Impossible to connect to SSO idp - symfony

I have a question. We have an app under Symfony 5.4 which provides a SAML connector via the OneloginSamlBundle bundle.
This app is installed at different customers.
Normally, for the majority of customers, when we connect to their IdP, we get a response like this:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
...
<saml:Subject>
...
<saml:AttributeStatement>
<saml:Attribute Name="uid">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">john_doe</saml:AttributeValue>
</saml:Attribute>
and we are able to map the attribute uid to the username in our application.
The problem is with a customer who uses AD FS: the response looks like this:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ... >
<Subject>
<NameID>john_doe</NameID>
...
</Subject>
And as the bundle has this code to retrieve the attribute, it doesn't work:
$entries = $this->_queryAssertion('/saml:AttributeStatement/saml:Attribute');
Do you know if AD FS could be configured to send a response with <saml:Attribute> ?

I found the solution:
The customer added a claim rule (https://help.blackboard.com/Learn/Administrator/SaaS/Authentication/Implement_Authentication/SAML_Authentication_Provider_Type/SAML_Setup_Guide_for_ADFS) with the correct Attribute Name, and even though the XML message is without the saml: prefix, it worked.
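
Why the un-prefixed AD FS message still matched once the claim rule was added, as an added example (not code from OneloginSamlBundle or from the original post): XPath matches elements by namespace URI, so the saml: prefix in the query and the prefix, or lack of one, in the document need not agree. The helper extractUsername and the sample XML are constructed for illustration.

```php
<?php
// Added example. Assumes the SAML library has already verified the signature
// on the response; this only shows how the username lookup matches nodes.
const NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol';
const NS_SAML  = 'urn:oasis:names:tc:SAML:2.0:assertion';

/** Hypothetical helper: ['attribute'|'nameid', value], or null if neither exists. */
function extractUsername(string $xml, string $attrName = 'uid'): ?array
{
    libxml_use_internal_errors(true);          // parse errors become a false return
    $doc = new DOMDocument();
    if ($xml === '' || !$doc->loadXML($xml, LIBXML_NONET) || $doc->doctype !== null) {
        return null;                           // malformed input or a DTD: refuse it
    }
    $xp = new DOMXPath($doc);
    // Prefixes registered here are local to the queries; nodes match by namespace URI.
    $xp->registerNamespace('samlp', NS_SAMLP);
    $xp->registerNamespace('saml', NS_SAML);
    $assertion = '/samlp:Response/saml:Assertion';

    // Compare Name in PHP instead of splicing $attrName into the XPath string.
    foreach ($xp->query($assertion . '/saml:AttributeStatement/saml:Attribute') as $attr) {
        $value = $xp->query('saml:AttributeValue', $attr)->item(0);
        if ($attr->getAttribute('Name') === $attrName && $value !== null) {
            return ['attribute', trim($value->textContent)];
        }
    }
    // No matching attribute (the AD FS response before the claim rule): use NameID.
    $nameId = $xp->query($assertion . '/saml:Subject/saml:NameID')->item(0);
    return $nameId !== null ? ['nameid', trim($nameId->textContent)] : null;
}

// Constructed samples: the assertion namespace is the default one (no saml: prefix).
$open    = '<samlp:Response xmlns:samlp="' . NS_SAMLP . '"><Assertion xmlns="' . NS_SAML . '">';
$close   = '</Assertion></samlp:Response>';
$subject = '<Subject><NameID>jdoe@example.test</NameID></Subject>';
$claim   = '<AttributeStatement><Attribute Name="uid"><AttributeValue>john_doe'
         . '</AttributeValue></Attribute></AttributeStatement>';

var_dump(extractUsername($open . $subject . $close));           // NameID only
var_dump(extractUsername($open . $subject . $claim . $close));  // after the claim rule
```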

Related

ADFS 2016 On behalf of flow : cannot get any user informations

I'm trying to implement the "on behalf of" flow in an application using ADFS 2016 as STS. As a reference, I look at this Microsoft tutorial (https://learn.microsoft.com/en-ca/windows-server/identity/ad-fs/development/ad-fs-on-behalf-of-authentication-in-windows-server). It's working as it should, I can log in to my web application and then use my original access token in UserAssertion to generate a new access token with the proper audience to call my API, BUT I found absolutely no way to include any user information (sub, name, email, upn etc.) in the access token for my API, even if I set claim rules in my ADFS configuration for the API.
I checked the communication between my app and ADFS using Fiddler and everything looks like the information in the tutorial. See the screenshot of the "on behalf of" request below:
Here's the resulting access token :
Finally, here's the code I use to generate my new access token :
    private async Task<string> GetAccessToken(ClaimsPrincipal user, string originalAccessToken)
    {
        var authority = "[authority]";
        // Second argument (validateAuthority) is false.
        var context = new AuthenticationContext(authority, false);
        string userName = user.FindFirstValue("upn");
        // Wrap the incoming access token as a JWT bearer assertion for the on-behalf-of request.
        var userAssertion = new UserAssertion(originalAccessToken, "urn:ietf:params:oauth:grant-type:jwt-bearer", userName);
        // Client id and secret of the middle-tier web application.
        var cc = new ClientCredential("https://localhost:44387/", "[client_secret]");
        // Request a new token whose audience is the downstream API.
        var result = await context.AcquireTokenAsync("https://localhost:44339/", cc, userAssertion);
        return result.AccessToken;
    }
Have you struggled with that scenario and, if yes, did you find a way to fix this?
Thanks
I've only used the Microsoft On Behalf Of flow with Azure AD and not ADFS, but it looks like you need to send a more detailed scope in your User Info request.
Maybe try sending 'openid profile email', to indicate that you want that type of detail, as in Section 17 of my blog post. Of course this assumes that this type of data has been registered for all users.
TROUBLESHOOTING
Looks like one of these will be the cause:
A suboptimal Microsoft library that does not allow you to send the required scope
Or ADFS 2016 perhaps lacks the scope features that work correctly in Azure AD
I would concentrate on making extra sure you are sending the correct form URL encoded request message, using a tool such as curl, Postman or a plain C# HttpClient. Here is the code I used to send the correct scope - using an open source library rather than a Microsoft one:
Sample NodeJS Code
If you can get the scope sent correctly then you should have a resolution either way:
Either you get the correct data and can update your code
Or the behaviour you want is not supported by ADFS
Good luck ...

Scope validation with FOSOAuthServerBundle

I'm using FOSOAuthServerBundle with Symfony 2.7.
I would like to use scopes to differentiate two types of clients:
scope_default : the client can only access the authenticated user information
scope_master : the client can read everything
I added the property reachable_scopes in my Client Entity.
How can I make sure a client won't ask for the scope_master if he isn't allowed to ?
Thank you !

Apache Oltu Linkedin Integration example

I am looking to develop a Spring MVC + Apache Oltu + LinkedIn integration example. In this example, you need to send the Client ID and Client Secret to access the private resource from the LinkedIn site.
First Step - we need to create App in Linkedin, follow the steps: http://codeboxr.com/how-to-create-linkedin-app.html
Once App is created, you need to make sure you've given value for the redirect URL.
In the java code I used
setScope("r_network w_share r_basicprofile")
setState("987654321")
When I used the following code:
request= new OAuthBearerClientRequest("https://api.linkedin.com/v1/people/").buildQueryMessage();
I get the following error. Could anyone please help?
Could not access resource: 401 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error>
<status>401</status>
<timestamp>1429554559432</timestamp>
<request-id>QJWNLL5PWX</request-id>
<error-code>0</error-code>
<message>Unknown authentication scheme</message>
</error>
An important thing, I am getting correct details below, but seems accessing private resources:
{"access_token":"SQXZVmVM05AOzDB_DdBm5iaJkrEC8oK-FgE1m1snEZbMcKUODew9I0ZQ6NWc8JtGDxTtEd-yyPul0FtF3-hG4ah6LZ9P4oaSVuhhtybRFmjfsZcJwOs5Lm2IDUGQnjmq5EdT3PVR7Bocq31VBXg0JtkQdImab945oicO_w2j6CjlByp-bWw",
"expires_in":5108376}
It seems that you're successfully obtaining an OAuth 2.0 access token; you'll need to pass access_token in a query parameter when making API calls. That's how OAuth 2.0 authentication is handled (OAuth 1.0 required the access token to be in the header whereas OAuth 2.0 relies on a query parameter).
For example:
GET https://api.linkedin.com/v1/people/~?oauth2_access_token={your-access-token}
Please follow the link if you require more details: https://developer-programs.linkedin.com/forum/unknown-authentication-scheme
If you send the token along with the request to access protected resources, then you should be getting the following details.
The corrected code snippet:
    request = new OAuthBearerClientRequest(
            "https://api.linkedin.com/v1/people/~?oauth2_access_token=" + oAuthResponse.getAccessToken())
        .buildQueryMessage();
In my example, I am getting the following HTTP 200 OK response, just wanted to show you:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<person>
<id>LLIyXMKhNI</id>
<first-name>FirstName</first-name>
<last-name>LastName</last-name>
<headline>Spring Developer at Amazon</headline>
<site-standard-profile-request>
<url>https://www.linkedin.com/profile/view?id=154416688&authType=name&authToken=ipNL&trk=api*a4360331*s4423501*</url>
</site-standard-profile-request>
</person>
Hope this will help you.

OpenAM J2EE agent installation bringing down tomcat

OpenAM version 12, Agent version 3.5 and 3.3, Tomcat version 7
I have tried to follow the link https://forums.alfresco.com/forum/installation-upgrades-configuration-integration/authentication-ldap-sso/sso-openam-06052012 to set up my J2EE Agent. Let me paste the steps after asking the question (see at the end),
but I am getting the error as asked below:
Not able to configure J2ee agent on adding my customized data store for users
I have tried to use 3.5 version installed and uninstalled multiple times and tried previous version.
There is a nice discussion on this topic at http://database.developer-works.com/article/16009911/%22Cannot+obtain+Application+SSO+token%22+error
but it did not help me much.
I am using LDAP so I have used LDAP realm and subjects are showing up ok. Also I am observing that the policy tab has changed quite a bit from how it is described in the Blogs.
Now with the roadblock I am not sure how to proceed as the error is not giving me any clue what to do. I even added the file named AMConfig.properties in the classpath with the username and password of the agent, and tried the username and password of the OpenAM admin too, as suggested in the discussion mentioned, but that too did not help.
The issue is that Tomcat now is not starting and gives an error that AMConfig.properties properties are needed.
I know the OpenAM Realm setup is good as I am able to log in via this realm to another application (Liferay) where I just have to give the URL to use OpenAM integration. But after uninstallation of the agent, Tomcat starts without any error and I am able to log in to the application.
-------------------Step copied from 1st link(modified)--------------------------
1. Configure your OpenAM agent (tried both 3.5 and 3.3 version on tomcat 7)
a. Log into OpenAM as the admin user and navigate to "Access Control -> (Your Realm) - where in my case LDAP Realm (other application using it without issue)
b. Select Policies -> New Policy
c. Enter Share as the policy name and then create 2 new URL Policy agent rules
d. 1st Resource Name = http://:/share/*
e. 2nd Resource Name = http://alfresco.domain.com:8080/share/*?*
f. Add a subjects - already part of LDAP Realm
g. Now select Agents -> J2EE - > (your J2EE agent)
h. Select the Application tab
i. Login Processing -> Login Form URI - add /share/page/dologin
j. Logout Processing -> Application Logout URL - add Map Key = share - Corresponding Map Value = /share/page/dologout
k. Not Enforced URI Processing - Add 2 entries - /share and /share/
l. Profile Attributes Processing - Select HTTP_HEADER and add Map Key = uid - Corresponding Map Value = SsoUserHeader (This is what I called my header in the alfresco-global.properties file - see below)
Auth chain
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
alfresco.authentication.allowGuestLogin=true
SSO settings
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyUserName=
external.authentication.proxyHeader=SsoUserHeader
NOTE- It does not seem possible to configure SSO where the Guest login has been disabled. There are webscripts used on the Alfresco repository that need guest login.
That concludes the setup for Alfresco and OpenAM
For Share you need to have the following section uncommented in your share-config-custom.xml
alfresco/web-extension/alfresco-system.p12
pkcs12
alfresco-system
alfrescoCookie
Alfresco Connector
Connects to an Alfresco instance using cookie-based authentication
org.alfresco.web.site.servlet.SlingshotAlfrescoConnector
alfrescoHeader
Alfresco Connector
Connects to an Alfresco instance using header and cookie-based authentication
org.alfresco.web.site.servlet.SlingshotAlfrescoConnector
SsoUserHeader
alfresco
Alfresco - user access
Access to Alfresco Repository WebScripts that require user authentication
alfrescoHeader
http://alfreso.domain.com:8080/alfresco/wcs
user
true
Notice I am not using the SSL cert and in my alfrescoHeader connector I have used SsoUserHeader (as setup in OpenAM) and the endpoint uses the alfrescoHeader connector
Now you need to add the OpenAM filter to the Share web.xml file
Add the following filter just before the Share SSO authentication support filter
Agent
com.sun.identity.agents.filter.AmAgentFilter
Add the following filter mapping to the filter-mapping section
Agent
REQUEST
INCLUDE
FORWARD
ERROR
----- End ----------
The error message is a bit misleading: the Cannot obtain application SSO token in general means that the agent was unable to authenticate itself. When you install the agent, the agent asks for a profile name and a password file, those values need to correspond to the agent profile configured within OpenAM.
To test if you can authenticate as the user, you could simply try to authenticate as the agent by making the following request:
curl -d "username=profilename&password=password&uri=realm=/%26module=Application" http://aldaris.sch.bme.hu:8080/openam/identity/authenticate
In the above command the realm value needs to be the same as the value for the "com.sun.identity.agents.config.organization.name" property defined in OpenSSOAgentBootstrap.properties (under the agent's install directory).
Having bad username/password combination is only one of the possible root causes for this exception though. It is also possible that during startup the agent was unable to connect to OpenAM to authenticate itself. In those cases the problem could be:
network error, firewall issues preventing the agent from contacting OpenAM
SSL trust issues: agent's JVM does not trust the certificate of OpenAM's container (only problem if you've installed the agent by providing OpenAM's HTTPS URL and the certificate is self-signed or just simply not trusted by the JVM)

custom user provider in Symfony2

I am trying to configure a custom user provider in Symfony 2 to create a login mechanism using the DB as a storage system. Just as the tutorial says, I have added this definition to my security.xml:
<provider name="in_db">
<entity class="Nourdine\BusinessBundle\Entity\AuthenticatedUser" property="username" />
</provider>
Unfortunately this breaks everything and I get a nasty:
InvalidConfigurationException: Unrecognized options "entity" under
"security.providers.in_db"
What am I doing wrong?
thanks
Which tutorial are you following?
The official cookbook is recommended: http://symfony.com/doc/current/cookbook/security/custom_provider.html
In your security config, you are giving the User class as a provider. Big difference.
Your UserProvider needs to be a service. You then provide its service id under providers.
Unless you are trying to use the AuthenticatedUser's repository?
