How to pass friendlyName instead of urn:oid in SAML response - LDAP

I am trying to send a SAML response from my Shibboleth IdP to a service provider.
How can I pass the friendlyName instead of the urn:oid in the SAML response? Right now, my SAML response contains the urn:oid only,
for instance, 'urn:oid:0.9.2342.19200300.100.1.6': '106',
what I need is to pass a key called "productid" along with this response,
'productid': '106',
Below is my attribute-resolver.xml, where I've set the friendlyName to productid for roomNumber (urn:oid:0.9.2342.19200300.100.1.6):
  <resolver:AttributeDefinition id="productid" xsi:type="ad:Simple" sourceAttributeID="roomNumber">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:roomNumber" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.6" friendlyName="productid" encodeType="false" />
  </resolver:AttributeDefinition>
Can I please get some insights into this?

According to the doc for SAML2String, it looks like you should be able to do:
  <resolver:AttributeDefinition id="productid" xsi:type="ad:Simple" sourceAttributeID="roomNumber">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:roomNumber" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="productid" friendlyName="productid" encodeType="false" />
  </resolver:AttributeDefinition>
although you're encouraged to make sure the attribute name is unique within its scope.
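Whichever name the IdP encoder emits, the consuming side should key on the SAML Attribute's Name, not its FriendlyName: SAML 2.0 Core defines FriendlyName as a human-readable label that MUST NOT be used as a basis for identifying attributes, so an SP that looks up "productid" by FriendlyName can be fed any attribute an IdP chooses to label that way. The following is an added example, not code from the question, the answer or Shibboleth. It parses a constructed attribute statement shaped like the one the question's resolver produces, resolves the application name through the SP's own Name mapping (the `SP_ATTRIBUTE_MAP` table is an assumption standing in for something like a Shibboleth SP attribute-map), and shows the collision that indexing by FriendlyName produces. Signature and issuer verification are assumed to have already happened.

```python
"""Resolve SAML 2.0 attributes on the SP side by Name, not FriendlyName (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample, not a real IdP response: the attribute as the question's
# resolver would emit it (Name = OID, FriendlyName = productid), plus a second
# attribute carrying the same FriendlyName under a made-up Name, to show why
# FriendlyName cannot identify an attribute.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.6" FriendlyName="productid"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>106</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:example:productid" FriendlyName="productid"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>999</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

# SP-side table, local name -> SAML attribute Name (assumption: the SP keeps such a
# mapping). This, not the assertion's FriendlyName, decides what "productid" means.
SP_ATTRIBUTE_MAP = {"productid": "urn:oid:0.9.2342.19200300.100.1.6"}


@dataclass
class SamlAttribute:
    name: str
    friendly_name: Optional[str]
    values: list = field(default_factory=list)


def parse_attributes(statement_xml):
    """Return {Name: SamlAttribute} for every Attribute in the statement.

    The XML signature and Issuer are assumed to have been verified before this
    point; only parse assertions that have passed those checks.
    """
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.iter(f"{{{SAML2}}}AttributeValue")]
        attrs[attr.get("Name")] = SamlAttribute(attr.get("Name"), attr.get("FriendlyName"), values)
    return attrs


def resolve_local_names(attrs, sp_map):
    """Map attributes to application names via the SP's own table, keyed on Name."""
    return {local: attrs[name].values for local, name in sp_map.items() if name in attrs}


def index_by_friendly_name(attrs):
    """FriendlyName -> list of Names that claim it; more than one entry means ambiguity."""
    index = {}
    for attr in attrs.values():
        if attr.friendly_name:
            index.setdefault(attr.friendly_name, []).append(attr.name)
    return index


if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_ATTRIBUTE_STATEMENT)
    print(resolve_local_names(parsed, SP_ATTRIBUTE_MAP))   # keyed on Name: one value, 106
    print(index_by_friendly_name(parsed))                 # "productid" claimed by two Names
```

Renaming the encoder's `name` to `productid`, as the answer suggests, only moves the problem: the SP still has to be told that the Name `productid` (in whatever NameFormat the IdP uses) is the attribute it trusts for that purpose.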

Azure B2C: You are already registered, please press the back button and sign in instead

I have created a custom B2C_1A_SIGNUP_SIGNIN policy.
Used Google authentication.
When I hit the create button, mypersonaltenantid gets validated through an Azure Function.
I am presented with the error message: You are already registered, please press the back button and sign in instead.
Before executing this policy I made sure this user does not exist.
After the error message is displayed I look inside B2C: the user was created, incl. my custom claim with the value mypersonaltenantid.
I was assuming that I am transferred to a different page after signup. Is this assumption wrong?
Created an issue and got the final hint.
Looks like an action was performed twice. In my case I had a base policy and an extension policy which both had a ValidationTechnicalProfiles section.
Base.xml
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
  </ValidationTechnicalProfiles>
Extension.xml
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="REST-ValidateTenantId" />
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
  </ValidationTechnicalProfiles>
My assumption after both files get merged:
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="REST-ValidateTenantId" />
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
  </ValidationTechnicalProfiles>
But it looks like the merge is performed like this:
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="REST-ValidateTenantId" />
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
  </ValidationTechnicalProfiles>
Of course that explains why the AAD write is performed twice.
From my point of view the error message is quite misleading.
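A duplicated write profile is cheap to catch before deployment if the base and extension policies are linted together. The following is an added example, not the poster's code or any Microsoft tooling: it takes two constructed policy skeletons shaped like the post's Base.xml and Extension.xml (the TechnicalProfile Id "SelfAsserted-Social" and the tenant name are assumptions), models the merge the way the poster observed it (the extension's ValidationTechnicalProfile list followed by the base's, appended rather than replaced; that ordering is taken from the post, not from documentation), and reports any ReferenceId that would run more than once for the same TechnicalProfile.

```python
"""Lint a B2C base + extension policy pair for ValidationTechnicalProfile references
that would run twice after the merge (added example, not Microsoft tooling)."""
import xml.etree.ElementTree as ET

# Constructed policy skeletons (not the poster's files). Only the elements the check
# needs are present; "SelfAsserted-Social" is an assumed TechnicalProfile Id.
BASE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicyId="B2C_1A_TrustFrameworkBase" TenantId="example.onmicrosoft.com">
  <ClaimsProviders>
    <ClaimsProvider>
      <TechnicalProfiles>
        <TechnicalProfile Id="SelfAsserted-Social">
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
          </ValidationTechnicalProfiles>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>"""

EXTENSION_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicyId="B2C_1A_TrustFrameworkExtensions" TenantId="example.onmicrosoft.com">
  <BasePolicy>
    <TenantId>example.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>
  <ClaimsProviders>
    <ClaimsProvider>
      <TechnicalProfiles>
        <TechnicalProfile Id="SelfAsserted-Social">
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="REST-ValidateTenantId" />
            <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
          </ValidationTechnicalProfiles>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def validation_refs(policy_xml):
    """{TechnicalProfile Id: [ReferenceId, ...]} in document order, for profiles that have any."""
    refs = {}
    for tp in ET.fromstring(policy_xml).iter():
        if _local(tp.tag) != "TechnicalProfile":
            continue
        ids = [v.get("ReferenceId") for v in tp.iter() if _local(v.tag) == "ValidationTechnicalProfile"]
        if ids:
            refs[tp.get("Id")] = ids
    return refs


def merged_validation_refs(base_xml, ext_xml):
    """Model of the merge the poster observed: extension list first, base list appended.

    Assumption drawn from the post's own 'looks like the merge is performed like this'
    block; it is not a statement about how the B2C engine is documented to merge.
    """
    merged = validation_refs(ext_xml)
    for tp_id, ids in validation_refs(base_xml).items():
        merged[tp_id] = merged.get(tp_id, []) + ids
    return merged


def duplicated_validation_refs(base_xml, ext_xml):
    """{TechnicalProfile Id: sorted ReferenceIds that would execute more than once}."""
    report = {}
    for tp_id, ids in merged_validation_refs(base_xml, ext_xml).items():
        dups = sorted({rid for rid in ids if ids.count(rid) > 1})
        if dups:
            report[tp_id] = dups
    return report


if __name__ == "__main__":
    for tp_id, dups in duplicated_validation_refs(BASE_POLICY, EXTENSION_POLICY).items():
        print(f"{tp_id}: validation profile(s) run twice after merge: {', '.join(dups)}")
```

Run against the real files, the check belongs in the same pipeline that uploads the policies, so a write profile that the base policy already lists is never re-declared in the extension.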

isActiveMFASession doesn't appear to be returned from SM-MFA

I am working with the SocialAndLocalAccountsWithMFA starter pack and have discovered an issue. When I register a user I am prompted to set up MFA, which works as intended. However, when I try to log in with SSO I am prompted for MFA again.
I have verified that I am not sending prompt=login.
I have attempted to search for an answer, with no results or dead ends.
Here are code snippets from my TrustFrameworkBase.xml:
  <OrchestrationStep Order="7" Type="ClaimsExchange">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
        <Value>isActiveMFASession</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
    </Preconditions>
    <ClaimsExchanges>
      <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
    </ClaimsExchanges>
  </OrchestrationStep>
Here is my SM-MFA:
  <TechnicalProfile Id="SM-MFA">
    <DisplayName>Session Management Provider</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <PersistedClaims>
      <PersistedClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" />
    </PersistedClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="isActiveMFASession" DefaultValue="true" />
    </OutputClaims>
  </TechnicalProfile>
I think you have used the "SM-MFA" technical profile inside the "PhoneFactor-InputOrVerify" technical profile. So until the "PhoneFactor-InputOrVerify" technical profile is called, the claim "isActiveMFASession" will not exist, and MFA will be triggered every time. Hence this OrchestrationStep isn't being skipped, because the "isActiveMFASession" claim doesn't exist.

How to display error returned from custom REST API endpoint in a subsequent orchestration step?

Based on this question... the REST API endpoint is validating the external IdP email and is correctly returning an error in the case the email is not valid.
  return Content(HttpStatusCode.Conflict, new CustomResponseContent
  {
      Version = "1.0.0",
      Status = (int)HttpStatusCode.Conflict,
      UserMessage = message
  });
Now I'd like to detect this error and use it in a subsequent OrchestrationStep like this:
  <OrchestrationStep Order="3" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="REST-ValidateSignInEmail" TechnicalProfileReferenceId="REST-ValidateSignInEmail" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <!-- Taken from here: https://medium.com/the-new-control-plane/creating-an-error-page-for-an-azure-ad-b2c-custom-policy-flow-fb2692a3b50f -->
  <OrchestrationStep Order="4" Type="ClaimsExchange">
    <Preconditions>
      <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
        <Value>extension_Flag</Value>
        <Value>False</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
    </Preconditions>
    <ClaimsExchanges>
      <ClaimsExchange Id="SelfAssertedRegError" TechnicalProfileReferenceId="SelfAsserted-RegError" />
    </ClaimsExchanges>
  </OrchestrationStep>
If step 3 returns a conflict, I'd like to show the error message in step 4 using the custom error page implemented as described here.
I see that step 4 executes based on extension_Flag.
Is there any way I could retrieve and store the result from REST-ValidateSignInEmail and use it in the flag for step 4?
Note: when the user journey finishes executing I see the following AADB2C error in the URL. It comes from the REST API endpoint error (409 Conflict):
https://mywebsite.azurewebsites.net/#error=server_error&error_description=AADB2C%3a+user%40gmail.com+is+not+valid.%0d%0aCorrelation+ID%7a+7777f77-7afd-7777-a777-7c77b7e77b7b%0d%0aTimestamp%7a+2019-11-09+14%3a40%3a57Z%0d%0a&state=7777c77a-77ad-414a-84df-3c131ed81ba7
The error_description message is what I'd like to pass to step 4.
I did this in a different way... instead of returning a Conflict (409) status, I changed the REST endpoint to return an OutputClaim like this:
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_isEnabled" PartnerClaimType="IsEnabled" DefaultValue="false"/>
    <OutputClaim ClaimTypeReferenceId="errorMessage" PartnerClaimType="ErrorMessage"/>
  </OutputClaims>
This way I have a claim to check in step 4. Note that I also return an errorMessage from the endpoint. This error message will later be passed to the SelfAsserted-RegError technical profile.
Depending on the validation done in the back end, extension_isEnabled will be True or False.
In step 4 we check extension_isEnabled:
  <OrchestrationStep Order="4" Type="ClaimsExchange">
    <Preconditions>
      <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
        <Value>extension_isEnabled</Value>
        <Value>True</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
    </Preconditions>
    <ClaimsExchanges>
      <ClaimsExchange Id="SelfAssertedRegError" TechnicalProfileReferenceId="SelfAsserted-RegError" />
    </ClaimsExchanges>
  </OrchestrationStep>
Step 4 will only be executed when extension_isEnabled is false. If it is true, we SkipThisOrchestrationStep and the SelfAsserted-RegError technical profile won't be called at all. The user journey flow continues as expected.
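Both this answer and the MFA answer above turn on the same mechanism: a precondition is evaluated against the claims bag as it stands when the step is reached, and the step is skipped when the condition's truth value matches ExecuteActionsIf. The following is an added example, not code from either post or from Azure AD B2C; it is a small model of that evaluation, run over the two step definitions quoted in these answers. Its semantics are assumptions stated in the docstring (ClaimsExist is true when every listed claim is present; ClaimEquals is an exact string comparison of the claim against the second Value), and it makes the two failure modes concrete: a ClaimsExist precondition cannot skip a step when the session profile that would emit the claim has not yet run, and a ClaimEquals precondition whose claim is missing leaves the step running.

```python
"""Model of B2C orchestration-step precondition evaluation (added example, not B2C itself)."""
import xml.etree.ElementTree as ET

# The two steps as quoted in the answers above (MFA step from the first post,
# error-page step from the second), embedded here so the example runs stand-alone.
MFA_STEP = """<OrchestrationStep Order="7" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>isActiveMFASession</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>"""

ERROR_PAGE_STEP = """<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>extension_isEnabled</Value>
      <Value>True</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="SelfAssertedRegError" TechnicalProfileReferenceId="SelfAsserted-RegError" />
  </ClaimsExchanges>
</OrchestrationStep>"""


def _local(tag):
    """Strip any namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _precondition_holds(pre, claims):
    """Truth value of one Precondition against the claims bag.

    Modelled semantics (assumptions, matching how the posts use them):
      ClaimsExist : true when every listed claim type is present in the bag
      ClaimEquals : true when claims[Value[0]] equals Value[1], exact string compare
    """
    values = [(v.text or "").strip() for v in pre if _local(v.tag) == "Value"]
    ptype = pre.get("Type")
    if ptype == "ClaimsExist":
        return all(v in claims for v in values)
    if ptype == "ClaimEquals":
        claim_type, expected = values
        return claims.get(claim_type) == expected
    raise ValueError(f"unsupported precondition type: {ptype}")


def step_should_run(step_xml, claims):
    """True if the step executes for this claims bag, False if a precondition skips it.

    A precondition skips the step when its truth value equals ExecuteActionsIf and
    its Action is SkipThisOrchestrationStep; a step with no preconditions always runs.
    """
    step = ET.fromstring(step_xml)
    for pre in step.iter():
        if _local(pre.tag) != "Precondition":
            continue
        execute_if = pre.get("ExecuteActionsIf", "true").lower() == "true"
        action = next(((a.text or "").strip() for a in pre if _local(a.tag) == "Action"), None)
        if _precondition_holds(pre, claims) == execute_if and action == "SkipThisOrchestrationStep":
            return False
    return True


if __name__ == "__main__":
    # MFA answer: SM-MFA has not run yet, so the claim is absent and MFA is prompted again.
    print("MFA prompted:", step_should_run(MFA_STEP, {"objectId": "user-1"}))
    # Same step once the session provider has emitted isActiveMFASession.
    print("MFA prompted:", step_should_run(MFA_STEP, {"objectId": "user-1", "isActiveMFASession": "true"}))
    # REST answer: error page shown only when the endpoint returned IsEnabled = False.
    print("Error page shown:", step_should_run(ERROR_PAGE_STEP, {"extension_isEnabled": "False"}))
```

The last case worth checking is a missing claim: with ClaimEquals the condition is false, so the error page step runs, which is why the REST answer returns a DefaultValue rather than relying on the claim being absent.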

Sabre API Request EnhancedAirBooking issue

While making a request for EnhancedAirBooking I am getting the error response INVALID BOARD POINT.
But it works fine for other FlightNumber and MarketingAirline Code values.
Sample request body for which I am getting the above error response:
  <soap_env:Body>
    <EnhancedAirBookRQ xmlns="http://services.sabre.com/sp/eab/v3" version="3.0.0" HaltOnError="true">
      <OTA_AirBookRQ>
        <HaltOnStatus Code="UC" />
        <HaltOnStatus Code="NN" />
        <OriginDestinationInformation>
          <FlightSegment FlightNumber="572" DepartureDateTime="2018-07-15T22:05:00" NumberInParty="1" Status="NN" ResBookDesigCode="K">
            <DestinationLocation LocationCode="JNB" />
            <Equipment AirEquipType="74H" />
            <MarketingAirline Code="SA" FlightNumber="7572" />
            <MarriageGrp Ind="false" />
            <OperatingAirline Code="LH" />
            <OriginLocation LocationCode="FRA" />
          </FlightSegment>
        </OriginDestinationInformation>
        <RedisplayReservation NumAttempts="9" WaitInterval="9000" />
      </OTA_AirBookRQ>
      <OTA_AirPriceRQ>
        <PriceRequestInformation Retain="true">
          <OptionalQualifiers>
            <PricingQualifiers CurrencyCode="CHF">
              <PassengerType Code="ADT" Quantity="1" />
            </PricingQualifiers>
          </OptionalQualifiers>
        </PriceRequestInformation>
      </OTA_AirPriceRQ>
    </EnhancedAirBookRQ>
I think it's because you are sending the request with a different flight number. You should be sending FlightNumber="7572" in the FlightSegment node, not "572".
It is sufficient to provide the marketing carrier and the marketing carrier flight number. What leads to confusion here is that you passed the operating flight number in the node where the marketing carrier flight number is expected. If you want to pass "572" it should be done in the operating carrier part, but it's not required to have it at all.

Understanding the struts2 configuration file

The below piece of code was written in a struts-config file, but I am not able to understand it.
  <action path="/showWelcome"
          type="com.code.base.presentation.struts.actions.StrutsIoCAction"
          name="LoanDetailPageLoadForm"
          parameter="GET_WELCOME_PAGE"
          input="welcomePage"
          validate="false"
          scope="request">
    <set-property property="requestDTOKeyName" value="ItemDataRequest" />
    <set-property property="responseDTOKeyName" value="ItemDataResponse" />
    <set-property property="exceptionDTOKeyName" value="ProfileSekerException" />
    <set-property property="businessServiceId" value="ItemsDataMgmtService" />
    <forward name="success" path="welcomePage" />
    <forward name="failure" path="sysError" />
  </action>
My questions are:
What is the usage of the path attribute?
What is the usage of the parameter attribute?
What is the usage of the input attribute?
What is the usage of <set-property>?
Please help me with this.
Note:
As per my understanding there should be a "showWelcome.jsp" page in the application, but it is not there. (Then what is the use of that?)
It specifies where the action is mounted. For example, this action would respond on http://yourservice.dom/showWelcome.
Parameter is the string you get by calling ActionMapping.getParameter(). Any string you want to pass to your action.
Input is the path to which the user would be redirected if he fills in the form incorrectly. As there's validate=false, I'd say that would never happen.
Obviously, it sets a property on com.code.base.presentation.struts.actions.StrutsIoCAction. I think it calls the setter, i.e. it would call setRequestDTOKeyName(), setResponseDTOKeyName(), etc.
But if you're going to use Struts for a considerable time, Q&A won't get you far; read some docs on Struts' config file.
Following on from #Alamar's response...
There is no showWelcome.jsp. "/showWelcome" is the URL, but that does not correspond to the name of any actual file on the server. If this action's configuration contained a line like this:
  <forward name="success" path="showWelcome.jsp" />
then it would mean that if the action class (StrutsIoCAction) returns success, a file called showWelcome.jsp would be executed. However, as you can see, the actual configuration is a forward to "welcomePage", which is probably not a file but instead the name of another action (also defined in struts-config).
Note: "forward" just means that execution is passed to this other action; it does not mean that the user is redirected to another URL.