I know the users can be configured in server.xml like this way :
<!-- The users defined here are members of group "appcentergroup", thus have role "appcenteradmin", and can therefore perform administrative tasks through the Application Center Console. -->
<user name="appcenteradmin" password="admin"/>
<user name="demo" password="demo"/>
<group name="appcentergroup">
<member name="appcenteradmin"/>
<member name="demo"/>
</group>
But if there is thoundsand of users, how to configure mobileFirst using the user credential in database to login mobile client (IBMAppcenter)?
The default configuration added by IBM Application Center is to read a limited set of users from basic file based registry. The pre-defined roles are mapped to these users.
When you have thousands of users, it is most likely in a LDAP. In this scenario, you should configure your application server with this LDAP and have Application center validate the users against the LDAP. Role mappings are associated such that after the user validates successfully against the LDAP, it is assigned the appropriate role.
More details here:
Configuring LDAP with Liberty
Configuring LDAP ACL management
AppCenter LDAP JNDI parameters
Related
I'm doing a proof of concept for federating SAML into Cognito. I've setup Shibboleth v3, and once I finally got the log level set, I can see the SAML being sent back to Cognito, which just redirects to my configured page with ?error_description=Error+in+SAML+response+processing%3A+Invalid+SAML+metadata.+&error=server_error in the URL. The user pool in Cognito is set to require an email address, and I think I've got the attribute mapping set correctly, but it's not really easy to tell. Here's the SAML I'm seeing in the logs (minus a couple of URLs for anonymization's sake):
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
Destination="https://{DOMAIN}.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
ID="_cc28aebe7ae433f549a7df77e8a2fbaa"
InResponseTo="_d34b0821-c6eb-408d-b687-5fb2b71422dd"
IssueInstant="2019-06-10T18:00:23.314Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp1.example.com:8443/idp/shibboleth
</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference
URI="#_cc28aebe7ae433f549a7df77e8a2fbaa">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>3wL9vw0MsEuSGO+0bir/6GQV1FVNQHw4fLgAXteHQK0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
LvCSLdm87hWsK480jhv/8JXBciPmGmAeUVxkGpAKUal5omnmpASXflSBHutkRwyPzD6mXMgSk3xL
f0IfWwspbA3ixmbbeEwQciel+2Y4WxwPpWreV1aLHMLYSj8x8ZdiDSioczMwRpQSqVo6RCX98ayo
riTBwTaoIQTHcE6xdDb98zDVCL+tCvrgkT3fhl0Z9HBxDvdy/YyrEuv0QVTj9SHiTI6heY5AhvA8
3qCAaGdbsNc0jqvy6AUAp1VBy8QJGpWMvChXJnO8srUEKkVBhGRfScCaO2uDcpa90zAlSuD1B7Q7
vVVrahRCB2lJHEmAyM2XeNNwN+DbyFU2Lcz4Kg==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDVDCCAjygAwIBAgIUIBWSFzIstjdAx2yVXLC40xKOIYAwDQYJKoZIhvcNAQELBQAwJzElMCMG
A1UEAwwcaXAtMTAtMjAzLTEwLTkxLmVjMi5pbnRlcm5hbDAeFw0xOTA2MDQyMTU1MDhaFw0zOTA2
MDQyMTU1MDhaMCcxJTAjBgNVBAMMHGlwLTEwLTIwMy0xMC05MS5lYzIuaW50ZXJuYWwwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaaLJ5lqB8eWuIiKPhDVsxOBncTnVS7wjjQOJ6pkSJ
El8G1MnMIb5xaQBv9luwq88+EcmWIZDzt4Yj326tmz4lwweWa4VI3iVfk6eZl7Zpwlcj57dtvA8B
MhcmbqX56Kb3pmTLf4VAI8hPoHdmKNYFapy+uM4b6ubvLx1NxlzgWfZ3o0ZrTuOpNpFgXJB+FGMS
au4lOCvOVchU7ymch2qwP/iFSUnNcviL9k/M4tSIkbf+Tb9o9SQrJhwcBMdQDfsLKnDhEtvovX12
H70smzVCg/H3AVUE+Qne5Cget90xKKRtQcSV2Q4jIS0mRGc5XVEQEiVzOLvx6DyLXUs926JxAgMB
AAGjeDB2MB0GA1UdDgQWBBT0+FXPDXOe+gtZsNA+dnzPvJysWzBVBgNVHREETjBMghxpcC0xMC0y
MDMtMTAtOTEuZWMyLmludGVybmFshixodHRwczovL2lkcDEuZXhhbXBsZS5jb206ODQ0My9pZHAv
c2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAQEAaM1kS0CoKBy4l1wRihbvsfX78FCmKk4woWEk
a0st/c42ntf7nU8b/4C6SV9Jl7rhij18um6tF6dv+pVsH5KrDQbdH3xwF24ekDqosEaHSxcmY79k
1TePd00xH8/udeKRFc+78LnkygnzulZZ748XKj9/ehUkfbrhWhGP3333Nruj5Ptlv7d4upCxtQ+g
dYmHIzFt26MHR5jxcwYWPd/4M1ElakevscWOBjKTpScOnMYOikzyZpS+p7hD5/z4OfKv6AWLPdek
eWVXGlZhRKhtp15tRrUpQucZFMh+YNOm9IlBRBeh5Qw4KQgg1KvkNy1+iA9vfptn+f2CtPhF+cxx
3Q==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion ID="_4df74e3ced3d853e5a0c329e0f7c83cb"
IssueInstant="2019-06-10T18:00:23.314Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>https://idp1.example.com:8443/idp/shibboleth</saml2:Issuer>
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="https://idp1.example.com:8443/idp/shibboleth" SPNameQualifier="urn:amazon:cognito:sp:us-east-1_MyLIE83bf">AAdzZWNyZXQxrczu0aLzz4zQafYgy5VN8rTutrL827I6iPTAGPVAGJlJKAcQIHAdkWP1uqtsYqAccnsy0GPpTNx8GgTudWw6Q5ovEh/zSlYq+A/eExrAuT5sJlatEGua7boJDq63t1fESo4qOmz3uW+Pbik=
</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="10.203.10.25"
InResponseTo="_d34b0821-c6eb-408d-b687-5fb2b71422dd"
NotOnOrAfter="2019-06-10T18:05:23.730Z" Recipient="https://{DOMAIN}.auth.us-east-1.amazoncognito.com/saml2/idpresponse"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2019-06-10T18:00:23.314Z" NotOnOrAfter="2019-06-10T18:05:23.314Z">
<saml2:AudienceRestriction>
<saml2:Audience>urn:amazon:cognito:sp:us-east-1_MyLIE83bf</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-06-10T18:00:12.508Z" SessionIndex="_c1e143fa5c01b3642d1ce4573bfe9465">
<saml2:SubjectLocality Address="10.203.10.25"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>bob#example.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="Role" Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">arn:aws:iam::{ACCOUNT}:role/FederationWorkshop-ReadOnly,arn:aws:iam::{ACCOUNT}:saml-provider/idp1 </saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="RoleSessionName" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">bob</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Is there something simple I'm missing (the intricacies of SAML and SSO are definitely not my wheelhouse at this point in time).
Question: "Why is Cognito rejecting my SAML assertion?"
Quick Response:
Three potential root causes of this issue:
(1) Your SAML assertion does NOT carry/deliver all the attributes required by Cognito (see the detailed answer and resolution below).
(2) Attributes do NOT meet the format required by Cognito.
For example, (Note that please replace "ACCOUNT_NUMBER" with your aws id assigned by Amazon AWS (e.g., 123456789012))
attribute #1: awsRoles
attribute #1 value: arn:aws:iam::ACCOUNT_NUMBER:role/shibbolethidp,arn:aws:iam::ACCOUNT_NUMBER:saml-provider/Shibboleth-IdP
attribute #2: awsRoleSessionName
attribute #2 value: winston.hong#example.com
(3) Attribute values do NOT registered at Cognito through ADMIN console of Amazon AWS (see (II) Important Remarks on Role later on).
Remarks
(1) Adding SAML Identity Providers to a User Pool states that Audience URI/SP Entity ID of User Pool (NOT Identity Pool) is urn:amazon:cognito:sp:your-User-Pool-ID.
(2) How to enable secure access to Kibana using AWS Single Sign-On describes how to utilize AWS SSO to access Kibana (Amazon Elasticsearch Service, an AWS internal service).
An example of two important SAML SP parameters for User Pool (NOT Identity Pool) is provided below.
(I) Application ACS URL: https://<Elasticsearch domain name>.auth.<AWS region>.amazoncognito.com/saml2/idpresponse
(II) Application SAML audience: urn:amazon:cognito:sp:<user pool id>
Question: "The user pool in Cognito is set to require an email address, and I think I've got the attribute mapping set correctly, but it's not really easy to tell."
Answer:
Your SAML response indicates that your attribute mapping is NOT set correctly.
(1) Attribute "RoleSessionName" carried by your Shibboleth IdP v3 SAML response to Cognito is NOT required by Cognito.
<saml2:Attribute FriendlyName="RoleSessionName" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">bob</saml2:AttributeValue>
</saml2:Attribute>
The correct attribute "RoleSessionName" carried by Shibboleth IdP v3 SAML response to Cognito should be your E-mail address "bob#example.com" instead of your given name "bob".
<saml2:Attribute FriendlyName="RoleSessionName" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">bob#example.com</saml2:AttributeValue> </saml2:Attribute>
(2) Resolution:(minor revision may be required depending on your data repository such as LDAP)
Add attribute resolution
<resolver:AttributeDefinition id="awsRoles" xsi:type="ad:Simple" sourceAttributeID="employeeType">
<resolver:Dependency ref="myLDAP"/>
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="https://aws.amazon.com/SAML/Attributes/Role"
friendlyName="Role" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="awsRoleSessionName" xsi:type="ad:Simple" sourceAttributeID="mail">
<resolver:Dependency ref="myLDAP"/>
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
friendlyName="RoleSessionName" />
</resolver:AttributeDefinition>
into "attribute-resolver-full.xml" or "attribute-resolver.xml" (depending on your Shibboleth IdP configuration). Shibboleth IdP Attribute Resolver Example.
Note that OpenLDAP attribute "employeeType" is used to carry the role of Amazon AWS. Your data store/repository may use different attribute to carry the role of Amazon AWS.
(I) The following OpenLDAP attributes have been mapped with AWS configuration through AWS administration console.
mail: winston.hong#example.com
employeeType: arn:aws:iam::ACCOUNT_NUMBER:role/shibbolethidp,arn:aws:iam::ACCOUNT_NUMBER:saml-provider/Shibboleth-IdP
(II) We provide the official link of configuring Amazon AWS with Google G Suite to describe SAML IdP configuration steps (performed through AWS administration console):
Cognito Configuring Your Identity Pool for a SAML Provider states that
Before configuring your identity pool to support a SAML provider, you must first configure the SAML identity provider in the IAM console. For more information, see Integrating third-party SAML solution providers with AWS in the IAM User Guide.
Integrating third-party SAML solution providers with AWS states that
Amazon Web Services cloud application – This article on the Google G Suite Administrator Help site describes how to configure G Suite as a SAML 2.0 IdP with AWS as the service provider.
Access the link of Google G Suite Amazon Web Services cloud application, and then Click "Step 1: Set up Amazon Web Services as a SAML 2.0 service provider (SP)", you can get the following SAML configuration steps of Amazon AWS for Cognito.
4. log in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
5. In the navigation pane, select identity providers and then click Create SAML Provider.
6. Select SAML as the Provider Type, and give it a name such as GoogleApps.
7. Upload the IDP metadata you saved earlier from the Google Admin console SAML settings.
8. Click Next Step and on the following page, click Create.
9. Click the Roles tab on the left sidebar and click Create a New Role to create a role which will define the permissions.
10. Select Set role name. This name will be displayed next to the login name on the AWS console.
11. Select Role for Identity Provider Access.
12. Select Grant Web Single Sign-On (WebSSO) access to SAML providers. Click Next Step.
13. Leave the Establish trust settings as they are. Click Next Step.
14. Use the Attach policy settings to define the policies your Federated Users will have. Click Next Step.
15. On the following page, review your settings, then click Create the Role.
16. Select your Google service from the identity providers list and note the Provider ARN. This contains your AWS Account ID and the name of the provider (example: arn:aws:iam::ACCOUNT_NUMBER:saml-provider/GoogleApps).
17. Click Save to save the Federated Web single sign-on configuration details.
Important Remarks on Role
(a) OpenLDAP attribute "employeeType" is Role in my validation experiment with AWS console.
(b) Ensure that OpenLDAP attribute "employeeType" is mapped with your AWS configuration setting "Role"**
(c) Replace "GoogleApps" with "Shibboleth-IdP" for Provider Type
(d) Set role name (e.g., shibbolethidp or googleapps, which will be converted by AWS into arn:aws:iam::ACCOUNT_NUMBER:role/shibbolethidp or arn:aws:iam::ACCOUNT_NUMBER:role/googleapps)
(III) For your convenience, I have made the 9th commit to upload the Amazon AWS SP metadata and corresponding SAML configuration to How to build and run Shibboleth SAML IdP and SP using Docker container.
Note that I have logged in to Amazon AWS account ("ACCOUNT_NUMBER", e.g., 123456789012) with username "winston.hong#example.com" successfully using Shibboleth IdP running with Docker Container with the 9th commit.
By performing the Shibboleth SAML IdP configuration with reference to the 9th commit to How to build and run Shibboleth SAML IdP and SP using Docker container, you can log in to your Amazon AWS account ("ACCOUNT_NUMBER", e.g., 123456789012) with your username (such as "winston.hong#your-company.com") federated by Shibboleth IdP..
(IV) My SAML response for successful login to AWS is provided below for your reference.
<saml2p:Response Destination="https://signin.aws.amazon.com/saml"
ID="_fc89710799c4c2c540341e94bf7132d5"
IssueInstant="2019-06-11T18:49:38.300Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="_91749d5ecb8512c0c5d658a77cb25928"
IssueInstant="2019-06-11T18:49:38.300Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer>https://idp.example.com/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_91749d5ecb8512c0c5d658a77cb25928">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xsd"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>mDAgwb9ZJxc+01sC99lAlAIAOEoiTgzHVTm4F9bdn/0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
LWiL3+CdU6y86zBLx3vG6na1o46EUgiN7iV+b4J2lPvZK7+Oeu6XSenJlzo/cUMT19pYYrDMM652
3lDAJCuOKPx4zTRIcabGrgzTKgmen0SHqWPxeL7t23RB6+v5AUvVw02tXqQhlggKEe3H+1T1k5q0
cGc1xw5CQtI8zE6GK7nG1INnU7mo872H9x+zM1zy3yyvrWOkHHhVFqQQ1Tu+0ev4BIhTQaVgC+pM
/ZvpctNjDMl1q4RSt1qumC+KFsYZlbrsLG7AvGJuR39wt/HV7F8Je3AUGGwMtGjkpRDuN1lIHrMq
VzFf/5eKUv20rEk3aOxoV/sMfcuhWo27+NjE1g==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDPDCCAiSgAwIBAgIVALPPoC598LJ6ZJJJXCA2ESASlN4AMA0GCSqGSIb3DQEBCwUAMB8xHTAb
BgNVBAMMFGlkcXNhbWwuaWRxdWFudGEuY29tMB4XDTE3MDYwMjIxNDI0NloXDTM3MDYwMjIxNDI0
NlowHzEdMBsGA1UEAwwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAs4ml4G592b059YDgyD/MLWQKaKrc0/24Ufbl/JY7wOI1RpxW8DlbCvibzQge6Tu
/8LVy4GIDb8QLxmCfFKYn97HC68TgXVJ+m+sQm+e4SVg6V2q+JY94LLcoFVe8+78ZIYT23KLkTv2
RlHzes/sL1YaPSK4UuN+/ezppyX2t9BGNfuiUKA0KCf7wMFuQ07Fr65FTcGXQyxhPyaNrXjrNMJa
LqwpCaesVdVzoqPevYVN3+nzAvOWoEbi6IcwnF07D0FYren/GPRXPAk5sP6fF3X0rJCkSq+d5t5P
0gWONlvm9WlUrKadmeiibCtR2lGQ/dZGmyUzIILsuOwu4yp/EsI3AgMBAAGjbzBtMB0GA1UdDgQW
BBREpZrZlnm8YrbSFcl59WRR5IY2FTBMBgNVHREERTBDghRpZHFzYW1sLmlkcXVhbnRhLmNvbYYr
aHR0cHM6Ly9pZHFzYWQCV63ubc+tsfzCvL48k35RzLAD15DIdbS9pZHAvc2hpYmJvbGV0aDANBgk
AAOCAQEAEvrdnSvK2C2rcRr7kXn4Q/NaEovuUeqaNs1k/2+dSqs8rroM+m3Iq8RlBcmKnP/+mET3
wwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiLRXay9y1uJXyZx37RDkGu8SD7+zf8znM+TCsX/qAP
6Ve95WAeX4uB8Aeol3LULe1dePsRb/1RNpKsm8NomVzCwBXK9vyv8t3IVN40jZMaaTtR0YR22fTu
qTyIMarMPO0Eh0f1FHraYaXfyop1OJcYlISpYe+c4vNvAXwEtHkZD2Iu/2aEMGcvBo3uq6OYVDXO
fI3CvoB7sRtxURtj+vVSZKjDe6s7+lRcE1tpDkwOEEuDzA==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="https://idp.example.com/idp/shibboleth"
SPNameQualifier="urn:amazon:webservices"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>AAdzZWNyZXQx/wu+MEcVaUwjGOXhDKAO/5KXLD2AcDGnu1DyoP2C4ztOF01Su6tTJDytykrsv7W2dSV4FkL42ORYDiipBEuwiRSbnvViKbFBkHYN4YUmQzttx3DPNW/w42tMjLrY2iyn7sAUgQSVNGRHyMAH</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="192.168.150.10"
NotOnOrAfter="2019-06-11T18:54:38.412Z"
Recipient="https://signin.aws.amazon.com/saml"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2019-06-11T18:49:38.300Z"
NotOnOrAfter="2019-06-11T18:54:38.300Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>urn:amazon:webservices</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-06-11T18:49:38.041Z"
SessionIndex="_79ee919a4e3fcd2f6d13702b60bfd357"
>
<saml2:SubjectLocality Address="192.168.150.10" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="Role"
Name="https://aws.amazon.com/SAML/Attributes/Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="RoleSessionName"
Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>winston.hong#example.com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
(3) Amazon AWS provides the configuration guide How to Use Shibboleth for Single Sign-On to the AWS Management Console.
Shibboleth provides the configuration guide Shibboleth IdP with Amazon Cognito
(4) How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides the instruction on building a SAML-based Authentication/Authorization Provider using Shibboleth SAML IdP and OpenLDAP.
Shibboleth SAML IdP is responsible for identity federation.
OpenLDAP is responsible for identity authentication.
(I) I have validated SAML Single Sign-On (SSO) provided by Docker-running Shibboleth SAML IdP (Identity Provider) and OpenLDAP for the following enterprise applications. In other words, I leveraged Docker-running Shibboleth SAML IdP and OpenLDAP to log in to the following enterprise applications successfully.
Microsoft Office 365
Google G Suite
Salesforce
Dropbox
Box
Amazon AWS
OpenStack
Citrix NetScaler
VMware vCloud Director
Oracle NetSuite
(II) I have validated Shibboleth IdP with Amazon AWS Management Console with reference to How to Use Shibboleth for Single Sign-On to the AWS Management Console
(III) We developed our former version of Zero-Password Authentication and Authorization System in Java and leveraged Shibboleth IdP to provide SAML SSO for enterprise applications.
We developed our current version of Zero-Password Authentication and Authorization System with scalability and high availability in Scala to provide SAML SSO natively for enterprise applications without Shibboleth IdP.
Another StackOverflow question "Setting up a new Shibboleth IdP to work with an existing SAML SP" provides valuable information and discussions on Shibboleth SAML configuration.
I used PHP, LightSaml for my SSO SP Initiated
I had my service which I wanted to be an IdP and outside service which were a SP.
After I wrote my own script for receiving SAMLRequest, sending SAMLResponse and sent XML Metadata to the SP owner (he configured Cognito by this)
I had the same error in the browser console
error_description:Error in SAML response processing: Invalid SAML metadata.
So there are few steps which caught my attention while fighting with this error:
Check if all data in XML Metadata are correct
Check if your SAMLResponse include relayState and "InResponseTo" parameter in < samlp:Response > (which is ID of SAMLRequest)
Check if nameID format is correct and it is the same as server needs
Check if EntityId is correct in all places
Check attribute mapping in Cognito
I published my API application into Azure using APP Service. But I want to restrict my API’s from the external users.
I know there is an API management concept is there in Azure but it’s a big concept. and also there is an ipSecurity feature to restrict the specified IP addresses but I don't want this.
so I want simple way to restrict the external users to access my production API’s.
Can you please tell me what are the best enterprise practices for implementing the above feature?
To prevent unauthorized access to your API, you should protect the API using Azure AD and enforce users to authenticate/authorize themselves before they can access the API.
You would need to create an application in Azure AD for that. To prevent external users from accessing your API, you should make this application single tenant. This will ensure that only users from the Azure AD where the application is created can access the application.
Please see this link for more details on how you can accomplish this: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad.
Depending whether your App is a B2B or B2C app, Azure has two Identity as a Service offer:
Azure Active Directory B2C
Azure Active Directory (B2B)
You can restrict based on IP. In App Service go to properties to find Outbound IP Addresses, for those apps you want to be able to connect to the API. Then in the web.config of the API, deny all apart from those. This can be used in addition to authentication.
<configuration>
<system.webServer>
<security>
<ipSecurity allowUnlisted="true"> <!-- this line blocks all apart those listed below -->
<clear/>
<add ipAddress="xx.xx.xx.xx"/> <!-- block an IP -->
<add ipAddress="90.100.100.23" subnetMask="255.255.255.0"/> <!--block network 90.100.100.0 to 90.100.100.0-->
</ipSecurity>
</security>
...
...
</system.webServer>
</configuration>
Using WAS 8558 and on one of the URL pattern, need to invoke JAAS module.
Entry in web.xml
<security-constraint>
<display-name>SampleConstraint</display-name>
<web-resource-collection>
<web-resource-name>Sample</web-resource-name>
<url-pattern>/wasauth</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>
Users allowed access to spoke Identity Provider</description>
<role-name>FIMAnyAuthenticated</role-name>
<role-name>FIMUserSelfCareAnyAuthenticated</role-name>
</auth-constraint>
Entry in server.xml
<jaasLoginContextEntry id="system.FIM_OUTBOUND" name="system.FIM_OUTBOUND" loginModuleRef="myCustom, hashtable, userNameAndPassword, certificate, token"/>
<jaasLoginModule id="myCustom" className="com.*.SampleLoginModule" controlFlag="REQUIRED" libraryRef="customLoginLib">
</jaasLoginModule>
<library id="customLoginLib" apiTypeVisibility="spec, ibm-api, api">
<fileset dir="/" includes="com.**_8.0.0.jar"/>
This flow is using Federated repository feature (Liberty) for authentication.
Above mentioned settings allow user to get authenticated against repository however JAAS module is not getting invoked.
If I convert JAAS entry to system.WEB_INBOUND using WSLoginModuleProxy - JAAS module gets invoked.
Liberty does have appSecurity-2.0 feature enabled.
Is there any other configuration which needs to be done?
When the Liberty profile performs authentication for protected web resources it uses the system.WEB_INBOUND JAAS login configuration entry. So any custom login modules that you have configured in it will be called.
If you have configured your custom login modules in your own or a different JAAS configuration it will not be called by the server during web authentication. Your application. however, can call it directly.
We need to set up a CAS server to do SSO with our applications(all in JAVA).
Here is my situation:
CAS1: Existing CAS server, based on ORACLE LDAP(we have no control of the CAS1 and the LDAP). We plan to ignore this one.
Several applications integrated with this CAS.
CAS2: We plan to setup a new CAS server based on MS Active Directory, because we have a lot of new users. We plan to maintain them in AD.
Still the same applications we plan to setup SSO too with our CAS2.
What we need is that both users from existing LDAP and our new AD can log into the applications by SSO.
Is there a simple way, like setup my new CAS to use both LDAP and AD. So user from both sides can login our applications. This is a better way I think if possible. Is there an example in detail?
Can I setup federation between the two CAS? Is it possible for Jasig CAS?
Please help! Thanks a lot!
Yes, it's possible for CAS to authenticate against multiple sources. In your authenticationManager bean, you should have a property named authenticationHandlers; in there, define multiple AuthenticationHandler beans. For my setup, I have a local file (for monitoring users from Munin/Nagios) authentication handler and a BindLdapAuthenticationHandler:
<property name="authenticationHandlers">
<list>
<!-- This is the authentication handler that authenticates
services by means of callback via SSL, thereby validating
a server side SSL certificate. -->
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" />
<bean class="org.jasig.cas.adaptors.generic.FileAuthenticationHandler" p:fileName="${cas.localuser.file}" />
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
p:timeout="10000"
p:filter="${ldap.auth.filter}"
p:searchBase="${ldap.base.dn}"
p:ignorePartialResultException="true"
p:contextSource-ref="contextSource"
p:searchContextSource-ref="searchContextSource"
/>
</list>
</property>
Just add more authentication handlers for the other things you want to authenticate against. Check out https://wiki.jasig.org/display/CASUM/LDAP for the CAS LDAP handlers and https://wiki.jasig.org/display/CASUM/Active+Directory for the CAS Active Directory handlers.
The way it works, CAS will try to authenticate against each handler in order. The first one that succeeds results in a successful CAS login. So if you have a record in LDAP with uid=jsmith and a record in AD with cn=jsmith and they both have the same password, whichever one is defined first in CAS will always win! You should thus make sure that you have no login ID collisions between your systems, or you may open yourself up to some undesirable side effects (especially if jsmith in LDAP is not the same person as jsmith in AD).
If you use SAML validation (such as for mod_auth_cas) you may have other considerations as well. You can define an attributeRepository bean which lists the properties to return from a person's record when they authenticate and the service validates the ticket using /samlValidate. I don't know if there's a bean class available that will let you pull from multiple directories, but if you aren't using samlValidate this may not be an issue for you anyway.
So is there a better way possible? Well, if it's possible, collapse down to one source of authentication truth.
Regarding CAS federation: no. You may be able to set up the servers such that they trust each other's tickets, but instead I would recommend using one CAS environment (which could be clustered if you want) authenticating against as few sources of authentication truth as possible.
I'm able to protect Worklight console with an user inside worklight.properties file (on Liberty or WAS environment).
How can I protect console with a LDAP user (outside of the worklight.properties file)?
Yes, you can do this.
You will need to edit your authenticationConfig.xml as follows:
Add a LDAP loginModule
Add a LDAP realm
Update the existing "WorklightConsole" custom securityTest to use the new realm
After the above changes, once loading Worklight Console and entering the user credentials,
these should be handled by the loginModule to authenticate against the LDAP server.
See the following IBM Worklight Getting Started training module, which is about this very topic:
Using LDAP Login Module to authenticate users with LDAP server