We are implementing CA Site minder on external server for single sign on.
We did all necessary configuration on our server as well as on policy server.
When I hit my URL request get interrupted by ISAPI Filter and Site Minder Replace it with Log in Page Then I put credentials and click log in.
This request goes to policy server and after authenticating site minder redirect me to original url that I hit early on but somehow i am not getting SMSESSION Cookie.
I check FRT log and found that cookie is there in Request Header which mean site minder able to generate and pass the cookie to request but not set in Response header So its getting removed from response.
I tried to find why its getting removed or response not setting SMSESSION Cookie but not able to find any reason.
I am using Integrated pipeline mode and the same setup is working fine with classic mode but since my application is MVC I can't use that and i have to use integrated mode.
The SMSESSION cookie is not provided to the application from SiteMinder. It is initialized in the client browser after login and should be included when the authenticated request arrives back at your application.
I suggest monitoring the client side to ensure the SMSESSION is received after login and sent back out in the application request.
Related
I'm implementing a webdav server. I have everything working fine for anonymous access, but now I want to require authentication.
When a user clicks on a link to open the word document (I'm using the ms-word: protocol), Word sends a couple of HTTTP OPTIONS requests, first with an empty Bearer value in the Authorization header, to which the server responds with a WWW-Authenticate header, and everything is working correctly (after the user authenticates with Word, word sends a follow-up HTTP OPTIONS request with a token value in the header).
However, when Word requests the file itself (using HTTP GET), there is no Authorization header. I've tried having the server respond with a 401 status, but when it does, Word simply gives up and informs the user the file can't be opened.
What's even more troubling is that, from what I can tell, Word sends the GET and OPTIONS requests in parallel, so at the time it sends the GET request, it has no idea that it will be authenticating with the OPTIONS request.
Not sure if this will always be the answer to the issues I described above, but I think it's a combination of problems I was running into. Here's the basics of how I got around the issues I was having.
Delete Office Webdav cache. Office caches information about Webdav servers pretty aggressively. The cache is found in the registry as this location: Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\X\Common\Internet\Server Cache where X is the current version of Office you have installed. Delete all subkeys that have your server's URL.
Do not use localhost or 127.0.0.1 for your Webdav. Office seems to behave differently if it knows that your server is local. This may mean needing to add entries into your hosts file to "trick" it into thinking your site is on a remote server.
If using some sort of federated auth (Azure AD, Google, Facebook, etc.) and you are using bearer tokens, Office needs to be told where to go to authenticate, this is done by responding to non-authenticated requests with a 401 status and the WWW-Authenticate header value being set to something like this (I can confirm this works for Azure AD):
Bearer authorization_uri="https://login.microsoftonline.com/[Tenant ID]/oauth2/authorize",trusted_issuers="https://login.microsoftonline.com/*/",client_id="[Azure AD App Client ID]"
Even with the client ID set, it seems like the Application ID URI in the app registration needs to match the server's base URL (protocol + host + port)
I have an application (VBS) that pulls data from a 3rd party web site via xmlhttp REST requests.
The first REST call of this application is to a log-in URL that returns also a JSESSIONID cookie ('Set-Cookie: JSESSIONID=7XYZD; Path=/; Secure; HttpOnly').
The called URL is 'https://www.bullionvault.com/secure/j_security_check?j_username=XXX&j_password=YYY'.
The second request, which needs me to be logged-in, pulls actual information from another URL of that web site, returning the data as XML document response as '.responseXML'. This flow works just fine if I execute the application while working on the VM (rdp), or also locally from my laptop.
Now, when I use a Azure Automation job to trigger the very same application on the VM the second (data) request does not return the expected XML document anymore; I get '200 OK' but then the (useless) log-in page of the site as HTTP document as the '.responseText'; '.responseXML' is empty.
Is seems that using an Azure Automation job is preventing the JSESSIONID from being sent back to the REST server when doing the data request. Hence, the server does not recognize me anymore, and send me back its log-in page. Note that there is no web browser involved explicitely.
Question: Is my suspicion of using Azure Automation breaking the application true; and how to fix this problem?
If you are using sandbox kind of setup instead of a hybird worker to execute then as the sandbox is a limited version of the Windows OS and user behavior like cookies and network configuration might not be the same so I would suggest trying out the hybrid worker (which runs under Local System context by default) to see if you can get some better-defined behavior.
I am trying to build an app in node.js that connects to Pinterest via its API. I can get an access token via Postman and test my app in single-user mode, but I am unable to incorporate OAuth2 to test my app for a second user. Every configuration of my code and settings at developer.pinterest.com yields the error "The provided redirect_uri ... does not match any of my registered redirect URIs."
I registered what I believe are correct callback URLs at developers.pinterest.com--many variants, with and without trailing slashes. My callback is hosted via https.
I tried calling Pinterest's auth URLs OAuth2 in my server code (node.js), and via browser address bar.
https://api.pinterest.com/oauth/?response_type=code&redirect_uri=https://www.outfinterest.com/auth/pinterest/callback/&client_id=5042375080944909391&scope=read_public&state=true
I attempted the auth from a browser logged into Pinterest as me, and from a browser logged in as a registered tester of my app.
What must I do to get Pinterest to accept my callback URL?
Do I need to submit my app for approval before I can authorize via OAuth2?
I resolved the problem by reducing the set URLs registered at developer.pinterest.com to just the one I need, then reloaded the page with the app settings.
In our web application's UI, we load a video in an iframe. The video is on office 365/SharePoint server.
If the user is not logged into the organization's portal managed by Azure ADAL, a login screen is loaded in the iframe. If the user is already logged in the video plays normally.
So far fine. But our management do not want the iframe redirected to login page and instead set a cookie on the iframe and load the video.
We said that it is not possible to set a cookie on an iframe and send a request and also we asked how can we get Microsoft cookies into our application? The architect says there is a rest endpoint which will give the details of the cookie. But still we do not have idea how to set it.
Is it really possible to set cookies and send to Microsoft portal to avoid authentication? I believe it is not possible but the architects and management insists we try something.
I would say it's not possible to set a cookie "per frame", but I guess you can login the user ("somehow", see below) and then reload the frame (or check authentication before even trying to load the frame).
Idea to login silently:
Create an account on your SharePoint which is only allowed to watch the selected videos (aka a "Public-User")
Automatically login all not already authenticated users with this account
Maybe with a rest call to the SharePoint server, check whether the user is logged in
If not logged in, maybe in a (hidden) frame send the login data for the Public-User to the SharePoint
All future requests should have the cookie set.
Show them the video
But for the idea to manually set the cookie: Due to security issues, browsers won't let you (= your web application) to read or write cookies for another domain (= the SharePoint server).
Sort of.
We accomplished something like this through the use of a proxy server.
In short, the proxy (hosted in elastic beanstalk) would notice a request coming in, check it's cookies for one that we set to determine the user is logged in, and if it found that cookie on the request it would call some authorization endpoints with it to be able to append a new cookie onto the response (set-cookie header) which we would then use to determine how to proceed. The proxy was written with node.js/express.
As long as you end up having sameSite: 'None' on the cookie options when you are setting the cookie it should work, even though the site hosting the iframe is on another domain.
I'm not sure if this relates into your bigger picture, but maybe gives some inspiration to others with similar issues.
I have a URL, say xyz.com, which upon being hit sends a request to Apache HTTP server which redirects to a come login page.
Upon sucessful verification of user the Apache redirects to my nodejs application with URL xyz.com
With SAML header which contains user info.
How to read this SAML header in node js.
PS: Had it been a Java application instead of nodejs req.getSession would have worked.
Thanks