Create SSO for AWS from Azure AD - amazon-web-services

Trying to create SSO for AWS, keeping Azure users as the source of truth. I followed the tutorials below.
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-saas-amazon-web-service-tutorial
http://blog.flux7.com/aws-best-practice-azure-ad-saml-authentication-configuration-for-aws-console
Is there anything to be more precise about with user attributes in Azure? Is there anything to enable in AWS to accept the SSO?
Login is successful (I can see the sign-ins in Azure AD) but it displays the message "Your request included an invalid SAML response. To logout, click here". Any idea what has gone wrong?

Yes, I think you are on the right path. It seems that you are missing the custom attributes which we suggest adding for your application. Those are Role and RoleSessionName. Please see step #5 in my article https://learn.microsoft.com/en-us/azure/active-directory/active-directory-saas-amazon-web-service-tutorial and make sure that you use the same casing and namespace for the claims. With that, the integration should work correctly.
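The answer above says AWS rejects the response unless the Role and RoleSessionName attributes are present with exactly the documented name and casing. The script below is an added example for this thread (not code from the Microsoft or Flux7 tutorials): it parses the SAML assertion that the IdP actually sent, which you can capture with a browser SAML tracer and base64-decode, and reports the mistakes that produce the "invalid SAML response" page. The attribute names are the ones AWS documents for SAML federation; the account number, role name and provider name in the constructed sample assertions are placeholders.

```python
"""Check a SAML assertion for the attributes AWS console federation needs.

Added example for this thread; not from the linked tutorials.
Attribute names are the ones AWS documents for SAML 2.0 federation.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# AWS accepts the pair "role-arn,provider-arn" in either order.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
# STS RoleSessionName constraint: 2-64 characters from this set.
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")


def saml_attributes(assertion_xml: str) -> dict:
    """Return {Name: [values]} for every <saml:Attribute> in the document.

    Works on a bare <Assertion> or a whole <Response> wrapping one.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_aws_claims(assertion_xml: str) -> list:
    """Return a list of problems; an empty list means the claims look acceptable."""
    attrs = saml_attributes(assertion_xml)
    problems = []
    # AWS matches attribute names case-sensitively, so flag near-misses by name.
    for required in (ROLE_ATTR, SESSION_ATTR):
        if required in attrs:
            continue
        near = [n for n in attrs if n and n.lower() == required.lower()]
        if near:
            problems.append(f"wrong casing: {near[0]!r} should be {required!r}")
        else:
            problems.append(f"missing attribute {required!r}")
    for value in attrs.get(ROLE_ATTR, []):
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            problems.append(f"Role value must be 'role-arn,provider-arn': {value!r}")
            continue
        matches = [(ROLE_ARN.match(p), PROVIDER_ARN.match(p)) for p in parts]
        roles = [m[0] for m in matches if m[0]]
        providers = [m[1] for m in matches if m[1]]
        if len(roles) != 1 or len(providers) != 1:
            problems.append(f"Role value needs one role ARN and one saml-provider ARN: {value!r}")
        elif roles[0].group(1) != providers[0].group(1):
            problems.append(f"role and provider ARNs are in different accounts: {value!r}")
    for value in attrs.get(SESSION_ATTR, []):
        if not SESSION_NAME.match(value):
            problems.append(f"RoleSessionName must be 2-64 chars of [A-Za-z0-9_+=,.@-]: {value!r}")
    return problems


# Constructed sample assertions (placeholder account, role and provider names).
GOOD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/AzureAdmins,arn:aws:iam::123456789012:saml-provider/AzureAD</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{SESSION_ATTR}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Lower-cased attribute name and no RoleSessionName: the shape of the
# misconfiguration the answer describes.
BAD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/saml/attributes/role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/AzureAdmins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_aws_claims(doc) or "OK")
```

Run it against the decoded assertion from the failing sign-in; each reported line maps to one of the claim settings in step #5 of the tutorial.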

Maybe I am late to this post. As Jeevan mentioned, you are missing the custom attributes that you need to add. I have been struggling with the same thing and found this well-explained video. I hope this will help anyone who is struggling with this issue.

Related

This app is blocked This app tried to access sensitive info in your Google Account

I am having trouble with the error shown in the image. Does anyone know how to solve this problem?
I would like to obtain a refresh token to use the "YouTube Data API v3".
I tried the following:
Create a Web-type client ID in the GCP console in advance.
Access https://developers.google.com/oauthplayground/, set the client ID and client secret in "1.", select https://www...../youtube and https://www...../youtube.upload from YouTube Data API v3, and then execute Authorize APIs.
When asked which account to use for OAuth, if I select my brand account, Google blocks it as shown in the image.
[What I tried to solve]
A newly created Google account was able to obtain a token.
→ However, I really need to use the YouTube API with the brand account I already have.
I have tried turning on "Less secure app access" in the security settings of my brand account, but this did not solve the problem.
The target brand account is not managed by GoogleWorkspace.
Any information would be appreciated, I will provide any information needed, so if anyone knows anything, please help me.

issue automatically adding members to google groups (G-suite) with Admin SDK

(I have done a search through the questions to see if I could find something on this, but have not found answers.)
I have two google groups through my G-suite and I want to automatically add people to both groups after they sign up for my club through a process on my website. I think this should be possible using:
https://developers.google.com/admin-sdk/directory/v1/guides/manage-group-members
I have gone into the API Console, created a new project, enabled the Admin SDK API, and got an API key. However, I think I am running into an authorization issue, because we keep getting an error that the authorization token is missing.
I have tried using OAuth 2.0, but I'm not sure if this should be "Internal" or "External". I'm not creating a whole app for someone to use; all I want to do is, on the back end of the site, take the information that comes through when someone joins the club and automatically have them added to my Google groups.
Is it possible for someone to please explain to me what I need to do?
I'm sorry this is kind of a basic question.
Thank you for your help.

Google OAuth2.0 allows users NOT in list of test users

I'm developing a webapp which allows users to log in with their Google accounts, using OAuth2.0.
I've created an OAuth2.0 client ID, configured the OAuth consent screen with the Publishing status set to 'Testing', and added a test user.
The frontend of my app is built with React, and I'm using a package (react-google-login) to handle the flow. I can successfully sign in with the Google account I added as a test user, and retrieve the basic profile information needed.
The problem is I can also sign in with other Google accounts, which have not been added to the list of test users. I imagine that Google should simply not issue access tokens for accounts which are not in the list of test users.
I feel like I've misunderstood something about the OAuth process, or I have configured something incorrectly. I would appreciate if anyone had any pointers?
Thanks.
It is indeed bugged.
I was in the same spot as you, assuming I had misunderstood something. After reviewing my code over and over with no luck, I made a Stack Overflow post, in which I was advised to post to Google's bug tracking system. After doing some troubleshooting with Google, they confirmed the bug, and they are now working to fix it (and have been for a little while already).
I included this thread as an example when talking to Google. I meant to post an update here after getting in touch with them, but I forgot, sorry!
The buganizer thread with more details:
https://issuetracker.google.com/issues/211370835
Is it possible you're only asking for the email scope?
It appears the test user filter and possibly the whole concept of the 'app' being in test mode exists only inside the consent screen feature.
For some reason, Google doesn't show the consent screen if you only ask for email.
So... maybe that means you don't need a consent screen, and therefore don't need to care what that feature thinks about your app (that your app is in test mode and needs to be verified before going into production).
Or maybe it's a bug? Or maybe just because you can do this doesn't mean it's allowed by Google's terms. Maybe they just haven't implemented preventing that use case.
Anyway, it may help you to know that if you add a more significant scope like the Calendar API then the following things will change:
Non-test users will get a message like "The developer hasn't given you access to this app." and won't be able to complete OAuth.
Test users will get a message like "Google hasn't verified this app".
Test users will see a consent screen.
Basically, everything starts working as expected.
By the way, just putting "email" or "profile" for the scope seems to be an old way of doing things, and all the newer scopes want you to use a full URL for the scope (despite Google themselves not using the full URL when you're configuring your scopes).
For example, if you want the email and calendar scopes, you can put this value for your scope field:
email https://www.googleapis.com/auth/calendar
Or you can use this equivalent value:
https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/calendar
I'm not suggesting you add a scope like email for the sake of it, just that it sheds light on what's happening, and if there's a scope like that which you need anyway, adding it will solve your problem.

WSO2 Identity Server - Get Role's Permissions

Referring to this link, we integrated CustomPermissionClaimHandler into our server without any errors, but we still can't get the permissions of the users... I know how to create custom claims (refer to this link), and if I follow the steps in these two links, I can create a permission field as a textbox, as shown in the picture (testClaim and organizationID are examples of that in the picture)... I thought that after integrating CustomPermissionClaimHandler I would see permissions like the Role field, as shown in the picture with the blue line, but it still comes up as an empty textbox, as shown in the picture with the green line. Is there any way to get the permissions?
EDIT: I can get a JWT including my custom claims, and if I decode it I see this (as you can see, it doesn't contain permissions):
By looking at the JWT response, I can say you have done either or both of the following.
It seems there is a mistake in the guide for configuring the application-authentication extension.
If you have added,
[authentication.framework.extensions]
claim_handler="com.wso2.sample.claim.handler.CustomClaimHandler"
in deployment.toml, but you use the jar built from the code, there is a mismatch in the package name. You have to use the following config.
[authentication.framework.extensions]
claim_handler="org.wso2.custom.claim.PermissionClaimHandler"
Because of this configuration issue, your custom handler may not get executed even though the service was activated properly.
If the claim handler is active and the configuration is correct as in step one, you might have missed something when mapping the custom claim to an OIDC claim, adding it to an OIDC scope, or configuring the service provider claims.
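The first point in the answer above is a silent failure: the fully qualified class name in deployment.toml does not match the class actually packaged in the dropin jar, so the server activates the bundle but never runs the handler. The script below is an added example for this thread (not WSO2 code): it reads the claim_handler key from the [authentication.framework.extensions] table and checks that the corresponding .class entry exists in the jar, which is the check you would run before looking at claim mappings. The two class names are the ones quoted in the answer; the jar contents are constructed in memory as a stand-in for the built artifact.

```python
"""Verify that deployment.toml's claim_handler names a class that the jar contains.

Added example for this thread, not WSO2 code. Class names come from the
answer above; the jar below is a constructed stand-in for the built artifact.
"""
import io
import re
import zipfile

EXTENSIONS_TABLE = "[authentication.framework.extensions]"


def configured_claim_handler(toml_text: str):
    """Return the claim_handler value from the extensions table, or None.

    Minimal line-based parse for this one key, so it runs without a TOML library.
    """
    in_table = False
    for line in toml_text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if stripped.startswith("["):
            in_table = stripped == EXTENSIONS_TABLE
            continue
        if in_table:
            m = re.match(r'claim_handler\s*=\s*"([^"]+)"', stripped)
            if m:
                return m.group(1)
    return None


def class_in_jar(class_name: str, jar) -> bool:
    """True if the jar (path or file-like object) contains the class file."""
    entry = class_name.replace(".", "/") + ".class"
    with zipfile.ZipFile(jar) as zf:
        return entry in zf.namelist()


def check_claim_handler(toml_text: str, jar) -> str:
    """Return 'ok', or a message describing why the handler will never run."""
    name = configured_claim_handler(toml_text)
    if name is None:
        return f"no claim_handler under {EXTENSIONS_TABLE}"
    if class_in_jar(name, jar):
        return "ok"
    return f"claim_handler {name!r} not found in jar"


def build_sample_jar(class_names) -> io.BytesIO:
    """Constructed stand-in for the dropin jar: empty .class entries only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in class_names:
            zf.writestr(name.replace(".", "/") + ".class", b"")
    buf.seek(0)
    return buf


# The class that the answer says the built jar actually contains.
PACKAGED_HANDLER = "org.wso2.custom.claim.PermissionClaimHandler"

# Config as the guide shows it (wrong package) and as the answer corrects it.
WRONG_TOML = """[authentication.framework.extensions]
claim_handler="com.wso2.sample.claim.handler.CustomClaimHandler"
"""
RIGHT_TOML = """[authentication.framework.extensions]
claim_handler="org.wso2.custom.claim.PermissionClaimHandler"
"""

if __name__ == "__main__":
    for label, toml_text in (("guide", WRONG_TOML), ("fixed", RIGHT_TOML)):
        print(label, check_claim_handler(toml_text, build_sample_jar([PACKAGED_HANDLER])))
```

Against a real deployment, pass the path of the jar in the dropins directory instead of the constructed buffer; if this reports "ok" and the claim still does not appear in the token, move on to the second point in the answer (claim mapping, OIDC scope, service provider claim configuration).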

Forcing password on login with IAP and restrict domain

I've set up a Django/python web application running on Google Cloud Platform's Kubernetes Engine pods, and secured by GCP's Identity-Aware Proxy.
It all works great, but there are two things I'm not sure how to accomplish.
1) How can I restrict the users to a specific domain, just like the hd=my_domain.com URL parameter does on OAuth2 logging in? That makes the sign-in page only show emails with that domain in the list to click on.
2) How can I enforce that the user logs in with a password, instead of just clicking on the account? This is just like when you go to admin.google.com or security.google.com: even though you're logged in, it forces a password. I know how to go to /gcp/clear_login_cookie to enforce a new login session when I want to log them out, but I'm not sure how to enforce that a password is entered. I believe this is called the "user presence test."
Any help is greatly appreciated; I've pored through the documentation and have searched various ways on Stack Overflow to no avail.
Both of these items are on our roadmap, though I can't offer a specific timeline.
I don't see an entry in Issue Tracker for either of these. I'll try to remember to add that next week (at which point I'll add the links here), or you can do it yourself: https://issuetracker.google.com/issues/new?component=190831&template=1162609
Thanks for the suggestion, and sorry I don't have a better answer for you!
--Matthew, Cloud IAP engineering