How to verify email confirmation token generated by web service in web site - .net-4.5

I'm using .NET 4.5 with a MVC5 5.2.2 web site and a Web API 2.2 service. The web site is using Identity 2.0, and I'm using MachineKey as a data protection provider. In the web site, I'm able to create new users, generate an email confirmation token and then verify that token when it comes back.
In the web service, I need to follow the same process - create a new user, generate email confirmation token and email that token to the new user. The user should then be able to visit the site, confirm the email address and finish creating the account. The problem I'm having is the email confirmation tokens generated by the web service can't be verified by the web site.
Both the service and the site are on the same machine. I can also duplicate this on my local machine in Visual Studio. My first guess was the machine keys weren't the same, but changing both sites to use the same hasn't worked. I've tried and confirmed:
Both sites have <httpRuntime targetFramework="4.5"/> in the <system.web> section.
I've tried <machineKey compatibilityMode="Framework45"/> in both sites.
I've tried generating machine keys - using decryption=AES and validation=SHA1 - with and without setting compatibilityMode.
Per https://aspnetidentity.codeplex.com/workitem/2439, I tried capturing the data protection provider and using that instead of MachineKey.
What am I missing?

So my first lesson from yesterday is that it is best to play Russian roulette with as few bullets in the chamber as possible. Otherwise you end up with a sore foot...as well as a sore forehead.
My problem ended up being that while I knew the confirmation tokens were being URL-encoded correctly from the site, since I was using UrlHelper, I was forgetting that the service was not using UrlHelper, which meant those tokens were not being encoded correctly. After fixing that, I was able to figure out the machineKey settings.
For anyone who finds this: if you need to share Identity 2.0 tokens between different sites, I can confirm that you need a common machineKey set in the web.config of each site. I wasn't able to figure out whether a common machineKey can be configured in IIS Express, so I ended up putting the keys in the web.config in source control and then using the config transforms to remove them, to make sure they aren't included when the site is published. In production, I'm going to use IIS to set these keys for the default web site so they are shared across both sites.
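The two settings the answer ends up with, written out as an added example (not the poster's own files): a shared machineKey in both sites' web.config, and an XDT transform that strips it from the published output. The key values are placeholders; both sites must carry byte-identical keys, or the DataProtectorTokenProvider behind Identity's email-confirmation tokens will reject anything the other site minted. The HMACSHA256 validation algorithm is a choice made for this example (the question tried SHA1), and the token still has to be URL-encoded when the service builds the confirmation link by hand rather than through UrlHelper.

```xml
<!-- web.config: identical <machineKey> in the MVC site AND the Web API service.
     Placeholder keys; generate real ones (e.g. in the IIS Machine Key feature)
     and never commit production values. -->
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.5" />
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS_SHARED_BY_BOTH_SITES"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS_SHARED_BY_BOTH_SITES"
                validation="HMACSHA256"
                decryption="AES"
                compatibilityMode="Framework45" />
  </system.web>
</configuration>

<!-- Web.Release.config: remove the dev keys on publish so production relies on
     the machine-level keys set in IIS for the default web site instead. -->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web>
    <machineKey xdt:Transform="Remove" />
  </system.web>
</configuration>
```

If the transform is forgotten, the published sites still work, but the keys in source control become the production keys; treat the transform as part of the release checklist.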

Related

Can I whitelist all domains for Keycloak in the development environment?

Let's say we have a lot of projects. Project1, Project2, etc. and let's say their local development domains are example1.local and example2.local, etc.
Now we have set up a Keycloak instance of our development machine, with a Development realm inside it, with an AdminPanel client in that realm, and we want to use it for all of our projects.
We can manually add https://example1.local/* and https://example2.local/* etc. to valid redirect URLs and web origins.
But this means that we need to add each and every project we have and we do many many projects per year.
We tried https://* but it did not let us login complaining about invalid redirect_uri.
Is it possible to whitelist every domain for Keycloak?
You should be able to do that. I suggest checking your configuration again. Something like this works perfectly for my scenario, which is the same as yours. The only difference is that I created a dedicated client for my applications, but it's still a single client for many dev environments:
Valid Redirect URIs: https://* or https://*.local
Web Origin: *
Don't put anything extra for Web Origin, just the *. But this is only needed if, for example, you want to use a swagger-ui hosted somewhere else. It allows swagger on any domain to ask Keycloak for a token. If you don't put the *, the swagger-ui or any tool like that would not be able to fetch a token, due to CORS errors.
It's a minor thing, but worth mentioning that you put https:// in the config, so the client app should also be accessed using https. If someone types http by mistake, the same error would be returned.
We tried https://* but it did not let us login complaining about invalid redirect_uri.
Unless you are working in a testing environment, or you want to get hacked, DO NOT DO THIS in a production environment. In OAuth 2.0 Security Best Current Practice you can read an explanation of an exploit based on this misconfiguration.
Therefore, you should make your registered redirect URIs as specific as feasible; simply using a wildcard is a big no-no.
But this means that we need to add each and every project we have and we do many many projects per year.
Wouldn't it be possible to automate this via scripts? Get the project names and then call the Keycloak Admin API to add those redirect URIs to the client.
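What that automation looks like, as an added example (not code from the original posts or from Keycloak): a small script that turns project names into exact https redirect URIs, refuses wildcards and non-https entries outright, merges them into the existing client representation and writes it back through Keycloak's Admin REST API. It assumes the realm "Development" and client "AdminPanel" from the question, an admin account in the master realm, a per-project callback path of /callback (an assumption made here), and a base URL that already includes the /auth prefix on Keycloak versions that use it. Only main() touches the network; the validation and merge functions are pure.

```python
"""Register exact per-project redirect URIs on a Keycloak client (added example)."""
import json
import os
import sys
import urllib.parse
import urllib.request
from urllib.parse import urlsplit


def validate_redirect_uri(uri: str) -> str:
    """Accept only exact https redirect URIs, as OAuth 2.0 Security BCP asks.

    Wildcards such as https://* or https://*.local are rejected because they let an
    attacker-controlled host receive the authorization code. A bare https://host is
    normalised to https://host/ so that exact matching is unambiguous.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-https redirect URI: {uri}")
    if not parts.hostname or "*" in uri:
        raise ValueError(f"refusing wildcard or hostless redirect URI: {uri}")
    if parts.fragment:
        raise ValueError(f"redirect URI must not carry a fragment: {uri}")
    return uri if parts.path else uri + "/"


def is_acceptable_redirect_uri(uri: str) -> bool:
    """Boolean form of validate_redirect_uri, handy for filtering and tests."""
    try:
        validate_redirect_uri(uri)
        return True
    except ValueError:
        return False


def merge_redirect_uris(existing, new):
    """Return existing plus the validated new URIs, de-duplicated, order kept."""
    merged = list(existing)
    for uri in new:
        uri = validate_redirect_uri(uri)
        if uri not in merged:
            merged.append(uri)
    return merged


def project_redirect_uris(project_name):
    """Project name -> its dev-site callback URI (the /callback path is assumed)."""
    return [f"https://{project_name}.local/callback"]


def updated_client_representation(client, new_uris):
    """Copy of the client JSON with the new redirect URIs and their exact origins.

    webOrigins gets the scheme://host of every registered redirect URI so CORS
    does not need the * the first answer suggests; a pre-existing * is left for
    the operator to remove deliberately.
    """
    rep = dict(client)
    rep["redirectUris"] = merge_redirect_uris(client.get("redirectUris", []), new_uris)
    origins = list(client.get("webOrigins", []))
    for uri in rep["redirectUris"]:
        p = urlsplit(uri)
        origin = f"{p.scheme}://{p.netloc}"
        if origin not in origins:
            origins.append(origin)
    rep["webOrigins"] = origins
    return rep


def admin_token(base_url, username, password):
    """Password grant against the master realm's admin-cli client."""
    data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def admin_request(base_url, token, method, path, body=None):
    req = urllib.request.Request(
        f"{base_url}/admin/realms{path}", method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def add_projects(base_url, token, realm, client_id, projects):
    """Look the client up by clientId, merge the project URIs, PUT it back."""
    clients = admin_request(base_url, token, "GET",
                            f"/{realm}/clients?clientId={urllib.parse.quote(client_id)}")
    if len(clients) != 1:
        raise RuntimeError(f"expected exactly one client named {client_id}, got {len(clients)}")
    new_uris = [u for p in projects for u in project_redirect_uris(p)]
    rep = updated_client_representation(clients[0], new_uris)
    admin_request(base_url, token, "PUT", f"/{realm}/clients/{clients[0]['id']}", rep)
    return rep["redirectUris"]


if __name__ == "__main__":  # usage: python add_projects.py example1 example2 ...
    base = os.environ.get("KEYCLOAK_URL", "https://keycloak.dev.local/auth")
    tok = admin_token(base, os.environ["KEYCLOAK_ADMIN"], os.environ["KEYCLOAK_ADMIN_PASSWORD"])
    print(add_projects(base, tok, "Development", "AdminPanel", sys.argv[1:]))
```

Run it from the script that scaffolds a new project, and the client only ever carries the exact callbacks that exist; the wildcard never needs to enter the configuration.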

Artifactory: SAML SSO group matching not working

We are using ADFS to allow users to log into Artifactory and basically it works fine. Problem is, that the group memberships aren't recognized. Can anyone tell me what the problem is?
Using Artifactory Pro 5.4.4
ADFS 3.0
XML used to transfer the information to Artifactory (I included the mail attribute as well which works fine)
<Attribute Name="memberOf">
<AttributeValue>CN=some_group_the_user_is_in,OU=...</AttributeValue>
<AttributeValue>CN=my_artifactory_group,OU=..</AttributeValue>
<AttributeValue>CN=some_other_group,OU=...</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>x#y.com</AttributeValue>
</Attribute>
I do not have direct access to the ADFS and I really have no experience with it. The responsible person says he cannot filter the groups to show just the one important in Artifactory, so there is a list of groups and one or two might be used in Artifactory and he also cannot change the attribute name.
SAML Settings in Artifactory are:
Group Attribute: "memberOf"
Email Attribute: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
Otherwise SAML works fine. The users are "just" missing their groups, which in the end makes the whole thing quite useless, because each new user has to be assigned by hand, which obviously isn't practical with almost 200 users.
Can anyone help?
Ran into the same thing and it took me a while to troubleshoot it.
First of all, you have the SAML settings set up correctly.
What you need to do is to create the group in artifactory with the exact ID as the one specified in your SAML. In your case you will have to create:
CN=some_group_the_user_is_in,OU=...
CN=my_artifactory_group,OU=..
CN=some_other_group,OU=...
I assume these are not the real names of your groups but I copied them verbatim from your question.
Then you'd need to give your groups the proper permissions to be able to browse the proper repositories.
Word of caution: the SAML group association allows the users to browse Artifactory according to their permissions. It does not allow them to use that association to access Artifactory with a generated token, as you would if you want to run a build from a developer machine rather than use the Artifactory password.
The latter missing feature was promised to be delivered in Q4 2018 by their support.
Here is the JIRA issue related to the missing feature.
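The answer's step of creating groups whose names match the memberOf values byte-for-byte, as an added example (not code from the original posts or from JFrog): it pulls the memberOf values out of a SAML attribute statement and builds the Artifactory REST calls that create one group per value. It assumes Artifactory's documented PUT /api/security/groups/{groupName} endpoint with admin Basic credentials; the sample assertion fragment is constructed for this example and only mimics the shape shown in the question. The one thing to get right is the URL encoding of the DN: commas and equals signs in the path segment must be percent-encoded, while the JSON body keeps the name exactly as the IdP sends it.

```python
"""Create Artifactory groups named after SAML memberOf values (added example)."""
import base64
import json
import os
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample in the shape the question shows, wrapped in the SAML 2.0
# assertion namespace that a real ADFS response carries.
SAMPLE_ATTRIBUTES = """<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Attribute Name="memberOf">
    <AttributeValue>CN=some_group_the_user_is_in,OU=Groups,DC=example,DC=com</AttributeValue>
    <AttributeValue>CN=my_artifactory_group,OU=Groups,DC=example,DC=com</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>user@example.com</AttributeValue>
  </Attribute>
</AttributeStatement>"""


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def extract_attribute_values(xml_text, attribute_name):
    """AttributeValue strings of the named SAML attribute, verbatim.

    Artifactory compares the incoming value with the group name exactly, so the
    DN is neither trimmed, re-cased nor re-ordered here.
    """
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter():
        if local_name(attr.tag) == "Attribute" and attr.get("Name") == attribute_name:
            for child in attr:
                if local_name(child.tag) == "AttributeValue" and child.text:
                    values.append(child.text)
    return values


def group_request(base_url, group_name, description="Synced from SAML memberOf"):
    """(method, url, json body) for creating one group via the Artifactory REST API."""
    path = "/api/security/groups/" + urllib.parse.quote(group_name, safe="")
    body = {"name": group_name, "description": description, "autoJoin": False}
    return "PUT", base_url.rstrip("/") + path, body


def create_groups(base_url, user, password, xml_text, wanted=None):
    """Create each memberOf group (or only those listed in `wanted`) in Artifactory."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    created = []
    for dn in extract_attribute_values(xml_text, "memberOf"):
        if wanted is not None and dn not in wanted:
            continue  # the IdP sends every group; only the ones Artifactory uses matter
        method, url, body = group_request(base_url, dn)
        req = urllib.request.Request(url, method=method, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json",
                                              "Authorization": "Basic " + auth})
        with urllib.request.urlopen(req):
            pass
        created.append(dn)
    return created


if __name__ == "__main__":
    print(create_groups(os.environ.get("ARTIFACTORY_URL", "https://artifactory.example.com/artifactory"),
                        os.environ["ARTIFACTORY_USER"], os.environ["ARTIFACTORY_PASSWORD"],
                        SAMPLE_ATTRIBUTES,
                        wanted={"CN=my_artifactory_group,OU=Groups,DC=example,DC=com"}))
```

After the groups exist, permission targets are still assigned in Artifactory as the answer describes; this only removes the hand-typing of long DNs where a single wrong character silently breaks the match.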
I also ran into this by setting this up on an Artifactory instance.
As already mentioned, SAML SSO synchronizes the groups of a user only in the UI and only in the background.
This means a user is not added to the group he is assigned to in the identity provider.
JFrog now provides an SCIM feature which is only available in the Enterprise edition (as of 2021-06-16) of their JFrog Platform.
This feature works like SAML SSO but also synchronizes the groups of a user, so it can also be used via the API, which means at build time on a developer machine.

Adobe CQ5: SSO without LDAP?

A customer of ours has just purchased CQ5 and would like to externalize all of its security. We'd like to use an STS server for SSO and then leverage a custom authorization/attribute provider instead of the CQ5 repository. Ultimately, we do not want to use LDAP in any way.
Here is how we envision this (some pieces already working):
User browses to CQ5 Dispatcher running in Apache
Apache filter redirects user to STS site where login is completed.
User is redirected back to Apache with SAML Claims.
User ID token is placed as cookie into browser. (everything is working up to here)
CQ5 captures that cookie based on the SSO configuration (working)
Problem starts here: From here, we want to call a custom authorization provider for the user's attributes, roles, groups etc...
We have tried to figure out how to do this and can't seem to find the missing link.
Do we need to create a custom login module? Do we need to create a custom principal provider? Do we somehow use the existing LDAP capability in CQ5 but have it call a custom class which leverages the external auth source?
If anyone here has any idea how to do this, their karma quotient would be full for the year if they could share it. I'm not sure if this is a basic thing you do with JAAS or even where to put my classes after I've created them.
We've worked really hard on this so far and seem to be close, but we keep hitting dead-ends.
Thanks so much if you have an idea where to begin!!
-joe
Recent versions of AEM now include the SAMLAuthenticationHandler which allows you to:
Redirect users to SSO to simulate IDP initiated login, or
Allow AEM to perform SP initiated login with IDP
Specify attributes to take from the SAML Assertion and add to the user's profile node (not sure if you can use this for groups)
Specify which groups users should be added to
Set a cookie called request-path that will store the URL the user arrived at, and then redirect them to that location when they're authenticated (ie. deep linking)
This makes relying on the SAMLAuthenticationHandler better than using Apache to redirect. The current version of the handler bundled with AEM 6.2 does not properly set the cookie when using the redirect method, but Adobe does have an updated version that they can provide that will fix that problem.
I normally recommend that clients do not have their own authentication handlers developed inside AEM.
When not using LDAP, this does create an issue where users will not exist until they've logged in. Additionally, when your architecture includes more than one load-balanced publisher, it is possible that a user may exist on one server only, without user synchronization.
Try searching the google group for SSO details. Here's one useful post:
http://groups.google.com/group/day-communique/browse_thread/thread/72c235c83a501252/fba4d08a90487156?lnk=gst&q=SSO#fba4d08a90487156
It seems that you will have to implement a custom LoginModule, more information here: http://dev.day.com/docs/en/crx/current/deploying/custom-login-modules.html

Integrated Exchange login with GWT on Tomcat

I have a GWT app to deploy to Tomcat on a Windows server, with the following requirements:
1- The app should work fully, whether the user is in the Windows domain or not;
2- If the user happens to be in the domain, the app should be able to identify the user in some manner. Presumably, this should be via getThreadLocalRequest().getRemoteUser(), but any other alternative is fine...
3- If the user happens to be in the domain, the app should be able to access the MS Exchange server in that domain, without requiring the user to enter their password.
I've scoured the web high and low for this, but unfortunately, it seems there's no way to get authentication without forcing authentication. There are many examples of exclusions for, say, a login form or other "public" resources, but that won't work for us, since all the resources in a GWT app are packed into the same "page".
Maybe it's my limited understanding that's making me fail in some basic way, but I've tried to look at JCIFS, Jespa, Waffle and SPNEGO, and I just can't seem to get working the way I want to...
Any help would be greatly appreciated.
Cheers,
J.
How about putting a JavaScript on your front page and having a Kerberos/SPNEGO-protected page. The JavaScript will attempt to request the protected page; if the user is on the domain you will get the correct result from the page, otherwise you will get 401 access denied. In the former case you can redirect your browser to the Exchange page, or have another AJAX call retrieve things from the Exchange server; in the latter case you either show a login form or a generic anonymous page.
What about using JNI to call the Win32Api function LogonUser?
By doing impersonation at the thread level you will have the NTLM token added to the current thread, and you would be able to call Exchange with no issues.

Drupal JSON API on iPhone

I am working with an app that is querying a JSON API on a server running Drupal. I used this tutorial and have changed the code a bit to work with my program, but every request just sends me to the not authorized page that the server generates. Any ideas why?
Why not use the drupal ios sdk? https://github.com/organizations/workhabitinc
I guess you haven't set the permissions in the Drupal service.
First go to permissions, and set the desired ones for the modules you're using (I guess you're using the default ones that are included within the services module).
Next, go to Site Building->Services, and authentication. Check if you have any authentication module set, and if so, add the methods that you're using to that key.
At our company we've made several apps which use Drupal (but using XML-RPC instead of JSON). So feel free to ask whenever you need :)