How to update user app ID and password with onelogin API - onelogin

Trying to automate the manual process of updating a user's app id and password for One Login. When the user gets created, we have to manually go to user > applications > select app > update ID and password.
Is there API I could use to update the user's app ID and password? I could not find any.

There are two APIs to set a user's password:
https://developers.onelogin.com/api-docs/1/users/set-password-in-cleartext
https://developers.onelogin.com/api-docs/1/users/set-password-using-sha-256
Depending on where your user is mastered, you might have to adhere to password complexity rules not maintained in Onelogin, so prepare for that in your code.
Why would you change the value set for the user's Subject (NameID) in the app? Is your data inconsistent so you can't set a rule for that in the standard app configuration?
The new app API might do that for you, but if you need to do that process on a consistent basis, then you should be doing some housekeeping in your data source.
https://developers.onelogin.com/api-docs/1/apps/update-app

Related

How to link logged users to their data, retrieve and update them in MySQL table

This is my web-app "User Settings" page.
I have simplified it to a minimum to better highlight the problem.
To authenticate users I use Auth0. I wanted to use the sub claim user_id to identify the users inside my MySQL database to update and retrieve users' info. Unfortunately the user_id is different for each provider; for example, if the same user with the same e-mail logs in via Auth0 he gets one user_id, and if he does it via Google he gets another one.
I thought about using email to link the logged-in user to his info.
The problem is in my API. Before the change it was "localhost:8080/api/users/:id";
each time it created a new id and in any case it was impossible to recover the data of the single user. Now that I have replaced "id" with "email" my API has also changed to "localhost:8080/api/users/:johnsmith#xxx.com".
Before:
After:
In a few words, the request url on the client side has also changed.
I would like to make sure that the GET and PUT requests are made based on the e-mail of the logged user without going to modify the whole back-end.
Sounds like something is wrong with how you authenticate users. If you have multiple ways to authenticate a user, those methods need to be in a one-to-many relation with the user. For example, each user has a list of auth methods, and whenever an authentication is made you check your table of authentication methods and find the one user it maps to.
I'm not sure if you are doing this yourself or if the framework you are using is handling that, but it sounds like you need to change the model to allow many auth methods for a single account.
Also, you could use email, but that is also an "old" way of uniquely identifying users; almost every single person has multiple active email accounts nowadays, so you should also have a one-to-many relation for users to emails. What if the user has different email accounts for their Facebook and Google accounts?
See account linking here: https://auth0.com/docs/users/user-account-linking
It is dangerous to trust that the external providers are truthful about what email belongs to whom. What if I open a new account using someone else's email on one of the providers? Then I can log into that user's account in your application, which is a pretty big security risk.
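The one-to-many model the answer describes, as an added example (not code from the original post or from Auth0): each application user owns many login identities keyed by (provider, sub), the account is always resolved through that key, and an email asserted by a provider is only ever stored for display, never used to find an account. The in-memory Maps, the claim shapes and the `linkIdentity` helper are constructed stand-ins for the MySQL tables and the Auth0 account-linking step.

```javascript
// Added example: identity linking that never trusts a provider's email claim.
// Constructed in-memory "tables" standing in for the MySQL tables.
const users = new Map();       // userId -> { id, emails: Set<string> }
const identities = new Map();  // "provider|sub" -> userId
let nextUserId = 1;

const identityKey = (provider, sub) => `${provider}|${sub}`;

// Resolve an incoming login to an application user.
// Lookup is by (provider, sub) only; returns { userId, created }.
function resolveUser(claims) {
  const { provider, sub, email, email_verified: emailVerified } = claims;
  if (!provider || !sub) throw new Error('provider and sub are required');

  const key = identityKey(provider, sub);
  if (identities.has(key)) {
    const userId = identities.get(key);
    // Remember an address only when the provider states it verified it.
    if (email && emailVerified) users.get(userId).emails.add(email);
    return { userId, created: false };
  }

  // Unknown identity: create a fresh user rather than silently merging into
  // an existing account that happens to carry the same email address.
  const userId = nextUserId++;
  users.set(userId, {
    id: userId,
    emails: new Set(email && emailVerified ? [email] : []),
  });
  identities.set(key, userId);
  return { userId, created: true };
}

// Explicit linking of an additional login method to an account. This is
// only called for a session that already authenticated as `userId`
// (the "add another login" action on a settings page), never from a
// fresh login that merely shares an email.
function linkIdentity(userId, provider, sub) {
  if (!users.has(userId)) throw new Error('unknown user');
  const key = identityKey(provider, sub);
  const owner = identities.get(key);
  if (owner !== undefined && owner !== userId) {
    throw new Error('identity already linked to another account');
  }
  identities.set(key, userId);
}

function getUser(userId) {
  return users.get(userId);
}

// Reset the constructed store (handy for tests).
function resetStore() {
  users.clear();
  identities.clear();
  nextUserId = 1;
}
```

With this model the attacker scenario in the answer (a provider account created with someone else's email) yields a brand-new, empty application user instead of access to the victim's data; merging two identities into one account happens only through `linkIdentity`, after the owner has proven control of both.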

Implementing login system in React.JS & Node.JS

I need to implement a login system in MERN stack in which there will be three types of logins.
1. Admin login
2. Student Login
3. Faculty Login
The admin login will have a predefined username and password (say admin & admin#123 resp.) which can be changed if needed. The faculty and student will only be able to log in if the admin adds a new student or faculty from his dashboard. The student and faculty username will be the registration number from college and the password will be the date of birth.
All the tutorials that I came across are on registration and authentication, and since registration is not a part of this project, I'd like to know basically how I should go about this feature.
I am using MongoDB as the database.
You have multiple things going on here:
authentication: accepting and checking a username and password
authorization: once a user has authenticated herself, assigning her the appropriate privilege level (admin, faculty, student in your case).
registration: in your system only the admin can register new users. This is different from some systems, which permit self-registration. Yours does not, according to your requirements.
(Important security tip: it's a seriously bad idea to use date of birth for a password. Why? If a cybercreep breaks into your database, he will have a list of names and dates of birth. Those are useful for stealing your users' identities. They are also considered personally identifiable information and so they're covered by GDPR and the California Consumer Privacy Act. But you didn't ask about that....)
Let's take your requirements one-by-one.
1 - Authentication. This is a simple username/password scheme. Use the passport module for that, with its local strategy.
2 - Authorization. When you look up the user, also look up her privilege level (again admin or faculty or student). Passport feeds your user a session cookie so they stay logged in.
Before you display any page or accept any API request or form post from a user, check the authorization level. If the user is not permitted to use the particular feature, send back a 403 error message rather than showing the page or accepting the form.
3 - Registration. You need a form for creating / replacing / updating / deleting users (called a CRUD form). This form must be accessible only to your admin.
By the way, all this happens on your node / express server. Your react client must simply pass along the passport-generated session cookie with every request, so the server can look up the user to retrieve the authorization.
Thinking about your requirements in this structured fashion should help you apply the stuff you learn from various online tutorials.

Custom Azure B2C Password Reset Flow via Username

I setup a password reset flow using Azure B2C and local Azure accounts that uses the user's email address and verification code. However, my client would like to have a password reset email sent to the user based on the user name, not email address. The user email would be looked-up behind the scenes and an email sent that would include a link to the password reset page as shown in the flow below.
After reading a gazillion articles on custom Azure B2C policies, I'm struggling to convince myself if it is possible to do what the client is asking for using Azure B2C.
In the sample password reset flow shown below, some of the areas I'm struggling with include:
Is it possible to create custom pages in the password reset flow such as the page in Step 4 that displays the user's masked email address, or the information page in Step 7?
Is there built-in functionality to look-up a user's email address and Active Directory Object ID based on their user name or would I have to call out to a custom Azure Function and use the Graph API to do this?
Is it possible to create and send a custom email that includes a hyperlink to the password reset page that includes the user's Active Directory Object ID as a query string parameter so the password reset page knows which user's password is being reset?
At the moment, it seems like it would be easier to create a completely custom ASP.NET MVC app to handle the requirements than it would be to use Azure B2C custom policies, but that isn't really a path I want to go down.
Is it possible to create custom pages in the password reset flow?
Yes, you can create your own custom password reset user flow using Azure Active Directory B2C.
In your case, if you want to figure out your custom page you could refer here.
Is there built-in functionality to look-up a user's email address and Active Directory Object ID based on their user name or would I have to call out to a custom Azure Function and use the Graph API to do this?
Using the Microsoft Graph REST API you could fetch your user information.
In your case you could use:
List users
Get a user
To access user information you could also refer here in great detail.
Is it possible to create and send a custom email that includes a hyperlink to the password reset page that includes the user's Active Directory Object ID as a query string parameter so the password reset page knows which user's password is being reset?
You can use the company branding feature to customize the content of verification emails for resetting the password.
Note: for better clarity you could check the Azure AD B2C: Frequently asked questions (FAQ) before the final workaround, which will definitely guide you to the ultimate go-ahead.
Update
As per the Microsoft document, right now you cannot create exactly what your sample shows. See the screenshot; there are important remarks.
Thank you.
This GitHub project covers the case you describe. Still needs a lot of understanding about custom flows to get it working.
https://github.com/yoelhor/aadb2c-verification-link

Forgerock - OpenAM - retrieving all valid sessions for a specific user

How would I retrieve all valid sessions for a specific user? For example, if the user is logged in from multiple devices and decides to change password, or reset password. I need to be able to expire all active sessions and log the user out of all devices. This is specially important if the user is suspecting that his/her account has been compromised and needs to change the password. Currently I can retrieve RMEs but not sessions. I know this is doable from the UI but I need to put this feature in an SDK or API. Is there a curl command to easily achieve this?
Sarah,
Currently there is no endpoint that will let you invalidate all user sessions. You would need the session token of each session and then call the /json/sessions/?_action=logout REST endpoint multiple times (once per session).
That being said you can use the following class to get the list of sessions for a particular user:
com.iplanet.dpro.session.service.SessionCount
You can read the javadoc here.
There are some constraints for using this method though. Session Quota must be enabled. You can enable Session Quota on the admin console by going to Configuration -> Global -> Session page and:
Set the number of "Active User Sessions"
Turn on "Enable Quota Constraints"
To sum up, you can create your own custom endpoint that will take the User ID and invoke SessionCount.getAllSessionsByUUID(uuid) to get the list of active sessions. After that, you can iterate through the list of sessions and invalidate them one by one.
Hope this answers your question.

Dnn 7.01.01 requiring profile settings not being enforced on first login of new user

I am trying to sort out a peculiar behavior when creating new users as a site Admin on our Dnn installation.
I have gone into the Admin > Site Settings > User Account Settings > Profile Settings and changed a few of the fields to Required (FirstName, LastName, Title, Address etc) with Required and Visible checked and Default Visibility set to 'AllUsers'.
I have a requirement of 'None' for the 'User Registration' type, meaning the site Admin must create all new users. I also have a requirement that the password for new users be created randomly, instead of being assigned by the site Admin.
When the user is created in this manner, an email is sent with instructions to choose the 'Reset Password' option (if first-time user). This built-in Dnn function asks for the new user name (supplied in the email) and then sends another email with a reset password link with a token.
We are doing this to remove any password knowledge from the site Admin.
The problem is that when new users finally set their password and gain access to the system they are not being forced to fill in the required profile settings the first time (when they choose their password). They are required to fill them out when they log in the second time (without going through the reset password process).
We would really like them to be forced to complete the Profile Settings the first time regardless of whether they are setting their password via the password reset token link.
Does anyone know why this is happening? Is there a workaround?
Thanks for any information!
The answer to this question can be found here:
https://dnntracker.atlassian.net/browse/DNN-4213