I'm currently working on an application that uses the Mellon and Keycloak as the identity provider, using SAML for the authentication flow. I'm trying to implement an impersonation feature in my application that would allow a user with certain privileges (e.g. an administrator) to temporarily take on the identity of another user without requiring the original user to log out.
I'm wondering if it is possible to use the Mellon to implement this feature, and if so, what would be the best approach to do so. I've been reading through the Mellon documentation and searching online for examples, but so far I haven't been able to find much information on how to implement impersonation with Mellon.
If anyone has experience with using Mellon and Keycloak together and can provide some guidance or pointers on how to implement impersonation in this setup, I would really appreciate it.
Thank you for your time and help!
Related
I'm a php developer for my firm, and I'm kindoff stuck with this concept form Oauth.
I've been searching the web and read almost every article I could find about oAuth but still it won't get to me how to handle this situation.
I live in the Netherlands so forgive me if my writing is sometimes a little bit off.
I'm working on an application for our company. Its an online work platform, where people can sign up to to find work.
We sell our online application to companies who offer jobs and such.
So we have for every company that buys our web application an url like: http://companyname.onlinejobs.com ( for example ).
So we have backend users that can login in their application and they each have different roles and permissions.
We also have http://onlinejobs.com as a website where everybody can sign up to view job oppertunities and much more.
So we also have a frontend user, that also can have multiple roles, such as a free user and a premium user.
We've build a REST API that holds all methods to add and view jobs and profiles etc etc. We want this API to only be accesible to the clients that we register.
So if I register company1.onlinejobs.com than that in my opinion is a client, and can only use our api.
But now we want to intergrate oAuth to the situation.
We want the API to be protected from any unregistered clients, but we also want to make sure that a frontend free user, cannot access surtain api calls that a premium frontend user can make.
or is that permission based behaviour not something for oAuth?
Wich grant type that oAuth2 uses can we use for our situation?
I really need some help with this guys.. Hope somebody can give me a clear explanation about what to use best, or maybe even not at all.
We had a similar use case and we built our own authorization server that can handle the following use cases
Authentication and authorization from the
web applications
javascript enabled apps [Like SPA apps]
Native apps like windows services or windows apps
We have used the following flows in OAuth2.0
Authorization Code
Implicit flow
Resource owner credentials
Hence, the right choice of the flow needs to be decided on the types of applications that you plan to support.
HTH
Story is that I need to make my website act as Identity Provider (read: IDP). Website itself is on Zend platform. Idea is making a IDP controller by which Service Providers (read: SP) contacts IDP. As it must be part of the website, I would need to include some extension, which could be easily used for responding SAML requests from SP.
I have found list of PHP extensions from:
https://wiki.surfnetlabs.nl/display/OSP/RFC+-+OpenSAMLphp,+a+new+PHP+library+for+SAML+2.0+support
All of these extensions have little documentation or are too complex. For example I haven't found a way to use SimpleSamlPHP in my application and also extracting useful code out of it looks very time consuming (which I really don't have anymore). Also I find all of them hard to implement into website.
I have been googling and checking github for days now, trying to find easy way to use some library (right now I'm trying to implement Lasso, which seems reasonable, but unfortunately lacks good examples / information how to use it as IDP).
Any kind of criticism, ideas, help or tutorial/code examples would be useful.
I wrote a guide about how deploy on an open source software (Tiki-wiki) an IdP using simplesamlphp, and how to connect the IdP to google or salesforce. Take a look:
https://github.com/pitbulk/tiki-saml/blob/master/doc/tiki_wiki_as_idp.rst
SimpleSAMLphp seems intimidating at first but it can handle all the SAML responses for you.
Have you looked at creating custom authentication module - http://simplesamlphp.org/docs/stable/simplesamlphp-customauth
You can tie this module to your existing login mechanism pretty easily.
Check out PingFederate and the PHP Integration Kit from Ping Identity. Alternatively there is the Agentless Integration Kit (instead of PHP) which allows you to integrate using a RESTful API call to the PingFed server instead of embedding any PHP libraries.
HTH,
Ian
Is there a standardized way to set up AD authentication for a web service that does not have direct access to the AD controller? I'm thinking of a cloud application such as Google Apps that wishes to authenticate against an organization's AD.
I have googled around quite a bit but I don't seem to know the right keywords. Maybe someone else can elighten me or give me some search pointers.
FWIW, our applications are written in PHP using Zend Framework.
The most elegant solution to your problem would be using identity federation. The basic idea is to authenticate your user locally like you do on your regular apps and send a security token to your cloud provider, proving the identity of your users.
SAML is the most common federation protocol used for achieving this. Google has a nice page explaining the details and the wikipedia page is also insightful:
There are plenty of identity federation solutions, for example:
Active Directory Federation Services (ADFS)
SimpleSAMLphp
Shibboleth
OpenAM
SimpleSAMLphp may be a good start to familiarize with SAML, as it is.. simple :)
The procedure to connect it to google apps is described here.
ADFS would be an AD-centric solution, but is a bit more complex to configure.
Is there any way that I can integrate the UserCake user management system with MediaWiki? I want to link the accounts in each system so users can log into both with the same username and password.
There is no existing system to do this. You can create an extension for MediaWiki to do this without too much trouble. Basing it off an existing extension is probably a good starting point. By looking at AuthJoomla, AuthBugzilla and AuthSymfony you should get a good idea of how MediaWiki's authentication extension API operates. It's really just a matter of creating the class, getting it to call the relevant UC functions and then loading it as an extension into MW.
Having said that, UserCake seems unmaintained. It may be worth taking this opportunity to migrate your users to another authentication system. If you are using credentials between several applications you might want to look at something like LDAP.
I know that this is a really old question, but UserSpice is the fully PDO/OOP spiritual successor to UserCake and would probably be better equipped to handle this. It would take some modification, but it could be done.
May I recommend that you use other ways to secure you applications. Take a look at Windows Azure ACS that gives you security federation to Facebook, Google, Yahoo and more.
This allows you to focus on your application and not security protocols.
Azure ACS supports many different of protocols and works great with PHP as well as .Net based applications.
I did a quick search and found the http://www.mediawiki.org/wiki/Extension:OpenID that can use Azure ACS. (Access Control Services)
There are other alternatives to ACS such as Ping Identity and OpenSSO; But ACS is a cheap alternative to Ping.
I'm building a website that will require user registration and logon.
I would like to use the facebook connect to let people create a basic account and to log on without having to create a local account themselves - and let them fill in more profile details when they want to.
What other 3rd party authorizations systems are there? Clearly openid is one option. And google seem to have a system too for loging onto other sites with your google logon. Are there any other systems? Does microsoft have one for msn logons? I found some hints but was unable to find any details.
Anyway, the programming question is are there any php libraries that will do this for me across a range of providers? I see ones for facebook and OpenID but I've not seen any library in php that abstracts away the differences? Before I program my own solution are there any libraries for this that I've not managed to find?
Keep in mind that Facebook is likely to become an openid provider in the near future (for some value of near).
If you really want EVERYTHING abstracted for you, JanRain takes care of exactly that task for you as a hosted service. The free version provides enough functionality to get started, and then if your app takes off, you can pay a bit for more functionality down the road.