Wsfedsaml2 - Decryption key - adfs

I'm trying to use this api: https://github.com/auth0/passport-wsfed-saml2 to implement a SSO in my application.
I've configured an ADFS serve in a virtual box.
When I try to log in it gives de following message: Assertion is encrypted. Please set options.decryptionKey with your decryption private key.
Where do I get this decryption key? I'm little lost.
Thanks in advance.

With what I understood you have to keep your copy of private key either in your codebase or read it from some enviroment variable.
And in your code
passport.use('wsfed-saml2', new wsfedsaml2({
protocol: "samlp",
// This is the private key (use case where ADFS
// is configured for RP token encryption)
decryptionKey: fs.readFileSync("your+key+path+privateKey")
}, function (profile, done) {
// ...
}));
Hope this helps

Related

Getting "Missing or malformed Token" while using gofiber firebase-auth

I am trying to run Gofiber firebase-auth. I have generated a private key from Firebase Console, Settings -> Service Account -> Generate new private key and have given the file path to:
.env:
GOOGLE_SERVICE_ACCOUNT = 'C:/Users/Desktop/flutter-demo.json'
WEB_API_KEY = "<API_KEY>" // from config section of general settings at firebase console
TEST_USER_EMAIL = "test#test.com"
TEST_USER_PASSWORD = "test123"
which is used in main.go:
serviceAccount, fileExi := os.LookupEnv("GOOGLE_SERVICE_ACCOUNT")
opt := option.WithCredentialsFile(serviceAccount)
But, on accessing any of the Authenticated Routes, I'm getting:
Missing or malformed Token
Can anyone please help, maybe I'm doing some mistake or missing something from the docs
Hi below is an example of using gofiber firebase auth,
https://github.com/gofiber/recipes/tree/master/firebase-auth
Hope this will help you. Thanks
Thanks to Sachintha, one needs to send an Authorization Header token from login with the user name and password, as go firebase auth just a middleware to check whether endpoints are authenticated and it does not provide any authentication or user login.

How should I sign a CSR using a signature created in HSM, in C# .NET Core?

I'm exhausted after looking for an answer for 3 days. I don't know if my suggested flow is wrong or my Google skills have really deteriorated.
My API needs to create a valid certificate from a CSR it received, by signing it with a private key that exists ONLY inside an HSM-like service (Azure KeyVault), which unfortunately doesn't offer Certificate Authority functions BUT does offer signing data with a key that exists there. My CA certificate's private key is stored in the HSM. I'm using ECDSA.
My suggested flow:
Client generates Key Pair + CSR and sends CSR to API
API creates a certificate from the CSR
API asks HSM to sign the CSR data and receives back a signature
API appends the signature to the certificate and returns a signed (and including CA in chain) certificate to the Client
I'm using C# .NET Core and would like to keep it cross-platform (as it runs in Linux containers), so I have to keep it as native as possible or using Bouncy Castle (which I'm still not sure if runs in Linux .NET Core).
I really appreciate your help!
I had faced a similar issue and found a solution. You'll have to use the PKCS11Interop.X509Store library.
The solution uses dotnet core native System.Security.Cryptography.X509Certificates.CertificateRequest::Create method
for generating a certificate.
As per the docs:
Pkcs11Interop is managed library written in C# that brings the
full power of PKCS#11 API to the .NET environment
Pkcs11Interop.X509Store is managed library built on top of
Pkcs11Interop. It's main goal is to provide easy to use PKCS#11 based
read-only X.509 certificate store that can be easily integrated with
standard .NET ecosystem.
Till v0.3.0, implementation for issuing a certificate (i.e signing a CSR) is not available.
With minor modifications in the PKCS11Interop library, I was able to sign the CSR.
Mentioned in Issue #30, the code is now added in the PKCS11Interop.X509Store library version 0.4.0.
The below code is taken from test cases for BasicEcdsaCertificateRequestTest. Test cases for RSA CertificateRequest are also there.
// Load PKCS#11 based store
using (var pkcs11Store = new Pkcs11X509Store(SoftHsm2Manager.LibraryPath, SoftHsm2Manager.PinProvider))
{
// Find signing certificate (CA certificate)
Pkcs11X509Certificate pkcs11CertOfCertificateAuthority = Helpers.GetCertificate(pkcs11Store, SoftHsm2Manager.Token1Label, SoftHsm2Manager.Token1TestUserEcdsaLabel);
// Generate new key pair for end entity
ECDsa ecKeyPairOfEndEntity = ECDsa.Create(ECCurve.NamedCurves.nistP256);
// Define certificate request
CertificateRequest certificateRequest = new CertificateRequest(
new X500DistinguishedName("C=SK,L=Bratislava,CN=BasicEcdsaCertificateRequestTest"),
ecKeyPairOfEndEntity,
HashAlgorithmName.SHA256);
// Define certificate extensions
certificateRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
certificateRequest.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(certificateRequest.PublicKey, false));
certificateRequest.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, false));
// Issue X.509 certificate for end entity
X509Certificate2 certificateOfEndEntity = certificateRequest.Create(
pkcs11CertOfCertificateAuthority.Info.ParsedCertificate.SubjectName,
X509SignatureGenerator.CreateForECDsa(pkcs11CertOfCertificateAuthority.GetECDsaPrivateKey()),
DateTimeOffset.UtcNow,
DateTimeOffset.UtcNow.AddDays(365),
new BigInteger(1).ToByteArray());
// Verify signature on X.509 certificate for end entity
Assert.IsTrue(CaCertSignedEndEntityCert(pkcs11CertOfCertificateAuthority.Info.ParsedCertificate.RawData, certificateOfEndEntity.RawData));
// Asociate end entity certificate with its private key
certificateOfEndEntity = certificateOfEndEntity.CopyWithPrivateKey(ecKeyPairOfEndEntity);
// Export end entity certificate to PKCS#12 file
string basePath = Helpers.GetBasePath();
string pkcs12FilePath = Path.Combine(basePath, "BasicEcdsaCertificateRequestTest.p12");
File.WriteAllBytes(pkcs12FilePath, certificateOfEndEntity.Export(X509ContentType.Pkcs12, "password"));
}
Hope this helps.

iOS Swift - Virgil Security user is already registered - private key not found

Context
When using the Virgil Security SDK for iOS swift after authenticating "Alice" and fetching a JWT token, upon registration an error always states that a user is already registered. This happens on first login even after clearing a device or using a new device. Further more when trying the eThree.authEncrypt() method for text an error always states that a private key is not found on the device, even though eThree.hasPrivateKey() is returning true.
Code Tried
do {
let params = try EThreeParams(identity: "Alice", tokenCallback: self.virgil.authWithVirgil)
let ethree = try EThree(params: params)
ethree.register { error in
guard error == nil else {
// Error handling here
print(error?.localizedDescription) //User is already registered
return
}
print("New Registration")
// User private key loaded, ready to end-to-end encrypt!
}
} catch {
print(error.localizedDescription)
}
Questions
Why after clearing a device or using a new device does the code tell me that a user is already registered?
Why does hasPrivateKey return true but then when using authEncrypt there is an error saying there it no private key in the device?
Q1
Why after clearing a device or using a new device does the code tell me that a user is already registered?
Short answer: There is no local private key within a cleared device or within a new device.
From the official documentation.
The EThree.register() function checks whether a user already has a private key saved in local storage, and a published public key on the Virgil Cloud. If the user doesn't have them, the function generates a new keypair for the user, saves the private key locally...
Q2
Why does hasPrivateKey return true but then when using authEncrypt there is an error saying there it no private key in the device?
LocalKeyStorage.retrieveKeyPair() can be used to define private key presence.
Best practice
To support login across multiple-devices Key Backup mechanism can be used.
Q1
Why after clearing a device or using a new device does the code tell
me that a user is already registered?
Registered is not related to the presence of a private key. One user can only have one private key. Once it has been registered to one device it cannot be used in other devices without having made a backup to Virgil Cloud when first adding a user to a device.
Once a user has a private key on one device they can't have a private key on other devices except by fetching the private through Virgil Cloud with a password, or by calling eThree.rotatePrivateKey().

Using GraphServiceClient to retrieve group info of Azure Ad members

i want to retrieve all members of a Azure Ad group within my backend application. I followed the steps here and here and here is my code:
But I always get this error when using the method:
Microsoft.Graph.ServiceException: Code: generalException Message: An
error occurred sending the request.
---> Microsoft.Graph.Auth.AuthenticationException: Code:
authenticationChallengeRequired Message: Authentication challange is
required.
Can someone help me with that? I didn't find this specific error.
Obviously these parameters(clientId/tenantId/clientSecret/groupId) need to be replaced with specific strings.
You could find clientId and tenantId via App registrations-> Overview:
clientSecret via App registrations-> Certificates & secrets:
groupId via Azure Active Directory -> Groups:
You could also store the specific strings in a profile and read the strings in the file.
And the sample will help you to understand it.
AccountController.cs :
IConfidentialClientApplication daemonClient;
daemonClient = ConfidentialClientApplicationBuilder.Create(Startup.clientId)
.WithAuthority(string.Format(AuthorityFormat, tenantId))
.WithRedirectUri(Startup.redirectUri)
.WithClientSecret(Startup.clientSecret)
.Build();
Web.config :
<add key="ida:ClientId" value="[Enter your client ID]" />
<add key="ida:ClientSecret" value="[Enter your client secret]" />
Startup.Auth.cs :
public static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
public static string clientSecret = ConfigurationManager.AppSettings["ida:ClientSecret"];
public static string redirectUri = "https://localhost:44316/";
did you register an app registration in azure ad, create a secret, set the proper api permissions?
there are even quickstarts in the app registration portal that helps you configure the code and give you a pre set up project that you can experiment with.
Also your code seems to be missing scopes, you need to request the appropriate scopes for graph api token to access groups.
I think the documentation here is better: https://github.com/microsoftgraph/msgraph-sdk-dotnet-auth
and if you check the unit tests here for authorization code flow: https://github.com/microsoftgraph/msgraph-sdk-dotnet-auth/blob/dev/tests/Microsoft.Graph.Auth.Test/ConfidentialClient/AuthorizationCodeProviderTests.cs
gives you a good example of how to make it work.

Novell eDirectory with .NET DirectoryServices

In our company, we have a project which should use Novell eDirectory with .net applications.
I have tried Novell Api (http://www.novell.com/coolsolutions/feature/11204.html) to connect between .NET applications. It is working fine.
But, as per requirement, we specifically need .net API to connect not with Novell Api, which is not working. Connection and binding with .NET Api DirectoryServices not working.
Our Novell eDirectory is installed with following credentials:
IP address: 10.0.x.xx(witsxxx.companyname.com)
Tree : SXXXX
New Tree Context: WIxxxK01-NDS.OU=STATE.O=ORG
ADMIN Context is: ou=STATE,o=ORG
admin : admin
password: admin
I used Novell Api and used following code
String ldapHost ="10.0.x.xx";
String loginDN = "cn=admin,cn=WIxxxK01-NDS,OU=STATE,o=ORG";
String password = string.Empty;
String searchBase = "o=ORG";
String searchFilter = "(objectclass=*)";
Novell.Directory.Ldap.LdapConnection lc = new Novell.Directory.Ldap.LdapConnection();
try
{
// connect to the server
lc.Connect(ldapHost, LdapPort);
// bind to the server
lc.Bind(LdapVersion, loginDN, password);
}
This is binding correctly and searching can be done.
Now my issue is with when I trying to use .NET APi and to use System.DirectoryServices
or System.DirectoryServices.Protocols, it is not connecting or binding.
I can't even test the following DirectoryEntry.Exists method. It is going to exception.
string myADSPath = "LDAP://10.0.x.xx:636/OU=STATE,O=ORG";
// Determine whether the given path is correct for the DirectoryEntry.
if (DirectoryEntry.Exists(myADSPath))
{
Console.WriteLine("The path {0} is valid",myADSPath);
}
else
{
Console.WriteLine("The path {0} is invalid",myADSPath);
}
It is saying Server is not operational or Local error occurred etc. I don't know what is happening with directory path.
I tried
DirectoryEntry de = new DirectoryEntry("LDAP://10.0.x.xx:636/O=ORG,DC=witsxxx,DC=companyname,DC=com", "cn=admin,cn=WIxxxK01-NDS,o=ORG", "admin");
DirectorySearcher ds = new DirectorySearcher(de, "&(objectClass=user)");
var test = ds.FindAll();
All are going to exceptions.
Could you please help me to solve this? How should be the userDN for DirectoryEntry?
I used System.DirectoryServices.Protocols.LdapConnection too with LdapDirectoryIdentifier and System.Net.NetworkCredential but no result. Only same exceptions.
I appreciate your valuable time and help.
Thanks,
Binu
To diagnose your LDAP connection error, get access to the eDirectory server from the admins, and use iMonitor (serverIP:8028/nds and select Dstrace), in Dstrace clear all tabs and enable LDAP tracing, then do your bind see what happens on the LDAP side to see if there is a more descriptive error there. Or if you even get far enough to bind and make a connection.

Resources