Not able to find Reset Security token option in Salesforce - security

I am not able to find the Reset Security Token option under the settings page in any of my sandbox instances, and I am not sure why this is happening. Can someone please let me know how to find it, or whether I am missing something?
I am attaching the screenshot of how my setting page menu looks right now.

You probably have login IP ranges defined. See https://help.salesforce.com/articleView?id=000331668&type=1&mode=1
Try whether you can navigate directly to https://yourdomain.lightning.force.com/lightning/settings/personal/ResetApiToken/home to reset it anyway.

Can &hint= be disabled on forgot password links?

When a user tries to log in but fails with a bad password and then clicks the forgot password link, they are directed to a URL containing their PII email.
The hint is not injected until the link is clicked, so it can probably be fudged with some custom JS, but we would like to use configuration rather than customisation.
e.g.
https://b2ctenant.b2clogin.com/b2ctenant.onmicrosoft.com/B2C_1A_customflow/api/CombinedSigninAndSignup/forgotPassword?csrf_token=xxxx&tx=StateProperties=xxxx&p=B2C_1A_customflow&hint=blablablah#example.com
This PII has potential to be captured/logged/etc, which we would really like to avoid.
So, can we turn that off?
Yes, we understand this is a convenience/quality-of-life feature to help clients, but revealing their PII seems a poor trade-off.
If you initiate Password Reset by clicking on the "Forgot your password?" link at the sign-in page, clicking this link doesn't automatically trigger a password reset user flow. Instead, the error code AADB2C90118 is returned to your application. Your application needs to handle this error code by running a specific user flow that resets the password. You should be able to handle the URL and forgot password from the application.
The Azure AD B2C guidelines for using custom JS (https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-javascript-overview#guidelines-for-using-javascript) directly prohibit binding the click event on anchors/links, but we can use the mousedown event.
With that, we can use a JS snippet as below to clear the signInName field, and so prevent the link from containing the hint parameter:
$("#forgotPassword").mousedown(function () {
$("#signInName").val("");
});
This addresses the issue with customisation, so now we wait to see if we can replace it with an official configuration option.
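The remaining risk in this thread is the hint value landing in logs or telemetry. As an added example that is not code from the thread or from Azure AD B2C, here is a log sanitiser that redacts the "hint=" value (and the assumed extra parameter names login_hint and signInName) before a URL is stored; the sample input is the URL quoted in the question plus a constructed access-log line.

```javascript
// Added example, not code from the original thread or from Azure AD B2C:
// redact the e-mail address that B2C appends as "hint=" to the forgot-password
// link before the URL is written to logs or telemetry. Parameter names other
// than "hint" (login_hint, signInName) are assumed extras; the sample is the
// URL quoted in the question plus a constructed access-log line.
const PII_PARAMS = ['hint', 'login_hint', 'signInName'];

// Matches "?name=" or "&name=" followed by the value up to the next "&" or
// whitespace. "[^&\s]*" deliberately also swallows a trailing "#fragment",
// because the fragment can carry the rest of an address, as in the question.
const PII_PATTERN = new RegExp(
  '([?&](?:' + PII_PARAMS.join('|') + ')=)[^&\\s]*',
  'gi'
);

// Returns the text with every PII parameter value replaced by "[redacted]".
function redactPiiParams(text) {
  return text.replace(PII_PATTERN, '$1[redacted]');
}

// Redacts a batch of log lines and reports how many values were removed,
// which is the figure a log-pipeline check would alert on.
function redactLogLines(lines) {
  let redacted = 0;
  const out = lines.map((line) => {
    const clean = redactPiiParams(line);
    if (clean !== line) redacted += (line.match(PII_PATTERN) || []).length;
    return clean;
  });
  return { lines: out, redacted };
}

// Constructed sample input: the URL from the question and one access-log line.
const SAMPLE_LINES = [
  'https://b2ctenant.b2clogin.com/b2ctenant.onmicrosoft.com/B2C_1A_customflow/api/CombinedSigninAndSignup/forgotPassword?csrf_token=xxxx&tx=StateProperties=xxxx&p=B2C_1A_customflow&hint=blablablah#example.com',
  'GET /forgotPassword?hint=user%40example.com&p=B2C_1A_customflow HTTP/1.1',
  'GET /healthz HTTP/1.1',
];
```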

Azure Self Service Password Reset - redirect on final step after successful password change

We are hitting a bit of a brick wall with this one – if you go to this article and look at the final screenshot, it includes a message 'To sign in with your new password, click here' and the click here must be configurable:
http://www.rebeladmin.com/2019/02/step-step-guide-using-microsoft-authenticator-app-public-preview-reset-azure-ad-user-password/
Can anyone tell us how to config that link on the success page please? Otherwise, the user will have to manually enter in the URL to login which seems a bit bonk.
Any help appreciated!
That option isn't configurable for SSPR and it's most likely by design for security reasons.
I don't see any legitimate use case for configuring this URL either. When the user clicks the link they should be taken to login.microsoftonline.com and after successfully logging in will be taken to the original site the user was trying to access since it's embedded in all links across the SSPR experience by means of query parameters.

SCA Webstore Session Bugs

We experience session bugs in our SCA website (Mont Blanc).
The session bugs are:
you are logged in but sometimes the website still shows the 'login | register' link, i.e. it doesn't recognise you as logged in.
you click the login/register link intending to login but you get taken to the checkout page
Have other SCA developers experienced this bug (SCA is known for many) and what have you done to fix this? Any advice would be very much appreciated.
Yes, it is there. We are changing our version to Elbrus.
Being sent to checkout upon logging in is due to the SSP application's touchpoints missing parameters. Specifically, the checkout.ssp is used for login, checkout, and register. By default, it handles checkout, but with a parameter of is=login or is=register, it will go to the appropriate places after login is complete.
I'm not sure offhand the solution for the first question.

XPage: Unable to Login

Very strange issue I have been facing for the past few days. I am only able to log in to any application on my Domino server using Mozilla Firefox. If I use any other browser (Chrome, IE), it just stays on the login page with absolutely no information; every time I log in again it shows the login page with no error message at all. It's quite strange, since it's working perfectly fine on Firefox.
I am not sure, but I somehow feel that it has something to do with the configuration. I would really appreciate it if someone could guide me here.
Edit 2:
Selecting Single Server does work; that was the simplest solution, as for now we do not need "Multiple Servers".
However, we do not use any other "Internet Sites". I tried to remove the Organization field, but that led me to "An R5 web SSO configuration already exists", which in turn led me here. However, I am able to move further here with "Multiple Servers".
Edit 1: Based on the answers, here are the things I tried. Please find below a screenshot of each for better understanding.
LTPA Token Configuration
Server Configuration for LTPA Token
Network tab - before login
Network tab - after login
The console shows nothing before or after login, and neither do the server log files. Also, I am able to access the names.nsf database with absolutely no problem. Lastly, I try to access a database with no anonymous access and hence get redirected to the login page (however, as the question mentions, it just stays in a loop).
Ok, you may need to provide a little more information.
Are you doing a "normal" login using domcfg and a "...&login" url? Or are you trying to open a design element in a database that has no access to "anonymous" and thus redirects to the login?
You can easily check that "standard" login by opening the url: http://yourserver.com/names.nsf?login. Does it behave differently in the browsers? If not then your server setup etc. is Ok. Then you have to look at the solution that tries to log you in.
Your first place to check is the browser's console. Are there any errors in there? E.g. some client-side JavaScript that stops running? Check the network tab when you inspect the console/developer tools. Does it send the right requests?
Another step is to check the console/log files on the server. If you have grown your own solution then you may want to add some simple print statements to prove that it sends what you think.
Finally, you can use a network sniffer (like Wireshark) to see exactly what is sent between your browser and the server.
/John
A login page that reloads itself after every login without a message like "Wrong username or password" or similar normally happens if the session authentication for the server is configured as Multiple Servers (SSO) (found in the Server document under Internet Protocols - Domino Web Engine if Internet Sites are disabled, or in the Internet Site document if they are enabled).
In that case an LTPAToken has to be configured as well, and this token has to have a configured domain name. Whenever you try to access a server with SSO enabled using a hostname without a domain or with a different domain, exactly this will happen: the login page reappears after every login attempt.
Example:
if the servername is myserver with ip 10.10.10.1 and the LTPAToken is configured for ".mydomain.com", then the only valid URL for login is:
hxxp://myserver.mydomain.com
Trying hxxp://myserver or hxxp://10.10.10.1 will result in exactly the described behaviour.
It is important to know where to look for the "right" SSO configuration document.
If the server is configured to use Internet Site documents (Server document, Basics tab, "Load Internet configurations from Server\Internet Sites documents" enabled), then the SSO document needs the field "Organization" to be filled. In that case you will find it in the Web\Internet Sites view of the Domino Directory.
If Internet Sites are disabled, then the field "Organization" has to be empty. In that case you find the SSO document in the Web\Configurations view.
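The hostname/token-domain mismatch described in this answer can be checked before touching the server. As an added example that is not code from the thread or from HCL Domino, the function below tests whether a URL's host lies inside the LTPA token's DNS domain; the domain ".mydomain.com" and the sample URLs are constructed from the answer's example.

```javascript
// Added example, not code from the original thread or from HCL Domino: check
// whether the hostname in a URL falls inside the DNS domain configured for the
// LTPA token, which is the condition the answer above describes. The token
// domain ".mydomain.com" and the sample URLs are constructed from the answer.
function ltpaDomainMatches(hostname, ltpaDomain) {
  const host = hostname.toLowerCase();
  let suffix = ltpaDomain.toLowerCase();
  // Domino expects the token domain to start with a dot, e.g. ".mydomain.com".
  if (!suffix.startsWith('.')) suffix = '.' + suffix;
  // A bare IPv4 address can never match a DNS domain suffix.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  // A short name such as "myserver" has no domain part at all.
  if (!host.includes('.')) return false;
  // Suffix match on a label boundary: "evilmydomain.com" must not pass.
  return host.endsWith(suffix);
}

// Explains, for one URL, whether the browser will keep the SSO cookie.
function diagnoseLoginLoop(url, ltpaDomain) {
  const host = new URL(url).hostname;
  if (ltpaDomainMatches(host, ltpaDomain)) {
    return { host, ok: true, reason: 'host is inside the LTPA token domain' };
  }
  return {
    host,
    ok: false,
    reason: `"${host}" is outside "${ltpaDomain}": the browser rejects the ` +
      'LTPAToken cookie and the login page reappears after every attempt',
  };
}

// Constructed sample URLs from the answer's example, with the dotted domain.
const LTPA_DOMAIN = '.mydomain.com';
const SAMPLE_URLS = [
  'http://myserver.mydomain.com/names.nsf?login',
  'http://myserver/names.nsf?login',
  'http://10.10.10.1/names.nsf?login',
];
```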

Magento - users can see others data

We have a Magento store, and sometimes when users log in it authenticates them with someone else's user information.
When the user goes into my account they can see the order details of another customer.
I have found a forum that said to activate the Validate HTTP_USER_AGENT and Validate REMOTE_ADDR values under the Session Validation settings but we are still seeing the issue.
Does anyone have any ideas of what may be causing this issue?
Thanks in advance for your assistance.
George
I never really took the time to properly debug this, but some time ago we had an almost identical problem. Eventually it looked like when System > Configuration > Web > Use SID on Frontend is enabled and you also have Magento Enterprise Full Page Cache enabled, it sometimes saved the SID within cached templates. When other users clicked the link with the incorrect SID they sort of took over that session.
After disabling the SID option, we never had the problem again.
Perhaps not a real answer, but maybe valuable information for you.