Artifactory: getting HTTP 400 after unauthorized SAML login attempt

I have SAML with ADFS configured in Artifactory and it is working just fine really. We are also "filtering" users by AD group membership and only allow users within a certain group to log in. All that is and has to be done by ADFS because Artifactory doesn't do that.
When a user is not authorized to log in with SAML, he is redirected to an HTTP 400 page, which obviously isn't a good solution. I can already see the tickets pouring in telling me that Artifactory doesn't work at all.
How can I avoid that or tell them actually what's the problem?
EDIT: using Artifactory version 5.3.1

Related

Why does the PayPal API not recognize my client id and secret

The PayPal API doesn't recognize the Client ID and Secret I got from https://developer.paypal.com/developer/applications/
I wanted to include a server side checkout according to this tutorial https://developer.paypal.com/docs/archive/checkout/how-to/server-integration/
When I do the request to https://api-m.paypal.com/v1/payments/payment I always get a 401 Error with the message "Authentication failed due to invalid authentication credentials or a missing Authorization header.".
I checked multiple times that my credentials were correctly included in the request. I also tested the endpoint in my server environment as well as via Postman.
I also tried the route https://api-m.sandbox.paypal.com/v1/oauth2/token to exchange my credentials with an access token and got the same problem.
I also tried to create multiple Sandbox and Live Accounts and always got the same error.
Does anyone have an idea what the problem could be?
There are two separate issues here.
You first need to use /v1/oauth2/token to obtain an access token, and then use that access token to call any of the other actual APIs.
The credentials you obtain from PayPal Developer will be for either "Sandbox", or "Live". Make sure you choose the correct tab (sandbox, for development). Sandbox credentials will only work for api-m.sandbox.paypal.com , and Live credentials will only work for api-m.paypal.com . The two environments are completely separate.
If you still have issues, post the SANDBOX client ID and secret you are using, and the full request and response to the api-m.sandbox.paypal.com endpoint. There should be a PayPal-Debug-Id in any error response, in the headers if nowhere else.
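The two-step flow the answer describes, written out as an added example (not code from the original thread or from PayPal): client credentials are exchanged for an access token at /v1/oauth2/token using HTTP Basic auth, and only the resulting bearer token is sent to the payments API. The two hosts are the real ones named above; the pluggable transport, the fake PayPal stand-in, the sample credentials, token and debug id are all constructed so the code runs offline. The fake deliberately rejects sandbox credentials on the live host to show the 401 the question reports.

```python
"""Added example: token-then-API flow with sandbox and live kept apart.
Network I/O goes through a pluggable transport so this runs offline."""
import base64
import json
from typing import Callable, Dict, Tuple

# Real PayPal REST hosts. Sandbox credentials only work against the
# sandbox host and live credentials only against the live host.
BASE_URLS = {
    "sandbox": "https://api-m.sandbox.paypal.com",
    "live": "https://api-m.paypal.com",
}

# A transport is (method, url, headers, body) -> (status, headers, body).
# In real use, wrap requests/urllib here.
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, Dict[str, str], bytes]]


class PayPalError(RuntimeError):
    """Raised on a non-2xx response; the message carries the PayPal-Debug-Id."""


def basic_auth_header(client_id: str, secret: str) -> str:
    """HTTP Basic header, used only against /v1/oauth2/token."""
    raw = f"{client_id}:{secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _raise_for_status(status: int, headers: Dict[str, str], body: bytes) -> None:
    if 200 <= status < 300:
        return
    # Errors carry a PayPal-Debug-Id header; quote it when asking for help.
    debug_id = next((v for k, v in headers.items() if k.lower() == "paypal-debug-id"), "n/a")
    raise PayPalError(f"HTTP {status}, PayPal-Debug-Id={debug_id}: {body.decode(errors='replace')}")


def get_access_token(env: str, client_id: str, secret: str, transport: Transport) -> str:
    """Step 1: exchange client credentials for a bearer token."""
    if env not in BASE_URLS:
        raise ValueError(f"env must be one of {sorted(BASE_URLS)}")
    headers = {
        "Authorization": basic_auth_header(client_id, secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    status, resp_headers, body = transport(
        "POST", BASE_URLS[env] + "/v1/oauth2/token", headers, b"grant_type=client_credentials")
    _raise_for_status(status, resp_headers, body)
    return json.loads(body)["access_token"]


def create_payment(env: str, client_id: str, secret: str, payment: dict, transport: Transport) -> dict:
    """Step 2: call the payments API with the bearer token, never with Basic auth."""
    token = get_access_token(env, client_id, secret, transport)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, resp_headers, body = transport(
        "POST", BASE_URLS[env] + "/v1/payments/payment", headers, json.dumps(payment).encode())
    _raise_for_status(status, resp_headers, body)
    return json.loads(body)


def make_fake_paypal(valid: Dict[str, Tuple[str, str]]) -> Transport:
    """Constructed stand-in for PayPal: `valid` maps env -> (client_id, secret)
    accepted for that environment and no other. Responses are constructed."""
    def transport(method, url, headers, body):
        env = next((e for e, base in BASE_URLS.items() if url.startswith(base + "/")), None)
        auth = headers.get("Authorization", "")
        err_headers = {"PayPal-Debug-Id": "0123456789abc"}  # constructed id
        if url.endswith("/v1/oauth2/token"):
            cid, sec = valid.get(env, ("", ""))
            if method == "POST" and auth == basic_auth_header(cid, sec) and body == b"grant_type=client_credentials":
                token = {"access_token": f"A21AA-{env}-token", "token_type": "Bearer", "expires_in": 32400}
                return 200, {}, json.dumps(token).encode()
            return 401, err_headers, b'{"error":"invalid_client","error_description":"Client Authentication failed"}'
        if auth == f"Bearer A21AA-{env}-token":
            return 201, {}, b'{"id":"PAY-constructed","state":"created"}'
        return 401, err_headers, (b'{"name":"AUTHENTICATION_FAILURE","message":"Authentication failed due to '
                                  b'invalid authentication credentials or a missing Authorization header."}')
    return transport


if __name__ == "__main__":
    fake = make_fake_paypal({"sandbox": ("sb-client", "sb-secret"), "live": ("live-client", "live-secret")})
    print(create_payment("sandbox", "sb-client", "sb-secret", {"intent": "sale"}, fake))
```

To move to production, swap the environment string and the credentials together; everything else stays the same, which is the point of keeping the host selection in one table.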

How to configure RedHat APIMan Authorization Policy for unprotected endpoints?

We have installed and configured RedHat APIMan for our working API, and the plan is to migrate from our current home-grown tiny gateway to APIMan. The problem is that we have some unprotected endpoints which do not need login (not an "everyone" role; no login required at all). We are using the Keycloak OAuth plugin for roles, and the Authorization Policy for API security. When the Authorization policy is not added, I can allow unauthenticated requests via a boolean value in the Keycloak OAuth policy, but after adding the Authorization policy, there is no way to let unauthenticated requests pass!
Kamyar. Apiman developer here.
Please file a feature request for this over at https://github.com/apiman/apiman/issues.
I think what you are trying to do may not currently be possible easily because the authentication policy is expecting a successful auth of some sort before it is hit (to get the roles, etc).
We probably need a slightly more detailed explanation of your use-case, and then we can figure out whether we can support it. It seems like it should be doable without major changes if I understand correctly.
If and when we add support for the specifics of your requirement, I will endeavour to update this ticket.

Configuring Shibboleth Metadata File

We have recently migrated to a new hosting environment, so we have installed a fresh instance of Shibboleth. When we generate SP metadata files, the URLs are non-secure (i.e. http) even though the URL used to generate the metadata uses https.
When using the test connection from our own Azure AD system, we see the obvious error: "The reply URL specified in the request does not match the reply URLs configured for the application:"
I have limited knowledge of configuring the system beyond working on shibboleth2.xml and attribute-map.xml so would be very grateful if anyone can point me in the right direction to fix this.
I'm not sure if you managed to configure it, but I'm currently working on this as well, and I think I can help.
So the ReplyURL you need to provide in the Azure Portal is the reply URL that accepts the authentication reply message from the identity provider.
In the case of Shibboleth it is:
http[s]://yoursitename/Shibboleth.SSO/Auth/Saml
So if your webpage is for instance:
https://localhost/Foo
The replyURL should be:
https://localhost/Shibboleth.SSO/Auth/Saml
Notice that the page "Foo" is not in the replyURL.
After the authentication the browser should send the IDP reply to https://localhost/Shibboleth.SSO/Auth/Saml, after which Shibboleth should redirect you back to https://localhost/Foo
At least that's the default behaviour.
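The two things to verify in the generated metadata, as an added example (not code from the thread or from the Shibboleth project): which endpoints are published with a plain http Location, and which AssertionConsumerService Locations are not listed exactly among the Reply URLs configured on the Azure AD application, which is the comparison behind the "reply URL specified in the request does not match" error. The metadata below is a constructed sample with placeholder entityID, host and endpoint paths; run the functions over the metadata file your own SP generates.

```python
"""Added example: sanity checks on a Shibboleth SP metadata file.
The sample metadata is constructed; only the SAML metadata namespace is real."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample: SLO and the POST ACS were generated as http, the Artifact ACS as https.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://sp.example.org/Shibboleth.sso/SLO/Redirect"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# SP endpoint elements that carry a Location the IdP will send traffic to.
ENDPOINT_TAGS = ("AssertionConsumerService", "SingleLogoutService", "ArtifactResolutionService")


def endpoints(metadata_xml: str) -> Dict[str, List[str]]:
    """Map each SP endpoint element name to the Location URLs it publishes."""
    root = ET.fromstring(metadata_xml)
    found: Dict[str, List[str]] = {}
    for sp in root.iter(f"{{{MD}}}SPSSODescriptor"):
        for tag in ENDPOINT_TAGS:
            for el in sp.findall(f"md:{tag}", NS):
                loc = el.get("Location")
                if loc:
                    found.setdefault(tag, []).append(loc)
    return found


def insecure_locations(metadata_xml: str) -> List[str]:
    """Endpoints whose scheme is not https. The IdP posts the assertion to
    exactly this URL, so http here means the SAML response travels in clear."""
    return [loc for locs in endpoints(metadata_xml).values() for loc in locs
            if urlsplit(loc).scheme.lower() != "https"]


def acs_not_in_reply_urls(metadata_xml: str, reply_urls: Set[str]) -> List[str]:
    """ACS Locations that are not listed verbatim among the Reply URLs configured
    on the Azure AD application; scheme, host and path all have to agree."""
    acs = endpoints(metadata_xml).get("AssertionConsumerService", [])
    return [loc for loc in acs if loc not in reply_urls]


if __name__ == "__main__":
    print("insecure:", insecure_locations(SAMPLE_METADATA))
    print("not configured in Azure:", acs_not_in_reply_urls(
        SAMPLE_METADATA, {"https://sp.example.org/Shibboleth.sso/SAML2/POST"}))
```

If `insecure_locations` reports anything, fix the SP's idea of its own scheme (the metadata generator reuses it) rather than editing the metadata file by hand, otherwise the next regeneration reintroduces the http URLs.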

Artifactory: SAML/ADFS authentication with groups

We are having problems with the authentication via SAML. All users who have an Active Directory user can log into Artifactory - which is not what I want.
I configured Artifactory to use two specific AD groups to allow users in, but we can't seem to get ADFS to filter those same groups
As far as I've understood, Artifactory doesn't do anything with SAML authentication besides checking whether ADFS says the user is allowed or not allowed - is that correct?
Does anyone have experience with that kind of problem or an idea on how to solve this?
We are using Artifactory 5.2.0 at the moment
Never used Artifactory but assuming it's just a SAML SP ...
What is the format of the AD groups? What claim type? You may need a claims rule to transform the attribute to the required format.
ADFS can pass groups as Roles using "Token Groups - Unqualified Names".
Or you can set an access rule in ADFS so that access is denied if the user is not a member of a group.
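What the group information the answer refers to looks like once ADFS has issued it, as an added example (not code from the thread, from Artifactory or from Microsoft): the response is base64 in the SAMLResponse form field, the group names sit in an AttributeStatement under the Role claim type (or the xmlsoap Group type, depending on the claim rule), and an SP-side allow-list check over them is a few lines. Decoding a captured response this way is the quickest way to see whether the claims rule actually emits the groups you expect. The response XML is a constructed sample with a placeholder user and group names; the two claim type URIs and the SAML namespace are the standard ones.

```python
"""Added example: decode a SAMLResponse and read the group claims ADFS issued.
The response XML is constructed; the claim type URIs are the standard ones."""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Standard ADFS claim types. "Token-Groups - Unqualified Names" issued as Role
# lands under ROLE_CLAIM; the xmlsoap Group type is the other common target.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample. The Signature element is omitted here; a real SP must
# validate the signature before trusting any attribute in the assertion.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.org</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_CLAIM}">
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
        <saml:AttributeValue>artifactory-users</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def encode_saml_response(response_xml: str) -> str:
    """Inverse of decode_saml_response; handy for building test posts."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")


def decode_saml_response(form_value: str) -> str:
    """The SAMLResponse POST parameter is base64 of the XML; decode it for inspection."""
    return base64.b64decode(form_value).decode("utf-8")


def attributes(response_xml: str) -> Dict[str, List[str]]:
    """All attribute names -> values found in the assertion's AttributeStatement."""
    root = ET.fromstring(response_xml)
    out: Dict[str, List[str]] = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if name:
            out.setdefault(name, []).extend(values)
    return out


def unqualified(group: str) -> str:
    """Strip a DOMAIN\\ prefix so qualified and unqualified names compare equal."""
    return group.split("\\", 1)[-1]


def group_memberships(response_xml: str) -> Set[str]:
    """Group names from either claim type, normalised to unqualified form."""
    attrs = attributes(response_xml)
    return {unqualified(g) for g in attrs.get(ROLE_CLAIM, []) + attrs.get(GROUP_CLAIM, [])}


def is_authorized(response_xml: str, allowed_groups: Set[str]) -> bool:
    """SP-side allow-list check: the user needs at least one allowed group."""
    return bool(group_memberships(response_xml) & allowed_groups)


if __name__ == "__main__":
    posted = encode_saml_response(SAMPLE_RESPONSE)  # what the browser would POST
    xml_text = decode_saml_response(posted)
    print(group_memberships(xml_text), is_authorized(xml_text, {"artifactory-users"}))
```

If `group_memberships` comes back empty for a user who is in the group, the claims rule is not emitting the groups (wrong claim type, or the relying party trust has no such rule), which is exactly the case where an SP configured to look for those group names admits nobody or, if it only checks that ADFS authenticated the user, everybody.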

NetSuite redirect fails with bad SAML request on Azure

I have setup SSO with Netsuite and Azure using the following instructions:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-netsuite-tutorial/.
The SSO works for users from Office 365 to NetSuite, however if a user clicks on a NetSuite link in an email they receive an invalid SAML protocol message from Azure during authentication.
For example:
Email Link is
"https://system.netsuite.com/app/accounting/transactions/purchord.nl?id=167770&c={ACCOUNT_ID}"
Get redirected to (by NetSuite)
"https://login.windows.net/9621cdc8-e1c4-4a3c-849e-35be6db5a45e/saml2"
which then redirects to:
"https://login.microsoftonline.com/9621cdc8-e1c4-4a3c-849e-35be6db5a45e/saml2?RelayState=https%3A%2F%2Fsystem.netsuite.com%2Fapp%2Faccounting%2Ftransactions%2Fpurchord.nl%3Fid%3D167770%26c%3D{ACCOUNT_ID}"
which generates error:
Sign In
Sorry, but we’re having trouble signing you in.
We received a bad request.
Additional technical information:
Correlation ID: a8ceee9f-8507-4f55-aa56-e65266bf7d92
Timestamp: 2016-04-13 05:18:07Z
AADSTS75005: The request is not a valid Saml2 protocol message.
Does anyone have any ideas how to get further details on the error, or fix it?
I recently came across this issue and found a solution that works for me.
Try using the following format
https://account.activedirectory.windowsazure.com/applications/signin/{AZURE NETSUITE - APPLICATION_ID}?RelayState=https%3A%2F%2F{NetSuite_Account#}.app.netsuite.com%2Fapp%2Faccounting%2Ftransactions%2Fpurchord.nl%3Fid%3D{Purchase_Order_Record_ID}
I hope this helps.
Recently I faced this issue with Azure SSO: the link does not work, it fails at the SSO provider's (Azure) login URL. The issue is not with NetSuite; it is sending the request for authentication to Azure, but Azure could not authenticate the user even though the user is logged into the AD. You can resolve this issue by syncing Azure AD and the source of authority. Also make sure your Azure SSO is set up correctly, by running the Azure Active Directory Module for Windows PowerShell as an admin.
Good luck