Configuring a Keystone Service Provider - authentication

I'm configuring Keystone (as SP) for federation, and I have a question about the Shibboleth setup [1]. I need to edit the shibboleth2.xml file and add the SP entity ID:
<ApplicationDefaults entityID="http://mysp.example.com/shibboleth">
In my case, it would be:
<ApplicationDefaults entityID="http://10.7.49.47:5000/shibboleth">
I don't know if this is the right value. When I try to access 10.7.49.47:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth, I receive the error:
Unable to locate metadata for 'http://10.7.49.47:5000/shibboleth'
I want to understand better how Shibboleth works with Keystone, and how to get this Keystone SP entityID. I don't know if I need to configure something to make '/shibboleth' work.
I need to get this entityID to configure my IdP, SimpleSAMLphp, and add the SP there [2].
[1] https://docs.openstack.org/developer/keystone/federation/shibboleth.html
[2] https://simplesamlphp.org/docs/1.5/simplesamlphp-idp#section_5

One, I recommend you use HTTPS to connect with Shibboleth. If that is already your case, then ignore this.
Two, the entityId does not need to match your host or IP. So if you want, you can omit the port from the entityId. You can use any string, for that matter.
Now, to answer your question, see this answer of mine for the steps to integrate Shibboleth. Though these are steps for a Java application, it is mostly done in Apache httpd, so it is relevant to anybody.
See step 3 from that post; that is where your Apache server learns which location to protect.
P.S. The path your application listens on is /Shibboleth.sso/, not /shibboleth.
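To make the two points above concrete, here is a minimal shibboleth2.xml fragment for a Keystone SP. It is an added illustration, not configuration from the question, the answer, or the Keystone or Shibboleth projects; the entity IDs, host names and file names are placeholders, and the element and attribute names are those of the Shibboleth SP 2.x native configuration.

```xml
<!-- Added example, not from the original post. Entity IDs, host names and
     file names are placeholders chosen for illustration. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          clockSkew="180">

  <!-- entityID is an opaque identifier for this SP. It is conventionally
       written as a URL, but it does not have to resolve, match the host, or
       carry the Keystone port; it only has to be the same string that the
       IdP (here SimpleSAMLphp) has registered for this SP. -->
  <ApplicationDefaults entityID="https://keystone-sp.example.org/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id">

    <!-- handlerURL is the path the SP daemon actually answers on
         (/Shibboleth.sso/Metadata, /Shibboleth.sso/SAML2/POST, ...).
         The "/shibboleth" suffix in entityID is not a handler and nothing
         needs to serve it. handlerSSL and cookieProps keep the session
         cookie and the SAML handlers on HTTPS only. -->
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="true"
              cookieProps="https">
      <!-- This entityID is the IdP's, copied from the IdP's own metadata. -->
      <SSO entityID="https://idp.example.org/saml2/idp/metadata.php">
        SAML2
      </SSO>
      <!-- Publishes this SP's metadata at /Shibboleth.sso/Metadata, which is
           the document to import into the IdP. -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <!-- The SP only trusts entities it can find in a MetadataProvider. An
         "Unable to locate metadata for '...'" error means the quoted entityID
         was not found in any provider configured here, so the IdP's metadata
         has to be loaded (a local file is the simplest choice for a test rig). -->
    <MetadataProvider type="XML" file="/etc/shibboleth/idp-metadata.xml"/>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false"
                        path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <!-- Key pair used to sign/decrypt SAML messages; its certificate ends up
         in the generated SP metadata. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false"
                    path="protocols.xml"/>
</SPConfig>
```

After restarting shibd, fetching https://keystone-sp.example.org/Shibboleth.sso/Metadata (the placeholder host above) returns the SP's metadata with the entityID and the certificate, which is what gets registered on the SimpleSAMLphp side; /Shibboleth.sso/Status confirms that shibd parsed the configuration and loaded the IdP metadata.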

Related

adding basic authentication to Solr 8.6.1

We are having some difficulty when adding basic authentication to Solr 8.6.1. We are following this document, and we have created a security.json file, which is successful (since the Solr instance asks for a user ID and password when it starts). Our difficulty happens when trying to enable the global authentication settings: we did pass the -Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory system property, and we also set the -Dbasicauth=username:password property as follows:
// the following is the last line of our Solr Dockerfile:
CMD ["solr-foreground", "-Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory", "-Dbasicauth=username:secret"]
However, the calls to retrieve data from Solr all come back with Error 401 require authentication.
Could someone please kindly let us know what we missed?
You'll have to set the correct options on the client, not on the server. This is a setting that affects how the client that connects to Solr authenticates.
So when running your application, give the parameter to the java command (or configure it to be the default parameter through ant/maven/gradle/etc.).
Setting it on the Docker container will not do anything useful.

Authorization by ActivePivot

When I try to navigate to http://localhost:8080/content/rest/v4/files/ui/version?recursive=-1&metadata=false I get an error 404 (file not found).
While debugging I can see ActivePivot tries to determine whether my account is granted access to /ui/version.
It happens based on a Hibernate query:
SELECT DISTINCT ent FROM AuditableCSEntry ent JOIN FETCH ent.startAction startAct WHERE path=:path AND ent.endAction IS NULL
So I suspect the authorization should be configured. But I could not find any mention of that. Has anyone heard about configuration steps for AP authorization?
http://localhost:8080/content/rest/v4/files/ targets the endpoint listing files stored in the Content Service.
The file ui/version is a file used by ActiveUI to detect how it is set up. It is initialized by ActiveUI itself, upon the first connection of an admin user.
This initialization process is described in the online documentation.
Basically, having an admin user connect to your ActiveUI application should be enough.

Why can I not pass the GUI user in jUDDI

After configuring the jUDDI server in Eclipse and creating the environment variable,
we get a problem accessing the GUI user and admin pages and the Tomcat interface:
I think you are looking at something like:
message java.lang.IllegalStateException: No output folder
I would check the Tomcat logs, the permissions of the user you are running Tomcat under, and check the directory that you have installed your Tomcat into.
Do not even try to use UDDI
these days. People are moving towards semantic web services; UDDI is out of the scene.
WSMO and OWL-S are major initiatives for semantic web services. These solutions can provide more precise results.
Here are a few:
mDNS/Bonjour/Avahi - can be used to share endpoint information for a web service, or anything else, using a TXT record
WS-Discovery - supported by CXF and WCF, shares implementations of a specific interface
ebXML - had a component similar to UDDI
Visit this link

Authentication on CRM 2013 with NLB

I have a problem of authentication on a vanilla CRM 2013 installed on an NLB. The CRM 2013 is working correctly if I use the IP address of the NLB, but if I try to access the NLB using its unique name, it prompts for credentials and does not authenticate the user (the user is the one that I used for the setup process). Has anyone ever seen something like this? I tried to Fiddler the request and, beside a small difference in a cookie in the request header, to me they look the same. Also, if I ping the unique name of the NLB it responds with the correct IP address.
The last test that I did was to add the name in the hosts file, and I had the same problem (no authentication); it looks like it is managing to get to the server but it fails to authenticate. I tried to use the localhost address and it worked (on both of the single servers), and it worked with the names of the 2 servers that are part of my cluster, and it worked with the IPs of those servers too. Does anyone have any idea why with the IP address of the NLB everything is working as I expect and as soon as I use the name it is not working?
Recap:
Address         | Status
----------------+------------
CRM1.com        | working
192.168.1.CRM1  | working
CRM2.com        | working
192.168.1.CRM2  | working
192.168.1.NLB   | working
NLB.com         | not working
Obviously this is sample data, and I know that with a single server I will not use the NLB; I was expecting to have issues with both the IP and the server name, not with just one of them.
I found out the reason it is not working. When you install behind an NLB you need to change some parameters in IIS. Since I'm not very good at managing it, in the config editor you need to change the section and update 2 key values from false to true. Steps 2-10 of this guide: http://blogs.msdn.com/b/niran_belliappa/archive/2014/02/17/network-load-balancing-microsoft-dynamics-crm-2013.aspx

Thread: 505.50 when using custom rewrite provider (the one from samples)

I'd like to know how to troubleshoot the IIS URL Rewrite module and custom rewrite providers.
I am trying to do a POC on the URL Rewrite Module for our app. Our mappings are all in the database, so I thought of using the provider that comes as a sample. Got everything installed and configured, as instructed. Created the stored procedure as well. Now when I hit the alias URL I receive HTTP Error 500.50 - URL Rewrite Module Error. Here are the details about the error:
Module: RewriteModule
Notification: BeginRequest
Handler: ExtensionlessUrlHandler-Integrated-4.0
Error Code: 0x80070585
In SQL Profiler I see no calls to my stored procedure. The app pool is running under my account (admin rights). No errors in the event logs.
Are there any logs I could look into for more information on what's happening?
I got it working after two days of digging. The samples are good but not good enough: simply using the supplied DLLs with the supplied config entries doesn't work (for many reasons).
What I ended up doing was getting rid of the DLLs from the samples and creating my own provider using the source code from the samples and information from this article: Developing a Custom Rewrite Provider for URL Rewrite Module. Then IIS started loading my provider. But in order to make it work correctly I had to get a deep understanding of the module's config system.
So my answer to my own question -- don't rely on the samples alone; they don't work out of the box. Instead, RTFM :) The best place to start is here: URL Rewrite Module Configuration Reference