Auto login for specific URL liferay - filter

I am trying to auto-login for a specific URL, like the WebDAV URL for a document.
We want to modify documents uploaded to the document library.
We are passing the WebDAV URL to MS Office to open the document. It is our intranet project and we are using NTLM.
I am unable to pass credentials from MS Office to our Liferay server.
When we click the WebDAV URL from our browser, where I am already logged in, it redirects to Office, and when Office tries to open that document from the Liferay server it asks for credentials. As I am already logged in, it should not ask for credentials when opening documents using MS Office.
I am thinking that if we do autologin for the WebDAV URL, like url="/webdav/*", and are able to do autologin, then my issue would be resolved.
Please help me on this.
I am using Liferay 7.2 CE.
Windows

This is a long-standing issue that is not quite related to Liferay. The fact is that when you authenticate in Liferay from the browser, it stores a session cookie inside that browser. When you open the WebDAV URL, it's actually MS Office that contacts the server, and it doesn't know about your browser cookies. So it asks for authentication on its own.
Now, you are using NTLM, which is Microsoft's own SSO protocol; wouldn't it be nice if it authenticated you on a Microsoft product. It's been a very long time since I had this exact same issue (2014, Liferay 6.1), but I believe NTLM info is only sent to trusted network sites, and by default no site is. You have to make a change to your domain controller to allow them.
Also, at that time, I think the Liferay NTLM filter was not called on a WebDAV path; we had to create a hook to apply it. I don't know if that has changed since then.
Additional info asked for in the comments:
Filter hook mapping documentation:
https://portal.liferay.dev/docs/7-1/tutorials/-/knowledge_base/t/servlet-filters#step-2-map-urls-to-your-servlet-filter
The OOTB NTLM filter is here: https://github.com/liferay/liferay-portal/blob/7.2.x/modules/apps/portal-security-sso-ntlm/portal-security-sso-ntlm-impl/src/main/java/com/liferay/portal/security/sso/ntlm/internal/servlet/filter/NtlmFilter.java

Related

LDAP SSO between portal built in Laravel and SAS

We have built a portal in PHP (Laravel) + Angular for a client. User authentication is done through LDAP.
The client also has a SAS solution for analytics, and it also has LDAP authentication (SAS Viya).
We need to redirect the user from our portal to the SAS portal, and the user should get logged in automatically, as both portals authenticate users through the same LDAP.
We tried a few things, but it didn't help.
I am looking for some guidance on how to implement this and whether there is any programming/configuration required on our side or on the SAS side.
Hard to be specific without fully understanding your use case, but you could look at handling authentication to Viya using the SASjs Adapter (disclaimer: my team built it):
https://github.com/sasjs/adapter
Just set the LoginMechanism to REDIRECTED in the config object to support SSO or alternative login flows. If you need help, my team can be contacted at https://sasapps.io/contact-us; otherwise just raise an issue on the GitHub.
We have an implementation on Angular that may help: https://github.com/sasjs/angular-seed-app
We have integrated a Viya Visual Analytics report into a corporate web application using the SDK (so not really a redirect), with single sign-on.
(I don't know all the details about how we did it. My role was in the personalization of the report, where we went further than ordinary row-level security.)

Okta sign-in widget with PHP does not work

I was trying to set up the OAuth workflow using the sample application given here.
However, for some reason, after I enter my Okta user ID and password, I never get control back on my callback URL and the application just hangs indefinitely.
However, the normal JavaScript sign-in widget (check this link) with minimal authentication does work, and I get control back at the redirect URL. But this is not an OAuth2 workflow, which makes it completely useless for me, because all it does is provide an authentication service using the Okta tenant app and redirect you to your app URL. This does not provide any authorization grant workflow or other complex OAuth2 workflow. It may be useful for some applications, but not for an enterprise app where you want to retrieve user profiles and create a login session based on user profile data retrieved from Okta.
So my question is: why is the OAuth workflow not working using the PHP application that uses the JS sign-in widget? And why are there no instructions or warnings on this page for this costly service (this is not free, and many orgs are probably paying for this)?
I spent almost a day trying to set up my authorization server as per the instructions given on this link, but nothing works. Any idea what must be going wrong?
Does this entire example work only after contacting Okta support to enable the authorization server feature? Because I also saw documentation here that says that this is an Early Access (EA) feature (it was probably recently added in Okta? Extremely frustrating experience).
BTW, I sent an email to their customer support to enable this authorization server feature, just in case I am missing something. If this does not work then I will have to create my own OAuth2 server using the Laravel 5.4 PHP framework, which is probably the quickest solution and 100% free.
I also tried to test the authorization server setup as per the instructions provided here.
I was successful in getting the following endpoint working:
/oauth2/:authorizationServerId/.well-known/openid-configuration
But I am unable to get any scopes and claims using the API endpoint:
/api/v1/authorizationServers/:authorizationServerId/scopes
So, in short, I am so far unable to test my authorization server to get my authorization grant workflow working.
Where can I look for some troubleshooting advice?
Is there another way to check whether I have configured my Okta authorization server properly?
I found out that the JS script provided for the PHP sample is not right for the workflow I am working on. After changing that JS script, things started to work.
Edit: Also please note that setting up an authorization server is a new feature (it is an Early Access feature) in Okta. It is not enabled by default, so you need to contact the Okta support team to enable the authorization service endpoint and the functionality it provides.

ASP.net MVC3 with forms authentication and LDAP authentication

I have an ASP.NET MVC3 application with forms authentication. But our client requests AD authentication as well, and the MVC3 app is hosted outside the client's network. What are the possible solutions for this?
1. Get permission to access the client's network from the remote server.
2. Get an API to access the Active Directory data from the web server.
If we choose option one, how could we access Active Directory for authentication from outside the client network? If anybody has any idea or better options, please let me know. Thanks in advance.
My guess is that the Microsoft security products can support this out of the box, but I'm not sure how, so I suggest that you direct your question to whoever supplies your client with their Microsoft product support.
If you'd rather build a solution so that you've got more control over how it works, a quick search found an interesting approach at https://support.freshservice.com/support/solutions/articles/169196-setting-up-active-directory-single-sign-on-sso-for-remote-authentication where they created a simple ASP.NET web site that used AD authentication for sign-on. MVC 5 can build a WebApi site that does that just by creating a new project in Visual Studio with the right options.
That site wouldn't have to do anything except confirm whether the credentials supplied were valid. Your application would ask the user to enter login/password details, then send a (properly secured) web request to the authentication site to determine whether they're valid. As long as you keep the communication between your server and the client's web service tightly secured, this should do what you need without much fuss. That approach removes the need for your server to communicate directly with the client's AD server.
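As an added illustration of the credential-check service described in this answer (example code, not from the answer or the linked article), here is an ASP.NET Web API controller that would run inside the client's network, answering only "valid" or "invalid" and accepting calls only over TLS from one known client certificate. The domain name and thumbprint are placeholders.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Net;
using System.Net.Http;
using System.Web.Http;

// Request body sent by the externally hosted MVC3 app (shape chosen for this example).
public class CredentialCheckRequest
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

// Hosted inside the client's network; its only job is to say whether the credentials are valid.
public class AdCredentialController : ApiController
{
    // Placeholders: substitute the real AD domain and the thumbprint of the client
    // certificate issued to the external web server.
    private const string Domain = "corp.example.local";
    private const string TrustedClientThumbprint = "PLACEHOLDER_THUMBPRINT";

    [HttpPost]
    public IHttpActionResult Validate([FromBody] CredentialCheckRequest req)
    {
        // Only the external app's server may call this: require HTTPS plus the expected client certificate,
        // so the endpoint cannot be used by anyone else to test passwords against the directory.
        var cert = Request.GetClientCertificate();
        if (Request.RequestUri.Scheme != Uri.UriSchemeHttps || cert == null ||
            !string.Equals(cert.Thumbprint, TrustedClientThumbprint, StringComparison.OrdinalIgnoreCase))
        {
            return StatusCode(HttpStatusCode.Forbidden);
        }

        if (req == null || string.IsNullOrEmpty(req.UserName) || string.IsNullOrEmpty(req.Password))
        {
            return BadRequest();
        }

        // ValidateCredentials binds to the domain with the supplied credentials. Nothing from the
        // directory is returned, so the external app learns only the boolean result.
        using (var context = new PrincipalContext(ContextType.Domain, Domain))
        {
            bool valid = context.ValidateCredentials(req.UserName, req.Password, ContextOptions.Negotiate);
            return Ok(new { valid });
        }
    }
}
```

The external MVC3 app would call this endpoint with its client certificate, treat a `valid: true` response as a successful forms-authentication login, and never log or store the password it forwarded.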

Office 365 CRM and Sharepoint Online How to Get SAML Token for Current Logged in User

So I have CRM Online and SharePoint Online as document storage. I have the list component installed and everything is working there. I have a plugin I built which generates emails and, as part of the process, grabs documents from various SharePoint folders and attaches them to the email before sending.
To do this in a SharePoint Online environment, I have to go out, grab a SAML token from MS's login STS service, pass the token to SharePoint, receive a couple of authentication cookies back, and pass those cookies along with any requests I make to SharePoint. All of this is working. The bad news is I have to have a username and password hardcoded (or prompt the user). Is there any way from inside CRM Online to grab the current user's credentials and pass them to get the SAML token? I mean, there has to be, since CRM does it when you create the document libraries when you turn on Document Management, right?
I can't use the SharePoint DLLs inside CRM Online plugins; it is security restricted. I cannot access the CredentialCache; security restricted. Hell, I even looked at trying to intercept the cookies somehow with JavaScript, but it looks like they are HttpOnly and pretty much inaccessible.
Tried putting in a Microsoft ticket and got some low-level guy who immediately passed the buck and called it unsupported.
You can't get the user's password in CRM. If you are developing a plugin, the plugin can run in the user context and the code will execute based on the logged-in user. Therefore you don't need to pass any creds for adding a document in CRM.
Check out this URL; it helps you understand how impersonation works in CRM.
https://msdn.microsoft.com/en-us/library/gg309416.aspx
Hope this helps.

How do I create a web page in CRM that talks to the web service for both IFD and on-premise?

We have three servers that all share the same database. One server is internet facing.
I have a web page in an IFRAME in CRM that talks to the CRM web service using the standard method of connecting for on-premise. When this IFRAME is displayed through the IFD, with users logged in through the forms authentication element, you are asked for login credentials.
How do I get around this?
EDIT
The IFRAME that targets the CRM service is on four servers. Two of the servers are used for IFD and on-premise use. The other two are for on-premise only. They are all in the same domain. All of the users are internal users who can log in through the web if they are using a customer's computer or a machine in an Internet cafe and therefore can't use the VPN.
A few questions to better understand your issue. Is the iframe which targets CrmService on the same IFD server? Is the IFD server on the same domain as the rest of the servers? When you say users are logged in, are you referring to local domain users or external users?
I suspect the problem is not the services but the IFrame. When you authenticate to MSCRM via on-premise you are doing Windows Authentication, and when you show the IFrame that authentication request is done again. Since the browser knows everything it needs, this is all handled transparently.
When using IFD, you are not using authentication at the web server level; you are doing it using forms-based authentication, which is at the application level. Your IFrame, though, is still wanting authentication, and thus the iframe prompts for authentication.
If you were having a service problem, the IFrame would display and whatever action triggers the service call would fail with a 400 or 500 error.
So the question becomes: how do you build a web page that can cater for Windows authentication and forms-based? Well, that is easy in MSCRM. First make sure you are not running authentication on the web page: set it to anonymous. That ensures no more popups. Then make sure you use the CrmAuthenticationToken code to get the token and use that for all calls. You should not be setting the .Credentials property of the service itself.
Assuming you're deploying your page within the CRM website (and not in its own virtual directory), here is a pointer to the SDK article for what Robert mentioned:
See the SDK topic titled: Authentication from an ASPX Page.
In my experience you should always use the CRMImpersonator in your web pages within the CRM website.
Now if you've got your own page running on its own website:
You'll want to see the Discovery service and obtaining a CRM ticket for accessing the services.