We run our domains via Google. We have those domains verified in Azure for various purposes.
What I'd like to accomplish is to allow my users that use O365 to be able to sign in with their Google Credentials. As I understand it, this is done through federation, SAML, and SSO. I've followed Google's instructions on setting this up and have hit a snag.
Using PowerShell's Set-MsolDomainAuthentication command I get an error every time I try to change the Authentication method from Managed to Federated. I can confirm that I can see the domains and their managed status via PowerShell commands, so I am at least connected to our Azure.
Set-MsolDomainAuthentication : Unable to complete this action. Try again later.
At line:1 char:1
+ Set-MsolDomainAuthentication
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.Online.Adm
inistration.Automation.SetDomainAuthentication
Azure logs show the attempt as
DirectoryManagement
Set domain authentication
Failure
Microsoft.Online.Workflows.ValidationException
Any help and direction is welcome. I've been searching high and low for solutions.
Side note: I have tried the convert command as well, with no luck.
Found a solution using this method rather than Google's prescribed method.
https://medium.com/#james.winegar/how-to-single-sign-on-sso-between-g-suite-and-office-365-with-g-suite-as-identity-provider-idp-5bf5031835a0
IMPORTANT SIDE NOTE: For some reason or another, you cannot federate multiple domains with the same entityID in Azure. The workaround is to add spaces to the end of the entityID and Location URLs.
In my instance, I edited the metadata.xml and added the space within the quotes. There are two Location URLs in the XML, make the same change in both of them.
IE entityID="https://accounts.google.com/o/saml2?idpid=yourGoogleId "
And Location="https://accounts.google.com/o/saml2/idp?idpid=yourGoogleId "
Repeat this process for each additional domain from the same entityID. Keep in mind this is NOT a supported workaround, so use with caution.
Solution:
Run the following command:
Set-MsolDomainAuthentication -Name <domainName> -Authentication Managed -ActiveLogOnUri <ActiveLogOnUri> -FederationBrandName <FederationBrandName> -PassiveLogOnUri <PassiveLogOnUri> -SigningCertificate <SigningCertificate> -IssuerUri <IssuerUri> -LogOffUri <LogOffUri> -MetadataExchangeUri <MetadataExchangeUri> -PreferredAuthenticationProtocol <PreferredAuthenticationProtocol>
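An added example, not code from either answer above: it reads an IdP metadata.xml, pulls out the values that feed the cmdlet's -IssuerUri, -PassiveLogOnUri and -SigningCertificate parameters, and reports domains that would share one issuer value, which is the condition the side note describes. The field-to-parameter mapping, the function names and the sample metadata (placeholder idpid and certificate) are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like an IdP metadata.xml; idpid and certificate are placeholders.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=yourGoogleId">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      PLACEHOLDERBASE64
      CERTIFICATEBODY
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=yourGoogleId"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=yourGoogleId"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def federation_params(metadata_xml):
    """Map IdP metadata fields to Set-MsolDomainAuthentication parameter names."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    cert = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    # Both bindings normally share one Location; refuse to guess if they differ.
    urls = {s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if cert is None or not cert.text or not root.get("entityID") or len(urls) != 1:
        raise ValueError("need entityID, a signing certificate and one sign-on URL")
    return {
        "IssuerUri": root.get("entityID"),
        "PassiveLogOnUri": urls.pop(),
        # Passed as one base64 string, so the line breaks from the XML are removed.
        "SigningCertificate": "".join(cert.text.split()),
    }


def issuer_collisions(issuer_by_domain):
    """Return {issuer: [domains]} for issuers assigned to more than one domain.

    Exact string comparison: a value padded with a trailing space counts as distinct.
    """
    groups = defaultdict(list)
    for domain, issuer in sorted(issuer_by_domain.items()):
        groups[issuer].append(domain)
    return {iss: doms for iss, doms in groups.items() if len(doms) > 1}
```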
I am trying to build a proof-of-concept integration with Azure Cloud into another system. I am not an Azure subject matter expert, so I am struggling with the end-to-end integration.
I am having trouble associating a "Network Security Group" to the "Network Interface". I am able to create both, but they do not associate to each other until I manually go into the Cloud Portal and associate.
I am using the following:
API Documentation:
https://learn.microsoft.com/en-us/rest/api/compute/virtualmachines
API Explorer:
https://resources.azure.com
I am calling the following end-points in order:
publicIPAddresses
https://management.azure.com/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/publicIPAddresses/{resourceName}?api-version=2018-07-01
networkInterfaces
https://management.azure.com/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/networkInterfaces/{resourceName}?api-version=2018-07-01
networkSecurityGroups
https://management.azure.com/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/networkSecurityGroups/{resourceName}?api-version=2018-07-01
virtualMachines
https://management.azure.com/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/virtualMachines/{resourceName}?$expand=instanceView&api-version=2018-06-01
Everything else works except the NSG associating to the NIC.
Within the "networkSecurityGroups" message, I pass in the following parameter under the properties node.
"networkInterfaces": [{
"id": "/subscriptions/" + subscriptionID + "/resourceGroups/" + resourceGroup + "/providers/Microsoft.Network/networkInterfaces/" + networkInterfaces
}
]
I've tried reversing it by referencing the NSG in the Interface REST call, but it still doesn't work. Oddly enough, I use the same syntax to associate the Interface to the VM itself, and that works as expected. Variations of the same syntax work with associating the PublicIP to the Interface, disks to VM, etc.
Any thoughts?
Pretty sure you need to add this under NIC properties section:
"networkSecurityGroup": {
"id": "NSG_Resource_Id"
}
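An added example, not code from the question or the answer: it builds the networkInterfaces request body with the NSG referenced under the NIC's properties, as the answer suggests, and adds a check that lists NICs carrying a public IP with no NIC-level NSG. The function names, the subnet reference and every sample ID are assumptions or constructed placeholders.

```python
def network_id(subscription_id, resource_group, resource_type, name):
    """Build a Microsoft.Network resource ID in the form used by the URLs above."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Network/{resource_type}/{name}")


def nic_body(location, subnet_id, nsg_id, public_ip_id=None):
    """Request body for the networkInterfaces PUT with the NSG referenced on the NIC."""
    ip_props = {"subnet": {"id": subnet_id}}
    if public_ip_id:
        ip_props["publicIPAddress"] = {"id": public_ip_id}
    return {
        "location": location,
        "properties": {
            "networkSecurityGroup": {"id": nsg_id},
            "ipConfigurations": [{"name": "ipconfig1", "properties": ip_props}],
        },
    }


def public_nics_without_nsg(nics):
    """Names of NICs that carry a public IP but no NIC-level NSG reference.

    A subnet-level NSG may still apply; this only inspects the NIC resource itself.
    """
    flagged = []
    for nic in nics:
        props = nic.get("properties", {})
        has_public_ip = any("publicIPAddress" in cfg.get("properties", {})
                            for cfg in props.get("ipConfigurations", []))
        if has_public_ip and not props.get("networkSecurityGroup", {}).get("id"):
            flagged.append(nic["name"])
    return flagged


# Constructed sample: placeholder subscription, resource group and resource names.
SUB, RG = "00000000-0000-0000-0000-000000000000", "demo-rg"
NSG_ID = network_id(SUB, RG, "networkSecurityGroups", "demo-nsg")
PIP_ID = network_id(SUB, RG, "publicIPAddresses", "demo-pip")
SUBNET_ID = network_id(SUB, RG, "virtualNetworks", "demo-vnet") + "/subnets/default"
GOOD_NIC = dict(nic_body("westeurope", SUBNET_ID, NSG_ID, PIP_ID), name="nic-with-nsg")
BARE_NIC = {"name": "nic-without-nsg", "properties": {"ipConfigurations": [
    {"name": "ipconfig1", "properties": {"subnet": {"id": SUBNET_ID},
                                         "publicIPAddress": {"id": PIP_ID}}}]}}
```

The NSG has to exist before the NIC can reference it, so in the call order listed in the question the networkSecurityGroups request would come before networkInterfaces.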
A few weeks ago this error started popping up.
Set-PSRepository : The specified Uri 'http://*****' for parameter
'SourceLocation' is an invalid Web Uri.
Please ensure that it meets the Web Uri requirements.
I'm not sure how to fix this short of uninstalling PowerShell. There is a workaround available on StackOverflow but it's clunky and will not work for me long term.
Frankly I'd rather just find where the PSRepositories are stored and edit the files manually when I need to.
The answer to this other question should help: Invalid Web Uri error on Register-PSRepository
It involves registering the repository using a local path first, then updating it to point to the URL.
Had the same issue; for me it was an expired certificate at my own repository. Exchanged the certificate and the error was gone.
I am trying to understand Kerberos & LDAP.
Working openldap (user information) & kerberos (authentication) are already installed.
I have migrated a unix user (user01) to openldap using "migrationtools".
The user and host principals below were also created using kadmin:
addprinc user01
addprinc -randkey host/host01.example.com
addprinc -randkey host/host02.example.com
Let's say, I have 3 hosts:
host01.example.com
host02.example.com
host03.example.com
Now, my question is: how can I make sure that "user01" can access only host01 & host02, NOT host03?
Thanks,
Obaid
Seems like we can do some workaround using sssd.
We can do it by editing "/etc/sssd/sssd.conf" and using "access_provider" parameter.
Considering my environment (openldap+krb5), first I tried the parameters below in the file "/etc/sssd/sssd.conf":
[domain/default]
access_provider = ldap
ldap_access_filter = memberOf=cn=demo1,ou=Groups,dc=example,dc=com
But as soon as I put in the parameter "access_provider = ldap", all the LDAP users failed to log in.
Then I tried the simple access method, with the parameters below in the file "/etc/sssd/sssd.conf":
access_provider = simple
simple_allow_groups = demo1,demo2
Simple access provider worked for me.
In above example demo1 & demo2 are groups defined only on openldap and "access_provider = simple" is working. So, it is a potential candidate as my solution. And I am using "id_provider = ldap".
I would like to hear other thoughts/solutions about this, so that we can find a good solution not only for me but also for others with a similar scenario.
Thanks,
Obaid
I am trying to use the xWebsite resource in PowerShell DSC, but it keeps failing to Set-TargetResource. The error is
PowerShell provider MSFT_xWebsite failed to execute Set-TargetResource functionality with error message:
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
The resource looks like
WindowsFeature IIS
{
    Ensure = "Present"
    Name = "Web-Server"
}
xWebsite Website
{
    Ensure = "Present"
    Name = "Website"
    PhysicalPath = "E:\www\site"
    State = "Started"
    BindingInfo = MSFT_xWebBindingInformation
    {
        Protocol = 'HTTP'
        Port = 7777
        HostName = '*'
    }
    DependsOn = "[WindowsFeature]IIS"
}
I just copied it from one of the DSC examples, and initially it did not return the above error. I do not know what changed, but now it cannot create the website on subsequent runs. There is not a lot of troubleshooting content on DSC yet either, and I am hoping that someone else has run into this problem as well.
Regarding the initial run not returning an error
This may be related to this bug.
Regarding the error itself
Let's check the obvious stuff first:
All components of the PhysicalPath must exist; the resource won't create any of those paths. So use a File resource to create them if needed then make xWebsite depend on it.
Make sure a different web site is not using the port.
You show a DependsOn but don't show the rest of your configuration. Make sure that you're actually specifying a WindowsFeature resource in your config for it to depend on.
If those don't help
Post the rest of your config (if there is more).
Check out the xDscDiagnostics module in the DSC Resource Kit. It's not a resource, it's 2 functions that help you turn on the diagnostic and debug logs for DSC and then retrieve the events related to a specific run. This should help you figure out the actual underlying error.
I ran into problems trying to use the xWebsite resource on Windows Server 2008 R2 too. Then I noticed that at the bottom of the documentation page, it says:
Verified on the following platforms
Windows Server 2012: Yes
Windows Server 2008 R2: No
I ended up debugging through the module code outside of DSC. I found that there were several bits that didn't work on 2008R2, and so had to create my own version of the module that worked on that operating system.
Sorry - no easy fix!
In WSO2 Enterprise Store 1.0.0 there is a mix about the hostname used to make connections.
You can set HostName and MgtHostName in carbon.xml. But there are files with fixed names, like
sso-idp-config.xml: (AssertionConsumerService) https://localhost:9443/store/acs
jaggeryapps\store\controllers\login.jag: (postUrl) "https://" + process.getProperty('carbon.local.ip') + ":" ...
localhost breaks every remote connection. IP address breaks SAML authentication and is not consistent with 3rd party certificates.
Is there an easy way to set the hostname all over the ES?
I tried this scenario only by updating AssertionConsumerService within sso-idp-config.xml and it works for me.
So you have to only update AssertionConsumerService within sso-idp-config.xml.
To work properly, the full list of files I had to modify is:
repository\conf\sso-idp-config.xml
repository\deployment\server\jaggeryapps\publisher\controllers\login.jag
repository\deployment\server\jaggeryapps\publisher\controllers\logout.jag
repository\deployment\server\jaggeryapps\social\controllers\login.jag
repository\deployment\server\jaggeryapps\social\controllers\logout.jag
repository\deployment\server\jaggeryapps\store\controllers\login.jag
repository\deployment\server\jaggeryapps\store\controllers\logout.jag
repository\deployment\server\jaggeryapps\store\themes\store\js\asset.js
login/logout files use the IP address (a bad choice when working with third-party certificates. It also breaks SAML authentication).
I lost a lot of time locating files with IP and localhost references. I think it should be reviewed and documented in future versions of the product.
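An added example, not part of the posts above or of the product: a scanner that walks an Enterprise Store directory and reports every line referring to localhost, an IP-literal URL or the carbon.local.ip property, so the files to edit can be located in one pass. The patterns, file extensions, function names and sample file contents are assumptions constructed for this example.

```python
import os
import re

# What the posts report as hard-coded: "localhost", IP-literal URLs, and the
# carbon.local.ip property that login.jag uses to build postUrl.
PATTERNS = {
    "localhost": re.compile(r"\blocalhost\b"),
    "carbon.local.ip": re.compile(r"carbon\.local\.ip"),
    "ip-literal-url": re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}\b"),
}
EXTENSIONS = (".xml", ".jag", ".js")


def find_host_refs(root):
    """Return sorted (relative path, line number, pattern name) for each match under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as handle:
                for lineno, line in enumerate(handle, 1):
                    hits += [(rel, lineno, kind)
                             for kind, rx in PATTERNS.items() if rx.search(line)]
    return sorted(hits)


# Constructed sample files (not the product's real contents) at paths named above.
SAMPLE_FILES = {
    "repository/conf/sso-idp-config.xml":
        "<AssertionConsumerService>https://localhost:9443/store/acs"
        "</AssertionConsumerService>\n",
    "repository/deployment/server/jaggeryapps/store/controllers/login.jag":
        "var postUrl = 'https://' + process.getProperty('carbon.local.ip');\n",
    "repository/conf/carbon.xml": "<HostName>es.example.com</HostName>\n",
}


def write_sample_tree(root):
    """Create SAMPLE_FILES under root so the scanner can be tried offline."""
    for rel, text in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(text)
```

Pointing find_host_refs() at the Enterprise Store home directory gives the list of lines to review after HostName and MgtHostName are set in carbon.xml.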