Nextcloud and Google SAML SSO: Error parsing the request, No SAML message present in request - single-sign-on

I am struggling a bit to get Nextcloud to work with Google as the SSO provider. When the URL target of the IdP is https://accounts.google.com/o/saml2/idp?idpid=xxxxxxx, I get
403. That’s an error.
Error: app_not_configured_for_user
So, following the suggestion here, I changed the URL to
https://accounts.google.com/accountchooser?continue=https://accounts.google.com/o/saml2/idp?idpid=xxxxxx
This redirects me to the Google account chooser, but after selecting my account I then get
null. That’s an error.
Error parsing the request, No SAML message present in request That’s all we know.
Sometimes I am not asked for a user account at all, and then I get the following from Nextcloud:
Account not provisioned.
Your account is not provisioned, access to this service is thus not possible.

What worked for me is to configure Google with these attribute mappings,
while on Nextcloud I configure SAML as follows.
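The "No SAML message present in request" error is what a SAML IdP reports when the browser arrives at its SSO URL without a SAMLRequest parameter. The following is an added example, not code from the post or from Nextcloud's user_saml app: it builds an SP-initiated AuthnRequest, encodes it with the SAML 2.0 HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding), decodes it again, and shows how wrapping that redirect in an unencoded accountchooser?continue= URL splits off the SAMLRequest parameter. The idpid value, the Nextcloud entity id and ACS URL are placeholders; whether Google's account chooser honours a percent-encoded continue value is not something the example can verify.

```python
import base64
import datetime
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed values: Google's IdP SSO URL with a placeholder idpid, and a hypothetical
# Nextcloud SP entity id and ACS URL. None of these come from the post.
IDP_SSO_URL = "https://accounts.google.com/o/saml2/idp?idpid=IDPID_PLACEHOLDER"
SP_ENTITY_ID = "https://cloud.example.org/index.php/apps/user_saml/saml/metadata"
SP_ACS_URL = "https://cloud.example.org/index.php/apps/user_saml/saml/acs"
ACCOUNT_CHOOSER = "https://accounts.google.com/accountchooser"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None):
    """Build a minimal unsigned SAML 2.0 AuthnRequest (ElementTree handles XML escaping)."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    req = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest.
    Google's SSO URL already carries idpid=..., so the parameter is appended with '&'."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    sep = "&" if urllib.parse.urlparse(idp_sso_url).query else "?"
    return idp_sso_url + sep + urllib.parse.urlencode(params)


def extract_saml_request(url):
    """Undo the binding. Raises ValueError with the IdP-style message when nothing is there."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    if "SAMLRequest" not in query:
        raise ValueError("No SAML message present in request")
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode("utf-8")


def summarize_authn_request(authn_request_xml):
    """Pull the fields an IdP validates first out of a decoded AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    return {"ID": root.get("ID"), "Destination": root.get("Destination"),
            "Issuer": root.findtext(f"{{{SAML_NS}}}Issuer")}


def wrap_in_account_chooser(target_url, encode=True):
    """Wrap the redirect in accountchooser?continue=... Without percent-encoding, the '&'
    inside the inner URL terminates the continue value, so SAMLRequest becomes a parameter
    of the wrapper instead of the IdP URL the browser is sent on to."""
    if encode:
        return ACCOUNT_CHOOSER + "?" + urllib.parse.urlencode({"continue": target_url})
    return ACCOUNT_CHOOSER + "?continue=" + target_url


def continue_target(wrapper_url):
    """Return what a query-string parser sees as the continue= target."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(wrapper_url).query)
    return query["continue"][0]


if __name__ == "__main__":
    xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL)
    url = redirect_binding_url(IDP_SSO_URL, xml, relay_state="nc-session")
    print(summarize_authn_request(extract_saml_request(url)))
    for encode in (True, False):
        label = "encoded" if encode else "unencoded"
        try:
            extract_saml_request(continue_target(wrap_in_account_chooser(url, encode)))
            print(label, "wrapper: SAMLRequest preserved")
        except ValueError as e:
            print(label, "wrapper:", e)
```

When debugging this class of error, decode the SAMLRequest from the failing redirect with extract_saml_request and compare its Destination against the IdP's SSO URL: a mismatch or an absent parameter is the usual cause, and the SP metadata you import into the IdP should carry the same entity id and ACS URL as the Issuer and AssertionConsumerServiceURL in the request.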

Related

KeyCloak Integration with Azure ADB2C - Missing State Parameter

I’ve integrated “KeyCloak” (identity broker) with Azure ADB2C for authenticating a user.
Firstly, I integrated the ADB2C login user flow endpoint with Keycloak and tested it, which works absolutely fine. We also integrated the B2C "Forgot Password" user flow endpoint with Keycloak. Upon successful completion of Forgot Password in B2C, while the response is redirected back to Keycloak, we see an error on the Keycloak screen: "Missing State Parameter in Response From Identity Provider".
The request URL has scope, client_id, state, response_type, redirect_uri and nonce, but the B2C response URL contains only client_id, response_type, scope and redirect_uri.
So far, unable to find a way to handle this issue. Please suggest, if there is any approach to handle this issue either from the ADB2C or Key-Cloak.
“ADB2C- Implemented with OAuth standard authentication protocol”
Keycloak error page code:- “Missing State Parameter In Response from Identity Provider”
Thank you.
• The ‘state’ parameter is used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery attacks. In your case, the keycloak identity broker service is the authorization service while Azure AD B2C is the client.
• And since the state parameter is missing in the response URL from Azure AD B2C, it might be that the redirect URIs for the Keycloak identity broker or the application are not correctly configured in Azure AD B2C, which is why Keycloak throws the "state parameter missing" error.
• Keycloak might have treated this response as a CSRF attack because of the missing state parameter and displayed an error. On the Azure AD B2C side, the redirection URI for the specific Keycloak page might not be correctly configured, so the response reached the default Keycloak URI rather than the intended application-integrated URI, and the state parameter was lost as a result.
Please refer to the documentation links below regarding CSRF and the state parameter, as well as redirection URIs in Azure AD B2C:
https://datatracker.ietf.org/doc/html/rfc6749#section-10.12
https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url
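The check that produces a "missing state parameter" error is the same on any OAuth 2.0 client side: whichever component sends the authorization request generates a random state, stores it against the browser session, and refuses a callback whose state is absent, different, or already consumed. The example below is added here and is not Keycloak's code or Azure AD B2C's; the endpoint URLs, the hypothetical BrokerClient class and the constructed callback URLs are all assumptions, and the state-less callback mimics the shape of the response described in the question (client_id, response_type, scope, redirect_uri, no state).

```python
import secrets
import urllib.parse


class StateError(Exception):
    """Raised when a callback cannot be tied to an authorization request we started."""


class BrokerClient:
    """Hypothetical OAuth 2.0 client side of an identity broker. Each authorization request
    is bound to the browser session through a random state value that must come back
    unchanged; a missing or different value is treated as a CSRF attempt and rejected."""

    def __init__(self, authorize_endpoint, client_id, redirect_uri):
        self.authorize_endpoint = authorize_endpoint
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self._pending = {}  # session_id -> state, consumed on first callback

    def start_login(self, session_id, scope="openid"):
        """Build the authorization request URL and remember its state for this session."""
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = state
        params = {
            "client_id": self.client_id,
            "response_type": "code",
            "scope": scope,
            "redirect_uri": self.redirect_uri,
            "state": state,
            "nonce": secrets.token_urlsafe(16),
        }
        return self.authorize_endpoint + "?" + urllib.parse.urlencode(params)

    def handle_callback(self, session_id, callback_url):
        """Validate the provider's redirect and return the authorization code."""
        query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
        expected = self._pending.pop(session_id, None)  # single use: a replay fails here
        if expected is None:
            raise StateError("No authorization request pending for this session")
        returned = query.get("state", [None])[0]
        if returned is None:
            raise StateError("Missing state parameter in response from identity provider")
        if not secrets.compare_digest(returned, expected):
            raise StateError("State parameter does not match the pending request")
        if "error" in query:
            raise StateError("Identity provider returned error: " + query["error"][0])
        code = query.get("code", [None])[0]
        if code is None:
            raise StateError("Callback carries neither a code nor an error")
        return code


def state_from_url(url):
    """Helper for tests and demos: read the state back out of an authorization URL."""
    return urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["state"][0]


# Constructed callback with the parameter set the question describes for the
# password-reset return: client_id, response_type, scope, redirect_uri and no state.
CALLBACK_WITHOUT_STATE = (
    "https://broker.example/callback?client_id=broker-client&response_type=code"
    "&scope=openid&redirect_uri=https%3A%2F%2Fbroker.example%2Fcallback&code=reset-code"
)

if __name__ == "__main__":
    client = BrokerClient("https://idp.example/authorize", "broker-client",
                          "https://broker.example/callback")
    auth_url = client.start_login("session-1")
    good = f"https://broker.example/callback?code=abc123&state={state_from_url(auth_url)}"
    print("valid callback ->", client.handle_callback("session-1", good))
    client.start_login("session-2")
    try:
        client.handle_callback("session-2", CALLBACK_WITHOUT_STATE)
    except StateError as e:
        print("callback without state ->", e)
```

The reject-on-missing branch is deliberate rather than lenient: a client that accepted a state-less callback would let any page that can redirect the browser complete a login with a code of its choosing, which is exactly the attack RFC 6749 section 10.12 describes. The fix therefore belongs on the provider side of the flow (return the state you were given, to the redirect URI that was registered), not in relaxing the client's check.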

Why does the PayPal API not recognize my client id and secret

The PayPal API doesn't recognize the Client ID and Secret I got from https://developer.paypal.com/developer/applications/
I wanted to include a server side checkout according to this tutorial https://developer.paypal.com/docs/archive/checkout/how-to/server-integration/
When I do the request to https://api-m.paypal.com/v1/payments/payment I always get a 401 Error with the message "Authentication failed due to invalid authentication credentials or a missing Authorization header.".
I checked multiple times that my credentials were correctly included in the request. I also tested the endpoint in my server environment as well as via Postman.
I also tried the route https://api-m.sandbox.paypal.com/v1/oauth2/token to exchange my credentials with an access token and got the same problem.
I also tried to create multiple Sandbox and Live Accounts and always got the same error.
Has anyone an idea what the problem could be?
There are two separate issues here.
You first need to use /v1/oauth2/token to obtain an access token, and then use that access token to call any of the other actual APIs.
The credentials you obtain from PayPal Developer will be for either "Sandbox" or "Live". Make sure you choose the correct tab (sandbox, for development). Sandbox credentials will only work for api-m.sandbox.paypal.com, and Live credentials will only work for api-m.paypal.com. The two environments are completely separate.
If you still have issues, post the SANDBOX client ID and secret you are using, and the full request and response to the api-m.sandbox.paypal.com endpoint. There should be a PayPal-Debug-Id in any error response, in the headers if nowhere else.
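The answer describes two things a working integration has to get right: the two-step flow (client credentials exchanged at /v1/oauth2/token, then the bearer token on every other call) and never mixing sandbox credentials with the live host or vice versa. The code below is an added example, not PayPal's SDK or the tutorial's code: the HTTP layer is an injected transport so the example runs offline, and fake_transport is a constructed stand-in for PayPal's servers whose credential pairs and token format are invented. The 401 message text and the PayPal-Debug-Id header are the ones mentioned on this page. In production the transport would wrap requests.post / requests.get with the same URL, headers and body.

```python
import base64
import secrets

BASE_URLS = {
    "sandbox": "https://api-m.sandbox.paypal.com",
    "live": "https://api-m.paypal.com",
}


class PayPalAuthError(Exception):
    """Carries the status and the PayPal-Debug-Id, which is what support asks for."""

    def __init__(self, status, message, debug_id):
        super().__init__(f"HTTP {status}: {message} (PayPal-Debug-Id: {debug_id})")
        self.status, self.debug_id = status, debug_id


class PayPalClient:
    """Two-step flow: client credentials -> access token, then bearer token -> API calls.
    transport(method, url, headers, body) -> (status, headers, json) is injected so the
    example runs offline; a real one would wrap requests.post / requests.get."""

    def __init__(self, client_id, secret, environment, transport):
        if environment not in BASE_URLS:
            raise ValueError("environment must be 'sandbox' or 'live'")
        self.base_url = BASE_URLS[environment]  # host is tied to the credential set
        self._basic = "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()
        self._transport = transport
        self._token = None

    def get_access_token(self):
        """Step 1: exchange client id and secret for a bearer token."""
        status, headers, body = self._transport(
            "POST", self.base_url + "/v1/oauth2/token",
            {"Authorization": self._basic,
             "Content-Type": "application/x-www-form-urlencoded"},
            "grant_type=client_credentials")
        if status != 200:
            raise PayPalAuthError(status, body.get("error_description", body.get("message")),
                                  headers.get("PayPal-Debug-Id"))
        self._token = body["access_token"]
        return self._token

    def call(self, method, path, payload=None):
        """Step 2: call an API with the bearer token, fetching one first if needed."""
        if self._token is None:
            self.get_access_token()
        status, headers, body = self._transport(
            method, self.base_url + path,
            {"Authorization": "Bearer " + self._token, "Content-Type": "application/json"},
            payload)
        if status == 401:
            raise PayPalAuthError(status, body.get("message"), headers.get("PayPal-Debug-Id"))
        return status, body


# Constructed stand-in for PayPal's servers: each credential pair belongs to exactly one
# environment, and a token is only valid on the host that issued it.
FAKE_CREDENTIALS = {
    "https://api-m.sandbox.paypal.com": ("sb-client-id", "sb-secret"),
    "https://api-m.paypal.com": ("live-client-id", "live-secret"),
}
_issued_tokens = {}  # token -> base_url that issued it


def fake_transport(method, url, headers, body):
    base = next(b for b in FAKE_CREDENTIALS if url.startswith(b))
    debug = {"PayPal-Debug-Id": secrets.token_hex(8)}  # constructed debug id
    auth = headers.get("Authorization", "")
    if url.endswith("/v1/oauth2/token"):
        cid, sec = FAKE_CREDENTIALS[base]
        expected = "Basic " + base64.b64encode(f"{cid}:{sec}".encode()).decode()
        if auth != expected:
            return 401, debug, {"error": "invalid_client",
                                "error_description": "Client Authentication failed"}
        token = "A21AA" + secrets.token_hex(12)  # invented token format
        _issued_tokens[token] = base
        return 200, debug, {"access_token": token, "token_type": "Bearer", "expires_in": 32400}
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    if _issued_tokens.get(token) != base:
        return 401, debug, {"name": "AUTHENTICATION_FAILURE", "message":
                            "Authentication failed due to invalid authentication "
                            "credentials or a missing Authorization header."}
    return 201, debug, {"id": "PAY-" + secrets.token_hex(6), "state": "created"}


if __name__ == "__main__":
    sandbox = PayPalClient("sb-client-id", "sb-secret", "sandbox", fake_transport)
    print(sandbox.call("POST", "/v1/payments/payment", {"intent": "sale"}))
    try:
        PayPalClient("sb-client-id", "sb-secret", "live", fake_transport).get_access_token()
    except PayPalAuthError as e:
        print("sandbox credentials against live host ->", e)
```

Binding the host to the environment in the constructor is the point: code that takes a base URL and a credential pair as two independent settings is how sandbox keys end up being sent to api-m.paypal.com, and the resulting 401 looks identical to a genuinely wrong secret. Logging the PayPal-Debug-Id from every error response, as the answer suggests, is what lets the two cases be told apart.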

I needed to access HUAWEI AppGallery Connect API and create a product through the PMS API (server API). But 403 client token authorization fail

Recently, I needed to access the HUAWEI AppGallery Connect API and create a product through the PMS API (server API). However, when Postman was used for basic service interconnection tests, the error message "403 client token authorization fail" was displayed.
How can I fix it?
Based on the error code included in your screen captures, the error was caused by an authentication failure.
To solve the problem, you first need to confirm that the client ID used for applying for the token has sufficient permission.
The official HMS documentation suggests that the project associated with the API client be set to N/A. You need to create an API client and associate it with a project. For example, an app ID in the project was 100xxx591, whereas the app ID in the Postman service request was 101xxx531, which would cause the authentication failure.
To fix the above, create an API client, select N/A (indicating that all projects are supported), and use that client to request a token. The process should work after this.
In general, if Huawei's 403 authentication failure occurs, you can verify the permission first, and then check the associated projects.
For more details about the PMS API, please refer to this link.

Azure Media Service: Failed authorization policy evaluation

I'm using Azure Media Services. I have an encoded asset placed there with Content Key and Asset Delivery Policy. I'm also using the Token restriction.
I am able to stream the video fine on localhost, but as soon as I deployed the application to the server it stopped streaming and gave error code 0x20500006 (from Azure Media Player).
When I checked all the requests I found that there is a request to Key Delivery service with some KID and it returned the following response:
<Error>
<Message>
Failed authorization policy evaluation.
</Message>
<Code>
Unauthorized
</Code>
</Error>
I am using HTTPS on the server; I also tried over HTTP but got no response.
I responded to your post on MSDN. Posting on here for visibility.
"There are different reasons for the unauthorized error. It may be due to one of the following reasons:
- Missing authentication header.
- Bad authentication header value.
- The token has expired.
- The token contains an invalid signature.
- Policy misconfiguration.
- No token in the request.
Please double check to make sure your token has not expired. Also, for the Media Services REST request to succeed, the calling user must be a Contributor or Owner role in the Media Services account it is trying to access. For more information, see this documentation about Access control."

ADFS2.0 SP-Initiated URL?

We've deployed an ADFS Server and its associated proxy, with our application as the relying party, and a cloud identity provider (Covisint) as Claims Provider.
We have tested the ADFS server using Active directory as the claims provider, and the authentication process is successful end to end.
When we switch the application's home realm over to use the cloud provider, the process seems to work, up to the point where the cloud provider returns the now-logged-in user back to https://[adfs url]/adfs/ls
This is what we had supplied to the cloud identity provider as the SP-initiated URL to return logged-in users to, but it appears to be incorrect, or incorrectly configured, as it presents the user with the error below.
What is the URL that the cloud provider should post logged in users to for SAML2.0 on ADFS2.0?
I should also note, even logged in users are being redirected to the cloud provider on access to the app, leading me to believe that a necessary SAML>ADFS post has not happened yet.
Error:
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: 4973cca5-db6f-43dd-bd9b-59fa9872e97c
There is nothing in the trace or admin logs of use.
Thanks!