Has anyone figured out how to verify a Salesforce domain with Apple Pay?
Basically, Salesforce does provide a way to verify a domain by going to Setup - Domains and clicking Verify. That prompts you to upload the verification file but Salesforce seems to place it under
https://your.domain/.well-known/apple-developer-domain-association.txt
whereas Apple is looking for it at
your.domain/.well-known/apple-developer-merchantid-domain-association.txt
(note the extra merchantid- in the file name).
The main issue is that Salesforce's multi tenant platform doesn't allow for direct access to the file that's placed in .well-known directory and there doesn't seem to be any way to control the file name. Is there any alternative way to verify domain ownership in this case?
Related
As you know Salesforce is enforcing Enhanced Domains. I found from Salesforce help that:
Custom components in your org must be evaluated in order to check
whether they use domain name/static URLs
Some embedded content stored in Salesforce might no longer appear
Third-party applications can lose access to your data
Single sign-on integrations can fail
However, I'm struggling with finding out which particular Salesforce elements/configurations should be checked in order to detect potential gaps? Do you know which areas exactly can be affected and shall be evaluated (like Apex Codes, Email Templates and so on)? Is there any guide on that?
Your biggest concern should be inbound integrations. Things that log in over REST/SOAP API, get response with session id back, ignore the "url to use for all subsequent requests" and just use hardcoded url, whether it's prod or sandbox.
Look at this guy, he's victim of either enhanced domain or "disable api versions < 30" thing: The requested resource no longer exists with rest PHP. Look at these guys, they had hardcoded url: how to solve python code error (TooManyRedirects: Exceeded 30 redirects), Salesforce API via postman error INVALID_SESSION_ID.
As for stuff inside Salesforce itself - best would be to download whole project with sfdx and run a text search for your domain name (and site/community name if you have these). Email templates that use merge fields for forgot password etc should be fine, merge fields with record link should be fine... But if you manually craft email body in apex - might be a problem. A lot depends how creative the developer was. If you find getsalesforcebaseurl().toexternalform() it should still work. If it's hardcoded / read from custom setting / custom label / custom metadata it might be more fun.
If you have external apps that display pieces of salesforce (embedded live chat? some iframe with FAQ? CMS Connect) - the domain change might mean they need to be updated, both in terms of updating url and changing security rules (CSP for example)
Can someone explain Saml2 authentication process? I have installed ckanext-saml2 extension for ckan.I have a extra button in login form which is called login with sso.But I donot have any sp metadata(sp.xml).Also I have idp.xml but what should I write to the this file.Do you have any idea about these files?Should I create a sp.xml file?Also should I change idp.xml file?When I click the button where should I read user information ?
You shouldn't change the idp.xml.
Basically ckanext-saml2 is used to allow Users to enter CKAN portal from other places, rather than only CKAN.
In order to do that, you'll need an idp.xml and sp.xml files.
idp.xml - file that consists of a unique path to the remote Portal where all Users already exists (usually it marked as entityID) and X509 Certificate.
sp.xml - file that is generated by CKAN portal and has pretty much same data as the idp.xml.
Both of those files are used to allow Users to log in into CKAN from other portals. In other words, sp.xml file is provided to the IdP (Identity Provider) and the idp.xml file is provided to the CKAN portal (Service Provider) that is going to use it.
According to the ckanext-saml2 documentation, all configuration should be done in ckanext/saml2/config/sp_config.py file. Configuration should consist entityID URL from idp.xml, path to the idp.xml file, path to logs, data about the CKAN portal, fields that should be taken from the response, their mapping and so on...
After the configuration done, according to documentation, you will be able to generate the sp.xml from the sp_config.py file by using python make_metadata.py sp_config.py.
The button on the login page should redirect you to the IdP login page, where you should log in and be redirected back to CKAN. CKAN will automatically create a User for you if it not exists on the CKAN Portal using the response from the IdP.
For more details, you can check out the Datashades SAML2 CKAN repo or at the original once.
if you are not sure about SSO then you need to have a good reading about that.
Can you tell us what kind of IdP you integrate with? AD FS?
Your sp.xml should be generated by the ckanext-saml2 extension, have a look their git hub page. Then you need to upload sp.xml (sp metadata to your IdP)
I am experiencing an issue where a set of custom policies that upload without issue to one tenant (development tenant), fail to upload to another (production tenant). The policies function correctly on the (working) development tenant.
I upload the files in the following order:
TrustFrameworkBase.xml uploads OK
TrustFrameworkExtensions.xml uploads OK
SignUpOrSignin.xml fails with above error
ProfileEdit.xml fails with above error
PasswordReset.xml uploads OK
The only clue I have is that if I query the extension claims in the B2C app for the failing tenant, it only shows 2 out of 8. If I run the same query against the working tenant, it shows all 8. I am doing this querying using this example app: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet.
As far as I can tell, the two tenants are configured the same, and I have checked the various IDs etc are configured correctly. But it is always possible I have missed something!
Can anyone help?
The xml files: https://1drv.ms/f/s!ApxUZQaL9hp0h1ACYgWzgzsGwCOc
More info
I can actually run the policies that upload with an error. But when I try to create an user account via running the policy I get a message saying "Unable to validate the information provided." at the top of the page, inside the <div> with the id claimVerificationServerError. This may tie-up with the missing extension claims in the B2C app. So it looks like the problem is with creating the extension claims. But the same policy uploads and works on another tenant. How could the extension claims be valid on one tenant, but not on another?
In your base policy, there is the following claim of dateOfBirth:
<ClaimType Id="extension_DateOfBirth">
<DisplayName>Date of Birth</DisplayName>
<DataType>date</DataType>
<UserHelpText>Date of birth</UserHelpText>
<UserInputType>DateTimeDropdown</UserInputType>
<PredicateValidationReference Id="DateOfBirthDateRange" />
</ClaimType>
Since this claim starts with "extension_" and it is used in a technical profile with "AAD-" as prefix, it will be automatically created as an extension attribute in AAD during the policy uploading. However, the DataType "date" is not supported (only DateTime is supported) in AAD. This is causing policy uploading failure.
Regarding how to map "date" claim in B2C policy to AAD "DateTime" attribute, I will reply back to this thread after more investigation on these policies is done.
Edit: I was trying to find this doc: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#extensionproperty-entity when I first replied but could not find it. Thanks Mat for sharing. Hope this link is helpful for solving issues related to datatype of extension attributes in AAD.
Extension attributes need to be created at a per tenant basis. So if your policy requires extension attributes, you need to create them explicitly.
I'm currently trying to integrate with Azure AD using the admin consent flow.
I've set up an app in our domain, set a few permissions on it and am then navigating to the following link:
https://login.microsoftonline.com/mytestdomain.onmicrosoft.com/oauth2/authorize?client_id=12345678-1234-1234-1234-123456789012&response_type=code&redirect_uri=http://example.com/responsehandler&resource=12345678-1234-1234-1234-123456789012&prompt=admin_consent&state=12345
(Some of the values here have been swapped out for "example" values)
When I navigate there I get asked to sign in, which I do using a different test domain into which I want to import the app.
After signing in I'm shown a list of all the permissions that the app needs (which appear to be correct), I click accept but then I get the following error:
AADSTS90002: Requested tenant identifier '00000000-0000-0000-0000-000000000000' is not valid. Tenant identifiers may not be an empty GUID.
I'm not sure where this empty GUID is coming from and after some searching I can't find any reference to what might be causing it.
Daniel Camargo's comment above seems to have done the trick.
When I navigated to the login.microsoftonline.com link I was logging in with the user that created the domain.
If I log in with a test admin user that I created it works as I'd want.
I am not convinced that we had exactly the same problem, given that my case was involving a Cordova application, but I will share my scenario anyway:
I created a trial account for my proof of concept and for that I used my personal Microsoft account that I will call mypersonalaccount#outlook.com.
Thus, mypersonalaccount#outlook.com is now part of 2 directories: the outlook.com and my recently created mypersonalaccount.onmicrosoft.com.
When I was trying to authenticate in my Oauth2 application using mypersonalaccount#outlook.com I got that error. My humble guess is that the error is related to some sort of collision between the 2 accounts.
I later created a user1#mypersonalaccount.onmicrosoft.com and a guest account using my gmail account. Everything worked fine with these ones.
Was having the same problem, and the same after 1 week of work by the azure team, was solved.
My problem was being trying to log in to VSTS with AAD accounts.
I have Active Directory for B2C set up. I added my own domain, I configured my DNS and I click Verify, and I get "Could not verify domain".
Why?
Additional facts:
Yes, I am quite adept at DNS of domains and added the TXT record properly
Yes, I allowed plenty of time for DNS propagation (1 hr to... 2 weeks now)
https://dnsquery.org/dnsquery/ shows expected values within minutes, just FYI: "MyDomain.com. 3600 IN TXT "MS=ms34030xxx"
No, I did not check "...configure for single sign on.." when adding the domain, as that is not supported for AD B2C.
Possible Answers:
Perhaps B2C "Basic" (currently in Preview at time of this post) does not support adding a custom domain. If thats the case, why expose this in the Azure console??
This is a legit MS bug, and I'm the only one hitting it ( yeah right :) )
Yes, this question is similar to this one, but the difference here is I am not asking HOW to configure DNS, I am asking WHY it doesn't work when configured. That and B2C might have different requirements or functionality as it is in preview. So please don't mark as dup unless indeed we determine I misconfigured.
support for domain verification for B2C tenants is on the roadmap but isn't available in the current preview.