WebSphere form based authentication logout mechanism not logging out - forms

I am analyzing code. It is a Wicket application using WebSphere form based authentication.
The program has the ibm_security_logout form mechanism implemented.
When logged in, I copy the current URL to the clipboard.
When logging out using the form, I seem to be logged out. However, when using the copied URL, I am back in the GUI, being logged in.
So the session is still valid? How can I make sure I am actually logged out, and redirected to the login page when using 'old' URLs?
Thanks!

Check that security is enabled for applications in the admin console, menu Security > Global security, checkbox "Application security".
Check that there is no security interceptor in menu Security > Global security > Trust association > Interceptor.
Connect to your application using Chrome or Firefox and open the "developer tools" panel. Check what happens when you click on logout:
1. In the Network tab, the browser should send a GET request to the ibm_security_logout URL.
2. In the WebSphere answer, there should be a header Set-Cookie: LtpaToken2="" which should remove LtpaToken2. LtpaToken2 is basically the session cookie for WebSphere.
3. Look at your cookies using developer tools. LtpaToken2 should not be there anymore.
If step 1 is not OK: your client application logout button is not properly implemented.
If step 2 is not OK: there should be an error in the WebSphere log file.
If step 3 is not OK (very unlikely): there might be a cross-domain error, meaning the cookie was set for another domain name.
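The three developer-tools checks above can also be run offline against captured responses. The script below is an added example and is not part of the original answer or of WebSphere: the logout and replay responses are constructed samples standing in for what the Network tab would show, and the hostnames (app.example.com) and login path (/login.jsp) are assumptions. It checks that the logout answer actually blanks or expires LtpaToken2 (step 2), that the cookie's Domain attribute covers the host the browser talked to (the cross-domain case in step 3), and that replaying an old URL with the old cookie is answered with a redirect to the login page rather than the application page, which is the test the question itself describes.

```python
"""Offline version of the logout checks: parse Set-Cookie, confirm the
session cookie is cleared for the right domain, confirm stale URLs are
rejected. Sample responses are constructed, not captured from a real server."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

SESSION_COOKIE = "LtpaToken2"

# Constructed sample: answer to GET /ibm_security_logout (steps 1 and 2).
LOGOUT_RESPONSE = {
    "status": 302,
    "headers": [
        ("Location", "https://app.example.com/login.jsp"),
        ("Set-Cookie", 'LtpaToken2=""; Path=/; Domain=.example.com; '
                       "Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly"),
        ("Set-Cookie", "JSESSIONID=0000abcd; Path=/; HttpOnly"),
    ],
}

# Constructed sample: replaying the copied URL with the *old* LtpaToken2
# after logout. A correct server answers with a redirect to the login page.
REPLAY_RESPONSE = {"status": 302, "headers": [("Location", "/login.jsp")]}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val.strip()
    return name.strip(), value.strip().strip('"'), attrs


def _expired(attrs, now):
    """True when Max-Age or Expires tells the browser to drop the cookie."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if exp.tzinfo is None:  # treat a naive Expires as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        return exp <= now
    return False


def logout_clears_session_cookie(response, now=None):
    """Step 2: the logout answer must blank or expire LtpaToken2."""
    now = now or datetime.now(timezone.utc)
    for key, val in response["headers"]:
        if key.lower() != "set-cookie":
            continue
        name, value, attrs = parse_set_cookie(val)
        if name == SESSION_COOKIE and (value == "" or _expired(attrs, now)):
            return True
    return False


def cookie_domain_matches(response, request_url):
    """Step 3: the Domain attribute must cover the host the browser used;
    otherwise the clearing cookie is silently ignored (cross-domain case)."""
    host = (urlsplit(request_url).hostname or "").lower()
    for key, val in response["headers"]:
        if key.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(val)
        if name != SESSION_COOKIE:
            continue
        domain = attrs.get("domain", "").lstrip(".").lower()
        if not domain:
            return True  # host-only cookie: always matches the responding host
        return host == domain or host.endswith("." + domain)
    return False


def replay_is_rejected(response, login_path="/login.jsp"):
    """The real test from the question: an old URL sent with the old cookie
    must yield a redirect to login (or 401/403), not the application page."""
    status = response["status"]
    if status in (401, 403):
        return True
    if status in (301, 302, 303, 307):
        for key, val in response["headers"]:
            if key.lower() == "location":
                return urlsplit(val).path == login_path
    return False


if __name__ == "__main__":
    url = "https://app.example.com/ibm_security_logout"
    print("clears LtpaToken2:", logout_clears_session_cookie(LOGOUT_RESPONSE))
    print("domain matches:", cookie_domain_matches(LOGOUT_RESPONSE, url))
    print("stale URL rejected:", replay_is_rejected(REPLAY_RESPONSE))
```

To use it against a real capture, paste the Set-Cookie and Location headers from the developer-tools Network tab into the two dictionaries; a `replay_is_rejected` result of False with a 200 status is exactly the symptom described in the question and means the server-side session was not invalidated even though the browser cookie was cleared.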

Related

Google Auth API - idpiframe_initialization_failed on Production environment

I integrate Google's Auth API in my production website.
When I enter the login page, it throws an idpiframe_initialization_failed exception to the console.
I found out that I can fix it by enabling that API / Cookies in my chrome browser, but I want to find a comprehensive solution that will prevent those exceptions in my production environment.
So my two questions are:
What do you suggest I do in order to achieve that?
In general, what is the meaning of those exceptions?
Thanks :)
If you have a production URL like http://godaddysite.com etc., host your page there with a web server.
Opening an HTML page from your computer with JavaScript does not work as it is not hosted on a web server.
Please check your redirect URL etc. when you created the OAuth client:
1. Go to the Credentials page.
2. Click Create credentials > OAuth client ID.
3. Select the Web application application type.
4. Name your OAuth 2.0 client and click Create.
5. Check origins.
6. Create a new OAuth client with correct origins.

Configure Authentication for actual html login page

We've got an install of Azure Devops server that currently authenticates against our active directory server and authentication works, but it appears to do so by means of browser basic authentication (the browser modal prompt that asks for a simple user name and password).
I'm wondering if there is some way to configure authentication such that users that have never logged in, actually get a login page... not just the basic authentication prompt in the browser.
I appreciate any input, I've used and administered azure devops in the cloud for a LONG time, but the devops server stuff I'm new to.
NOTE: I've played with IIS settings for authentication (enabling and disabling basic authentication and forms auth etc, but nothing really seemed to help there)
it appears to do so by means of browser basic authentication (the browser modal prompt that asks for a simple user name and password).
I'm wondering if there is some way to configure authentication such that users that have never logged in, actually get a login page... not just the basic authentication prompt in the browser.
Which login page do you mean?
1. If you mean the login page to connect to the TFS web portal, as far as I know using the basic prompt with username + password is the only approach.
Web Portal: (screenshot)
Only login page: (screenshot)
2. But if you mean something used for authentication when accessing the code, I think you must be familiar with PATs, which are widely used in Azure DevOps Services. IIS Basic Authentication is not recommended. You can check "Enabling IIS Basic Authentication invalidates using Personal Access Tokens" and "Use the TFS Cross Platform Command Line with TFS using basic authentication or personal access tokens (PATs)".
Hope it helps to resolve your puzzle :)
So after lots of research, I found the answer in the "differences between Azure DevOps Server and Azure DevOps Services" documentation. In this documentation it states that it uses Windows authentication, and you will never be presented with any login experience.
I'd vote that this should be something that be configured to show a login screen, as sometimes we want to log in as users other than the users we logged into the machine as.

WSO2 IS SAML2.0 Deactivates user after single login

I downloaded WSO2 IS, took care of all the prerequisites and started it using "wso2server.bat --run" command.
It's running and I am able to configure it in Management Console as Identity Provider (SAML 2.0). I also added my app as Service Provider (SAML 2.0). SSO seems to be working - I navigate to my app, it redirects to WSO2 IS where I log in using default admin/admin. I am then redirected to assertion service in my app when I am authenticating a user. Everything great so far!
The problem is that when I close the browser (using incognito mode) and try to repeat that process and login to WSO2 IS using the same user (admin/admin) I get error message:
"Login failed! Please recheck the username and password and try again."
I also get similar message in console:
[2018-02-08 15:57:39,258] ERROR {org.wso2.carbon.identity.scim.common.listener.SCIMUserOperationListener} - Trying to login from an inactive account of user: admin
How is that possible? It looks like the second I use given user during SSO process - that account gets deactivated. I can't even login to WSO2 IS Management Console.
I did not change any configuration other than mentioned above.
I would appreciate any help.

Is IdentityServer3 WindowsAuthentication post logout redirect possible?

I was wondering if it is possible to add a redirect Url to the post-logout action when using the Windows Authentication module of IdentityServer3? Currently, it seems to leave users on a blank page.
If you're using the WindowsAuthentication module, then you don't want to redirect to that STS for signout (since it's all about integrated Windows auth, and the only signout is logging out of the Windows machine). I'd suggest suppressing the redirect for signout to the WindowsAuthentication STS in the WS-Fed Katana middleware you're using in IdentityServer. Handle the RedirectingToIdentityProvider (or whatever the event is called) notification and call the API to suppress the redirect.

What does this SSO error mean? - CTJSO1502E The authentication process to the configuration dashboard failed

I'm just starting up with Bluemix Single Sign On (SSO). Whenever I'm accessing the SSO console using Safari I get a popup with the error below.
CTJSO1502E The authentication process to the configuration dashboard failed
I do not get this error when accessing the SSO console using my Firefox browser.
I've already cleared the cache in Safari. Can anyone give me a pointer or something else to try to get past this?
As it turns out, the solution in Safari is that I needed to enable third-party cookies to access the SSO interface.
The iframe containing the SSO service dashboard comes to the overall Bluemix console (.ng.bluemix.net) from a host on a different DNS domain (.iam.ibmcloudsecurity.com). Session cookies for the dashboard get blocked unless 3rd party cookies are allowed, or at least permitted from .iam.ibmcloudsecurity.com.
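The effect described in this answer (a dashboard loaded in an iframe from a different DNS domain losing its session cookie under a "block third-party cookies" setting) can be modelled in a few lines. The script below is an added example, not part of the original answer or of Bluemix: the iframe hostname (sso-dashboard.iam.ibmcloudsecurity.com) is a constructed sample, and the "registrable domain" rule (last two labels of the host) is a simplification of what browsers do with the Public Suffix List. It decides whether a cookie set from the frame is third-party relative to the top-level page, and then applies the three Safari-style policies the answer mentions: allow all, block third-party, or allow only listed domains.

```python
"""Model of third-party cookie blocking for an embedded SSO dashboard.
Added example; URLs are constructed samples and the domain rule is a
simplification (no Public Suffix List)."""
from urllib.parse import urlsplit

# Constructed sample: the embedding console and the iframe host.
TOP_PAGE = "https://console.ng.bluemix.net/"
DASHBOARD_FRAME = "https://sso-dashboard.iam.ibmcloudsecurity.com/dashboard"


def registrable_domain(url):
    """Simplified eTLD+1: the last two labels of the hostname.
    Real browsers use the Public Suffix List (e.g. for co.uk)."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_third_party(top_url, frame_url):
    """A cookie set by the frame is third-party when the frame's registrable
    domain differs from the top-level page's."""
    return registrable_domain(top_url) != registrable_domain(frame_url)


def _host_in_list(host, allowed):
    """Match a host against entries like '.iam.ibmcloudsecurity.com'."""
    for entry in allowed:
        entry = entry.lstrip(".").lower()
        if host == entry or host.endswith("." + entry):
            return True
    return False


def cookie_allowed(top_url, frame_url, policy, allowed=()):
    """Decide whether the frame's session cookie survives under a policy.

    policy: "allow-all", "block-third-party" or "allow-listed"
    allowed: domains whose third-party cookies are still permitted
             (only used with "allow-listed")."""
    if not is_third_party(top_url, frame_url):
        return True  # first-party cookies are never blocked by these settings
    if policy == "allow-all":
        return True
    if policy == "allow-listed":
        host = (urlsplit(frame_url).hostname or "").lower()
        return _host_in_list(host, allowed)
    return False  # "block-third-party": the dashboard session cookie is dropped


if __name__ == "__main__":
    print("third-party:", is_third_party(TOP_PAGE, DASHBOARD_FRAME))
    for policy in ("allow-all", "block-third-party", "allow-listed"):
        ok = cookie_allowed(TOP_PAGE, DASHBOARD_FRAME, policy,
                            allowed=[".iam.ibmcloudsecurity.com"])
        print(f"{policy}: cookie allowed = {ok}")
```

The "block-third-party" branch is the Safari default that produced the CTJSO1502E popup; "allow-listed" with the dashboard's domain is the narrower fix the answer suggests, and is preferable to allowing all third-party cookies.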