Is it possible to authenticate to Icingaweb2 through AzureAD (SAML/oauth2/openID) ?
This thing is actually possible to achieve with usage of
https://github.com/bitly/oauth2_proxy
After this proxy is installed and configured, run it with -set-xauthrequest info is in github repo wiki/readme
Set up icingaweb2 for external authentication by adding:
[autologin]
backend = external
into authentication.ini file
In icingaweb2 you need to add:
fastcgi_param REMOTE_USER $http_X_User;
into nginx/apache configuration.
If you will use same cookie name and secret pair in oauth2 proxy configuration, you will be authenticated to all your systems (Graylog SSO plugin, Icinga2, any your site) with pure SSO experience.
Depending on how much information is available, you can add a custom application to Azure AD.
This way only allows the connection to be SAML.
Related
Q: Is it possible to deploy Shibboleth without SSL?
Intro: We need to deploy Shibboleth in our testing environment. This environment is not visible from the Internet, so we are not able to add some valid certificate -- so it warns us that we are using a self-signed certificate. Our app can't go through this warning, and we are not able to automatically test if login via SAML works properly.
We use a docker image shibboleth-idp with our setup.
I think that we can change settings of Jetty and turn off SSL, but I am not sure how and if Shibboleth will be OK with that.
Question: "we can change settings of Jetty and turn off SSL, but I am not sure how and if Shibboleth will be OK with that."
Answer:
(1) Yes. Shibboleth is OK without SSL for demo purpose only. In other words, on the testing environment, you can change settings of Jetty and turn off SSL, and then run Shibboleth IdP with Jetty on the HTTP port of 8080 instead of the HTTPS port of 8443.
I have validated SAML authentication/federation provided by Shibboleth IdP/Jetty/HTTP port:8080 without SSL for Shibboleth SP. In other words, Shibboleth IdP runs on the Jettp HTTP port 8080 (instead of HTTPS port 8443) provides SAML authentication/federation for Shibboleth SP successfully.
Remarks:
(I) Usually the deployment of Shibboleth IdP on the production environment leverages proxy to redirect external HTTPS port 443 to internal HTTPS port 8443 of Jetty.
Correspondingly the deployment of Shibboleth IdP on the testing environment leverages proxy to redirect external HTTPS port 80 to internal HTTPS port 8080 of Jetty.
(II) Shibboleth IdP should run on Jetty with HTTPS port when deployed on the production environment.
(2) Security And Networking of Shibboleth IdP demonstrates that Jetty HTTPS key and certificate are NOT the keys and certificates used by Shibboleth IdP, which indicates that Shibboleth is OK without SSL for demo purpose only.
Use of browser-facing TLS key and certificate
This key and certificate is not used by Shibboleth directly, and you SHOULD NOT use this key (or certificate) in any of the other capacities described below.
(3) How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides the instruction on building a SAML-based Authentication/Authorization Provider using Shibboleth SAML IdP and OpenLDAP.
Shibboleth SAML IdP is responsible for identity federation.
OpenLDAP is responsible for identity authentication.
(I) To run Shibboleth IdP with Jetty on the HTTP port of 8080, you only need to execute the commands below to modify the configuration before building both IdP and SP Docker images. For your convenience, the Shibboleth IdP without SSL provided by this GitHub repository has been validated.
cd shibboleth-idp-dockerized/ext-conf/conf/
cp idp.properties idp.properties.backup
cp idp.properties.without.ssl idp.properties
cd -
cd shibboleth-idp-dockerized/ext-conf/metadata/
cp idp-metadata.xml idp-metadata.xml.backup
cp idp-metadata-without-ssl.xml idp-metadata.xml
cd -
cd shibboleth-sp-testapp/shibboleth-sp/
# Edit shibboleth2.xml to update IdP entityID and metadata without SSL.
vi shibboleth2.xml
<SSO entityID="https://idp.example.com/idp/shibboleth">
-->
<SSO entityID="http://idp.example.com/idp/shibboleth">
<MetadataProvider type="XML" file="idp-metadata.xml"/>
-->
<MetadataProvider type="XML" file="idp-metadata-without-ssl.xml"/>
(II) I have validated SAML Single Sign-On (SSO) provided by Docker-running Shibboleth SAML IdP (Identity Provider) and OpenLDAP for the following enterprise applications. In other words, I leveraged Docker-running Shibboleth SAML IdP and OpenLDAP to log in to the following enterprise applications successfully.
Microsoft Office 365
Google G Suite
Salesforce
Dropbox
Box
Amazon AWS
OpenStack
Citrix NetScaler
VMware vCloud Director
Oracle NetSuite
(III) Another StackOverflow question Setting up a new Shibboleth IdP to work with an existing SAML SP discusses the SAML configuration between IdP and SP.
I have a client that can only make requests without authentication information.
I would like to use HAProxy or a similar proxy solution to add OAuth authentication to these client requests.
I already succeeded to add a Bearer token to the client requests. See below for the haproxy.cfg with some placeholders.
frontend front
mode http
bind *:8080
default_backend servers
http-request add-header Authorization "Bearer {{ .Env.ACCESS_TOKEN}}"
backend servers
mode http
server server1 myserver.com:443 ssl
The problem is that the access tokens have a TTL of 24 hours. So I need to refresh them or get a new token periodically.
Does HAProxy support this already?
I can write some script to get a new access token periodically, update the config and restart HAProxy. Is this a good approach when running HAProxy in docker? Are there better solutions?
You could give a try to create/test your script using Lua, it is now supported in the latest versions, check How Lua runs in HAProxy.
An example of this but using Nginx + Lua, can be found in this project: https://github.com/jirutka/ngx-oauth
Is it better to store the config server username and password as an environment variable (both in the client and server), or by using a keystore? The keystore password is anyway stored as an environment variable, so why actually use a keystore? Or is there a better way to implement authentication in the Spring Cloud Config server?
In our case, config server is ONLY for backend services, but not for clients. We have multiple clients, like iOS, Android and Web app. Each kind of client will manage their own configurations.
Furthermore, we simply use HTTP basic authentication on config server, and store the username and password as instance variables. So the username and password will be not be exposed in source code level. On the other hand, our config server is not exposed to public network.
Hope this will give you some hints.
I have used ldap based camunda-auth to login to the application using HttpBasicAuthenticationProvider provided by camunda, where how can I implement https login and is it supported by camunda (or) we need to use spring security?
Please send any link related or config to camunda - https implementation.
I am not sure I understood you correctly- you want to set up camunda to have TLS and additionally you want LDAP authorization?
To set up TLS, you need to configure it directly on Tomcat server.
First you need to obtain/generate certificates.
Then you need to point to those certificates in server.xml configuration file.
Just google "TLS on Tomcat". I'm sure there are hundreds of tutorials how to do this step by step.
When it comes to LDAP integration - follow documentation:
https://docs.camunda.org/manual/7.8/installation/full/tomcat/configuration/#ldap
we have formsauthentication using Machine keys if it is to be hosted on web farm
How can I host authorization server (say WebAPI) in web farm which will produce same bearer token ?
Do I need to setup same Machine Key configuration on all servers?
Do I need to setup same Machine Key configuration on all servers?
If you're using the OAuth2 authorization server that is part of OWIN/Katana (OAuthAuthorizationServerMiddleware), yes.