
Bypass SAML or Kerberos in OSP

Hello,

Is there any URL for authentication in OSP that will bypass SAML or Kerberos and use Name+Password? I don't want to authenticate
administrative and high privileged accounts trusting a third party IDP.

Best regards,
Tobias

Re: Bypass SAML or Kerberos in OSP

On 06/02/2015 05:04 AM, Tobias Ljunggren wrote:
> Hello,
>
> Is there any URL for authentication in OSP that will bypass SAML or
> Kerberos and use Name+Password? I don't want to authenticate
> administrative and high privileged accounts trusting a third party IDP.
>
> Best regards,
> Tobias

Greetings Tobias,
If you configure for Kerberos integration with OSP and a user does
not have Kerberos configured in their browser correctly then they will
be redirected to the "normal" ID and password screen after being told
they are not configured correctly.



--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: Bypass SAML or Kerberos in OSP

On 6/2/2015 8:49 AM, Steven Williams wrote:
> On 06/02/2015 05:04 AM, Tobias Ljunggren wrote:
>> Hello,
>>
>> Is there any URL for authentication in OSP that will bypass SAML or
>> Kerberos and use Name+Password? I don't want to authenticate
>> administrative and high privileged accounts trusting a third party IDP.
>>
>> Best regards,
>> Tobias

> Greetings Tobias,
> If you configure for Kerberos integration with OSP and a user does
> not have Kerberos configured in their browser correctly then they will
> be redirected to the "normal" ID and password screen after being told
> they are not configured correctly.


How about SAML?

So for example, if your SAML is to some other directory, how would you
ever login as uaadmin again?


Re: Bypass SAML or Kerberos in OSP

On 2015-06-02 15:23, Geoffrey Carman wrote:
> On 6/2/2015 8:49 AM, Steven Williams wrote:
>> On 06/02/2015 05:04 AM, Tobias Ljunggren wrote:
>>> Hello,
>>>
>>> Is there any URL for authentication in OSP that will bypass SAML or
>>> Kerberos and use Name+Password? I don't want to authenticate
>>> administrative and high privileged accounts trusting a third party IDP.
>>>
>>> Best regards,
>>> Tobias

>> Greetings Tobias,
>> If you configure for Kerberos integration with OSP and a user does
>> not have Kerberos configured in their browser correctly then they will
>> be redirected to the "normal" ID and password screen after being told
>> they are not configured correctly.

>
> How about SAML?
>
> So for example, if your SAML is to some other directory, how would you ever login as uaadmin again?
>

Exactly. As soon as you choose to trust an external IDP you must have some kind of authorization policies that exclude
administrative accounts from that federation.
You can solve this by combining proxy and federation in access manager using different IDP's for the different proxies
(protected resources) but that is a complicated setup and I'm not even sure it is supported.

Best regards,
Tobias

Re: Bypass SAML or Kerberos in OSP

On 6/2/2015 10:08 AM, Tobias Ljunggren wrote:
> On 2015-06-02 15:23, Geoffrey Carman wrote:
>> On 6/2/2015 8:49 AM, Steven Williams wrote:
>>> On 06/02/2015 05:04 AM, Tobias Ljunggren wrote:
>>>> Hello,
>>>>
>>>> Is there any URL for authentication in OSP that will bypass SAML or
>>>> Kerberos and use Name+Password? I don't want to authenticate
>>>> administrative and high privileged accounts trusting a third party IDP.
>>>>
>>>> Best regards,
>>>> Tobias
>>> Greetings Tobias,
>>> If you configure for Kerberos integration with OSP and a user does
>>> not have Kerberos configured in their browser correctly then they will
>>> be redirected to the "normal" ID and password screen after being told
>>> they are not configured correctly.

>>
>> How about SAML?
>>
>> So for example, if your SAML is to some other directory, how would you
>> ever login as uaadmin again?
>>

> Exactly. As soon as you choose to trust an external IDP you must have
> some kind of authorization policies that exclude administrative accounts
> from that federation.
> You can solve this by combining proxy and federation in access manager
> using different IDP's for the different proxies (protected resources)
> but that is a complicated setup and I'm not even sure it is supported.


In 4.02 using a Header auth, for SAML via the SSO Provider model (meh
that is interesting to set up!) you can have your class that does the
header add in on one port, and not on another and it fails back to
Username/password.

OSP needs something like this.


Re: Bypass SAML or Kerberos in OSP

On 2015-06-02 14:49, Steven Williams wrote:
> On 06/02/2015 05:04 AM, Tobias Ljunggren wrote:
>> Hello,
>>
>> Is there any URL for authentication in OSP that will bypass SAML or
>> Kerberos and use Name+Password? I don't want to authenticate
>> administrative and high privileged accounts trusting a third party IDP.
>>
>> Best regards,
>> Tobias

> Greetings Tobias,
> If you configure for Kerberos integration with OSP and a user does not have Kerberos configured in their browser correctly
> then they will be redirected to the "normal" ID and password screen after being told they are not configured correctly.
>
>
>

Hello Steven,

Ok, but for SAML there is no way to authenticate with name+password? We will be using NetIQ Access Manager but Access Manager
will use an "external IDP" which we have no control of. We can configure authorization policies in Access Manager that deny
administrative accounts and other high privileged accounts but if we do that we need a way to authenticate them.

We have successfully tried a combination of federation and proxy in Access Manager for OSP that can solve this but it is a
complicated setup and I was looking for easier ways to solve this.

Best regards,
Tobias