We would like to implement FIDO authentication for our web application using Windows Hello as the authenticator and the WebAuthn protocol.
Please let me know the steps involved.
Which Windows OS version and build version supports Windows Hello?
How to set up FIDO server?
How to integrate our web application with FIDO server?
Can FIDO be used to authenticate back-end web API endpoint access?
1. FIDO2 functionality was initially released in Windows 10 version 1803.
2. Set up a FIDO server. You'll need to make a couple of design decisions first:
   2.1. Pay an IAM solution provider that already offers WebAuthn / FIDO2.
   2.2. Build WebAuthn / FIDO2 functionality into your existing authentication system:
        2.2.1. Integrate with an authentication service. The authentication service hosts the infrastructure; your app just calls their API.
        2.2.2. Spin up standalone WebAuthn / FIDO2 servers on your own infrastructure and integrate them with your existing authentication system.
        2.2.3. Integrate WebAuthn / FIDO2 libraries into your existing authentication system (uses existing infrastructure).
3. How you integrate depends on the design decisions outlined above. If you want to learn about integrating a library into your existing authentication system, I would recommend Yubico's Passwordless Workshop.
4. WebAuthn / FIDO2 supports various use cases. Learn more at the FIDO Alliance.
Related
We are looking into implementing authentication using the OIDC protocol on a web application deployed on WebLogic Server 14.1.
According to one comment here "Weblogic's OIDC functionality is available only from Weblogic Version 12.xx.".
However, I only find SAML support; OIDC integration seems to require using Oracle Access Manager (OAM).
I'd prefer not to require a separate product, so I would appreciate any feedback about your experiences doing OAuth integration with WebLogic with or without OAM.
References: OAM 11.1 FAQ
We are planning to build a web application which will use ADFS for authentication. The web application will be hosted on an AWS instance but will be talking to on-premises or cloud ADFS.
Can I use ADAL (Active Directory Authentication Library) for federating authentication and saving the authentication context in this scenario? If yes, are there any drawbacks?
When you say "cloud ADFS" you mean ADFS in a VM in the cloud?
ADAL is for mobile and native devices.
Normally a web application will use OWIN e.g. like this.
If you are not using ADFS 4.0, then use WS-Fed or SAML as per this.
These are for Azure AD but the principles are the same.
How do I implement a component that publishes secure REST services, with these conditions:
These services should be secured by OAuth 2.0.
This component will be the Resource Server.
The Authorization Server is a third-party component implemented with Spring OAuth 2.0 and deployed on a JBoss server.
The client app will call the resource server using JavaScript or a RestTemplate client.
Since you are already developing other legs of the OAuth2 solution using Spring Security, there is no reason to not use it as OAuth implementation for Mule as well.
http://www.mulesoft.org/documentation/display/current/Configuring+the+Spring+Security+Manager
There are also some ready-made things in Mule if you run the commercial version; check this out: http://www.mulesoft.org/documentation/display/current/Mule+STS+OAuth+2.0a+Example+Application
Given that we are running on a full WebSphere Application Server v8.5.5 profile, which has support for both OAuth and SAML ( http://ibm.co/1bUqrJJ and http://ibm.co/1es8Hgv ), can a Worklight 6.1 environment take advantage of either without needing some other external authorization service, such as DataPower or ISAM, between the device and the Worklight Server?
Worklight (5.0.x, 6.0.0.x, 6.1.0) does not provide any OAuth support on either the client or server. So any integration you're going to do will require some work on your part.
See related questions about Worklight and OAuth:
How to implement OAUTH 2.0 in IBM Worklight 6.0
IBM Worklight - How to use Google authentication in a Hybrid application?
OAuth support is something that Worklight product designers are thinking about, but I cannot comment further.
Is the SAML protocol (Single Sign-On) used solely for web apps and web services, or is it also used for standard applications?
REVISED:
I am looking for some Windows Single Sign-On protocols for standard applications (not web-based).
If you are looking at Windows specifically, why not use Kerberos and Integrated Windows Authentication? It's built into Active Directory and Domain Controllers. It doesn't really work once you start crossing into the Internet and different security domains but it works well behind your firewall in a corporate environment.
However, SAML can be used for desktop applications. I've run into applications before that would retrieve the Kerberos ticket from the Desktop, make a WSTrust/RST call to an STS to validate the Kerb token and get back a SAML token in the RSTR that would be embedded into a Web Services call that the desktop application needed to make.
SAML allows secure web domains to exchange user authentication and authorization data and by definition would require an internet connection to do so. So no you would not want to use it for a desktop application.
Revised
here are the links for active directory implementation with Delphi.
http://www.agnisoft.com/white_papers/active_directory.asp
http://adsi.mvps.org/adsi/Delphi/index.html