Cannot set AWS SSO with Cloudflare SAML - amazon-web-services

I'm trying to set up AWS SSO (now AWS Identity Center) to log in to Cloudflare. When I log in to the AWS portal and then click the Cloudflare app I get this error:
https://i.stack.imgur.com/CXRja.jpg
These are the settings of AWS and Cloudflare:
https://i.stack.imgur.com/dlQ0q.jpg
https://i.stack.imgur.com/CW2jG.jpg
https://i.stack.imgur.com/bYn79.jpg
I tried to change the mapping value with no success.

Related

Authorized redirect URIs of OAuth 2.0 Client ID for a Web application in Google Cloud Platform has been classified as abusive, not allowed to proceed

I am trying to set up Google Integration in my self-hosted Nextcloud instance. For this I need a Google Cloud API Web application OAuth Client ID and Secret, along with the preset Authorized redirect URI from my Nextcloud instance. I can easily create the ID and Secret for the Web app. But, if I put the Authorized redirect URI in the Google Cloud OAuth page, it tells me "Save failed: The request has been classified as abusive and was not allowed to proceed".
For context, the Domain provided is a Google Domain which I am using with a Cloudflare proxied DNS. The Google verification TXT record has been added to Cloudflare. I am self-hosting the Nextcloud instance with a subdomain of this domain behind an Nginx Proxy Manager with a Cloudflare SSL certificate. To add, all of these are running as docker containers on Ubuntu. Additionally I have also verified the Redirect URI as Safe from: https://global.sitesafety.trendmicro.com/result.php
Even then, apart from that specific URI, I have tried URIs of other services I am self-hosting as well as the parent domain. All of these are giving the same message from the GCP OAuth screen.
Kindly help me out with this, considering I am quite a novice.

Unable to signout when using AWS application load balancer with Azure AD OAuth (OIDC)

I have a project where I am hosting an ASP.NET MVC site on an AWS EC2 instance behind an AWS application load balancer (ALB).
I have an ALB listener "Authenticate" rule that takes any traffic that does not have a valid cookie and forwards it to the Azure AD OAuth provider (aka OIDC authentication). The authentication works well, and goes as follows:
HTTPS traffic hits my ALB and since there was not a previous OIDC authentication it forwards the user to Microsoft's Azure AD authentication page for my Azure AD tenant.
On successful authentication, Azure AD forwards the response to my ALB's response URL. This is where the Azure AD OAuth flow terminates.
The AWS ALB generates its own OAuth token, which includes my original Azure AD username and claims, signs the JWT with its own key, and forwards the request to my EC2 instance via a target group, with additional HTTP headers (X-Amzn-*) which include the AWS token info.
However, I cannot figure out how to sign the authenticated user out. I have tried:
Using Azure AD's own "oauth2/v2.0/logout" URL with information about my tenant and client ID (application ID) and then specifying a logout page I have hosted behind my AWS ALB. This only logs out the Azure AD user, but when I return to my site home page the AWS ALB has persisted info via its own cookie and forwards the traffic without redirecting to Azure AD with the old AWS JWT (even if the "Exp" timestamp in the JWT has passed). These subsequent requests contain a cookie named "AWSELBAuthSessionCookie-0" whose value is the entire JWT encoded in Base64, but with a cookie expiration of 1 week in the future.
I have tried clearing the "AWSELBAuthSessionCookie-0" cookie both on the server side of my application and also in the client code (by setting expiration to some time in the past) prior to hitting my website home page again, but the "AWSELBAuthSessionCookie-0" is somehow magically restored containing the old, expired JWT.
Is there a prescribed way to logout of an AWS ALB-authenticated session that used Azure AD (with a custom tenant, not the public 'common' tenant) as the OIDC provider?
I configured a Session timeout to be as short as 1 second to prevent users from reusing the old cookie.
The AWSELBAuthSessionCookie-0 is a session cookie containing the secure and httponly attributes issued by the load balancer. As this post points out, the cookie must be changed only on the issuing server.
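An added example (not from the question above or from AWS) showing the two things the backend behind the ALB controls in this situation: it should read the `exp` claim out of the X-Amzn-Oidc-Data JWT and reject stale identities itself rather than relying on the load balancer's cookie, and its logout page should expire every `AWSELBAuthSessionCookie-*` shard present in the request with matching attributes before redirecting to the IdP logout URL. The token builder is a constructed, unsigned stand-in; the decoder tolerates both padded and unpadded base64url segments. Signature verification against the load balancer's key is left out here and must be done before trusting claims in production. The Azure AD tenant in the logout URL is a placeholder.

```python
import base64
import json
import time
from http.cookies import SimpleCookie

# Cookie name observed in the question; the ALB numbers its session cookie shards.
ALB_COOKIE_PREFIX = "AWSELBAuthSessionCookie-"


def _b64url_decode(segment):
    # Tolerate both padded and unpadded base64url segments.
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_alb_jwt(token):
    """Return the claims of the JWT carried in X-Amzn-Oidc-Data.

    Signature verification (against the load balancer's published public key)
    is deliberately not done here; do it in production before trusting claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def is_expired(claims, now=None):
    """Fail closed: a missing or past 'exp' means the identity is stale."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return exp is None or now >= exp


def logout_headers(cookie_header, idp_logout_url):
    """Expire every ALB session cookie shard present in the request, then send
    the browser to the IdP logout endpoint supplied by the caller."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    headers = [("Location", idp_logout_url)]
    for name in jar.keys():
        if name.startswith(ALB_COOKIE_PREFIX):
            # Path/Secure/HttpOnly must match what the ALB set, or the browser
            # keeps the original cookie instead of replacing it.
            headers.append(("Set-Cookie",
                            f"{name}=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
                            "Max-Age=0; Secure; HttpOnly"))
    return headers


def make_demo_token(claims):
    """Constructed, unsigned stand-in for an ALB token (demo only; keeps '=' padding)."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}.sig"


if __name__ == "__main__":
    token = make_demo_token({"sub": "alice", "exp": int(time.time()) - 60})
    claims = decode_alb_jwt(token)
    print("expired:", is_expired(claims))  # backend must reject, whatever the cookie says
    for h in logout_headers("AWSELBAuthSessionCookie-0=aaa; AWSELBAuthSessionCookie-1=bbb",
                            "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/logout"):
        print(h)
```

The logout response must be produced by a page served behind the same ALB listener, since a cookie can only be cleared from its own host; the backend check on `exp` is what stops an old token from being honoured in the meantime.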

Salesforce OIDC with AWS ALB

I am setting up AWS ALB to authenticate using OIDC.
I am getting the below response: error=redirect_uri_mismatch&error_description=redirect_uri%20must%20match%20configuration
How should this be handled?
And for the AWS ALB to be able to authenticate, is there anything special to be done on the SFDC side?

How to enable SAML Authentication for aws private api gateway

Architecture : Strictly Serverless
Cloud - AWS
I've an application load balancer (internal) in front of a private api gateway and the requirement is to protect the load balancer endpoint with the enterprise SAML IdP.
Lambdas, S3 are allowed, but Route 53, EC2 are not whitelisted to use on this account.
The problem here is what would be the relay state (final target) after SAML authentication? As the internal ALB and the private API gateway endpoints aren't visible outside the AWS landscape, I don't understand how to land on the ALB endpoint once the user is authenticated with the enterprise IdP.
Many thanks!
To use the on-premise enterprise IdP with your ALB, the IdP and ALB must be able to talk to each other (via VPN or Direct Connect). You would then establish a trust relationship between your AWS account and the IdP and define an authentication action in a listener rule on your ALB.
Elastic Load Balancing uses the OIDC authorization code flow:
When users direct requests to your ALB, the ALB authentication action will check if the session cookie exists on the incoming requests and check its validity. If the session cookie is set and valid then the ALB will route the request to the proper target group containing identity information (JWT token via X-AMZN-OIDC-* headers) that backend instances can use to identify the user. If the cookie is not present, the load balancer redirects the user to the IdP authorization endpoint so that the IdP can authenticate the user.
The IdP then authenticates the user and redirects the user back to the load balancer with an authorization code. The ALB presents the code to the IdP token endpoint to get the ID token and access token. After the load balancer validates the ID token, it exchanges the access token with the IdP user info endpoint to get the user claims. The load balancer creates the authentication session cookie and sends it to the client so that the client can use it on subsequent requests.
Source:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
https://aws.amazon.com/blogs/aws/built-in-authentication-in-alb/
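An added example (not from the answer above, the question, or AWS) that models the authorization code flow just described with both sides present: a constructed in-memory IdP with authorize, token and userinfo endpoints, and a model of the listener authenticate action that checks the session cookie, redirects to the IdP with a `state` value, exchanges the one-time code at the `/oauth2/idpresponse` callback path the ALB documentation reserves, fetches claims, and mints the session cookie. Hostnames, subjects and e-mail addresses are made up; real IdPs sign the ID token, which this stand-in returns as a plain dict.

```python
import secrets
import time


class MockIdP:
    """Constructed in-memory stand-in for the enterprise IdP's authorize, token
    and userinfo endpoints (no signatures, no network)."""

    def __init__(self):
        self.codes = {}    # one-time code -> (subject, redirect_uri it was issued for)
        self.access = {}   # access token -> subject

    def authorize(self, redirect_uri, state, subject):
        # The user has just authenticated at the IdP; it redirects back with a code.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (subject, redirect_uri)
        return {"code": code, "state": state}

    def token(self, code, redirect_uri):
        subject, issued_for = self.codes.pop(code, (None, None))  # codes are single-use
        if subject is None or issued_for != redirect_uri:
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(16)
        self.access[access_token] = subject
        return {"id_token": {"sub": subject, "exp": time.time() + 300},
                "access_token": access_token}

    def userinfo(self, access_token):
        subject = self.access[access_token]
        return {"sub": subject, "email": f"{subject}@example.com"}


class AlbAuthenticateAction:
    """Models the listener authenticate action: cookie check, redirect to the IdP,
    code exchange at the callback path, and session cookie issuance."""

    COOKIE = "AWSELBAuthSessionCookie-0"

    def __init__(self, idp, alb_host, session_ttl=3600):
        self.idp = idp
        self.redirect_uri = f"https://{alb_host}/oauth2/idpresponse"
        self.session_ttl = session_ttl
        self.sessions = {}   # cookie value -> (claims, expires_at)
        self.pending = {}    # state -> path the user originally asked for

    def handle(self, path, cookies):
        """Valid session cookie -> forward with X-Amzn-Oidc-* headers; else redirect."""
        session = self.sessions.get(cookies.get(self.COOKIE))
        if session and session[1] > time.time():
            claims, _ = session
            return {"action": "forward", "path": path,
                    "headers": {"x-amzn-oidc-identity": claims["sub"],
                                "x-amzn-oidc-data": claims}}
        state = secrets.token_urlsafe(16)       # binds the callback to this request
        self.pending[state] = path
        return {"action": "redirect", "to": "idp_authorize",
                "params": {"response_type": "code", "redirect_uri": self.redirect_uri,
                           "state": state, "scope": "openid"}}

    def idpresponse(self, code, state):
        """Callback: validate state, exchange the code, fetch claims, mint the cookie."""
        path = self.pending.pop(state, None)
        if path is None:
            raise PermissionError("unknown or replayed state")
        tokens = self.idp.token(code, self.redirect_uri)
        if tokens["id_token"]["exp"] <= time.time():
            raise PermissionError("stale id_token")
        claims = self.idp.userinfo(tokens["access_token"])
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (claims, time.time() + self.session_ttl)
        return {"action": "redirect", "to": path, "set_cookie": {self.COOKIE: cookie}}


def simulate_login(alb, idp, subject, path="/app"):
    """Drive one user through the whole flow; return the final decision and the callback."""
    first = alb.handle(path, {})                                 # no cookie yet
    assert first["action"] == "redirect"
    p = first["params"]
    cb = idp.authorize(p["redirect_uri"], p["state"], subject)   # user logs in at the IdP
    back = alb.idpresponse(cb["code"], cb["state"])              # ALB callback
    return alb.handle(back["to"], back["set_cookie"]), cb


if __name__ == "__main__":
    idp = MockIdP()
    alb = AlbAuthenticateAction(idp, "internal-alb.corp.example")
    forwarded, _ = simulate_login(alb, idp, "alice")
    print(forwarded)
```

The model makes the answer to the relay-state question visible: the IdP only ever redirects the browser to the ALB's callback URL, so the browser, not the IdP, must be able to reach that hostname, which is why the connectivity requirement comes first.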

API Gateway - cannot enable CORS for single domain

I am new to AWS API Gateway.
I am trying to expose an endpoint to a static page I have hosted on S3.
I am trying to restrict access to the endpoint so that it can only be called by my domain example.com
In API Gateway I click enable CORS and by Access-Control-Allow-Origin* I am entering 'example.com'
The endpoint is not restricted to my domain as expected, I can call it from my dev machine locally
I can't see what I'm doing wrong. I have Googled but can't find anything similar.
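An added example (not from the question above or from AWS) of what the CORS setting in API Gateway can and cannot do, written as a Lambda-proxy handler with an assumed REST API event shape (`httpMethod`, `headers`). Two points it shows: a browser's Origin header is a full origin such as `https://example.com`, so a bare `example.com` in Access-Control-Allow-Origin never matches; and the data is still returned to a non-matching origin, because CORS only governs whether a browser page may read the response. Restricting who may call the endpoint needs authentication on the method (IAM, an authorizer, or API keys), not CORS. The allowed origins are made up.

```python
# Allow-list of full origins (scheme + host [+ port]). A bare host such as
# "example.com" never equals a browser's Origin header, so it never matches.
ALLOWED_ORIGINS = {"https://example.com", "https://www.example.com"}


def cors_headers(request_origin):
    """Return CORS headers only for an allow-listed origin; never reflect others."""
    if request_origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",  # caches must not reuse one origin's answer for another
        "Access-Control-Allow-Methods": "GET,OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type,Authorization",
    }


def handler(event, context=None):
    """Lambda-proxy style handler (assumed REST API event: 'httpMethod', 'headers')."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    cors = cors_headers(headers.get("origin"))
    if event.get("httpMethod") == "OPTIONS":          # preflight
        return {"statusCode": 204 if cors else 403, "headers": cors, "body": ""}
    # The body is returned whether or not the origin matched: CORS only tells a
    # browser which pages may read the response; curl or a script ignores it.
    # Restricting callers needs real authentication on the API Gateway method.
    return {"statusCode": 200, "headers": cors, "body": '{"ok": true}'}


if __name__ == "__main__":
    print(handler({"httpMethod": "GET", "headers": {"Origin": "https://example.com"}}))
    print(handler({"httpMethod": "GET", "headers": {"Origin": "https://other.example"}}))
```

Running it shows the second call still gets a 200 with the body and simply no Access-Control-Allow-Origin header, which is exactly what the question observes from a dev machine.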