Can Delphix interface with an In-house Single Sign On solution ?

  • 1.  Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-19-2014 09:16:00 AM
    I thought that maybe I could answer that we can manage users through our Delphix API Web services so we could interface this way with an in-house SSO application.
    Could you suggest other/better answer ?
    Thanks
    Marie


  • 2.  RE: Can Delphix interface with an In-house Single Sign On solution ?
    Best Answer

    Posted 12-19-2014 09:44:00 AM
    Hi Marie,

    The link below shows how you can configure and use LDAP for user authentication

    https://support.delphix.com/hc/en-us/articles/202922426-Configuring-and-Using-LDAP-with-the-Delphix-...

    Thanks
    Ron


  • 3.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-19-2014 10:29:00 AM
    Hi Ron,
    Thanks for your answer.

    I already talked to my customer about the Delphix LDAP implementation for user authentication, but they don't use LDAP or Active Directory.
    This customer wants to be able to create or delete a user from a single application for security reasons.
    When someone leaves the bank, they delete the user from their application and they are sure that this user is deleted automatically from each different application he could use.

    Do you know any Delphix customer which has developed its own SSO application?

    Thanks.
    Marie


  • 4.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-19-2014 11:39:00 AM
    Hi Marie,

    Just a rough idea. What about using additional component between Delphix Engine and custom SSO server? I'm thinking about i.e. OpenLDAP server exposing a user to Delphix via std LDAP protocol and being managed by custom SSO server.

    It needs some installation, configuration related to the OpenLDAP. Additionally interface between OpenLDAP and custom SSO server is necessary but it does not seem to me as something difficult.

    What do you think about it?

    Regards,
    Piotr


  • 5.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-19-2014 01:18:00 PM
    Hi Piotr,

    it seems to me a good idea.

    But could you confirm that, in this architecture, you don't need anymore to create delphix users within Delphix ?
    Or do you think you can create them through the OpenLDAP protocol ?
    Best regards,
    M

    Marie


  • 6.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-19-2014 01:38:00 PM
    Hi,

    If custom SSO server is able to interface required information about existing user to OpenLDAP then at Delphix part it is just a configuration necessary like described in Ron's post. In this case Delphix would use existing user provided by OpenLDAP.

    I think the difficulty is to make custom SSO server talk to OpenLDAP and pass required information about existing user. I don't know if the client's SSO solution is flexible enough to make it work.

    Best Regards,
    Piotr


  • 7.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-22-2014 07:54:00 AM
    In this case, would the Delphix privileges assigned to Delphix users be maintained in the custom SSO application repository?

    Best regards
    Marie


  • 8.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-22-2014 09:47:00 AM
    Hi Marie,

    My idea is that user privileges are maintained in custom SSO and by custom SSO. However there is one weak point. Custom SSO server has to maintain two parallel user info datastores in this case. Its own and additional one in OpenLDAP. This is done by interfacing to OpenLDAP some basic information regarding users related to Delphix. If OpenLDAP contains basic information about user it can expose it to Delphix via standard protocol and enable user authentication and authorization.

    The process is external from Delphix but the drawback is that we are doubling user information and make SSO server responsible for maintaining parallel user "database".

    Example 1:
    We want to allow user Tom login to Delphix console.
    1. Custom SSO operator defines user Tom in standard way.
    2. Custom SSO server has to connect to OpenLDAP and create there necessary information about user Tom (additional interface functionality in custom SSO server.... Is it possible to implement?).
    3. We have to configure user Tom in Delphix in standard way. We point that it will be authenticated by LDAP (our OpenLDAP server). We don't store user's password in Delphix.
    4. User Tom is able to login to Delphix console. During login process Delphix engine connects OpenLDAP and authenticates it in standard way.

    Example 2.
    We want to disable user Tom. Make its account inactive.
    1. Custom SSO operator disables the user in standard way.
    2. Custom SSO server interfaces this information to OpenLDAP.
    3. User Tom is not able to login to Delphix because it is not active in OpenLDAP.

    The questions are:
    1. Is SSO owner willing to maintain additional store with limited user information in OpenLDAP? Security concerns may play a role here.
    2. Is it possible to create interface between custom SSO server and OpenLDAP server? Is custom SSO flexible enough to implement this?

    What SSO solution is used currently?

    Regards,
    P
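
The two examples in the post above can be generalized into one reconciliation pass between the SSO's user list and the OpenLDAP subtree that Delphix authenticates against. This is an added example, not part of the original post and not Delphix code: the base DN, the user records and the function names are constructed for illustration, a deactivated user is handled by deleting the entry, and credential handling (userPassword) is left to the SSO and not shown.

```python
import re

BASE_DN = "ou=delphix,dc=example,dc=com"   # assumed subtree Delphix is pointed at
_SAFE_UID = re.compile(r"^[A-Za-z0-9._-]+$")

def user_dn(uid):
    # Refuse anything that could alter the DN or the LDIF structure.
    if not _SAFE_UID.match(uid):
        raise ValueError(f"unsafe uid: {uid!r}")
    return f"uid={uid},{BASE_DN}"

def _clean(value):
    # LDIF is line based: a newline in a value would start a new attribute.
    if not value or not value.isprintable() or value[0] in " :<":
        raise ValueError(f"unsafe attribute value: {value!r}")
    return value

def add_record(user):
    """LDIF change record creating an inetOrgPerson entry (Example 1, step 2)."""
    name = _clean(user["name"])
    return "\n".join([
        f"dn: {user_dn(user['uid'])}",
        "changetype: add",
        "objectClass: inetOrgPerson",
        f"uid: {user['uid']}",
        f"cn: {name}",
        f"sn: {name.split()[-1]}",
        f"mail: {_clean(user['mail'])}",
    ])

def delete_record(uid):
    """LDIF change record removing the entry (Example 2, step 2)."""
    return f"dn: {user_dn(uid)}\nchangetype: delete"

def reconcile(sso_users, ldap_uids):
    """Return (to_add, to_remove, ldif) so OpenLDAP mirrors active SSO users."""
    active = {u["uid"]: u for u in sso_users if u["active"]}
    present = set(ldap_uids)
    to_add = sorted(active.keys() - present)
    to_remove = sorted(present - active.keys())   # leavers and orphaned entries
    records = [add_record(active[u]) for u in to_add]
    records += [delete_record(u) for u in to_remove]
    return to_add, to_remove, "\n\n".join(records)

# Constructed sample data: SSO export and uids currently found in OpenLDAP.
SSO_USERS = [
    {"uid": "tom", "name": "Tom Smith", "mail": "tom@example.com", "active": True},
    {"uid": "ann", "name": "Ann Jones", "mail": "ann@example.com", "active": True},
    {"uid": "bob", "name": "Bob Brown", "mail": "bob@example.com", "active": False},
]
LDAP_UIDS = ["tom", "bob", "eve"]
```

The LDIF text returned by `reconcile` is in the change-record form that `ldapmodify` reads; entries that exist in OpenLDAP but not in the SSO (here `eve`) are reported for removal alongside deactivated users.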


  • 9.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-22-2014 02:06:00 PM
    Thanks for your comments and your help, Piotr.

    Actually, I don't know the details. I only know that it's an in-house (internally developed) SSO application.
    I sent an email yesterday to my customer asking for their SSO application specifications.

    At this time, I understand we also need to configure users in Delphix the standard way (with LDAP authentication) and define privileges within Delphix. Authentication will be done through the OpenLDAP server.

    Creating or deleting users, or modifying a user password, can be done through CLI mode or the web services API.
    I didn't see anything to set the privileges of a Delphix user other than using the GUI.
    Is there another way ?

    Thanks
    Marie


  • 10.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-22-2014 03:46:00 PM
    Hi Marie,

    It is possible to add Owner/Auditor privs using CLI. You just have to create "authorization" object.

    Example:
    LandsharkEngine>authorization
    LandsharkEngine authorization>
    LandsharkEngine authorization>create
    LandsharkEngine authorization create *>
    LandsharkEngine authorization create *>set user="user1"
    LandsharkEngine authorization create *>set role=OWNER
    LandsharkEngine authorization create *>set target="Dev Copies/R11_DEVDB"
    LandsharkEngine authorization create *>commit
    LandsharkEngine authorization>

    I haven't tested adding authorization using Web Services API. I'll do it later and let you know but I think there is no problem with it.

    Regards,
    Piotr


  • 11.  RE: Can Delphix interface with an In-house Single Sign On solution ?

    Posted 12-22-2014 04:02:00 PM
    I didn't see it.
    Thanks, Piotr.

    I will keep you informed when I receive more information from my customer about their in-house SSO application.

    Best regards
    Marie