I have setup my GSuite account as a SAML iDP for Cognito User Pools (not identity pools).
If i provide no attribute mappings a new user trying to signup via GSuite login gets the following error.
Error in SAML response processing: Invalid user attributes: email: Attribute is required.
However if I add an email mapping, the user can signup. But can't ever sign in again as they get this error (strange as email is writable by this app client)
Error in SAML response processing: Invalid user attributes: email: Attribute cannot be updated.
Ideas as to whats going on?
In browser, using Hosted UI.
It turns out I had made the email address immutable during CloudFormation setup. Even though the email is not being modified, it needs to be mutable.
You can determine the mutability of email via the following command.
aws --output table cognito-idp describe-user-pool --user-pool-id <user pool id> | grep -B6 -A7 " | email "
For anyone who is facing this issue when using SAML and AD as the identity provider, you have to configure Attribute Mapping.
Go to Attribute Mapping under Federation, Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress for SAML attribute and Select Email fro User pool attribute
I had the error below randomly after being able to login the first time. Disabling and then deleting the user from the pool and allowing Cognito to recreate it fixed the issue for me. I assume there is an AWS bug here somewhere.
Error in SAML response processing: Invalid user attributes: email: Attribute cannot be updated.
Related
i am trying to set AWS Cognito as Auth provider to log in salesforce.
I have set up an "Auth Provider" (called it Cognito) enabled it as login option both for salesforce login and for community (in community workspace).
Auth provider settings
When i try to login to salesforce using Cognito credentials i manage to do it without issues, but when i click on "Cognito" as a login option in my community i get an error even before i try to enter my credentials:
Trying to log in
Error and url string
I use different credentials for user that is internal and user that is external, although in case of community login i did not even manage to enter my creds. In url string i see that error is "redirect_mismatch" but i am not sure what that means in current context and how to resolve it. In my Registration helper i have only adjusted "createUser" method to return a user that i already have in my org:
global User createUser(Id portalId, Auth.UserData data){
return [SELECT Id, Name, ContactId FROM User WHERE FederationIdentifier = :data.email];
}
If someone has experience with using Cognito as auth provider for salesforce communities i will be glad for any help.
Redirect mismatch is referring to your callback URL being different than the one you defined in your user pool settings. Go to user pool settings and click on app client settings. Here you will see fields for sign in and sign out urls. Put in the correct callback/redirect url here. You can enter multiple urls separated by commas.
I am integrating Okta in my React application for SSO. I use the following method to create token using redirect:
https://github.com/okta/okta-auth-js#tokengetwithredirectoptions
I am using https://www.npmjs.com/package/#okta/okta-auth-js package.
Users are directed to the Identity Provider (idp) in order to authenticate and then redirected to Okta once verification is successful.
The SSO works fine but when I keep the React application idle for sometime, I am getting the following error:
OAuthError - Unable to process the username transform. A required property is missing. Missing field email.
It looks like you have configured email as the incoming claim from your IDP but Okta can't find it in the incoming assertion/token.
I am trying to reset another user's password through the Graph API (specifically graph.windows.net, though the same behavior occurs using graph.microsoft.com as well).
I believe all security is properly set up. The application registration has the Directory.ReadWrite.All permissions and the service principal is a Global Administrator. There are no errors regarding insufficient privileges, but whenever I try to provide a password inside the password profile I get an error.
PATCH request to
https://graph.windows.net/{tenant_id}/users/{userPrincipalName}?api-version=1.6
with the following body gives me a 204 response.
{
"passwordProfile": {
"password": null,
"forceChangePasswordNextSignIn": true
}
}
But the same request with a password of "P#ssword1" or any other valid password returns a 400 Bad Request with the message "One or more properties contains invalid values."
Anyone encountered anything like this? These are accounts being synced from local AD but the password reset has been turned on in Azure and you can manually reset the passwords in AAD. Any help or advice is much appreciated.
It turns out this was a problem with how AD sync is set up in their environment. Apparently a federated domain syncing to Azure AD locks out the ability to reset passwords via the Graph API but the error messages don't tell you its a permissions issue.
It's outline here under unsupported operations, my problem was not understanding the full AD environment set-up: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback
According to your description, I assume you want update user's password through the Graph API.
According to this document, when we update the passwordProfile property, the following permission is required: Directory.AccessAsUser.All.
Based on my test, we can modify someone's password by using the following steps:
Grant the permission by following this document.
Check the password in the profile whether satisfy minimum requirements as specified by the passwordPolicies property.
Use the following request to update someone's password.
The Request URL:
PATCH /users/{id | userPrincipalName}
And the request body:
{
"passwordProfile": {
"forceChangePasswordNextSignIn": true,
"password": "P#assword1"
}
}
If successful, this request returns a 204 No Content response code.
You're calling the wrong URL, graph.windows.net is the legacy Azure AD Graph API. The Microsoft Graph APIs are located at graph.microsoft.com. While these APIs are similar in function, they're calling paterns are very different.
As kikang mentioned, in order to change a user's password you need need to request the Directory.AccessAsUser.All scope. There are a few important cavetes with this scope:
This is a Delegated scope, so it can only be requested when using Authorization Code or Implicit OAuth flows. It cannot be used with Client Credentials.
Before a User can consent to Director.AccessAsUser.All, you must first obtain Admin Consent from an Admin on the user's AAD tenant/instance.
Once you have the proper scopes consented, you need to issue a PATCH to the /user resource.
Your call will look similar to this:
PATCH https://graph.microsoft.com/v1.0/me
Content-type: application/json
{
"passwordProfile": {
"forceChangePasswordNextSignIn": true,
"password": "A-Strong-Password"
}
}
I can't figure out how can I get email address from twitter. I've been using this as example - https://github.com/sahat/satellizer/tree/master/examples/server/node. I've also seen that it's possible to get email from twitter's oauth - https://dev.twitter.com/rest/reference/get/account/verify_credentials. Thanks
The example server doesn't appear to get the email in the twitter case.
And the documentation link explains how to request
Requesting a user’s email address requires your application to be
whitelisted by Twitter. To request access, please use this form.
Once whitelisted, the “Request email addresses from users” checkbox
will be available under your app permissions on apps.twitter.com.
Privacy Policy URL and Terms of Service URL fields will also be
available under settings which are required for email access. If
enabled, users will be informed via the oauth/authorize dialog that
your app can access their email address.
"Given that you have to go through all the hoops to get whitelisted by Twitter in order to access user's email, it is it not part of the example code. If you really need to get user's email, you may have to do that outside Satellizer's auth flow." - sahat (owner of satellizer)
When performing authentication using the OpenID federated login on GAE, my user object has the following properties:
Nickname: http://wordfaire.com/openid?id=103539105724544727060
email: sudhir.j#wordfaire.com
From the docs,
email()
Returns the email address of
the user. If you use OpenID, you
should not rely on this email address
to be correct. Applications should use
nickname for displayable names.
Obviously, this advice isn't working out very well. So how then can I get an authoritative email handle to associate with a particular OpenID provided by any Google Apps or other domain? I really need the email ID because things like invitations and sharing / access control all function via email ids.
If you need a valid email for OpenID users, ask the user to supply one the first time they log in, and store it yourself along with their user object.
Since anyone can create an OpenID provider, it's not safe to assume that the provider has already gathered a valid address.