I have github enterprise configured. I use keycloak for authentication.
Sign up/ login flow is like this,
Users click sign in with SAML from github enterprise.
Then they are redirected to keycloak login page.
Where they can choose github.com for signup.
After successful authentication from github.com users are redirected to github
enterprise.
Now a new user has been created in keycloak with username as of github.com username and email as of github.com email.
But in github enterprise, user's username is created by parsing the first part before the # of email id and user's email id is not getting updated in github enterprise user account even though github enterprise is receiving email id from keycloak.
Users get the following notification, saying them to add one email address.
If an user don't add their email, they don't get email for events like organization invitation, password reset.
This not what i want. I also not what the users to manually add email id to their account.
I want get github enterprise user's username and email to be the same as of keycloak.
How can i achieve this ?
We have extracted saml response from keycloak to ghe by inspecting the /consume request in browser network. When SAML response is decoded (using samltool.io), we identified that keycloak is not sending email attribute to ghe.
Github used the following attributes for updating profile information. So keycloak needs to send attribute in variable specified in this field.
We have found that there is some builtin "Mappers" available in client which can be used for sending some specified predetermined attributes to client applications.
Select your client -> Mappers -> Add builtin. Select the required mappers and click Add.
Open x500 Email and set "SAML Attribute Name" to the variable same as the variable name set on github. Provide some Property and Friendly Name.
Now you will get email address in user's account.
Related
An APEX email error is received when trying to utilize the "Send With DocuSign" URL button on the contract object in Salesforce. This button was just created to meet the requirements to move from a JavaScript button. The button does not trigger an error in Sandbox, works as expected. But I can not replicate in production without getting the error shown below. Any idea on how to get this resolved?
Developer script exception from Franklin Madison Group : DocuSignAPICredentials : Please verify that you have been granted access to DocuSign, your account settings are correct and that you have responded to all activation emails.
Apex script unhandled exception by user/organization: 0053n000007GFbq/00D70000000Je65
Visualforce Page: /apex/dsfs__docusign_editenvelope
caused by: dsfs.UnauthorizedException: Please verify that you have been granted access to DocuSign, your account settings are correct and that you have responded to all activation emails.
Class.dsfs.DocuSignAPICredentials.getInstance: line 71, column 1
Class.dsfs.DocuSignAPICredentials.getInstance: line 56, column 1
Class.dsfs.AccountFeatures.getInstance: line 139, column 1
Class.dsfs.EnvelopeController.loadEnvelope: line 164, column 1
Cause
Common causes for the issue are listed below,
The DocuSign user associated with the Salesforce user sending the envelope is not active
The Salesforce user has not been added to the DocuSign users list in DocuSign Setup settings (in Salesforce)
You are attempting to use Salesforce Login Access on behalf of a user "not yet Authorized DocuSign eSignature for Salesforce (DAL)"
Note: If the user hasn't authorized already, please refer to Step 4 in this article
Solution
Before continuing, ensure that you are on the most recent version of DocuSign eSignature for Salesforce (DAL). If you are on an outdated version, some of these steps will be unavailable.
To resolve this error, you’ll need to verify both issues that cause this error has been addressed.
First, you’ll need to verify that this Salesforce user has been added to DocuSign.
To verify if a Salesforce user has been added properly:
Navigate to DocuSign Setup.
Select User Management, then select Add User.
Enter the name of the user in the Value box. When they appear in the search results, select the checkbox next to their name and select Continue.
Assign the appropriate permissions to the user and select Apply. If your package is up to date and a DocuSign user already exists for this user, the Salesforce user will be mapped to their existing DocuSign user.
Click Done to finish.
Second, verify that the DocuSign user associated with this Salesforce account is active.
To check if a user is active in DocuSign:
Navigate to the DocuSign web app and select Settings.
Navigate to Users and search for the user in question.
If the user is not active, select Actions > Resend Invitation to send the invite to the user again.
To activate a user:
The User will need to navigate to their email client and open the invitation email.
Click the link in the email to activate.
Create a password and security question.
Once the user is active, have the user attempt to send an envelope from Salesforce to confirm the issue is resolved.
Additional Troubleshooting
If the DAL Admin and all users are noticing the same error, try to disconnect and reconnect.
Steps to Disconnect [Note: Disconnecting accounts will remove the DocuSign Gen and DocuSign Negotiate permissions for the Salesforce users that were given access under the old connection. You have to re-add DocuSign users and permissions in your organization.]
Steps to Reconnect
If the Salesforce Administrator attempting to make this change is unable to access the DocuSign Setup object, ensure that they have the correct permission set assignment to access the object.
To view permission set assignments in Salesforce:
Navigate to Setup, select Users.
Navigate to the user in question and open their profile.
Navigate to Permission Set Assignments, if the DocuSign permissions are missing, edit the section and add DocuSign Administrator.
Note: If you are running both DocuSign Apps Launcher and legacy DocuSign eSignature for Salesforce, you will see duplicate permission sets with similar names. Add both to ensure correct permissions are applied to the user.
Retest to see if the user can access DocuSign Setup. If it’s still failing, follow the steps in this article to navigate to the DocuSign Troubleshooting page and select Delete DocuSign Credentials. You should then be able to navigate to DocuSign Setup and reestablish the connection between DocuSign and Salesforce.
We have a web app (SPA Angular app talking to a .Net Core Web API) which uses Auth0 as the authentication server.
Now, I'm not sure if this would be an "invite flow" or "invite-only flow", or something else, but basically, a user will go to our web app, and create an account on our system. Our API then creates an Auth0 account for this user using the Auth0 Management API. This user is then considered the Administrator. She can then create as many users as she wants for her staff. For each user she creates, our API creates an Auth0 user using the Management API.
Since, as far as I'm aware, a user must be assigned a password at the moment of creation (i.e. you cannot create a user without a password), the administrator must pick a password for each user she creates.
Additionally, each time a user is created, Auth0 automatically sends out an email to that user asking them to verify their email address. When the user follows this link, it takes them to the Auth0 login screen where they have to fill in their email address and password.
My problem is that, unless the administrator tells them what password she picked for them, there's no way of them knowing.
My question is: is there a way to defer picking a password until the user logs in for the first time? So, when the administrator creates the user, she doesn't pick a password. Then, upon the user's first login, they pick their own password.
Alternatively, if a password MUST be set at the moment of creating the user, could this password be displayed to the user in the email verification email? I would essentially treat this as a temporary password, as I would also require the user to change their password upon first logon in this case.,
Thanks
I use Google API PHP Client in my website.
Once User login with Google after click Google Login button on my site.
I collect data from Google Response that's contain Google Profile ID data.
CHECK, Register and Login logic
If Profile ID not exist in my user table: I will store this visitor Google ID + another data from Google Response to mysql user table.
If profile ID is exist: I set visitor with session, and this user will login directly without need to entered password.
Is it secure to do this logic system for login and register? Is possible to hacker by pass Google ID with this Google PHP API client that's already build with unique token, client id and client secret.
I use PDO driver with prepared query.
Since Google Php client process is working in backend with multiple layer security by google (token, client id, client secret) + my server security (ex: CSRF protection); I personally consider Google PHP client is secure. Otherwise Google Account is hacked by someone who's can login client Account. But point of question is "is it Google Login secure? (PHP CLIENT)", the answered is 'Yes, is trusted and secure'. Because if someone can hack email account, hacker also can reset most of social and media accounts registered with that email even without Login Google button, because most of site with public user use email as verifiaction.
I am attempting to add google as an identity provider to wso2. I have
it configured to the point where wso2 send me to google for
authentication and google returns an email address. wso2 is then trying
to use the email address as the username. It is using the following
ldap filter query:
(&(objectClass=account)(uid=myemail#domain.edu))
When it should be using something like:
(&(objectClass=account)(mail=myemail#domain.edu))
How do I affect this change in wso2?
The solution was to edit repository/conf/user-mgmt.xml and fine the line:
(&(objectClass=account)(uid=?))
and modify it to:
(&(objectClass=account)(|(uid=?)(mail=?)))
This allows it to find the ldap entry if it is passed a username or an email address.
I'm following this tutorial and it works like a charm. But many things are harcoded so I need to change them. I have to check in DB if the username and password are correct and so on... But I don't understand how API keys (or service keys) works.
On the tutorial code, the service key is passing through HTTP header, and then the login method checks if it is matching with username and password provided. But if each user has a unique service key, how users can pass it through HTTP header? Users put their usernames and password into form fields and then press the login button
The tutorial says that the service key is provided to the user by email or other methods. But how the user enters it in the HTTP header of the login form? Where this service key is coming from?
The service key is to give access to the API, not individual users. So take twitter for example: twitter users log in with username and password and don't need a service key. But if you wanted to build your own twitter platform where users can log in to your page and see their tweets in your app (like tweetdeck), you'd need to get a service key to use the twitter API, and you'd send this key along with your http requests from your server to twitter every-time a user logs into your page. Service keys are a way of identifying clients (ie applications) using the API, not specific users using the application.