I'm using TestShib and Python Social Auth SAML backend to implement a Service Provider on a Django app.
I've been able to configure my app, and build a metadata file.
TestShib allows for my metadata file to be uploaded here.
I have configured TestShib's metadata correctly on my end and built up a test button pointing to TestShib's endpoint.
When I click that button, I get redirected to TestShib, then provide test credentials, and then I get an error because the metadata does not match the redirect.
How does TestShib, or any other IDP for that matter, manage to find the right metadata (among several SPs) after an incoming auth request? Does the EntityID have to match the URL of the Service Provider?
EDIT: (added more info)
SP's metadata (uploaded previously to TestShib):
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="P10D" entityID="https://www.example.com">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDBDC .. QltX1icsr0=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDBDC .. QltX1icsr0=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://staging.example.com/complete/xx-saml/" index="1" />
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en-US">example</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en-US">Example</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en-US">https://www.example.com</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
<md:GivenName>John Doe</md:GivenName>
<md:EmailAddress>johndoe#example.com</md:EmailAddress>
</md:ContactPerson>
<md:ContactPerson contactType="support">
<md:GivenName>John Doe</md:GivenName>
<md:EmailAddress>johndoe#example.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
Request:
https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fVNN ...
<samlp:AuthnRequest
AssertionConsumerServiceURL="https://staging.example.com/complete/saml/"
Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"
ID="ONELOGIN_973a7f348c282cc6dedd4410f900efcf9538dcda" IssueInstant="2016-08-22T14:12:11Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="Example"
Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer>https://www.example.com</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Error:
10:10:39.009 - WARN [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:206] - Relying party 'https://www.example.com' requested the response to be returned to endpoint with ACS URL 'https://staging.example.com/complete/saml/' and binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' however no endpoint, with that URL and using a supported binding, can be found in the relying party's metadata
10:10:39.009 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:447]
- No return endpoint available for relying party https://www.example.com
https://staging.example.com/complete/saml/ is available so the problem seems to be that the metadata info was not found by TestShib. Entity ID and Issuer seem to match ..
The Assertion Consumer Service URL in the AuthN Request (https://staging.example.com/complete/saml/) doesn't match the one in the metadata (https://staging.example.com/complete/xx-saml/), which is also in line with the error thrown by the IdP.
The quickest fix would be to edit the metadata and correct the <md:AssertionConsumerService.../> element so that it reflects the actual ACS to be used.
I'm trying to upload an image/music file using a presigned URL, but I'm getting a 403 Forbidden error. I've implemented it using the document below.
http://www.cheynewallace.com/uploading-to-s3-with-angularjs-and-pre-signed-urls/
$http.put($scope.uploadFileLocation["presigned-url-bkgd-img"],
document.getElementById('backgroundImage').files[0],
{ headers: {
'Content-Type': document.getElementById('backgroundImage').files[0].type }
})
.success(function (resp) {
//Finally, We're done
alert('Upload Done!' + resp);
})
.error(function (resp) {
alert("An Error Occurred Attaching Your File" + resp);
});
So the topic regarding the issue you are facing is called CORS, Cross-Origin Resource Sharing. This is good security on the part of Amazon Web Services. A malicious user could get access to your s3 bucket for uploading images without having to pay for it.
First, I would check if your application requires a user to be logged in, in other words does your application have the idea of a user logging in to use the application in general. If so, then you probably need to configure your project accordingly, for example grabbing that middleware that requires your user to be logged in to do anything and dropping it as an argument into your route request to /api/upload.
Second, check your AmazonS3 -> my-bucket-123 and click on the PERMISSIONS tab.
You may need to configure it like so:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="https://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>Authorization</AllowedHeader>
</CORSRule>
<CORSRule>
<AllowedOrigin>http://localhost:3000</AllowedOrigin>
<AllowedMethod>PUT</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
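Added example, not code from the post or from AWS: a Python model of how a browser preflight is matched against the bucket CORS configuration above (the first rule whose AllowedOrigin, AllowedMethod and AllowedHeader entries all match is used; a preflight that matches no rule is what S3 rejects). The configuration string is a copy of the one above; any origin other than localhost:3000 used with it is constructed.

```python
# Added example: evaluate a simulated CORS preflight (origin, method, requested
# headers) against the bucket CORS rules posted above. Header names are compared
# case-insensitively and '*' is honoured as a wildcard, as S3 does.
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

CORS_NS = "{https://s3.amazonaws.com/doc/2006-03-01/}"

# The configuration from the answer, embedded so the example runs offline.
BUCKET_CORS = """<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="https://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin><AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds><AllowedHeader>Authorization</AllowedHeader>
  </CORSRule>
  <CORSRule>
    <AllowedOrigin>http://localhost:3000</AllowedOrigin><AllowedMethod>PUT</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds><AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>"""


def parse_rules(xml_text):
    """Turn the CORSConfiguration document into a list of rule dicts, in file order."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall(CORS_NS + "CORSRule"):
        rules.append({
            "origins": [e.text for e in rule.findall(CORS_NS + "AllowedOrigin")],
            "methods": [e.text for e in rule.findall(CORS_NS + "AllowedMethod")],
            "headers": [e.text.lower() for e in rule.findall(CORS_NS + "AllowedHeader")],
        })
    return rules


def matching_rule(rules, origin, method, request_headers=()):
    """Index of the first rule permitting this preflight, or None when the browser
    will see a CORS failure (for the PUT in the question: Content-Type is requested,
    so only a rule allowing that header for that origin and method can match)."""
    for i, rule in enumerate(rules):
        if not any(fnmatchcase(origin, pat) for pat in rule["origins"]):
            continue
        if method not in rule["methods"]:
            continue
        if all(any(fnmatchcase(h.lower(), pat) for pat in rule["headers"])
               for h in request_headers):
            return i
    return None
```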
I am working on a Maven project in IntelliJ. I have generated Java from WSDL using cxf-codegen-plugin. I have created a client and created a tester.java to test the client. I have to log the SOAP request and response. I have one cxf.xml, config.properties and a client.java file. I am not sure where to configure the logging of the SOAP messages. Also I have little idea about web services. I have also copied log4j.xml to my META-INF.
I have tried all possible scenarios on Stack Overflow. Not sure what is going wrong.
Assuming you have the latest version of CXF (or fairly recent), the easiest way is to enable the logging feature on the CXF bus in the cxf.xml:
...
<cxf:bus>
<cxf:features>
<cxf:logging/>
</cxf:features>
</cxf:bus>
...
or only on your jaxws endpoint:
<jaxws:endpoint...>
<jaxws:features>
<bean class="org.apache.cxf.feature.LoggingFeature"/>
</jaxws:features>
</jaxws:endpoint>
Make sure you have cxf-rt-features-logging-XXX.jar on your classpath (XXX = your version of CXF).
And configure logging as described here:
http://cxf.apache.org/docs/general-cxf-logging.html
You need to be in INFO level at least.
I am trying to send a SAML request to the public IDP SSOCircle. I imported its metadata and try to authenticate against this URL:
https://idp.ssocircle.com/sso/idpssoinit?metaAlias=%2Fpublicidp&spEntityID=sp.bogdan.test
But when I send this request from my app, the following error is displayed:
Error occurred Reason: The SAML Request is invalid.
this is my request:
a link
and this is the SAML message in the request that I wrote:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_3b7f937b-073d-4289-b2d1-35e786ebb524" Version="2.0" IssueInstant="2017-04-03T12:42:06Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://localhost:61344/Account/AssertionConsumerService">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.ssocircle.com</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
It may be as simple as not having registered the right Assertion Consumer URL (http://localhost:61344/Account/AssertionConsumerService) with SSOCircle. But you should really look into the SSOCircle debug logs to find out more.
In your example you are sending https://idp.ssocircle.com as the Issuer of the AuthnRequest. The Issuer of the request is not the IDP but the SP. In your case it should be sp.bogdan.test.
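Added example, not code from either post, from TestShib, SSOCircle or python-social-auth: a Python model of the two IdP-side checks behind both SAML questions on this page, the ACS mismatch in the TestShib log and the wrong Issuer in the SSOCircle request. It assumes the IdP keeps a registry of uploaded SP metadata keyed by entityID; the metadata and request strings are constructed, trimmed copies of the ones posted.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed, trimmed copy of the SP metadata from the TestShib question.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://www.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://staging.example.com/complete/xx-saml/" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def load_registry(*metadata_docs):
    """Map entityID -> {(binding, location)} ACS endpoints, as an IdP builds from uploaded metadata."""
    registry = {}
    for doc in metadata_docs:
        root = ET.fromstring(doc)
        acs = root.findall(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)
        registry[root.get("entityID")] = {(e.get("Binding"), e.get("Location")) for e in acs}
    return registry


def select_response_endpoint(registry, authn_request_xml):
    """Return (ok, detail). Step 1: find the relying party by Issuer (must equal an entityID).
    Step 2: the requested ACS URL + binding must be listed in that party's metadata."""
    req = ET.fromstring(authn_request_xml)
    issuer = req.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in registry:
        return False, f"unknown relying party {issuer!r}: no metadata registered for this Issuer"
    wanted = (req.get("ProtocolBinding"), req.get("AssertionConsumerServiceURL"))
    if wanted not in registry[issuer]:
        return False, f"no endpoint {wanted[1]} with binding {wanted[0]} in metadata of {issuer}"
    return True, wanted[1]


def authn_request(issuer, acs_url):
    """Constructed AuthnRequest carrying only the fields the checks above inspect."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'Version="2.0" ID="_constructed" ProtocolBinding="{HTTP_POST}" '
            f'AssertionConsumerServiceURL="{acs_url}">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
```

Calling select_response_endpoint(load_registry(SP_METADATA), authn_request("https://www.example.com", "https://staging.example.com/complete/saml/")) reproduces the TestShib failure, and using "https://idp.ssocircle.com" as the Issuer reproduces the lookup failure behind the SSOCircle error.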
We have Silverlight Application with RIA web service. URL: https://mysite.mydomain.com/services/mysitewebservice.svc
Also, we have a Sharepoint (SharePoint 2013) site hosted in separate domain. URL: https://mysharepointsite.mydomain.com
The Silverlight RIA service is called in SharePoint Silverlight Web Part.
I placed the "clientaccesspolicy.xml" file in the Silverlight root site (URL: https://mysite.mydomain.com/clientaccesspolicy.xml) and I can view this file in IE v11 browser. Compatibility view is ON.
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
But when calling the service from the SharePoint site SL Web Part, an exception still occurs.
"Load operation failed for query 'GetMyData'. An error occurred while trying to make a request to URI 'https://mysite.mydomain.com/services/mysitewebservice.svc/binary/GetMyData?category=sales'. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. This error may also be caused by using internal types in the web service proxy without using the InternalsVisibleToAttribute attribute. Please see the inner exception for more details."
I read a bunch of forums and articles but they all point to placing the clientaccesspolicy.xml in the root site.
What is missing? Please help.
I have a command line script (actually a git post-checkout hook) that reloads my Solr application by doing a cURL to:
http://localhost:8080/manager/html/reload?path=/solr
Since I upgraded to Ubuntu 13.04, it now fails, where it used to work before the upgrade.
The cause of the problem is that my newer version of Tomcat (6.0.35), has some new CSRF protection and it now returns 403 Access Denied.
How can I solve the issue and bypass the CSRF protection?
More info:
My /etc/tomcat6/tomcat-users.xml file:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager"/>
<user username="tomcat" password="secret" roles="manager"/>
</tomcat-users>
The documentation for Configuring Manager Application access in tomcat mentions some new manager roles, however my error specifically mentions that the single "manager" role still exists for the moment (and I tried the other roles anyway without success).
(As I was writing the question, I found the answer.) Instead of cURLing to the HTML application, I needed to cURL to the "plain text interface".
i.e. instead of
http://localhost:8080/manager/html/reload?path=/solr
Use:
http://localhost:8080/manager/reload?path=/solr
It turns out:
The HTML interface is protected against CSRF but the text and JMX interfaces are not.
This fits with the new role called "manager-script". To ensure my app will work in the future I changed my /etc/tomcat6/tomcat-users.xml file:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="secret" roles="manager-gui,manager-script"/>
</tomcat-users>