I am consuming an secured service hosted over basicHttpBinding
I have to pass credentials to the service for authenticatioon
Here’s the config setting for the client
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
While calling the service, I am getting following exception message
An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.
Message = "An invalid security token was provided (Bad UsernameToken Values)”
I not sure how to get it working I am curious if somebody can help me out or provide me any url where I could find the solution
When you create your MyServiceClient object you can set the username and password on the clientInstance.Credentials.UserName object.
Related
I am trying to set up Keycloak as IdP and use it for SSO. The first re-direct (from the application login url to keycloak) works fine, but then, after entering the user credentials I get an "invalid signature" error from the application.
I have checked the SAML response (from keycloak to the application) and I can see that keycloak adds a weird escape character
in the certificate and signature value.
Here is part of the SAML response
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<dsig:Reference URI="#ID_fde25c3e-6958-4b49-bbe0-e4aeb200de98">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<dsig:DigestValue>p3ldrwhvbO1zoeHlhCx9TdZ01hGnw3f3IqBDIT5e1oU=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>
iGNKaLxr3c9CUPpRxC3xeS0grx2FdcXWcWArlqZHdWIjQF0n9Whh5ue00HEmb+Nr5VO9jBUwRwXl
VNEARy/4DeAsuXIxej0OYASBMjx+5qfmUIelXKLChTYjrdHyq2ZtD7BWfCrnNLtB7XiZsy8cYm0v
ynWLlJTyxUpg+FakcxGNDnSUG6Ofslv6byQDsNY56yvqKCWbcqa1/70PD401E/Gf2XcD4paPAvHX
B+wS25QFytqrxumRtlJiKcPS+IB8umpcHG4mKk3Qg9FxCRQk2Pk693VnEtYyQ5VXUTNFW8SfWpnQ
xDNSE6h2cevj4nT7NSQDxoNh1LRBokwjUNJWQg==
</dsig:SignatureValue>
Why does it have to truncate the signature and add the
escape code? Is there a way to change this?
I am sure that this is the error that is preventing the application from reading the response.
Thank you in advance
I am trying to enable SSO capabilities for Apache Zeppelin, using Apache Knox, which is configured to redirect auth requests to a Siteminder IdP.
The issue I am having is related to the NameID format configuration, and the signing configuration.
No matter what I configure in the sp/idp metadata, the NameID format used is
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
And the requests are always being sent with Signed requests set to true.
My SP configuration is as follows:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
<NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</NameIDFormat>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"/>
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="1" isDefault="true" Location="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"/>
</SPSSODescriptor>
I activated a SAML tracer and attempted the logon user journey. The AuthNRequest being sent to the Siteminder IdP based on this configuration looks like this:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"
Destination="https://test-siteminder.com/test/saml2sso"
ForceAuthn="false"
ID="_yp52mio0oj4ho2niijmnnaikgbkid9tnc5h5ear"
IsPassive="false"
IssueInstant="2020-02-17T10:19:24.279Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="pac4j-saml"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
NameQualifier="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"
>https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client</saml2:Issuer>
I can see a signature value in the Parameters section of the request, which is why I'm assuming that the AuthNRequest is signed (though my understanding of this is minimal, so that could be a wrong assumption!).
Can anyone help explain why the NameIDFormat is coming through as entity, as opposed to unspecified?
Does Apache knox support SAML1 protocols?
Thanks in advance!
You mentioned NameID format to be urn:oasis:names:tc:SAML:2.0:nameid-format:entity in your post but in the code you pasted it is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, just a copy paste error ? Looks like protocolSupportEnumeration is also referencing SAML 1 protocol. Knox uses Pac4J under the hood which does not support SAML 1, this might be the reason.
currently We have CAS SSO to our existing .net application, but now client is asking for Shibboleth SSO instead CAS. I'm totally new to Shibboleth.
Client has given the below details:
entityid= urn:mace:incommon:xxx.edu
metadata URL for test environment is:
https://shibboleth-test.xxx.edu/idp/shibboleth
By using guidelines from Shibboleth site, below are the steps i followed.
Installed Shibbolth Service provider (shibboleth-sp-2.6.1.4-win64.msi)
Installed Java with JCE
Installed Shibboleth Idp (in which jetty also checked)(shibboleth-identity-provider-3.3.3-x64.msi)
Web Application with self signed certificate
attached my Shibboleth2.xml file
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180"> <InProcess logger="native.logger"> <ISAPI normalizeRequest="true" safeHeaderNames="true">
<Site id="2" name="shibboleth-test.xxx.edu" scheme="https" port="443" />
</ISAPI> </InProcess> <RequestMapper type="Native"> <RequestMap> <Host name="shibboleth-test.xxx.edu" scheme="https" port="443">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap></RequestMapper><ApplicationDefaults entityID="urn:mace:incommon:xxx.edu" REMOTE_USER="eppn persistent-id targeted-id" cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2"> <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https"> <SSO entityID=""urn:mace:incommon:xxx.edu" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF"> SAML2 SAML1 </SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 <my system IP">/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<Errors supportContact="root#localhost"
helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/> <!-- Map to extract attributes from SAML assertions. --> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
Problems I'm facing......
When i try to access https://shibboleth-test.xxx.edu/Shibboleth.sso/Status
getting error no metadataprovider available.
Noticed Problems:
1.when i try to add Metadataprovider Shibboleth daemon 2 service is getting
stopped and unable to start.if i remove it's is running.
2.Shibboleth Idp 3 deamon is getting stopped very frequently
When i run 'SC interrogate shibd_idp' in command prompt, results are
control service failed 1062
the service has not been started.
I donno what is wrong with my work.
Can any one please tell me what are the steps to be followed to accomplish this integration.
Thanks in advance,
Hema
There will be a tag in shibboleth2.xml called metadata provider, you will need to open that.
If you have done this but shill service is not getting started then you can check the log and give additional info in question.
Another reason I can think of is connection problem. Try downloading idP's metadata and store it physically in the SP configuration folder. Manually map the file, using following tag
<MetadataProvider type="XML" file="partner-metadata.xml"/>
All the issues has been resolved after we upgraded from Shibboleth 2.6 to 3.0.2. we are getting the Shibboleth Identity provider login page.We are able to see the attributes in Session.Now we are working on how to retrieve the attributes in our application and how to redirect to our application home page.Currently we created 1 sample html page under secure folder in our application. once we logged in we are able to this html page.But when i tried to redirect to our application home page, it's giving 500 error. Can any one knows like how to redirect to our app home page and retrieve the attributes in the application.
I have a separate rest module named 'x' where I have used spring security with basic auth filter(username and password) in complete module therefore any request hitting this rest services should be logged-in but I have one page for forgot password where I am mapping in the same x module due to this auth filter I am unable to proceed. If I am logged in and going to this page and using the services of x module then its working fine but not in case of logged out users.
I tried these thing for not working
<http pattern="/forgotpass" security="none"/>
<intercept-url pattern="/forgotPassword" access="permitAll"/>
<intercept-url pattern="/forgotPassword" filter="none"/>
--> access="permitAll" does not work since it does permit all url but still it will authenticate with filter
and filter="none" is depricated not even able to start my jar when I put this thing.
security="none" gives 403 forbidden error sometimes or internal server error since I was changing the pattern "rest/forgotPassword" or "forgotPassword".
I resolved my problem by myself.
It was sequence that was having problem with.
I was using <intercept-url pattern="/forgotPassword" access="isAnonymous()"/>
after this <intercept-url pattern="/**" access="hasAuthority('USER')" />
I just order the line by putting "/forgotPassword" url on top of "/**"
Reason: It was overriding the request pattern in sequence it came first therefore it didnt allow to pass because role was missing in forgotpassword
I have an existing WCF REST service running on an Azure Windows Server 2012 using IIS8. Let say 1x.2x.3x.4x:7777/InvService.svc/RESTquery is how my users currently use the service.
I am wanting to replace the IP address with a hostname, say www.testDomain.com so the user will can then use www.testDomain.com:7777/InvService.svc/RESTquery.
After obtaining the domain name from GoDaddy, assigning IP 1x.2x.3x.4x, and testing it (my default site on the server comes up, hence why I am using port 7777). When I try www.testDomain.com:7777/InvService.svc/RESTquery I get a "Connection Timed Out" error.
I believe I am needing to add or change something inside my Web.config file but cannot seem to find the right answer. Here is what my current unsuccessful Web.config file looks like.
<services>
<service name="WCFInventoryService.InvService">
<endpoint address="RESTquery" behaviorConfiguration="restPoxBehavior"
binding="webHttpBinding" contract="WCFInventoryService.IInvService" />
<identity>
<dns value="www.testDomain.com" />
</identity>
</endpoint>
<host>
<baseAddresses>
<add baseAddress="http://www.testDomain.com/"/>
</baseAddresses>
</host>
</service>
</services>
What am I doing wrong? or should try?
I solved my problem. The problem was how the domain was set up in GoDaddy. In the GoDaddy account, the domain was set up to forward to the IP address and not to point to. Once I removed the forwarding record and changed the A record to point to the IP address in the GoDaddy account, the WCF service was accessible by using www.testDomain.com:7777/InvService.svc/RESTquery