Error validating SAML message+Response doesn't have any valid assertion which would pass subject validation - spring-saml

I am new to ADFS. I'm in a position to hit the ADFS login screen, where I'm providing my own and all my colleagues' credentials, and it is validating perfectly. After validation it is redirecting to the spring-saml application with the error "Response doesn't have any valid assertion which would pass subject validation". When I try to open other wildcard site domains (*.csscrr.com) it is not asking for authentication, so I conclude SSO is working perfectly. Because of the error page I can't move to the next level. I'm scratching my head to resolve the mentioned error.
Note: From my ADFS,
I can see in the federationmetadata XML: SignatureMethod Algorithm="#rsa-sha256"
and in my generated metadata I can see: SignatureMethod Algorithm="rsa-sha1"

Related

"'openid profile offline_access' is not valid" error when calling acquireToken method with code

I am using the Authorization Code Flow. I want to get consent for two different audiences/resources in one login popup.
So, I know that I need to call acquireToken for the first audience and then acquireTokenSilently for the second audience.
However, I got the error below when calling the acquireToken method:
AADSTS28002: Provided value for the input parameter scope 'openid
profile offline_access' is not valid when requesting an access token.
Please specify a valid scope.
I remember that I didn't get this error when I tried this scenario last week.
Also, I didn't add the openid, profile, offline_access scopes; they are added to the URL automatically by the library.
Then the URL below is generated.
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?scope=openid+profile+offline_access+https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadWrite.All+https%3A%2F%2Fteamsconfigapi-int.trafficmanager.net%2Fuser_impersonation&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A8080%2Flogin&state=bd237c04-76b6-4a76-beca-fe4650c1f64d&nonce=3eab6371-df43-5cga-aded-a106fed74ab6&prompt=consent&client_id=56b7k4bh-8ce4-4b45-adkd-c51cdf5t52c2&response_mode=query
Note: Also, when I get the https://graph.microsoft.com/User.ReadWrite.All and https://teamsconfigapi-int.trafficmanager.net/user_impersonation consents separately (in two different login popups), there is no problem. I can get AuthenticationResult objects for both of them.
Why did I get this error?
You want to collect consent from two separate audiences/resources in one login popup, however you cannot get an access token for scopes that span more than one resource. You will need to request two access tokens for two different resources. The first can be accomplished using loginPopup, and the second can be accomplished using acquireTokenPopup or acquireTokenSilent.
Read more here: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/resources-and-scopes.md
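The rule in the answer (one resource per access token) can be checked mechanically. The following is an added example, not code from the answer or from MSAL: it reads the scope parameter out of an authorize URL, groups the scopes by resource, and rewrites a multi-resource list into the per-resource requests that loginPopup and acquireTokenSilent would each need. The sample URL is the one from the question with the client_id replaced by a placeholder; treating bare scope names as Microsoft Graph scopes is an assumption about the AAD v2 convention.

```python
from urllib.parse import urlparse, parse_qs

# OIDC scopes describe the id_token, not a resource; AAD v2 accepts them beside ONE resource's scopes.
OIDC_SCOPES = {"openid", "profile", "offline_access", "email"}

# Sample input: the authorize URL from the question, with the client_id replaced by a placeholder.
AUTHORIZE_URL = ("https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?"
                 "scope=openid+profile+offline_access+https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadWrite.All"
                 "+https%3A%2F%2Fteamsconfigapi-int.trafficmanager.net%2Fuser_impersonation"
                 "&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A8080%2Flogin"
                 "&prompt=consent&client_id=CLIENT_ID_PLACEHOLDER&response_mode=query")

def resource_of(scope):
    """Resource a scope is bound to: the origin of a URL-style scope, None for OIDC scopes."""
    if scope in OIDC_SCOPES:
        return None
    p = urlparse(scope)
    # Bare names such as "User.Read" are Microsoft Graph scopes by AAD v2 convention (assumption).
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else "https://graph.microsoft.com"

def resources_in(scopes):
    """Distinct resources named by a scope list, in first-seen order."""
    seen = []
    for s in scopes:
        r = resource_of(s)
        if r and r not in seen:
            seen.append(r)
    return seen

def split_by_resource(scopes):
    """Turn one multi-resource scope list into per-resource lists, each a valid token request.
    OIDC scopes are repeated in every list because the library sends them with each request."""
    oidc = [s for s in scopes if s in OIDC_SCOPES]
    return [oidc + [s for s in scopes if resource_of(s) == r] for r in resources_in(scopes)]

def diagnose_authorize_url(url):
    """Read scope= from an authorize URL and report whether it spans more than one resource."""
    scopes = parse_qs(urlparse(url).query).get("scope", [""])[0].split()
    resources = resources_in(scopes)
    return {"resources": resources, "spans_multiple": len(resources) > 1,
            "requests": split_by_resource(scopes)}
```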

Issue with SSO between SAML SP and ADFS IdP

We are developing a web application which offers multiple login mechanisms such as LDAP, Kerberos, SAP Logon Ticket as well as SAML.
For this we use the Spring Security Framework, which works (mostly) fantastically!
A few months ago we added SAML support to our application and tested this with an external IdP (SSOcircle). We also worked closely with the CEO of SSOcircle to get us up and running.
Everything worked just fine and we thought we could roll out SAML with our first real-life customer.
So we set up a test server (SP) on a Linux machine, configured our part (we used this doc: http://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-idp-guide.html) and waited for our customer to do their part.
But when they tried to SSO into our application (they use ADFS), we ran into an issue.
Right now, we get one of two error messages. Either this one:
Authentication request failed:
org.springframework.security.core.userdetails.UsernameNotFoundException:
Empty username not allowed!
or this one:
Error validating SAML message org.opensaml.common.SAMLException:
NameID element must be present as part of the Subject in the Response
message, please enable it in the IDP configuration
During the troubleshooting I came across these other threads here on StackOverflow:
SAMLException: NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration
Configuring ADFS 3.0 / SAML 2.0 to work with Spring Security for SSO integration
NameID element must be present as part of the Subject
The odd thing is that the second error message (regarding the NameID element) comes up only if we change the ADFS claim rule from "Outgoing claim type" to "Pass Through claim type".
Right now, I have no idea where to continue my troubleshooting. Any ideas or thoughts on this issue?
Best regards
René
EDIT1: I attached a link to the debug logfile and our SAML security config.
EDIT2: Does someone know if there is a way to specify a time zone which SAML should use? Right now, Zulu time seems to be the time zone used, although our OS is configured to use CET/CEST. Therefore we had to use responseSkew parameters for login/logout.
EDIT3: Debug log & config removed because we solved the problem.
Okay, we solved the problem.
During a live debugging session we noticed that the NameID was not sent as a SAML assertion attribute key/value pair but as a "standalone" key/value pair in the SAML assertion "header".
So we modified our code to cover both possible positions within the SAML assertion, and now it works just fine. :D
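A minimal SP-side look at a SAML 2.0 Response, added here as an example (not code from the posts above or from Spring SAML): it looks for the NameID in the Subject and falls back to an attribute, as René's fix does, and checks the bearer SubjectConfirmationData (Recipient, InResponseTo, NotOnOrAfter with clock skew) that stands behind a "would pass subject validation" failure like the one in the first question on this page. The sample response, the ACS URL, the request ID and the 60-second skew are constructed; timestamps are compared in UTC because SAML dateTime values are UTC regardless of the host's local zone (the Zulu-time observation in EDIT2).

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Constructed sample: no NameID in the Subject, only an attribute called NameID (René's case).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-08-29T20:22:36.120Z">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://sp.example.test/saml/SSO"
    NotOnOrAfter="2013-08-29T20:27:36Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="NameID">
   <saml:AttributeValue>rene@example.test</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def saml_time(value):
    # SAML timestamps are UTC (trailing 'Z', optional fraction); never the host's local zone.
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def find_name_id(assertion, fallback_attr="NameID"):
    """Prefer saml:Subject/saml:NameID; fall back to an attribute of the given name."""
    node = assertion.find("saml:Subject/saml:NameID", NS)
    if node is not None and (node.text or "").strip():
        return node.text.strip()
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == fallback_attr:
            val = attr.find("saml:AttributeValue", NS)
            if val is not None and (val.text or "").strip():
                return val.text.strip()
    return None

def check_bearer_subject(assertion, recipient, request_id, now, skew=timedelta(seconds=60)):
    """Return (ok, reason) for the bearer SubjectConfirmationData, tolerating clock skew."""
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None or data.get("Recipient") != recipient or data.get("InResponseTo") != request_id:
            return False, "Recipient/InResponseTo do not match this SP's ACS URL and AuthnRequest"
        if now >= saml_time(data.get("NotOnOrAfter")) + skew:
            return False, "NotOnOrAfter has passed (compared in UTC, not local time)"
        return True, "ok"
    return False, "no bearer SubjectConfirmation in the Subject"

def inspect_response(xml_text, recipient, request_id, now_utc):
    """now_utc is a SAML-style UTC timestamp string, e.g. '2013-08-29T20:25:00Z'."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    ok, reason = check_bearer_subject(assertion, recipient, request_id, saml_time(now_utc))
    return {"name_id": find_name_id(assertion), "subject_ok": ok, "reason": reason}
```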

Getting Error While Requesting Access Token by Authorization Code in Windows Live in ASP.NET

I am working on Windows Live Authentication. I have used the code from GitHub.
My process is:
After logging into Windows Live (Hotmail.com),
it gives us an authorization code, which we then send with the other details to get the access token.
/*
e.g. URL to get the access token by the authorization code
https://login.live.com/oauth20_token.srf?client_id=XX&redirect_uri=XX&client_secret=XX&code=7df98b56-0fe5-6898-44ed-5feb8d28f582&grant_type=authorization_code
*/
But I am facing an error in getting the access token from the authorization code:
"The Error is : invalid_grant The provided value for the 'code' parameter is not valid. The code has expired."
Please help me.
Thank you
Vijay Chavda

Shibboleth opensaml::FatalProfileException

I am implementing a Shibboleth IdP and SP. I have installed them on my machine and tested them with testshib.org; both (IdP & SP) are working fine.
I am trying to use my own IdP with my SP.
Once I access the protected resource, the SP redirects to the IdP login page correctly; after authentication is successful, it is redirected to the SP with the SAML encrypted response (with servlet status code 500), which shows the following error:
"opensaml::FatalProfileException at (https://myip.address/Shibboleth.sso/SAML2/POST)
A valid authentication statement was not found in the incoming message."
I checked the native log, which shows the following message:
"2013-08-29 20:22:36 ERROR Shibboleth.Listener [28868] shib_handler: remoted message returned an error: A valid authentication statement was not found in the incoming message.
2013-08-29 20:22:36 ERROR Shibboleth.Apache [28868] shib_handler: A valid authentication statement was not found in the incoming message."
How can I rectify this problem?
What do the IdP logs show for the corresponding authentication attempt? You may need to elevate the log levels to DEBUG for IdP, OpenSAML and/or LDAP (conf/logging.xml) to get sufficiently descriptive results.

oauth/initiate says page not found

I am not able to get a request token from the oauth/initiate page because it says "page not found". What could be the problem?
I have created an OAuth customer and given it the appropriate REST roles and attributes. Also, I appended the consumer key, secret, nonce etc. in the authorization for the OAuth request.
What am I missing?
OAuth will give you "page not found" if the request params are incorrect. It's likely your client isn't sending the parameters correctly, or your signature doesn't match the one Magento is calculating.
I added some temporary logging to the OAuth server to try and track down the issue.
Add this to the file app/code/core/Mage/Oauth/Model/Server.php after line 594; it will help you see which specific OAuth error is being raised:
Mage::log($response, Zend_Log::DEBUG, 'oauth.log');
Try your initiate request again, and then check var/log/oauth.log to see what the error is.
Don't even think about doing this on a production system, and ensure you roll back your changes afterwards. You should never modify core files other than for temporary debugging.