I am trying to integrate our ADFS login with our application which uses ActiveAdmin in combination with Devise. I succesfully added omniauth-saml for that purpose. The application now redirects to ADFS, the login succeeds but than fails on the callback. I get the error Invalid ticket.
When I try to look into the response on the server in the omniauth-saml lib I can see it says: #document=<UNDEFINED> ... </> and #decrypted_document=<UNDEFINED> ... </>
The initializers/devise.rb reads:
config.omniauth :saml,
assertion_consumer_service_url: 'https://my_server/admin/auth/saml/callback',
issuer: 'https://my_server/',
authn_context: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
idp_sso_target_url: 'https://my_adfs_server/adfs/ls/',
assertion_consumer_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
assertion_consumer_logout_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
idp_sso_target_url_runtime_params: {original_request_param: :mapped_idp_param},
name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
idp_cert: idp_certificate,
request_attributes: {},
attribute_statements: {email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
first_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'],
last_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname']},
private_key: sp_key,
certificate: sp_certificate,
security: {authn_requests_signed: true,
logout_requests_signed: true,
logout_responses_signed: true,
metadata_signed: true,
digest_method: XMLSecurity::Document::SHA1,
signature_method: XMLSecurity::Document::RSA_SHA1,
embed_sign: false}
How can I solve this?
Addition:
It appears that REXML::Document is unable to decrypt the Cypher inside of the SAML response. It fails to do so without errorring. When I try to do it myself by using https://www.samltool.com/decrypt.php I see no problems with it though.
I picked the wrong certificate from ADFS metadata xml. Need to pick the signing, not the encryption certificate.
Found this by using https://www.samltool.com/validate_response.php for debugging.
Related
My ask is to generate a token for Power Bi so to achieve it I created an application for organization by selecting Embedded for your organization
So, to integrate with Azure AD created the application in Azure AD.
The endpoint I used is POST: https://login.microsoftonline.com/common/oauth2/token
and in the body tab, I gave the below inputs:
data: {
grant_type: password
scope:
resource:
client_id:
username:
password:
}
My requirement is to generate token with ROPC authentication flow only.
This is the page I am referring to Solved: Re: How to generate the authorization code and the... - Microsoft Power BI Community
But after hitting send got this error:
{
"error": "invalid_request",
"error_description": "AADSTS900144: The request body must contain the following parameter: 'grant_type'.\r\nTrace ID: \r\nCorrelation ID: \r\nTimestamp: 2022-09-25 13:40:05Z",
]
Not sure what am I missing in configuring the application or postman. Any suggestions?
I tried to reproduce the same in my environment and got the same error as below:
POST: https://login.microsoftonline.com/common/oauth2/token
data: {
grant_type: password
scope: openid
resource: https://analysis.windows.net/powerbi/api
client_id: ******
username: ******
password: ******
}
If your application is not public, then add client_secret parameter like below:
To resolve the error, add the parameters in Body tab -> x-www-form-urlencoded
I am able to generate the access token successfully like below:
I'm trying to do a password less signIn & signOut in flutter with amplify, but I don't see an option on the amplify_auth_cognito package (that aws provides in pub.dev) that allows or hints me how to do it, is it even possible to do it with this package or should I use some other package? if yes then which one and how to do it?
The user pool that I'm using is from an actual working web application which I imported following the aws flutter documentaion
Thank you in advance.
What I experimented with was the default methods provided by amplify_auth_cognito as shown below:
var signUpConfirmedd = await auth.signUp(
username: _email,
// tried not filling the password field but it doesn't work
password: '1234567890',
options: CognitoSignUpOptions(
userAttributes: {
CognitoUserAttributeKey.email: _email,
CognitoUserAttributeKey.name: 'nityy'
},
),
);
I would like to use the AWS SES mail service using SMTP. I know it works for some versions, but I haven't gotten it to work for my application yet. I get a 530 Authentication error.
My question is in three parts:
1. Does AWS smtp work using Grails 2.3.1 with the Mail 1.0.7 plugin using java 1.7?
If it does work, how does one configure it?
If it does work, how can I get more debug information to figure what is wrong?
I've tried every configuration example variant I've come across for this. My latest is below. (It's clear I don't really understand the Mail plugin and the Java mail class, I'm just trying to suss out a working configuration incantation.)
Here is what I have in my config.groovy file:
grails {
mail {
host = 'email-smtp.us-east-1.amazonaws.com'
port = '587'
username = SMTP AWS username, not IAMS username
password= SMTP AWS password, not IAMS password
props = [ 'mail.debug': true,
'mail.smtp.host' : 'email-smtp.us-east-1.amazonaws.com',
'mail.smtp.auth': 'true',
'mail.smtp.starttls.enable': 'true',
'mail.smtp.port': '587',
'mail.smtp.starttls.required': 'true',
'mail.smtp.user' : smtp username from above,
'mail.smtp.usernme' : smtp username from above,
'mail.smtp.password': smtp password from above,
'mail.smtp.socketFactory.port': '587',
'mail.smtp.socketFactory.class':
'javax.net.ssl.SSLSocketFactory',
'mail.smtp.EnableSSL.enable':'true',
'mail.smtp.socketFactory.fallback': 'false' ]
}
}
I have successfully made direct AWS SES emails using the aws-sdk:1.9.40 plugin, by the way.
I am using the mailService.sendmail code from the Mail plugin. This is unchanged (beyond the hardcoded html text), and works fine when the configuration went to our email server.
def resp = mailService.sendMail {
from replyToEmail
replyTo replyToEmail
to user.email
subject emailSubject
html "This is the mesage text Mar 20"
}
Any help at all would be most appreciated!!
I'm using the
http://splix.github.io/grails-spring-security-facebook/index.html
java version "1.8.0_91"
Grails Version: 3.0.9 & Groovy Version: 2.4.5
I'm not sure where is is being inserted at. I've added the appid to application.yml, application.groovy, src\main\resources\application.properties.
````
DEBUG com.the6hours.grails.springsecurity.facebook.SpringSecurityFacebookGrailsPlugin - Facebook security config: [appId
:********, secret:********, apiKey:Invalid, domain:[classname:com.spontorg.FacebookUser, appUserConnectionPropertyName:u
ser], useAjax:true, autoCheck:true, jsconf:fbSecurity, permissions:[email, user_friends, public_profile], taglib:[langua
ge:en_US, button:[text:Login with Facebook], initfb:true], autoCreate:[enabled:true, roles:[ROLE_USER, ROLE_FACEBOOK]],
filter:[json:[processUrl:/j_spring_security_facebook_json, type:json, methods:[POST]], redirect:[redirectFromUrl:/j_spri
ng_security_facebook_redirect], processUrl:/j_spring_security_facebook_check, type:redirect, position:720, forceLoginPar
ameter:j_spring_facebook_force], beans:[:], host:localhost]
....
DEBUG com.the6hours.grails.springsecurity.facebook.FacebookAuthUtils - Redirect to http://127.0.0.1:8080/j_spring_securi
ty_facebook_check
`````
afterwards the URL redirect is
````
Location:https://www.facebook.com/dialog/oauth?client_id=962223610477458&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fj_spring_security_facebook_check&scope=email%2Cuser_friends%2Cpublic_profile&state=0-c68ca
````
then i get an error 72, and some message about the app is setup for public access, etc.
WELP...
It was me, i must have copy/pasted that in and never looked closely enough. IDK?
I checked the source code & it was pretty clearly pulling that value, rechecked and DOH!
finally got it, you need to match the host: with the value you put in ont the facebook app or it pukes again with a different error.
grails:
plugin:
springsecurity:
facebook:
appId: '###########'
secret: 'asfd!##$asfdasfd!#'
domain:
classname: 'com.domain.FacebookUser'
host: live.yourdomain.com
filter:
type: redirect
permissions: ['email','user_friends','public_profile']
I'm trying to use loopback angular SDK to login but instead I'm getting back a 401 unauthorized response.
User.login({ rememberMe: true }, {email: $scope.user.email, password: $scope.user.password})
.$promise
.then(function() {
var next = $location.nextAfterLogin || '/';
$location.nextAfterLogin = null;
$location.path(next);
})
.catch(function(x) {
$scope.authError = 'Wrong Credentials';
});
};
Also i can see the user with the given credentials in the datasource that I've defined for the User model.
So basically, I have a boot script that creates a default user
User.create([{
username: 'admin',
email: 'xxxx#gmail.com',
password: 'admin'
}], on_usersCreated);
And I also have created a custom User model that extends the built-in User model.
Why am I getting a 401 unauthorized response when trying to login? I have even tried to login via the explorer, but with no success.
Update:
I debugged the build-in User model and the login method; and it seems that it cannot find the user with the given email. I can see it though in the mongodb database.
Inspect the ACL records of User model, starting you app in debug mode and viewing console: DEBUG=loopback:security:acl slc run.
I don't see anything wrong with your code. Are you sure the values you're passing into the function are correct? Try logging $scope.user.email and $scope.user.password before calling User.login.
See my new example here: https://github.com/strongloop/loopback-getting-started-intermediate/blob/master/client/js/services/auth.js#L6-L15
The tutorial part is not complete, you can look around the source code to get an idea of what you're doing different.