
Back-end app using NAM to query for auth status?


Up to this point, all of our back-end applications have a login page
(userid/password) that queries our eDir via LDAP. We use NAM to
front-end the web apps and usually do a FormFill for SSO

However, we are having to set up some new web apps that will service
both our internal users, and users maintained by a third party directory
that we have no control over.

We have set up (and it works) NAM as an SP to the external IdP via SAML.
(user logs in to the "other" external site, and gets allowed access to
our stuff via NAM and SAML)

The question:

Since we do not have the passwords (nor can we get them) from this
external directory, what are our options for configuring OUR web
applications to authenticate the users (both our users and the external
users)?

We thought that there would be some mechanism to have the web
application query/read/accept something that NAM can provide to tell it
that the user has already been authenticated.

I think we could somehow code the web app to use SAML to query our NAM
IDP (?)
or
Use the J2EE agent (but I'm not particularly keen on agent-based
stuff)

Is there some other mechanism? Like have NAM send something to the
web app (kinda like how the IDM UserApp works where you send an identity
injection with the userid, but then a SAML assertion and the IDM UserApp
"reads/accepts" that?)

I'm not a programmer, but looking for options (rather "high-level"
description) and then maybe a pointer to some doc site or web code that
I can point the developers to.

Thank you


--
The opinions expressed are my own.
Check out my OES2 Guides:
Installing OES2 SP2:
http://www.novell.com/communities/node/11600/oes2-sp2-installation-guide
Upgrading to OES2 with ID Transfer:
http://www.novell.com/communities/node/11601/oes2-sp2-migration-guide-transfer-id-scenarios
GroupWise Migration with OES2 ID Transfer:
http://www.novell.com/communities/node/11602/groupwise-migration-netware-oes2-sp2-transfer-id
------------------------------------------------------------------------
kjhurni's Profile: http://forums.novell.com/member.php?userid=734
View this thread: http://forums.novell.com/showthread.php?t=445928


Re: Back-end app using NAM to query for auth status?


Why not use automated provisioning by NAM when a user authenticates
via SAML? This user is then created in your local directory, which your
webapp can use.

--
Cheers,
Edward

Re: Back-end app using NAM to query for auth status?


Thanks Ed. We are planning on doing that, however, while it creates a
default password, we have some Federal government mandated security
thingy that prohibits us from using a password (i.e., 10,000 users with
the same password--not good).

However, it's possible that we could have NAM write some sort of unique
value (randomly generated maybe?) that the webapp could call.

The ultimate goal is to have a time valued token/cookie that ONLY NAM
can generate that the webapp can use/read/accept. Ideally if we could
figure out how the UserApp team coded UserApp (it can use/read the SAML
security cert from NAM/eDir AND it can still accept good old
userid/password via LDAP against eDir), that would be great.

We can toss around a few ideas, but I was hoping for some sample code
snippets (for the webapp itself) to be able to give to our web
developers.




Re: Back-end app using NAM to query for auth status?


Injecting a SAML assertion in a header is indeed ideal as it's
time-bombed.

You could maybe also do something funky with a loopback driver that
automatically generates a random password. The challenge, though, is how
to get it out and inject it...

--
Cheers,
Edward

Re: Back-end app using NAM to query for auth status?


I like the idea of the assertion thingy into the header.

Is there any sample code (that you know of) for the "web app" on how to
consume said header?

Thanks!!!!!




Re: Back-end app using NAM to query for auth status?

kjhurni wrote:

>
> I like the idea of the assertion thingy into the header.


NAM can do that out of the box.

> Is there any sample code (that you know of) for the "web app" on how
> to consume said header?


This entirely depends on the web application and what code it is
written in.


--
Cheers,
Edward
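As an added illustration (not code from this thread, from NAM, or from the IDM UserApp), this is the check the web application's side of the header approach discussed above needs to perform once NAM has injected the assertion: decode it, then verify the issuer, the time-bombed validity window and the audience before trusting the NameID. The issuer, audience and sample assertion are constructed placeholders; XML signature verification is not shown, so in a real deployment the header must additionally be accepted only on the path from the Access Gateway or verified against the IdP's signing certificate.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed values: the NAM IdP entity ID and the audience (SP entity ID) it asserts for.
TRUSTED_ISSUER = "https://nam.example.com/nidp/saml2/metadata"
EXPECTED_AUDIENCE = "https://webapp.example.com/"

def _saml_time(value):
    # SAML timestamps are UTC, "Z"-suffixed, with optional fractional seconds.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value or "", fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("missing or malformed SAML timestamp: %r" % value)

def validate_injected_assertion(header_value, now_iso=None):
    """Return the asserted NameID or raise ValueError. now_iso is injectable for tests."""
    now = _saml_time(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(header_value))  # use defusedxml for untrusted XML
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise ValueError("header does not carry a SAML 2.0 Assertion")
    if root.findtext("{%s}Issuer" % SAML_NS, default="").strip() != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    cond = root.find("{%s}Conditions" % SAML_NS)
    if cond is None:
        raise ValueError("assertion has no validity window")
    if now < _saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now >= _saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    if EXPECTED_AUDIENCE not in [a.text for a in cond.iter("{%s}Audience" % SAML_NS)]:
        raise ValueError("assertion was not issued for this application")
    name_id = root.findtext("{%s}Subject/{%s}NameID" % (SAML_NS, SAML_NS))
    if not name_id:
        raise ValueError("assertion has no NameID")
    return name_id

def check_injected_assertion(header_value, now_iso=None):  # (True, name_id) or (False, reason)
    try:
        return True, validate_injected_assertion(header_value, now_iso)
    except (ValueError, ET.ParseError) as e:
        return False, str(e)

# Constructed, unsigned sample assertion with a five-minute validity window.
SAMPLE_HEADER = base64.b64encode(("""<saml:Assertion xmlns:saml="%s" ID="_c0ffee" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
<saml:Issuer>%s</saml:Issuer><saml:Subject><saml:NameID>jdoe@partner.example</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"><saml:AudienceRestriction>
<saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>""" % (SAML_NS, TRUSTED_ISSUER, EXPECTED_AUDIENCE)).encode()).decode()
```

The same checks carry over directly to a Java servlet filter or a ColdFusion request handler; only the XML parsing calls differ.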

Re: Back-end app using NAM to query for auth status?



Yeah, I see the policy I have for IDM UserApp Formfill.

All our apps are written in either Java (deployed on WAS) or ColdFusion
(also running on WAS).




Re: Back-end app using NAM to query for auth status?

kjhurni wrote:


> All our apps are written in either Java (deployed on WAS) or
> ColdFusion (also running on WAS).


Maybe this helps you in the right way?

http://download.oracle.com/docs/cd/E17802_01/webservices/webservices/docs/1.6/tutorial/doc/XWS-SecuritySamples7.html

I'm by far a Java coder, so writing this kinda stuff is well beyond my
skills.

--
Cheers,
Edward

Re: Back-end app using NAM to query for auth status?


Hehe, you and me both. I can't even write a .bat file, hardly.

But at least there's "something" I can give to my app dev people.




Re: Back-end app using NAM to query for auth status?

kjhurni wrote:

>
> Hehe, you and me both. I can't even write a .bat file, hardly.


Hehe.

> But at least there's "something" I can give to my app dev people.


Ok, let us know when you have more questions. You can always email me.

--
Cheers,
Edward