We have Salesforce as IDP, WebSphere Portal v7.0 as SP. Our users are only available in Salesforce. From IBM, we came to know that Portal 7.0.0.2 does not support non availability of user in registry in terms of SAML whereas this feature is supported in WebSphere Portal 8 and 8+. SAML TAI happens properly, means any application deployed on WAS, SSO happens properly. Problem arises when we try to access WebSphere Portal. We get an error message that unable to find the user ID, even though it is available in the Subject.Now as a workaround, we need to create a user in Portal registry once SAML response is received. HAs anyone create a user on the fly in Portal registry through TAI or JAAS modules ?
You need to provide the User identities within the UserManagement system. WebSphere calls it VMM. It provides a pluggable infrastructure where you can trust the external users.
The function you have in Portal 8 and 8.5 had been developed first as an add on for Portal 7. Below is the link to it.
OpenID WebSphere Portal v7
Related
We installed an enterprise application through the Azure AD App Gallery. But when we try to config the Single Sign-on, it keeps saying:
The single sign-on configuration is not available for this application
in the Enterprise applications experience. HubSpot is a multi-tenant
application and the application is owned by another tenant.
Do we need to change some settings to allow the setup of Single sign-on?
We followed this tutorial but are now stuck on "Configure Azure AD SSO".
When added the hubspot application from Azure AD Enterprise application gallery like below ,you should be able to see if SSO setting is available or not and the ways it can be supported for sso.(Here i can be able to use SAML based SSO, or linked SSO)
Then you should be able to edit the saml configuration
For me when I search the hubspot app created in app registrations, its under supported account type of my organization only.
Please check if the App is registered and added as Multi-Tenant App in your case and users have to use login for particular tenant instead of common to avoid error.
Also user accounts need to be pre-provisioned into HubSpot prior to
sign-in .
Reference:
Sign in with My Apps portal and Azure AD SSO in multi tenants application - Stack Overflow
I followed this article to implment OAuth flow with the following authority url
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=d8e21783-5956-4bef-80ae-fdd636006223&prompt=login&response_type=code&response_mode=query&redirect_uri=xxxxx&scope=offline_access+user.read+files.readwrite.all&state=xxxxx
The page provides two sign-in ways:
With email address.
Without entering the email address.
You can see this screenshot, green line is the first option and orange line is the second.
Both of the two login ways supports 「Windows Hello Face」 and 「Security Key」 (Passwordless)
However, the authorization will fail if I choose the second sign-in way.
AADSTS500202: User account from external identity provider 'live.com' is not supported for API version '2.0'.
Does this mean Microsoft OAuth flow not supporting the second sign-in way?
PS: The ancient authority URL (ref) supports the second sign-in
way.
GET https://login.live.com/oauth20_authorize.srf?client_id={client_id}&scope={scope}
&response_type=token&redirect_uri={redirect_uri}
This approach is no longer recommended.
Use your personal Microsoft account to get access to Azure and all
consumer-oriented Microsoft products and cloud services, such as
Outlook (Hotmail), Messenger, OneDrive, MSN, Xbox LIVE, or Microsoft
365. Sign up your organization - Azure Active Directory - Microsoft Entra | Microsoft Docs
Note: Usually approach using the Azure AD v2.0 endpoint is recommended. However, some enterprise scenarios may require using the original Azure AD endpoint.
Please check this Microsoft Docs on Error AADSTS50020 to check for relatable cause to troubleshoot.
References:
Get OneDrive data in UWP using Microsoft (Live) Accounts and Azure
AD - DEV Community
Authorization and sign-in for OneDrive in Microsoft Graph
You can raise a support request.
When adding your Website to a new SSO (AD, Ping on this case), AD will normally ask for one thing: "Please share the Metadata URL for your site."
My application uses WS-Federation and its hosted on IIS. Its an application built in 2013 and minimal code changes are preferred.
Currently the (old) application is already enrolled in one AD that is going to be decommissioned, and the old Metadata used in 2013 is nowhere to be found. And so I need a new Metadata to provide to the new AD.
Back in 2020, I've already accomplished this, the WindowsIdentityFoundation SDK 4.0 was available on the microsoft site, and so following this: How to create federation metadata XML for "Relying Party Trust" and "Claims Provider Trusts" for ADFS 2.0 Was possible to create one FederationMetadata file completely valid and accepted by AD for an existing site to be enrolled to a new AD.
At the time I saved all the links/urls that I used, but with the SDK going out of business in late 2020, and some of the example sites, I had saved, are now Not Found. I am stuck.
Now, 2 years later, we do not have WIF SDK anymore, and here I am trying to do the same. For another address/website. To try to understand better a new approach, I tried to create a new application in Visual Studio to see what FederationMetadata.xml is generated by using the VS's Authorization and publishing. But no matter what I do, a FederationMetadata.xml is nowhere to be found, build/release folders, IIS, anywhere.
So, my question:
How to create a new application with a new FederationMetadata file?
Or even better, how to create a FederationMetadata for an already existing Website?
Thank you.
• Firstly, please ensure that ADFS is installed with correct settings in your environment and the ADFS service is reachable from the extranet through public DNS records configured. Once this is achieved, then please check whether your website has the correct website name configured according to the DNS of the IIS server on which it is hosted and joined to the domain.
Once the above things are working fine and are accessible from the intranet as well as extranet by adding the required DNS records in internal as well as public DNS, please ensure that system authentication and security classes regarding Windows Identity Federation framework that provide basic programming model for claims-based authentication is included in the ASP .NET MVC app or not.
• Since, as you said, the WIF SDK is out of business and no longer available, Microsoft has included the WIF classes in .NET Framework 4.5 hence forth and that should be used for claims-based identity and authentication in ASP .NET applications. So, to do this and include the required claims identity principals and assembly packages, please refer to the documentation link below for more information. It will help you in including the classes and namespaces required for security token-based authentication in your application.
https://learn.microsoft.com/en-us/dotnet/api/system.security.claims?view=netframework-4.5.2
Once the above is done, then you can create an ADFS Federation metadata URL by going to the Endpoints section in ADFS workspace. In that, go to ‘Metadata’ section and copy the link given there which states type as ‘Federation metadata’ and add your ADFS service FQDN in the link’s prefix to form the ADFS federation metadata URL, i.e., ‘https:adfsservicename.domainname.com/FederationMetadata/2007-06/FederationMetadata.xml’
• When the federation metadata URL is generated through the ADFS, then open your ASP. NET MVC application in Visual studio and change its authentication to on-premises, then configure the on-premises authority with the federation metadata URL and leave the App ID URI blank to detect the application URI name from the web.config file. Once, that is done, check the ‘System.IdentityModel’ and other classes added in the project directory. Then, configure the application as a ‘Relying Party’ in your ADFS Server and configure the SSO accordingly.
Please refer to the below link for more information on above stated steps of creating an ADFS URL for ASP .NET MVC application: -
https://www.dotnetcurry.com/windows-azure/1158/using-adfs-azure-single-signon-aspnet-mvc
New to Azure AD... So please don't be too harsh if this is off target. :-)
Technology Stack - Latest Angular 2 with C# Middle tier and latest .Net Framework.
Ideally, What we want to do is use Azure AD B2C to store user credentials and to do the authentication - but we want our 'own' forms on our site to do the login Forms capture and logging - then pass the credentials through an API (REST?) Call (using MS Graph SDK?) to Azure AD B2C and then check the call return for the Authorization content message.
Couple of reasons - control of the application flow, Logging and the "flickering of the URL" (i.e. going from our site URL to login.microsoft... URL and then back to our sites URL).
Is this doable without doing a hack?
Thank you in advance for your help and patience!
You are looking for the "Resource Owner Password Credentials".
This is not currently supported for Azure AD B2C, but you can give user feedback to the B2C team that you want this through the Azure Feedback Forum: Add support for Resource Owner Password Credentials flow in Azure AD B2C and headless authentication in Microsoft Authentication Library
You should also see updates at that location if and when they implement this feature.
The resource owner password credentials flow is now in preview.
In Azure Active Directory (Azure AD) B2C, the following options are
supported:
Native Client: User interaction during authentication happens when
code runs on a user-side device. The device can be a mobile
application that's running in a native operating system, such as
Android, or running in a browser, such as JavaScript.
Public client flow: Only user credentials, gathered by an application, are sent in
the API call. The credentials of the application are not sent.
Add new claims: The ID token contents can be changed to add new claims.
The following flows are not supported:
Server-to-server: The identity protection system needs a reliable IP
address gathered from the caller (the native client) as part of the
interaction. In a server-side API call, only the server’s IP address
is used. If a dynamic threshold of failed authentications is exceeded,
the identity protection system may identify a repeated IP address as
an attacker.
Confidential client flow: The application client ID is
validated, but the application secret is not validated.
From here.
Note that one disadvantage of doing what you're requesting is precisely that you can do "login forms capture and logging", so your application has a chance to see the credentials and perhaps take copies of them; thus your users have to trust you to behave.
The normal web-based flow means that your application doesn't need to be trusted; it never even sees the password at all.
I am using iis 7.5 and I need connect authentication to my spring app on jboss 7.1.1 via my active directory with the windows authenticated user.
It should check the windows user is valid in ad.
How can I do this?
If you want following scenario:
user pass authentication in windows
when user opens web application then it will be authenticated automatically (no need to type windows login / pasword twice).
then Spring Security KERBEROS/SPNEGO extension is way to go. See this blog entry for details.
If you want to have a login page (where your users can retype their windows credentials) then you can set up and use a special ActiveDirectoryLdapAuthenticationProvider in your Spring Security config.