Unable to lookup sp connection metadata - saml-2.0

All the configurations tested are correct, but I am still getting this error:
sourceid.config.ConfigurationException: Unable to lookup sp connection metadata for entityid="SP URL"

Set the FULL URL as captured inside the quotes for "SP URL" as a VSID for the connection. This usually means that Entity ID for the partner has not been set to what they are sending (which is the SP URL).
This can be avoided by making the SP provide you with metadata, and you build the connection around it, then export your own metadata, and send to them. If they can't provide you with metadata, then they should get better at SAML.


Getting hashtags from $request in Yii2

I need to get hashtags from a GET-request, like this:
/v1/search/search#tag?query=word
or /v1/search/search?query=word#tag
I try to get the query string:
Yii::$app->request->getQueryString()
But in the first case it totally ignores the query param, whereas in the second case it finds the query param but ignores the hashtag. Is there any way to get the hashtag from the request?
You cannot get the URI fragment value (hashtag) on the server (directly).
This is not a Yii limitation: the anchor # part of the URL is meant to be used on the client side, and it isn't sent to the server.
According to the Wikipedia page for URI fragment:
Fragments depend on the document MIME type and are evaluated by the client (web browser).
Clients are not supposed to send URI fragments to servers when they retrieve a document, and without help from a local application (see below) fragments do not participate in HTTP redirections.
You can check this yourself by looking at the network traffic, your server logs, Yii debugger logs, or your browser console. For example, if you try to browse https://example.com/user/123#1234, the server will only get https://example.com/user/123.
You could bypass this limitation by converting the values to parameters before you send the request.
// you could update
https://example.com/user/123#1234
// to
https://example.com/user/123?tag=1234
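As an added illustration (not part of the answer above), the following Python uses the standard library to show why the two URLs from the question behave differently: the request target a browser actually sends stops at the first #, so in the first URL the whole "tag?query=word" is fragment and never leaves the client. The second function is the client-side rewrite the answer suggests, moving the fragment into a query parameter (the parameter name "tag" is an assumption taken from the answer's example).

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def request_target(url):
    """Path plus query as a browser puts it on the request line.

    Everything after the first '#' is the fragment, which the client keeps
    to itself, so it is never part of what the server (or Yii) can read.
    """
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def fragment_to_query(url, param="tag"):
    """Client-side rewrite: move the fragment into a real query parameter.

    Existing query parameters are preserved; the fragment is URL-encoded so a
    value such as 'tag?query=word' cannot be misread as more parameters.
    """
    parts = urlsplit(url)
    if not parts.fragment:
        return url
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((param, parts.fragment))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


if __name__ == "__main__":
    # The two URLs from the question, plus the answer's example.
    for url in ("/v1/search/search#tag?query=word",
                "/v1/search/search?query=word#tag",
                "https://example.com/user/123#1234"):
        print(f"{url!r:45} server sees {request_target(url)!r:35} rewrite {fragment_to_query(url)!r}")
```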

DNN 8 users cannot reset their password

I have a DNN 8.0.1 website.
The users are not able to reset their own passwords. An error is generated when the reset email is sent:
Mailbox unavailable. The server response was: 5.7.0 Mail relay denied
[...]. Invalid credentials for relay for
Emails are sent through an SMTP relay handled by G-Suite.
Here is the stack trace:
at System.Net.Mail.MailCommand.CheckResponse(SmtpStatusCode statusCode, String response)
at System.Net.Mail.MailCommand.Send(SmtpConnection conn, Byte[] command, MailAddress from, Boolean allowUnicode)
at System.Net.Mail.SmtpTransport.SendMail(MailAddress sender, MailAddressCollection recipients, String deliveryNotify, Boolean allowUnicode, SmtpFailedRecipientException& exception)
at System.Net.Mail.SmtpClient.Send(MailMessage message)
at DotNetNuke.Services.Mail.Mail.SendMailInternal(MailMessage mailMessage, String subject, String body, MailPriority priority, MailFormat bodyFormat, Encoding bodyEncoding, IEnumerable`1 attachments, String smtpServer, String smtpAuthentication, String smtpUsername, String smtpPassword, Boolean smtpEnableSSL)
I have tested the SMTP settings at both the Host and Site Admin levels and they both work.
Emails generated from other services are working, and emails generated from custom modules are working. Just the emails being sent for password resets are not working.
Does anyone have an idea as to why this is happening?
Thanks
When you send an email using the SMTP test, are you sending to an address in the domain of the server? That should work because it doesn't involve a relay.
For relaying, it is the To email address that counts. Relaying means that you are sending to an address that is outside of the domain of the website. So, you need to have permission to do that.
Are your users possibly at external email addresses?
One other thing to look at is the SMTP setup for both Host and Site. If I'm remembering right, DNN8 lets you set up separate SMTP for the Host and the site. You may want to check these.
Finally, the way to really see what is going on is to see what is sent to the SMTP server. If you can get at, or have someone get at, the SMTP logs, you'll see exactly how you are sending and the exact error. Given that you are using G-Suite, this may not be easy.
You may get more information from the log4net logs. If there is nothing useful there, you might want to (temporarily) adjust the logging level.
Are you able to get a password reset message for your account?

AzureSearch- Error on detecting index schema from data source

I created a data source on Azure Search via the REST API. I use the API instead of the portal, as I have a rowversion data type that isn't handled yet on the portal. I am able to view the data source on the portal.
When I try to import the data source into an index, I get the following error
"Error detecting index schema from data source: "Data source payload should specify at least one of datasouce name and type"
What am I missing here?

Where to find the OSB Business service configuration details in the underlying database?

In the OSB layer, when the endpoint URI is changed, I need to alert the core group that the endpoint has changed and to review it. I tried SLA Alert rules, but they do not have options for it. My question is: the endpoint URI should be saved somewhere in the underlying database. If so, what are the schema and the table name to query it?
The URI, or in fact any other part of an OSB artifact, is not stored in a relational database but rather kept in memory in its original XML structure. It can only be accessed through the dedicated session management API. The interfaces you will need to use are part of the com.bea.wli.sb.management.configuration and com.bea.wli.sb.management.query packages. Unfortunately it is not as straightforward as it sounds; in short, to extract URI information you will need to:
Create a session instance (SessionManagementMBean)
Obtain an ALSBConfigurationMBean instance that operates on the SessionManagementMBean
Create a Query object instance (BusinessServiceQuery) and run it on the ALSBConfigurationMBean to get a ref object to the OSB artifact of your interest
Invoke getServiceDefinition on your ref object to get the XML service definition
Extract the URI from the XML service definition with XPath
The downside of this approach is that you are basically polling the configuration each time you want to check if anything has changed.
More information including JAVA/WLST examples can be found in Oracle Fusion Middleware Java API Reference for Oracle Service Bus
There is also a good blog post describing OSB customization with WLST ALSB/OSB customization using WLST
The information about services and all its properties can be obtained via Java API. The API documentation contains sample code, so you can get it up and running quite quickly, see the Querying resources paragraph when following the given link.
We use the API to read the service (both proxy and business) configuration and for simple management.
As long as you only read the properties you do not need to handle management sessions. Once you change the values, you need to start a session and activate it once you are done -- a very similar approach to Service bus console.

ADFS 2.0 Not handling 'Extension' tag in SAML AuthnRequest - Throwing Exception MSIS7015

We currently have ADFS 2.0 with hotfix 2 rollup installed and working properly as an identity provider for several external relying parties using SAML authentication. This week we attempted to add a new relying party, however, when a client presents the authentication request from the new party, ADFS simply returns an error page with a reference number and does not prompt the client for credentials.
I checked the server ADFS 2.0 event log for the reference number, but it is not present (searching the correlation id column). I enabled the ADFS trace log, re-executed the authentication attempt and this message was presented:
Failed to process the Web request because the request is not valid. Cannot get protocol message from HTTP query. The following errors occurred when trying to parse incoming HTTP request:
Microsoft.IdentityServer.Protocols.Saml.HttpSamlMessageException: MSIS7015: This request does not contain the expected protocol message or incorrect protocol parameters were found according to the HTTP SAML protocol bindings.
at Microsoft.IdentityServer.Web.HttpSamlMessageFactory.CreateMessage(HttpContext httpContext)
at Microsoft.IdentityServer.Web.FederationPassiveContext.EnsureCurrent(HttpContext context)
As the message indicates that the request is not well formed, I went ahead and ran the request through xmlsectool and validated it against the SAML protocol XSD (http://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd) and it came back clean:
C:\Users\ebennett\Desktop\xmlsectool-1.2.0>xmlsectool.bat --validateSchema --inFile metaauth_kld_request.xml --schemaDirectory . --verbose
INFO XmlSecTool - Reading XML document from file 'metaauth_kld_request.xml'
DEBUG XmlSecTool - Building DOM parser
DEBUG XmlSecTool - Parsing XML input stream
INFO XmlSecTool - XML document parsed and is well-formed.
DEBUG XmlSecTool - Building W3 XML Schema from file/directory 'C:\Users\ebennett\Desktop\xmlsectool-1.2.0\.'
DEBUG XmlSecTool - Schema validating XML document
INFO XmlSecTool - XML document is schema valid
So, I'm thinking that ADFS isn't fully compliant with the SAML specification. To verify, I manually examined the submitted AuthnRequest and discovered that our vendor is making use of the 'Extensions' element to embed their custom properties (which is valid, according to the SAML specification). (Note: "ns33" below correctly namespaces "urn:oasis:names:tc:SAML:2.0:protocol" elsewhere in the request.)
<ns33:Extensions>
<vendor_ns:fedId xmlns:vendor_ns="urn:vendor.name.here" name="fedId" value="http://idmfederation.vendorname.org"/>
</ns33:Extensions>
If I remove the previous element from the AuthnRequest and resubmit it to ADFS, everything goes swimmingly. And, in fact, I can leave the 'Extensions' container and simply edit out the vendor namespaced element, and ADFS succeeds.
Now, I guess I have 3 questions:
Why was the reference number not logged to the ADFS log? That really would have helped my early debugging efforts
Is it a known issue that ADFS's SAML handler cannot handle custom elements defined within the Extensions element, and if so, is there a way to add support (or at least not crash while handling it)? My vendor has offered to change the SAML AuthnRequest generated to omit that tag, but said that it 'may take some time'-- and we all know what that means...
Does anyone think that installing ADFS hotfix rollup 3 will address this situation? I didn't see anything in the doc to indicate the affirmative.
Thanks for your feedback.
When facing an MSIS7015 ADFS error, the best place to start would be enabling ADFS Tracing. Log in to the ADFS server as admin and run the following commands. If you have a very busy ADFS server, it might be wise to do it when the server is not as busy.
C:\Windows\System32\> wevtutil sl "AD FS Tracing/Debug" /L:5
C:\Windows\System32\> eventvwr.msc
In Event Viewer select “Application and Services Logs”, right-click and select “View – Show Analytics and Debug Logs”
Go to AD FS Tracing – Debug, right-click and select “Enable Log” to start Trace Debugging.
Process your ADFS login / logout steps and when finished, go to the event viewer mmc find the sub tree AD FS Tracing – Debug, right-click and select “Disable Log” to stop Trace Debugging.
Look for EventID 49 - incoming AuthnRequest - and verify that values are not being sent with capitalised values. For example, in my case, I was receiving the following values: IsPassive='False', ForceAuthn='False'
In my case, to address the issue, all I needed to do was create an incoming claim transformer rule for the distinct endpoints.
Once the CAPs were transformed to lower case true and false, authentication started working.
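As an added example (not code from either post or from ADFS/PingFederate), the Python below performs the checks an IdP admin runs over a captured AuthnRequest before suspecting the IdP itself: it reads the Issuer and compares it with the configured SP connection entity IDs (an unmatched Issuer is the cause of the "Unable to lookup sp connection metadata" error in the first post on this page), flags IsPassive/ForceAuthn values outside the xs:boolean lexical space (the capitalised 'False' this answer describes), and lists what sits inside Extensions, which the schema permits and which should be logged rather than rejected. The sample request and the entity ID are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XS_BOOLEAN = {"true", "false", "1", "0"}  # the only lexical forms xs:boolean allows

# Constructed sample modelled on the posts above: a vendor element inside
# Extensions, Issuer set to the SP's entity ID, and capitalised booleans.
SAMPLE_REQUEST = """<ns33:AuthnRequest xmlns:ns33="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    IsPassive="False" ForceAuthn="False">
  <saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>
  <ns33:Extensions>
    <vendor_ns:fedId xmlns:vendor_ns="urn:vendor.name.here" name="fedId" value="http://idmfederation.vendorname.org"/>
  </ns33:Extensions>
</ns33:AuthnRequest>"""


def inspect_authn_request(xml_text, known_sp_entity_ids):
    """Return the fields an IdP admin checks first when a request is rejected."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    findings = {
        "issuer": issuer,
        # An Issuer with no matching SP connection is what produces
        # "Unable to lookup sp connection metadata" on the IdP side.
        "issuer_known": issuer in known_sp_entity_ids,
        "bad_booleans": {},
        "extension_elements": [],
    }
    for attr in ("IsPassive", "ForceAuthn"):
        value = root.get(attr)
        if value is not None and value not in XS_BOOLEAN:
            findings["bad_booleans"][attr] = value  # e.g. 'False' instead of 'false'
    ext = root.find(f"{{{SAMLP}}}Extensions")
    if ext is not None:
        # Extension content is schema-valid; record it instead of failing on it.
        findings["extension_elements"] = [child.tag for child in ext]
    return findings


if __name__ == "__main__":
    print(inspect_authn_request(SAMPLE_REQUEST, {"https://sp.example.com/saml/metadata"}))
```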
