OpenAM Web Policy Agent not redirecting user with expired session to authenticate, but 403 page instead - single-sign-on

I'm using OpenAM 13 and Web Policy Agent 4.0 for Apache.
It seems that the Web Policy Agent cannot recognize that an iPlanetDirectoryPro cookie (the token set by OpenAM after authentication) is expired or is actually invalid.
It looks like the Web Policy Agent takes the token and confirms it with OpenAM, is told that the validation failed, as in the log lines below, and then gives the user a 403 Forbidden page.
2017-01-24 11:29:55.475 +0800 WARNING [0x7f180e887700:17669] am_get_session_policy_cache_entry(): failed to locate data for a key (AQIC5wM2LY4SfcxFG6Bl98dRT7AluZ7682rulJGU8-CCSN4.*AAJTSQACMDEAAlNLABQtMTQ2NTcwMTgyOTEwMjQ5MTg4OQACUzEAAA..*)
2017-01-24 11:29:55.484 +0800 WARNING [0x7f180e887700:17669] validate_policy(): retry 0 (remote session/policy call failure: error)
2017-01-24 11:29:57.490 +0800 WARNING [0x7f180e887700:17669] validate_policy(): retry 1 (remote session/policy call failure: error)
2017-01-24 11:29:59.497 +0800 WARNING [0x7f180e887700:17669] validate_policy(): retry 2 (remote session/policy call failure: error)
2017-01-24 11:30:01.504 +0800 WARNING [0x7f180e887700:17669] validate_policy(): retry 3 (remote session/policy call failure: error)
2017-01-24 11:30:03.504 +0800 ERROR [0x7f180e887700:17669] validate_policy(): remote session/policy call to validate 'http://agent.job.com.tw:80/notification/push' failed (max 3 retries exhausted)
The expected behavior in that situation is to redirect the user to authenticate, I think. If the user is valid but has no permission to access that page, the agent would be instructed to block the user from it, like this one below.
2017-01-24 11:43:59.009 +0800 WARNING [0x7f17f9ff3700:17669] am_get_session_policy_cache_entry(): failed to locate data for a key (AQIC5wM2LY4Sfcz6gBnS77c_KhZogqv6gYGQdjU1WpRaQxE.*AAJTSQACMDEAAlNLABMzMTYxMjIwNDAzNjc4NDA4MDQxAAJTMQAA*)
2017-01-24 11:43:59.050 +0800 WARNING [0x7f17f9ff3700:17669] validate_policy(): decision: deny, reason: no action decisions found
2017-01-24 11:43:59.213 +0800 WARNING [0x7f180d000700:17669] validate_policy(): validate policy did not find a match for 'http://agent.job.com.tw:80/favicon.ico' in the cached entries, retrying with the new request to the policy service
2017-01-24 11:43:59.227 +0800 WARNING [0x7f180d000700:17669] validate_policy(): decision: deny, reason: no action decisions found
However, if I navigate to the OpenAM server page myself, whether before or after accessing the resource page and getting a 403 page back, OpenAM asks me to authenticate! In other words, to log in, and the iPlanetDirectoryPro cookie has disappeared; I guess it was cleared by OpenAM. So this means that OpenAM is able to distinguish an expired session, or at least it knows how to take care of an iPlanetDirectoryPro cookie which is no longer effective.
If I choose not to log in immediately and head back to the resource page, it starts redirecting to OpenAM for authentication, which is good. When I get the 403 page, removing the iPlanetDirectoryPro cookie manually does the same trick.
Well, this is really annoying, and could be critical for general users: they won't be aware that they need to apply the workarounds mentioned above.
I hope somebody kind could help me with this problem; many thanks.

I believe you are running into this bug: AMAGENTS-279
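The two log excerpts in the question describe different situations: in the first, the agent never gets a usable answer from OpenAM about the token (the remote session/policy call fails until the retries are exhausted); in the second, OpenAM answers with an explicit policy deny for a user whose session is fine. An operator reading agent logs wants to tell these apart quickly, because only the first one is the unexpected 403. The following script is an added example, not code from the question, from OpenAM or from the Web Policy Agent: it parses lines in the agent's log format (inferred from the lines quoted above), classifies each line, and folds the events of each agent thread into an outcome. The sample log is constructed to mirror the question's lines, with the session token values replaced by placeholders.

```python
"""Triage OpenAM Web Policy Agent log lines into the two cases the question contrasts.

Added example, not code from the original question or from OpenAM / the agent.
'session_validation_failed' means OpenAM never confirmed the token (retries
exhausted, the unexpected 403); 'authorization_denied' means OpenAM returned a
deny decision for a validated session (where a 403 is the intended result).
"""
import re

# Line layout inferred from the question's log excerpts:
# <timestamp> <LEVEL> [<thread>:<pid>] <function>(): <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+) \[(?P<thread>0x[0-9a-f]+):(?P<pid>\d+)\] "
    r"(?P<func>\w+)\(\): (?P<msg>.*)$"
)
CACHE_MISS_RE = re.compile(r"failed to locate data for a key \((?P<key>[^)]+)\)")
RETRY_RE = re.compile(r"retry (?P<n>\d+) \(remote session/policy call failure")
EXHAUSTED_RE = re.compile(
    r"remote session/policy call to validate '(?P<url>[^']+)' failed "
    r"\(max (?P<max>\d+) retries exhausted\)"
)
DECISION_RE = re.compile(r"decision: (?P<decision>allow|deny), reason: (?P<reason>.+)$")

# Constructed sample mirroring the question's two excerpts; tokens are placeholders.
SAMPLE_LOG = """\
2017-01-24 11:29:55.475 +0800 WARNING [0x7f180e887700:17669] am_get_session_policy_cache_entry(): failed to locate data for a key (TOKEN-PLACEHOLDER-1)
2017-01-24 11:29:55.484 +0800 WARNING [0x7f180e887700:17669] validate_policy(): retry 0 (remote session/policy call failure: error)
2017-01-24 11:29:57.490 +0800 WARNING [0x7f180e887700:17669] validate_policy(): retry 1 (remote session/policy call failure: error)
2017-01-24 11:29:59.497 +0800 WARNING [0x7f180e887700:17669] validate_policy(): retry 2 (remote session/policy call failure: error)
2017-01-24 11:30:01.504 +0800 WARNING [0x7f180e887700:17669] validate_policy(): retry 3 (remote session/policy call failure: error)
2017-01-24 11:30:03.504 +0800 ERROR [0x7f180e887700:17669] validate_policy(): remote session/policy call to validate 'http://agent.job.com.tw:80/notification/push' failed (max 3 retries exhausted)
2017-01-24 11:43:59.009 +0800 WARNING [0x7f17f9ff3700:17669] am_get_session_policy_cache_entry(): failed to locate data for a key (TOKEN-PLACEHOLDER-2)
2017-01-24 11:43:59.050 +0800 WARNING [0x7f17f9ff3700:17669] validate_policy(): decision: deny, reason: no action decisions found
"""


def parse_line(line):
    """Split one agent log line into its fields; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def classify(rec):
    """Map a parsed record to an event kind plus the details worth keeping."""
    msg = rec["msg"]
    if rec["func"] == "am_get_session_policy_cache_entry":
        m = CACHE_MISS_RE.search(msg)
        return ("cache_miss", {"key": m["key"]} if m else {})
    m = EXHAUSTED_RE.search(msg)
    if m:
        return ("validation_failed", {"url": m["url"], "max_retries": int(m["max"])})
    m = RETRY_RE.search(msg)
    if m:
        return ("retry", {"n": int(m["n"])})
    m = DECISION_RE.search(msg)
    if m:
        return ("policy_decision", {"decision": m["decision"], "reason": m["reason"]})
    return ("other", {})


def triage(log_text):
    """Fold each agent thread's events into {thread: {retries, outcome, detail}}."""
    outcomes = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        slot = outcomes.setdefault(
            rec["thread"], {"retries": 0, "outcome": "undetermined", "detail": {}}
        )
        kind, detail = classify(rec)
        if kind == "retry":
            slot["retries"] += 1
        elif kind == "validation_failed":
            slot["outcome"] = "session_validation_failed"
            slot["detail"] = detail
        elif kind == "policy_decision" and detail["decision"] == "deny":
            slot["outcome"] = "authorization_denied"
            slot["detail"] = detail
    return outcomes


# What the question expects the agent to do in each case (the asker's
# expectation, not documented agent behaviour).
EXPECTED_ACTION = {
    "session_validation_failed": "redirect to OpenAM login (token could not be validated)",
    "authorization_denied": "403 Forbidden (validated session, policy denies access)",
    "undetermined": "no final decision logged yet",
}

if __name__ == "__main__":
    for thread, info in triage(SAMPLE_LOG).items():
        print(f"{thread}: {info['outcome']} after {info['retries']} retries "
              f"-> {EXPECTED_ACTION[info['outcome']]}")
```

Run on the constructed sample, thread 0x7f180e887700 ends as session_validation_failed after four retries and thread 0x7f17f9ff3700 as authorization_denied; on a real agent log the same grouping by thread shows which 403s came from a validation failure rather than a policy decision.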

Related

SSO Redmine with Keycloak via google Identity

paradigm
Hello Everyone
I am trying to integrate SSO on Redmine using Keycloak with Google as the identity provider. I almost got there, until I got this error: after logging in with my Google account, Keycloak returns to Redmine with the following error.
Log redmine:
Completed 200 OK in 53ms (Views: 39.3ms | ActiveRecord: 9.6ms)
Started GET "/auth/saml" for 42.113.145.55 at 2022-08-29 15:09:34 +0700
Started POST "/auth/saml/callback" for 42.113.145.55 at 2022-08-29 15:09:34 +0700
Started GET "/auth/failure?message=invalid_ticket&origin=https%3A%2F%2Fdomain redmine%2Flogin&strategy=saml" for 42.113.145.55 at 2022-08-29 15:09:34 +0700
Processing by AccountController#login_with_saml_failure as HTML
Parameters: {"message"=>"invalid_ticket", "origin"=>"https://domain redmine/login", "strategy"=>"saml"}
Current user: anonymous
Redirected to http://domain redmine/login
Completed 302 Found in 7ms (ActiveRecord: 1.7ms)
Started GET "/login" for 42.113.145.55 at 2022-08-29 15:09:35 +0700
Processing by AccountController#login as HTML
I'm guessing that the cause of the problem lies in the identity provider mappers or the client on Keycloak. I have no experience with this; can someone help me check whether my mappers configuration is correct?

Access token validation failure. Invalid audience requesting AzureADPolicies

I'm using PowerShell to connect to Azure AD, and what I need is to get a list of the policies that were configured.
First, I used Connect-AzureAD to get into my tenant, and when I tried to use Get-AzureADPolicy, I got this error:
Get-AzureADPolicy: Error occurred while executing GetPolicies Code: InvalidAuthenticationToken Message: Access token validation failure. Invalid audience. InnerError:
DateTimeStamp: Wed, 16 Feb 2022 20:36:13 GMT HttpStatusCode: Unauthorized HttpStatusDescription: Unauthorized HttpResponseStatus: Completed
Any ideas of what I could be doing wrong?
Thanks
I have tested in my environment. I was able to get the list of policies successfully.
Try using the latest AzureADPreview module:
Uninstall-Module AzureAD
Install-Module AzureADPreview
Import-Module AzureADPreview
Now, use the cmdlet "Connect-AzureAD" with credentials and "Get-AzureADPolicy" to display the list of policies.
If still the error remains, please check if you have permissions and granted consent for the same.
Try with "Connect-AzureAD -AzureEnvironmentName AzureUSGovernment"
Reference:
Get-AzureADDirectorySetting - Authentication problems - Microsoft Q&A

Office 365 REST API Beta - retrieving Outlook tasks from other users "forbidden"?

I'm curious if anyone else has seen the following behavior from the Office 365 REST API beta when attempting to retrieve Outlook tasks for users other than one's self?
I've confirmed that I've granted my application the necessary permissions for it to retrieve tasks for all users:
https://outlook.office.com/api/beta/me/tasks
-> I get a result
https://outlook.office.com/api/beta/users/abc#xyz.com/tasks
-> I get a 403 forbidden error
If a developer is reading this, could this be an issue with the beta API which will be corrected in the near future? Or is there something else which could be going sideways?
Aside from "tasks", I can retrieve contacts, mail, etc. from other users just fine.
Here is the response I get whenever I attempt to query another user's tasks:
HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
request-id: 5c375fd9-d5ed-4fd3-8e1a-ab3dc61feaf3
X-CalculatedFETarget: BN3PR03CU002.internal.outlook.com
X-BackEndHttpStatus: 403, 403
X-FEProxyInfo: BN3PR0301CA0017.NAMPRD03.PROD.OUTLOOK.COM
X-CalculatedBETarget: BN3PR0501MB1298.namprd05.prod.outlook.com
x-ms-diagnostics: 2000008;reason="The token contains not enough scope to make this delegate access call.";error_category="invalid_grant"
OData-Version: 4.0
X-DiagInfo: BN3PR0501MB1298
X-BEServer: BN3PR0501MB1298
X-FEServer: BN3PR0301CA0017, CO1PR06CA031
X-MSEdge-Ref: Ref A: 5CE3BDDBE9BB483ABA0F13CE2EC07F80 Ref B: 52E8D7443714773298F8956513923AFC Ref C: Thu Jun 30 12:59:31 2016 PST
Cache-Control: private
Date: Thu, 30 Jun 2016 19:59:31 GMT
Set-Cookie: exchangecookie=e4b8e5f48581449893f48eba48413e88; expires=Fri, 30-Jun-2017 19:59:31 GMT; path=/; HttpOnly
Server: Microsoft-IIS/8.5
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000#*", token_types="app_asserted_user_v1 service_asserted_app_v1", error="invalid_token"
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again."
}
}
It says that, "The token contains not enough scope to make this delegate access call."
However: I have confirmed that 9/9 "Application Permissions" as well as 26/26 "Delegated Permissions" have been granted to the app for the "Office 365 Exchange Online" service. Additionally, the account I'm using is also a Global Administrator for our tenant.
Thanks for any help!
At present, Task API requests are always performed on behalf of the signed-in user (referring to the target user).
And there is no such scope for reading tasks from all users; you can refer to the permissions in the figure below:
You may submit feedback here if you require the Task API to support other users.
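The response quoted in the question carries its real diagnosis in two headers rather than in the JSON body: x-ms-diagnostics gives a code, a reason and an error_category, and WWW-Authenticate carries a Bearer challenge with the accepted client_id, trusted issuers, token types and an error value. The body only says "Access is denied". The script below is an added example, not code from the question or from the Office 365 / Outlook REST API: it parses a raw HTTP/1.1 response, extracts those auth-param lists, and reduces them to a verdict that separates a token lacking scope for a delegated call from a rejected token or a plain access denial. The sample response is constructed from the one in the question, with the request id and cookie replaced by placeholders.

```python
"""Parse an Office 365 REST API error response and reduce it to a verdict.

Added example, not code from the original question or from the Office 365 API.
"""
import json
import re

# key="value" pairs as used in both the Bearer challenge and x-ms-diagnostics
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed from the question's 403 response; ids and cookie are placeholders.
SAMPLE_RESPONSE = """HTTP/1.1 403 Forbidden
request-id: REQUEST-ID-PLACEHOLDER
x-ms-diagnostics: 2000008;reason="The token contains not enough scope to make this delegate access call.";error_category="invalid_grant"
OData-Version: 4.0
Set-Cookie: exchangecookie=COOKIE-PLACEHOLDER; path=/; HttpOnly
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000#*", token_types="app_asserted_user_v1 service_asserted_app_v1", error="invalid_token"

{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again."
  }
}
"""


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, header dict, body text)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, headers, body


def parse_auth_challenge(value):
    """Parse 'Bearer k="v", k2="v2"' into (scheme, {k: v})."""
    scheme, _, params = value.partition(" ")
    return scheme, dict(PARAM_RE.findall(params))


def parse_diagnostics(value):
    """Parse 'code;reason="...";error_category="..."' into a dict."""
    code, _, rest = value.partition(";")
    return {"code": code.strip(), **dict(PARAM_RE.findall(rest))}


def diagnose(raw):
    """Return the extracted fields plus a verdict for one raw response."""
    status, headers, body = parse_response(raw)
    diag = parse_diagnostics(headers["x-ms-diagnostics"]) if "x-ms-diagnostics" in headers else {}
    _scheme, bearer = parse_auth_challenge(headers.get("www-authenticate", ""))
    try:
        body_code = json.loads(body)["error"]["code"]
    except (ValueError, KeyError, TypeError):
        body_code = None

    reason = diag.get("reason", "")
    category = diag.get("error_category")
    if status == 403 and category == "invalid_grant" and "scope" in reason.lower():
        # The token was accepted but does not carry the scope this call needs.
        verdict = "insufficient_scope"
    elif status == 401:
        verdict = "token_rejected"
    elif status == 403:
        verdict = "access_denied"
    else:
        verdict = "no_auth_error"

    return {
        "status": status,
        "diag_code": diag.get("code"),
        "category": category,
        "reason": reason,
        "bearer": bearer,
        "body_code": body_code,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_RESPONSE)
    print(f"{result['status']} {result['verdict']}: {result['reason']}")
    print("accepted token types:", result["bearer"].get("token_types"))
```

On the sample the verdict is insufficient_scope, which matches the answer above: the delegated call is made as the signed-in user, and no scope exists that would let the token read another user's tasks, so granting more application permissions does not change the outcome.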

Jasig CAS - 404 code after successful service ticket validation

We are currently trying to deploy CAS 4.0.1 on a JBoss EAP 6.3.0 server.
The login webflow was customised in order to redirect to a specific login form depending on the service calling CAS for authentication. Depending on these forms, we use specific authentication handlers, and a specific Credential model. Besides that, the configuration is rather standard.
At the moment, we are experiencing the following issue: when a user attempts to access a service secured by CAS, he is correctly redirected to the portal, and the expected login view is rendered; upon successful login, the Service Ticket is delivered to the authentication filter on the service side (standard j_spring_cas_security_check), which then validates it successfully against CAS' ticket registry. We see in the logs that CAS is rendering the cas2ServiceSuccessView; however, instead of delivering the expected XML response, the user is redirected to the login form.
We then confirmed that we were in fact getting a 404 error after the cas2ServiceSuccessView... Any idea what could trigger such behaviour, or what we could have done wrong?
Note that we are getting the same error regardless of how we call CAS for the ST validation: whether it is manually through /serviceValidate?ticket=ST-YYY&service=XXX, or via the /j_spring_cas_security_check on the service side...
Edit: we have the same behaviour running CAS on Tomcat 7.
Thanks in advance.
Below are the debug logs that we are getting:
08:54:10,806 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) Last-Modified value for [/cas/serviceValidate] is: -1
08:54:10,809 INFO [org.perf4j.TimingLogger] (http-/0.0.0.0:8080-7) start[1433314450807] time[2] tag[VALIDATE_SERVICE_TICKET]
08:54:10,810 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] (http-/0.0.0.0:8080-7) Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-3-uecoOwdbdIn4bc2WvXfe-cas-test
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Wed Jun 03 08:54:10 CEST 2015
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
08:54:10,810 DEBUG [org.springframework.validation.DataBinder] (http-/0.0.0.0:8080-7) DataBinder requires binding of required fields [renew]
08:54:10,811 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) Rendering view [org.springframework.web.servlet.view.InternalResourceView: name 'cas2ServiceSuccessView'; URL [/WEB-INF/view/jsp/cas2ServiceSuccessView.jsp]] in DispatcherServlet with name 'cas'
08:54:10,811 DEBUG [org.springframework.web.servlet.view.InternalResourceView] (http-/0.0.0.0:8080-7) Added model object 'assertion' of type [org.jasig.cas.validation.ImmutableAssertion] to request in view with name 'cas2ServiceSuccessView'
08:54:10,811 DEBUG [org.springframework.web.servlet.view.InternalResourceView] (http-/0.0.0.0:8080-7) Removed model object 'pgtIou' from request in view with name 'cas2ServiceSuccessView'
08:54:10,811 DEBUG [org.springframework.web.servlet.view.InternalResourceView] (http-/0.0.0.0:8080-7) Forwarding to resource [/WEB-INF/view/jsp/cas2ServiceSuccessView.jsp] in InternalResourceView 'cas2ServiceSuccessView'
08:54:10,812 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) Successfully completed request
08:54:10,814 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) DispatcherServlet with name 'cas' processing GET request for [/cas/login]
08:54:10,814 DEBUG [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] (http-/0.0.0.0:8080-7) Mapping request with URI '/cas/login' to flow with id 'login'
In Spring Security 4.x, CasAuthenticationFilter's defaultFilterProcessesUrl path has changed.
So change '/j_spring_cas_security_check' to '/login/cas' in the configuration.
... and of course, the cause was rather silly: somehow (I have to look at our merge/git history), the viewResolver bean defined in cas-servlet.xml did not have a basenames property set.

PingFederate SLO - Status Message: Invalid signature

After I invoke single logout (SLO) by calling GET on https://[PingFederate Server Instance]:[Port]/sp/startSLO.ping, my PingFederate server begins making requests to my SP logout services. [I know this because I can see it happening in Fiddler.]
But when one of my SPs invokes "https://<PingFederate DNS>:XXXX" + request.getParameter("resume"); (per Scott T.'s answer here), I get an error message:
Error - Single Logout Nonsuccess Response status:
urn:oasis:names:tc:SAML:2.0:status:Requester Status Message: Invalid
signature Your Single Logout request did not complete successfully. To
logout out of your Identity Provider and each Service Provider, close
all your browser windows. Partner: XXXX:IDP Target Resource:
http://<domain>/<default SLO endpoint>
My Questions:
What is this error message referring to?
How can I resolve this error condition?
This error is likely due to a mismatch in configuration between IdP and SP. The signing keys/certificate for SAML messages used at one end must match the verification certificate at the other end. Check your Credentials configuration on your connection for both IdP and SP. See this section in the PingFederate Administration Guide for some details.