I set up a Shibboleth IdP and I am testing it with samltest.id
Everything works fine if i do not enable signature verification. If I uncomment the relevant lines in my metadata-providers.xml the IdP won't start. The message is:
ERROR [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:537] - Metadata Resolver FileBackedHTTPMetadataResolver SAMLtest: Error filtering metadata from https://samltest.id/saml/sp
org.opensaml.saml.metadata.resolver.filter.FilterException: Metadata root element was unsigned and signatures are required.
my metadata_provider.xml looks like this:
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
xmlns:resource="urn:mace:shibboleth:2.0:resource"
xmlns:security="urn:mace:shibboleth:2.0:security"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
<MetadataProvider id="SAMLtest"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/SAMLtest.xml"
metadataURL="https://samltest.id/saml/sp">
<!-- You should always check the signature and freshness of remote
metadata. It's commented out until you get the basics working.-->
<MetadataFilter xsi:type="SignatureValidation"
certificateFile="%{idp.home}/credentials/signet.crt" />
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
</MetadataProvider>
</MetadataProvider>
I'm using the latest version of Shibboleth 3.
I suspect this is something trivial, but I cannot figure it out. Is it that samltest.id does not sign their metadata and so SignatureValidation cannot be enabled? Why did they write that it should be enabled then?
If you want test your IDP my first approach to this problem is to comment MetadataFilter tags so your metadata provider service (MetadataResolverService) can import metadata from https://samltest.id/saml/sp.
You can call metadata provider service (MetadataResolverService) manually.
bash /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.MetadataResolverService
Another reason for the problem may be that you do not add the samltest certificate to the IDP. As you indicated in your metadata_provider.xml, your IDP expect signet.crt file in credentials directory.
certificateFile="%{idp.home}/credentials/signet.crt"
You can find certificate on the link below. You should create a signet.crt file with Encryption Certificate value.
https://samltest.id/download/
Related
I have a problem with connecting my .net 4.6.2 console app to our on-Premises Dynamics CE v.9.0 installation.
I have the following code to connect:
CrmServiceClient conn = new CrmServiceClient(connectionString);
OrganizationServiceProxy = conn.OrganizationServiceProxy;
This is my connectionString
<add name="CRM" connectionString="Url=http://ServerFQDN/OrgUniqueName; Domain=Mydomain; Username=MyUser; Password=MyPW; AuthType=AD;"/>
I followed the instructions on the following page to generate the ConnectionString
https://learn.microsoft.com/en-us/dynamics365/customer-engagement/developer/xrm-tooling/use-connection-strings-xrm-tooling-connect
Unfortunately is the OrganizationServiceProxy null all the time.
When i look in my CRMServiceClient i do get the following in LastCrmError
LastCrmError = "Unable to Login to Dynamics CRMOrganizationWebProxyClient is nullOrganizationWebProxyClient is null"
I updated all my NuGet packages to the newest Version:
Microsoft.CrmSdk.CoreAssemblies is 9.0.2.5
Microsoft.CrmSdk.Deployment is 9.0.2.5
Microsoft.CrmSdk.Extensions is 7.1.0.1
Microsoft.CrmSdk.Workflow is 9.0.2.5
Microsoft.CrmSdk.XrmTooling.CoreAssembly is 9.0.2.7
Had anyone had the same Problem?
Do you have a tip for me what could be the Problem?
EDIT
I just noticed, that i am not able to Login via the .NET application but also PluginRegistration and XRMToolBox is not working.
I do assume there is an error with the authentication. Maybe in AD.
When i try to connect i now always get the two following errors:
Microsoft.Xrm.Tooling.Connector.CrmServiceClient
Source : mscorlib
Method : HandleReturnMessage
Error : The caller was not authenticated by the service.
And
Inner Exception Level 1:
Source : System.ServiceModel
Method : ThrowIfNegotiationFault
Error : The request for security token could not be satisfied because authentication failed.
EDIT2
If i login to the Deployment Manager i can see "Failed" in the Status field. I think this is related to each other.
Try to add this line before creating CrmServiceClient object
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
I was able to fix the issue.
The Problem was, that there was some mismatch in between our DB an the Deployment Manager.
The following Steps fixed our Problem:
Delete the Organization in Deployment Manager
Import the Organization again from an existing Organization in Deployment Manager
Configure HTTPS (i think this was not necessary to fix the problem)
Hope this helps others.
PS: Here is a link that describes how you can configure HTTPS:
https://learn.microsoft.com/en-us/dynamics365/customer-engagement/on-premises/post-installation-configuration-guidelines-dynamics-365
Client Environment is Xamarin Android Native TLS 1.2 SSL/TLS implementation (boringssl aka btls), using System.Net.WebSockets.ClientWebSocket. This is running on an Android 7.0 device. Visual Studio 2017 15.8.1, Xamarin.Android 9.0.0.18.
Server Environment is Windows .NET 4.7 running Fleck (WebSocket server) configured with TLS 1.2 using a certificate issued by a homemade (non-trusted anywhere on the globe) Certificate Authority (CA).
Assuming a homemade CA Cert (.pem or .cer format) has been installed on the android device via Settings->Security->Install from SD Card, the ClientWebSocket connects using TLS 1.2 without problems, as one would expect. Since this is a global solution to a local (one part of my app) problem, not to mention opening a security hole for the larger device ecosystem, I do not wish to require this setup.
I have then tried several methods to localize the trust of the CA to only my application without success. Regardless of approach, there is always the same exception thrown by ClientWebSocket.ConnectAsync(): A call to SSPI failed and Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED at /Users/builder/jenkins/workspace/xamarin-android-d15-8/xamarin-android/external/mono/external/boringssl/ssl/handshake_client.c:1132
I created a sample windows server and console app and Xamarin.Forms Android app that demonstrates the issue and the attempts to workaround it described below. Included is a custom CA cert. The server code dynamically issues a client cert with SANs bound to your IP/hostnames for ease of repro.
Attempt 1:
Apply the android:networkSecurityConfig="#xml/network_security_config" attribute to the application element in the AndroidManifest.xml file, including resources Resources\raw\sample_ca.pem Resources\xml\network_security_config.xml
<?xml version="1.0" encoding="utf-8" ?>
<network-security-config>
<base-config>
<trust-anchors>
<certificates src="#raw/sample_ca"/>
<certificates src="system"/>
<certificates src="user"/>
</trust-anchors>
</base-config>
</network-security-config>
This had no visible effect, and I cannot see anything in the debug output that would indicate that the runtime is even loading this. I have seen references to messages like this:
D/NetworkSecurityConfig: No Network Security Config specified, using platform default
However, with or without this in place I have never seen messages like this or similar. I really have no idea if it is being applied or not, or if btls implementation even uses/respects this.
Interestingly, since the Android minSdk is set to 24 and target sdk of 27 I would expect the lack of this declaration should cause TLS 1.2 to not work if I simply added the CA to the android device user certificate store. I suspect there are a few Xamarin bugs surrounding this.
Attempt 2:
Add the CA to the X509 Store, hoping btls uses that as a source of certificates. This approach works on Windows/.NET 4 (it does bring up a dialog to accept the addition of the certificate).
X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
var certs = store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false);
if (certs.Count == 0)
store.Add(cert);
store.Close();
Attempt 3:
Handle ServerCertificateValidationCallback. This never gets called in Xamarin Android, but this approach works on Windows/.NET 4.
ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, errors) =>
{
if (errors == SslPolicyErrors.None)
return true;
//BUGBUG: Obviously there should be a much more extensive check here.
if (certificate.Issuer == caCert.Issuer)
return true;
return false;
};
There are some Mono issues surrounding btls and a pull request that makes this approach look possible in the near future.
Attempt 4:
Add the CA cert (and/or the cert issued from the CA) to the ClientWebSocket.Options ClientCertificates collection. Technically this should not work with CA Certs but should be the approach to use with self-signed certificates. I offer it here merely for completeness. As expected, it does not work either.
Full Repro Code
Easy to use code that demonstrates this issue with all of the attempted workarounds described above is available on GitHub.
I don't know, what the problem was, but I also had some problems, as I have started with my first https webservices.
The reason was, that I have started with a self signed certificate, what does not work without ugly workarounds...
So.. only use signed (trusted) certificates from a public vendor and you should not have any problem...
To switch between http and https you only have to change the url (from http to https) - no further changes in the app ae needed.
I normally do first (local) tests with the web service with http (the url ist loaded from an .ini file) and then copy the web service to the "real" webserver (with certificate and https url).
I never had any problems (when a trusted certificate is used)...
I'm getting Insufficient permissions when trying to call the acl.list method of the google calendar api via python.
service.acl().list(calendarId='primary').execute();
*** HttpError: <HttpError 403 when requesting https://www.googleapis.com/calendar/v3/calendars/primary/acl?alt=json returned "Insufficient Permission">
I'm using the scope 'https://www.googleapis.com/auth/calendar' as recommended in the documentation. Additionally, other API methods do work, for example service.calendarList
service.calendarList().list(pageToken=page_token).execute()
What am I missing?
Here is the code I'm using based almost entirely on the sample they provide:
import sys
from oauth2client import client
from googleapiclient import sample_tools
def main(argv):
# Authenticate and construct service.
# import pdb;pdb.set_trace()
service, flags = sample_tools.init(
argv, 'calendar', 'v3', __doc__, __file__,
# scope='https://www.googleapis.com/auth/calendar.readonly')
scope='https://www.googleapis.com/auth/calendar')
try:
page_token = None
while True:
calendar_list = service.calendarList().list(pageToken=page_token).execute()
for calendar_list_entry in calendar_list['items']:
print calendar_list_entry['summary']
page_token = calendar_list.get('nextPageToken')
service.acl().list(calendarId='primary').execute();
if not page_token:
break
except client.AccessTokenRefreshError:
print ('The credentials have been revoked or expired, please re-run'
'the application to re-authorize.')
if __name__ == '__main__':
main(sys.argv)
You might have to delete existing credentials, in the form of .json files. I had a similar "Insufficient permissions" problem, and I had to delete stored credentials. I had the additional problem that because of trying out some of Google's scripts in their tutorials, unknowingly I had credentials stored in a hidden .credentials folder in my home directory (users/home). Since they were hidden, I had to look for them through Terminal (on Mac), and delete them there. Once deleted, the problem was solved, since I could create new and proper credentials, suitable for the scope of my new script.
Something is wrong with your authentication. Insufficent permissions means that you don't have access.
I can verify that the scope https://www.googleapis.com/auth/calendar is enough to display ACL.list on the primary calendar.
You have to find the location of "calendar-dotnet-quickstart.json" file and delete it. I used .NET example and I have to debug the following code the find exact location.
string credPath = System.Environment.GetFolderPath(
System.Environment.SpecialFolder.Personal);
credPath = Path.Combine(credPath, ".credentials/calendar-dotnet-quickstart.json");
Then change scope as bellow and rebuild the solution.
string[] scopes = { CalendarService.Scope.Calendar};
You will notice that google will ask to confirm the access again.
I connected Alfresco with my active directory I am able to login using windows credential but how to add userspace to these windows login. I am not able to able to create new content using windows login. Also I have to login twice inorder to view the alfresco explorer page. First in browser then in alfresco login page. How to make it as single page.
Here is my global property
### ACtive Directory Configuration ###
authentication.chain=passthru1:passthru,ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
passthru.authentication.sso.enabled=false
passthru.authentication.allowGuestLogin=false
passthru.authentication.authenticateCIFS=false
passthru.authentication.authenticateFTP=false
passthru.authentication.servers=192.168.100.100
passthru.authentication.domain=<Netbios Domain>
passthru.authentication.useLocalServer=false
passthru.authentication.defaultAdministratorUserNames=sameer
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP,NETBIOS
ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://192.168.100.100:389
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=uid\=sameer,cn\=users,dc=<company.domain>,dc=com
ldap.synchronization.java.naming.security.credentials=<administrator.privilege.account.password>
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupDifferentialQuery=(&(objectclass=nogroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(& (objectclass=user)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupSearchBase=cn\=users,dc=<company.domain>,dc=com
ldap.synchronization.userSearchBase=cn\=users,dc=<company.domain>,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=msExchALObjectVersion
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=Nogroup
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
synchronization.synchronizeChangesOnly=true
cifs.enabled=false
First error kind of in your properties:
Use the ldap.authentication.active=true or the passthru as active subsystem
This is the reason you need to login double.
So in this case just put the
ldap.authentication.active=false
I'm not sure why you're not an admin, can you try the following:
ldap.authentication.defaultAdministratorUserNames=sameer
or
ldap.authentication.defaultAdministratorUserNames=uid\=sameer,cn\=users,dc=<company.domain>,dc=com
Are you sure it's uid=sameer and not cn=sameer.
I am very new to Mule ESB and I tried to implement a tutorial from a website:
http://www.mulesoft.org/documentation/display/MULE3START/Intermediate+Studio+Tutorial
it returns connection error like this:
Response: Failed to route event via endpoint: DefaultOutboundEndpoint{endpointUri=http://www.google.com/tbproxy/spell?lang=en:80, connector=HttpConnector { name=HTTP_HTTPS lifecycle=start this=53edd9ee numberOfConcurrentTransactedReceivers=4 createMultipleTransactedReceivers=true connected=true supportedProtocols=[http] serviceOverrides= } , name='endpoint.http.www.google.com.tbproxy.spell.lang.en.80', mep=REQUEST_RESPONSE, properties={lang=en:80, Content-Type=text/xml}, transactionConfig=Transaction{factory=null, action=INDIFFERENT, timeout=0}, deleteUnacceptedMessages=false, initialState=started, responseTimeout=10000, endpointEncoding=UTF-8, disableTransportTransformer=false}. Message payload is of type: PostMethod
Problem is probably with my proxy settings because when I do this at home there was no problem but when I try behind a corporate wall problem occurs.
There was a warning about this issue in the tutorial
So I used a connector as the warning indicated.
I typed my proxy informations as:
proxyHostname="iproxy"
proxyPort="8080"
proxyUsername="ekucuk"
proxyPassword="P34cttyb"
this is the xml line corresponding to it:
<http:connector name="HTTP_HTTPS" cookieSpec="netscape" validateConnections="true" sendBufferSize="0" receiveBufferSize="0" receiveBacklog="0" clientSoTimeout="10000" serverSoTimeout="10000" socketSoLinger="0" proxyHostname="iproxy" proxyPort="8080" proxyUsername="ekucuk" proxyPassword="P34cttyb" doc:name="HTTP_HTTPS"/>
I guess the problem is in the format.
Sorry this is late coming, but I just ran into the same problem and worked out a solution.
The host proxy name might need some tweaking. To find it, please look at Firefox behind the corporate firewall. Go to the Tools -> Options / Network tab and press the Settings button.
The proxy should look something like this: http://autoproxy.mycompany.com/. Back in the Mule IDE, you should enter autoproxy.mycompany.com in the Proxy Host Name field. (Strip off the http:// and the final /.)
You need to stop the Mule Spell Checker Application and then restart. (Otherwise, there is no opportunity to read the new information.)
You need to add a HTTP Connector as a global element. make sure that it is a global element and comes at the top as the direct child of the mule configuration root node and not below the connectors.
<http:connector name="proxyConnector" proxyHostname="172.16.2.4" proxyPort="8080" proxyUsername="user" proxyPassword="password"/>