How to implement saml in jax-rs using Spring saml - jax-rs

I am trying to implement Spring SAML in JAX-RS. Is it possible to use Spring SAML in a non-Spring application (JAX-RS)? I am doing this using the AbstractSecurityWebApplicationInitializer class by passing SecurityConfiguration.class to it. I am getting this message in my console, and I am not able to redirect to the Identity Provider.
[http-nio-8080-exec-2] DEBUG org.springframework.security.saml.context.SAMLContextProviderImpl - No IDP specified, using default http://www.okta.com/exka6ervpp4VHG9Gq5d6
19:14:48.273 [http-nio-8080-exec-2] DEBUG org.opensaml.saml2.metadata.provider.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://www.okta.com/exka6ervpp4VHG9Gq5d6
19:14:48.273 [http-nio-8080-exec-2] DEBUG org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://www.okta.com/exka6ervpp4VHG9Gq5d6
19:14:48.273 [http-nio-8080-exec-2] DEBUG org.opensaml.saml2.metadata.provider.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://www.okta.com/exka6ervpp4VHG9Gq5d6
19:14:48.273 [http-nio-8080-exec-2] DEBUG org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://www.okta.com/exka6ervpp4VHG9Gq5d6
19:14:48.273 [http-nio-8080-exec-2] DEBUG org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://www.okta.com/exka6ervpp4VHG9Gq5d6
19:14:48.274 [http-nio-8080-exec-2] DEBUG org.springframework.security.saml.SAMLEntryPoint - Using discovery URL from extended metadata
19:14:48.274 [

Related

Quarkus Elytron LDAP security not finding UID

I have added the Quarkus quarkus-elytron-security-ldap dependency to my project to enable basic auth on my REST services. I have configured it in my properties file as below. I know that it is connecting successfully to the LDAP repository, but it never finds the UID when doing a search:
quarkus.security.ldap.dir-context.principal=uid=serviceLdapAccount,ou=Systems,ou=Users,DC=COMPANY
quarkus.security.ldap.dir-context.url=ldap://some.server.com
quarkus.security.ldap.dir-context.password=*****
quarkus.security.ldap.identity-mapping.rdn-identifier=uid
quarkus.security.ldap.identity-mapping.search-base-dn=DC=COMPANY
I have confirmed that the user definitely exists in the repository and is included in the search base. But I always get this response:
[io.qua.ver.htt.run.sec.BasicAuthenticationMechanism] Found basic auth header requestAccountName:***** (decoded using charset UTF-8)
[org.wil.security] Obtaining lock for identity [requestAccountName]...
[org.wil.security] Obtained lock for identity [requestAccountName].
[org.wil.security] Trying to create identity for principal [requestAccountName].
[org.wil.security] Executing search [(uid={0})] in context [DC=COMPANY] with arguments [requestAccountName]. Returning attributes are []. Binary attributes are [].
[org.wil.security] Identity for principal [requestAccountName] not found.
Why can't it find the identity?
The search-base-dn needed to be more specific:
quarkus.security.ldap.identity-mapping.search-base-dn=ou=Systems,ou=Users,DC=COMPANY
What I had before should work though, imo.

is apiKey security defined in Open API 3.0 not enforced when running in AnypointStudio?

I have an endpoint defined in OpenAPI spec :
paths:
  /employee:
    get:
      parameters:
        - name: sourceSystem
          in: header
          description: ID of organisation
          required: true
          schema:
            type: string
      security:
        - apiMyHeaderKey: []
components:
  securitySchemes:
    apiMyHeaderKey:
      type: apiKey
      description: 'API Key to authorise requests.'
      name: MyKey
      in: header
So I have two headers: 'sourceSystem', which is mandatory, and also 'MyKey', which is of type 'apiKey'.
The above spec is being developed as an OpenAPI 3.0 spec in a YAML file, and then I am importing it into Anypoint Studio (Mule 4.4 runtime).
When I am running the API locally, 'sourceSystem' is being mandated by Mule BUT 'MyKey' is NOT.
So I am wondering why?
In the real world, this API will be deployed behind a gateway, so all incoming requests will first hit the gateway and then the request will hit our API.
So I think the API key check will happen in the gateway, and only if all is good will the request get forwarded by the gateway to the API.
This is an educated guess; I am not sure if this is why Mule is not enforcing the apiKey though it is defined in the specification.
Why is Mule ONLY enforcing 'sourceSystem' and not 'MyKey' authorization?
Thanks
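As an added example (not the asker's project and not Mule's own validation logic), the Python check below treats the `required: true` header parameter and the `security` requirement as two separate enforcement steps and validates a request against both, using a spec dict constructed from the YAML in the question and an assumed placeholder key store.

```python
import hmac

# Spec dict constructed from the OpenAPI fragment in the question (not the asker's file).
SPEC = {
    "paths": {"/employee": {"get": {
        "parameters": [{"name": "sourceSystem", "in": "header", "required": True}],
        "security": [{"apiMyHeaderKey": []}],
    }}},
    "components": {"securitySchemes": {
        "apiMyHeaderKey": {"type": "apiKey", "name": "MyKey", "in": "header"},
    }},
}

# Assumed key store; the value is an illustrative placeholder, not a real credential.
VALID_API_KEYS = {"example-key-1234"}


def header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def check_request(spec, path, method, headers):
    """Return a list of violations; an empty list means the request passes both checks."""
    op = spec["paths"][path][method.lower()]
    problems = []
    # 1. Required parameters: this is the check the asker saw the runtime enforce.
    for p in op.get("parameters", []):
        if p.get("in") == "header" and p.get("required") and header(headers, p["name"]) is None:
            problems.append("missing required header " + p["name"])
    # 2. Security requirements: a separate mechanism; operation-level overrides global.
    requirements = op.get("security", spec.get("security", []))
    schemes = spec["components"]["securitySchemes"]
    satisfied = not requirements  # an empty list means nothing to enforce
    for alternative in requirements:  # one alternative with all its schemes valid suffices
        ok = True
        for scheme_name in alternative:
            s = schemes[scheme_name]
            supplied = header(headers, s["name"]) if s["type"] == "apiKey" and s["in"] == "header" else None
            # compare_digest keeps the key comparison constant-time
            if supplied is None or not any(hmac.compare_digest(supplied.encode(), k.encode()) for k in VALID_API_KEYS):
                ok = False
        satisfied = satisfied or ok
    if not satisfied:
        problems.append("security requirement not satisfied: " +
                        ", ".join(schemes[n]["name"] for alt in requirements for n in alt))
    return problems
```

A gateway that performs the apiKey check in front of the API still leaves the application responsible for the `required` parameter check, which is why the two steps are kept separate here.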

LDAP attribute issues connecting Ellucian's Ethos wso2 version 5.10.0 to Active Directory

New to WSO2 so be gentle. I'm building an instance of Ellucian's Ethos wso2 identity server (version 5.10.0) and when I point it to Active Directory the Tomcat server does start and I can login as the admin user I created in Active Directory for Ethos, but when I run "wso2server.bat -Dsetup" I see errors like the following in the wso2carbon.log file and I want to know if I should be worried.
ERROR {org.wso2.carbon.identity.scim.common.internal.SCIMCommonComponent} - Error occurred while setting SCIM attributes for the Admin org.wso2.carbon.user.core.UserStoreException: Error in adding SCIM metadata to the admin in tenant domain: carbon.super
[LDAP: error code 16 - 00000057: LdapErr: DSID-0C090D77, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'CN=ouruser,OU=OurContainer'
ERROR {org.wso2.carbon.identity.scim2.common.utils.AdminAttributeUtil} - Error occurred while updating the admin user's attributes in Tenant ID : -1234, Error : One or more attributes you are trying to add/update are not supported by underlying LDAP for user : ouruser org.wso2.carbon.user.core.UserStoreException: One or more attributes you are trying to add/update are not supported by underlying LDAP for user : ouruser
I intend for AD to be treated as a read-only LDAP database so I have "eis.admin.create.user" set to false in the eis_config.properties file and the Ethos admin user I created in AD does not have AD admin privileges. AD is only being used for authentication and for pulling attributes and releasing them to service providers. Could it be trying to write attributes to the Ethos admin user I created in AD?
Or is it an attribute mapping issue (mapping AD attributes back into Ethos?). I noticed in the eis_config.properties file the following mappings section
eis.add.claim.logonname=sAMAccountName
eis.add.claim.upn=userPrincipalName
eis.add.claim.objectguid=objectGUID
eis.add.claim.udcid=udcid
eis.add.claim.personid=employeeNumber
eis.add.claim.challenge.question.uris=
eis.add.claim.challenge.question.1=
eis.add.claim.challenge.question.2=
eis.add.claim.resource.type=pager
And I know for a fact that attributes like "udcid" are specific to Ellucian products and are not an LDAP attribute in AD, so I set it to "cn". And for the attribute mappings above that are blank, I mapped them to real AD attributes to see if I could get rid of the errors, but they remain.
Any thoughts?
Have you tried eis.add.claim.employeeType=memberOf in your eis_config.properties file?
And are the AD values correct for:
eis.admin.role.name=,
eis.admin.username=,
eis.userstore.ConnectionURL=,
eis.userstore.ConnectionName=,
eis.userstore.ConnectionPassword=,
eis.userstore.UserSearchBase=,
eis.userstore.UserNameAttribute=,
eis.userstore.GroupSearchBase=,
eis.userstore.SharedGroupSearchBase=,
eis.userstore.defaultRealmName=,
along with the user-mgt.xml settings?

IBM Liberty profile server returning SRTServletRequest instead of spring MultiPartHttpServletRequest

Postman request details
I am using IBM Websphere 8.5 Liberty server and trying to send a POST request via Postman.
In controller I want to get org.springframework.web.multipart.MultipartHttpServletRequest.
But I am getting application server specific SRTServletRequest31 class inside controller class.
How to resolve it?
In my spring configuration file I have following entry.
<bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver"/>
The issue got resolved after adding the servlet filter entry in the parent project's deployment descriptor (web.xml).
org.springframework.web.multipart.support.MultipartFilter

Problems authenticating with OneDrive for Business

I'm testing out the OneDrive SDK .NET sample app here. However it's unclear to me what values I need for the AadReturnUrl and AadTargetUrl constants which are used with the AdalAuthenticationProvider and OneDriveClient classes respectively. The GitHub readme for the project refers to this page, but that page isn't clear either.
Also: for a native client app, what value do you use for the Redirect URI when you configure the app in Azure AD? Is this value related to the required URLs above?
Edit: I tried the suggestion from the first comment and received the following error, from this code in FormBrowser.SignIn (where AadReturnURL = http://myactualdomain.onmicrosoft.com; this is a native app, and I assume this can be a 'dummy' URL if I don't have the means to display a web page):
var adalAuthProvider = new AdalAuthenticationProvider(FormBrowser.AadClientId, FormBrowser.AadReturnUrl);
this.oneDriveClient = new OneDriveClient(FormBrowser.AadTargetUrl + "/_api/v2.0", adalAuthProvider);
authTask = adalAuthProvider.AuthenticateUserAsync(FormBrowser.AadTargetUrl);
Exception thrown: 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' in Microsoft.IdentityModel.Clients.ActiveDirectory.dll
Microsoft.IdentityModel.Clients.ActiveDirectory Error: 4 : 10/24/2016 22:05:41: e9c2c5cd-1750-4d0f-b3a2-f373f7de309a - d__0: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50001: The application named https://myactualdomain-my.sharepoint.com/_api/v2.0 was not found in the tenant named myactualdomain.onmicrosoft.com. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Trace ID: 16192303-40e9-4944-b376-d25d4ff52b73
Correlation ID: e9c2c5cd-1750-4d0f-b3a2-f373f7de309a
Timestamp: 2016-10-24 22:05:40Z
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenInteractiveHandler.VerifyAuthorizationResult()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenInteractiveHandler.PreTokenRequest()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.d__0.MoveNext()
ErrorCode: invalid_resource
StatusCode: 0
OneDriveApiBrowser.vshost.exe Error: 0 : 10/24/2016 22:05:41: e9c2c5cd-1750-4d0f-b3a2-f373f7de309a - d__0: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50001: The application named https://myactualdomain-my.sharepoint.com/_api/v2.0 was not found in the tenant named myactualdomain.onmicrosoft.com. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Trace ID: 16192303-40e9-4944-b376-d25d4ff52b73
Correlation ID: e9c2c5cd-1750-4d0f-b3a2-f373f7de309a
Timestamp: 2016-10-24 22:05:40Z
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenInteractiveHandler.VerifyAuthorizationResult()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenInteractiveHandler.PreTokenRequest()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.d__0.MoveNext()
ErrorCode: invalid_resource
StatusCode: 0
AadTargetUrl should be the URL of your service. For example, https://contoso-my.sharepoint.com/_api/v2.0/ would be the URL for your OneDrive for Business on the Contoso tenant. You can get more information about getting your target URL using the Discovery Service.
AadReturnUrl is the redirect URL you configured in the Azure Management Portal (as you correctly surmised). It's commonly something like http://localhost:8080 for local apps, but could be something different for web apps. You can get more information about that in the article you already linked.