SAML with Ping Identity getting error invalid issuer - saml-2.0

I have tried using the SSO URL mentioned under "Single Signon Service", https://auth.pingone.asia/{env}/saml20/idp/sso, and the issuer https://auth.pingone.asia/{env}, but I am getting "ErrorCode: INVALID_ISSUER - Unable to find application for spEntityId: 'https://auth.pingone.asia/{env}' in environment {env}".
Please help me understand where exactly my configuration is wrong.

Check whether you have created a SAML application; if not, try creating it with https://apidocs.pingidentity.com/pingone/platform/v1/api/#post-create-application-saml-protocol
Note: the ACS URL is the place where you want PingIdentity to redirect after login authentication is completed. The SAMLResponse will also be posted there.
(OR) You can create the SAML application directly from the PingIdentity console by selecting Add Application, selecting SAML as the type, and choosing manual SAML configuration, specifying an entity ID (something unique) and the ACS URL.
Go to the Ping console dashboard and check the Entity ID of the application; it should match the saml:Issuer of your AuthnRequest.
For example, if your dashboard is like this with Entity ID "test",
then your AuthnRequest should look like this:
```xml
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="test"
    Version="2.0"
    IssueInstant="2022-09-19T16:46:59Z">
  <saml:Issuer>test</saml:Issuer>
</samlp:AuthnRequest>
```
Note the line: <saml:Issuer>test</saml:Issuer>

Related

Okta - OAuthError - Unable to process the username transform. A required property is missing. Missing field email

I am integrating Okta in my React application for SSO. I use the following method to create a token using redirect:
https://github.com/okta/okta-auth-js#tokengetwithredirectoptions
I am using the https://www.npmjs.com/package/@okta/okta-auth-js package.
Users are directed to the Identity Provider (IdP) in order to authenticate and are then redirected to Okta once verification is successful.
The SSO works fine, but when I keep the React application idle for some time, I get the following error:
OAuthError - Unable to process the username transform. A required property is missing. Missing field email.
It looks like you have configured email as the incoming claim from your IdP, but Okta can't find it in the incoming assertion/token.

Getting AzureAD implicit flow working with Swagger UI

As an exercise, I have been attempting to create a Swagger configuration that can invoke the Azure Management API, and to run this from the online Swagger editor.
I have configured it to use implicit authentication, and it almost works, but I just cannot get Azure to recognize the Swagger editor as a valid redirect URL.
Here are all the steps I have taken. Can anyone spot what I'm doing wrong?
Using the Azure AD portal, I create a new Azure AD application.
In the application registration's Reply URLs, I added https://editor.swagger.io/oauth2-redirect.html
I created the following security entries in my Swagger 2.0 document:
```yaml
securityDefinitions:
  azureTokenAuthentication:
    flow: implicit
    authorizationUrl: https://login.microsoft.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/authorize
    scopes:
      https://management.azure.com: Accessing the Azure API
    type: oauth2
security:
  - azureTokenAuthentication:
      - https://management.azure.com
```
(The redacted GUID is my tenant id).
Now, when I click on the "Authorization" button, Swagger opens up a dialog for me:
So I enter the application ID and click Authorize. It then sends me to the logon URL with the following parameters:
response_type: token
client_id: eb482fb2-8229-434e-b5a6-9fc3e0f06968
redirect_uri: https://editor.swagger.io/oauth2-redirect.html
scope: https://management.azure.com
state: <Base64 string>Wed Mar 13 2019 09:16:06 GMT+1000 (Australian Eastern Standard Time)
Note that the redirect uri matches the value I entered in the app registration.
So I enter my username and password, and then the URL gets redirected to the following:
https://login.live.com/err.srf?lc=1033#error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+a+URI+which+matches+a+redirect+URI+registered+for+this+client+application.&state=rQIIAdNiNtQztFJJTTKxMEpLMtK1MDKy1DUxNknVTTJNNNO1TEs2TjVIMzCzNLMoEuISWF1yo3vvud0Ozb9b9Z66bQ-cxcgZn5NZlqqXnJ-7ilEvo6SkoNhKXz81JbMkv0ivuDwxPT21SC8zXz8_sbQkw0i3CChTlJpcAlSZm7ODkfECI-MLRsZbTPz-jiB5EJFflFmVOos5JswoLNvT1TAjOdOxwrfSsdLXxdXU08XR1D_L1cg_y9HI0zXFL8y5uMLXxbHc0znDKSXCzyA51604Mdyt1NM1LCPZOCgnOdckPdQ4KCMpNygjOTcwPcw9pyQqONt2E7NKSqqpuZGhmZGuabJ5iq6JRVqSrmWSqaGuubmlabKpeaKZqWXyKWYZmI9yE_MS01NzU_NK9BKrSovAHr7BzHiBhfEVC48BsxUHB5cAgwSDAsMPFsZFrMCQmrTR22we8wzHyc1Bd633_2M4xapfku7mkeJk5qxfkpOb7lcUXB5SmOZb7Jef7l-c526UmVUQqV_q5Zzh4uzma2tkZTiBTeYDG2MHO8MuThID9haXiJGBoaWugbGuoZGCkbGVoZmVgXkUAA2
The interesting text I glean from this is:
The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.
But it DOES match! What am I doing wrong?!?
Reply URL = "your web API's Swagger page URL" concatenated with "/oauth2-redirect.html"
Example: https://localhost:44329/swagger/oauth2-redirect.html
Configure that for each environment in your app registration, including your localhost.
First of all, I changed the authorization URL from https://login.microsoft.com/<tenant-id>/oauth2/authorize to https://login.microsoft.com/<tenant-id>/oauth2/v2.0/authorize
I then had to follow these instructions, and directly modify the application manifest to allow implicit flow:
Then I changed the scopes. I could not get management.azure.com running, but I could get https://graph.windows.net by appending /.default to the scope. (https://graph.windows.net/.default).
That got me another step further. Now it redirected to the Authorization URL, and Microsoft authenticated me, generated a token for me, and redirected my browser to https://editor.swagger.io/oauth2-redirect.html
Then I was thwarted, when I realised that editor.swagger.io does not actually handle the path it's redirecting the browser to. (The file oauth2-redirect.html exists on GitHub here: https://github.com/swagger-api/swagger-ui/blob/master/dist/oauth2-redirect.html)
That's when I gave up.

What should the Issuer be set to in SAML request for Azure AD

I have read https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol, but I am not clear on what to set the Issuer value to below. Is this something I can grab from the Azure portal? I am using a "Non Gallery Application".
```xml
<samlp:AuthnRequest
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="id6c1c178c166d486687be4aaf5e482730"
    Version="2.0" IssueInstant="2013-03-18T03:28:54.1839884Z"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.contoso.com</Issuer>
</samlp:AuthnRequest>
```
The Issuer is your SAML2 entityID. This is set to the App ID URI that is specified during application registration, so if your App ID URI is something like:
https://your.app/saml
then that's what you set your Issuer to. The entityID is not a URL, although they usually look like one, and opening one in a browser usually downloads the SAML2 metadata for the entity, but that's not essential. The App ID URI is just a unique identifier for your app. Your app issues SAML requests using its App ID URI as the Issuer.
It's what you have configured on the Azure portal for custom SAML, e.g.
Identifier (Entity ID): https://some address
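The rule given in both the Ping Identity answer above and this Azure AD answer is the same: the AuthnRequest's saml:Issuer must be the SP's own entity ID, not the IdP's URL. The following added example (not code from either question, Ping Identity or Microsoft) builds an AuthnRequest with the standard library and runs a pre-flight check that catches the misconfiguration from the Ping question; {env}, the "test" entity ID and the ACS URL are assumed placeholder values.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)

# Assumed values: {env} stands for the PingOne environment id from the question, "test" is the
# Entity ID registered for the SAML application, and the ACS URL is a constructed SP address.
IDP_BASE = "https://auth.pingone.asia/{env}"
IDP_SSO_URL = IDP_BASE + "/saml20/idp/sso"
SP_ENTITY_ID = "test"
SP_ACS_URL = "https://sp.example.com/saml/acs"


def build_authn_request(issuer, idp_sso_url, acs_url):
    """Serialise an AuthnRequest. Issuer names the SP (the requester); Destination names the IdP."""
    req = ET.Element(f"{{{NS_P}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,  # xs:ID: unique and must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def check_issuer(authn_request_xml, registered_entity_id, idp_base_url):
    """Pre-flight check mirroring the IdP's lookup: the Issuer must equal the Entity ID
    registered for the application. Returns (ok, reason)."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.findtext(f"{{{NS_A}}}Issuer", default="")
    if issuer.startswith(idp_base_url):
        return False, f"Issuer {issuer!r} is the IdP's own URL; it must be the SP entity ID"
    if issuer != registered_entity_id:
        return False, f"Issuer {issuer!r} does not match the registered Entity ID {registered_entity_id!r}"
    return True, "Issuer matches the application's Entity ID"


if __name__ == "__main__":
    wrong = build_authn_request(IDP_BASE, IDP_SSO_URL, SP_ACS_URL)  # the mistake in the question
    right = build_authn_request(SP_ENTITY_ID, IDP_SSO_URL, SP_ACS_URL)
    print(check_issuer(wrong, SP_ENTITY_ID, IDP_BASE))
    print(check_issuer(right, SP_ENTITY_ID, IDP_BASE))
```

For Azure AD the same check applies with the App ID URI (Identifier) from the portal in place of "test".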

SP-initiated Single Logout not working with SalesForce

I am attempting to use SP-initiated SLO with SalesForce (trying Redirect and POST) with the following LogoutRequest:
```xml
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_1583fa34b3e9426ba5885849204d6f8d" Version="2.0" IssueInstant="2017-11-14T18:42:25Z"
    Destination="https://myorg-dev-ed.my.salesforce.com/services/auth/idp/saml2/logout">
  <saml:Issuer>myorg</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">me#myorg</saml:NameID>
</samlp:LogoutRequest>
```
I am using my SP entity ID for Issuer. I also tried using it for NameID SPNameQualifier. My Redirect and POST logic work for AuthnRequest. This SLO is working with OneLogin.
The error I get back is:
We are unable to log you out. Please contact your administrator for more information.
I cannot find any relevant log entries.
Which tool are you using to generate the XML?
Add the tag SessionIndex, which you can get from the login.
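The SessionIndex the answer refers to is carried in the AuthnStatement of the assertion the IdP returned at login. This added example (not code from the question or from Salesforce) pulls NameID and SessionIndex from a constructed login Response and echoes them into the LogoutRequest; the sample Response, the IdP host and the SessionIndex value are made up.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed sample of the parts of an IdP login Response that SLO needs
# (Signature, Conditions and attributes omitted; the SessionIndex value is made up).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2017-11-14T18:40:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-11-14T18:40:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2017-11-14T18:40:00Z" SessionIndex="_s1-constructed"/>
  </saml:Assertion>
</samlp:Response>"""


def extract_session(response_xml):
    """Return (name_id, name_id_format, session_index) from the login Response."""
    root = ET.fromstring(response_xml)
    name_id = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    stmt = root.find("./saml:Assertion/saml:AuthnStatement", NS)
    if name_id is None or stmt is None or not stmt.get("SessionIndex"):
        raise ValueError("Response lacks NameID or SessionIndex; a LogoutRequest cannot be built")
    return name_id.text, name_id.get("Format"), stmt.get("SessionIndex")


def build_logout_request(sp_entity_id, slo_url, name_id, name_id_format, session_index):
    """LogoutRequest with the SP entity ID as Issuer and NameID/SessionIndex echoed from login."""
    req = ET.Element(f"{{{NS['samlp']}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": slo_url})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{NS['saml']}}}NameID", {"Format": name_id_format}).text = name_id
    ET.SubElement(req, f"{{{NS['samlp']}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    nid, fmt, idx = extract_session(SAMPLE_RESPONSE)
    print(build_logout_request("myorg", "https://idp.example.com/slo", nid, fmt, idx))
```

If the IdP returns an EncryptedAssertion, decrypt it first; the elements read here are the same.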

How to change saml2p:NameIDPolicy that wso2is sends to IdP?

I have a WSO2IS 5.2 acting as a federation hub. The AuthnRequest that it sends to the IdP (in this case PingFederate) includes this NameIDPolicy:
```xml
<saml2p:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    SPNameQualifier="WSO2IS"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
/>
```
After logging in at PingFederate, it sends back a SAML message including this:
```xml
<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
  </samlp:StatusCode>
  <samlp:StatusMessage>Cannot provide requested name identifier qualified with WSO2IS</samlp:StatusMessage>
</samlp:Status>
```
I've tried uid and mail NameID values in PingFederate, but I always get this response. I would like to try changing the NameIDPolicy format that WSO2IS sends, but I have not found a way to do it. I think it should be a SAML 2.0 format.
The only thing I found was the "Include NameID Policy" check box in the IdP settings, but it stays checked even if I uncheck it and save.
How do I change the NameIDPolicy format?
UPDATE: I solved the problem by enabling pseudonym identifier at PingFederate and sending username as attribute. Still it would be good to know the answer to my question.
Yes, your understanding is correct. You need to change the NameIDPolicy. You can find it on the service provider (SP) creation page. Go to the WSO2 IS management console, Home > Service Providers > Add.
After that, enter the name for the SP and click the Register button.
Now you are on the Service Provider configuration page.
Go to Inbound Authentication Configuration > SAML2 Web SSO Configuration > Configure.
On this page you can configure SAML2 Web SSO; the page header shows
"Register New Service Provider". Go to NameID format and change it to urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress instead of urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
You can find more details in the WSO2 documentation [1].
[1] https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0
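The status block quoted in the question nests the specific code (InvalidNameIDPolicy) under a generic top-level "Requester" code, so a check that reads only the first StatusCode reports nothing useful. This added example (not code from the question, WSO2 or PingFederate) walks the whole StatusCode chain of a SAML Response and returns the most specific code with its message; the surrounding Response element is a constructed wrapper around the Status block from the question.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: a minimal Response wrapping the Status block quoted in the question.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r1" Version="2.0" IssueInstant="2017-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Cannot provide requested name identifier qualified with WSO2IS</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""


def status_chain(response_xml):
    """Return (codes, message): every StatusCode Value from outermost to innermost, plus StatusMessage."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("Response has no Status element")
    codes = []
    code = status.find("samlp:StatusCode", NS)
    while code is not None:  # second-level codes are nested inside the top-level one
        codes.append(code.get("Value", ""))
        code = code.find("samlp:StatusCode", NS)
    return codes, status.findtext("samlp:StatusMessage", default="", namespaces=NS)


def explain_failure(response_xml):
    """None when the top-level code is Success; otherwise the most specific code plus the IdP's message."""
    codes, message = status_chain(response_xml)
    if codes and codes[0] == SUCCESS:
        return None
    specific = codes[-1].rsplit(":", 1)[-1] if codes else "unknown"
    hint = ""
    if specific == "InvalidNameIDPolicy":
        hint = " (compare the NameIDPolicy Format/SPNameQualifier the SP sends with what the IdP can issue)"
    return f"{specific}: {message}{hint}"


if __name__ == "__main__":
    print(explain_failure(SAMPLE_RESPONSE))
```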
