How to use ADFS Webfinger Endpoint? - azure-active-directory

I'm very new to ADFS and the Web Application Proxy. That said, I've recently setup an ADFS server and a WAP server and have all of the configuration setup to successfully handle SAML SSO to my custom application.
I am now attempting to use the Webfinger endpoint. By default, that endpoint is enabled (and proxy enabled). Unfortunately, I have not been able to get any meaningful response from this endpoint and am unsure even how to set it up. Searching for "ADFS Webfinger" documentation has been fruitless. Honestly, I can't find anything other than discussions of an Event Viewer error and other useless information.
I have attempted various combinations of URLs.
https://my-adfs-server/.well-known/webfinger?resource=https%3A%2F%2Fmy-adfs-server%2Fadfs%2F/ls&rel=http://schemas.microsoft.com/rel/trusted-realm
This gives me back a JSON:
{
"subject": "https://my-adfs-server",
"links": [
{
"rel": "http://schemas.microsoft.com/rel/trusted-realm",
"href": "https://my-adfs-server"
}
]
}
but it is the only URL I have found that returns anything.
https://my-adfs-server/.well-known/webfinger?resource=acct:<myemail>
This gives me a 404 with a valid email (acct).
What am I missing? Even if that last URL was working, how do I resolve it to specify information that should be returned in the JRD document for this particular account? Do I need IIS installed (I don't have it installed currently) and custom code?
Thanks for any help/insight.
Pink

Related

Salesforce API failing with API_DISABLED_FOR_ORG

When calling this Salesforce api:
https://{host}/DM/services/data/v48.0/chatter/feed-elements
I get this response:
[
{
"message": "The Chatter Connect API is not enabled for this organization or user type.",
"errorCode": "API_DISABLED_FOR_ORG"
}
]
I'm using a trial org and this has been working until recently. What might be going on? does it require a beta package to work or doesn't matter? Any permissions that can be related to this? Any settings that I can look at?

Duende IdentityServer 6.20 .Net6.0 "AuthenticationScheme: idsrv was not authenticated"

I have a fully functioning Duende IS6 solution, servicing an Angular client. However the Seq log output contains a lot of these entries with each request:
{
"#t": "2023-01-08T19:14:58.3783602Z",
"#mt": "AuthenticationScheme: {AuthenticationScheme} was not authenticated.",
"#m": "AuthenticationScheme: idsrv was not authenticated.",
"#i": "19c670d5",
"#l": "Debug",
"AuthenticationScheme": "idsrv",
"EventId": {
"Id": 9,
"Name": "AuthenticationSchemeNotAuthenticated"
},
"SourceContext": "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler",
"RequestId": "0HMNHLIGV47GF:00000002",
"RequestPath": "/.well-known/openid-configuration/jwks",
"ConnectionId": "0HMNHLIGV47GF",
"application": "dev.identity"
}
Does anyone know what the issue is here? To be clear, my app functions and authenticates just fine so whatever it is doesn't appear to be causing an issue, just filling up my logs.
(apols for earlier version tag but could not tag identityserver6 as not enough rep)
The error is because ASP.NET Core did not find any cookie that it could convert into a ClaimsPrincipal user.
As you mention, requests to "/.well-known/openid-configuration/jwks" is never made by the browser, instead its made by the client and apis on the backend to retrieve the signing keys. And in these requests, there is no cookie to authenticate.

Can I turn off case sensitivity for Azure AD RedirectURI

I have a Redirect URI configured like this:
https://<url>/RALauncher/signin-oidc
But if I go here:
https://<url>/ralauncher
and sign in, I get this error message:
Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply url specified in the request does not match the
reply urls configured for the application:
'<guid>'. More details: Reply address
did not match because of case sensitivity.
Is it possible to configure this so that the Redirect URI is not case sensitive? I can't find a setting for this in the Azure Portal.
AFAIK there is no setting to turn on or off the case sensitivity, i.e. it will always be case sensitive.
Generally I haven't seen it to be an issue, because app developer controls the code and you can set the configuration in Azure AD App registration appropriately.
Anyway, I don't the exact reason you have different variations on cases, but here is one approach that I can suggest that could solve your issue -
It's a collection, so you can add multiple values. So feel free to add the valid variations from your side. For example:
"replyUrlsWithType": [
{
"url": "https://myredirecturi1",
"type": "Web"
},
{
"url": "https://MyRedirectUri1",
"type": "Web"
}
]
You can do this by editing the Manifest for your Azure AD app registration
or directly using Portal UI.

How to check other user availability with Microsoft Graph API?

I'm trying to implement checking availability for specific user (actually a room) in O365 calendar. I'm using Graph API as it's recommended by Microsoft.
My first approach was using POST on https://graph.microsoft.com/v1.0/me/findMeetingTimes with the message body prepared according to template given in Graph API Explorer. On the API Explorer everything seems to work fine but when I try to run exactly the same request with my applications token I receive 403:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "b130177d-e138-4cc7-8e72-5d3529a9dc24",
"date": "2017-03-21T08:47:10"
}
}
}
I checked the app's delegated permissions in AAD and they seem to be fine. For Microsoft Graph those are granted:
Calendars.ReadWrite.Shared
Calendars.Read.Shared
Calendars.ReadWrite
Calendars.Read
I get exactly the same response (403) when I try to simply list user's events: https://graph.microsoft.com/v1.0/users//events In Graph API Explorer 500 is returned.
I found the following bug description: https://github.com/microsoftgraph/microsoft-graph-docs/issues/559 (and probably this one too) Is it related with the issues above?
Any clue what I might be doing wrong?
Is there any other way to achieve the same using different endpoint or API assuming that I still want to use oAuth for authorization?
I will be grateful for any hint
Update: Outlook Calendar API seems to work. Still appreciate any ideas why Graph API doesn't?
The FindMeetingAPI needs A work or a school account . If you are logging in using your personal email ID , you might not be able to login. Moreover , you need to set permissions to Calendars.Read Calendars.Read.All Calendars.ReadWrite User.Read"

App Engine Admin API Error - The "appengine.applications.create" permission is required

We would like to automatically create a project ID and install our ULAPPH Cloud Desktop application using the App Engine Admin API (REST) and Golang.
https://cloud.google.com/appengine/docs/admin-api/?hl=en_US&_ga=1.265860687.1935695756.1490699302
https://ulapph-public-1.appspot.com/articles?TYPE=ARTICLE&DOC_ID=3&SID=TDSARTL-3
We were able to get a token but when we tried to create a project ID, we get the error below.
[Response OK] Successful connection to Appengine Admin API.
[Token] { "access_token" : "TOKEN_HERE", "expires_in" : 3599, "token_type" : "Bearer" }
[Response Code] 403
[Response Body] { "error": { "code": 403, "message": "Operation not allowed", "status": "PERMISSION_DENIED", "details": [ { "#type": "type.googleapis.com/google.rpc.ResourceInfo", "resourceType": "gae.api", "description": "The \"appengine.applications.create\" permission is required." } ] } }
We are just using the REST API calls. Request for token was successful as you can see above and the scope is ok as well. Now, when we posted the request to create application, we are having the error that says "appengine.application.create" permission required.
How do we specify the permission?
What are the possible reasons why we are getting that error? Do we missed to send a field in JSON or in query?
As per below link, we just need to pass the json containing the id and location. We also just need to pass the token in the Authorization header. The same logic I have used successfully in accessing Youtube, Drive APIs etc so not sure what needs to be done since I have followed the docs available.
I have also posted the same issue in Google Groups and now waiting for their reply.
It seems you've given no details about how you set up the account you're using to authorize the request. You'll need to make sure the appengine.applications.create permission is given to the account you're using, as mentioned in the error text. You can use the Google Identity and Access Management (IAM) API for this.
(by the way, I'd given this answer in the original thread, although you didn't reply or seem to take action on it. check it out! this is likely the solution you need!)

Resources