Environment: Linux / Apache / Shibboleth SP 2.6
I'm looking for some help with the mapping I would need to do in order to populate the REMOTE_USER variable. I'm not sure what exactly I need to add to the attribute-map.xml file in order to make that happen.
In the shibboleth2.xml file, we have ..
<ApplicationDefaults entityID="https://tap-jmistst-rv02.usmstest.doj.gov/shibboleth"
REMOTE_USER="eppn persistent-id targeted-id"
cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
What I don't understand is what I need to put in the attribute-map.xml file specifically in order to map the value of NameID to REMOTE_USER
When I hit my application URL, it does redirect to ADFS, and then I see that NameID is populated with my username in the Shibboleth transaction.log. What I'm trying to do is get REMOTE_USER set with that value.
Any help is greatly appreciated
The REMOTE_USER attribute in the ApplicationDefaults element above denotes a list of decoded attributes (in order of preference) that the SP will use to populate Apache's REMOTE_USER.
In order to populate this with the Assertion NameID, you need first to decode this into an attribute ( named persistent-id here but feel free to change it) with
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
and then assign it to REMOTE_USER with
REMOTE_USER="persistent-id"
In your
<ApplicationDefaults>
To get REMOTE_USER parameter populated in Linux (CentOS and RHEL 6 and 7), configure apache with mod_auth_ntlm_winbind. Then you can pass the parameter to your application.
To configure mod_auth_ntlm_winbind, refer: https://hemakhema.blogspot.ae/2017/07/enable-sso-login-in-linux.html
Related
I created a presto custom password authenticator plugin (internal) by making a copy of the LDAP plugin and modifying it. You can see that code here: https://github.com/prestodb/presto/tree/master/presto-password-authenticators/src/main/java/com/facebook/presto/password.
I created copies of the Authenticator, AuthenticatorFactory, and the config, and modified them to basically just take a user/password from the config and to only allow that user in. I also put the new class in the PasswordAuthenticatorPlugin registration code.
I can see the plugin loading when presto is started, but it doesn't appear to do anything despite no errors being present. What am I missing?
Note: I had already found a solution to this, I'm just recording it on SO as I originally came here and found no help.
To make a custom password plugin work, you actually need HTTPS enabled for communication with the coordinator. You can actually see this recommendation at the bottom of their documentation:
https://prestodb.github.io/docs/current/develop/password-authenticator.html
Additionally, the coordinator must be configured to use password authentication and have HTTPS enabled.
So, the steps to make it work are:
Make sure your main config.properties has "http-server.authentication.type=PASSWORD".
Make sure you add a password-authenticator.properties next to config properties with content like the sample in the link above. But make sure you use your string from your authenticator as the name, and that you add your configuration properties instead (user name and password).
Set up a JKS store or a real certificate (some instructions here from Presto for JKS: https://prestodb.github.io/docs/current/security/tls.html).
Add SSL config to your config.properties.
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/etc/presto-keystore/keystore.jks
http-server.https.keystore.key=password123
Set up your JDBC driver to use the same key store.
I wrote up a blog on it with a bit more detail as well if any of that doesn't make sense. But after doing all this, you should find that it does require a password and it does enforce your plugin.
https://coding-stream-of-consciousness.com/2019/06/18/presto-custom-password-authentication-plugin-internal/
We perform migration from enterprise version Alfresco 4.2 to the 5.1.
There are two Active Directory domains (primary and child) in company, for this reason we configure two LDAP(AD) subsystems in Alfresco 5.1.
Structure of properties:
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap2
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1
Problem is that authentication and synchronistaion work only for one ldap-ad subsystem (ldap1 or ldap2), which have first place in the list of authentication chain (ldap1 and ldap2 don't work together).
Authentication chain screenshot
For a example, if ldap1 have first place in the list, that user's login from ldap2 fails (and conversely!).
In this case I look error in alfresco.log:
Caused by: net.sf.acegisecurity.AuthenticationCredentialsNotFoundException: A valid SecureContext was not provided in the RequestContext
My properties:
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1/ldap-ad-authentication.properties
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s#fake.local
ldap.authentication.java.naming.provider.url=ldap://fake.local:***
ldap.authentication.defaultAdministratorUserNames=fake_user
ldap.authentication.java.naming.referral=follow
ldap.synchronization.java.naming.security.principal=fake_user#fake.local
ldap.synchronization.java.naming.security.credentials=somepassword
ldap.synchronization.groupSearchBase=ou=Archiv,ou=FileServerGroups,ou=Groups,dc=fake,dc=local
ldap.synchronization.userSearchBase=dc=fake,dc=local
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.userOrganizationalIdAttributeNameCustom=distinguishedName
ldap.synchronization.com.sun.jndi.ldap.connect.pool=true
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap2/ldap-ad-authentication.properties
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s#gss.fake.local
ldap.authentication.java.naming.provider.url=ldap://gss.fake.local:***
ldap.authentication.defaultAdministratorUserNames=fake_user
ldap.authentication.java.naming.referral=follow
ldap.synchronization.java.naming.security.principal=fake_user#fake.local
ldap.synchronization.java.naming.security.credentials=somepassword%
ldap.synchronization.groupSearchBase=ou=Archiv,ou=FileServerGroups,ou=Groups,dc=gss,dc=fake,dc=local
ldap.synchronization.userSearchBase=dc=gss,dc=fake,dc=local
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.userOrganizationalIdAttributeNameCustom=distinguishedName
ldap.synchronization.com.sun.jndi.ldap.connect.pool=true
alfresco-global.properties
### Authentication ###
#authentication.chain=ldap1:ldap-ad,ldap2:ldap-ad,alfrescoNtlm1:alfrescoNtlm
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad,ldap2:ldap-ad
Thanks in advance!
Finally, I resolved issue related to authentication users.
I put empty string of parametr:
ldap.authentication.userNameFormat=
for each LDAP subsystems in files ldap-ad-authentication.properties.
After, users from two ldaps could login successfully.
ldap.authentication.userNameFormat
Specifies how to map the user identifier entered by the user to that
passed through to LDAP. If set to an empty string (the default for the
ldap subsystem), an LDAP query involving
ldap.synchronization.personQuery and
ldap.synchronization.userIdAttributeName will be performed to resolve
the DN from the user ID dynamically. This allows directories to be
structured and does not require the user ID to appear in the DN.
If set to a non-empty value, the substring %s in this value will be
replaced with the entered user ID to produce the ID passed to LDAP.
This restricts LDAP user names to a fixed format. The recommended
format of this value depends on your LDAP server.
I'd like to assign multiple user assigned managed service identities to a VM Scale Set in Azure. I can do so by following the the docs.
What I have not figured out yet is how I can request a token for a specific identity.The docs for requesting a token via the IMDS endpoint do not mention any request parameters for specifying e.g. a clientId.
Any clues?
Christian,
You can request tokens for a particular managed identity, by passing in the client_id or object_id in the request. For example: curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/&object_id=<USERASSIGNED_OBJECT_ID>' -H Metadata:true -s
Our docs are being updated right now to properly include this info. Thanks for the note! :)
-Arturo
Previous answers provide the right pointer.
If you are using Azure SDKs to write your code, then you can use Azure.Identity library and the DefaultAzureCredential object as described here - https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme#specifying-a-user-assigned-managed-identity-with-the-defaultazurecredential
I created a key/value map using the platform API defined in this doc. I used the API-scoped url to create a key/value map named countrymap.
https://api.enterprise.apigee.com/v1/o/{org_name}/apis/{api_name}/keyvaluemaps
and plugged in the sample weather api I made while following the tutorials.
However I could not seem to refer to this map when I added a KeyValueMapOperations policy inside the API proxy. I tried adding a mapIdentifier="countrymap" to the definition (based on the samples) but it still does not see it.
<KeyValueMapOperations async="false" continueOnError="false" enabled="true" mapIdentifier="countrymap" name="keyvaluemapoperations-2">
<DisplayName>KeyValueMapOperations-2</DisplayName>
<FaultRules/>
<Properties/>
<ExclusiveCache>false</ExclusiveCache>
<ExpiryTimeInSecs>-1</ExpiryTimeInSecs>
<Get assignTo="my.country" index="1">
<Key>
<Parameter ref="apigee.countryCode"></Parameter>
</Key>
</Get>
<Scope>organization</Scope>
</KeyValueMapOperations>
The policy works if I add an <InitialEntries> definition to the code above.
According to the Key/Value Maps docs:
Key/ValueMaps provide an API for storing arbitrary name/value pairs
that can be access at runtime by custom policies, or for other custom
runtime requirements such as protocol support.
Do custom policies include the KeyValueMapOperations policy? What am I missing here?
As you mentioned, you put the KeyValueMap in the scope of the api. To access that KVM, you'll need to use:
<Scope>apiproxy</Scope>
See the details for configuring the policy here.
Step 1: Verify if teh keyvalumap is correctly created:
/v1/o/{org_name}/apis/{api_name}/keyvaluemaps" --> this should list the countrymap KVM
Step 2: Populate the KVM before trying to do a GET call on it.You can populate it either by using API Calls (apigee.com/docs/api/api_methods/62-update-keyvaluemap) , or by Using PUT operation of KeyValueMapOperations as shown here (apigee.com/docs/api-services/content/persist-data-using-keyvaluemap)
Step 3: Check the entries of KVM
/v1/o/{org_name}/apis/{api_name}/keyvaluemaps/countrymap
Step 4: You can use the same KeyValueMapOperations Polices as given in example to do a get on the KVM
I was also facing this issue and after making below change in KeyValueMapOperations, it started working for me.
<Scope>apiproxy</Scope>
<Parameter>apigee.countryCode</Parameter>
My website is running on .Net and i'm using SDL Tridion 2009.
When a user logs in, I can see that the REMOTE_USER variable is correctly stored in the taf:server:variables group in the claim store (using a .net script).
In my cartridge (java) i'm trying to extract this value, but I can see when printing everything in the claim store this value is blank.
my Java code looks like this:
Map serverParameters = (Map)claimStore.get(WebClaims.SERVER_VARIABLES);
for (Object key: serverParameters.keySet()) {
log.debug("Key : " + key.toString() + " Value : " + serverParameters.get(key));
}
Update:
My cartridge configuration contains the following inputclaim:
<InputClaims>
<ClaimDefinition Uri="taf:server:variables" />
</InputClaims>
This unfortunately doens't help, I've also tried taf:server:variables:remoteuser / remote_user / * with no success.
When I inspect the log, i see the key REMOTE_USER but the value is blank.
I was wondering if anyone else has seen this scenario and knows the solution.
It's perfectly valid for REMOTE_USER to be empty, if the request is done without authentication (i.e. anonymous access is allowed).
So that seems the most obvious issue. You should not expect it to always be set, but you can of course enforce an authentication scheme for the relevant URLs on your server so that it is filled correctly in the cases you want your cartridge to handle.
P.S. The input claim section is not relevant in this case, as the server variables are not set by a cartridge but by the HTTP Module. The input and output claims are only used to determine the dependencies between (and thus the order of) cartridges.