I am configuring Liferay with Open AM using Active Directory as the LDAP Server.
The problem I am facing is that if I configure OpenAM to authenticate using AD I get the following error in Liferay -
07:52:17,962 DEBUG [http-bio-8080-exec-15][OpenSSOUtil:146] Attributes response code 500
07:52:17,962 DEBUG [http-bio-8080-exec-15][OpenSSOAutoLogin:132] Validating user information for null null with screen name null and email address null
07:52:17,962 ERROR [http-bio-8080-exec-15][AutoLoginFilter:261] Current URL /web/guest/home?p_p_state=maximized&p_p_mode=view&saveLastPath=false&_58_struts_action=%2Flogin%2Flogin&p_p_id=58&p_p_lifecycle=0&_58_redirect=%2Fc generates exception: com.liferay.portal.security.auth.AutoLoginException: java.lang.Exception: Email address is null
On OpenAM side there is no error.
The steps I followed are -
Configure AD in Liferay and enable it
Configure SSO in Liferay through portal-ext file
Enable pass-through authentication in OpenAM.
I don't see any errors in OpenAM logs.
The only issue I see is in Liferay logs.
The following works -
Liferay + AD
Liferay + OpenAM using OpenDJ
Let me know if anyone knows what can be done to fix the issue.
The error you show seems to indicate that the mapping between your OpenAM server data and the Liferay one isn't correct. Look at the properties "open.sso.screen.name.attr" and similar in your portal properties.
Also keep in mind that you need to activate the LDAP sync on your Liferay server so the users are created and Liferay can match them with OpenAM data.
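As an added example (not code from the thread or from Liferay itself), here is a small Python reproduction of the mapping step the answer refers to, so you can check a captured attributes response against your open.sso.*.attr properties. It assumes Liferay's OpenSSOUtil reads OpenAM's legacy /identity/attributes response, and the sample response is constructed.

```python
from typing import Dict, List, Optional

# Assumption (not from the thread): Liferay's OpenSSOUtil reads OpenAM's legacy
# /identity/attributes body (userdetails.attribute.name= / .value= lines) and
# maps it through the open.sso.*.attr portal properties.

def parse_attributes(body: str) -> Dict[str, List[str]]:
    """Parse the line-oriented OpenAM attributes body into {attribute: [values]}."""
    attrs: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in body.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "userdetails.attribute.name":
            current = value
            attrs.setdefault(current, [])
        elif key == "userdetails.attribute.value" and current is not None:
            attrs[current].append(value)
    return attrs

def map_user(attrs: Dict[str, List[str]], props: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Apply the open.sso.*.attr mapping; None is what Liferay logs as 'null'."""
    def first(prop: str) -> Optional[str]:
        values = attrs.get(props[prop], [])
        return values[0] if values else None
    return {
        "screenName": first("open.sso.screen.name.attr"),
        "emailAddress": first("open.sso.email.address.attr"),
    }

def missing_fields(user: Dict[str, Optional[str]]) -> List[str]:
    """Fields Liferay cannot fill; a null email is the AutoLoginException above."""
    return [name for name, value in user.items() if value is None]

# Liferay's stock mapping assumes OpenDJ-style attribute names.
DEFAULT_PROPS = {"open.sso.screen.name.attr": "uid",
                 "open.sso.email.address.attr": "mail"}
# Remap the screen name to the AD attribute (the change the answer points at).
AD_PROPS = dict(DEFAULT_PROPS, **{"open.sso.screen.name.attr": "sAMAccountName"})
# Constructed sample of what an AD-backed OpenAM data store typically returns.
AD_RESPONSE = """userdetails.token.id=PLACEHOLDER-SSO-TOKEN
userdetails.attribute.name=sAMAccountName
userdetails.attribute.value=jdoe
userdetails.attribute.name=mail
userdetails.attribute.value=jdoe@example.com
"""
```

With an empty body (what the HTTP 500 in the log would leave behind) every field comes back null, whereas a mis-mapped property nulls only that one field, which separates an OpenAM-side failure from a mapping mistake.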
Related
I am trying to configure Rocket.Chat to authenticate using Keycloak, with the hope of integrating Rocket.Chat into our custom CRM developed using JSF. I cannot use any other technology.
The challenge is right now I have failed to figure out how to configure Rocket.Chat to even authenticate with my Keycloak server. I have tried solutions here https://github.com/RocketChat/Rocket.Chat/issues/3897 and here https://github.com/RocketChat/Rocket.Chat/issues/7418 but to no avail.
What configurations are required to make this authentication work?
Under /admin/OAuth, I added a Custom OAuth provider with the following parameters:
enable=true,
url=http://localhost:8580/auth,
tokenPath=/realms/cdi/protocol/openid-connect/token,
tokenSentVia=Header,
identityTokenSentVia=Header,
identityPath=/realms/cdi/protocol/openid-connect/userinfo,
authorizePath=/realms/cdi/protocol/openid-connect/auth,
scope=openid,
id=rocket,
loginStyle=redirect,
usernameField=preferred_username
I also defined a realm named cdi on Keycloak, and added a couple of users to it. However, when I try to log in to Rocket.Chat using these users defined in Keycloak, authentication fails with the message "User not found or incorrect password". There is no event in the Rocket.Chat logs or in the Keycloak logs either.
Problem: Access to the sample Liberty application test page is redirected to Azure and the user authentication is successful (verified via a Fiddler trace). However, authorization fails with Error 403: error=access_denied
The WAS-Liberty profile (17.0.0.1) openConnectClient has been configured to use Azure for authorization.
There is a WebSphere APAR PI52604 which describes a similar issue and adds a parameter encodeParameters=true.
PI52604: OPENID CONNECT SSO WITH ACTIVE DIRECTORY FAILS WITH 403 FORBIDDEN
http://www-01.ibm.com/support/docview.wss?uid=swg1PI52604
Question: Is there a similar fix for WAS-Liberty (17.0.0.1) that adds the parameter encodeParameters=true?
There's no equivalent property in Liberty at present. If you're in a position to open a PMR with IBM, that would be the best way to get this addressed.
I have implemented AAD authentication in one of my webapps, using OWIN. Everything is working as expected on the dev environment but it is not working on PROD. At login it goes to the AAD page, it authenticates users and it redirects back to my registered page, but the registered page is not opening at all. In the title it shows "working" only. I am completely lost as to how to resolve this; please help me to resolve the same.
Thanks in advance!
I got the solution for this. The issue was: to store the tokens, the OWIN context created a local DB (AzureTokenCache.mdf and .ldf files) in the App_Data folder. This uses SQL Express. Now we all know that when using PaaS we cannot use any software. Hence my authentication failed every time, saying there was an error connecting to the database. I moved everything to SQL Azure and it worked for me.
Can someone please help me in finding the solution for the question below? I have been struggling for the last 2 days and am not able to reach a conclusive decision. [Disclaimer: I am still in the nascent phase ..:(]
Is it possible to launch our own web application (portal) login page instead of the OpenAM login page? Right now I am able to access the protected page after successful authentication on the OpenAM login page.
I was able to customize the OpenAM pages (according to our look and feel) in the OpenAM portal, but this added a dependency on the OpenAM version. I will again have to redo/copy-paste the changes in a new OpenAM version.
Any lead/pointer will be highly appreciated.
If you do not want to rely on OpenAM you have to create an auth-wrapper/interface used by your portal. The implementation can use either OpenAM's REST API or SDK to perform authentication. If you want to do SSO as well be sure to send OpenAM's SSO tracking cookie back to the client.
But if OpenAM's API changes for some reason you have to adapt the implementation as well ... so you still have some OpenAM dependency there.
If you do not want to customize OpenAM directly you could deploy OpenAM DistAuth along with your portal app ... and customize this. This allows you to customize Login pages independent from OpenAM.
I am trying to create a sample application here with federated authentication with Azure ACS.
I have an ASP.NET web application with a default.aspx page.
I want to upload this to the Azure cloud. I want to authenticate users using Active Directory login credentials; how can I create a working sample for this?
I was searching and I found I can make use of a custom STS? Is this the right direction?
I found an example from MSDN
http://msdn.microsoft.com/en-us/wazplatformtrainingcourse_windowsazureandpassivefederation2010_topic2#_Toc310436991
but I couldn't make this work till now (I am getting the message "This page can't be displayed").
Can someone point me to a working sample with step-by-step documentation?
I am using VS2010 on a Windows 8 machine, and Azure SDK 1.7.
I don't have an ADFS 2.0-supported server machine available now, so I am just trying to make the MSDN example work.
I followed all the steps as mentioned there, but when I debug, I can see control reaches inside the "WSFederationAuthenticationModule_RedirectingToIdentityProvider" method. If my assumption is right, it should redirect to the Login.aspx page, but instead it is simply showing the message "This page can't be displayed".
You can use the how-to guide on windowsazure.com: How to Authenticate Web Users with Windows Azure Access Control Service. This will also work for Active Directory by simply using your ADFS as an identity provider instead of Windows Live / Google, no need to create a custom STS for this.
If you want something with a little more screenshots, I wrote the following guide for one of my trainings: http://sandrinodimattia.net/blog/posts/federated-authentication-with-azure-appfabric-acs-v2-0-part-1-setup/