I want to connect to a server which supports NTLM authentication. I read the knowledge article “How To - Implement basic HTTP authentication” on the BlackBerry developers site; however, I did not find any reference to NTLM authentication.
Does BlackBerry not support NTLM authentication over an HTTP connection? Any workaround?
BlackBerry does support NTLM authentication over HTTP with the aid of a BlackBerry Server (BES) component called MDS-CS. The BlackBerry will pass credentials using basic authentication to the BES, which will then complete the NTLM handshake on behalf of the BlackBerry. The only requirement is that Support HTTP Authentication is set to True in the MDS-CS settings on the BES.
Related
I have a Delphi web application developed using the Intraweb framework (IW 15); currently users are authenticated with the database of the application. Now we need to enable this application with SSO.
Our customer uses SAML2.0 and WS-Federation protocols with ADFS.
I have searched over the internet regarding ADFS and SSO but could not find any details about this.
Is this something where I can send a simple HTTP request and get a token or some authentication information and allow the user to log in?
Is there any component (built in with Delphi or third party) available to implement SSO with ADFS using SAML2.0?
I am making an application that uses XMPP as its communication protocol, but for a better user experience I want the end user to be able to register and log in via Facebook/Google or any OAuth2 provider (e.g. GitHub).
Does the XMPP protocol itself support user authentication via OAuth like POP3 or IMAP do? I mean, what's the appropriate message format for OAuth2 authentication?
The XMPP protocol itself supports SASL authentication; also, later specs of SASL support OAuth2 and OAuth1.a as seen in RFC7228.
Also, XMPP supports other bindings besides TCP, such as the WebSocket one (RFC7395) or the slower BOSH. In this case you can use the "traditional" APIs for OAuth2, in other words do OAuth2 as would be done in a classic Web-based application and use XMPP as message/data transfer.
So the answer to your questions is YES it supports OAuth2 as spec says so.
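The message format the question asks about, sketched as an added example that is not part of the original answer: the client side builds a SASL OAUTHBEARER initial response and wraps it in an XMPP `<auth/>` element, and the server side parses it strictly before the token is handed to validation. The function names, JID, host and token are constructed for illustration, and whether a given XMPP server offers OAUTHBEARER is an assumption to check against its advertised mechanisms.

```python
import base64
import re

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
KVSEP = "\x01"  # key/value separator defined by OAUTHBEARER (RFC 7628)
B64TOKEN = re.compile(r"Bearer ([A-Za-z0-9\-._~+/]+=*)")
GS2 = re.compile(r"n,(?:a=([^,]*))?,")  # assumption: no channel binding ("n")

def build_initial_response(authzid, host, port, token):
    """Client: GS2 header, kvsep-delimited pairs, terminated by two kvsep."""
    gs2 = "n,a=" + authzid.replace("=", "=3D").replace(",", "=2C") + ","
    pairs = [f"host={host}", f"port={port}", f"auth=Bearer {token}"]
    return (gs2 + KVSEP + KVSEP.join(pairs) + KVSEP + KVSEP).encode("utf-8")

def xmpp_auth_stanza(authzid, host, port, token):
    """Client: base64 payload inside the XMPP SASL <auth/> element."""
    payload = base64.b64encode(build_initial_response(authzid, host, port, token))
    return (f"<auth xmlns='{SASL_NS}' mechanism='OAUTHBEARER'>"
            f"{payload.decode('ascii')}</auth>")

def parse_initial_response(b64_payload):
    """Server: strict parse; any malformed input raises ValueError."""
    raw = base64.b64decode(b64_payload, validate=True).decode("utf-8")
    if not raw.endswith(KVSEP + KVSEP):
        raise ValueError("missing terminator")
    gs2, _, rest = raw[:-2].partition(KVSEP)
    header = GS2.fullmatch(gs2)
    if not header:
        raise ValueError("bad GS2 header")
    fields = {}
    for pair in rest.split(KVSEP):
        key, sep, value = pair.partition("=")
        if not sep or not key.isalpha() or key in fields:
            raise ValueError("bad or duplicate key/value pair")
        fields[key] = value
    bearer = B64TOKEN.fullmatch(fields.get("auth", ""))
    if not bearer:
        raise ValueError("auth is not a well-formed Bearer token")
    authzid = (header.group(1) or "").replace("=2C", ",").replace("=3D", "=")
    # The token is still untrusted here: signature, audience and expiry
    # must be validated against the OAuth2 provider before binding a JID.
    return {"authzid": authzid, "host": fields.get("host"),
            "port": fields.get("port"), "token": bearer.group(1)}

if __name__ == "__main__":
    # Constructed sample values, not from a real deployment.
    print(xmpp_auth_stanza("juliet@example.com", "xmpp.example.com", 5222,
                           "mF_9.B5f-4.1JqM"))
```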
Reading this very good blog post (Getting familiar with IBM MobileFirst Platform Foundation OAuth Security), I learned how MobileFirst Platform (7.0 and above) has an integrated OAuth2.0 Authorization Server, which can be used to protect external resource servers.
However what I would like to understand is if it's possible to integrate MobileFirst Platform with another Authorization Server and protect MobileFirst Platform (and external) resource servers. The Authorization Server in this case would be ADFS running on Windows Server 2012R2.
This document from the Product Documentation explains how to use DataPower as an OAuth Authorization Server. Can it also be used for other OAuth2.0 Authorization Servers? (The Authorization Server in this case would be ADFS running on Windows Server 2012R2.)
IBM MobileFirst v8.0 only has support for DataPower as an external authorization server.
If you'd like to use a different AZ server, the only way I can think of is implementing the flow via a MobileFirst SecurityCheck, and have that security check call the other Authorization server.
That way you'd be using both the MFP AuthorizationServer and ADFS (so two OAuth flows, two tokens, etc.).
Think of this high-level flow example:
Your resource is protected by some scope; this scope is mapped to a security check in the MobileFirst server. When your client attempts to access the resource, your security check is triggered, which will then make a request to the ADFS authorization flow. Your security check would then act as a middle man between the ADFS and the client, and will be successful only when the ADFS has granted a token.
Eventually, when the MFP security check is successful, an MFP OAuth token will be granted to the client, which will allow him to access the protected resource.
So basically your security check will act as your client against the ADFS Authorization Server.
A simpler way would be to make that resource unprotected and implement your own custom OAuth flow against ADFS, but that's not the original question.
But the plus side of the first option is that you can always make that same scope (which is protecting your resource) be mapped to something else uninterruptedly (via the console), like to a different security check which does something else.
For IBM MobileFirst 7.1 (or 7.0), the flow is pretty much the same, only the terminology is different: in 7.x there are no security checks, but you can use a custom authenticator to get the same functionality.
Personal note - If you're not bound to using 7.x, I'd recommend doing it in 8.0.
I enabled Windows authentication for an ASP.NET MVC project. I'm in the company domain, and when I send a GET request to the server side, I don't see any special stuff like username/pwd in the header/body. How does the server know who I am? And if I send an AJAX call to the server, do I need to include username/pwd as part of this call? Please help.
Integrated Windows Authentication uses Negotiate (Kerberos) or NTLM authentication, which work the same way that Basic Authentication works.
When you send an initial request, the server responds with a 400 not authorized response. The browser sees the accepted types of authentication, and prompts the user for the username/password, or if it knows how to use the current Windows login token and is configured to do so, it uses that token automatically.
NTLM Working from Fiddler Perspective
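What a proxy or server log would show in the `Authorization` header during such a handshake, as an added example that is not part of the original answer: the account name is carried inside the token rather than as a visible username/password field. The function names and all sample messages are constructed for illustration, and decoding the names as UTF-16LE assumes the client negotiated Unicode.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"

def _field(msg, pos):
    """Read an NTLM security buffer (len, maxlen, offset) and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def inspect_authorization(header_value):
    """Describe one Authorization header value as a dict suitable for logging."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        user = base64.b64decode(blob).decode("utf-8", "replace").partition(":")[0]
        return {"scheme": "basic", "user": user,
                "note": "password is only base64-encoded"}
    if scheme not in ("ntlm", "negotiate"):
        return {"scheme": scheme, "note": "not a Windows authentication scheme"}
    raw = base64.b64decode(blob, validate=True)
    start = raw.find(NTLM_SIG)       # raw NTLM, or NTLM wrapped in SPNEGO
    if start < 0:
        return {"scheme": scheme, "mech": "spnego",
                "note": "no NTLMSSP token (e.g. Kerberos)"}
    msg = raw[start:]
    if len(msg) < 12:
        raise ValueError("truncated NTLM message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    info = {"scheme": scheme, "mech": "ntlm", "type": mtype}
    if mtype == 3:   # AUTHENTICATE: names are readable, the password never is
        info["domain"] = _field(msg, 28).decode("utf-16-le")
        info["user"] = _field(msg, 36).decode("utf-16-le")
    return info

def sample_type3(domain, user):
    """Constructed AUTHENTICATE message with empty responses (demo input only)."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    base = 64        # signature(8) + type(4) + six buffers(48) + flags(4)
    bufs = [(0, base), (0, base), (len(d), base),
            (len(u), base + len(d)), (0, base), (0, base)]
    head = NTLM_SIG + struct.pack("<I", 3)
    head += b"".join(struct.pack("<HHI", n, n, off) for n, off in bufs)
    return head + struct.pack("<I", 0x00000001) + d + u   # NEGOTIATE_UNICODE

if __name__ == "__main__":
    token = base64.b64encode(sample_type3("CORP", "alice")).decode("ascii")
    print(inspect_authorization("NTLM " + token))
```

A `mech` of `ntlm` under the `negotiate` scheme indicates the client fell back from Kerberos to NTLM, which is worth logging when Kerberos is the expected mechanism.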
It looks like Indy 10 Tiburon already has experimental NTLM support.
How can I activate the NTLM authentication for the DataSnap server/client applications and use the logon information (user name, password, domain) of the destination DataSnap Server?