There are many solutions for third-party decentralized authentication that are pretty simple to set up: log in with Facebook credentials, OpenID, OAuth etc.
How can I do something similar inside the firewall, in a Windows domain environment?
The scenario:
Python web application inside the firewall, hosted on a Linux server.
Users have Windows desktops and authenticate to a Windows domain
I know I can validate a username/password against Active Directory using LDAP, but that is not what I want. I don't want my app to handle the username/password at all. I want it to work as OpenID does, i.e. my app redirects the user to some sort of Windows identity provider web page.
Is there an out-of-the-box Windows/IIS solution for this?
EDIT:
Could Windows Identity Foundation be what I'm looking for? Or perhaps WIF has the building blocks?
At the risk of giving too many answers, it sounds to me like ADFS 2.0 is your path of least resistance. As far as integrating claims based access into your python application, I've seen pysaml2 recommended as a way to do this, but I can't speak from experience.
I'm not a Windows guy, but Crowd from Atlassian:
Will run on Windows
Can authenticate against Active Directory
Includes an OpenID provider
So if your application can handle OpenID, you'd have everything you need.
WIF together with Azure ACS will provide this out of the box. e.g. Adding a Custom OpenID Provider to ACS… with JUST ONE LINE of PowerShell Code.
Or you could integrate with Dot Net Open Auth either with your own STS or using something like Identity Server.
Related
How to authenticate users using only external system logins on the superset.
like this.
Is this possible?
I've never used Python at all, but I need to customize a superset.
The external login system is an oauth 2.0 based authentication system.
I want to authenticate using a token stored in local storage or using a login page provided by the authentication system of an external login system.
Is this possible?
If user authentication is not possible with an external authentication system alone, please explain how to use Superset's user authentication and external authentication system together.
You can begin with the official documentation on superset, although you'll probably have to tinker further to get it working:
https://superset.apache.org/docs/installation/configuring-superset#custom-oauth2-configuration
Task: add Kerberos active directory authentication to an insecure reporting and data manipulation desktop application. This app is...
written in Stackless Python 2.7
uses Twisted for client-server interactions
Client is compiled to an exe and runs on Windows
Servers run on Linux (Red Hat)
Currently we pull the Windows network ID (logon name) from the user's account and pass to the server, which looks up what permissions that user is configured to have, and passes back menu options which provide access just to those features. Main weakness is that one could send a different username to the server and access other permissions.
Therefore Kerberos. (And LDAP, from what I read.)
Question:
Does Twisted provide a built-in Kerberos setup?
authkerb perhaps?
I found authkerb after a ton of searching, but I don't see feedback from anyone using it. I'm not sure where to start. If anyone has experience with this, or if you've run across any relevant info to implementing Kerberos specifically with Twisted, I'd appreciate it immensely!
I've never touched anything like Kerberos before, so I read up on it:
kerberos.org/software/tutorial.html
technet.microsoft.com/library/cc961976
web.mit.edu/kerberos/krb5-latest/doc/appdev/init_creds.html
web.mit.edu/kerberos/krb5-1.12/doc/user/tkt_mgmt.html
Also found tips on what to avoid:
faqs.org/faqs/kerberos-faq/general/section-83.html
Twisted does not.
However, http://calendarserver.org, which is based on Twisted, does have Kerberos authentication, and was the originator of the https://pypi.python.org/pypi/pykerberos project. It should serve as a workable example.
I would like to know how to implement single sign on in a python web application. The application would run on a Windows Server in an Active Directory domain.
The clients would also be in the domain.
What I would like is that the authentication occurs automatically, like Windows Authentication in Asp.Net (The browser automatically authenticates the user using NTLM or whatever, without ever popping a credentials window).
Is there a library that supports handling the authentication against Active Directory or, better yet, that generates all the required HTTP headers?
The application would probably be developed using Flask or Bottle.
It would also be cool if there was a WSGI middleware that does this authentication automatically.
Try sso.py. I haven't tried it myself, but it looks promising.
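The HTTP Negotiate (SPNEGO) exchange that the question above asks a WSGI middleware to handle, written here as an added example (not code from sso.py, Calendar Server or any poster). It verifies the ticket with the pykerberos calls from the project named in the earlier Twisted answer; the service name `HTTP@app.example.internal`, the pluggable `accept` parameter and the choice to reject NTLM fallback tokens are assumptions of this example.

```python
import base64

def pykerberos_accept(token_b64, service="HTTP@app.example.internal"):
    """Verify one SPNEGO token with pykerberos; needs a keytab for `service`."""
    import kerberos  # pykerberos, imported lazily so this module loads without it
    _, ctx = kerberos.authGSSServerInit(service)
    try:
        if kerberos.authGSSServerStep(ctx, token_b64) != kerberos.AUTH_GSS_COMPLETE:
            raise ValueError("security context not established in one step")
        return kerberos.authGSSServerUserName(ctx), kerberos.authGSSServerResponse(ctx)
    finally:
        kerberos.authGSSServerClean(ctx)

class NegotiateAuth:
    """WSGI middleware: REMOTE_USER is set only from a verified Kerberos ticket."""
    def __init__(self, app, accept=pykerberos_accept):
        self.app, self.accept = app, accept

    def _challenge(self, start_response, reason):
        body = reason.encode()
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", "Negotiate"),   # asks the browser for a ticket
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(body)))])
        return [body]

    def __call__(self, environ, start_response):
        environ.pop("REMOTE_USER", None)  # only this layer may set the identity
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() != "negotiate" or not token:
            return self._challenge(start_response, "Negotiate required")
        try:
            raw = base64.b64decode(token.strip(), validate=True)
        except ValueError:
            return self._challenge(start_response, "malformed token")
        if raw.startswith(b"NTLMSSP\x00"):  # client fell back to NTLM
            return self._challenge(start_response, "Kerberos ticket required")
        try:
            principal, reply = self.accept(token.strip())
        except Exception:  # any verification failure means unauthenticated
            return self._challenge(start_response, "ticket rejected")
        environ["REMOTE_USER"] = principal
        def start(status, headers, exc_info=None):
            if reply:  # mutual-authentication token returned to the client
                headers = headers + [("WWW-Authenticate", "Negotiate " + reply)]
            return start_response(status, headers, exc_info)
        return self.app(environ, start)
```

With Flask, wrap the application as `app.wsgi_app = NegotiateAuth(app.wsgi_app)`; the server process needs a keytab for the HTTP service principal, typically located through `KRB5_KTNAME`.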
I'm trying to add an Ldap authentication backend to a Django project running over GAE.
The project runs ok. The only problem really is Ldap is not supported by GAE. I mean:
import ldap
will generate a server error. Nonetheless, I do know that I could make my own modules available through zipimport.
Does anybody have any experience solving similar issues? Can this sort of workaround be an effective solution considering lower level dependencies?
Thanks!
A.
App Engine doesn't let you open sockets directly. Unless the LDAP server you're planning to connect to has an internet-visible HTTP front-end, you need a Plan B. (E.g., you could periodically upload an extract from LDAP to your App.)
See http://code.google.com/appengine/docs/python/runtime.html#The_Sandbox
I am using the Python language for a Google App Engine based iPhone application. I want to install/access SSL on Python. I am unable to find a way to install/enable it in a Python file. Please guide me on how I can make my application connect to SSL, as I want to enable Apple push notification services on my application. It's urgent.
See the App Engine Python documentation on setting up secure URLs. Note that this will only work when accessed via your appspot.com domain - it's not possible to have SSL on a custom domain through App Engine, currently.
Nick Johnson has already provided a link and mentioned that this functionality is not currently available on your domain (only on apps running on Google's hotspot domain).
Obviously, most developers need their apps to run on their own domains, so this is a very highly requested feature. Fortunately, Google has recently added this feature to their GAE roadmap indicating that it will be available soon. Unfortunately, we don't know what 'soon' means.