I'm trying to set up OpenAM with CDSSO, but I cann't find the right setup.
My environment looks like this:
OpenAM:
version: 10.0.0
few tomcat
behind loadbalancer 10.10.10.10:8000
availble by http://abc.xxx.com which redirects to http://sso.yyy.com or by http://sso.yyy.com
Apache with web agent
apache version: Apache/2.2.15
web agent version: Version: 3.0-04, Revision: 9150
host have access to 10.10.10.10:8000, but not to http://abc.xxx.com or http://sso.yyy.com
accessed via http://efg.xxx.com
End user / browser
have access to http://sso.yyy.com, but not to 10.10.10.10:8000
Tested configurations
Try 1
In web agent configuration I setup
com.sun.identity.agents.config.cdsso.cdcservlet.url[0]=http://10.10.10.10:8000/opensso/cdcservlet
in browser I have redirect to 10.10.10.10:8000/opensso/cdcservlet
Location: http://10.10.10.10:8000/opensso/cdcservlet?goto=http%3A%2F%2Fefg.xxx.com%3A80%2F&
in web agent log is
am_web_do_cookie_domain_set(): setting cookie iPlanetDirectoryPro=;Path=/.
is_server_alive(): Connection timeout set to 2
am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [http://efg.xxx.com:80/] [http://10.10.10.10:8000/opensso/cdcservlet?goto=http%3A%2F%2Fefg.xxx.com%3A80%2F]
process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [http://10.10.10.10:8000/opensso/cdcservlet?goto=http%3A%2F%2Fhttp://efg.xxx.com%3A80%2F&].
process_access_redirect(): returning web result AM_WEB_RESULT_REDIRECT.
process_request(): returning web result AM_WEB_RESULT_REDIRECT, data [http://10.10.10.10:8000/opensso/cdcservlet?goto=http%3A%2F%2Fhttp://efg.xxx.com%3A80%2F&]
am_web_process_request(): Rendering web result AM_WEB_RESULT_REDIRECT
am_web_process_request(): render result function returned AM_SUCCESS.
Try 2
In web agent configuration I setup
com.sun.identity.agents.config.cdsso.cdcservlet.url[0]=http://sso.yyy.com/opensso/cdcservlet
in browser I have
403, You don't have permission to access /
in web agent logs is
am_web_do_cookie_domain_set(): setting cookie iPlanetDirectoryPro=;Path=/.
am_web_get_url_to_redirect: unable to find active Access Manager Auth server.
process_access_redirect(): get redirect url returned AM_FAILURE, redirect url [NULL].
process_access_redirect(): returning web result AM_WEB_RESULT_FORBIDDEN.
process_request(): returning web result AM_WEB_RESULT_FORBIDDEN, data []
am_web_process_request(): Rendering web result AM_WEB_RESULT_FORBIDDEN
am_web_process_request(): render result function returned AM_SUCCESS.
Questions
Is it possible to perform such a configuration?
In newer version of OpenAM (12.0.0 › OpenAM Administration Guide) I find
OpenAM Conditional Login URL (Not yet in OpenAM console)
CDSSO examples: com.forgerock.agents.conditional.login.url[0]= login.example.com|http://openam1.example.com/openam/cdcservlet, http://openam2.example.com/openam/cdcservlet, com.forgerock.agents.conditional.login.url[1]= signin.example.com|http://openam3.example.com/openam/cdcservlet, http://openam4.example.com/openam/cdcservlet
what does it mean "Not yet in OpenAM console". Can I set this directry in OpenDJ?
Is this configuration will work on older versions of OpenAM?
Is for web agent work failover similat to https://docs.oracle.com/cd/E19636-01/819-6101/auto20/index.html?
Thanks in advance
kawu
Answer to 1) Yes that's possible. I don't see why you would need conditional login URL feature, 3.0-04 agent might not even support this feature (question 3) If agents can not access CDCServlet or LoginURL feature you need to disable the probing for it ... see OPENAM-3294 You are using LB for OpenAM, so no need for Agent failover.
Related
I am getting the error IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Paylocad.Nonce was not null.
https://testing.demo.com/message=IDX21323:%20RequireNonce%20is%20'[PII%20is%20hidden]'.%20OpenIdConnectProtocolValidationContext.Nonce%20was%20null,%20OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce%20was%20not%20null.%20The%20nonce%20cannot%20be%20validated.%20If%20you%20don't%20need%20to%20check%20the%20nonce,%20set%20OpenIdConnectProtocolValidator.RequireNonce%20to%20'false'.%20Note%20if%20a%20'nonce'%20is%20found%20it%20will%20be%20evaluated.
I checked in other SO links and found this issue is related to redirect URI mismatch like if you have one URL in the code but different one in AZure.
IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Paylocad.Nonce was not null
For me Redirect URI same for both i.e. in code and Azure. moreover I registered one application with two redirect URI (http://localhost:11111/ and https://testing.demo.com). so when I am running through local using localhost it's working fine but when I use https://testing.demo.com, I got IDX21323 error in my system, where as in different system its in a loop.
https://login.microsoftonline.com/{tenantID}/oauth2/authorize?client_id={client ID}&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%{tenant ID}%2foauth2%2fauthresp&response_type=id_token&response_mode=form_post&nonce={nonce 1}state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6qswsdwdY2OTAtNzlk
The above URL remains same but only the nonce got changed everytime.
So is it because I have kept two redirect URI for the same application. Do I need to create two different application one for localhost (Redirect URI - http://localhost:11111) and another for Dev (Redirect URI - https://testing.demo.com)
Your expertise matters.
Thanks!!
Its always recommended to use different application for development and production. Mainly from security and isolation point of view.
Your redirect_url seems to be wrong, its pointing to the tenant itself and hence in a loop. The redirect_uri below should be your app's reply url - http://localhost:11111 or https://testing.demo.com,
https://login.microsoftonline.com/{tenantID}/oauth2/authorize?client_id={client ID}&redirect_uri=http://localhost:11111/&response_type=id_token&response_mode=form_post&nonce={nonce 1}state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6qswsdwdY2OTAtNzlk
I plan on using the sample-app.py as a baseline of what I am building out and then expanding it from there. Just want to get comfortable with the instagram API and build out from there.
I am trying to use the sample-app.py provided with python-instagram. I have registered an application on instagrams website. I set it up using the default redirect uri from sample-app.py:
http://localhost:8515/oauth_callback .
I was able to authorize my instagram account to use the app, but when I click on any of the links, I get an error about the acccess-token.
When you look at the python command-line window that stays open, I get the following error:
"check_hostname needs a SSL context with either CERT_OPTIONAL or CERT_REQUIRED"
It appears that when the sample app is processing the lines below, it is trying to connect to instagram, but is not able to because SSL in local host is not set up properly. How do I set up SSL so i do not get the above error?
access_token, user_info = unauthenticated_api.exchange_code_for_access_token(code)
if not access_token:
return 'Could not get access token'
api = client.InstagramAPI(access_token=access_token)
request.session['access_token'] = access_token
print ("access token="+access_token)
There are a few steps to solve this problem (it appears that it is actually several problems in aggregate causing this issue):
use openssl to create a ssl certificate and save cert to the same location as your python script. Download open ssl here: http://slproweb.com/products/Win32OpenSSL.html
You need to tweak bottle so that it will support ssl. Do so by adding the following lines in run in class WSGIRefServer(ServerAdapter):
import ssl
srv.socket = ssl.wrap_socket (
srv.socket,
certfile='server.pem', # path to certificate
server_side=True)
There is a bug in python 3 and above(https://github.com/jcgregorio/httplib2/issues/173). I am using 3.4, so the bug could be fixed in 3.5. In the instagram/oauth2.py file, change all disable_ssl_certificate_validation=False to True.
Using a browser REST client to POST to the activity stream at e.g.
https://connectionsww.demos.ibm.com/connections/opensocial/basic/rest/activitystreams/#me/#all
...with the settings prescribed in IBM Connections OpenSocial API > POSTing new events
...results in the following response:
<error xmlns="http://www.ibm.com/xmlns/prod/sn">
<code>403</code>
<message>You are not authorized to perform the requested action.</message>
<trace></trace>
</error>
What am I missing?
This same approach works nicely on IBM Connections 4.0.
Which setting needs 'switching on'?
Try a URL like this... https://sbtdev.swg.usma.ibm.com:444/connections/opensocial/basic/rest/activitystreams/#me/#all
I added the Basic/Rest component, and it worked for me.
1 - Added URL https://sbtdev.swg.usma.ibm.com:444/connections/opensocial/basic/rest/activitystreams/#me/#all
2 - Changed Method to Post
3 - Added Content-Type: application/json
4 - Authentication -> Basic
5 - Logged IN
6 - Posted
Same thing here: 403 when I make an AJAX call to an IBM Connections 6.0 REST API url. Same error in Chrome, Firefox and IE11. When I open the same URL in a separate browser tab, everything works fine.
Comparing the http headers of both calls, and fiddling with Postman, the diference is the presence and value of the atribute Origin.
Seems that Connections allows calls from its own server. For example, when: Origin: connections.mycompany.com.
It also allows calls when Origin is not defined, which happens when the url is called from a separate browser tab.
There is a doc at IBMs Support site that confirms this - http://www-01.ibm.com/support/docview.wss?uid=swg21999210. It also suggests a workaround that did the job for me: unsetting the Origin attribute in the IBM HTTP Server that is in front of your Connections instance. Add the lines below to the httpd.conf file:
Header unset Origin
RequestHeader unset Origin
I am using SproutCore to query a CouchDB database on Mac OSX (10.6.7), from a tutorial on NetTuts+ premium. The database name is microblog. The query resolve to this string:
"http://localhost:5984/microblog/_design/posts/_view/posts?descending=true"
If I type this query directly in the browser's address bar, I get a nice json answer. But through the SproutCore app, I get an error message:
405 Method Not Allowed
Why is that? would that be because SC is running out of :4020 and CouchDB out of :5984 ? Any ideas?
Because of Javascript cross-domain regulations you are not allowed to query any arbitrary URL from your browser. If you loaded your sproutcore page from localhost:4020, it's forbidden to contact any other host or port on the same host.
To overcome this problem you usually make your sproutcore host proxy to the backend. You can do this by including a proxy statement like the following in your sproutcore buildfile
proxy "/microblog", :to => "localhost:5984"
which will forward all request going to localhost:4020/microblog to your backend localhost:5984/microblog. As you can imagine this might lead to problems where you can't set the url in your sc application to the desired value, the common case might be that your sc application is also named "microblog" the above proxy directive would then cause your sc application url being overridden.
To fix that problem you can use another url in your sc application to contact the backend, e.g. /db and then use the url parameter in the proxy directive to rewrite the target url:
proxy "/db", :to => "localhost:5984", :url => "microblog"
All requests to localhost:4020/db will then be forwarded to localhost:5984/microblog and will no longer interfere with your sc application on localhost:4020/microblog.
I am trying to use System.Net.WebClient in a WinForms application to upload a file to an IIS6 server which has Windows Authentication as
it only 'Authentication' method.
WebClient myWebClient = new WebClient();
myWebClient.Credentials = new System.Net.NetworkCredential(#"boxname\peter", "mypassword");
byte[] responseArray = myWebClient.UploadFile("http://localhost/upload.aspx", fileName);
I get a 'The remote server returned an error: (401) Unauthorized', actually it is a 401.2
Both client and IIS are on the same Windows Server 2003 Dev machine.
When I try to open the page in Firefox and enter the same correct credentials as in the code, the page comes up.
However when using IE8, I get the same 401.2 error.
Tried Chrome and Opera and they both work.
I have 'Enable Integrated Windows Authentication' enabled in the IE Internet options.
The Security Event Log has a Failure Audit:
Logon Failure:
Reason: An error occurred during logon
User Name: peter
Domain: boxname
Logon Type: 3
Logon Process: ÈùÄ
Authentication Package: NTLM
Workstation Name: boxname
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 1476
I used Process Monitor and Fiddler to investigate but to no avail.
Why would this work for 3rd party browsers but not with IE or System.Net.WebClient?
I have seen a similar issue, where the Integrated / NTLM security will only work if you are accessing the host by machine name or localhost. In fact, it is a [poorly] document feature in Windows that is designed to protect against "reflection attacks".
Basically, you need to create a registry key on the machine that is trying to access the server, and whitelist the domain you are trying to hit. Each host name / FQDN needs to be on it's own line - there are no wildcards and the name must match exactly. From the KB Article:
Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Right-click MSV1_0, point to New, and then click Multi-String Value.
Type BackConnectionHostNames, and then press ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
Exit Registry Editor, and then restart the computer.
http://support.microsoft.com/kb/956158/en-us
Have you tried ...
new NetworkCredential( "peter", "password", "boxname" );
You might also try ...
var credCache = new CredentialCache();
credCache.Add( new Uri ("http://localhost/upload.aspx"),
"Negotiate",
new NetworkCredential("peter", "password", "boxname"));
wc.Credentials = credCache;
Also, according to this it may be that IIS is configured wrong. Try replacing "Negotiate" with "Basic" in the above and checking your IIS config for the website. There's also a bunch of possible causes here.
Try going into IE's options and explicitly add the site to the Intranet Zone. Then re-run the program. You should also not run the program from an administrator login. This may trigger the Enhanced Security Configuration for Internet Explorer.
It could explain why you can hit the site with Firefox and Opera, but not with IE or WebClient.
Without knowing your IIS deployment, and assuming that you have the correct authorization rules for upload set in IIS (e.g. the right allow* ACL's on the right dirs you are trying to upload content to, etc), first thing I would try is to set UseDefaultCredentials to true instead of explicitly set Credential. (Maybe you think you are accessing the server with the Credentials you are setting but that's not the case? That would be possible if this works.)
This is a very common scenario, so I would focus on IIS authorization rules for the directory in which you are trying to upload the file, the actual ACL's on that directory. For ex. is your site impersonating or not? if it is, then you have to have actual ACL's on that dir, otherwise whatever account app pool is running on.