I am looking for the help regarding the linking of ADFS with GitLab. Their documentation mentiones only setup with Google and Okta, but no ADFS which makes me crazy. The AD is running at Windows Server 2019, but, I have no access to it since it runs at other organization. Also, I don't have a test account of whatever, I can't test any changes. I'm keeping guessing for 3 days already. The target is to provide an access to Gitlab hosted at our company for our customer, but, with their AD SSO. We need to provide access from both SSOs, ours and customer's.
I have succesfully implemented SSO login from ours Keycloak using OAuth, it is completely fine.
Then, we sent the next data to the admin of customer, like:
ID: https://git.#####.net/
· ReplyURL / Ressource: https://git.########.net/users/auth/openid_connect/callback
· Protocol: OIDC https://docs.gitlab.com/ee/administration/auth/oidc.html#keycloak
· Applikationstyp: Web App
· Claims / Rules: “openid”, “profile”, “email”
Federation Metadata: Nein
Later, from the admin of customer I received back the link to JWKS Keys, Federation Metadata XML, and link to .well-known configuration and UserID that ADFS generates. But, I tried to setup OAuth using ID and link, and I felt like the secret is missing. I was getting "token expired or invalid, and in logs DiscoveryFailed(NotFound). That's why I decided to try SAML instead.
So, the questions:
is it not possible to have two OAuth at once, right?
is it possible to setup OAuth without of secret?
if it's not possible, how do I setup SAML at GitLab correctly?
Which certificate fingerprint should I use, encryption or signature?
which claims and other things must be set in trust in ADFS?
is target URL right?
what else do I miss?
The current configuration looks like this:
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect', 'saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
{
name: "openid_connect",
label: "##### Login", # optional label for login button, defaults to "Openid Connect"
args: {
name: "openid_connect",
scope: ["openid", "profile", "email"],
response_type: "code",
issuer: "https://user.###########.at/auth/realms/########",
client_auth_method: "query",
discovery: true,
uid_field: "preferred_username",
client_options: {
identifier: "#######-gitlab",
# secret: "<YOUR CLIENT SECRET>",
redirect_uri: "https://git.########.net/users/auth/openid_connect/callback"
}
}
},
{
name: "saml",
label: "###### Login", # optional label for login button, defaults to "Saml"
args: {
assertion_consumer_service_url: "https://git.#####.net/users/auth/saml/callback",
idp_cert_fingerprint: "AF:92:5D:AD:DF:4A:7F.....",
idp_sso_target_url: "https://sts.#########.at/adfs/ls",
issuer: "https://git.#####.net/",
name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
}
}
]
I have extracted idp_cert_fingerprint from both certificates present at XML files.
I am not sure if claim is right, so, I would appreciate any help regarding configuring of these thing. What should I do to make it run?
Thank you!
Related
I found in documentation that is only possible using the console. That is true? I think that should exists a way that I can do that via api, no?
Ref: https://cloud.google.com/identity-platform/docs/multi-tenancy-managing-tenants
How can I create a tenant with social provider with firebase admin SDK?. I found in documentation that is only possible using the console
The doc you refer to explains that:
Using the Admin SDK, you can
manage tenants programmatically from a secure server environment
instead of using the console. This includes the ability to create,
list, get, modify, or delete tenants
and you can find the following example for creating a tenant. Note that by "secure server environment" the doc means a server you own on which you execute Admin SDK code or a Cloud Function.
admin.auth().tenantManager().createTenant({
displayName: 'myTenant1',
emailSignInConfig: {
enabled: true,
passwordRequired: false, // Email link sign-in enabled.
},
// TODO: Remove if you don't want to enable multi-factor authentication.
multiFactorConfig: {
state: 'ENABLED',
factorIds: ['phone']
},
// TODO: Remove if you don't want to register test phone numbers for use
// with multi-factor authentication.
testPhoneNumbers: {
'+16505551234': '145678',
'+16505550000': '123456'
},
})
.then((createdTenant) => {
console.log(createdTenant.toJSON());
})
.catch((error) => {
// Handle error.
});
I know this is a bit late but it looks like adding social logins to a tenant via the admin sdk is not supported at the moment. See this doc
My best reporoduction of the table in markdown
Feature
Google Cloud Console
Admin SDK
Email
X
X
OIDC
X
X
SAML
X
X
Social
X
Phone
MFA
X
X
Anonymous
X
Your client side code is what enables the various social provider sign-in's. In other words, the admin SDK has nothing to do with it.
To setup the various social providers, see Firebase Authentication.
I'm trying to use the next-auth library to call Azure Active Directory via OAuth 2.0, but not sure how to go about doing this.
The providers format in my /api/[...nextauth].js is currently:
providers: [
{
id: 'azure',
name: 'Azure Active Directory',
type: 'oauth',
version: '2.0',
scope: 'read',
accessTokenUrl: 'https://login.microsoftonline.com/{directory_id}/oauth2/v2.0/token',
authorizationUrl: 'https://login.microsoftonline.com/{directory_id}/oauth2/v2.0/authorize',
clientId: process.env.OAUTH_APP_ID,
clientSecret: process.env.OAUTH_APP_PASSWORD,
},
This doesn't seem to be working (Error: "The reply URL specified in the request does not match the reply URLs configured for the application:"). How should I go about this?
I'm quite late with my answer, but for the sake of this question being answered:
Usually, this message means that you're missing the right redirect URI.
In Azure, open your app registration, go to Authentication and enter the redirect URI under "Single-page application".
In this case, it's going to be something like http://localhost/api/auth/callback/azure for your local development.
I'm trying to connect WorkflowMax to my application and it's throwing the error "You don't have access to connect any WorkflowMax accounts".
Here's the server side code (NodeJS):
const oauth2 = simpleOauthModule.create({
client: {
id: 'client id',
secret: 'secret key',
},
auth: {
tokenHost: 'https://identity.xero.com',
authorizeHost: 'https://login.xero.com',
tokenPath: '/connect/token',
authorizePath: '/identity/connect/authorize',
},
options: {
authorizationMethod: 'body',
}
});
const authorizationUri = oauth2.authorizationCode.authorizeURL({
redirect_uri: 'example.com/_oauth2',
state: Random.id(),
scope: 'openid profile workflowmax'
});
The user account I'm using does have the "Authorise 3rd Party Full Access" permission ticked in the WorkflowMax staff settings. I've waited about a day for the permissions to update and tried it on other accounts.
Is there anything else I need to do to allow WorkflowMax Oauth 2?
Here's an image of what it's throwing:
I can see you have included the correct scopes. If your staff permission is set correctly you should have access to the account. You will need to use your staff account to go through the consent screens. The setting should be an instant update you don't need to wait for it to take effect.
Unfortunately I can't provide any more assistant here. I have replicated this in my environment and worked fine.
First I'm describing how I setup my applications then I will describe how I'm using the APIs.
Setup
In my Azure Active Directory, I have two applications registered: UI and Backend
UI has the client ID clientId1 and backend has client ID clientId2 (it's a GUID, but for simplicity)
Both are under the same tenant tentant1 (single tenant)
Backend (Web API)
Backend has an exposed API with scope "api://clientId2/access_as_user" and authorized client "clientId1" with the scope just mentioned selected
I'm using passport and passport-azure-ad (I pretty much copied https://github.com/Azure-Samples/active-directory-javascript-nodejs-webapi-v2).
My config:
const config = {
identityMetadata: "https://login.microsoftonline.com/tenant1/v2.0/.well-known/openid-configuration",
clientID: "clientId2",
validateIssuer: false,
loggingLevel: 'info',
passReqToCallback: false,
loggingNoPII: false
};
I get this message when starting the server:
{"name":"AzureAD: Bearer Strategy","hostname":"DESKTOP-NCVLN56","pid":16052,"level":40,"msg":"Production environments should always validate the issuer.","time":"2020-04-11T13:25:44.283Z","v":0}
{"name":"AzureAD: Bearer Strategy","hostname":"DESKTOP-NCVLN56","pid":16052,"level":30,"msg":"In BearerStrategy constructor: created strategy with options {\"identityMetadata\":\"https://login.microsoftonline.com/tenant1/v2.0/.well-known/openid-configuration\",\"clientID\":\"clientId2\",\"validateIssuer\":false,\"loggingLevel\":\"info\",\"passReqToCallback\":false,\"loggingNoPII\":false,\"clockSkew\":300,\"allowMultiAudiencesInToken\":false,\"audience\":[\"clientId2\",\"spn:clientId2\"]\"isB2C\":false,\"_isCommonEndpoint\":false}","time":"2020-04-11T13:25:44.285Z","v":0}
Listening on port 5000
UI (Angular SPA)
UI has permissions was granted automatically permission to access Microsoft Graph (profile, user.read, user.read.all -- last one I think I granted). The permissions are in "API permissions"
I went ahead and also granted access to the Backend access_as_user
For the UI code I'm using the MSAL library and again I pretty much copied the repo (https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-angular)
In the protectedResourceMap field I added the following
['https://graph.microsoft.com/v1.0/me', ['user.read']],
['http://localhost:5000', ['api://clientId2/access_as_user']],
I am able to log in and read my user profile, but when trying to access http://localhost:5000/hello (protected), I'm getting the error the title of this question
{"name":"AzureAD: Bearer Strategy","hostname":"DESKTOP-NCVLN56","pid":20720,"level":30,"msg":"authentication failed due to: jwt audience is invalid","time":"2020-04-11T13:38:08.700Z","v":0}
--
I can see the Bearer Token coming (in the UI and backend), the server decodes the token (I can see all my profile info in the server logs), but it's saying the JWT is invalid?!
I'm not defining an audience, yet I can see in the token when it gets decoded the audience with aud: 'api://clientId2'.
I can also see when the backend starts it shows the audience as [clientId2, sps:clientId2] by default (step4 on the backend). When I define in the config audience: 'api://clientId2', I get a 403 with the message:
{"name":"AzureAD: Bearer Strategy","hostname":"DESKTOP-NCVLN56","pid":12644,"level":30,"msg":"In Strategy.prototype.jwtVerify: We did not pass Req back to Callback","time":"2020-04-11T16:19:30.398Z","v":0}
Any help would be appreciated. Thank you.
Turns out their code in the repository is not using proper configuration to verify the scope access...
https://github.com/Azure-Samples/active-directory-javascript-nodejs-webapi-v2/blob/master/index.js#L41
if (req.authInfo['scp'].split(" ").indexOf("demo.read") >= 0) {
I needed to change the scope from "demo.read" to "access_as_user".
In my case it was just that the clock of my VM where the application was running on was 15mins behind. So the time of the token was created was in the future...
I'm trying to implement Implicit flow using Angular 6/MSAL. The client is trying to get an ID token from Azure AD. Our AD Client is configured to provide tokens only for certain users and groups. So, when an unauthorized user (still a user inside the organization) tries to login, Azure Ad directly reroutes them to the Login Page, which is not very intuitive. I would like to redirect them to a custom page, indicating that the user is not in any of the roles required by the application.
But MSAL has no option for something like "failedRedirectUri". Can someone please tell me if this is even possible with MSAL, if so how do i go about configuring it?
I've tried to set the "redirectUri" from localStorage, and try to modify it before the redirect happens. but that doesn't help.
MsalModule.forRoot({
clientID: '*****-************************',
authority: "https://login.microsoftonline.com/*************************/",
validateAuthority: true,
redirectUri: window.location.origin,
cacheLocation: 'localStorage',
postLogoutRedirectUri: window.location.origin + "/loggedout",
navigateToLoginRequestUrl: false,
popUp: false,
unprotectedResources: ["https://www.microsoft.com/en-us/"],
protectedResourceMap: protectedResourceMap,
logger: loggerCallback,
correlationId: "1000",
level: LogLevel.Info,
piiLoggingEnabled: true
})
On login failure for implicit flow, the user should not be redirect to the "redirectUrl" page. Instead the user should be taken to an error page where the error description is displayed.