I am trying out the pickup-dispatch SAML web app with IS 5.9.0.[1] I created a service provider in one of my tenants. In the configs, I didn't enable "Enable Audience Restriction". But once I logged in to the app, it gives the following error.
org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: SAML2 Assertion Audience Restriction validation failed
org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.validateAudienceRestriction(SAML2SSOManager.java:866)
org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:578)
org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:525)
org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:358)
org.wso2.carbon.identity.sso.agent.SAML2SSOAgentFilter.doFilter(SAML2SSOAgentFilter.java:98)
In the SAML trace, the following audience value can be seen.
<saml2:Conditions NotBefore="2022-04-15T16:47:15.511Z" NotOnOrAfter="2022-04-15T16:52:15.511Z">
  <saml2:AudienceRestriction>
    <saml2:Audience>janaka1</saml2:Audience>
  </saml2:AudienceRestriction>
</saml2:Conditions>
The issuer name that I used is janaka1. How do I correctly configure the SP?
[1] https://is.docs.wso2.com/en/5.9.0/learn/deploying-the-sample-app/#deploying-the-saml2-web-app-pickup-dispatch-webapp
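The agent's error is the SAML audience rule: the SP must find the entity ID it is configured with among the <saml2:Audience> values of every AudienceRestriction (SAML 2.0 Core, section 2.5.1.4), and the assertion must lie inside its NotBefore/NotOnOrAfter window. The following Python is an added example, not code from the question or from the WSO2 SSO agent, of those checks applied to the Conditions element from the trace above. The SP entity ID values it is called with, the evaluation time and the 60-second clock-skew allowance are assumptions of the example.

```python
"""Added example: SP-side validation of a SAML 2.0 <Conditions> element.
Not the WSO2 agent's code; entity IDs and times below are assumptions."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The Conditions element from the question's SAML trace, with the namespace
# declaration added so that it parses stand-alone.
CONDITIONS_XML = """<saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    NotBefore="2022-04-15T16:47:15.511Z" NotOnOrAfter="2022-04-15T16:52:15.511Z">
  <saml2:AudienceRestriction>
    <saml2:Audience>janaka1</saml2:Audience>
  </saml2:AudienceRestriction>
</saml2:Conditions>"""


def parse_instant(value):
    """SAML xs:dateTime values are UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_conditions(conditions_xml, sp_entity_id, now, skew_seconds=60):
    """Return (ok, reason).

    ok is True only when `now` (ISO-8601 string or aware datetime) lies inside
    the NotBefore/NotOnOrAfter window, allowing `skew_seconds` of clock drift,
    and every AudienceRestriction lists `sp_entity_id`, the value this SP is
    configured to identify itself with (an input of the example, not read from
    any agent configuration).
    """
    if isinstance(now, str):
        now = parse_instant(now)
    skew = timedelta(seconds=skew_seconds)
    cond = ET.fromstring(conditions_xml)

    not_before = cond.get("NotBefore")
    if not_before and now + skew < parse_instant(not_before):
        return False, "assertion not yet valid"
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return False, "assertion expired"

    restrictions = cond.findall("saml2:AudienceRestriction", NS)
    if not restrictions:
        # Strict policy chosen for this example: an assertion handed to an SP
        # must be scoped to an audience.
        return False, "no AudienceRestriction present"
    # SAML 2.0 Core 2.5.1.4: an AudienceRestriction is satisfied only if the SP
    # is one of its audiences, and every AudienceRestriction must be satisfied.
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.findall("saml2:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            return False, "audience %s does not contain SP entity id %r" % (audiences, sp_entity_id)
    return True, "ok"


if __name__ == "__main__":
    at = "2022-04-15T16:48:00Z"
    # SP configured with an entity id that differs from what the IdP put in <Audience>:
    print(validate_conditions(CONDITIONS_XML, "pickup-dispatch", at))
    # SP configured with the same value the IdP issued (the issuer name from the question):
    print(validate_conditions(CONDITIONS_XML, "janaka1", at))
```

The first call reproduces the failure mode in the question: the IdP issued the assertion for audience janaka1, so an agent that identifies itself by any other value rejects it regardless of whether extra audiences were enabled on the IdP side.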
Actually, we use Google IdP as an SSO / SAML authentication type for our application.
We have configured it to connect our users to our application and it works fine.
But recently, we have also wanted to ask our users to re-authenticate for different actions that can happen during the application lifecycle.
In more detail, when we send a SAML request to the Google IdP, we add the attribute ForceAuthn="true" to the "AuthnRequest" node and we also add an AuthnContextClassRef to ask explicitly for a re-authentication by credentials.
When we send this SAML request to the Google IdP, the problem is that the IdP server doesn't ask the end user for credentials and redirects directly to the application with a successful response.
Is that normal?
Does the Google IdP support the attribute ForceAuthn="true"?
I didn't find any documentation on this topic.
Here is an example of the SAML request that has been sent to the IdP:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Version="2.0"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="#url_sp"
    ID="#id"
    IssueInstant="2021-05-31T15:34:19Z"
    Destination="https://accounts.google.com/o/saml2/idp?idpid=#id"
    ProviderName="#ip"
    IsPassive="false"
    ForceAuthn="true">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">#url_sp</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    #signature_info
  </Signature>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Official answer from Google support: "Google doesn't currently implement Single Log out/account reauthentication, for SAML authorized services. You may alternatively have the use of "session lengths"".
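When an IdP may silently reuse its existing session despite ForceAuthn="true", the SP has to detect that on its own side rather than trust the successful status. The Python below is an added example, not code from the question, from Google, or from any SAML library: after signature validation (assumed to have happened already), it binds the Response to the request ID that was sent, rejects an AuthnStatement whose AuthnInstant predates the IssueInstant of the ForceAuthn request (SAML 2.0 Core 3.4.1 requires a fresh authentication in that case), and checks that the AuthnContextClassRef is exactly the one requested with Comparison="exact". The two response documents are constructed for the example; the request ID and IssueInstant are taken from the request shown above.

```python
"""Added example: SP-side detection of an IdP that ignored ForceAuthn.
Sample responses are constructed; signature checking is assumed done."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample: a response to a request issued at 2021-05-31T15:34:19Z
# whose AuthnStatement reuses a login from that morning, i.e. the IdP did not
# honour ForceAuthn. Signature elements are omitted for brevity.
STALE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2021-05-31T15:34:21Z" InResponseTo="_req1">
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2021-05-31T15:34:21Z">
    <saml:AuthnStatement AuthnInstant="2021-05-31T09:02:11Z" SessionIndex="_sess1">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>""" % PASSWORD_PT

# Same response, but the user was actually re-authenticated after the request.
FRESH_RESPONSE = STALE_RESPONSE.replace(
    'AuthnInstant="2021-05-31T09:02:11Z"', 'AuthnInstant="2021-05-31T15:34:20Z"')


def parse_instant(value):
    """SAML xs:dateTime values are UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_forced_reauth(response_xml, request_id, request_issue_instant, required_class_ref):
    """Return (ok, reason) for a Response to an AuthnRequest that carried
    ForceAuthn="true" and RequestedAuthnContext Comparison="exact"."""
    resp = ET.fromstring(response_xml)
    # Bind the response to the request we actually sent (anti-replay).
    if resp.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match our request ID"
    stmt = resp.find("saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement in response"
    # ForceAuthn obliges the IdP to authenticate the user anew, so the
    # authentication must postdate the request that demanded it.
    if parse_instant(stmt.get("AuthnInstant")) < parse_instant(request_issue_instant):
        return False, "AuthnInstant predates the ForceAuthn request: existing IdP session was reused"
    ref = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is None or (ref.text or "").strip() != required_class_ref:
        return False, "AuthnContextClassRef does not match the exact context requested"
    return True, "user was re-authenticated"


if __name__ == "__main__":
    for label, xml in (("stale", STALE_RESPONSE), ("fresh", FRESH_RESPONSE)):
        print(label, check_forced_reauth(xml, "_req1", "2021-05-31T15:34:19Z", PASSWORD_PT))
```

With an IdP that does not implement re-authentication, the stale case is what the SP will see for a logged-in user; the application can then fall back to its own step-up prompt instead of treating the SAML success as proof that credentials were just entered.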
I have a JWT token that I want to validate with the OpenAPI YAML security definition for a Google Cloud Endpoints endpoint.
But it only checks that the token has the same issuer and audience. I don't see it checking anything else, so anyone with the same issuer and audience is allowed to call the endpoint. I want to restrict it to my tenant, maybe with the client id/secret, as that will be unique. I tried with the details mentioned in https://auth0.com/docs/integrations/google-cloud-endpoints. When tried with the password or application flow, it still allows a user with the same issuer and audience although the scopes are different. I want to restrict it to my tenant. How can I do that?
security:
  - auth0_jwt:
      - openid
      - profile
      - email
securityDefinitions:
  auth0_jwt:
    tokenUrl: https://domain_name/oauth/token
    flow: application
    type: oauth2
    x-google-issuer: https://domain_name/
    x-google-jwkuri: https://jwks_uri
    x-google-audiences: https://audience_name/
    scopes:
      openid: test
      profile: test
      email: test
In the above code, security is written inside the path, the same as mentioned in the above link.
Also, I have a question regarding the claims. How do I validate claims in a token for a Google Endpoints endpoint using the OpenAPI YAML?
Cloud Endpoints performs only authentication, not authorization. To achieve authorization checks, you have to implement the process in your API. In my company, we usually use Firestore to store and retrieve the link between the user email and their profiles (authorization).
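What that authorization layer looks like in the API itself, as an added example in Python (not the answer's own code and not part of Cloud Endpoints): it assumes the gateway (ESP) has already verified the JWT's signature, issuer and audience and forwards the verified claim set base64url-encoded in the X-Endpoint-API-UserInfo header, as ESPv2 does; that the issuer places the requesting application's client ID in the azp claim, as Auth0 access tokens do; and that an email claim is present. The allowed client ID, the tokens and the in-memory profile store (standing in for the Firestore lookup the answer mentions) are all constructed for the example.

```python
"""Added example: tenant/role authorization behind Cloud Endpoints.
Assumes ESP has authenticated the JWT and forwards its claims in
X-Endpoint-API-UserInfo (base64url JSON). All data below is constructed."""
import base64
import json

# Constructed: the only Auth0 application that belongs to this tenant.
ALLOWED_CLIENT_IDS = {"tenant-app-client-id"}

# Constructed stand-in for Firestore: email -> profile with roles.
PROFILES = {
    "alice@example.com": {"roles": ["admin", "viewer"]},
    "bob@example.com": {"roles": ["viewer"]},
}


def encode_userinfo(claims):
    """Produce the header value the way a gateway would (used to build inputs)."""
    raw = json.dumps(claims).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_userinfo(header_value):
    """base64url without padding -> dict of JWT claims."""
    padded = header_value + "=" * (-len(header_value) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def authorize(headers, required_scope, required_role):
    """Return (allowed, reason).

    ESP only proves which issuer/audience the caller's token came from;
    every check below is policy the API must enforce itself.
    """
    info = headers.get("X-Endpoint-API-UserInfo")
    if not info:
        return False, "no authenticated principal forwarded by the gateway"
    claims = decode_userinfo(info)
    # 1. Same issuer and audience is not enough: pin the application (azp claim,
    #    assumed here to carry the client ID as Auth0 access tokens do).
    if claims.get("azp") not in ALLOWED_CLIENT_IDS:
        return False, "token was issued to another application"
    # 2. Scopes listed under securityDefinitions are not enforced by Endpoints;
    #    check the space-separated scope claim here.
    scopes = set(claims.get("scope", "").split())
    if required_scope not in scopes:
        return False, "missing scope %s" % required_scope
    # 3. Map the identity to our own profile store (the Firestore lookup).
    email = claims.get("email")
    profile = PROFILES.get(email)
    if profile is None:
        return False, "unknown user %r" % email
    if required_role not in profile["roles"]:
        return False, "user lacks role %s" % required_role
    return True, "ok"


if __name__ == "__main__":
    token_claims = {
        "iss": "https://domain_name/", "aud": "https://audience_name/",
        "azp": "tenant-app-client-id", "scope": "openid profile email",
        "email": "alice@example.com",
    }
    headers = {"X-Endpoint-API-UserInfo": encode_userinfo(token_claims)}
    print(authorize(headers, "email", "admin"))
    # Same issuer and audience, different application: rejected by step 1.
    headers["X-Endpoint-API-UserInfo"] = encode_userinfo(dict(token_claims, azp="other-tenant-app"))
    print(authorize(headers, "email", "admin"))
```

The decisive check for the question is step 1: two tokens from the same issuer with the same audience are indistinguishable to the gateway, so the client ID (or another tenant-identifying claim your issuer emits) has to be compared in the API.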
I was looking for a way to add another Client ID to IAP, because if I try to request a protected resource with a token generated with an Android client ID in the same project, it gives me this error:
Invalid IAP credentials: JWT audience doesn't match this application ('aud' claim ( "the android client id used to generate the token" ) doesn't match expected value ('the IAP client ID'))
We are using WSO2 EI 6.1.1 and WSO2 Identity Server version 5.5.0. We have a requirement to use the OAuth Mediator to validate the access token. I have a service provider registered with the identity server and generated the OAuth 2.0 bearer access token using a curl command. I tried the Oauth2webservice to validate the authorization, which succeeded, and the request went to the identity server. But if I use the OAuth Mediator of WSO2 Integrator, I get the below error message and the request is not going to the identity server, which was confirmed from the logs of the identity server. Please help with it. Are there any other jar files or configuration settings needed for this?
<oauthService remoteServiceUrl="https://localhost:9444/services/" username="admin" password="admin"/>
ERROR - OAuthMediator Error occured while validating oauth access token.java.lang.Exception: Error while validating OAuth2 request. at org.wso2.carbon.identity.oauth.mediator.OAuth2TokenValidationServiceClient.validateAuthenticationRequest(OAuth2TokenValidationServiceClient.java:61).
Caused by: org.apache.axis2.AxisFault: SSL peer failed hostname validation for name: null.at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
I have the same issue and can't resolve it. This bug has not been corrected yet:
https://wso2.org/jira/browse/IDENTITY-5243
Unlike targeting a custom audience, it seems impossible to create an ad targeting a saved audience using the Facebook Ads API. Can someone confirm that this is the case? What would be a workaround? This is the error I'm getting:
Error #100: Param targeting[custom_audiences][id] must be a valid custom audience id
There is a difference between a saved audience and a custom audience. A saved audience is an audience you manually create by specifying age range, geographic region and interests, while a custom audience is a list of customers you gathered (uploaded, visitors of your site, etc.). You can create these audiences manually through the Ads Manager interface.
Using Graph API Explorer, one can retrieve saved audiences as follows:
act_1234567890/saved_audiences
Using Graph API Explorer, one can retrieve custom audiences as follows:
act_123456789/customaudiences
Note that 123456789 is not my real account number. I changed it for security reasons.
So, I can retrieve IDs for both custom audiences and saved audiences and creating an ad targeting a custom audience works fine, unlike targeting a saved audience which gives the above error message.
A cumbersome workaround could be to save the flexible_spec of each saved audience locally and use that spec when creating ads. The problem with that is that some targeting segments become invalid (Facebook decides to discontinue some segments at random times), which causes the Facebook Ads API to hiccup. Additionally, this means I constantly need to keep saved audiences in sync with my local copy, unless of course I retrieve the targeting of a saved audience on the fly and re-use it each time I create an ad, resulting in yet another API request.
I figured it out myself. It seems impossible to directly target a saved audience unlike a custom audience, which is odd. What I did is retrieve the targeting from the saved audience first and reuse that targeting when creating the ad.
A screenshot of the official documentation shows that only custom audiences and lookalike audiences can be targeted.
Retrieving targeting from saved audience (with Facebook PHP SDK):
use FacebookAds\Api;

// Api::init($app_id, $app_secret, $access_token) must have been called before this.
$api = Api::instance();
// Read the targeting spec stored on the saved audience.
$response = $api->call(
    '/987654321', 'GET',
    array('fields' => 'targeting')
);
$audience = $response->getContent();
With 987654321 as the saved audience ID.
Then copy that targeting to the ad (with Facebook PHP SDK):
use FacebookAds\Object\Targeting;

// Build the ad's Targeting object from the spec fetched above.
$targeting = new Targeting();
$targeting->setData($audience['targeting']);
The disadvantage of this technique is that the ad won't be updated when the saved audience is updated and that it requires an extra API call which slows down the creation of the ad.