WinLDAP custom server certificate authentication - winapi

I am trying to write a C++ program that uses WinLDAP for Active Directory authentication, and I am currently trying to set a custom server certificate verification method (i.e. by setting the LDAP_OPT_SERVER_CERTIFICATE option via ldap_set_option()).
The VERIFYSERVERCERT callback does not have an application-specific data argument, which I require to access other parameters in the application.
Is there a method (such as an ldap_set_option option) that I can use to keep an application-related parameter bound to the PLDAP session handle?

Related

How to set KnowAuthorityHosts in MSAL for Golang

I am trying to authenticate against our corporate Azure B2C server using the MSAL written in Go. I am using the public authentication. I am able to successfully authenticate with the Python version of MSAL, but I have some challenges with the Go version, as the discovery does not work. The generated URL for AADInstanceDiscovery does not exist, so the authentication process fails at an early stage.
I assume that I need to set the KnownAuthorityHost property in AuthParams to prevent the system from doing the discovery, but I am not sure how to set that parameter. It seems that the property and the function WithKnownAuthorityHosts in base are not exported in public.
I must admit that I am quite new to Go.
Is there any way I can set the WithKnownAuthorityHosts from my application?

Error 500--Internal Server Error - Oracle Webgate Configuration

Environment:
Oracle 11g database
Weblogic 11.3.6
Webgate 3
Forms & Reports 11g (11.1.2.0)
WebTier 11.1.1.9.0
Problem:
When trying to access a form with:
http://localhost:7777/forms/frmservlet
I have this error:
Error 500--Internal Server Error
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.5.1 500 Internal Server Error
The server encountered an unexpected condition which prevented it from fulfilling the request.
but when I set ssoMode = false in formsweb.cfg, the Forms config file, the Forms welcome page displays well.
Any idea?
Thank you.
ssoMode (Single Sign-On parameter) indicates whether the URL is
protected in which case mod_osso, which is Oracle Single Sign-On
Module, will be given control for authentication or continue in the
FormsServlet if not.
It is false by default. It may be set to true in an
application-specific section to enable Single Sign-On for that application.
formsweb.cfg, in which the ssoMode parameter may also be overridden, defines the parameter values used by the FormsServlet (frmservlet).
The mod_osso component is a module that plugs into Oracle HTTP
Server. It enables the HTTP listener as a partner application that can
use the Single Sign-On server to authenticate users. Once mod_osso is
installed and configured, Web applications can register URLs that
require SSO authentication with the module. Then when URL requests are
received by the HTTP server, mod_osso detects which requests require
SSO authentication and redirects them to the Single Sign-On server.
After the Single Sign-On server authenticates the user, it passes the
user's authenticated identity back to mod_osso in a secure token, or
cookie. The module retrieves the user's identity from the cookie and
propagates the user's identity information to applications running in
the HTTP server instance. The module can propagate the user's identity
information to applications running in the CGI, those running in
Oracle9iAS Containers for J2EE, and it can also authenticate users for
access to static files.
Oracle Forms Services applications can be run in a single sign-on
(SSO) environment using Oracle Login Server (Single Sign-On Server)
and Oracle Internet Directory (OID) to store user name and password
information. For Single Sign-On implementation Oracle Forms is
considered as an 'External Application'.
In Forms, it is possible to obtain the Single Sign-On username via:
GET_APPLICATION_PROPERTY(sso_userid);
This returns a string containing the Single Sign On user ID if the user has been authenticated via the Login Server. A NULL value is returned if SSO was not used.
It is also possible to obtain the user distinguished name (dn) and the subscriber distinguished name (subscriber dn), e.g.:
GET_APPLICATION_PROPERTY(sso_usrdn);
GET_APPLICATION_PROPERTY(sso_subdn);

Must Understand check failed for header soapenv error in communicating with WAS

I am calling a java webservice sitting on Websphere Application Server(WAS) from Websphere Enterprise Service Bus(WESB).
Provider has enabled security using JAAS.
So, I created a WS-Security username token client policy set for my module.
The trace of my outbound call from WESB looks like:
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<s:Security xmlns:s="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
<s:UsernameToken>
<s:Username>**username**</s:Username>
<s:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">**password**</s:Password>
</s:UsernameToken>
</s:Security>
But the provider is expecting the Security payload to be sent as below, with some namespace in the Username tag:
<soapenv:Header>
<wsse:Security wsse:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">**username**</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">**password**</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
I am getting the below error while invoking the Java service:
AxisEngine E org.apache.axis2.engine.AxisEngine receive Must Understand check failed for header soapenv : {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
org.apache.axis2.AxisFault: Must Understand check failed for header soapenv : {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
at org.apache.axis2.jaxws.handler.HandlerUtils.checkUnprocessed(HandlerUtils.java:196)
at org.apache.axis2.jaxws.handler.HandlerUtils.checkMustUnderstand(HandlerUtils.java:163)
at org.apache.axis2.jaxws.server.EndpointController.inboundHeaderAndHandlerProcessing(EndpointController.java:363)
Is it the correct way to handle JAAS by creating a WS-Security client policy set, or do I have to handle it in a different way?
That wsu namespace that is on that UsernameToken in the 2nd example is there for wsu:Id. The wsu:Id is only needed if something will reference the element. You have nothing referencing the element, so it is not required.
If you were getting an error because the security handler didn't like the fact that the wsu:Id was missing, you would get a SoapSecurityException, not a MustUnderstand check.
A MustUnderstand check means that you have sent a header that no handler in the runtime has marked as processed. Either there is no handler registered to handle it or no registered handler marked the header. For security headers, this usually means that there are no WS-Security constraints applied.
You can verify that there are no WS-Security constraints applied by sending a message with no Security header.
If you send a message that includes a Security header like your 2nd example?
Do you have security constraints on your client for responses? You will get this same error if you have no constraints for responses but the server sent a Security header in the response.
This is what I would do:
1) Enable a WS-Security trace on the WAS server
com.ibm.ws.webservices.wssecurity.=all:com.ibm.wsspi.wssecurity.=all:com.ibm.ws.wssecurity.=all:com.ibm.websphere.wssecurity.=all:com.ibm.xml.soapsec.=all:com.ibm.ws.webservices.trace.=all:com.ibm.ws.websvcs.trace.=all:com.ibm.ws.wssecurity.platform.audit.=off:com.ibm.ws.webservices.multiprotocol.AgnosticService=all:com.ibm.ws.websvcs.utils.SecurityContextMigrator=all
2) Restart the server
3) Send the message from the client
4) Search the trace for 'bound http'.
4a) You should see the Inbound HTTP SOAP Request
4b) search again
4c) You should see Outbound HTTP SOAP Response
4ci) Does the response have the expected response or a fault?
4cii) If the response is a fault, then you have a server issue
4ciii) If the expected response, does the response contain a Security header?
4civ) If yes, then the MustUnderstand check came from the client and you most likely need to apply security response constraints to your client.
5) If, in step 4, you determined that you have a server issue, search backwards in the trace for something that looks like this (on the current thread):
WSSecurityCon 3 isServerSide == true
WSSecurityCon 3 No PolicyType Binding
5a) If you see this, then you do not have security constraints applied to your provider application. Here are some instructions for applying a UsernameToken policy in WebSphere (assuming that your app is JAX-WS):
https://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/twbs_stand_alone_security_token.html
And for those that delete my posts because they have links:
Configuring a policy set and bindings for a stand-alone security token (UsernameToken or LTPA Token)
You can secure web services by configuring the message-level WS-Security policy set and bindings for a stand-alone security token that is either a Lightweight Third Party Authentication (LTPA) token or a Username token.
Before you begin
This task assumes that the service provider and client that you are configuring are in the JaxWSServicesSamples application. See the documentation on accessing samples to learn how to obtain and install this application. Specify the following trace specification on your server to enable you to debug any future configuration problems that might occur.
=info:com.ibm.wsspi.wssecurity.=all:com.ibm.ws.webservices.wssecurity.=all:
com.ibm.ws.wssecurity.=all: com.ibm.xml.soapsec.=all: com.ibm.ws.webservices.trace.=all:
com.ibm.ws.websvcs.trace.=all:com.ibm.ws.wssecurity.platform.audit.=off:
If LTPA tokens are used, you must enable the application security on the application servers that are used for both the client and the service.
About this task
This topic describes how to configure a WS-Security policy set and provider bindings for a Username token or an LTPA token. For simplicity, this procedure demonstrates how to remove the timestamp, digital signature, and encryption attributes from the policy; however, you might want to include these attributes in your final configuration. To learn more, see the documentation on configuring a policy set and bindings for Asymmetric XML digital signature or XML encryption with client and provider application specific bindings.
In this task, default provider general bindings are used for the provider application to consume the tokens. If a caller configuration is required, an application-specific binding will be added for the provider.
Procedure
Create the custom policy set.
In the administrative console, click Services > Policy sets > Application Policy sets.
Click New.
Specify Name = OneTokenPolicy.
Click Apply.
Under Policies, click Add > WS-Security.
Edit the custom policy set
Remove digital signature, encryption, and timestamp.
In the administrative console, click WS-Security > Main Policy.
Deselect Message level protection.
Click Apply.
Add the UsernameToken or LTPA token.
Under Policy details, click Request token policies.
Select Add Token Type.
If you want to use a UsernameToken, select UserName. If you want to use an LTPA token, select LTPA.
Token name=myToken.
Click OK.
Configure the client to use the OneTokenPolicy policy set.
In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.
Select the web services client resource.
Click Attach Policy Set.
Select OneTokenPolicy .
Create a custom binding for the client.
Select the web services resource again.
Click Assign Binding.
Click New Application Specific Binding to create an application-specific binding
Specify the bindings configuration name: oneTokenClientBinding
Click Add > WS-Security
If the Main Message Security Policy Bindings' panel does not display, select WS-Security.
Edit the custom binding for the client.
Edit the identity token generator to send the identity username.
Click request:myToken.
Click Apply.
Click Callback handler. User name=(yourUserid) Password=(yourPassword)
Avoid trouble: This is a userid/password that is valid on the user registry on the provider's system. If you are using LTPA tokens, the userid/password must be valid on both the consumer and provider registries.
(Optional) If configuring a UsernameToken, add the following WS-Security custom properties:
*com.ibm.wsspi.wssecurity.token.username.addNonce=true
*com.ibm.wsspi.wssecurity.token.username.addTimestamp=true
These custom properties are added because they are specified on the UsernameToken consumer default general bindings. If we do not specify those properties here, you will either need to remove those properties from the default provider general bindings or create application-specific bindings for the provider that does not include those properties.
Click OK.
Click Save
Configure the provider to use the OneTokenPolicy policy set.
In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings
Select the web services provider resource (OneTokenPolicy)
Click Attach Policy Set.
Select OneTokenPolicy
Note: Since no bindings are attached to the provider application, it will use the default provider general bindings for the token consumers.
(Optional) If you want to create a Caller configuration for the provider, create custom bindings for the provider.
Select the web services provider resource again.
Click Assign Binding
Click New Application Specific Binding to create an application-specific binding
Specify Bindings configuration name:oneTokenProvBinding
Click Add > WS-Security
If the Main Message Security Policy Bindings' Panel does not display, select WS-Security
(Optional) If a Caller configuration will be created, edit the custom bindings for the provider.
Click Caller > New. Name: myCaller.
If using a UsernameToken, enter the following:
Caller identity local name: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
If using an LTPA token, enter the following:
Caller identity local name: LTPAv2
Caller identity local URI: http://www.ibm.com/websphere/appserver/tokentype
Click OK.
Click Save to save your configuration changes.
Restart the client provider.
Stop the client and the provider
Restart the client and the provider
Test the Service.
Point your web browser at the JaxWSServicesSamples: http://localhost:9080/wssamplesei/demo
Avoid trouble: Make sure you provide the correct hostname and port if your profile is not on the same machine or the port is not 9080.
Select Message Type Synchronous Echo
Make sure Use SOAP 1.2 is not selected
Enter a message and click Send Message. The sample application should reply with JAXWS==>Message.
Results
The JaxWSServicesSamples web services application is configured to generate and consume a UsernameToken or LTPA token in the request message.
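The mustUnderstand rule the answer describes, as an added example that is not code from the thread, WebSphere or Axis2: a small SOAP 1.1 receiver in Python that faults on any header block flagged soapenv:mustUnderstand="1" that no registered handler has marked as processed. The handler table stands in for "WS-Security constraints applied"; the UsernameToken consumer, the user registry (alice / s3cret) and the envelopes are constructed for the example. Handlers are matched on the namespace-qualified name, so the s: versus wsse: prefix difference between the two samples makes no difference. One caveat worth noticing: in SOAP 1.1 only the attribute in the envelope namespace is a mustUnderstand flag, so a header written as in the second sample, with wsse:mustUnderstand, is not flagged at all by a spec-strict receiver.

```python
"""Added example, not WebSphere or Axis2 code: a SOAP 1.1 receiver that applies the
mustUnderstand rule, with a UsernameToken consumer standing in for a WS-Security
policy. Envelopes are constructed to mirror the two samples in the thread."""
import hmac
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
SECURITY_QNAME = f"{{{WSSE}}}Security"      # handlers are matched on namespace + local name, not prefix
MU_ATTR = f"{{{SOAP_ENV}}}mustUnderstand"    # SOAP 1.1 only honours the attribute in this namespace

USERS = {"alice": "s3cret"}  # constructed user registry for the example


class MustUnderstandFault(Exception):
    """A mustUnderstand header that no handler processed (the error in the thread)."""


class SecurityFault(Exception):
    """The security handler ran but rejected the token (the SoapSecurityException case)."""


def build_envelope(prefix, user, password, mu_prefix="soapenv", wsu_id=None):
    """Construct a SOAP 1.1 request carrying a UsernameToken; prefixes mirror the thread's samples."""
    id_attr = f' wsu:Id="{wsu_id}" xmlns:wsu="{WSU}"' if wsu_id else ""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Header>'
        f'<{prefix}:Security xmlns:{prefix}="{WSSE}" {mu_prefix}:mustUnderstand="1">'
        f"<{prefix}:UsernameToken>"
        f"<{prefix}:Username{id_attr}>{user}</{prefix}:Username>"
        f'<{prefix}:Password Type="{PASSWORD_TEXT}">{password}</{prefix}:Password>'
        f"</{prefix}:UsernameToken></{prefix}:Security>"
        "</soapenv:Header><soapenv:Body/></soapenv:Envelope>"
    )


# First sample in the thread: prefix "s", soapenv:mustUnderstand="1".
TRACE_FROM_WESB = build_envelope("s", "alice", "s3cret")
# Second sample: prefix "wsse", a wsu:Id on Username, and mustUnderstand in the wsse namespace.
PROVIDER_SAMPLE = build_envelope("wsse", "alice", "s3cret", mu_prefix="wsse", wsu_id="UsernameToken-1")


def flagged_headers(envelope_xml):
    """Return the QNames of header blocks that carry soapenv:mustUnderstand="1"."""
    header = ET.fromstring(envelope_xml).find(f"{{{SOAP_ENV}}}Header")
    if header is None:
        return []
    return [b.tag for b in header if b.get(MU_ATTR, "0").strip() in ("1", "true")]


def username_token_consumer(security_block):
    """Stand-in for the WS-Security handler a policy set registers: consume the token or fault."""
    token = security_block.find(f"{{{WSSE}}}UsernameToken")
    if token is None:
        return False  # nothing this handler understands; the header stays unmarked
    user = token.findtext(f"{{{WSSE}}}Username") or ""
    pwd = token.find(f"{{{WSSE}}}Password")
    if pwd is None or pwd.get("Type") != PASSWORD_TEXT:
        raise SecurityFault("UsernameToken without a PasswordText password")
    if not hmac.compare_digest(USERS.get(user, ""), pwd.text or ""):
        raise SecurityFault(f"authentication failed for {user!r}")
    return True  # header processed: it is marked and passes the mustUnderstand check


def receive(envelope_xml, handlers):
    """handlers maps header QName -> callable(block) -> bool (True when it processed the block)."""
    header = ET.fromstring(envelope_xml).find(f"{{{SOAP_ENV}}}Header")
    unprocessed = []
    for block in ([] if header is None else list(header)):
        handler = handlers.get(block.tag)
        processed = bool(handler(block)) if handler else False
        if not processed and block.get(MU_ATTR, "0").strip() in ("1", "true"):
            unprocessed.append(block.tag)
    if unprocessed:
        raise MustUnderstandFault(f"Must Understand check failed for header: {unprocessed}")
    return "ok"


def outcome(envelope_xml, handlers):
    """Report which of the three results the thread distinguishes."""
    try:
        return receive(envelope_xml, handlers)
    except MustUnderstandFault:
        return "MustUnderstandFault"
    except SecurityFault:
        return "SecurityFault"


if __name__ == "__main__":
    with_policy = {SECURITY_QNAME: username_token_consumer}
    print("no handler, WESB trace:          ", outcome(TRACE_FROM_WESB, {}))
    print("handler registered, WESB trace:  ", outcome(TRACE_FROM_WESB, with_policy))
    print("handler registered, provider form:", outcome(PROVIDER_SAMPLE, with_policy))
    print("wrong password:                  ", outcome(build_envelope("s", "alice", "nope"), with_policy))
```

Run it directly to see the four outcomes. With no handler registered the WESB trace produces the MustUnderstand fault from the question; with the consumer registered both envelope forms pass, and a wrong password produces a SecurityFault rather than a MustUnderstand fault, which is the distinction the answer draws.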

Owin AAD - required parameters for signature validation

I am playing with Web API and trying to set up the app configuration for proper signature validation in WindowsAzureActiveDirectoryBearerAuthenticationOptions.
I have noticed MetadataAddress field is not used in several examples online and in AAD auth samples: https://github.com/AzureADSamples/NativeClient-WebAPI-MultiTenant-WindowsStore/blob/master/TodoListServiceMT/App_Start/Startup.Auth.cs
When I launch the app I noticed there is a request to https://login.windows.net/common/federationmetadata/2007-06/federationmetadata.xml on app launch even though the field is not set. Is this the default value to MetadataAddress?
How does the signature validation work even though the sts address is different in the token?
How is the validation handled in case of custom sts service?
The tenant parameter passed in the options is enough for the middleware to determine the location of the metadata document of the corresponding Azure AD tenant. In the case of multitenant applications, as you observed, that value is common. In the multitenant sample you can see that there is custom logic that takes over the verification of the issuer (what you called the "sts address"; that's more of an identifier). As you can see in the file that you linked, the options turn off the issuer validation via the switch ValidateIssuer = false. If you take a look at https://github.com/AzureADSamples/NativeClient-WebAPI-MultiTenant-WindowsStore/blob/master/TodoListServiceMT/AuthorizationFilters/MTAuthorizeAttribute.cs, you'll see that it executes logic meant to compare the issuer in the incoming token against a list of trusted issuers. Your own application might have different business logic for establishing whether the issuer of the incoming token should be trusted.
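The issuer check the answer describes, as an added example that is not code from the OWIN middleware or the AAD samples: Python that derives the metadata location from the tenant parameter (the same URL the question saw for "common") and then performs the claim checks a multitenant API has to do itself once ValidateIssuer = false is set, comparing the token's tenant against a trusted list. It assumes the v1 issuer form https://sts.windows.net/{tenant}/ that goes with the login.windows.net metadata endpoint, and it assumes the signature has already been verified with the key the metadata publishes under the header kid; the tenant ids, audience, clock and the unsigned test tokens are constructed for the example.

```python
"""Added example, not code from the OWIN middleware or the AAD samples: the issuer
check a multitenant Web API has to do itself once ValidateIssuer = false, plus the
metadata location the tenant parameter implies. Tokens below are constructed and
unsigned; signature verification is assumed to have happened before check_claims()."""
import base64
import json
import time

V1_ISSUER_PREFIX = "https://sts.windows.net/"  # v1 issuer form: this prefix, the tenant id, a trailing slash


def metadata_url(tenant):
    """The document the middleware fetched for tenant "common"; same pattern for a tenant id or domain."""
    return f"https://login.windows.net/{tenant}/federationmetadata/2007-06/federationmetadata.xml"


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_jwt(token):
    """Split a compact JWT and decode header and claims; the signature segment is returned raw."""
    header_b64, payload_b64, signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64)), signature


def tenant_from_issuer(iss):
    """Return the tenant id embedded in a v1 issuer, or None if the value is not of that form."""
    if not (iss.startswith(V1_ISSUER_PREFIX) and iss.endswith("/")):
        return None
    tenant = iss[len(V1_ISSUER_PREFIX):-1]
    return tenant if tenant and "/" not in tenant else None


def check_claims(token, trusted_tenants, audience, now=None, skew=300):
    """Claim checks to run after the signature has been verified with the key the
    metadata document publishes under the header kid (the part the middleware keeps
    doing even with ValidateIssuer = false). Returns (ok, tenant_or_reason)."""
    now = time.time() if now is None else now
    _header, claims, _sig = decode_jwt(token)
    tenant = tenant_from_issuer(str(claims.get("iss", "")))
    if tenant is None:
        return False, "issuer is not an Azure AD v1 issuer"
    if claims.get("tid") != tenant:
        return False, "tid claim does not match issuer"
    if tenant not in trusted_tenants:
        # This is the check ValidateIssuer = false hands to the application. Without it,
        # a token from any Azure AD tenant with the right audience would be accepted.
        return False, "issuer tenant is not in the trusted list"
    if claims.get("aud") != audience:
        return False, "audience mismatch"
    if claims.get("nbf", 0) - skew > now:
        return False, "token not yet valid"
    if claims.get("exp", 0) + skew < now:
        return False, "token expired"
    return True, tenant


# Constructed fixtures: tenant ids, audience and clock are made up for the example.
TRUSTED_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"
TRUSTED_TENANTS = {TRUSTED_TENANT}
AUDIENCE = "https://contoso.example/TodoListService"
NOW = 1_700_000_000


def sample_token(tid, issuer_tid=None, exp=NOW + 3600):
    """Build an unsigned test token; the third segment is a placeholder, not a signature."""
    header = _b64url_encode({"alg": "RS256", "typ": "JWT", "kid": "example-kid"})
    claims = {"iss": f"{V1_ISSUER_PREFIX}{issuer_tid or tid}/", "tid": tid,
              "aud": AUDIENCE, "nbf": NOW - 60, "exp": exp}
    return f"{header}.{_b64url_encode(claims)}.placeholder"


if __name__ == "__main__":
    print(metadata_url("common"))
    cases = [
        ("trusted tenant", sample_token(TRUSTED_TENANT)),
        ("unknown tenant", sample_token(OTHER_TENANT)),
        ("tid/issuer mismatch", sample_token(TRUSTED_TENANT, issuer_tid=OTHER_TENANT)),
        ("expired", sample_token(TRUSTED_TENANT, exp=NOW - 3600)),
    ]
    for name, tok in cases:
        print(f"{name:20s} -> {check_claims(tok, TRUSTED_TENANTS, AUDIENCE, now=NOW)}")
```

The trusted list is a set of tenant ids rather than full issuer strings so that the tid claim and the issuer can be cross-checked; in a real deployment that set is whatever your onboarding flow records for each tenant that signed up, which is the "business logic" the answer leaves to the application.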

Accessing Credentials on TAM Backend Server

I have a setup with Tivoli Access Manager (TAM) as reverse proxy for some application servers on the backend side. TAM is responsible for authenticating users. Is it possible to access the credentials a user passed in during TAM authentication in the backend applications?
I need this because the backend applications connect to a Host-System and there the credentials are needed to log in.
There are a couple of options you might have for this:
Since you mention TAM, I guess you are still using 6.X, so you can use a custom CDAS (Cross-domain Authentication Service) library. You would need to implement the library yourself in C and handle the authentication part and return the clear text password as an extended entitlement in the credential. This will allow you to add this extended entitlement as an injected HTTP header for the junctions that require the password. You can get more information here : http://www-01.ibm.com/support/knowledgecenter/SSPREK_6.1.0/com.ibm.itame.doc_6.1/am61_web_devref58.htm%23chap-wsd-write-custom
You can implement your own External Authentication Interface. EAIs are external web applications to which WebSEAL can delegate the authentication part. In that EAI, as in CDAS, you would have to handle the authentication part yourself, probably against the TAM user registry, and then return the clear text password as an extended attribute in the credential to be used as a custom HTTP header for the junction that requires it. See http://www-01.ibm.com/support/knowledgecenter/SSPREK_6.1.0/com.ibm.itame.doc_6.1/am61_web_devref128.htm%23appx-wsd-eai
Leverage Tivoli Federated Identity Manager and a custom STS chain to do the authentication and return the clear text password as part of the credential.
For all 3 of the above options, you would need to modify the existing backend application to read the injected HTTP header and use the clear text password to perform the actions against the Host.
I have done all 3 for various integrations and I think your best choice is writing an EAI, as CDAS got deprecated with ISAM 7 and the 3rd option requires an additional software component.
