I am trying to chain 2 adfs instances together. We have an application protected by one ADFS and users that are in another AD that also uses ADFS to protect applications. Now I am trying to give access to an application protected by one ADFS to the users in the Other ADFS.
In the ADFS that has the users in AD, I have set up a new RelyingParty that is the other ADFS instance.
In the ADFS that protects the application I have set up a Claims Provider trust, I did this by pointing at the metadata of the ADFS instance that has the users in Active Directory. This seems to be working.
Now when I try to access my protected application, I get certificate errors for the SSO certs, I click through those then it bounces me to the RP ADFS and a page displays giving me the choice of authentication either AD or my ID ADFS instance. I choose the ID ADFS that I have just set up, click continue and it bounces me to the log in page. After logging in it bounces me back to the RP ADFS server and then I get an error, with a reference number. When I look up the reference number in the event log I see either 2 or 3 errors.
the first is about a revocation list
An error occurred during an attempt to build the certificate chain for the claims provider trust 'http://dev-sso.xxxxxxx.com/adfs/services/trust' certificate identified by thumbprint '54xxxxxxxxxxxxxxxxxxxxxxE28C9A57481'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the claims provider trust's signing certificate revocation settings or certificate is not within its validity period.
The second is
The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
)
'. Ensure that the SecurityTokenResolver is populated with the required key.
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadAssertion(XmlReader reader)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
I decided to disable the revocation list check. I think the issue is a proxy or firewall that sits in the way, in production we will have real certificates and so I think this will be less of a problem.
So not really the answer but enough to move on.
Related
I follow the steps described in the link: http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html to integrate my user pool with cognito identity. But every time I am trying to access amazone S3 using the Authentication providers I get the following error:
E/CognitoCachingCredentialsProvider: Failure to get credentials
com.amazonaws.services.cognitoidentity.model.NotAuthorizedException:
Logins don't match. Please include at least one valid login for this
identity or identity pool. (Service: AmazonCognitoIdentity; Status
Code: 400; Error Code: NotAuthorizedException; Request ID:
ff4da8ad-9a96-11e6-9c64-67a5c841c727)
at
com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:712)
at
com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:388)
at
com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:199)
at
com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClient.invoke(AmazonCognitoIdentityClient.java:558)
at
com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClient.getId(AmazonCognitoIdentityClient.java:444)
at
com.amazonaws.auth.AWSAbstractCognitoIdentityProvider.getIdentityId(AWSAbstractCognitoIdentityProvider.java:172)
at
com.amazonaws.auth.AWSEnhancedCognitoIdentityProvider.refresh(AWSEnhancedCognitoIdentityProvider.java:76)
at
com.amazonaws.auth.CognitoCredentialsProvider.startSession(CognitoCredentialsProvider.java:561)
at
com.amazonaws.auth.CognitoCredentialsProvider.getCredentials(CognitoCredentialsProvider.java:371)
at
com.amazonaws.auth.CognitoCachingCredentialsProvider.getCredentials(CognitoCachingCredentialsProvider.java:441)
at
com.amazonaws.auth.CognitoCachingCredentialsProvider.getCredentials(CognitoCachingCredentialsProvider.java:76)
at
com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4369)
at
com.amazonaws.services.s3.AmazonS3Client.putObject(AmazonS3Client.java:1704)
at
com.amazonaws.mobileconnectors.s3.transferutility.UploadTask.uploadSinglePartAndWaitForCompletion(UploadTask.java:203)
at
com.amazonaws.mobileconnectors.s3.transferutility.UploadTask.call(UploadTask.java:85)
at
com.amazonaws.mobileconnectors.s3.transferutility.UploadTask.call(UploadTask.java:44)
at java.util.concurrent.FutureTask.run(FutureTask.java:234)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1080)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:573)
at java.lang.Thread.run(Thread.java:864).
Here is the code:
public static TransferUtility getTransferUtility(Context context) {
if (sTransferUtility == null) {
sTransferUtility = new TransferUtility(getS3Client(context.getApplicationContext()),
context.getApplicationContext());
}
return sTransferUtility;
}
public static AmazonS3Client getS3Client(Context context) {
if (sS3Client == null) {
sS3Client = new AmazonS3Client(getCredProvider(context.getApplicationContext()));
}
return sS3Client;
}
private static CognitoCachingCredentialsProvider getCredProvider(Context context) {
if (sCredProvider == null) {
sCredProvider = new CognitoCachingCredentialsProvider(
context.getApplicationContext(),
Constants.COGNITO_POOL_ID,
Regions.EU_WEST_1);
Map<String, String> logins = new HashMap<>();
logins.put("cognito-idp.eu-west-1.amazonaws.com/eu-west-1_xxxxxxxxx", idToken);
sCredProvider.setLogins(logins);
}
return sCredProvider;
}
Here how I get the token
AuthenticationHandler authenticationHandler = new AuthenticationHandler() {
#Override
public void onSuccess(CognitoUserSession cognitoUserSession, CognitoDevice device) {
Log.e(TAG, "***Auth Success***");
idToken = cognitoUserSession.getIdToken().getJWTToken();
AppHelper.setCurrSession(cognitoUserSession);
AppHelper.newDevice(device);
closeWaitDialog();
launchUser();
}
The transferutility is part of com.amazonaws.mobileconnectors.s3.transferutility package.
Thank you for your help.
felini
The problem may be configuration or the way you have created your token (the provider name part looks right). But most likely you just need to GetIdResult.
"Logins don't match. Please include at least one valid login for this identity or identity pool." is coming from the "AWSCognitoIdentityService.GetCredentialsForIdentity" api request (in java i think it is GetCredentialsForIdentityResult)
This can happen when you have an identityId for one identity, then you provide logins for another. If you change identities you need to do a "AWSCognitoIdentityService.GetId" (in java i think this is GetIdResult)
The error is telling you that either it could not find the identity provider associated with the identity pool, or the pool does not have that identity provider configured (I think this generates a different error but not sure) , or it could not associate the identityId with the logins entry token (if the username claim in the ID token did not match the identity it had for instance).
I think you need to either fix your logins dictionary, or do a GetIdResult call to make sure you have the right identityId for the logins hash you are providing.
Or... if it is configuration, make sure that you have the user pool and client id properly configured in the Authentication Providers list as a Cognito user pool authentication provider. Note that if you also configure it in IAM as an identity provider you must have the audience match that same client id. (which also works).
Note: This problem might happen if you configured "unauthenticated" access, then tried to get credentials with a logins hash, but using the unauthenticated identity. I think you would need to do a getIdResult to switch.
It was a configuration problem. I added to an existing identity pool, Cognito user pool as Authentication Providers. I provided the user pool Id and client Id.
Then I click save changes. It was shown in green on the dashboard that my changes was saved. But in reality it was not! That was the reason of the error.
As solution I created a new identity pool from scratch and added during the creation, cognito user pool as authentication provider. Only then it was properly saved after the pool creation.
In case anyone else has the same warning, it is possible to login to a Cognito Identity Pool with an unverified email, but that same user will not be able to authorise against a Cognito Identity Provider, instead this error will be thrown:
Error: Logins don't match. Please include at least one valid login for
this identity or identity pool.
A user can be set to 'Confirmed' via the Cognito console. This does not equate to 'email verified'. The user CAN login to the pool though.
A fully unconfirmed user cannot login at all.
In our current WSO2 setup, after a user performs a self creation, we place his account into a locked state, and send a confirmation email to the address specified during creation. This email has a link which allows the user to verify his account.
For development purposes, we are attempting to get the workflow down using the UserInformationRecoveryService wsdl in SOAP UI. The service which we seem to want is called sendRecoveryNotification. Here is the signature of this service:
sendRecoveryNotification(String username, String key, String notificationType)
The username parameter is simply the username of the WSO2 user in question, which we have. For the notificationType we have been using email, which presumably would trigger an email to be sent to the user. The problem is with the key parameter. It is not clear what value should be used as key, and all our guesses always lead to this error response:
18001 invalid confirmation code for user : tbiegeleisen#abc.com#tenant.com
We also noticed that several other services also expect a key, and it is not clear how to get this value.
Can someone shed light on the workflow for user recovery in WSO2? It seems to be a Catch-22 with regard of requiring a token in order to generate a new token to be sent to a user.
The WSO2 documentation clearly spells out the workflow for recovery with notification. The key which needs to be used is the return value from a call to the verifyUser() SOAP web service. This service itself expects a Captcha which normally would be sent from the UI. Here is a code snippet showing how a recovery notification can be sent:
String cookies = client.login("admin#tenant.com#tenant.com", "admin");
UserInformationRecoveryUtil userInfoutil = new UserInformationRecoveryUtil(webserviceUrl, cookies);
CaptchaInfoBean captchaInfo = new CaptchaInfoBean();
captchaInfo.setImagePath(captchaPath);
captchaInfo.setSecretKey(captchaKey);
captchaInfo.setUserAnswer(captcha);
String username = emailId + "#" + tenantDomain;
String key = userInfoutil.verifyUser(username, captchaInfo);
// now pass the key based on the Captcha along with the type of recovery action
userInfoutil.sendRecoveryNotification(username, key, "accountUnLock");
I'm trying the built-in Authentication of ServiceStack. My approach is 'OrmLiteAuthRepository' so users' information are stored in Sql Server instead of the default in memory storage. I use Postman to test the endpoints.
My target is receiving user rows, updating user information, creating users, deleting an user row. Those are the endpoints I found in Postman after importing (I didn't create those endpoints):
GET 'http://localhost:47391/api/register',
PUT 'http://localhost:47391/api/json/reply/Register'
POST 'http://localhost:47391/api/json/reply/Register'
I tested POST, Sql Server automatically created the tables to store user data. And the data could be written into Sql Server so I have no problem with POST.
But with PUT, isn't it for updating the existing row? I append '/{id}' to the end. But it created a new row in the database instead of updating the existing one. How does it work?
With GET, I got no implementation error.
{
"ResponseStatus": {
"ErrorCode": "NotImplementedException",
"Message": "Could not find method named Get(Register) or Any(Register) on Service RegisterService",
"StackTrace": " at ServiceStack.Host.ServiceExec`1.Execute(IRequest request, Object instance, Object requestDto, String requestName)\r\n at ServiceStack.Host.ServiceRequestExec`2.Execute(IRequest requestContext, Object instance, Object request)\r\n at ServiceStack.Host.ServiceController.<>c__DisplayClass11.<>c__DisplayClass13.<RegisterServiceExecutor>b__10(IRequest reqCtx, Object req)\r\n at ServiceStack.Host.ServiceController.ManagedServiceExec(ServiceExecFn serviceExec, IService service, IRequest request, Object requestDto)\r\n at ServiceStack.Host.ServiceController.<>c__DisplayClass11.<RegisterServiceExecutor>b__f(IRequest requestContext, Object dto)\r\n at ServiceStack.Host.ServiceController.Execute(Object requestDto, IRequest req)\r\n at ServiceStack.HostContext.ExecuteService(Object request, IRequest httpReq)\r\n at ServiceStack.Host.RestHandler.GetResponse(IRequest request, Object requestDto)\r\n at ServiceStack.Host.RestHandler.ProcessRequestAsync(IRequest httpReq, IResponse httpRes, String operationName)"
}
}
How to implement it? I assume I consider the user a normal Web Service entity? and create 'UserService', and requests like:
[Route("/register")]
public class User : IReturn<UserResponse>
{
...
}
BUT there isn't a model class like 'User' due to the tables are created by ServiceStack itself, how to solve this?
Or is there something I am not aware of. Thanks.
The error message:
Could not find method named Get(Register) or Any(Register) on Service RegisterService
Is saying you're trying to call the built-in ServiceStack Register Service instead of your Service. But the Register Services isn't enabled by default, your AuthFeature likely explicitly enables it, either with:
Plugins.Add(new RegistrationFeature());
Or on the AuthFeature:
Plugins.Add(new AuthFeature(...) {
IncludeRegistrationService = true
});
If you don't want to enable ServiceStack's built-in Register Service you'll need to remove the registration where it's enabled.
If you instead want the Register Service registered at a different path, you can specify a different route with:
Plugins.Add(new RegistrationFeature {
AtRestPath = "/servicestack-register"
});
I'm using .NET and creating a DirectoryEntry and the access the NativeObject member to validate a user's credentials against AD.
There are some situations, where the login will fail, because the "User must change password on next logon" flag is set or the user is currently not allowed to logon because the logon times do not match.
I want to distinguish if one of these situations occured or if the user just entered a wrong password.
If I create the DirectoryEntry object with parameter AuthenticationTypes.None, a DirectoryServicesCOMException is thrown if the login failed. The information in this exception can be used to determine e.g. if the "password change" flag is set.
Unfortunately, using AuthenticationTypes.None is not a secure way, as the password is transmitted.
If I create the DirectoryEntry object with the parameter AuthenticationTypes.Secure, a COMException is thrown instead of a DirectoryServicesCOMException. This exception is very generic, as it always has the error code ERROR_LOGON_FAILURE. I cannot distinguish if the user has entered a bad password or if the password has to be changed.
MSDN documentation says: If AuthenticationTypes.Secure is set, the WinNT provider uses NTLM to authenticate the client. I guess this leads to a different behavior where only a COMException is thrown.
Works, but insecure:
var de = new DirectoryEntry(path, user, pass, AuthenticationTypes.None);
Secure, but throws only COMException:
var de = new DirectoryEntry(path, user, pass, AuthenticationTypes.Secure);
The first option uses basic authentication and throws specific DirectoryServicesCOMException, second option uses NTLM and throws only a generic COMException.
Has anyone an idea how I can detect if a user has to change the password, the account is locked or expired, logon times are invalid, ... or if the user has just entered a wrong password ?
Many thanks.
We are using spring security in our web application based on spring MVC.
We are doing authentication using LDAP module of spring security which is working properly. Now I need to get the user password from LDAP for saving in the database.
For this I am using this in my code.
public class PersonContextMapper implements UserDetailsContextMapper {
public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<GrantedAuthority> authorities) {
Person.Essence p = new Person.Essence(ctx);
p.setUsername(username);
p.setAuthorities(authorities);
Object passwordValue = ctx.getObjectAttribute("userPassword");
return p.createUserDetails();
}
public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
Assert.isInstanceOf(Person.class, user, "UserDetails must be a Person instance");
Person p = (Person) user;
p.populateContext(ctx);
}
}
But I am not getting the any value for the password. Its always null.
Please help.
PS. My authentication is successful. It means password entered in the login form is matches properly with the password stored in the LDAP.
It might be that the authentication state of the connection does not have permission to read the value of the userPassword attribute. Most often, applications issue a BIND request to the directory server, including appropriate controls as necessary. The password is included in the BIND request and the directory server changes the authentication state of the connection upon successful completion of the BIND request. In any case, the value of the userPassword attribute is encrypted or hashed more often than not, and applications have no need to read the value.