Message "Unable to unprotect message.State" when scaling IdentityServer4 - identityserver4

When running a single instance of IdentityServer4, we can log in with another identity provider successfully. As soon as we create several instances of IdentityServer4, the same process fails after the user has authenticated if the result is handled by a different server.
The message "Unable to unprotect message.State" is written to the logs even though the ASP.NET Core DataProtection API is configured correctly to run in a multi-server environment.

In addition to ASP.NET Core DataProtection, some components of IdentityServer4 rely on ASP.NET Core distributed caching. In our case, the following call registered a component that relies on IDistributedCache:
services.AddOidcStateDataFormatterCache();
In the default implementation, an in-memory cache is used, which leads to the problem.
After removing the line, IdentityServer4 works in the multi-server deployment.
An alternative would be to configure distributed caching to work in a multi-server environment as described here.
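To show both moving parts of that fix side by side, here is an added ConfigureServices example (not code from the original post) that backs ASP.NET Core Data Protection and the IDistributedCache used by AddOidcStateDataFormatterCache() with one shared Redis instance; the Redis connection string, key name, instance prefix and external provider settings are assumed placeholders.

```csharp
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;
using StackExchange.Redis;

public class Startup
{
    // Constructed placeholder: a Redis endpoint reachable from every IdentityServer4 node.
    private const string RedisConnection = "redis.example.internal:6379";

    public void ConfigureServices(IServiceCollection services)
    {
        var redis = ConnectionMultiplexer.Connect(RedisConnection);

        // 1. Data Protection: all nodes must share one key ring and one application name,
        //    otherwise a value protected on node A cannot be unprotected on node B.
        services.AddDataProtection()
            .SetApplicationName("identityserver4-cluster")          // assumed name
            .PersistKeysToStackExchangeRedis(redis, "DataProtection-Keys");

        // 2. Distributed cache. The failing configuration is the per-process default:
        //    services.AddDistributedMemoryCache();  // each node has its own cache
        //    Replace it with a cache every node can read, so the OIDC state stored by the
        //    node that started the login is found by the node that handles the callback.
        services.AddStackExchangeRedisCache(options =>
        {
            options.Configuration = RedisConnection;
            options.InstanceName = "ids4:";                          // assumed key prefix
        });

        // Client, resource and signing-credential registration omitted for brevity.
        services.AddIdentityServer();

        // External identity provider whose callback triggered "Unable to unprotect message.State".
        services.AddAuthentication()
            .AddOpenIdConnect("oidc", options =>
            {
                options.Authority = "https://idp.example.com";       // assumed provider
                options.ClientId = "placeholder-client-id";
                options.ClientSecret = "placeholder-client-secret";
                options.ResponseType = "code";
            });

        // Safe to keep now: the protected state goes into the Redis-backed IDistributedCache
        // registered above instead of a node-local memory cache.
        services.AddOidcStateDataFormatterCache();
    }
}
```

If the AddStackExchangeRedisCache registration is removed again, the last call silently falls back to whatever IDistributedCache is registered, so check the cache registration first when the error reappears after a deployment.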

Related

Regarding Time out error in ITfoxtec Identity Saml 2.0

I have to implement the single sign-on functionality in my project. But once I have downloaded the ITfoxtec Identity Saml2 project from GitHub and run the ASP.NET Core project, I get an error like the one in the screen below.
Please revert me on the same as soon as possible.
The solution contains a test identity provider (IdP) project called TestIdPCore. The other test applications in the solution are relying parties and therefore depend on the TestIdPCore application running before they can start.
You can either start multiple projects at the same time or ensure that TestIdPCore is running before you start another test application.
I have started multiple projects, TestIdPCore and TestWebAppCore.
Once I click on the TestWebAppCore Login link, I get an error like "Sequence contains no elements".
https://i.imgur.com/CoawPM2.png

How to access the Project Server REST API using Azure AD App permissions?

I have a standalone web application (not an add-in) and I would like to access Project Server PWA OData from this web application without using the PWA username/password combination.
I can do this for SharePoint OData by registering my web app in Azure AD and configuring the application to require "Read" permissions from "Office 365 SharePoint Online".
If you are interested to do this for SharePoint data, see this article for details: https://www.itunity.com/article/integrating-angularjs-aad-office-365sharepoint-part-1-622
My problem is that I want to do the same for a Project Server, but can't see any relevant Project Online permission in Azure AD.
Has anyone ever accessed Project Online using Azure AD tokens?
My 10 Minutes of Internet Research™ leads me to believe this isn't available but that it was a planned feature at one point. [see here]
Without knowing much (anything) about Project Server, this seems like a situation I've dealt with on AWS at work. We have a bunch of endpoints that are secured using IAM (AWS) credentials and we can't leave those creds lying around in our app (because that would be silly). Our solution is to generate access URLs server-side and hand them out, these typically will have a time limit and be restricted to a very specific action.
A quick search for Azure's equivalent to IAM tells me that you might be able to do something similar though I'm unsure it exists for Project Server.
That failing, you could always set up an intermediary micro-service that acts as proxy and has the username/password combo. We do stuff like this all the time with Lambda (AWS's serverless functions).

SP implementation using Spring SAML extension with Google App Engine in Java

I am trying to make an SP hosted on Google App Engine, with a third-party IdP, and I'm facing multiple problems.
I'm using the Spring SAML extension for Java. I was able to run the stand-alone (not in GAE) demo app from the official guide http://docs.spring.io/spring-security-saml/docs/1.0.x/reference/html/chapter-quick-start.html using idp.ssocircle.com as IdP.
Now my problem comes when I tried to integrate this code in my GAE project. When running with GAE I can get to the phase where I'm redirected to do the login on ssocircle.com, and from there, when I should be redirected back to my page, I'm getting this error: "Error 401 Authentication Failed: Error decoding incoming SAML message", and in the local GAE server logs I can see this message
"[INFO] Dec 17, 2014 5:21:23 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry [INFO] INFO: I/O exception (java.net.SocketException) caught when processing request: Permission denied: Not allowed to issue a socket bind: permission denied."
I was wondering if this is a limitation from GAE regarding sockets: 1) Sockets are available only for paid apps (I don't have a paid app, but could consider this option). 2) You cannot create a listen socket; you can only create outbound sockets. 3) You cannot bind to specific IP addresses or ports (for me this one sounds like it is my problem).
And when I tried to deploy on GAE, the app remained in a start-up loop because of other errors regarding "nested exception is java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "modifyThreadGroup")", which sounds like another GAE limitation to me.
At some point I was ready to give up, because I was thinking that the Spring SAML extension can't work with GAE because of limitations present on GAE. But I see you have the same project running as a demo on GAE (or at least I think it is running on GAE because of the appspot part in the domain name). https://saml-federation.appspot.com/saml/discovery?returnIDParam=idp&entityID=saml-federation.appspot.com
I would appreciate it if you could give me some hints regarding my problems, and best would be if you could help me with the source code of this demo project (could not find it anywhere) and all configuration that is needed for GAE.
I've created a new repository https://github.com/vschafer/spring-security-saml-gae which includes instructions for deployment of Spring SAML applications on Google App Engine. It also includes classes that help to avoid the issues you're facing (sockets and threads).
In order to use it:
include the jar created from the repo in your project
use the provided org.springframework...StaticFilesystemMetadataProvider for loading your metadata
in case you are using the HTTP-Artifact binding, replace the bean org.springframework...ArtifactResolutionProfileImpl with org.springframework...google.ArtifactResolutionProfileGAE
Please comment if you spot some mistakes in the documentation or code.

Express/Passport local authentication multiple servers

I am building a real-time web application with AngularJS, Express.js and Passport.js.
The Passport authentication is working fine on the main server. I have written a second logging server, also in Express.js, and want to use this to simply receive HTTP POST requests from an AngularJS service. This will enable client-side exceptions/errors to be recorded and available for debugging purposes etc. I don't want to introduce a dependency on logging in the main server, so as to have this logically separated.
I am thinking about introducing a Redis store for Passport/Express sessions so that the logging server is also subject to authentication and sessions can be shared across the two servers. I am not sure how to implement this session sharing though.
In this scenario, what is the best practice for authenticating across the two servers? I don't want the user to have to log in twice.
You nailed it: Redis store, yes. There's no need for a manual implementation. Have both servers use the same Redis server instance (i.e. cloud Redis, installed locally on only one machine, etc.). Express sessions have the ability to use a Redis store (take a look at the connect-redis package). Sharing is accomplished automatically since both stacks will communicate with the same Redis store.
The way it works in detail: when the user is authenticated, the connect.sid cookie gets written to the browser. Subsequent requests (i.e. to the second server) will transmit this cookie. The second server sees the SID, looks it up, finds it and retrieves the same session from Redis.
It's a hands-off implementation.

RIA Services Authentication - What type? Preventing "copies?"

I've got a Silverlight application that will be running out on the open internet, available to basically everyone who has ever lived.
The application makes use of RIA Services to manipulate data in a database on the server.
The application creates, reads, updates, and deletes data of different varieties, however I only want these operations to occur from within the application.
This brings about two questions:
Is there a particular recommendation for what type of Authentication to use? Forms or Windows?
Is there a way to prevent someone from "linking" to the application? That is to say, copying the HTML from the containing page, pasting it in their own HTML page on their local machine and running it? The end goal would be to only allow the application to be run when it is embedded in a page requested directly from my server and my server alone?
If your application is being used on an internal network, then Windows authentication is best. Otherwise (as is your case) use Forms authentication.
Silverlight automatically prevents applications (unless they're running with elevated trust) from accessing resources on the Internet (web services, HTML, etc.) that are not from the domain that the application originated from, unless that domain has a cross-domain policy file in its root. The Silverlight runtime prevents this (not the server), so this is a client-based security feature - not server-based. By not having a cross-domain policy file in place on your server, your application will only be able to communicate with your domain services when it is run from your server (as you are after). The application will run, but calls to those services will fail.
You could always do a check for what domain the application originated from in code, and match it to a hard-coded domain name if you want to prevent the application running at all from other domains.
Hope this helps...
Chris