Implementing SSO in Salesforce - NetSuite

My use case is: I need to open NetSuite within Salesforce using SSO. Both platforms support SAML 2.0.
As a first step mentioned in SSO implementation guide in Salesforce, I am trying to create new Single Sign On Setting from 'New From Metadata Url' button. And here is NetSuite Service Provider metadata url:
https://system.na1.netsuite.com/saml2/sp.xml
However, Salesforce is throwing an error:
The XML file doesn't include your SAML 2.0 settings. Verify that the URL links to the SAML 2.0 settings you want.
I checked the NetSuite SSO metadata XML (provided at the URL above) and it contains a definition for SAML 2.0, so I am not sure why this error is coming up. Can anyone suggest what might be wrong, or whether I am missing something here?
Thanks in advance!

I think the issue is that both Salesforce and Netsuite are Service Provider implementations. Neither is an Identity Provider so if you are importing Netsuite's metadata to Salesforce you'd get an error because you are importing the wrong sort of file.
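The answer's point can be checked before pressing the import button: a SAML metadata document declares its role through an IDPSSODescriptor (Identity Provider) or SPSSODescriptor (Service Provider) element, and an SP-side import such as Salesforce's "New From Metadata URL" only makes sense for a document that carries an IDPSSODescriptor. The script below is an added example, not code from Salesforce, NetSuite or the original answer. The two metadata documents embedded in it are constructed samples with placeholder entity IDs, and nothing is fetched over the network; to inspect a real file, pass its contents to describe_metadata.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample of SP metadata (placeholder entity ID), shaped like what a
# Service Provider publishes: it has an SPSSODescriptor and no IDPSSODescriptor.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml2/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of IdP metadata (placeholder entity ID): the kind of
# document an SP-side "import IdP metadata" dialog expects.
SAMPLE_IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.invalid/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _q(local):
    """Clark-notation name for an element in the SAML metadata namespace."""
    return f"{{{MD_NS}}}{local}"


def describe_metadata(xml_text):
    """List every entity in the document with its SAML roles and key endpoints."""
    root = ET.fromstring(xml_text)
    # A document may be a single EntityDescriptor or an EntitiesDescriptor
    # wrapping several of them; handle both shapes.
    if root.tag == _q("EntityDescriptor"):
        entities = [root]
    else:
        entities = root.findall(_q("EntityDescriptor"))

    result = []
    for ent in entities:
        roles = []
        endpoints = {}
        idp = ent.find(_q("IDPSSODescriptor"))
        if idp is not None:
            roles.append("IdP")
            endpoints["sso"] = [e.get("Location") for e in idp.findall(_q("SingleSignOnService"))]
        sp = ent.find(_q("SPSSODescriptor"))
        if sp is not None:
            roles.append("SP")
            endpoints["acs"] = [e.get("Location") for e in sp.findall(_q("AssertionConsumerService"))]
        result.append({"entity_id": ent.get("entityID"), "roles": roles, "endpoints": endpoints})
    return result


def is_importable_as_idp(xml_text):
    """True only if at least one entity in the document acts as an Identity Provider."""
    return any("IdP" in e["roles"] for e in describe_metadata(xml_text))


if __name__ == "__main__":
    for label, doc in (("SP sample", SAMPLE_SP_METADATA), ("IdP sample", SAMPLE_IDP_METADATA)):
        print(label, describe_metadata(doc), "importable as IdP:", is_importable_as_idp(doc))
```

Running it on the SP sample reports roles ["SP"] and "importable as IdP: False", which is the situation the answer describes: the file is valid SAML 2.0 metadata, but for the wrong role.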

Related

Snowflake 403 error using Google as Identity Provider IdP

I'm trying to configure google IdP on my Snowflake following this tutorial from Snowflake community:
https://community.snowflake.com/s/article/configuring-g-suite-as-an-identity-provider?t=1630354048853
After the whole configuration is complete, when I click on the SSO button on the login page
[screenshot: SSO screen]
I receive the following error:
[screenshot: error message]
I have already double-checked the SAML configuration on both platforms
[screenshot: SAML configurations]
And the app configuration on Google seems correct
[screenshot: Google Snowflake app configuration]
But the 403 error still persists.
How can I identify exactly where the problem is (Snowflake or Google) and how to fix it?
Is there any log I should be checking, or any configuration missing?
Thanks!
We ran into this error as well, but fortunately the solution was rather simple in our case:
Either use incognito mode
Or log out & back in to the Google account
Afterwards, it works flawlessly! 👌
I found this article from Google Support:
"403 app_not_configured_for_user. To resolve the 403 app_not_configured_for_user error: Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive."
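The comparison the Google Support article asks for can be done directly on the SAMLRequest parameter that the browser sends to the IdP, which is what you would pull from the browser's network tab when chasing this 403. The script below is an added example, not code from Snowflake, Google or the original answer: it decodes the parameter for both SAML bindings (base64 plus raw DEFLATE for HTTP-Redirect, base64 only for HTTP-POST), pulls out the saml:Issuer value and compares it with the configured Entity ID case-sensitively, reporting separately when the only difference is letter case. The AuthnRequest embedded in it is constructed with placeholder URLs.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AuthnRequest with placeholder URLs; not captured from Snowflake or Google.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed1" Version="2.0" IssueInstant="2021-09-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.invalid/fed/login">'
    '<saml:Issuer>https://SP.example.invalid</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64 (the ?SAMLRequest= query value)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def encode_post(xml_text):
    """HTTP-POST binding: base64 only (the SAMLRequest form field)."""
    return base64.b64encode(xml_text.encode()).decode()


def decode_saml_request(value):
    """Recover the AuthnRequest XML from either binding's SAMLRequest value."""
    raw = base64.b64decode(value)
    if raw.startswith(b"<"):
        return raw.decode()  # POST binding: the XML is there after base64 decoding
    return zlib.decompress(raw, -15).decode()  # Redirect binding: inflate first


def extract_issuer(xml_text):
    """Return the text of the top-level saml:Issuer element, or None if absent."""
    root = ET.fromstring(xml_text)
    el = root.find(f"{{{SAML_NS}}}Issuer")
    return el.text.strip() if el is not None and el.text else None


def check_issuer(saml_request_param, configured_entity_id):
    """Compare the request's Issuer with the Entity ID configured at the IdP.

    Returns "match", "case-mismatch" (same letters, different case, which the
    IdP still rejects) or "mismatch".
    """
    issuer = extract_issuer(decode_saml_request(saml_request_param))
    if issuer == configured_entity_id:
        return "match"
    if issuer is not None and issuer.casefold() == configured_entity_id.casefold():
        return "case-mismatch"
    return "mismatch"


if __name__ == "__main__":
    param = encode_redirect(SAMPLE_AUTHN_REQUEST)
    print("Issuer in request:", extract_issuer(decode_saml_request(param)))
    print(check_issuer(param, "https://SP.example.invalid"))   # match
    print(check_issuer(param, "https://sp.example.invalid"))   # case-mismatch
    print(check_issuer(param, "https://other.example.invalid"))  # mismatch
```

A "case-mismatch" result is exactly the failure the quoted article describes: the Entity ID in the Admin console and the Issuer emitted by the SP differ only in case, and the IdP answers with app_not_configured_for_user.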

Can MSAL be used with my own authority (e.g. IdentityServer)

I have my own identity authority set up using the Identity Server.
I'm running a native Windows application and currently I'm using IdentityModel's OidcClient library to connect to the authority and obtain the token.
I want to add support for Azure AD and, since I haven't been able to set up the application on Azure AD to use the HybridWithProofKey flow and found this MSAL, I've decided to give it a shot.
In MSAL there is a PublicClientApplication class which accepts the string authority in its constructor (source).
When passing my URL in this constructor I imagined it would use the discovery service, find the correct endpoints and do its job. But to my surprise this doesn't work.
I get the following error message:
AADSTS50049: Unknown or invalid instance.
Searching GitHub MSAL for AADSTS50049 returned zero results. I've cloned the project and started debugging.
I've figured out that the request is sent to my authority URL, but instead there is a GET request on
GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.0&authorization_endpoint=https%3A%2F%2Fmyidentityserverhostname%2Fidentityserver%2Foauth2%2Fv2.0%2Fauthorize HTTP/1.1
This request is done in this source and it returns the error above.
So, is MSAL intended to be used with non-Azure authorities?
No. It's a proprietary client library for their proprietary backend.
Yes it can.
You need to use the Azure B2C library; it can be configured with other identity providers, like Facebook, Google, LinkedIn etc.
There is also an option to utilise a custom IdP, if it conforms to OpenID.
See here.
https://go.microsoft.com/fwlink/?linkid=854174
Using MSAL.NET with a non-MS OpenID Connect provider is unnecessary, as Microsoft.AspNetCore.Identity provides sufficient support for social logins and other OIDC providers.
Also, vendors of custom OpenID Connect servers provide their own extensions (see the IdentityServer docs and OpenIddict samples).
As per this official example, MSAL is not required if you're only signing users in. They claim:
MSAL is used for fetching access for accessing protected APIs
BTW, if you're interested in MSAL.JS, then it's a completely different story – https://stackoverflow.com/a/73618966/968003.

How to crawl a website that has SAML authentication using ManifoldCF or nutch?

I am trying to crawl a website, more specifically a Google Site that has SAML authentication, using ManifoldCF, and index the crawled data into Apache Solr. But as I crawl the URL, it gives me a 302 redirection to the login page and then says RESPONSECODENOTINDEXABLE.
I am not sure whether I have authenticated correctly or not. In ManifoldCF we have options for HTTP Basic authentication, NTLM authentication and the Session-based access credentials authentication method. I used the Session-based authentication method, which looks more like form-based authentication rather than SAML authentication.
Has anybody crawled a website with SAML authentication using ManifoldCF? And if not ManifoldCF, has anyone been able to accomplish this via Apache Nutch? Because I am afraid it also provides only HTTP Basic, Digest and NTLM authentication.
Any insight would be helpful. I can provide more information regarding the issue if anyone here thinks it can easily be accomplished. Basically, when I crawl https://sites.google.com/a/my-sub-domain.com, it redirects to the SSO login page and the crawler refuses to crawl any more, giving a 302 error. It's an intranet-based website.
There is no support in Nutch for SSO authentication using SAML. You need to handle it by writing your own custom plugin. We have extended the protocol-selenium plugin to handle SAML flows.
Not sure whether this helps, just try it out.
In Nutch, we can provide credentials to log in to the page; there is an httpclient-auth.xml file in the conf directory.
There you can provide your host name along with the credentials.

    <auth-configuration>
      <credentials username="admin" password="admin123">
        <authscope host="hostname" realm="login"/>
        <default/>
      </credentials>
    </auth-configuration>

Similarly, you can add any number of credentials to this configuration.
To crawl HTTPS sites, change the plugin.includes property from protocol-http to protocol-httpclient in nutch-conf.xml.
We have modified the logic in the Nutch protocol-selenium plugin to handle SSO flows.
You need to wait for the redirect to the SSO page. Then, using Selenium, you can handle the SSO. Again, wait for the redirection to the original page after SSO.
If 2-factor auth is required, then things become complex. In that case you can configure Google Authenticator (if allowed by your IdP). You can use that to get the TOTP.
For crawling files behind authentication there is no usual way. You can configure the driver to always download files and then use the downloaded file.
You can handle the auth flow using other HTTP clients. If you need a dynamic page's content (after all JS and Ajax requests have completed) then Selenium is the best choice, and if you are using it, you can move the auth part to Selenium.

Consuming SAML 2.0 in MVC5 .NET Framework 4.5 (SAML 2.0 token is generated by F5 BIG-IP)

Current State of web application:
We have an existing web application designed in AngularJS and MVC5. Authentication happens against our custom database.
SignIn:
We overrode Microsoft.AspNet.Identity.UserManager and other source classes to talk to our database to get user-related information,
adding the results to System.Security.Claims.ClaimsIdentity,
and passing them on to "Microsoft.Owin.Security.IAuthenticationManager.SignIn(params System.Security.Claims.ClaimsIdentity[] identities)".
What I need: SSO
We would like to move the authentication to SSO with a SAML 2.0 token, as we are planning to integrate 2 new vendors into our web application.
Identity Provider:
We are implementing the Identity Provider in F5 BIG-IP, which does the authentication by providing the login page and generates the SAML2 token. Our web application would be configured as the Service Provider. On redirect to the web application it will pass on the SAML 2.0 token.
Consuming SAML2.0 in MVC .net framework 4.5.2
All my application would need is to consume saml2.0 token and integrate with existing authentication pipeline.
Things to do:
The metadata from the Identity Provider has a public key to decrypt the SAML 2.0 token, as well as a key which is used to sign the metadata file.
My assumption would be to parse the request for the SAML 2.0 token, verify that the token is valid, use the data from the attributes to query the database for more details, insert the results into "System.Security.Claims.ClaimsIdentity" and use the existing sign-in operation.
I need to figure out how to configure the principal, and whether we still need Microsoft.AspNet.Identity.UserManager.
Research:
In Visual Studio we had the Identity and Access tool, which doesn't exist from VS2013 onward.
Went through the article on Windows Identity Foundation and the claims identity principal:
www.codeproject.com/Articles/504399/Understanding-Windows-Identity-Foundation-WIF
I know WIF supports SAML 2.0 tokens but not the SAML2 protocols.
Here are the third-party tools that were suggested to be used:
http://nzpcmad.blogspot.co.nz/2013/06/saml-saml-connectivity-toolkit.html
I am not sure whether, just to consume the token, I need to use one of these tools, as we have our IdP configured in F5 BIG-IP and not designed in .NET.
Another good article I found
http://www.primaryobjects.com/2013/08/08/using-single-sign-on-with-windows-identity-foundation-in-mvc-net/
Also saw some suggestions about Saml2SecurityTokenHandler to process saml2.0 token.
I would appreciate it if someone could direct me to a simpler solution to integrate with my existing web app. I just need to consume the SAML 2.0 token and integrate with the existing claims-based authentication.
OK - then you have to use a SAML stack as per the link you used.
Have a look at Kentor - there are some examples on the site, plus I did a write-up.
Update:
The way SAML works is that the client needs to send an AuthnRequest to the IdP, then the user authenticates, and then the IdP sends an AuthnResponse to the client. The response contains the SAML token, which contains the assertions (claims).
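The consuming side of the flow the answer describes is where the Service Provider must be careful: the Response that arrives at the ACS endpoint is only usable as a source of claims after its status, issuer, validity window and audience have been checked, and the questioner's plan of "parse, verify, map attributes to ClaimsIdentity" is exactly that sequence. The script below is an added example, not code from Kentor, F5 or the original thread, and it is in Python rather than the questioner's C# so that the checks are visible without a SAML stack. It assumes the XML signature has already been verified by an XML-DSig library (that step is not in this script, and the embedded Response is a constructed, unsigned sample with placeholder entity IDs and attribute names); the returned claims dictionary stands in for the attributes that would be fed into a ClaimsIdentity.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed, unsigned sample Response with placeholder entity IDs; not output
# from F5 BIG-IP or any real IdP.
SAMPLE_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2021-09-01T12:00:00Z"
    Destination="https://app.example.invalid/saml/acs">
  <saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-09-01T12:00:00Z">
    <saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-09-01T11:59:00Z" NotOnOrAfter="2021-09-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.example.invalid/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="role">
        <saml:AttributeValue>billing</saml:AttributeValue>
        <saml:AttributeValue>reports</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

EXPECTED_ISSUER = "https://idp.example.invalid/saml"      # placeholder IdP entity ID
EXPECTED_AUDIENCE = "https://app.example.invalid/saml"    # placeholder SP entity ID


def _ts(value):
    """Parse a SAML UTC timestamp such as 2021-09-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def claims_from_response(response_xml, expected_issuer, expected_audience, now):
    """Validate a (signature-verified) Response and return its subject and attributes."""
    root = ET.fromstring(response_xml)

    code = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP reported non-success status")

    assertion = root.find(f"{{{SAML_NS}}}Assertion")
    if assertion is None:
        raise ValueError("no plaintext Assertion (an EncryptedAssertion must be decrypted first)")

    issuer = assertion.findtext(f"{{{SAML_NS}}}Issuer", "").strip()
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")

    cond = assertion.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (not_before and now < _ts(not_before)) or (not_on_or_after and now >= _ts(not_on_or_after)):
        raise ValueError("assertion outside its validity window")

    audiences = [a.text.strip() for a in cond.iter(f"{{{SAML_NS}}}Audience") if a.text]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this SP")

    name_id = assertion.findtext(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID", "").strip()
    claims = {}
    for attr in assertion.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text.strip() for v in attr.findall(f"{{{SAML_NS}}}AttributeValue") if v.text]
        claims[attr.get("Name")] = values
    return {"name_id": name_id, "claims": claims}


def check_sample(at):
    """Run the sample through the checks at time `at`; return claims or the rejection reason."""
    try:
        return claims_from_response(SAMPLE_RESPONSE, EXPECTED_ISSUER, EXPECTED_AUDIENCE, _ts(at))
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(check_sample("2021-09-01T12:01:00Z"))  # accepted: subject and claims
    print(check_sample("2021-09-01T12:10:00Z"))  # rejected: validity window has passed
```

Each attribute maps to a list of values because SAML allows multi-valued attributes (the sample's "role" has two), which is the shape a ClaimsIdentity expects when one claim type is added several times.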

Generate shibboleth IdP metadata

I was thrown on a project where I need to implement web SSO. I'm new to SAML. I've set up Shibboleth IdP. How do I generate IdP metadata in order to give it to service providers?
The default location for the Shibboleth IdP metadata is either of the following:
Shibboleth-idp-installation/metadata/idp-metadata.xml
or
idp-url/shibboleth
It's located in
{shibboleth installation folder}/metadata/idp-metadata.xml
