[midPoint] REST Authentication
ANTON OPPERMAN
antono at btinternet.com
Wed Aug 12 15:09:53 CEST 2015
Thx Radovan,
Thx for the reference to the SSO HowTo; sooner or later I will try enabling SSO. Would be nice if, in future,
enabling SSO could be a configuration option.
I agree that midPoint should not be an authentication server. For reference and as a contribution, I'll describe
the feature.
#-----------
In a tightly regulated environment and as part of security best practice, clear-text credentials should not be
stored on a device or in an application. The application may also be run from an environment where trust may
be questionable. In this context, having an authentication mechanism for REST-based calls that does not rely
on passwords, such as mutual authentication with X.509 certificates, solves the issue of storing the password
and enhances the overall trust between client and server (midPoint).
I expect that proper CA-issued certificates would be used, but there may be a case for self-signed certificates
for some implementations or customers.
#-----------
Unfortunately I do not have the bandwidth to contribute code at this time.
Regards,
Anton
----Original message----
From : radovan.semancik at evolveum.com
Date : 11/08/2015 - 09:58 (BST)
To : midpoint at lists.evolveum.com
Subject : Re: [midPoint] REST Authentication
Hi Anton,
There is a way how to "plug" midPoint into a SSO system. We had
success with CAS and OpenAM:
https://wiki.evolveum.com/display/midPoint/MidPoint+and+SSO+HOWTO
I believe that similar approach might be used to support
OAuth2-based mechanisms with the help of an OAuth server or an API
gateway. I think that this is the way forward: midPoint is not an
authentication server. MidPoint's responsibility is management of
identities, not directly authorization or authentication. There
are great products that already do auth/autz and we have no plans
to duplicate their functionality. We rather have plans to
integrate with them.
Therefore we do not have any specific plans about extended
authentication mechanisms for REST or SOAP.
But that does not mean we cannot implement something simple such
as the X509-based auth (if you are thinking about SSL mutual
authentication). We can do it if there is a demand. You are the
first to mention it, therefore I have created a Jira issue:
https://jira.evolveum.com/browse/MID-2505
Please see the usual options here:
https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature
--
Radovan Semancik
Software Architect
evolveum.com
On 08/07/2015 12:38 PM, midpoint at mybtinternet.com wrote:
Hi,
Are there plans to support authentication mechanisms other than
userid & password?
I would like to see certificate authentication.
Regards,
Anton
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint