To add to the list of considerations here: U2F and UAF [1]

[1] https://fidoalliance.org/specifications/overview/

On Mon, Oct 5, 2015 at 11:39 PM Sumanth Chinthagunta <[email protected]> wrote:

> JSON Web Tokens (JWT) can be an option.
> It will provide claims required for authorization without needing
> verification with issuer.
> Auth0.com has more info on this method.
> JWT can be used to propagate identity along the flow so that it can be used
> later by processors
>
> On Mon, Oct 5, 2015, 7:41 PM Rick Braddy <[email protected]> wrote:
>
>> SSO is another important consideration.
>>
>> Spring Security looks like a winner. Very impressive list of support.
>>
>>> On Oct 5, 2015, at 9:34 PM, larry mccay <[email protected]> wrote:
>>>
>>> The wiki page seems to describe continuing to use Spring Security.
>>> I believe this to be a wise choice.
>>>
>>> I would encourage you to try and expose the capabilities of that framework
>>> as much as possible rather than providing support for a constrained set of
>>> providers.
>>>
>>> SSO integrations are becoming important for a number of ecosystem projects
>>> and UIs for instance.
>>> The ability to add a custom authentication provider will be important for
>>> such use cases.
>>>
>>>> On Mon, Oct 5, 2015 at 10:10 PM, Tony Kurc <[email protected]> wrote:
>>>>
>>>> I'd like to see Duo Web two-factor
>>>> https://www.duosecurity.com/docs/duoweb
>>>>
>>>>> On Mon, Oct 5, 2015 at 10:00 PM, Rick Braddy <[email protected]> wrote:
>>>>>
>>>>> 1) Basic password authentication with Recaptcha after N failed logins
>>>>> (encrypted password storage)
>>>>>
>>>>> 2) 2-factor Google Auth option to supplement password logins
>>>>>
>>>>> 3) Active Directory / Kerberos auth (with 2-factor option as well)
>>>>>
>>>>>> On Oct 5, 2015, at 8:56 PM, Joe Witt <[email protected]> wrote:
>>>>>>
>>>>>> Thanks Rick. If you were to say which of that you'd want 'first' and
>>>>>> then which you can see coming later please advise.
>>>>>>
>>>>>> All: Please do just that - let us know which you need 'now' and which
>>>>>> you can wait on.
>>>>>>
>>>>>> Thanks
>>>>>> Joe
>>>>>>
>>>>>>> On Mon, Oct 5, 2015 at 9:53 PM, Rick Braddy <[email protected]> wrote:
>>>>>>>
>>>>>>> Matt,
>>>>>>>
>>>>>>> Here you go:
>>>>>>>
>>>>>>> - 2-factor Google Authenticator to supplement password auth (e.g. to
>>>>>>>   strengthen password with mobile phone onetime ID or other support strong
>>>>>>>   auth options)
>>>>>>>
>>>>>>> - Recaptcha required after N failed password login attempts to block
>>>>>>>   brute force attacks (e.g. 5 failed logins, then captcha required)
>>>>>>>
>>>>>>> - Password strength policies
>>>>>>>
>>>>>>> - PAM support provides pluggable authentication options, at least for
>>>>>>>   Linux (better than locally stored passwords)
>>>>>>>
>>>>>>> - Active Directory Kerberos integration (Windows native and Linux)
>>>>>>>
>>>>>>> If passwords are to be stored locally, they must be encrypted.
>>>>>>>
>>>>>>> Hope that helps.
>>>>>>>
>>>>>>> Rick
>>>>>>>
>>>>>>>> On Oct 5, 2015, at 8:34 PM, Matt Gilman <[email protected]> wrote:
>>>>>>>>
>>>>>>>> All,
>>>>>>>>
>>>>>>>> I've started working on providing additional authentication mechanisms for
>>>>>>>> the NiFi user interface. Currently, only two-way SSL using client
>>>>>>>> certificates is supported to authenticate users. I would like to inquire
>>>>>>>> about which other mechanisms the community would like to see implemented.
>>>>>>>>
>>>>>>>> We have created a feature proposal discussing some of the options [1]. At a
>>>>>>>> high level, in addition to PKI, we are looking at
>>>>>>>>
>>>>>>>> - Username/password
>>>>>>>> -- stored in a local configuration file (i.e. authorized-users.xml)
>>>>>>>> -- stored in a configurable LDAP
>>>>>>>> -- stored in a configurable database
>>>>>>>> - Kerberos
>>>>>>>> - OpenID Connect
>>>>>>>>
>>>>>>>> What other options are important and should be added to the list? Thanks!
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>> [1] https://cwiki.apache.org/confluence/display/NIFI/Pluggable+Authentication
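As an added example (not code from NiFi, Spring Security or any participant in the thread), the two items that recur above, a Google Authenticator second factor on top of a password and a JWT that carries claims to downstream processors without a round trip to the issuer, in one stand-alone Python login flow using only the standard library. It assumes the RFC 6238 TOTP algorithm (what Google Authenticator implements), HS256 signing with a secret shared between the login endpoint and the processors, and a salted PBKDF2 hash standing in for the "encrypted" local password store Rick asks for; the user table, signing key, seed, salt, password and function names (`authenticate`, `issue_jwt`, `verify_jwt`) are all constructed for the illustration.

```python
"""Password + TOTP login that issues an HS256 JWT.

Added illustration, not NiFi or Spring Security code. USERS, SIGNING_KEY,
the salt and password are constructed sample data; the TOTP seed is the
RFC 6238 test-vector seed, so the codes are the published test values.
"""
import base64
import hashlib
import hmac
import json
import struct
import time
from typing import Optional

TOTP_STEP = 30  # seconds per TOTP counter step (RFC 6238 default)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for the "encrypted" local password store.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed users table with one enrolled account (hypothetical data).
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": hash_password("correct horse", b"constructed-salt"),
        "totp_seed": b"12345678901234567890",  # RFC 6238 test-vector seed
        "roles": ["flow-admin"],
    }
}
SIGNING_KEY = b"constructed-demo-key-do-not-use"  # shared with the processors


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): the code the phone app shows."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock skew."""
    return any(
        hmac.compare_digest(totp(seed, unix_time + d * TOTP_STEP).encode(), code.encode())
        for d in range(-window, window + 1)
    )


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: int) -> Optional[dict]:
    """Return the claims if signature and expiry hold, else None. Needs only the key."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the token must never get to choose it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed split, base64 or JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


def authenticate(username: str, password: str, otp_code: str, now: int) -> Optional[str]:
    """Check the password, then the TOTP second factor; on success mint a one-hour JWT."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    if not verify_totp(user["totp_seed"], otp_code, now):
        return None
    claims = {"sub": username, "roles": user["roles"], "iat": now, "exp": now + 3600}
    return issue_jwt(claims, SIGNING_KEY)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USERS["alice"]["totp_seed"], now)  # what the user's phone would display
    token = authenticate("alice", "correct horse", code, now)
    print("token:", token)
    print("claims seen by a processor:", verify_jwt(token, SIGNING_KEY, now))
```

A processor downstream calls `verify_jwt` with nothing but `SIGNING_KEY`, which is the property Sumanth describes: the claims travel with the token and no call back to the issuer is needed. The verifier pins `alg` to HS256 rather than trusting the header, compares signatures in constant time and rejects a missing or past `exp`; the TOTP check accepts one step either side of the server clock, which is the usual skew tolerance for phone-generated codes.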
