Getting the following message when accessing a site that should redirect to the OpenAM login page:
No such Organization found.
Contact your system administrator.
Return to Login page
i took a look at the debug logs (Authentication) but just getting null pointer exception:
amAuth:02/18/2014 08:26:12:659 AM GMT: Thread[http-bio-8181-exec-53,5,main]
ERROR: Error creating logFailed message
java.lang.NullPointerException
at com.sun.identity.authentication.service.LoginState.getSSOToken(LoginState.java:1926)
Organization in OpenAM is a REALM. Are you using a REALM in your URL e.g:
http://bla.bla.com/bla?realm=MYREALM
If yes make sure that REALM exists in the OpenAM server.
Related
I am trying to use an AWS single sign on script from my company to log into aws using the internal Azure Platform. When trying to log into the platform using SSO, I receive the following error messages:
Logging in to Azure AD...
Please enter your username(email address): test#company.com
Please enter your password: ********
Login failed: Authorization failed, please activate company's VPN.
The logs of the sso script show me this information:
2022-07-11 11:57:42,042 auth_with_adfs 207 | DEBUG | loginMessage: Authorization failed
2022-07-11 11:57:42,042 log_in_to_aad 174 | ERROR Login failed: Authorization failed, please activate your company's VPN.
I have activated the VPN so that is not the issue.
By looking at the internals of the files that raise those errors I found out that during the failed login process the login page for the Microsoft Office 365 Identity Platform is returned.
The login webpage tells me that I receive the following error when logging in with my credentials:
Error details: MSIS7012: An error occurred while processing the request. Contact your administrator
My POST request seems to be redirected with a 302 code and GET the login page with a 200 OK response.
So I can tell that I get stuck during the login process and according to the error message it is an authorization issue. My credentials are correct so I am wondering what needs to be changed here to get correct access? Is there some permissions missing I should have a closer look at? Do I need to make changes in AzureAD somehow?
Thanks in advance for looking into this, I know the information is sparse but I hope it is enough.
I have a bare-bones website (single page app) that tries to log in the user with AAD using the msal JavaScript library. It is practically just doing what the example AAD login code does:
It creates a UserAgentApplication with my app's client ID and the authority URL for my tenant
It calls handleRedirectCallback and loginRedirect
It tries to get either the accessToken or the errorCode/errorMessage from the redirect response
Under practically all circumstances this works fine. Users visit my page, they get redirected and login just fine. One particular user, however, after the redirect and attempt to login gets this error:
Login failed: invalid_client - AADSTS650051: The parameter 'dynamicPermissions' in the request payload is not a valid parameter for the function import 'consentToApp'.
Trace Id: ed33266a-26ac-4706-9018-e6e89f650100
Correlation Id: e3103cab-1a7f-4a99-8455-fd8c8a769e35
Timestamp: 2019-06-25 20:50:44Z
He has tried this in many different browser (Edge/Chrome) and always gets this error, even in InPrivate/Incognito mode. No other user ever runs into error that I've found.
I'm not sure how to debug the issue because in my code I don't ever specify a 'dynamicPermissons' property or reference a function named 'consentToApp.'
How can I troubleshoot what is causing this error for this one user?
Thanks!
Ultimately this turned out to be a bug in the AAD service that was fixed by Microsoft.
I'm trying to configure SAML between MS Azure AD and a WebSphere v9 CF11 server that's sitting in AWS. But it is not recognizing the TAI set up
I've followed all the steps here: https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_enable_saml_sp_sso.html and here https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/twbs_configuresamlssopartners.html
I've installed the SAMLSA app in WebSphere, imported the metadata file provided by my Azure admin, and imported the certificate as well. I've set up the ACSTrustAssociationInterceptor interceptor and put in (what I thought was) the right sso_1.sp.acsUrl and other settings for the server.
The SystemOut logs show that the ACSTrustAssociationInterceptor is loading:
SECJ0121I: Trust Association Init class com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor loaded successfully
but the version is null:
SECJ0122I: Trust Association Init Interceptor signature:
After setting it all up as above, when I go to the URL it just shows:
Error 403: AuthenticationFailed
And the log has errors about a missing cookie:
SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: CWWSS8017E: Authentication Error: Single-Sign-on cookie is not present or could not be verified. Please login to the SAML Identity Provider, and try again.
It's like it's never "intercepted" to be passed. Just fails. No network traffic goes to the AD server
When going to the URL it should redirect me to the MS Login and then back to the app, but it's not
It sounds like you might be missing an sso_1.sp.login.error.page property definition. Without that property, the expectation is that the user will be going to the IdP to initiate the sign on; if you define the property and set its value to your IdP's login page, then the 403 you're getting (as a result of being unauthenticated) will end up redirecting you over to the IdP to initiate the sign on process from there.
More info here in the "bookmark style" description: https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/cwbs_samlssosummary.html
I created a jhipster monolithic application (jhipster version v4.14.2). Also I create a Okta web application with following settings:
Login redirect URIs -> http://localhost:8080/login
Initiate login URI -> http://localhost:8080
Create groups for admin and user, setup the claim in the default authorization server, and assign them to the application and my user
I updated the application.yaml of my jhipster application as follow:
security:
basic:
enabled: false
oauth2:
client:
access-token-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/token
user-authorization-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/authorize
client-id: ????????
client-secret: ????????
client-authentication-scheme: form
scope: openid profile email
resource:
filter-order: 3
user-info-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/userinfo
token-info-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/introspect
prefer-token-info: false
When I start the application and then I try to sign in. I do get the Okta login page, however after adding my credential I always get the following error:
Your request cannot be processed
Sorry, an error has occurred.
Status: Unauthorized (Unauthorized)
Message: Authentication Failed: Could not obtain access token
I followed instruction in jhipster security documention and can't make it work. Any idea why I still get the unauthorized error?
This might have nothing to do with jhipster. Make sure your you URL for accessing the access token is right.
What Grant type are you using?
https://developer.okta.com/authentication-guide/implementing-authentication/
I think the error is here:
access-token-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/token
user-authorization-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/authorize
Is "user-authorization-uri" jhipster way of of asking for "issuer URL"?
My jdbcRealm has somehow gotten deleted by magic from GlassFish. Now when I try to add it back in, I get the following error.
SEVERE: SEC1111: Cannot load group for JDBC realm user [admin].
WARNING: WEB9102: Web Login Failed: com.sun.enterprise.security.auth.login.common.LoginException: Login failed: Security Exception
WARNING: Exception
com.sun.enterprise.security.auth.login.common.LoginException: Login failed: Security Exception
at com.sun.enterprise.security.auth.login.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:394)
Based on the other answers I've seen on here, the culprit is usually a reserved word being used as a column name but this doesn't seem to be the problem in my case (see screenshot below). We recently had some database model changes so I had to reconfigure the mappings for roles to groups in web.xml and glassfish-web.xml. There are five roles and they are a 1:1 mapping between users.