This is my SAML assertion from OpenAM IDP
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="http://idp.ntech.com:9090/openam">/81OhgvXhHdM/+STdnPlhgkVJzDo</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="FEDE98AB33A4049999504522AB01C664219893A2" NotOnOrAfter="2012-10-27T10:56:22Z" Recipient="http://sp.ntech.com/SampleApp/fedletapplication.aspx" /></saml:SubjectConfirmation>
</saml:Subject>
but i need the username instead of NameId ,I am using OpenAM.Please help
Since you are using the transient NameID-Format, the NameID coming from OpenAM will contain just a random string. If you actually need any info about the user, then you either need to change the NameID-Format from transient to something else (possibly also using the NameID value mapping feature in OpenAM), or you need to send those extra attributes as part of the assertion (attributestatement). In order to do that you would need to configure Attribute mapping on the IdP.
Related
I'm trying to implement caching of public key provided by openid-configuration/jwks endpoint of our JWT provider. I want to use cached value for validation of signature of incoming request. We want to have cache in place in order to lower requesting jwks endpoint. So we decided to create custom APIM policy in order to do that. After few hours of struggles I found myself clueless. Therefore I would like to address some questions about APIM xml policies.
How can I read request JWTs kid or x5t in policy? Regarding to APIM policy expressions calling AsJwt() returns Jwt object which does not contains Header property which should contain required fields
I tryed Id, Claims with no successful reach of kid or x5t (<set-variable name="requestKid" value="#(context.Request.Headers.GetValueOrDefault("Authorization","").Split(' ')[1].AsJwt()?.____)"/>)
When retrieving JWKs from the provider endpoint I'm not able to store various fields of response into separate context variables, it always fails on second <set-variable. Seems like (IResponse)context.Variables["jwksResponse"]) is null when calling second time. Does context variables get destroyed after first read?
<send-request mode="new" response-variable-name="jwksResponse" timeout="10" ignore-error="true">
<set-url>https://some.identity.server/.well-known/openid-configuration/jwks</set-url>
<set-method>GET</set-method>
</send-request>
<set-variable name="jwksn" value="#(((IResponse)context.Variables["jwksResponse"]).Body.As<JObject>()["keys"][0]["n"])" />
<set-variable name="jwkse" value="#(((IResponse)context.Variables["jwksResponse"]).Body.As<JObject>()["keys"][0]["e"])" />
How can I set key exponent and modulus attributes? When I use variables from previous step I got xml validation Error: "ValidationError" - "Error in element 'validate-jwt' on line 8, column 4: value is not a valid base64url string." while It works when when hardcoded. (I also tried hacks with Convert.ToBase64String(), with no success, to me seems like xml validator issue - can it be overriden?)
<issuer-signing-keys>
<key e="#((string)context.Variables["jwkse"])" n="#((string)context.Variables["jwksn"])"/>
</issuer-signing-keys>
Can I use x5c value retrieved from our JWKs provider as key value? like so:
<issuer-signing-keys>
<key>#((string)context.Variables["jwksx5c"])</key>
</issuer-signing-keys>
After further investigation we found gitHub thread regarding caching of JWKs when using JWT validation with OpenId. It seems JKWs are cached for 1 hour and also recached when validation fails. However this behavior is not stated in documentation.
I'm trying to capture the URL of the Azure B2C custom policy as user lands on the first page. This is the CombinedSignInAndSignUp orchestration step (the first combined signup/sign-in page). I want to use this url at later stage during the user journey.
I'm fiddling with the idea of displaying a pop-up with custom message if anything goes wrong and journey can not be continued further.
Current recommendation from Microsoft is that it throws an error and backend application should handle that error and take appropriate action (like in the case of Forgot Password link). I'm trying to handle this situation slightly different in the sense that I'd rather show this message to the user and redirect back to the policy (sign-up or password reset).
I have tried to setup extra input controls on CombinedSignInAndSignUp step but it doesn't seem to support that, it's only showing username and password controls. The idea was I capture current url (via JavaScript), store it in that input control (claim) and carry it forward in the journey and use it when needed to redirect the user back to that policy.
Any suggestion on how this can be achieved?
Thanks
Sanjay
I am not sure if the url can be captured or not but its easy o construct it using claims transformations and claim resolver.
Following will be the format of the policy url with all the claim resolver mentioned. You will need a claims transformation to format the final url .
https://{Policy:RelyingPartyTenantId}.b2clogin.com/{Policy:RelyingPartyTenantId}.onmicrosoft.com/oauth2/v2.0/authorize?p={Policy:PolicyId}&client_id={OIDC:ClientId}&nonce={OIDC:Nonce}&redirect_uri=https%3A%2F%2Fjwt.ms&scope{OIDC:scope}&response_type=id_token&prompt={OIDC:Prompt}&ui_locales={Culture:LanguageName}
There are two variables which currently are not available in custom policy as a claims resolver- redirect_uri and responseType. For them you have two options
- Hard code them
- duplicate them into other query string param to the policy url and then extract them as claims resolver. B2C has claims resolver which can get value from query string params it's called {OAUTH-KV} claims resolver. example for a query string parameter testReplyUrl.
<OutputClaim ClaimTypeReferenceId="replyUrl" DefaultValue="{OAUTH-KV:testReplyUrl}" AlwaysUseDefaultValue="true" />
<BuildingBlocks>
<ClaimsSchema>
<ClaimType Id="replyUrl">
<DisplayName>redirect uri</DisplayName>
<DataType>string</DataType>
<AdminHelpText>Reply url</AdminHelpText>
<UserHelpText>ReplyUrl.</UserHelpText>
</ClaimType>
</ClaimsSchema>
</BuildingBlocks>
I try to build an invitation flow using custom policies.
My approach was to combine the invitation part of the WingTipGamesB2C policies with the custom policy starter pack.
The invitation seems to work fine; when using the invitation link and providing the user data (display name, password), the user is created in the Azure AD.
But I am not able to login with this user; the sign in dialog shows "Invalid username or password." (while with a wrong password "Your password is incorrect" is shown).
Using the builtin signin policy, the login works as expected.
b2crecorder shows the following log:
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Using validation endpoint at: https://login.microsoftonline.com/foo.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(c693a69c-4a15-4ef5-b85d-a9a6a3f3298f) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
This looks like the same error as in this question, but should be a different problem, as the problem was the "forceChangePasswordNextLogin" flag in there, while the users that are created by the invitation should not have this flag.
I checked that the IdentityExperienceFramework and ProxyIdentityExperienceFramework apps are correctly created and permissions are granted. They are also referenced as documented in the TrustFrameworkExtensions.xml.
How can I fix this? What can I do to further debug this problem? I used both Application Insights and the b2crecorder without getting enough information about the failure.
Additional information:
* The custom signup does also not work
* Signing up/in via 3rd party IDP (Google) works
I just found out what my problem was; In the login-NonInteractive technical profile, I replaced the strange looking <Item Key="ProviderName">https://sts.windows.net/</Item> by some nice looking name, assuming that it was just some irrelevant string (e.g for the google IdP, I could use <Item Key="ProviderName">Google</Item> ...)
Well, it seems to be important. When restoring the original providername, signin works perfectly.
Just answering my own question here, as I hope this will save somebody else's time.
In my Spring Integration project (with Spring Security API using Basic Authorization), I am trying to access the Principal object in order to read the Username.
This is the structure of the inbound gateway:
<int-http:inbound-gateway request-channel="gatewayRequests"
reply-channel="gatewayResponses"
supported-methods="POST"
path="/api/v1/myservice"
request-payload-type="java.lang.String" reply-timeout="100">
<int-http:request-mapping consumes="application/xml" produces="application/xml"/>
<int-http:header name="principal" expression="T(org.springframework.security.core.context.SecurityContextHolder).context.authentication.principal"/>
</int-http:inbound-gateway>
I got the aforementioned expression from the reply in this:
Spring Integration and http inbound adapter, how do I extract a principal user?
Despite successful authentication, I don't see the principal - is my syntax correct in expecting the result of the expression to be mapped to a message header?
Instead of the mapping to the header, if I were to use the following, how do I access the Principal value in the code layer (assuming it gets added into the payload)?
<payload-
expression="T(org.springframework.security.core.context.SecurityContextHolder).
context.authentication.principal">
Can anyone kindly help me?
Sincerely,
Bharath
There is already a header like:
.setHeader(org.springframework.integration.http.HttpHeaders.USER_PRINCIPAL,
servletRequest.getUserPrincipal())
in the message sent to the gatewayRequests.
Why that doesn't work for you?
OTOH that expression must work too. If you don't have that one, then you can't assume that you are authenticated correctly...
OpenID specification 5.5 explain RP can request claims using claims request parameter. http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
What is the purpose of this feature?
Is it this feature create security vulnerabilities as user able to set claims?
For example user can modify URL on browser into:
https://op.example.com/authorize?
response_type=code
&client_id=client
&redirect_uri=https://client.example.com
&scope=openid
&claims={“userinfo” : {“sub”: { “value” : “superuser”}} , “id_token” : {“sub”: { “value” : “superuser” }}}
If OP implements this feature, then OP put that claims into id token and user info.
The purpose of this feature is to request claims, possibly with a certain desired value. It does not mean that the RP is able to set claim values. Instead the OP should verify which of the requested claims and values match for the authenticated user and return only those claims that are valid.