ITfoxtec Identity SAML 2.0 - Signed LogoutRequest using POST - itfoxtec-identity-saml2

With reference to our previous post our customer asked us to change the SamlIdpSettings:logouturl setting to:
https://idpqa.csu.edu.au/idp/profile/SAML2/POST/SLO
but the following then occurred:
2022-10-17 09:51:12,555 - 137.166.20.125 - ERROR [org.opensaml.profile.action.impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request
org.opensaml.messaging.decoder.MessageDecodingException: This message decoder only supports the HTTP POST method
at org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder.doDecode(HTTPPostDecoder.java:84)
2022-10-17 09:51:12,556 - 137.166.20.125 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: UnableToDecode
How can we change our code to use a POST request instead of a GET when sending the logout request?

The TestWebAppCore sample do logout using POST with the Saml2PostBinding.
It can be change to use GET by using the Saml2RedirectBinding.
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/Controllers/AuthController.cs#L68
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/Controllers/AuthController.cs#L81
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/Controllers/AuthController.cs#L90

Related

Cross-Origin Request Blocked: Authentication issue

ABP version 4.4 APP with identity server with angular EF core
my angular client send the username and password to identity server that is part of my abp application (mean same URL for api and identity server) that returns me token but after very next request for "api/abp/application-configuration" return with CORs error.
same application work for QA local environment with local config.
same call for "api/abp/application-configuration" work on app start because that time token is not attached in request header
i check my app setting CorsOrigins are matching with IdentityServerClientCorsOrigins
no space issue both angular and front end on https but with different port. you can verify with logs. one thing is strange in log no protocol attach # respond. (domain:1000)
I check and confirm that this is Authentication issue. by comment these two line and Authorize attribute from class
My application works fine. no issue for cors
app.UseAuthentication();
app.UseJwtTokenMiddleware();
system log
2021-09-04 10:42:24.731 -04:00 [INF] Request starting HTTP/2 OPTIONS https://domain:1000/.well-known/openid-configuration - -
2021-09-04 10:42:24.745 -04:00 [INF] CORS policy execution successful.
2021-09-04 10:42:24.751 -04:00 [INF] Request finished HTTP/2 OPTIONS https://domain:1000/.well-known/openid-configuration - - - 204 - - 19.7919ms
2021-09-04 10:42:24.793 -04:00 [INF] Request starting HTTP/2 GET https://domain:1000/.well-known/openid-configuration - -
2021-09-04 10:42:24.794 -04:00 [INF] CORS policy execution successful.
2021-09-04 10:42:46.050 -04:00 [ERR] Exception occurred while processing message.
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'.
System.Net.Http.HttpRequestException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (domain:1000)
System.Net.Sockets.SocketException (10060): A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
It is not a CORS issue, instead it is because your API (the UseJwtTokenMiddleware part) can't reach your IdentityServer over HTTP(s). I guess you got some DNS/Certificate/Network issue to resolve.

Getting HTTP 401 Error when using Camel-http4 with proxy and sslcontext

I have existing connection using http4(proxyAuthScheme=http4 and endpoint starts with https://<>) and using proxy and using sslContextParametersRef. it was working fine before.
now we have upgraded our new proxy with new proxy and i am started seeing HTTP 401 Error.
all the credentials correct and working before.
https4://test.org/DownloadHandler.ashx?proxyAuthHost=&authPassword=&bridgeEndpoint=true&authUsername=&proxyAuthScheme=http4&proxyAuthPort=&
throwExceptionOnFailure=true&sslContextParametersRef=sslContextParameters&proxyAuthPassword=&disconnect=true&okStatusCodeRange=200-299&
proxyAuthUsername=
sslContext is configured with correct key store and trust store and with TLSv1.2.
all this configuration working before and with new proxy server entry, i am getting HTTP 401 Error.
also i removed proxyAuthScheme=http4 from endpoint uri and i was getting ssl unverified error which is same as in this post. ( https://camel.465427.n5.nabble.com/Using-the-HTTP4-component-to-make-a-HTTPS-call-behind-proxy-sever-td5719105.html )
any help here would be appreciated.

Camel 3.2 PahoEndpointBuilder not working

I try to use the PahoEndpointBuilder
PahoEndpointBuilder endpoint = paho (topic).brokerUrl (brokerUrl);
but starting the route based on that endpoint always leads to an exception.
Caused by: org.apache.camel.ResolveEndpointFailedException: Failed to resolve endpoint: paho:myTestTopicMandant9?brokerUrl=tcp%3A%2F%2Flocalhost%3A1883 due to: There are 1 parameters that couldn't be set on the endpoint. Check the uri if the parameters are spelt correctly and that they are properties of the endpoint. Unknown parameters=[{brokerUrl=tcp://localhost:1883}]
at org.apache.camel.support.DefaultComponent.validateParameters(DefaultComponent.java:351)
at org.apache.camel.support.DefaultComponent.createEndpoint(DefaultComponent.java:169)
at org.apache.camel.impl.engine.AbstractCamelContext.doGetEndpoint(AbstractCamelContext.java:952)
Is this a bug?
Its a bug in Camel 3.2 that has been logged in JIRA: https://issues.apache.org/jira/browse/CAMEL-14921

SAML 2.0 invalid request SSOCIRCLE

I am trying to send a SAML request to the public IDP SSOCircle. I imported its metadata and try to authenticate against this URL:
https://idp.ssocircle.com/sso/idpssoinit?metaAlias=%2Fpublicidp&spEntityID=sp.bogdan.test
But when I send this request from my app, the following error is displayed:
Error occurred Reason: The SAML Request is invalid.
this my request:
a link
and this is the SAML message in the request that I wrote:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_3b7f937b-073d-4289-b2d1-35e786ebb524" Version="2.0" IssueInstant="2017-04-03T12:42:06Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://localhost:61344/Account/AssertionConsumerService">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.ssocircle.com</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
It may be as simple as not having registered the right Assertion Consumer URL (http://localhost:61344/Account/AssertionConsumerService) with SSOCircle. But you should really look in to the SSOCircle debug logs to find out more.
In your example you are sending https://idp.ssocircle.com as the Issuer of the AuthnRequest. The Issuer of the request is not the IDP but the SP. In your case it should be sp.bogdan.test

ERROR Angularjs + Lagom Framework

OPTIONS http://localhost:9000/api/chat/ 404 (Not Found)
XMLHttpRequest cannot load http://localhost:9000/api/chat/. Response for preflight has invalid HTTP status code 404
https://www.playframework.com/documentation/2.5.x/CorsFilter has details on enabling CORS for Play (which is Lagom is built on). To handle the OPTIONS you may need to do something like:
.withAutoAcl(true)
.withServiceAcls(
ServiceAcl.methodAndPath(Method.OPTIONS, "/foo")
)
https://groups.google.com/forum/#!msg/lagom-framework/dtYN_1Ds4SQ/gT-BGPuCAQAJ is a lagom-framework list discussion thread with more details.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests has an explanation of why your browser is sending an OPTIONS request to begin with.
The metadata for the current exact maven artifact which provides CORS for Play is this:
<metadata>
<groupId>com.typesafe.play</groupId>
<artifactId>filters-helpers_2.12</artifactId>
<versioning>
<latest>2.6.0-M2</latest>
<release>2.6.0-M2</release>
<versions>
<version>2.6.0-M1</version>
<version>2.6.0-M2</version>
</versions>
<lastUpdated>20170310220437</lastUpdated>
</versioning>
</metadata>

Resources