Sending SAML request to NetSuite - saml

I've been navigating and toying with features of NetSuite, and one feature that came across was the SAML single sign-on. I cannot understand how it works or even get it working.
I've read the numerous SAML documents on SuiteAnswers; however, they leave me puzzled.
Does anyone have a working NetSuite SAML code example or documentation?
A hurl.it would suffice also!
Thanks in advance

I don't have a specific SAML snippet, but IIRC SSO needs to be enabled/provisioned. Kindly navigate to Setup > Company > View Billing Information. There must be users provisioned towards the bottom under "Two Factor Authentication Users" (it should show Provisioned Quantity and Used Quantity). I believe there is also a place in Role Permissions where a role can be defined as Single Sign-On ONLY, but I don't think that is what you are asking.
Like I said, I have no snippet; however, on the SuiteAnswers site they give a reference link to a PDF that shows a sample for you. The PDF itself is located here: https://system.netsuite.com/core/media/media.nl?id=7490306&c=NLCORP&h=cd5c1c4877483ebab26b&_xt=.pdf
I've made an offline, non-secured HTTP version here, stored in Dropbox: https://www.dropbox.com/s/ohiu6f308szu6rd/SAML_Setup_ADFS_Netsuite.pdf

Related

How to discover if a Google user is using Two Factor Authentication through OIDC

I am looking into adding Google as an Identity Provider for a Single Sign-On solution. The problem is that I would very much like to be informed whether the Google user that authenticates has Two Factor Authentication enabled on their account or not.
This is where my googling skills failed me, however, as I have found no real mention of the Two Factor Authentication information being available as part of the authentication token.
So my question is simply how I can discover if a user who either creates an account via the Google IdP, or simply links their account, has Two Factor Authentication enabled on their Google account?
It seems to be possible to do via the Reporting API at a later date, but it would make much better sense for my use case to somehow get the information in the OIDC token.
Thank you very much for any help you can provide.
Having spent a lot of time on Google, I finally managed to find a result, which is another Stack Overflow post (no surprise there).
In short, it does not seem to be possible, at least it wasn't in 2017. It was a considered feature but was not implemented. The post is here:
Google OAuth2 API. Check user has two factor authentication (Not GSuite)

How can I get Google OAuth on a catalyst app?

I've been trying to use Google's OAuth for authentication in a Catalyst app. I've tried using CatalystX::OAuth2 and Catalyst::Authentication::Credential::OAuth, but it seems I get stuck on configuration.
I'd like to get it working with Google and then proceed to Facebook.
Any good advice out there? I've googled to death, but there doesn't seem to be a lot out there.
I realise this question is almost 2 years old, but just in case it helps anyone else, here is some information obtained from a couple of weeks of testing and debugging. I've also published a test OAuth2 client project using CatalystX::OAuth2 at https://github.com/simonamor/oauth2-client. It sort of works with Google, although I've not done anything with the token yet, such as fetching user profile information, and the 'protected' page is broken currently. It might be enough to point you in the right direction though.
There seemed to be a problem with CatalystX::OAuth2 in that it didn't send a scope value, nor could I find a way to make it send one, and yet Google's API requires one. Not all providers have this requirement, so they work OK. Having made a slight alteration to a local copy of CatalystX::OAuth2, I managed to get it to authenticate via Google. The (minor) changes are in a fork of this module, also in my GitHub account.
Visit the Google developers console and create the OAuth2 credentials to use. You'll need them below.
To my oauth2client.yml (from the GitHub project referenced above) I added the following:
```yaml
Plugin::Authentication:
  default:
    credential:
      grant_uri: [provided by google, ends]/o/oauth2/v2/auth
      token_uri: [provided by google, ends]/oauth2/v4/token
      client_id: [issued by google]
      client_secret: [issued by google]
      scope: [provided by google, ends]/auth/userinfo.profile
```
I don't have a reputation high enough to post more than two links, so apologies for missing out parts of the URLs above!
This was the only real configuration I needed to set up. By modifying the credential settings I've also used it successfully with dropbox.com as well.
I'm still working on the OAuth2 server side of things, and those are the default config within the project, which is why you need to add an extra section for Google.
If you provided some info, like where you are stuck and why, I might be able to help.
CPAN has an example config. If you are not using a config file, you can also add it in your Catalyst app, though I would recommend using a config file; just paste in the example there with the data you need specifically.
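The authorization-code flow that the configuration above drives, as an added Python example that is not from this thread and not CatalystX::OAuth2's code: it builds the browser redirect to the grant URI with the scope parameter the answer found missing, binds the callback to the session with a state value, and assembles the back-channel request to the token URI. The endpoint URLs, client ID, client secret and the sample callback are constructed placeholders; nothing is sent over the network.

```python
"""Added example: the three client-side steps of the OAuth2 authorization-code
flow a Catalyst (or any) client performs against a Google-style provider.
Endpoint URLs and credentials below are hypothetical placeholders."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: real values come from the Google developer console.
GRANT_URI = "https://accounts.example/o/oauth2/v2/auth"   # hypothetical
TOKEN_URI = "https://oauth2.example/token"                # hypothetical
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example/oauth2/callback"


def new_state():
    """Unguessable per-login value; store it in the session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(scope, state, redirect_uri=REDIRECT_URI):
    """Step 1: the URL the user's browser is sent to.

    Google rejects a request without ``scope``; ``state`` ties the eventual
    callback back to the session that started the login.
    """
    if not scope:
        raise ValueError("scope is required by Google's authorization server")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return GRANT_URI + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: pull the authorization code out of the redirect back to us.

    Rejects the callback when ``state`` is missing or differs from the value
    stored for this session (CSRF / login-fixation protection) and surfaces a
    provider error instead of treating it as success.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in query:
        raise RuntimeError("provider returned error: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request(code, redirect_uri=REDIRECT_URI):
    """Step 3: the form body POSTed server-to-server to ``token_uri``.

    ``redirect_uri`` must match step 1 exactly. Returns (url, body) instead of
    sending so the example runs offline.
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    return TOKEN_URI, urlencode(body)


if __name__ == "__main__":
    st = new_state()
    print(build_authorize_url("openid profile", st))
    # Constructed callback, as the browser would deliver it after consent:
    cb = f"{REDIRECT_URI}?state={st}&code=4/constructed-code"
    print(token_request(parse_callback(cb, st)))
```

The scope and state values are the two things the flattened config above cannot show: the first is what Google insists on, the second is what keeps a callback from an attacker's login from being accepted by the victim's session.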

Understanding OAuth2.0 and REST API Security

In my current work, I have to develop an internal REST API engine.
I have read the Roy Fielding thesis, documented myself, and I finally got something that works great, is easy to use, with high performance, corresponding to the Fielding REST spec.
There is only one point that I don't really know how to overcome: the security problem.
Again, I documented myself, and I wanted to use OAuth2.0 in my engine.
The problem is that I don't understand at all how to use this protocol.
I don't understand how the consumer can connect himself and be recognized by the server.
I don't understand if I have to provide an API key to my consumer (like Facebook, Twitter and Google do), or if a token will automatically be generated if I send a login/password to the server.
I don't know if I have to create my own OAuth2.0 server that provides keys, or if OAuth2.0 libraries are sufficient to provide security.
In fact, I don't understand anything at all about OAuth2.0, and I need to learn. The problem is, every piece of documentation that I try to read is like Chinese; I didn't find an easy one, step by step, that would help me with this.
That's why I post here: can you help me understand a bit more about OAuth2.0 and secured authentication for an API?
I willingly didn't speak about the technologies, because I want to understand OAuth2.0 before applying it technically.
Thanks for all
The main problem with OAuth (both versions) is that you'll see a lot of talk about the three-legged version. That is when you have a user, a data-providing service and a consuming service, let's say a service that will create physical copies of your flickr photos. In this case the OAuth flow allows the user to tell flickr that the third party can access their data. This is not the scenario you are after; you are interested in 2-legged OAuth, see here for a description.
Of course you could look at other methods too. I've used HAWK in a number of REST/Hypermedia APIs and found it great to use on both nodejs and .NET server stacks.
Thank you for your answer. I studied OAuth2 a bit more and tried to implement it with 3 strategies: basic, clientPassword, bearer.
I created a new thread for another problem, if you want to take part in it:
OAuth2 server creation with nodejs
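The 2-legged exchange the answer points to, as an added Python example that is not from this thread and not from any OAuth2 library: the consumer holds a pre-issued client_id/client_secret pair (the "API key" the question asks about), trades it for a bearer token at the token endpoint, and presents that token on each REST call, where the resource server checks it. Both sides run in one process; the client name, secret, signing key and endpoint behaviour are constructed for the example.

```python
"""Added example: two-legged OAuth2 (client_credentials grant) with the
authorization server, the consumer and the resource server in one file.
All clients, secrets and keys are constructed for illustration."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# --- authorization server state (constructed for the example) ---------------
# The consumer was given a client_id/client_secret out of band; the server
# keeps only a hash of the secret, as it would a password.
REGISTERED_CLIENTS = {
    "billing-service": hashlib.sha256(b"s3cret-for-billing").hexdigest(),
}
SIGNING_KEY = secrets.token_bytes(32)   # server-only key for token MACs
TOKEN_TTL = 3600                        # token lifetime in seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(form: dict, now=None) -> dict:
    """Token endpoint: POST /token with grant_type=client_credentials.

    Returns an OAuth2-style JSON body. The token is opaque to the client but
    self-describing to the server (payload.HMAC), so no token table is needed
    and a forged or edited token fails the MAC check.
    """
    now = int(time.time() if now is None else now)
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    expected = REGISTERED_CLIENTS.get(form.get("client_id", ""))
    given = hashlib.sha256(form.get("client_secret", "").encode()).hexdigest()
    # Constant-time comparison; unknown client and wrong secret look the same.
    if expected is None or not hmac.compare_digest(expected, given):
        return {"error": "invalid_client"}
    payload = json.dumps({"sub": form["client_id"], "exp": now + TOKEN_TTL,
                          "scope": form.get("scope", "")}).encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return {"access_token": _b64(payload) + "." + _b64(mac),
            "token_type": "Bearer", "expires_in": TOKEN_TTL}


def verify_bearer(authorization_header: str, now=None):
    """Resource-server side: check an `Authorization: Bearer <token>` header.

    Returns the token's claims, or None when the header is malformed, the MAC
    does not verify, or the token has expired.
    """
    now = int(time.time() if now is None else now)
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or "." not in token:
        return None
    payload_b64, mac_b64 = token.split(".", 1)
    try:
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected_mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected_mac):
        return None           # not issued by us, or altered in transit
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None           # expired; the client must request a new token
    return claims


def handle_protected_resource(headers: dict, now=None):
    """A protected REST endpoint: 401 without a valid token, 200 with one."""
    claims = verify_bearer(headers.get("Authorization", ""), now)
    if claims is None:
        return 401, {"error": "invalid_token"}
    return 200, {"client": claims["sub"], "items": []}


if __name__ == "__main__":
    # 1. consumer -> token endpoint (form-encoded body; over TLS in practice)
    resp = issue_token({"grant_type": "client_credentials",
                        "client_id": "billing-service",
                        "client_secret": "s3cret-for-billing"})
    # 2. consumer -> resource server, token in the Authorization header
    print(handle_protected_resource({"Authorization": "Bearer " + resp["access_token"]}))
    print(handle_protected_resource({"Authorization": "Bearer forged.token"}))
```

This answers the "API key or login/password" question in the post: the consumer never sends a user's password; it sends its own client credentials once, gets a short-lived token, and the resource server trusts the token only because it can re-compute the MAC with a key it never shares. Bearer tokens are only as safe as the channel, so the exchange belongs behind TLS.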

Is OAuth suitable for this scenario?

I'm new to OAuth and I would really appreciate it if someone could give me a hand with my problem. I need to create a simple web application for tracking expenses, with some basic actions (a user must be able to create an account and log in, list expenses, edit them, etc.) with a REST API for each one, and the trick is that I need to be able to pass credentials to both the web page and the API. So, after some research I've found some examples using Digest Authentication and HMAC Authentication, but lots of posts also mentioned OAuth as an alternative approach, so my question is: given this scenario, would it be proper to use OAuth? I mean, as far as I understand OAuth is suitable when you want to share resources with another application, which I'm not doing for this project; besides that, when you try to access the shared resource a page appears requesting permission for the foreign application; would that page appear at some point in my application? (maybe after the login?)
Thanks in advance, guys
In your current scenario it does not make sense to use OAuth. It's not what OAuth is designed for.
If your application ecosystem is going to have multiple web apps running on a single SSO (like Google) then it is very helpful to have OAuth.
Suggestion: Decide based on your business/operation plan and implement accordingly.
Note: If you plan to have 10 apps in the span of the next 5 years but only have one app now, it does not make sense to spend time implementing complex protocols like OAuth right now. Scale as you grow.

User Registration by Email in SecureSocial, How to?

A bit of a problem here. Well, I figured out how to store users signing up from FB/Twitter using SecureSocial, but how am I to register users using email registration? Can anyone provide me with a brief explanation of how one does it in SecureSocial? I have googled a lot to find tutorials about how that's done, but to no avail.
Yes, of course I can store the token data easily, but in the case of email users how am I to integrate the stored data with the user trying to log in through the email/password menu? I am confused with the whole workflow of registering a user by email.
Since I am new to Scala, and even newer to SecureSocial, I couldn't get the user registration working properly, and didn't properly understand the guide provided on the SecureSocial site regarding this matter.
It would be helpful if you could provide me with any pointers, or point me to resources/tutorials covering that part.
Well, I researched my own question and gained some ideas about tokens.
As the name itself describes, tokens are like real-world tokens/tickets:
Token IDs in SecureSocial are exactly Java UUID-generated keys, which are unique and used to determine whether a particular SecureSocial request is valid or not.
For example, if you have used SecureSocial, you might have come across links like:
http://someapp.com/signup/xxxx-xxxx-xxxx-xxxx
The most important part of the Token object is the token-id => xxxx-xxxx-xxxx-xxxx. It's unique and you will find it in every link connected to email registration and its other functionalities, like:
Password Change Links
SignUp Links
I'll try posting more elaborate answers after I learn more about SecureSocial.
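How a signup or password-change link token of the kind described above can be issued and checked, as an added Python example that is not SecureSocial's code: the token id is a random version-4 UUID (what Java's UUID.randomUUID() produces) bound to one e-mail address, one purpose and an expiry, and a link is honoured only once. The in-memory store, the one-hour lifetime and the /signup/<id> path shape are assumptions made for the example.

```python
"""Added example: issuing and redeeming e-mail link tokens of the
/signup/<uuid> form. In-memory store and one-hour lifetime are constructed
choices; a real application would persist the records."""
import time
import uuid

TOKEN_TTL = 60 * 60   # one hour; constructed choice


class TokenStore:
    """Maps a token id to the e-mail, purpose and expiry it was issued for."""

    def __init__(self):
        self._tokens = {}

    def create(self, email, purpose, now=None):
        """Return a fresh token id to embed in an e-mail link.

        ``purpose`` ("signup", "reset", ...) keeps a token minted for one
        flow from being accepted by another.
        """
        now = time.time() if now is None else now
        token_id = str(uuid.uuid4())        # 122 random bits: unguessable
        self._tokens[token_id] = {"email": email, "purpose": purpose,
                                  "expires": now + TOKEN_TTL}
        return token_id

    def redeem(self, token_id, purpose, now=None):
        """Validate the id from an incoming link.

        Returns the bound e-mail, or None if the id is unknown, was issued for
        another purpose, or has expired. The record is deleted on success, so
        the same link cannot be replayed; expired records are purged.
        """
        now = time.time() if now is None else now
        rec = self._tokens.get(token_id)
        if rec is None:
            return None
        if rec["expires"] <= now:
            del self._tokens[token_id]      # dead token, drop it
            return None
        if rec["purpose"] != purpose:
            return None                     # wrong flow; leave token intact
        del self._tokens[token_id]          # single use
        return rec["email"]


def signup_link(base_url, token_id):
    """The URL mailed to the user, e.g. https://someapp.com/signup/<id>."""
    return f"{base_url}/signup/{token_id}"


def token_from_link(path):
    """Extract the id from a /signup/<id> path; anything that is not a
    canonical version-4 UUID is rejected before touching the store."""
    prefix = "/signup/"
    if not path.startswith(prefix):
        return None
    raw = path[len(prefix):]
    try:
        parsed = uuid.UUID(raw)
    except ValueError:
        return None
    if parsed.version != 4 or str(parsed) != raw.lower():
        return None
    return str(parsed)


if __name__ == "__main__":
    store = TokenStore()
    tid = store.create("alice@example.com", "signup")
    link = signup_link("http://someapp.com", tid)          # goes in the e-mail
    print(link)
    # User clicks the link; the signup handler extracts and redeems the id:
    print(store.redeem(token_from_link("/signup/" + tid), "signup"))
    print(store.redeem(token_from_link("/signup/" + tid), "signup"))  # None
```

The id in the link is the only thing the server knows about the user until they submit the form, so it must be random (not a counter or a hash of the e-mail), expire, and die on first use; the e-mail address the user later types is ignored in favour of the one the token was bound to.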