I have nginx-->SonarQube.
nginx is able to forward requests successfully.
We want to integrate Authentication with Azure AD.
We followed instructions from here:
https://www.emtec.digital/think-hub/blogs/sonarqube-integration-azure-active-directory/
So when I access https://mycompany.com, I get login page which has "Login with Microsoft" and More options(you can login with local user).
When I enter username and password for Microsoft , we see that Azure AD is returning the token, but SonarQube rejects after that. I see that in the sonarqube access log
"GET /api/navigation/global HTTP/1.1" 401 - "https://mycompany.com/sonar/oauth2/callback/aad?co
So it goes back to login page again. Not sure what I am doing wrong.
Please check with below points:
Try upgrading sonarqube to the latest version.
The redirect URL should be configured with a correct URL, e.g. https:// sonarqube.example.com/oauth2/callback/aad. Here /oauth2/callback/aad is a must in addition to the application URL. For example, if your main URL is "https://sonarqube.example.com" in sonar server base url , you would enter "https://sonarqube.example.com/oauth2/callback/aad" as redirect url in aad.
Make sure the user has required role or permissions to access .
Set the required permissions in portal and grant consent if required
i) Sign in and read user profile
ii) Read all users’ basic profiles
Also please check http redirection - Stack Overflow reference .The redirect URL must have a https or loopback address, else the Azure AD login will not work.
Try clearing the cookies and Restart after any changes made
Referencs:
sonar-auth-aad (github)
running-sonarqube-behind-an-iis-reversed-proxy
docs.sonarqube.org
Related
The disturbing scenario is: users log out of the application but their session remains valid such that they are able to sign back in without reauthenticating. Is the below code snippet the portion of the code that needs to be configured for the B2C session behaviour?
app.UseRewriter(
new RewriteOptions().Add(
context =>
{
if (context.HttpContext.Request.Path == "/MicrosoftIdentity/Account/SignedOut")
{ context.HttpContext.Response.Redirect("/Home/Index"); }
}));
When you want to sign the user out of the application, it isn't enough
to clear the application's cookies or otherwise end the session with
the user. Redirect the user to Azure AD B2C to sign out. If you fail
to do so, the user might be able to reauthenticate to your application
without entering their credentials again
The logout endpoint can receive an optional post_logout_redirect_uri parameter in the query string, where you can specify another URL where your user will be finally redirected by B2C. That can be the address of any resource, e.g. you homepage or your own page showing a "You successfully logged out of our service" message to the user.
post_logout_redirect_uri - The URL that the user should be redirected to after successful sign out. If it isn't included, Azure AD B2C shows the user a generic message.
For more details refer this document And also check with this SO Thread
I'm trying to get Bing ads spends from my firm. According to the Microsoft documentation, I understood that it's mandatory to use Microsoft Azure portal, get developer_token, client_id, tenant_id, client_secret, and access/refresh token to download the csv files with the data I want.
So, this is what I did:
I've received an invitation from my firm to Microsoft advertising onto this email adress:
abc#myfirm.fr, and I've generated my developer token.
With this email address, I've created a web application onto Microsoft Azure portal, which allow all king of users. Getting client_id, tenant_id, and generated a client_secret.
The redirect URL that I have chosen is http://localhost (according to the documentation but not sure this is the good URL to choose).
With Postman, I have tried with this endpoint:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
and the params (previously obtained) needed for the OAuth 2.0 authentication to get my access token. Without success.
The issue is here.
When I request the access token, a new browser window opens, and asks for an email address on which to authenticate. I'm using my email address abc#myfirm.fr and I received authentication completed onto Postman but into the response body I have access_token: invalid.
The role of my account is super admin.
So I'm trying to authenticate with a professional Microsoft Azure Account and this time I received into the browser Invalid redirect url.
I have also tried to start all over again with different email address, like my personal email address, or with the email address of the creator of the Microsoft Advertising account, and I get the error contact your system Admin into the browser.
I have also tried with the Python SDK project given in the documentation, with the error message.
I must have forgotten or misunderstood something.
Should we use the same email address (or same account) on Microsoft Advertising, on Microsoft Azure, and when obtaining the access token?
Do you have to pay and take an Azure subscription? (Already done but without success)
Thanks in advance, sorry for my English.
EDIT:
Thank for ypur reply. The full request is: https://login.microsoftonline.com/common/oauth2/v2.0/authorize with the following params:
-type: OAuth 2.0
-Header Prefix: Bearer
-Grant Type: Authorization Code
-Callback URL: https://localhost
-Auth URL: https://login.microsoftonline.com/{my-tenant_id}/oauth2/v2.0/authorize
-Access Token URL: https://login.microsoftonline.com/{my-tenant_id}/oauth2/v2.0/token
-my client id
-my client secret
-scope: https://ads.microsoft.com/ads.manage OR also testing with https://graph.microsoft.com/User.Read
-State: None
-Client authentication: send client credentials in body
Give me an access_token but when I click on use token and send the request, I'm not getting an refresh token
Once a user provides consent, you can get an access token and act on behalf of the user.
So when the browser session starts, you should enter your Microsoft Advertising credentials.
Remember to set scope=https://ads.microsoft.com/ads.manage in the request for acquiring the authorization code.
If you prefer to automate this process, you can refer to this script and steps to obtain an access token.
I've set up IdenityServer4 to use AzureAD backend authentication. All's well and it works, but when trying a guest user account, it just seems to hang.
I've set the "signInAudience": "AzureADMyOrg" in the Manifest file for the authenticating app on AzureAD. Also I am using the tenant specific url for the Authority from IDS4. "https://login.microsoftonline.com/abc.onmicrosoft.com".
And I've added the Microsoft Account account as guest user to AzureAD.
PS:
Noticed that it gives and error page with:
This login.live.com page can’t be found
No webpage was found for the web address:
https://login.live.com/oauth20_authorize.srf?response_type=code&client_id=51487777-085c-4777-bf88-cf50c7257777&scope=openid+profile+email+offline_access&response_mode=form_post&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2ffederation%2foauth2&state=rQIIAZ2Vuc7kABCDE59_ZnZmkGBBK0Q4wUocwv_4Pn6Job2... etc... &username=abc%40gmail.com
Notice the "https%3a%2f%2flogin.microsoftonline.com%2fcommon" in there... even though I've specified a tenant specific authority with IDS4...
Tried manually changing that part to "https%3a%2f%2flogin.microsoftonline.com%2fcontoso.onmicrosoft.com" and still gives same error. "This login.live.com page can’t be found".
The guest user email account is actually a gmail.com. But which has been added as guest user on AzureAD. When I look at the Identity for that guest user account, it is of type Microsoft Account. Do I need to add either gmail or Microsoft (live.com) as an additional authentication provider (in addition to AzureAD) to IDS4 for it to work..? –
I have SAML service provider(SP) and I want to use salesforce as a Identity provider(IdP) with my SP.
I have setup domain, Created new Connected App with saml enabled with all required details. Then downloaded metadata and used this to register on SP.
Salesforce gives me IdP initiated Login Page URL. When i visit that, it works perfectly. It redirects to saleforce login, after that sends SAML response to SP. But when I visit SP and initiate login from there which redirects to salesforce page which gives following error.
Insufficient Privileges
You do not have the level of access necessary to perform the operation you requested. Please contact the owner of the record or your administrator if access is necessary.
I had the same issue and got fixed. Here are helpful tips.
You can check on the logs under 'Manage Users -> Identity Provider Event Log'. This could give reason for your error. I got a 'Error: User does not have access to this service provider' error
For this, the user was not given permission. Even if the user is System Administrator, the access to Connected App is not given by default. To give permission, go to 'Manager Users -> Users' and click edit on the user you are testing.Click profile name link .e.g System Administrator. This takes to profile page. You can scroll below to 'Connected App Access' and you would see that the access is not given. Give the access by clicking edit profile in the top of page.
I have set up the custom login page for my application using the following resource.
http://brianpeddle.com/2011/06/06/building-a-custom-salesforce-login/
However this approach requires security token for each user if the user is in untrusted network and the security token changes when user reset password.
How can I set up so that I allow multiple user login from this page? Currently only I can think of is have an extra input box so that user past the security token along with username and password. I wonder if salesforce allow javascript to grab security token dynamically for each user
OAuth2 is a security implementation that allows users to access their Salesforce data without having to enter their user/password in an untrusted application or do nasty token management themselves.
Salesforce has a guide on how to implement OAuth2 for web sites. It can be difficult to set up if you don't have any experience with OAuth2, but there are plenty of guide available.
I would also recommend using something like Firefox's RESTClient addon (or something like it) to test the use of OAuth2 to get a feel for authenticating against Salesforce .
Are you sure you have white listed the IP?
I strongly belive if you get the IP of server where your custom login page is hosted and put that in list of white listed IP's then User will not required to enter their security token.
to find the ip of your server(where your page is hosted)
- try to login with your custom login page
- login into SFDC and go to setup -> user profile-> login history
there you will see last login from IP
Copy above IP and
Again go into Setup -> Security control -> Remote site setting
and add above copied IP.
this way SF will not required security token when user is login from that IP.
http://ap1.salesforce.com/help/doc/en/configuring_remoteproxy.htm
Use this code for just login:
https://login.salesforce.com?un="+username+"&pw="+password+"&startURL=/apex/somepage