API/Python/Open-Source Solutions

Expand all | Collapse all

Can Delphix interface with an In-house Single Sign On solution ?

Jump to Best Answer
  • 1.  Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-19-2014 09:16:00 AM
    I thought that maybe I could answer that we can manage users through our Delphix API Web services so we could interface this way with an in-house SSO application.
    Could you suggest other/better answer ?
    Thanks
    Marie


  • 2.  RE: Can Delphix interface with an In-house Single Sign On solution ?
    Best Answer

    Posted 12-19-2014 09:44:00 AM
    Hi Marie,

    The link below shows how you can configure and use LDAP for user authentication

    https://support.delphix.com/hc/en-us/articles/202922426-Configuring-and-Using-LDAP-with-the-Delphix-...

    Thanks
    Ron


  • 3.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-19-2014 10:29:00 AM
    Hi Ron,
    Thanks for your answer.

     I talked already to my customer about Delphix LDAP implementation for user authentication but they don't use LDAP nor Active directory.
     This customer wants to be able to create or delete a user from a unique application  for security reasons.
    When someone leaves the bank, they delete the user from their  application and they are sure that this  user is deleted automatically from each different application he could use.

    Do you know any Delphix customer which has developped its own sso application ?

    Thanks.
    Marie


  • 4.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-19-2014 11:39:00 AM
    Hi Marie,

    Just a rough idea. What about using additional component between Delphix Engine and custom SSO server? I'm thinking about i.e. OpenLDAP server exposing a user to Delphix via std LDAP protocol and being managed by custom SSO server.

    It needs some installation, configuration related to the OpenLDAP. Additionally interface between OpenLDAP and custom SSO server is necessary but it does not seem to me as something difficult.

    What do you think about it?

    Regards,
    Piotr


  • 5.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-19-2014 01:18:00 PM
    Hi Piotr,

    it seems to me a good idea.

    But could you confirm that, in this architecture, you don't need anymore to create delphix users within Delphix ?
    Or do you think you can create them through the OpenLDAP protocol ?
    Best regards,
    M

    Marie


  • 6.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-19-2014 01:38:00 PM
    Hi,

    If custom SSO server is able to interface required information about existing user to OpenLDAP then at Delphix part it is just a configuration necessary like described in Ron's post. In this case Delphix would use existing user provided by OpenLDAP.

    I think the difficulty is to make custom SSO server talk to OpenLDAP and pass required information about existing user. I don't know if the client's SSO solution is flexible enough to make it work.

    Best Regards,
    Piotr


  • 7.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-22-2014 07:54:00 AM
    In this case, would the Delphix privileges affected to delphix users be maintained in the customed SSO application repository ?

    Best regards
    Marie


  • 8.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-22-2014 09:47:00 AM
    Hi Marie,

    My idea is that user privileges are maintained in custom SSO and by custom SSO. However there is one weak point. Custom SSO server has to maintain two parallel user info datastores in this case. Its own and additional one in OpenLDAP. This is done by interfacing to OpenLDAP some basic information regarding users related to Delphix. If OpenLDAP contains basic information about user it can expose it to Delphix via standard protocol and enable user authentication and authorization.

    The process is external from Delphix but the drawback is that we are doubling user information and make SSO server responsible for maintaining parallel user "database".

    Example 1:
    We want to allow user Tom login to Delphix console.
    1. Custom SSO operator defines user Tom in standard way.
    2. Custom SSO server has to connect to Open LDAP and create there necessary information about user Tom (additional interface functionality in custom SSO server.... Is it possible to implement?).
    3. We have to configure user Tom in Delphix in standard way. We point that it will be authenticated by LDAP (our OpenLDAP server). We don't store user's password in Delphix.
    4. User Tom is able to login to Delphix console. During login process Delphix engine connects OpenLDAP and authenticates it in standard way.

    Example 2.
    We want to disable user Tom. Make its account inactive.
    1. Custom SSO operator disables the user in standard way.
    2. Custom SSO server interfaces this information to OpenLDAP.
    3. User Tom is not able to login to Delphix because it is not active in OpenLDAP.

    The questions are:
    1. Is SSO owner willing to maintain additional store with limited user information in OpenLDAP? Security concerns may play a role here.
    2. Is it possible to create interface between custom SSO server and OpenLDAP server? Is custom SSO flexible enough to implement this?

    What SSO solution is used currently?

    Regards,
    P


  • 9.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-22-2014 02:06:00 PM
    Thanks for your comments and your help , Piotr

    Actually, I don't know in details. I only know that's an in-house (internally developped) SSO application.
    I have sent an email yesterday to my customer asking for their SSO application specifications.

    At this time, I understand we need  also to configure users in Delphix the standard way (with LDAP authentication) et define privileges within Delphix. Authentication will be done through the Open Ldap Server.
     
    Create, delete users or modify user password can be done through CLI mode or WEB services API.
    I didn't see anything to set the privileges to a delphix user else than using the GUI.
    Is there another way ?

    Thanks
    Marie


  • 10.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-22-2014 03:46:00 PM
    Hi Marie,

    It is possible to add Owner/Auditor privs using CLI. You just have to create "authorization" object.

    Example:
    LandsharkEngine>authorization
    LandsharkEngine authorization>
    LandsharkEngine authorization>create
    LandsharkEngine authorization create *>
    LandsharkEngine authorization create *>set user="user1"
    LandsharkEngine authorization create *>set role=OWNER
    LandsharkEngine authorization create *>set target="Dev Copies/R11_DEVDB"
    LandsharkEngine authorization create *>commit
    LandsharkEngine authorization>

    I haven't tested adding authorization using Web Services API. I'll do it later and let you know but I think there is no problem with it.

    Regards,
    Piotr


  • 11.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-22-2014 04:02:00 PM
    I didn't see it.
    Thanks, Piotr.

    I will keep you informed when I receive more information from my customer about their in-house SSO application.

    Best regards
    Marie