OpenAM resutful authentication using x509 certificate - rest

Does anybody know or have experience on how to do x509 certificate authentication using openAM restful api. Could not find any useful information from official documentation and Google. The last post from a closed openAM issue track indicate the newest API might be able to do certificate authentication. However the detail information is still missing from the link. Any help will be greatly appreciated. Thanks.

First be certain to understand what SSL client auth means and how your infrastructure is setup ... where is the SSL endpoint...
Then read
http://docs.forgerock.org/en/openam/11.0.0/dev-guide/index.html#rest-api-auth-json
it tells you about which parameters you have to provide.
Apart from others OpenAM allows for 'service-based' (authentication chain) and 'module-based' auth.
So either you created an auth chain which has cert auth module configured or you use the module directly.
service-based auth: authIndexType -> service, authIndexValue -> name_of_auth_chain
module-based auth: authIndexType -> module, authIndexValue -> name_of_the_auth_module_instance
Don't forget to look at OpenAM debug logs (debug level set to 'message').

Related

Configuring Shibboleth Metadata File

We have recently migrated to a new hosting environment so have installed a fresh instance of Shibboleth. When we generate sp metadata files, the urls are non-secure (ie http) even though the url used to generate the metadata uses https.
When using the test connection from our own Azure AD system, we see the obvious error: "The reply URL specified in the request does not match the reply URLs configured for the application:"
I have limited knowledge of configuring the system beyond working on shibboleth2.xml and attribute-map.xml so would be very grateful if anyone can point me in the right direction to fix this.
I'm not sure if you managed to configure it but i'm currently working on this as well, and i think i can help.
So the ReplyURL you need to provide in the Azure Portal, is the reply URL that accepts the authentiaction reply message from the identity provider.
In the case of Shibboleth it is:
http[s]://yoursitename/Shibboleth.SSO/Auth/Saml
So if your webpage is for instance:
https://localhost/Foo
The replyURL should be:
https://localhost/Shibboleth.SSO/Auth/Saml
Notice that the page "Foo" is not in the replyURL.
After the authentication the browser should send the IDP reply to https://localhost/Shibboleth.SSO/Auth/Saml, after which Shibboleth should redirect you back to https://localhost/Foo
At least that's the default behaviour.

Keycloak SAML IdP gives invalidFederatedIdentityActionMessage after login

I configured a SAML identity provider in keycloak by importing metadata provided by Microsoft ADFS.
I could see the option of IdP on my client login page for login.
After clicking on that on that button it redirects to external identity provider login page.
After login, I get success with a SAMLResponce. (Checked with SAML tracer).
The page is redirected to IDP redirect URL.
After redirecting page shows me "invalidFederatedIdentityActionMessage"
I saw the docker logs it gives me ---
23:58:09,035 WARN [org.keycloak.events] (default task-181) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=rak-development, clientId=null, userId=null, ipAddress=172.18.0.4, error=invalid_saml_response, reason=invalid_destination
Can you please help what I am doing wrong.
This happens when you configure the Identity Provider to 'Validate Signature'. When you turn that switch on, Keycloak validates the SAML response against the text in 'Validating X509 Certificates'. That field should contain a valid certificate from your Identity Provider; in this case the App registration in Microsoft.
Try turning the 'Validate Signature' switch off to see if that removes the error. Then you can debug the certificate value.
I had a similar problem and it turned out to be a misconfiguration of the F5 proxy/firewall. It sent the wrong header "X-Forwarded-Proto: http" instead of "X-Forwarded-Proto: https". Maybe this can help.
I found a solution. For me, the issue was that I needed to set the PROXY_ADDRESS_FORWARDING=true envvar. I had already done that but I typoed the name.
I am using the AWS ALB which sets the X-Forwarded headers. I know those are also needed.

SAML error for SSO with ADFS - MSIS0038: SAML Message has wrong signature

Hi I am trying to use SSO to authenticate my client's users directly to my website. My client's IDP is Microsoft ADFS and I am using Passport-SAML (https://github.com/bergie/passport-saml) to configure the SSO process.
After getting to a special URL I give my client (example: www.myClient.myCompany.com ), the user (unauthenticated) is as expected redirected to the client login page.
After he enters his credential, he remains stuck in login page BUT the SSO work because the user is authenticated meaning that if he opens a new tab and go to www.myClient.myCompany.com, he will be redirected to my website.
Here the error in ADFS Server Log:
The Federation Service encountered an error while processing the SAML authentication request.
Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0038: SAML Message has wrong signature. Issuer: 'www.myCompany.co'.
at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
Thank for your time!
I'm not familiar with Microsoft ADFS nor Passport-SAML, but I when we had signature errors was because the SHA1 fingerpring of the IDp certificate didn't match the one at our end.
We fixed them by making sure the certificate is correctly formatted and then calculating the fingerpring.
Format:
https://developers.onelogin.com/saml/online-tools/x509-certs/format-x509-certificate
Fingerprint:
https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint
Hopefully this is your case
Not a Passport-SAML guru but the normal causes of this error with ADFS are:
A signing mismatch - ADFS expects the AuthRequest to be signed and it isn't or vice versa.
The signing certificate installed in this RP has expired or is the wrong one in the sense that it is not the certificate the client is using.
At the RP level, look at:
Get-ADFSRelyingPartyTrust
[-SignedSamlRequestsRequired ]
[-SamlResponseSignature ]
or globally:
Get-ADFSProperties
SignedSamlRequestsRequired
SignSamlAuthnRequests
and check:
Get-AdfsCertificate -CertificateType "Token-Signing"
(following up from ADFS and PingFederate SSO : SAML Message has wrong signature)
We're using a different library and it was a different issue for us (our customer actually had the wrong signature), but during the process of trying to debug, I happened upon this thread that sounds very similar to what you're describing.
The fix is to install this hotfix. Can you check if your customer is on Windows Server 2008 and 2012, has 2843638 or 2843639 installed, and if so, install the hotfix if they haven't already? Just a shot in the dark...

JWT and KONG with custom authrizations

I went through this tutorial on KONG
https://getkong.org/plugins/jwt/
I have an understanding of JWT and authorization concepts. I have prototyped JWT with Spring Boot where I could put my own key value like this {"authorizations":"role_admin, role_user"}.
It is easy to do that in Spring Boot but I am not able to find information on how to do this with KONG. Anyone has any info about it?
Kong community edition can handle only the authentication process, (give or deny access to a customer).
Authorization process (what a given customer can do in your application) is handled by your application or by https://getkong.org/plugins/ee-oauth2-introspection/ oauth2 introspection plugin which is enterprise edition only
you can write your own authorization server based on X-Consumer-Username request header if user passed authentication or original token header proxied by kong
hope helps
The kong jwt plugin does not support sending custom payload parameters to the upstream api. It does however seem like you can use this plugin (I have not tested it):
https://github.com/wshirey/kong-plugin-jwt-claims-headers
Update:
If you set Kong to forward all headers you'll get the raw Authorization header with the jwt token. So you could base64 decode the jwt token and pull out the claims/payload parameters you need manually in your service.

Configuring SSO utilizing ADFS 2.0, SAML 2.0, and simpleSAMLphp

My knowledge of these systems is not large so please forgive me if I am asking dumb questions.
I hope to achieve the following:
Idp (AD FS 2.0) -> SAML 2.0 -> Sp (simpleSAMLphp)
*I don't need anything more fancy than to simply authenticate a user.
I have attempted to configure Windows Server 2008 with AD FS 2.0 (domain A) as an Identity provider and have it handle authentication requests from a service provider on a different domain (created using simpleSAMLphp (domain B)).
The AD FS 2.0 Management application allows me to add raw meta XML from the SP to configure the idp. And my SP has the facility to do the same. So I figure that If I setup the idp (AD FS 2.0) correctly then I will simple just have to make the SP interpret the metadata of the idp.
Currently I feel that I am close to a solution (but then again I am probably wrong!). Currently it seems everything is find right up to the point when the Idp asks for your login credentials, and I enter my credentials, it appears that the session has started, but I get a 'Not Authorized - HTTP Error 401. The requested resource requires user authentication.' message after entering the correct login credentials.
Could someone please explain how to fix this? or if it's quicker a step by step setup to make AD FS 2.0 authenticate using SAML 2.0 for simply authenticating a username and password.
Thankyou in advance for any hints!
Have you established a claims provider trust within ADFS 2.0 management? Your system needs to accept claims-bearing tokens from a trusted claims provider. That is, whatever STS -- "Security Token Service" -- you have in front of your user repository. ADFS can both a "Relying Party" -- RP -- or a STS. You need both a relying party and a STS.
Check out Eugenio Pace's MSDN blog for more details:
http://blogs.msdn.com/b/eugeniop/archive/tags/federated+identity/