Hi, earlier we were using the below authorizationEntry to access (read/write) queues starting with "queue.".
Corresponding entry from activemq.xml:
<authorizationEntry queue="queue.>"
read="test" write="test" admin="test" />
As per the latest requirement from the client (external system), is there a possibility to access queues starting with "queue." without credentials (username/password)?
Please let us know what changes we have to make in activemq.xml or the configuration to achieve the same, i.e., access queues without credentials.
These queues are used in routes created using Apache Camel and the Spring DSL language.
As said in the doc:
To allow anonymous access to the broker, use anonymousAccessAllowed
attribute and set it to true as shown above. Now, when the client
connects without username and password provided, a default username
(anonymous) and group (anonymous) will be assigned to its security
context. You can use this username and password to authorize client's
access to appropriate broker resources (see the next section). You can
also change username and group that will be assigned to anonymous
users by using anonymousUser and anonymousGroup attributes.
Source: http://activemq.apache.org/security.html#Security-Anonymousaccess
So I think this can do the stuff:
<simpleAuthenticationPlugin anonymousAccessAllowed="true">
<users>
<authenticationUser username="system" password="manager" groups="users,admins" />
<authenticationUser username="user" password="password" groups="users" />
<authenticationUser username="guest" password="password" groups="guests" />
<authenticationUser username="test" password="test" groups="test" />
</users>
</simpleAuthenticationPlugin>
<authorizationEntry queue="queue.>" read="test,anonymous" write="test,anonymous" admin="test,anonymous" />
If you use Advisory, you have to add authorized groups to create Advisory topics:
<authorizationEntry topic="ActiveMQ.Advisory.>" read="anonymous" write="anonymous" admin="anonymous"/>
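An added audit check, not part of the answer or of ActiveMQ itself: it parses the activemq.xml plugin fragments above (wrapped in a constructed minimal broker element) and lists every destination on which the anonymous group ends up with read, write or admin rights, which is the part of this change worth reviewing before it goes live.

```python
import xml.etree.ElementTree as ET

NS = {"amq": "http://activemq.apache.org/schema/core"}

# Constructed sample: the plugin fragments from the answer above, wrapped in a minimal
# <broker> element so that they parse like the <plugins> section of activemq.xml.
ACTIVEMQ_XML = """<broker xmlns="http://activemq.apache.org/schema/core">
  <plugins>
    <simpleAuthenticationPlugin anonymousAccessAllowed="true">
      <users>
        <authenticationUser username="test" password="test" groups="test"/>
      </users>
    </simpleAuthenticationPlugin>
    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <authorizationEntry queue="queue.>" read="test,anonymous" write="test,anonymous" admin="test,anonymous"/>
            <authorizationEntry topic="ActiveMQ.Advisory.>" read="anonymous" write="anonymous" admin="anonymous"/>
            <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
          </authorizationEntries>
        </authorizationMap>
      </map>
    </authorizationPlugin>
  </plugins>
</broker>"""


def anonymous_grants(xml_text):
    """Return (anonymous_enabled, grants): whether unauthenticated clients are accepted, and
    every destination on which the anonymous group holds read, write or admin rights.
    admin is the right to create the destination, so it is the one to look at first."""
    root = ET.fromstring(xml_text)
    plugin = root.find(".//amq:simpleAuthenticationPlugin", NS)
    enabled = plugin is not None and plugin.get("anonymousAccessAllowed", "false") == "true"
    # the group name defaults to "anonymous" unless anonymousGroup overrides it (see the doc quote)
    group = plugin.get("anonymousGroup", "anonymous") if plugin is not None else "anonymous"
    grants = []
    for entry in root.iterfind(".//amq:authorizationEntry", NS):
        kind = "queue" if entry.get("queue") is not None else "topic"
        rights = tuple(r for r in ("read", "write", "admin")
                       if group in [g.strip() for g in entry.get(r, "").split(",")])
        if rights:
            grants.append((kind, entry.get(kind), rights))
    return enabled, grants
```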
UPDATE
I found that if I add a trusted cert to SPOptions.ServiceCertificates and set SPOptions.AuthenticateRequestSigningBehavior = Sustainsys.Saml2.Configuration.SigningBehavior.IfIdpWantAuthnRequestsSigned; and set IdentityProvider.WantAuthnRequestsSigned = true, the signature element is included.
Original Question:
Having trouble connecting to an IdP with the following AuthnRequest:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="idf299bf8aa08542d193e022cb047e5ecc" Version="2.0" IssueInstant="2019-07-23T00:10:13Z" Destination="https://example-idp.com" AssertionConsumerServiceURL="https://example-sp.com/Acs">
<saml2:Issuer>https://example-sp.com</saml2:Issuer>
</saml2p:AuthnRequest>
The IdP says: "SignatureStatus: NOT_PRESENT". I'm guessing that means that the AuthnRequest should have a <ds:Signature section? If so, how do I configure Sustainsys.Saml2.AspNetCore2 to include it?
The metadata XML I received from the IdP contains a <ds:Signature section, but looking at the source code for Sustainsys.Saml2.AspNetCore2, it looks like that part of the metadata gets ignored when deserializing?
I'm not very familiar with the internals of SAML, so sorry if this is a silly question.
You'll want to generate a self-signed .pfx file that contains both your public cert and private key. We use Azure Key Vault, but you could also use openssl. There are lots of resources that explain how to generate one of those and load it into a C# X509Certificate2 instance.
Once you have an instance of X509Certificate2, set options.SPOptions.AuthenticateRequestSigningBehavior = Sustainsys.Saml2.Configuration.SigningBehavior.IfIdpWantAuthnRequestsSigned;
And set IdentityProvider.WantAuthnRequestsSigned = true.
And then add the X509Certificate2 instance like so: options.SPOptions.ServiceCertificates.Add(myX509Certificate2);
Then run your app and start the SAML SSO process. You can use hookbin or the like to see what it sends in the AuthnRequest for SAMLRequest. You can extract the XML from that by URL decoding it and then base64 decoding it, like so in JavaScript for instance, to confirm the signature XML is set and correct: atob(decodeURIComponent(samlRequestValue))
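An added example, not from the answer or the Sustainsys project, that does the same decoding in Python and reports where a signature is, if anywhere. It covers both SAML 2.0 bindings: HTTP-POST carries plain base64 and an embedded <ds:Signature>, while HTTP-Redirect DEFLATEs the XML before base64 and URL encoding and carries the signature as separate Signature/SigAlg query parameters rather than inside the XML. The sample AuthnRequest is the one quoted in the question; its <ds:Signature> is a placeholder.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the unsigned AuthnRequest quoted in the question, and the same request
# with a placeholder <ds:Signature> element standing in for a real XML signature.
TEMPLATE = ('<saml2p:AuthnRequest xmlns:saml2p="%s" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
            'ID="idf299bf8aa08542d193e022cb047e5ecc" Version="2.0" IssueInstant="2019-07-23T00:10:13Z" '
            'Destination="https://example-idp.com" AssertionConsumerServiceURL="https://example-sp.com/Acs">'
            '<saml2:Issuer>https://example-sp.com</saml2:Issuer>%s</saml2p:AuthnRequest>')
UNSIGNED_REQUEST = TEMPLATE % (SAMLP, "")
SIGNED_REQUEST = TEMPLATE % (SAMLP, '<ds:Signature xmlns:ds="%s">PLACEHOLDER</ds:Signature>' % DS)


def encode_saml_request(xml_text, binding):
    """Encode as an SP would: base64 for HTTP-POST; raw DEFLATE + base64 + URL encoding for HTTP-Redirect."""
    data = xml_text.encode("utf-8")
    if binding == "redirect":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE stream, no zlib header
        data = comp.compress(data) + comp.flush()
    b64 = base64.b64encode(data).decode("ascii")
    return urllib.parse.quote(b64, safe="") if binding == "redirect" else b64


def decode_saml_request(value, binding):
    """Inverse of encode_saml_request; takes the SAMLRequest value as captured from the wire."""
    data = base64.b64decode(urllib.parse.unquote(value))
    if binding == "redirect":
        data = zlib.decompress(data, -15)
    return data.decode("utf-8")


def signature_status(request_xml, query=None):
    """EMBEDDED: <ds:Signature> inside the AuthnRequest (POST binding).
    DETACHED: Signature and SigAlg query parameters beside SAMLRequest (Redirect binding).
    NOT_PRESENT: neither, which is what the IdP in the question reported."""
    root = ET.fromstring(request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a SAML 2.0 AuthnRequest: " + root.tag)
    if root.find("{%s}Signature" % DS) is not None:
        return "EMBEDDED"
    if query and "Signature" in query and "SigAlg" in query:
        return "DETACHED"
    return "NOT_PRESENT"
```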
I'm trying to configure Windows Server 2012 R2 ADFS 3.0 to send the NameID to a Shibboleth 2.6 SAML 2.0 SP, but I keep on getting these errors:
2016-11-15 10:07:07 WARN Shibboleth.AttributeResolver.Query [1]: can't attempt attribute query, either no NameID or no metadata to use
2016-11-15 10:07:07 INFO Shibboleth.SessionCache [1]: new session created: ID (_7e425978e43bc32c86393f518b26eb3e) IdP (https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (192.168.50.131)
I understand that this has something to do with passing the NameID attribute from the ADFS IdP and displaying the NameID in the Shibboleth SAML 2.0 SP.
I've also read that you need to set a rule in ADFS IDP to pass the Email Address, and transform the Email address to become a NameID. I have done that, and have these rules:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
However, I have observed that the configuration seems compatible only with SAML 1.0, but not 2.0 (maybe).
So, I went on by adding the name attributes. I tried transient, persistent, and emailAddress, and tried both SAML 1.0 and SAML 2.0 configurations.
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" id="NameID"/>
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="NameID"/>
<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="NameID"/>
Question:
So, what is the proper way of configuring ADFS IDP to send the NameID to the Shibboleth SP and display the Session attribute when going to my application Session page?
Specifically, what is the proper output for Claim Rules that I should expect, and what should the XML configuration for Shibboleth attribute-map.xml look like?
https://c-app01.contoso.com/Shibboleth.sso/Session
Solution:
The solution is to create two rules inside the "Issuance Transform Rules" tab in the Relying Party. Here are the rules to be set:
Add a Rule to Send LDAP Attributes as Claims
Add a Rule to Transform an Incoming Claim
Also, make sure that Permit Access to All Users is inside the Issuance Authorization Rules tab.
Instructions:
Add a Rule to Send LDAP Attributes as Claims:
Claim Rule Name: Email
Attribute Store: Active Directory
Mapping of LDAP: E-mail-Address to E-mail Address
This will map the Email address.
Add a rule to Transform An Incoming Claim:
Claim rule name: EmailToNameID
Incoming Claim Type: E-Mail Address
Outgoing Claim Type: Name ID
Outgoing Name ID Format: Email
Make sure "Pass Through Claim Values" is selected.
The setting above for "Transform An Incoming Claim" will give you the following claim rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
After that, you may configure the attribute-map.xml like so:
<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="Email"/>
My Mistake:
I found out that every setting in my Claims Rules is correct, except that the rules for Email and EmailToNameID should be under the Issuance Transform Rules Tab of the Relying Party.
I am using https://example.com:8443/enterprise/control/agent.php to call the Plesk API with some XML content; what I do is create and manage my domains and sites.
For some reason I need to create a site alias (domain alias) for my domain without 301 redirection. I can do it from the Plesk panel, as I note in the attached image, but I don't know how to set it with XML.
This is my XML that I post via the API:
<packet version="1.6.7.0">
<site-alias>
<create>
<pref>
<web>1</web>
<mail>0</mail>
<tomcat>0</tomcat>
</pref>
<site-id>104</site-id>
<name>mysub.myotherexample.com</name>
</create>
</site-alias>
</packet>
Note that I have two domain names, example.com and myotherexample.com. I want to add the domain alias mysub.myotherexample.com, which is an alias for example.com.
I need a setting like what you see in the image, but my XML also enabled 301 redirection.
There is a seo-redirect option (https://docs.plesk.com/en-US/17.0/api-rpc/reference/managing-site-aliases/site-alias-settings.33538/):
<packet version="1.6.7.0">
<site-alias>
<create>
<pref>
<web>1</web>
<mail>0</mail>
<tomcat>0</tomcat>
<seo-redirect>0</seo-redirect>
</pref>
<site-id>104</site-id>
<name>mysub.myotherexample.com</name>
</create>
</site-alias>
</packet>
We are trying to do a single setup with Shibboleth Identity Provider 3 and 1 service.
We have configured the Shibboleth IdP3 to use the OpenLDAP service that we are running. This is working, as authentication is successful (see the green underlined part of the image). This is with a user we created in the LDAP who is named 'test'.
Now the problem is that the entire transaction fails because we seem to lack a nameid in our SAML response.
We have made multiple attempts to fix this, here are some of the changes we tried.
In attribute-resolver-ldap.xml we added:
<resolver:AttributeDefinition id="mail" xsi:type="ad:Simple" sourceAttributeID="mail">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
</resolver:AttributeDefinition>
In attribute-resolver.xml we added an AttributeDefinition and a DataConnector as follows:
<!--
Attribute definition that expects to get the 'email' attribute from the ldap connector
defined as its dependency and encode it as a SAML 2 name identifier.
-->
<resolver:AttributeDefinition xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="googleNameID"
sourceAttributeID="cn">
<!--
The data connector expected to provide the source attribute, email. Note how the
value of the 'ref' attribute is the identifier given to the LDAP data connector.
-->
<resolver:Dependency ref="ldap" />
<!-- Encoder that transforms the attribute into a SAML2 NameID -->
<resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>
DataConnector (the <..> values are filled in correctly):
<!-- An LDAP connector that pulls in, at least, an attribute called email. -->
<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
id="ldap"
ldapURL="ldap://localhost:389"
baseDN="dc=<FIRSTDC>,dc=<SECONDDC>"
principal="cn=admin,dc=<FIRSTDC>,dc=<SECONDDC>"
principalCredential="<PASS>">
<FilterTemplate>
<![CDATA[
(cn=test)
]]>
</FilterTemplate>
</resolver:DataConnector>
In the saml-nameid.xml file we added a NameID generator (we did this for both SAML1 and 2):
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'mail'} }" />
In our ldap.properties file we assume we have configured everything correctly as the authentication itself works fine.
The error at the service side is that it can't process the SAML message:
Caused by: org.opensaml.common.SAMLException: NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration
There could be many reasons for this. There are some issues I could see in the configuration you have provided:
In attribute-resolver.xml, you have defined the AttributeDefinition ID as id="googleNameID" while AttributeSourceIDs in saml-nameid.xml is set as p:attributeSourceIds="#{ {'mail'} }". These IDs should be exactly the same. Change your AttributeDefinition in attribute-resolver.xml to:
<resolver:AttributeDefinition xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="mail" sourceAttributeID="cn">
<resolver:Dependency ref="ldap" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="mail" friendlyName="mail"/>
</resolver:AttributeDefinition>
In conf/saml-nameid.properties, uncomment and set default NameID as EmailAddress like this:
idp.nameid.saml2.default = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
You have not defined any Attribute Filter Policy. Add the following to the conf/attribute-filter.xml:
<afp:AttributeFilterPolicy id="ldapAttributes">
<afp:PolicyRequirementRule xsi:type="basic:ANY" />
<afp:AttributeRule attributeID="mail">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
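An added diagnostic, not from either thread, that serves both this question and the ADFS/Shibboleth SP question above: it inspects a decoded SAML Response the way an SP does before raising the "no NameID" errors quoted there, reports the NameID's Format against the one the SP expects, and lists the released attributes so that the mail attribute behind the attribute-filter and attribute-map.xml changes can be confirmed to have arrived. The Response sample is constructed; its issuer, attribute OID and NameID format are the values from the two questions.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample Response (already decoded and decrypted): issuer, attribute OID and format
# come from the questions above; the user, message IDs and timestamps are made up.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2016-11-15T10:07:07Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-11-15T10:07:07Z">
    <saml:Issuer>https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml</saml:Issuer>
    <saml:Subject>%s</saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
        <saml:AttributeValue>test@contoso.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
GOOD_RESPONSE = RESPONSE_TEMPLATE % ('<saml:NameID Format="%s">test@contoso.com</saml:NameID>' % EMAIL_FORMAT)
NO_NAMEID_RESPONSE = RESPONSE_TEMPLATE % ""


def check_nameid(response_xml, expected_format=EMAIL_FORMAT):
    """Mirror the SP-side check behind the two errors quoted above: find the NameID in the
    first Assertion's Subject and confirm its Format is the one the SP was configured for."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "reason": "Response carries no plain Assertion (encrypted ones must be decrypted first)"}
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        return {"ok": False, "reason": "Subject has no NameID element"}
    # SAML 2.0 core: a NameID without a Format attribute means nameid-format:unspecified
    fmt = nameid.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    if fmt != expected_format:
        return {"ok": False, "reason": "NameID Format is %s, expected %s" % (fmt, expected_format)}
    return {"ok": True, "format": fmt, "value": nameid.text}


def released_attributes(response_xml):
    """Map each released Attribute Name to its values, to confirm that the attribute the IdP's
    attribute-filter releases and attribute-map.xml expects actually reached the SP."""
    root = ET.fromstring(response_xml)
    released = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        released[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return released
```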
My ESB flow needs to get files from a dynamic folder. This folder name changes based on month and year. Hence, I configured my inbound-endpoint as shown below, but I am getting the below error. I really appreciate any help on this.
Flow:
<flow name="DataMapperTestFlow" doc:name="DataMapperTestFlow">
<file:inbound-endpoint path="C:\#[new Date().format('yyyy\\MMMM')]" moveToDirectory="C:\#[new Date().format('yyyy\\MMMM')]\backup" pollingFrequency="10000" responseTimeout="10000" doc:name="File">
<file:filename-regex-filter pattern=".*.xls" caseSensitive="true"/>
</file:inbound-endpoint>
<custom-transformer class="ExcelToJava" doc:name="Java"/>
<jdbc-ee:outbound-endpoint exchange-pattern="one-way" queryKey="insertTestHeaders" connector-ref="NewDatabase" doc:name="InsertHeaders"/>
<set-payload value="#[payload.excelData.excelRows]" doc:name="Set Payload"/>
<jdbc-ee:outbound-endpoint exchange-pattern="one-way" queryKey="insertTestRows" connector-ref="NewDatabase" doc:name="InsertRows"/>
</flow>
Error:
org.mule.api.endpoint.MalformedEndpointException: The endpoint
"file:///C:/#[new Date().format('yyyy/MMMM')]" is malformed and cannot
be parsed. If this is the name of a global endpoint, check the name
is correct, that the endpoint exists, and that you are using the
correct configuration (eg the "ref" attribute). Note that names on
inbound and outbound endpoints cannot be used to send or receive
messages; use a named global endpoint instead.. Only Outbound
endpoints can be dynamic
"Only Outbound endpoints can be dynamic" quite says it all. You can have a look at the Mule Requester Module if it suits your needs, or try creating endpoints/flows programmatically with a scheduler and Java/Groovy/etc code.