clients are bit confusing.
Here is what he wants:
Client should be able to access the cloud hosted application from his network with single sign on. He wants to use his active directory for that.
There are different users in active directory, they will have different roles (I think we can handle this on database side. Create different roles and assign roles to users).
Client has to add vendor info in the application. But for this, system should send an email to vendor with the url of the cloud application. He wants user to login to the application using 2 Factor Authentication. So, send dummy password with url, and send OTP to his mobile number. Just like registering to any system.
Now my questions are:
Is it possible to have 2 different types of login mechanisms in the same application? SSO for client and 2FA for outside vendors?
If yes, could you please guide me in the right direction?
what things I need? Which framework, design pattern should I prefer?
How do I proceed ?
I am currently setting up an ASP.NET MVC application that will be hosted on the Windows Azure platform. The application may be used by hundreds of third parties, each with their own group of individual users, which will need to be authenticated by logging in. I am looking at using Windows Azure Active Directory (WAAD) for the authentication piece.
Obviously I can use WAAD to set up individual logins for each user, then add them to a group which has been set up for the third party they belong to.
This will likely be sufficient for most third parties. However, some may already have their own Active Directory (AD), which may or may not be a WAAD, with all of their users as members. I am wondering if there is a way that I can, relatively easily, provide a way for them to connect their Active Directory to my WAAD, allowing their directory users to authenticate with our WAAD.
I have read about integrating an on-premises AD with WAAD, either through synchronisation or using a federated login. However, all of the articles seem to be aimed at "your" on-premises AD linked with "your" WAAD. Obviously since you manage both directories there is inherent trust there. However, for obvious reasons, I only trust third parties to authenticate their users and do not want to open up a mechanism where they may be able to manage my WAAD and affect other people's users or groups.
So...
Can I connect a third party AD with my WAAD and let them authenticate their users for my application, without compromising the security of my WAAD?
If so, what is the best way to configure this set-up? Would I use the standard federated services software, for example, or is there something more suitable?
1) You can definitely expose Azure AD applications to users from other Azure AD tenants, without the need to manage their directories or give them any access to yours. The Azure AD documentation refers to those kind of app as "multi-tenant". You can find a detailed example in https://azure.microsoft.com/en-us/documentation/samples/active-directory-dotnet-webapp-multitenant-openidconnect/.
2) multi-tenant applications operate under the assumption that all the participating directories have their corresponding Azure ADS tenant. That is the case when, for example, they did set up Office365 or any other cloud service. Direct federation would not work in this scenario, given that the just in time provisioning of apps and the enforcement of permission and access rules relies on the directories and users being stored in shared infrastructure (though still completely isolated form each other, as is always the case in sound multitenant systems).
Please try the sample, hopefully it will help making the above more concrete. HTH
You can also look at the Azure AD B2B and B2C (in preview) options - https://blogs.technet.microsoft.com/ad/2015/09/16/azure-ad-b2c-and-b2b-are-now-in-public-preview/
We're using Jenkins (and precisely Cloudbees) for couple years. Well, it works.
Not I have new use case when I would like to allow trigger build remotely (w/o user account in Cloudbees).
Looks like it's impossible (standard token trigger mechanism requires an account in Cloudbees).
The only one way that I see it to set-up instant message integration (e.g. Jabber) and trigger builds in chat. It's nice solution that I would like to have, but ... it doesn't work for me. No errors and no messages (I tried different jabber servers).
Because I have only one such weird user I don't want to install special software (like Jabber/IRC server) and wanna use existing (like Gtalk or similar).
Any thoughts will be welcome.
standard token trigger mechanism requires an account in Cloudbees
You can use the Build Token Root plugin to bypass authentication long enough to check the token.
In the long term it would be desirable for Jenkins to let users create non-user principals that would have their own API tokens and SSH keys (but no UI login) and a restricted subset of permissions, so you could freely create a one-off principal for a specific purpose such as triggering builds. The infrastructure for such a feature does not exist today, however.
I am using access control on Jenkins with openid plugin. Users are authenticated through Google account.
But i also need to have users created on Jenkins internally. i.e role based access control.
Is there a way to configure Jenkins to make it possible to use multiple access control mechanisms at the same time ? Currently i can only select one.
Any plugins to make it possible ?
No, your users need a google apps account to login.
But that shouldn't be a problem with https://wiki.jenkins-ci.org/display/JENKINS/Role+Strategy+Plugin