LTPA using IBM Security Access Manager and MobileFirst 6.3 throwing exception - single-sign-on

Here is the setup for LTPA token based authentication between ISAM and MobileFirst 6.3:
The ISAM appliance hosts the login page and generates the LTPA token using the ltpa.keys from the MobileFirst 6.3 server. ISAM also connects to LDAP to authenticate the user, and eventually forwards the request with the generated LtpaToken2 cookie down to the MobileFirst 6.3 server. I have configured the following authenticationConfig.xml:
<securityTests>
  ...
  <customSecurityTest name="ISAMforWorklight-web-securityTest">
    <test realm="wl_antiXSRFRealm" />
    <test realm="WASLTPARealm" isInternalUserID="true" />
    <test realm="HeaderAuthRealm"/>
  </customSecurityTest>
</securityTests>
<realms>
  ...
  <realm loginModule="WASLTPAModule" name="WASLTPARealm">
    <className>com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator</className>
    <parameter name="login-page" value="/login.html"/>
    <parameter name="error-page" value="/loginError.html"/>
  </realm>
</realms>
<loginModules>
  ...
  <loginModule name="WASLTPAModule">
    <className>com.worklight.core.auth.ext.WebSphereLoginModule</className>
  </loginModule>
</loginModules>
server.xml contains:
<ltpa keysFileName="<app>/resources/security/ltpa.keys" keysPassword="whatever" expiration="120"/>
It is throwing the following exception. Per my understanding the default login handler should work seamlessly in MobileFirst when LtpaToken2 is provided in the request. I am not sure what I am missing here.
==> trace.log <==
[7/22/15 20:28:03:229 UTC] 000000eb id= com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator I processRequest FWLSE0055I: Not recognized. [project worklight]
[7/22/15 20:28:03:230 UTC] 000000eb id= com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator 1 processRequest Processing request not recognized [project worklight]
[7/22/15 20:28:03:230 UTC] 000000eb id= com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator < processRequest RETURN

Related

Shibboleth integration

Currently we have CAS SSO for our existing .NET application, but now the client is asking for Shibboleth SSO instead of CAS. I'm totally new to Shibboleth.
The client has given the following details:
entityid= urn:mace:incommon:xxx.edu
metadata URL for test environment is:
https://shibboleth-test.xxx.edu/idp/shibboleth
Using the guidelines from the Shibboleth site, below are the steps I followed.
Installed the Shibboleth Service Provider (shibboleth-sp-2.6.1.4-win64.msi)
Installed Java with JCE
Installed the Shibboleth IdP (with Jetty also checked) (shibboleth-identity-provider-3.3.3-x64.msi)
Web application with a self-signed certificate
Attached is my shibboleth2.xml file:
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">
  <InProcess logger="native.logger">
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
      <Site id="2" name="shibboleth-test.xxx.edu" scheme="https" port="443" />
    </ISAPI>
  </InProcess>
  <RequestMapper type="Native">
    <RequestMap>
      <Host name="shibboleth-test.xxx.edu" scheme="https" port="443">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="urn:mace:incommon:xxx.edu"
                       REMOTE_USER="eppn persistent-id targeted-id"
                       cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">
      <SSO entityID="urn:mace:incommon:xxx.edu"
           discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
        SAML2 SAML1
      </SSO>
      <!-- SAML and local-only logout. -->
      <Logout>SAML2 Local</Logout>
      <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <!-- Status reporting service. -->
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 <my system IP>"/>
      <!-- Session diagnostic service. -->
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
      <!-- JSON feed of discovery information. -->
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>
    <Errors supportContact="root@localhost"
            helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>
    <!-- Map to extract attributes from SAML assertions. -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>
  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
Problems I'm facing:
When I try to access https://shibboleth-test.xxx.edu/Shibboleth.sso/Status
I get the error "no metadataprovider available".
Problems noticed:
1. When I try to add a MetadataProvider, the Shibboleth Daemon 2 service stops and I am unable to start it. If I remove it, the service runs.
2. The Shibboleth IdP 3 daemon stops very frequently.
When I run 'sc interrogate shibd_idp' at the command prompt, the result is:
control service failed 1062
the service has not been started.
I don't know what is wrong with my setup.
Can anyone please tell me what steps to follow to accomplish this integration?
Thanks in advance,
Hema
There will be a tag in shibboleth2.xml called MetadataProvider; you will need to open that.
If you have done this but the shibd service is still not starting, check the log and give additional info in the question.
Another reason I can think of is a connection problem. Try downloading the IdP's metadata and storing it physically in the SP configuration folder. Map the file manually, using the following tag:
<MetadataProvider type="XML" file="partner-metadata.xml"/>
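The MetadataProvider element the answer refers to, written out as an added example (it is not from the question, the answer, or the Shibboleth distribution): a provider that pulls the IdP metadata from the URL given in the question, caches it locally, and refuses metadata that is unsigned or lacks an expiry. It sits inside `<ApplicationDefaults>`, after `<Errors>` and before `<AttributeExtractor>`, where the stock shibboleth2.xml keeps it. The file name `idp-signing.pem` is an assumption; the certificate must be obtained from the IdP operator out of band, not taken from the metadata it is meant to verify.

```xml
<!-- Added example, not part of the original configuration above. -->
<MetadataProvider type="XML"
                  uri="https://shibboleth-test.xxx.edu/idp/shibboleth"
                  backingFilePath="idp-metadata.xml"
                  reloadInterval="7200">
  <!-- Reject metadata that carries no validUntil, or one more than
       28 days (2419200 s) out, so a stale or forged copy is not trusted forever. -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
  <!-- Verify the XML signature with a locally held signing certificate.
       "idp-signing.pem" is an assumed file name. -->
  <MetadataFilter type="Signature" certificate="idp-signing.pem"/>
</MetadataProvider>
```

Both filters assume the publisher signs the document and sets `validUntil`; a metadata document served straight from an IdP's own `/idp/shibboleth` endpoint often does neither, in which case shibd will reject it at load time. The safe fallback is then the answer's local-file form: fetch the document once over TLS, review it, and point `file=` at the saved copy rather than fetching it live with no verification.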
All the issues were resolved after we upgraded from Shibboleth 2.6 to 3.0.2. We are getting the Shibboleth Identity Provider login page and we are able to see the attributes in Session. Now we are working on how to retrieve the attributes in our application and how to redirect to our application home page. Currently we created one sample HTML page under the secure folder in our application; once logged in, we are able to reach this HTML page. But when I tried to redirect to our application home page, it gives a 500 error. Does anyone know how to redirect to our app home page and retrieve the attributes in the application?

SRVE0295E error on integrating Bluemix application with SSO service using cloud directory

I am facing an issue with SSO integration (Cloud Directory) with a Liberty for Java application.
I have a Liberty application which is integrated with the SSO service using Cloud Directory. I have followed the steps mentioned here.
When I access the homepage of the application, I am getting the "Error 500: SRVE0295E: Error reported: 500" error message. The logs aren't providing any useful information.
The steps that I followed are listed below:
Created a simple Liberty for Java web app, named SSODemo, and deployed it on Bluemix. I could access the home page of the application.
Created the SSO service. Created a Cloud Directory, added a couple of users and saved.
Added the following to the web.xml file of SSODemo:
<security-constraint>
  <display-name>SSODemoSecurity</display-name>
  <web-resource-collection>
    <web-resource-name>Secured</web-resource-name>
    <url-pattern>/</url-pattern>
    <url-pattern>/</url-pattern>
    <url-pattern>/</url-pattern>
    <url-pattern>/SSODemo/</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
    <http-method>HEAD</http-method>
    <http-method>TRACE</http-method>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>TESTROLE</role-name>
  </auth-constraint>
</security-constraint>
Copied the ssodemo.war file to the folder c:\deploy2bluemix\apps
Created a server.xml file in c:\deploy2bluemix and added the role. server.xml looks as below:
<featureManager>
  <feature>jsp-2.2</feature>
  <feature>localConnector-1.0</feature>
</featureManager>
<httpEndpoint httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint"/>
<applicationMonitor updateTrigger="mbean"/>
<application type="war" id="SSODemo" name="SSODemo" location="SSODemo.war" context-root="/">
  <application-bnd>
    <security-role name="TESTROLE">
      <special-subject type="ALL_AUTHENTICATED_USERS"/>
    </security-role>
  </application-bnd>
</application>
Pushed the SSODemo app from c:\deploy2bluemix
Bound the SSO service I created to the SSODemo app
Restaged the SSODemo app
Saved the default details populated on the Integrate tab of the SSO service
Now, when I launch the SSODemo app, it asks for a user ID and password. On providing a valid user ID and password it throws the "Error 500: SRVE0295E: Error reported: 500" error message.
Following is the log entry when the above error message is thrown:
bmssodemo-mc.mybluemix.net - [10/02/2016:03:36:26 +0000] "GET /oidcclient/redirect/GIC5KC6sbK?scope=openid&code=lS9jAkiKSPmC8VNJw0NFULgqMkXEpP&state=f0hvnV7R4iSsUDwU5hzr HTTP/1.1" 500 0 42 "https://ssoq3-gikup9q8qk-cp16.iam.ibmcloud.com/idaas/mtfim/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:basicldapuser" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0" 192.155.237.118:32103 x_forwarded_for:"125.16.236.150" x_forwarded_proto:"https" vcap_request_id:4844e729-a9d6-4efb-579a-a5c6449db8ff response_time:0.227078783 app_id:7b8c1d84-2cb0-420a-8735-198ee50dcf62 x_global_transaction_id:"40112183"
Any guidance to resolve the issue will be very helpful. Thank you.
Actually, the Bluemix status page is reporting a notification opened on Feb 5th about an issue with the SSO service and the Liberty runtime.
Check on
https://developer.ibm.com/bluemix/support/#status
The Liberty for Java runtime provided an urgent update for this issue today. I don't think you need the workaround now. Please give it a try.
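The router access-log line quoted in the question was the only diagnostic the asker had. As an added example (not from the question or the answer), here is a parser for that Cloud Foundry router log format together with the checks a reviewer would run over such lines: it pulls out the OpenID Connect redirect parameters, flags a 5xx on the callback, and notes that the one-time authorization `code` has been written into the log, which makes the log file itself sensitive. The sample line is constructed to match the shape of the quoted one (code and state values shortened); function names such as `parse_router_line` are mine, not Liberty's or Bluemix's.

```python
"""Parse a Cloud Foundry router access-log line and audit OIDC callbacks.
Added example; the log format is inferred from the line quoted in the question."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the same layout as the quoted line; not a real transaction.
SAMPLE_LINE = (
    'bmssodemo-mc.mybluemix.net - [10/02/2016:03:36:26 +0000] '
    '"GET /oidcclient/redirect/GIC5KC6sbK?scope=openid&code=lS9jAkiKSPm&state=f0hvnV7R4iS HTTP/1.1" '
    '500 0 42 "https://ssoq3-gikup9q8qk-cp16.iam.ibmcloud.com/idaas/mtfim/sps/authsvc'
    '?PolicyId=urn:ibm:security:authentication:asf:basicldapuser" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0" '
    '192.155.237.118:32103 x_forwarded_for:"125.16.236.150" x_forwarded_proto:"https" '
    'vcap_request_id:4844e729-a9d6-4efb-579a-a5c6449db8ff response_time:0.227078783 '
    'app_id:7b8c1d84-2cb0-420a-8735-198ee50dcf62 x_global_transaction_id:"40112183"'
)

# host - [time] "METHOD target PROTO" status req_bytes resp_bytes "referer" "ua" backend key:value ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) - \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<protocol>[^"]+)" '
    r'(?P<status>\d{3}) (?P<request_bytes>\d+) (?P<response_bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'(?P<backend>\S+)(?P<extra>.*)$'
)
# Trailing fields are key:value, with the value optionally double-quoted.
EXTRA_RE = re.compile(r'(\w+):"?([^"\s]*)"?')


def parse_router_line(line):
    """Split one router log line into a dict, with the query string decoded."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("line does not match the router log format")
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec.update(EXTRA_RE.findall(rec.pop("extra")))
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def audit_oidc_callback(rec):
    """Findings for an OIDC redirect-callback record; empty list for other requests."""
    findings = []
    if not rec["path"].startswith("/oidcclient/redirect/"):
        return findings
    q = rec["query"]
    if "code" in q:
        # RFC 6749 authorization codes are bearer secrets for a short window;
        # a log that records them must be access-controlled or redacted.
        findings.append("authorization code written to access log; redact or restrict log access")
    if "state" not in q:
        findings.append("callback without state; the client cannot bind it to the login it started")
    if rec["status"] >= 500:
        # The code is single-use and short-lived, so a retry means a fresh login.
        findings.append(f"callback failed with HTTP {rec['status']}; user must re-authenticate")
    if rec.get("x_forwarded_proto") != "https":
        findings.append("callback not received over https")
    return findings


def redact_line(line):
    """Mask code/state values so a line can be shared in a ticket or retained."""
    return re.sub(r'\b(code|state)=([^&\s"]+)', lambda m: f"{m.group(1)}=[REDACTED]", line)


if __name__ == "__main__":
    record = parse_router_line(SAMPLE_LINE)
    for finding in audit_oidc_callback(record):
        print(finding)
    print(redact_line(SAMPLE_LINE))
```

Run it over the raw router log before attaching the log to a support case; the redacted form keeps `vcap_request_id` and `x_global_transaction_id`, which are what the platform team needs to correlate the request.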

Create logon token using BI Platform RESTful SDK

I'm attempting to create a logon token using the BOE BI Platform RESTful SDK v4.1 (using RESTClient).
A GET request to http://server:6405/biprws/logon/long/ returns:
<attrs xmlns="http://www.sap.com/rws/bip">
<attr name="userName" type="string" />
<attr name="password" type="string" />
<attr name="auth" type="string" possibilities="secEnterprise,secLDAP,secWinAD,secSAPR3">secEnterprise</attr>
</attrs>
A POST to http://server:6405/biprws/logon/long/ with a single header of Content-Type: application/xml and a payload of
<attrs xmlns="http://www.sap.com/rws/bip">
<attr name="userName" type="string">myAccount</attr>
<attr name="password" type="string">myPassword</attr>
<attr name="auth" type="string" possibilities="secEnterprise,secLDAP,secWinAD,secSAPR3">secWinAD</attr>
</attrs>
returns:
<error>
<error_code>FWM 00006</error_code>
<message>Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)</message>
</error>
I've also tried <attr name="userName" type="string">myAccount@mycompany.org</attr>, but with the same results.
A POST to http://server:6405/biprws/logon/adsso returns:
<error>
<error_code>RWS 00057</error_code>
<message>Method not allowed (RWS 00057)</message>
</error>
The credentials work with BI Launchpad and the CMC.
What am I missing?
First, a disclaimer: I've only done REST WinAD with SSO, not manual logon. So I can't be absolutely sure that my suggestions below will fix your problem.
The call to /biprws/logon/adsso requires a GET, not a POST, but that will likely not work until you have SSO working.
There are a few settings that are required for WACS to use WinAD, with or without SSO. The file is here:
SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\pjs\services\RestWebService\biprws\WEB-INF\web.xml
You will see a section commented out, starting with:
<!-- Kerberos filter section starts
Uncomment this section. Then set the following parameters:
idm.realm
idm.princ
idm.keytab
idm.kdc
idm.allowUnsecured
The values for these parameters should equal what was set in your system for BI launch pad. This is in:
SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties
The format of the file is different (global.properties is a simple properties file, but web.xml is xml). So you can't just copy/paste the section, but you can copy the individual values. For example, in global.properties, you might see:
idm.keytab=C:/WINDOWS/bosso.keytab
This would be done in web.xml as:
<init-param>
<param-name>idm.keytab</param-name>
<param-value>C:/WINDOWS/bosso.keytab</param-value>
<description>
The file containing the keytab that Kerberos will use for
user-to-service authentication. If unspecified, SSO will default
to using an in-memory keytab with a password specified in the
com.wedgetail.idm.sso.password environment variable.
</description>
</init-param>
A couple of references:
http://myinsightbi.blogspot.com/
https://techwriter79.wikispaces.com/file/view/sbo41sp5_bip_rest_ws_en.pdf
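The logon exchange described in the question (GET the template from /biprws/logon/long, POST it back with the credentials filled in) as an added example, not code from the question, the answer, or SAP. It builds the request body with ElementTree so that a password containing `<`, `&` or quotes is XML-escaped rather than pasted into a string, parses both the success body and the `<error>` body shown in the question, and sets the `X-SAP-LogonToken` header for follow-up calls. The `auth` values are the `possibilities` list returned by the server in the question; the token value in the sample response and the helper names (`build_logon_payload`, `read_attrs`, `logon`) are mine. The question's base URL is plain `http://server:6405`, which sends the password in clear; use the HTTPS port of the RESTful web service in practice.

```python
"""Build and parse BI Platform RESTful SDK logon bodies (/biprws/logon/long).
Added example; namespace and element names are those shown in the question."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

BIP_NS = "http://www.sap.com/rws/bip"
ET.register_namespace("", BIP_NS)  # serialise with xmlns="..." as the server does
AUTH_TYPES = ("secEnterprise", "secLDAP", "secWinAD", "secSAPR3")  # from the GET template

# Constructed responses in the shape the SDK returns; the token value is made up.
SAMPLE_TOKEN_RESPONSE = (
    '<attrs xmlns="http://www.sap.com/rws/bip">'
    '<attr name="logonToken" type="string">boe-cms:6400@{3&amp;2=1234,U3&amp;p=1.0,Y7&amp;4F=12}</attr>'
    '</attrs>'
)
SAMPLE_ERROR_RESPONSE = (
    "<error><error_code>FWM 00006</error_code>"
    "<message>Active Directory Authentication failed to log you on. (FWM 00006)</message></error>"
)


def build_logon_payload(user_name, password, auth="secEnterprise"):
    """Return the <attrs> body for POST /biprws/logon/long, with values XML-escaped.
    For secWinAD outside the default domain, user_name is user@DNS_DomainName."""
    if auth not in AUTH_TYPES:
        raise ValueError(f"auth must be one of {AUTH_TYPES}")
    root = ET.Element(f"{{{BIP_NS}}}attrs")
    for name, value in (("userName", user_name), ("password", password), ("auth", auth)):
        attr = ET.SubElement(root, f"{{{BIP_NS}}}attr", name=name, type="string")
        attr.text = value  # ElementTree escapes <, > and & on output
    return ET.tostring(root, encoding="unicode")


def read_attrs(body):
    """Map of attr name -> text for an <attrs> document (request or response)."""
    root = ET.fromstring(body)
    return {a.get("name"): (a.text or "") for a in root.iter(f"{{{BIP_NS}}}attr")}


def parse_logon_response(body):
    """Return ("token", value) for a success body or ("error", code) for an <error> body."""
    root = ET.fromstring(body)
    if root.tag == "error":
        return ("error", root.findtext("error_code"))
    attrs = read_attrs(body)
    if "logonToken" in attrs:
        return ("token", attrs["logonToken"])
    raise ValueError("unrecognised logon response")


def logon_headers(token):
    """Headers for subsequent /biprws calls; the token value is sent double-quoted."""
    return {"X-SAP-LogonToken": f'"{token}"', "Accept": "application/xml"}


def logon(base_url, user_name, password, auth="secEnterprise", timeout=10):
    """POST the credentials and return the logon token. Network call, not run offline."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/biprws/logon/long",
        data=build_logon_payload(user_name, password, auth).encode("utf-8"),
        headers={"Content-Type": "application/xml", "Accept": "application/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8")
    except urllib.error.HTTPError as exc:  # FWM errors come back with a 4xx status
        body = exc.read().decode("utf-8")
    kind, value = parse_logon_response(body)
    if kind == "error":
        raise PermissionError(f"logon refused: {value}")
    return value


if __name__ == "__main__":
    print(build_logon_payload("svc_report", "p<ss&word", "secWinAD"))
    print(parse_logon_response(SAMPLE_ERROR_RESPONSE))
```

Log off with a POST to `/biprws/logoff` carrying the same header when the session is done; tokens stay valid on the CMS until they expire or are released.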

Mule Facebook Null Payload

I've been asked to evaluate buying MuleSoft and to produce a demo that connects to Facebook. I am following the two samples here:
https://github.com/mulesoft/facebook-connector/blob/master/doc/sample.md
and
http://blogs.mulesoft.com/mule-school-integration-with-social-media-part-ii-%E2%80%93-facebook/
I ran into a problem with the first sample: it wouldn't compile because the endpoint for the HTTP connector was the same as the Facebook connector's. I did some research and made some changes, but I now get the error below and can't find anyone else who has experienced the same:
"Unable to fetch access token. Message payload is of type: NullPayload". This is on the callback page. Has anyone experienced this?
Here is my code:
<http:listener-config name="HTTP_Listener_Configuration" host="localhost" port="8099" doc:name="HTTP Listener Configuration"/>
<facebook:config-with-oauth name="Facebook-config" consumerKey="..." consumerSecret="..." scope="user_photos" doc:name="Facebook">
    <facebook:oauth-callback-config domain="localhost" localPort="8099" remotePort="8099" path="callback"/>
</facebook:config-with-oauth>
<http:listener-config name="HTTP_Listener_Configuration1" host="localhost" port="8094" doc:name="HTTP Listener Configuration"/>
<flow name="Authorize">
    <http:listener config-ref="HTTP_Listener_Configuration" path="/" doc:name="HTTP"/>
    <facebook:authorize config-ref="Facebook-config" doc:name="Facebook"/>
    <!-- Session variable names are case-sensitive; the same name is read below. -->
    <set-session-variable variableName="accessTokenId" value="#[flowVars['OAuthAccessTokenId']]" doc:name="Save Access Token"/>
    <flow-ref name="PhotoDownload" doc:name="Call Photo Download"/>
</flow>
<flow name="PhotoDownload">
    <http:listener config-ref="HTTP_Listener_Configuration1" path="/" doc:name="HTTP"/>
    <not-filter doc:name="Not">
        <wildcard-filter pattern="/favicon.ico" caseSensitive="false"/>
    </not-filter>
    <facebook:get-user-picture config-ref="Facebook-config" user="me" accessTokenId="#[sessionVars['accessTokenId']]" doc:name="Get Profile Picture"/>
    <file:outbound-endpoint path="c:\temp" outputPattern="profilepic.jpg" responseTimeout="10000" doc:name="Save The Picture "/>
    <json:object-to-json-transformer doc:name="Object to JSON"/>
</flow>
Here is the stack trace:
ERROR 2015-06-10 13:47:07,731 [[internalfacebook].HTTP_Listener_Configuration.worker.01] org.mule.exception.DefaultMessagingExceptionStrategy:
********************************************************************************
Message               : Unable to fetch access token. Message payload is of type: NullPayload
Code                  : MULE_ERROR--2
--------------------------------------------------------------------------------
Exception stack is:
1. unable to find valid certification path to requested target (sun.security.provider.certpath.SunCertPathBuilderException)
  sun.security.provider.certpath.SunCertPathBuilder:-1 (null)
2. PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (sun.security.validator.ValidatorException)
  sun.security.validator.PKIXValidator:-1 (null)
3. sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (javax.net.ssl.SSLHandshakeException)
  sun.security.ssl.Alerts:-1 (http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/net/ssl/SSLHandshakeException.html)
4. Error found while consuming http resource at https://graph.facebook.com/oauth/access_token (java.lang.RuntimeException)
  org.mule.security.oauth.util.HttpUtilImpl:93 (null)
5. Unable to fetch access token. Message payload is of type: NullPayload (org.mule.api.MessagingException)
  org.mule.security.oauth.processor.OAuth2FetchAccessTokenMessageProcessor:95 (http://www.mulesoft.org/docs/site/current3/apidocs/org/mule/api/MessagingException.html)
--------------------------------------------------------------------------------
Root Exception stack trace:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    + 3 more (set debug level logging or '-Dmule.verbose.exceptions=true' for everything)
********************************************************************************
INFO 2015-06-10 13:47:08,183 [[internalfacebook].HTTP_Listener_Configuration.worker.01] org.mule.module.http.internal.listener.HttpListenerRegistry: No listener found for request: (GET)/favicon.ico
INFO 2015-06-10 13:47:08,184 [[internalfacebook].HTTP_Listener_Configuration.worker.01] org.mule.module.http.internal.listener.HttpListenerRegistry: Available listeners are: [(*)/callback/, (*)/]
A couple of things might help. First off, make sure your FB app and Mule FB config match on the "scope", e.g. "email,public_profile,user_friends".
Also, I solved part of this issue by creating a global HTTP element as the callback. The callback HTTP path needs to be "/*". Then in the Authorize FB component, under the OAuth tab, I put the callback HTTP name as the HTTP Connector Reference.
<facebook:config-with-oauth name="Facebook-config" consumerKey="..." consumerSecret="..." scope="email,public_profile,user_friends" doc:name="Facebook">
    <facebook:oauth-callback-config domain="localhost"
        localPort="5000" remotePort="5000" connector-ref="callback"></facebook:oauth-callback-config>
</facebook:config-with-oauth>
<http:listener-config name="callback" host="0.0.0.0"
    port="5000" basePath="/*" doc:name="HTTP Listener Configuration" />

Consuming secured WCF service through basicHTTPbinding

I am consuming a secured service hosted over basicHttpBinding.
I have to pass credentials to the service for authentication.
Here's the config setting for the client:
<security mode="TransportWithMessageCredential">
    <transport clientCredentialType="None" proxyCredentialType="None"
               realm="" />
    <message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
While calling the service, I am getting the following exception message:
An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.
Message = "An invalid security token was provided (Bad UsernameToken Values)"
I'm not sure how to get it working. I am curious if somebody can help me out or provide a URL where I could find the solution.
When you create your MyServiceClient object you can set the username and password on the clientInstance.Credentials.UserName object.