Comparison: Microsoft Azure B2C vs Okta Identity Cloud

Just something one of my colleagues had written up and thought was interesting to share. I don’t take credit for it nor full responsibility for its accuracy. Feel free to rebut.

| Features | Microsoft Azure B2C | Okta Identity Cloud |
|---|---|---|
| Ability to protect other applications' APIs using the OpenID Connect and OAuth protocol/framework | Yes | Yes |
| API based enrolment | Yes, but can't register a phone number that will be used as an MFA factor. The reason is an OpenID Connect restriction over the impersonation principle. This feature might come in 2019. | Yes. But Okta user management is not yet OAuth/OpenID Connect compliant |
| Federated SSO based on SAML and OpenID Connect | Yes | Yes |
| Force Password Change | No (not out of the box but can be done through customisation) | Yes |
| Identity Lifecycle Approvals (both for self-enrolment and API triggered enrolment) | No | Yes (very suitable for Okta to act as an external identity onboarding tool) |
| MFA Factors | OTP over SMS and Voice Call (officially). Microsoft App (separate commercials, professional service engagement and not out of the box at the moment. Official support is expected in 2019) | OTP over SMS & Voice Call, Okta Verify Mobile App TOTP and Push Notification, Security Questions, FIDO U2F, RSA SecurID, FIDO2 Microsoft Hello (very good range of MFA options - a major strength) |
| Non federated SSO | No (it's designed not to be) | Yes (a major strength) |
| Notification template customisations (SMS and Email) | Only Email | Both Email and SMS |
| Password Recovery | Yes (only SMS/Voice Call/Email OTP as identity proofing methods) | Yes (all MFA factors can be identity proofing methods) |
| Programming support for customisation | C# (JavaScript support is expected in 2019) | C#, Java, JavaScript (a major strength) |
| Risk Scoring and Step-up MFA (Adaptive/Contextual) | No | No. Okta Threat Insight product is in beta phase now. They would be integrating with Okta Identity Platform in 2019. Currently Okta Identity Cloud supports a tightly coupled MFA policy when it comes to IP/network zones, blacklisted countries, region/location, devices etc. |
| Self-activation of credentials such as setting a password after enrolment through an API | No (a major drawback) | Yes |
| Syncing from on-premise AD | Yes | Yes |
| User Interface Customisation and support of CORS (cross origin resource sharing) | Yes (but requires Custom Sign On policies for flexibility) and a separate Azure Blob storage subscription. | Yes. Very flexible to host custom pages in the Okta Identity Cloud tenant and also pages hosted on remote servers. |
| User management API compliant with OpenID Connect and OAuth | Yes (major strength on security here) | No (proprietary protocol at the moment. Quite surprising) |
| User to Application access mapping | No | Yes (pretty good on security here) |
| Web based self-enrolment and activation | Yes | Yes |

MIMWAL Boolean Comparison: Did I do it wrong?

So I had to do some complex workflows for a client. And you know MIMWAL is best for that.

Now I was going to use the Eq() built-in function to do a comparison to see if the attribute coming back is true. The attribute I was comparing was a boolean. So in the workflow I used an Update Resource activity and had an activity execution condition that if the attribute is true then run the update.

Naturally I tried this to begin with

Umm, didn’t work. Should have matched and executed the WF. Tried various other ways

On doing some debugging I saw that WAL was doing a string comparison to an Int64 type and coming back as a False match even on a (‘True’,’True’) condition.

Then tried something different

Voila!! That worked. Well, I don’t know if I did something wrong or if this is the only way to do a boolean comparison in the Eq() function, but hey, it worked for me..

Mental note!!!

Edit: So as per comment below did some more testing and the following execution condition code worked 🙂 even with false value it looked for true. 

See.. I told you I did something wrong 🙂 

Running Multiple Postfix Instances On Same Box To Manage Google Mail Relay & AWS SES

So

I had a requirement where we wanted to have separate postfix instances which individually handles SMTP Relay traffic to redirect to Google Mail Relay & AWS SES. But we didn’t want to get an additional server to deploy postfix separately and add more servers to the farm.

There is more than one way to do it.. and for particular reasons we wanted to have separate dedicated instances to manage separate configurations easily.

So, basically if you have the postfix package installed on Linux, you will have the folder /etc/postfix/ (depending on Linux flavour – I am using RHEL7). It will be using the default ports 25 and 465.

Main files to modify are master.cf and main.cf – I am assuming you know how to configure these files.

Configure that instance as your Google Relay.

Now to setup another instance on the same box, run the following commands


This will create a /etc/postfix-ses/ folder which is the new separate instance

If you wish to relay through AWS SES then you need the “cyrus-sasl-plain” package as well on your Linux system (yum / apt), since SES requires SASL PLAIN authentication.

Edit /etc/postfix-ses/master.cf and do the following

The above will run this new instance on port 10025 (instead of default port 25 which /etc/postfix/ is using) and SMTPS on 10465 (instead of default 465 which /etc/postfix/ is using)

Edit /etc/postfix-ses/main.cf and comment out the following

Configure the rest of the instance as per the AWS guide.

Reload / restart the Postfix service – the same command will control both instances together.

Now you will have two instances of postfix running on the same box using different ports and thus clients can be told to use them accordingly.

All the logs are in the single file: /var/log/maillog

Logs are tagged with <date> <time> <hostname> <instancename> format so you can grep for different instances.
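Because both instances share one box, the one thing that silently breaks this setup is two master.cf files binding the same port (the second instance then fails to start and only the log tag tells you which one). The following check is an added example, not from the original post: it reads the inet listeners from two master.cf files and reports any port that both would bind. The instance paths follow the post; the master.cf contents are constructed samples written to a temp directory.

```shell
#!/bin/sh
# Added example (not code from the original post): check that two Postfix
# instances on the same box do not bind the same listener port. The instance
# paths follow the post (/etc/postfix and /etc/postfix-ses); the master.cf
# contents below are constructed samples written to a temp directory.

# Print the TCP port of every "inet" service in a master.cf, one per line.
# Column layout: service type private unpriv chroot wakeup maxproc command.
# Indented "-o" override lines, comments and blank lines are skipped.
inet_ports() {
    grep -Ev '^[[:space:]]|^#|^$' "$1" |
    awk '$2 == "inet" {
        p = $1; sub(/^.*:/, "", p)          # drop a "127.0.0.1:" style prefix
        if (p == "smtp") p = 25             # names normally resolved via /etc/services
        else if (p == "smtps") p = 465
        else if (p == "submission") p = 587
        print p
    }' | sort -u
}

# Exit 0 when the two files share no listener port, 1 (with a message) otherwise.
port_collisions() {
    a=$(mktemp); b=$(mktemp)
    inet_ports "$1" > "$a"; inet_ports "$2" > "$b"
    dup=$(comm -12 "$a" "$b")
    rm -f "$a" "$b"
    [ -z "$dup" ] && return 0
    printf 'port collision between %s and %s: %s\n' "$1" "$2" "$dup"
    return 1
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
mkdir -p "$work/postfix" "$work/postfix-ses"
cat > "$work/postfix/master.cf" <<'EOF'
# constructed sample: default instance (Google relay) on 25 and 465
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
EOF
cat > "$work/postfix-ses/master.cf" <<'EOF'
# constructed sample: SES relay instance moved to 10025 and 10465
10025     inet  n       -       n       -       -       smtpd
10465     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
EOF

port_collisions "$work/postfix/master.cf" "$work/postfix-ses/master.cf" \
    && echo "no listener port collisions"
```

Run it against the real /etc/postfix/master.cf and /etc/postfix-ses/master.cf before the restart, and it will name the clashing port if the second instance was left on 25 or 465.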

Done!!!

Note: This site has documented some commands on how to run various commands with multi-instances in Postfix

Batch Process an Array via Powershell for FIMService write back (Or any PS scenario)

So,

A long time ago I wrote a post showing how you can do Composite write-back to FIMService via Powershell. That used “Search-ResourcePaged” command from the Lithnet Module. But it’s not helpful in the scenario where you already have a list of users (say an exported CSV or a text file) you want to perform some action on. In that scenario, XPath is not needed (and might not help if there is no pattern to search) as you already have your objects to work on.

So say, for example, I have a list of 10000 objectID from FIM and want to delete them.

Simple way will be

Pretty simple, but it runs at about one object per second, so it will take 10000 seconds to get through them.

Yeah I am not going to wait that long…

Did some RnD (and Google) and found some different ways of going about it..

One way was using the ForEach -Parallel flag. I tried it but it actually had the reverse effect for me… I did it wrong obviously.. It worked but took longer for some reason (even with -ThrottleLimit set)… Moved on… Went above my head for the limited time I had to do the job.

Then found a pretty simple way to do it online and made some modification to suit my scenario


Voila!!! It’s done in seconds. It will send a batch of 1000 objects at a time to FIMService as a composite request and process them quickly. I did about 10000 in 10-15 seconds or so. You can also import a csv/txt file and create an array from it as well.

I am not a PowerShell expert and it may not be the perfect or most elegant way of doing it, but it gets the job done quickly.

You can use the logic for virtually anything and not just to write back to FIMService. But yeah helped me to do large modifications / deletes pretty quickly.

Till the next time…