I have a query regarding the certificate used by IBM AppId to sign SAML requests. I believe this certificate is self-signed by the tenant's (AppId tenant) private key and is auto-generated by AppId when 'signRequest' is set to true in the IDP metadata. Please confirm my understanding.
A follow-up question on it: is there an API which I can use to update this certificate, let's say the IDP organization expects signed CA certs attached to a valid domain name? I only found an API to GET the AppId SAML metadata; no update API was found that could be used to provide signing certificates to the service provider (AppId). Please let me know.
I have seen that the certificate generated by AppId has the below CN configuration:
subject=C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM Cloud and Cognitive Software, CN = IBM Cloud App ID
Your understanding is correct: the signing certificate is auto-generated by App ID when signRequest is set to true. There is no way for a user to update it.
I am configuring Keycloak login with Apple ID. I followed the steps according to these pages:
https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple and https://keycloak.discourse.group/t/sign-in-with-apple/119/4
But when I try to log in, the following is returned:
[screenshot: error page]
Here is my configuration:
[screenshot: identity provider configuration]
I don't understand where I went wrong, please help.
I had the same issue and I configured Apple SSO using the below link:
https://github.com/BenjaminFavre/keycloak-apple-social-identity-provider
Just download the latest provider jar file and copy it to the Keycloak->standalone->deployments folder. Add the Apple IDP to the Keycloak identity provider list and, according to the documentation, add Client ID, Client secret, Team ID, Key ID and default scopes.
Please make sure you have provided the correct redirect URI, the client ID as com.XXXX.XXXXXX (in my case com.renter.applesso), a client secret without new lines or delimiters, the Key ID and Team ID (should be 10 characters), and the default scope passed without spaces or commas.
I had these errors while configuring Apple SSO with Keycloak: unexpected error when authenticating with identity provider, invalid-client, invalid-grant, Internal server error, could not decode access token. These are due to Client ID, client secret, Key ID and Team ID mistakes. So double check all values.
This solution is 100% working for me.
How can I export the Token Signing Certificate that is created when ADFS 3.0 is installed? When I open up the certificate MMC, I am able to see the certificate however the message 'You have a private key that corresponds to this certificate' is missing and I am unable to export the private key. I read in the article ADFS deep dive: Certificate Planning that I can find it in Active Directory in the following container:
CN=ADFS,CN=Microsoft,CN=Program Data,DC=domain,DC=com
However, although I can get to that container, all I see is a GUID inside and do not know how to export the private key out of Active Directory.
How can I get the private key?
******************************************** EDIT ********************************************
In case anyone comes to this later, the certs are actually in the personal cert store of the ADFS service account but they are NOT exportable. You almost certainly want the SSL cert private key, NOT the token signing cert private key. The documentation I was following to set up ADFS for SharePoint was a little confusing. The private key had to be exported for the SSL cert, whereas the thumbprint of the token signing cert had to be placed in the web config. I was incorrectly trying to export the private key of the token signing cert.
******************************************** EDIT ********************************************
You mean the self-signed ones you get with automatic rollover?
If so, where do you see these with MMC?
They are stored in a combination of an AD container and the ADFS DB.
So you can't export in the normal manner.
For a very good reason - security. If you have the private key you can send / hack anything and it will be accepted as coming from ADFS.
The public key is available in the metadata.
If you have to do this, turn off automatic rollover and use your own certificates.
How to configure an Okta developer application for single logout? The application asks for:
Single Logout URL
SP Issuer
Signature Certificate
Can anyone please help me configure it? How do I generate the Signature Certificate and SP issuer?
Using the "SIGN ON" tab (in the Okta application) you will get these details.
Using the "View Setup Instructions" button you can fetch these details. This link provides the following attributes:
Identity Provider Single Sign-On URL:
Identity Provider Issuer:
metadata to your SP provider:
X.509 Certificate:
If you are using Rails you can use the omniauth-saml gem.
For the issuer field you can refer to this:
References:
https://github.com/onelogin/ruby-saml-example
http://developer.okta.com/docs/guides/setting_up_a_saml_application_in_okta.html
SSOCircle provides a ready-to-use Identity Provider according to their website. I wanted to simulate SAML SSO and integrate it in a sample Liberty for Java application in Bluemix.
What I did so far:
Downloaded the SSOCircle Public IDP Metadata from "Manage Metadata". Uploaded it into the Bluemix SSO service via the upload file button and entered https://idp.ssocircle.com/sso in the textbox under "Step 1" in the SAML Enterprise setup.
Downloaded the SAML metadata under "Step 2" in the SAML Enterprise setup and imported it in SSOCircle. The FQDN that I used is: https://ssocruzgstest-8iotczj2sk-cabc.iam.ibmcloud.com.
Edit: Changed the URL to https://idp.ssocircle.com/sso/idpssoinit?metaAlias=/ssocircle&spEntityID=https://ssocruzgstest-8iotczj2sk-cabc.iam.ibmcloud.com/idaas/mtfim/sps/idaas/saml20 as recommended by Martin.
After integrating, I pointed my browser to https://cruzgsjava1.mybluemix.net then clicked "Sign in with SAML Enterprise".
I got redirected to https://idp.ssocircle.com/sso/UI/Login?module=peopleMembership&goto=https%3A%2F%2Fidp.ssocircle.com%2Fsso%2Fidpssoinit%3FmetaAlias%3D%2Fssocircle%26spEntityID%3Dhttps%3A%2F%2Fssocruzgstest-8iotczj2sk-cabc.iam.ibmcloud.com%2Fidaas%2Fmtfim%2Fsps%2Fidaas%2Fsaml20. I logged in and encountered an error.
Your URL is wrong. I have not seen clear documentation on ssocircle.com, but I found some samples from which I could deduce the (hopefully) right URL pattern. This is what I use for testing:
https://idp.ssocircle.com/sso/idpssoinit?metaAlias=/ssocircle&spEntityID=<your SP entity ID>
You can find out your SP entity ID by downloading the service provider metadata in step 2 and inspecting the attribute "entityID" of the root element "md:EntityDescriptor".
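The two checks the answer describes, as an added example that is not part of the original thread: read the entityID from SP metadata, build the SSOCircle IdP-initiated URL with proper percent-encoding, and list the signing certificates an IdP's metadata advertises (the metadata documents and the certificate body below are constructed samples, not real tenants).

```python
"""Added example: SAML metadata inspection helpers (stdlib only, no network)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP metadata; the entityID is a placeholder, not a real Bluemix tenant.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/idaas/mtfim/sps/idaas/saml20">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed IdP metadata with one signing key; the certificate body is fake.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...FAKE...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sp_entity_id(metadata_xml):
    """Return the entityID attribute of the md:EntityDescriptor root element."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    return entity_id


def idp_init_url(entity_id, base="https://idp.ssocircle.com/sso/idpssoinit",
                 meta_alias="/ssocircle"):
    """Build the IdP-initiated SSO URL; urlencode escapes ':' and '/' in the entityID."""
    return base + "?" + urlencode({"metaAlias": meta_alias, "spEntityID": entity_id})


def idp_signing_certs(metadata_xml):
    """Base64 bodies of certificates usable for signing (no 'use' means signing and encryption)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join(cert.text.split()))  # strip PEM line breaks
    return certs
```

Compare the certificates returned by idp_signing_certs with the chain your SP actually trusts: if the IdP cert is issued by a private CA, that CA certificate is what the SP needs for chain validation.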
The SSOCircle URL is correct. The error happens at the Bluemix site. According to the IBM Knowledge Center, FBTSML236E says that the trace log will indicate which operation failed.
Most probably the validation of the assertion signature is failing. The SSOCircle signing certificate itself is not self-signed but is signed by its own CA.
It could be the case that Bluemix is validating the whole certificate chain and for that reason needs the CA certificate. You can get it from the SSOCircle web site after logging in; under 'My certificate status' you'll find a link to the CA certificate.
If that does not solve the problem, check with IBM how the SAML response is validated. The SSOCircle public IDP by default signs the SAML assertion. It could potentially be that Bluemix has different requirements (e.g. signing the SAML response).
SOLUTION
I figured out how to solve this problem.
First of all, here is my implementation with a Service Account:
// Imports added for completeness (google-api-client plus JDK helpers).
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import java.io.File;
import java.util.Collections;

// httpTransport and JSON_FACTORY are assumed to be created elsewhere in the class.
// Build service account credential.
GoogleCredential credential = new GoogleCredential.Builder().setTransport(httpTransport)
        .setJsonFactory(JSON_FACTORY)
        .setServiceAccountId(SERVICE_ACCOUNT_EMAIL)
        .setServiceAccountScopes(Collections.singleton("https://www.googleapis.com/auth/appsmarketplace.license"))
        .setServiceAccountPrivateKeyFromP12File(new File("/path/to/mykey/key.p12"))
        // .setServiceAccountUser("NOT SET THIS LINE")  // no user impersonation for this call
        .build();
// License and Licenses are the poster's own client classes, not part of google-api-client.
License build = new License.Builder(httpTransport, JSON_FACTORY, credential).setApplicationName("My Application").build();
Licenses execute = build.customerLicense().get("9999999999", "domain.test.com").execute();
This License Builder object is my own implementation based on the new google-api-client 1.17 and above. If someone could advise me how I can share it with the rest of the community I will be glad to do it.
Best,
I have posted another thread, Google Apps Marketplace API customerLicense with OAuth2, explaining about my intentions to consume this API with OAuth2 Service Account strategy.
I have tried every method and official library available and I always get an Invalid OAuth header message or UNLICENSED.
I am going to detail what the scenario is and what things I have tried:
I have a Google Apps Marketplace app which uses Service Account OAuth2 because all tasks are performed in the background.
This API Project has Service Account keys and Client Web Account keys too.
I published the app restricted to my domain only because I am still developing. So I installed the app for my domain.
At this point it is supposed that if I query Customer License with the API Project ID and the Customer ID, which is the domain name, I should see the APP LICENSE for my domain.
I have used these jars https://developers.google.com/google-apps/marketplace/v2/developers_guide to access the License API.
This is my code:
String appName = "MY APP";
AppsMarketService service = new AppsMarketService();
service.appId = "NUMBER_APP_ID";
service.appName = appName;
service.endpoint = "https://www.googleapis.com/appsmarket/v2/";
service.consumerKey = service.appId + ".apps.googleusercontent.com";
service.consumerSecret = "CLIENT_SECRET_FROM_WEB_OAUTH2_API_PROJECT";
service.authorize(); // two-legged OAuth1 handshake performed by the old marketplace jar
I get 403 Forbidden if I use this code.
If I change appId to the prefix of the clientId from my API Project web OAuth2, I get 200 but with body UNLICENSED.
I have added the scope https://www.googleapis.com/auth/appsmarketplace.license to my app and I still get the same result.
I have also tried getting an Access Token for the Admin user via the Service Account handshake and then using that OAuth2 Access Token to access the License API, with the same result: Invalid OAuth Token.
My questions are:
Is there any way to access this API with Service Account keys, taking into consideration there is no consumer secret in Service Account keys, only a Client ID and a private key file?
Is there any updated library to use this with OAuth2, because I am seeing that all these libraries use OAuth1 with two-legged auth?
It would be great if someone can help me because we are trying to migrate our 7 old Google Apps Marketplace apps from OAuth1 to OAuth2 as per Google's request, but we have some black holes in our implementation if we are not able to query which domains have our app installed.
Best,
There is no need for any other libraries than the OAuth2 lib. You can implement this using urlfetch.
...
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.appengine.api.urlfetch.FetchOptions.Builder;
import com.google.appengine.api.urlfetch.HTTPHeader;
import com.google.appengine.api.urlfetch.HTTPMethod;
import com.google.appengine.api.urlfetch.HTTPRequest;
import com.google.appengine.api.urlfetch.HTTPResponse;
import com.google.appengine.api.urlfetch.URLFetchServiceFactory;
// JDK imports needed by the snippet below (added for completeness).
import java.io.File;
import java.net.URL;
import java.util.Collections;
...
String SERVICE_ACCOUNT_EMAIL = "...@developer.gserviceaccount.com";
String P12 = "...-privatekey.p12";
// appid is the same id that you have in the google cloud project that has the Google Apps Marketplace API and SDK enabled
String appid = "";
GoogleCredential credential = new GoogleCredential.Builder()
        .setTransport(new NetHttpTransport())
        .setJsonFactory(new JacksonFactory())
        .setServiceAccountId(SERVICE_ACCOUNT_EMAIL)
        .setServiceAccountScopes(Collections.singleton("https://www.googleapis.com/auth/appsmarketplace.license"))
        .setServiceAccountPrivateKeyFromP12File(new File(P12))
        .build();
// Exchange the signed JWT for a short-lived access token, then call the REST endpoint directly.
credential.refreshToken();
String token = credential.getAccessToken();
URL url = new URL("https://www.googleapis.com/appsmarket/v2/licenseNotification/" + appid);
HTTPRequest request = new HTTPRequest(url, HTTPMethod.GET, Builder.allowTruncate());
request.setHeader(new HTTPHeader("Authorization", "Bearer " + token));
HTTPResponse response = URLFetchServiceFactory.getURLFetchService().fetch(request);
You need to install the OAuth2 package for this to work. In Eclipse it's under Google > Add Google APIs.