How to remove the HTTPS requirement for SAML configuration in WSO2 - wso2-identity-server

The application I am using with WSO2 is running under HTTP in a development environment. A cookie with SameSite set to Strict will soon be lost due to browser security updates during the scheme change to WSO2 (HTTP to HTTPS). This cookie is required for a particular piece of functionality upon the redirect to the app I'm using.
I'd like to test SAML configuration in a non-HTTPS secured dev or testing environment with this app but cannot because I can't figure out how to disable HTTPS for the samlsso endpoint.
I've found tutorials on how to do this for the admin console, but that does not apply to other endpoints. I am using WSO2 version 6.0.0 at the moment but can update if necessary. Any help is appreciated.
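The cookie loss the question describes follows from the browser's same-site rules, shown here as a small model in JavaScript. This is an added example, not code from the question or from WSO2. It assumes the registrable domain is the last two DNS labels (no public suffix list), that a single-label host such as localhost is a site of its own, that the app runs on http://localhost:8080 and WSO2 Identity Server on https://localhost:9443 (placeholder ports and paths), and it ignores cookie path and domain matching.

```javascript
// Added example: simplified model of how a browser decides whether to attach a
// cookie to a top-level navigation, such as the redirect from WSO2 back to the app.
// Not browser or WSO2 code. Assumptions: registrable domain = last two DNS labels
// (no public suffix list); "localhost" is its own site; ports/paths are placeholders.

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.length <= 2 ? labels.join('.') : labels.slice(-2).join('.');
}

// "Schemeful same-site" (the browser change the question refers to) makes the
// scheme part of the site, so http://host and https://host become cross-site.
function siteOf(urlString, schemeful) {
  const u = new URL(urlString);
  const domain = registrableDomain(u.hostname);
  return schemeful ? `${u.protocol}//${domain}` : domain;
}

function isSameSite(urlA, urlB, schemeful) {
  return siteOf(urlA, schemeful) === siteOf(urlB, schemeful);
}

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// cookie:    { name, sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure: boolean }
// request:   URL the browser is navigating to
// initiator: URL of the document/response that triggered the navigation (the IdP redirect)
// method:    HTTP method of the navigation (the SAML HTTP-POST binding means POST)
function cookieSentOnNavigation(cookie, { request, initiator, method = 'GET', schemeful = true }) {
  const req = new URL(request);
  if (cookie.secure && req.protocol !== 'https:') return false; // Secure cookies never travel over http
  const sameSite = isSameSite(request, initiator, schemeful);
  switch (cookie.sameSite) {
    case 'Strict':
      return sameSite;
    case 'None':
      return cookie.secure; // SameSite=None is only honoured together with Secure
    case 'Lax':
    default: // an unspecified SameSite attribute is treated as Lax by current browsers
      return sameSite || SAFE_METHODS.includes(method.toUpperCase());
  }
}

// The scenario in the question: the HTTP dev app set a cookie, the user was sent to
// WSO2 over HTTPS, and WSO2 now sends the browser back to the app.
function appCookieSurvivesReturnFromWso2(cookie, method, schemeful) {
  return cookieSentOnNavigation(cookie, {
    request: 'http://localhost:8080/app/saml/acs',   // assumed app ACS URL
    initiator: 'https://localhost:9443/samlsso',     // WSO2 IS samlsso endpoint, assumed port
    method,
    schemeful,
  });
}
```

With schemeful same-site off (the pre-update behaviour) the Strict cookie is attached on the redirect back; with it on, http://localhost and https://localhost are different sites and the cookie is withheld. A Lax cookie survives a top-level GET but not the POST of the SAML HTTP-POST binding, so changing the attribute alone does not restore the old behaviour; what removes the mismatch is having both sides on the same scheme.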

Related

Azure AD authentication with auth code, only if third party cookie is enabled

We are using Azure AD and have an application registered for authentication. The application is an ASP.NET server-side and Angular client-side application. Initially this was set up with an implicit flow, but that ran into the web browsers' cross-site cookie protection. The authentication worked, but only if the browser was explicitly allowing third-party cookies.
Microsoft documentation specifies that Single Page Applications can overcome this issue when using Authorization Code Flow. To make this work we implemented angular-auth-oidc-client (instead of msal-angular, which is yet to support auth code) with a configuration that closely matches their provided sample program. The ASP.NET application uses Microsoft.Identity.Web and its settings have been changed to have a code response type.
The Azure AD Application Registration was amended in line with the Microsoft documentation. I have included a screenshot of the page highlighting that the implicit flow is disabled and the SPA Redirect URI is eligible for Authorization Code Flow with PKCE.
However, when blocking third-party cookies in the browsers, the authentication fails because of the CORS policy (Safari, Chrome, and both in private browsing). When allowing third-party cookies in the browsers the authentication is successful.
Question: What could we investigate as the cause for not complying with the CORS policy?
Microsoft.Identity.Web configuration:
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"TenantId": "organizations",
"ClientId": "removed_our_azure_ad_client_id",
"CallbackPath": "/signin-oidc",
"SignedOutCallbackPath ": "/signout-callback-oidc",
"ResponseType": "code"
},
Based on the images you have shared, the redirect URI http://localhost:5000 is for SPA applications and http://localhost:5000/signin-oidc is for web applications.
But in your configuration file, CallbackPath is for the web application.
Authorization Code Flow with PKCE is designed to work only for single page applications. Please go through Prerequisites.
Please use CallbackPath with the URL given for the SPA application to fix the issue.

Calling WS-Trust secured service from WSO2 ESB

I'm looking for help on how to call WS-Trust secured SOAP service from WSO2 ESB.
The idea is to create a non-secure proxy-service which would call WS-Trust secured back-end service, so our SOAP clients wouldn't have to worry about authentication.
I've been going through the documentation and have found nothing of much value. The documentation mentions that WSO2 ESB uses Apache Rampart and more specifically the Rahas module to engage WS-Trust secured services, yet there are no examples on how to configure, for example, the security token service address.
So far i've found this blog post http://xacmlinfo.org/2012/11/05/how-to-invoke-secured-backend-service-using-wso2-esb/
It runs a similar scenario but without WS-Trust. It uses Rampart configuration inside WS-Policy files, but Rampart configuration doesn't support any WS-Trust attributes.
I've also found this: http://ask.programmershare.com/279_17604398/
Which is more in line with what I'm looking for, but this example is doing the STS calls programmatically and even then unsuccessfully.
Is anyone aware of any examples of a successful configuration to call the security token service -> the service call itself using WSO2 ESB?

WSO2 API Manager : API Creation Issue

I installed the APIM, started it and created a new API. The API which I created consists of a URL which points at our company production server. I gave the URL in the API creation mode to the Production Endpoint and Sandbox Endpoint boxes. Then I set the required parameters under the GET method. Then I try it out at the Store, but the request does not hit the production server. I want to see the URL output from your API Manager which it passes to our production server, because I want to see whether there is an error in it, as it does not hit our production server.
Can you help me with the issue?
Thanks in advance.
You can enable wire logs to see what requests came to APIM and what requests APIM made to the backend. Follow the steps in the How to get wire logs from WSO2 ESB blog post to enable wire logs. Those instructions are given for ESB, but they are valid for APIM as well.

SOAPUI says access denied but service works fine in IE

I'm using SoapUI 5.2.1 and accessing an IIS hosted web service on my domain. The web service has Windows authentication enabled.
When I browse to the WSDL using Internet Explorer, it asks for my credentials, then shows the WSDL.
When I do the exact same with SoapUI, it prompts for my details, then fails, and when I check the HTTP log it says 'unauthorised: access is denied due to invalid credentials'.
But I'm entering it correctly, I've even tried various permutations of domain\username, username, leaving the domain text box blank or entering it there.
Any ideas?
I needed to provide a lot more info than would fit into a comment...
The other setting that I was referring to is detailed here: https://www.soapui.org/soap-and-wsdl/authenticating-soap-requests.html. If you are sure it's Windows credentials authentication, then use the NTLM setting. You may have to restart for the settings to take effect.
"Domain – add this for NTLM authentication challenges. If you are authenticating NTLM, make sure to note the following in your configurations:
File > Preferences > HTTP Settings tab > uncheck Authenticate Preemptively preference
for NTLM v2 provide your username as "DOMAIN\USERNAME" or at least as "\USERNAME""
If you still have issues, you can use Burp Suite or Fiddler or similar proxy tools for proxy setup. Burp is an extensive security testing tool and may even be overkill. Fiddler is a proxy. Check out these two links:
Burp : Testing web service with SoapUI and Windows authentication
Fiddler: Using fiddler with Windows Authentication

Web service authentication

I have written my web services using Apache Axis2. Now I want to make my web services secure to avoid unauthorized access.
Is there any way in Apache Axis by which we can redirect each web service request to a particular web service, so that it will do authentication and on successful authentication forward the request to the respective web service?
Thanks,
Ajinkya.
You can use Apache Rampart[1] for this. Instead of redirecting to another web service you can use UT (UsernameToken) to authenticate the users. Using WS-Security is the correct way to secure a web service. This[2] would help you.
If you are interested, WSO2 AS[3] provides an integrated environment for web service deployment and adds security using its GUI. Further, since it is based on the WSO2 Carbon platform, you can integrate your user store with WSO2 AS and then authentication is provided out of the box.
[1] http://axis.apache.org/axis2/java/rampart/
[2] http://wso2.org/library/240
[3] http://wso2.org/library/application-server