I do my first steps with WSO2 (Version 5) and I do not understand the claim mapping.
Currently the travelocity.com application works fine. I can login and afterwards I'am redirected to the home page of the travelocity application - everything is fine.
No I would like the send different SAML assertions as response the the travelocity- appl.
Therefore I have added "Identity Provider Claim URIs" to the claim configuration (email and roles).
What is not clear for me is, that there is only one select field "Subject Claim URI".
When I select the email URL, than in the SAML- Response is the following line:
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:name">email#email.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="0"
NotOnOrAfter="2014-08-30T09:18:56.447Z"
Recipient="http://localhost:8080/travelocity.com/samlsso-home.jsp"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
when I choose role- URL as Subject Claim URI, than I get the roles:
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:name">admin,xccx,asqs,Internal/identity,Internal/travelocity.com,Internal/everyone</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="0"
NotOnOrAfter="2014-08-30T09:18:56.447Z"
Recipient="http://localhost:8080/travelocity.com/samlsso-home.jsp"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
But I will get both in the SAML Response.
What I am doing wrong.
Thanks a lot for any help and all the best!!
You have to use Requested Claims to get claims in the SAMLAssertion. The subject claim is the username your application is expecting.
Related
I have Sitecore 6.6 installed. I wanted to add a new domain to Sitecore; Since my Sitecore instance is deployed in two servers with two Sitecore sites in each pointing to different web databases but same core, master and analytics databases, I couldn't do it using Sitecore Domain manager.So I thought of doing it manually by editting the App_Config\Security\domains.config in the server. The following was the domains.config that I had.
<?xml version="1.0" encoding="utf-8"?>
<domains xmlns:sc="Sitecore">
<domain name="sitecore" ensureAnonymousUser="false" />
<domain name="extranet" defaultProfileItemId="{AE4C4969-5B7E-4B4E-9042-B2D8701CE214}" />
<domain name="default" isDefault="true" />
<sc:templates>
<domain type="Sitecore.Security.Domains.Domain, Sitecore.Kernel">
<ensureAnonymousUser>true</ensureAnonymousUser>
<locallyManaged>false</locallyManaged>
</domain>
</sc:templates>
<domain name="Station" defaultProfileItemId="{F181ED3D-F342-46E6-B6F6-2A6A6173B513}" />
<domain name="Emailcampaign" />
</domains>
I added one more domain(MyDomain) at the end like below.
<?xml version="1.0" encoding="utf-8"?>
<domains xmlns:sc="Sitecore">
<domain name="sitecore" ensureAnonymousUser="false" />
<domain name="extranet" defaultProfileItemId="{AE4C4969-5B7E-4B4E-9042-B2D8701CE214}" />
<domain name="default" isDefault="true" />
<sc:templates>
<domain type="Sitecore.Security.Domains.Domain, Sitecore.Kernel">
<ensureAnonymousUser>true</ensureAnonymousUser>
<locallyManaged>false</locallyManaged>
</domain>
</sc:templates>
<domain name="Station" defaultProfileItemId="{F181ED3D-F342-46E6-B6F6-2A6A6173B513}" />
<domain name="Emailcampaign" />
<domain name="MyDomain" />
</domains>
As soon as I did that, Sitecore.Context.User.IsAuthenticated started returning true for extranet\Anonymous user(Non-logged in user) in the code.
Has anyone faced this issue before?
Please let me know where am I going wrong.
I also encounted this issue back when I was working with Sitecore 6.6, I'm not certain if its an issue in later versions. Essentially when you modified your domains.config with the param ensureAnonymousUser set to true the Anonymous User for that domain, in this case Extranet, was created in the database - it may not have been until you changed that setting.
In Sitecore all non-logged in users view the site as the user *domain*/anonymous. As Sitecore's membership is based on .NET Membership it determines that the User is logged in as its using that account.
Therefore I recommend completing an additional check with your Sitecore.Context.User.IsAuthenticated to check if the username of User's account is *domain of site*/anonymous, Sitecore.Context.User.Name, if it is return false.
EDIT
I have confirmed Sitecore.Context.User.IsAuthenticated returning true for *domain*\Anonymous user has been fixed in Sitecore 8. Therefore you can use it to determine if the User is logged in and not using the *domain*\anonymous account.
We finally resolved this issue! This was caused by a fix we added to solve an issue we had with Sitecore ECM. The issue was that Sitecore used to log out as soon as we clicked on the message preview. So we followed the steps given in the below thread to fix the issue.
https://stackoverflow.com/a/30836600/4165670
But we were not testing for Anonymous user like it is done in the thread. We never pushed this code into Content Delivery site and when
we created the new domain, This code got pushed into the Content Delivery site with some other code.
Since we are setting the current user as the Active user in the code, it started showing that extranet\Anonymous user as the current user.
How to pass query parameters to web page after SAML SSO redirect by WSO2 Identity Server. I tired to save those parameters in session by extending the SAML SSO filter. But that session data is also loss after the authentication redirect.
I think, You can use RelayState. When SAML Request is sent to IS, you can send values with RelayState parameter and IS would reply back to your web application with same value. Also you can append query parameters to ACS url and send it with the SAML Request. If your SAML request has been signed, IS would redirect to ACS url which is in SAML Request.
as well as using the relay state as the previous post says you can use attributes within the SAML token if you need to
<saml:AttributeStatement>
<saml:Attribute Name="Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Name">
<saml:AttributeValue>Test</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement>
<saml:Attribute Name="Mobile" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Mobile">
<saml:AttributeValue>09009090909</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement>
<saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Email">
<saml:AttributeValue>test#test.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
That way you can query the SAML, make sure it's valid and then get the information from the attributes section and do what you want after, whether it's a redirect or you require extra processing.
Hope that helps.
I'm new to Spring and spring security and I can't seem to get this working. I'm securing a web service with Spring security. I'm getting the appropriate responses back - 401, 200, etc - for the secure requests and when I explicitely login to the URL I defined. However, when I try to test the actual url providing data via curl or poster sending the authentication in the header, I can't get it to work.
Here's my servlet-security.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint">
<intercept-url pattern="/services/schedule/**" access="ROLE_USER, ROLE_ADMIN"/>
<custom-filter ref="myFilter" position="FORM_LOGIN_FILTER"/>
<!-- Adds a logout filter to Spring Security filter chain -->
<logout logout-url="/api/logout" delete-cookies="true" invalidate-session="true"
success-handler-ref="restLogoutSuccessHandler"/>
</http>
<beans:bean id="myFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="authenticationSuccessHandler" ref="mySuccessHandler"/>
<beans:property name="filterProcessesUrl" value="/api/login"/>
<beans:property name="usernameParameter" value="username"/>
<beans:property name="passwordParameter" value="password"/>
<beans:property name="postOnly" value="true"/>
</beans:bean>
<!-- Configures a custom authentication success handler that returns HTTP status code 200 -->
<beans:bean id="mySuccessHandler" class="com.touchvision.pilot.security.RestAuthenticationSuccessHandler"/>
<!-- Configures a custom authentication failure handler that returns HTTP status code 401 -->
<beans:bean id="restAuthenticationFailureHandler" class="com.touchvision.pilot.security.RestAuthenticationFailureHandler"/>
<!-- Configures a custom logout success handler that returns HTTP status code 200 -->
<beans:bean id="restLogoutSuccessHandler" class="com.touchvision.pilot.security.RestLogoutSuccessHandler"/>
<!-- Declare an authentication-manager to use a custom userDetailsService -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="customUserDetailsService">
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
</authentication-manager>
<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the database -->
<beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>
<!-- A custom service where Spring will retrieve users and their corresponding access levels -->
<beans:bean id="customUserDetailsService" class="com.touchvision.pilot.services.CustomUserDetailsService"/>
</beans:beans>
As I said, I can login fine via posting the creds to the /api/login. However, when I try to send the authentication in the header with an actual data request, I get an error that says "This request requires HTTP authentication." The curl command I'm using is:
curl -u admin#touchvision.com:admin123 "http://local.touchvision.com/services/schedule/list"
Thanks for any and all help.
You only have a form-login filter (UsernamePasswordAuthenticationFilter) configured that processes form parameters passed in a HTTP POST request, but there is nothing on the server side that would process the header of a request.
Try configuring a BasicAuthenticationFilter that will authenticate requests based on info passed in the header.
Have you tried using %40 intead of the # sign in the user ID. Also, depending on your version of CURL, you may want to try quotes around the entire -u parameter.
I want to configure Sitecore Workflow engine for email sending.
I had a look into the "Email Action" implementation using Reflector,
It reads "mail server" from argument as follows.
string host = this.GetText(innerItem, "mail server", args);
Don't we need to provide credentials(Username/Password) for mailserver? Or does it take mail configuration from the webconfig?
I have not tried email sending with Workflow yet, Please help me to configure email sending module.
Thanks
Sitecore reads the mailserver settings from the following properties in the web.config:
<setting name="MailServer" value="your.mailserver.com" />
<!-- MAIL SERVER USER
If the SMTP server requires login, enter the user name in this setting
-->
<setting name="MailServerUserName" value="" />
<!-- MAIL SERVER PASSWORD
If the SMTP server requires login, enter the password in this setting
-->
<setting name="MailServerPassword" value="" />
<!-- MAIL SERVER PORT
If the SMTP server requires a custom port number, enter the value in this setting.
The default value is: 25
-->
<setting name="MailServerPort" value="25" />
This should be enough to send emails from Sitecore and webforms.
Yes. It reads your mail settings from the web.config. In addition to all of the Sitecore mail settings you need to configure you should also add the generic ASP.NET mailSetting at the bottom of your web.config.
<system.net>
<mailSettings>
<smtp>
<network host="127.0.0.1" />
</smtp>
</mailSettings>
</system.net>
<authentication mode="Forms">
<forms name="ASPAuth"
path="/Admin"
timeout="20"
requireSSL="false"
slidingExpiration="true" />
</authentication>
On my dev system I have the above in my web.config. This works fine if I am using VS web server. But when I host the same website on my IIS7 using a virtual directory it doesn't.
VS Url looks like: http://localhost:xxxx/
IIS URL looks like: http://MachineName/MyApp/.
When accessing the website through IIS the IsAuthenticated is always false. I figured out that it's because the cookie is being assigned to http://MachineName/Admin/ not http://MachineName/MyApp/Admin.
How I make it so that "Admin" is a relative path? I tried path="~/Admin" but that doesn't work.
Thanks!
Try putting a transformation into your Web.Release.Config:
<authentication mode="Forms">
<forms name="ASPAuth"
path="/MyApp/Admin"
timeout="20"
requireSSL="false"
slidingExpiration="true"
xdt:Transform="Replace"
xdt:Locator="Match(key)"/>
</authentication>
Answer:
It's simply not possible to do it at this stage. You cannot have a relative path with a tilda (~) in your web.config for forms authentication path unless you're willing to write your own HttpModule.
See this post (and the comments):
http://www.west-wind.com/weblog/posts/2008/Jan/20/Forms-Authentication-and-path-in-the-forms-Tag