I have several clients. All of them are able to retrieve their domain_public user information via directory api using their own credential. Then, one of the client always return a resource not found error even the account is valid. However, when I tried with an admin user with admin_view, everything work fine. Only domain_public viewType return error. Anybody have this issue?
Please confirm that contact sharing is enabled for the domain:
https://support.google.com/a/answer/60218?hl=en
As well as for the user they are attempting to retrieve:
https://support.google.com/a/answer/1285988
Related
I'm unable to login to my own subscription. When I try to login the page shows next error: "Your account has been locked. Contact your support person to unlock it, then try again.". The URL of this page looks like https://login.microsoftonline.com/[ANOTHERORG].onmicrosoft.com/oauth2/..., but I do not work in ANOTHERORG anymore and I want to login into my own subscription.
The ID of my own subscription should be f77b7b54-c38f-44e0-a471-95a4914cf742. I tried to login multiple times from incognito windows of different browsers and for some reason it tries to login into ANOTHERORG instead of my own. BTW, I used the same email address to login into ANOTHERORG and my own so I do not understand what the problem is, I think Azure should suggest to select which subscription I want to login to. How can the problem could be solved? How can I login into f77b7b54-c38f-44e0-a471-95a4914cf742 ?
Also I'm unable to create issue using https://azure.microsoft.com/en-us/support/create-ticket/ because of the same problem: it tries to login to ANOTHERORG which I do not have access anymore
I hope people from Microsoft are read questions on stackoverflow and will help to solve my problem
Finally I was able to find solution: I opened link https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade which was mentioned in https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/troubleshoot-sign-in-issue. From here I was able to change my default directory (Switch Directory -> Set your default directory dropdown). Now when I open portal.azure.com it opens my own subscription without an issue.
I'm looking for a way to automate the process of updating admin credentials inside an enterprise app in AAD. Looking at the Microsoft docs e.g. here this should be possible via the graph api. Whenever I attempt these steps I'm running into "InternalServerError" along with "Microsoft.Graph.ServiceException: Code: UnknownError".
My dotnet code for validating existing credentials is the following.
await graphServiceClient.ServicePrincipals[$"{servicePrincipalId}"].Synchronization.Jobs[$"{jobsId}"]
.ValidateCredentials(null,null,null,credentials)
.Request()
.PostAsync();
The result is the error above with the same error for any other synchonization method. I've considered it could be a permissions issue but I've found that the api does a reasonable job of sending permission issues back so I'm stumped at this point.
Does anybody have any advice on this?
I see that you're updated that "The result is the error above with the same error for any other synchronization method". In such scenario, I would do the basic sanity checks
Validate the credentials that
you're using
Make sure the user context has necessary scopes/roles
defined too
Make sure the template and the parameters that you're
is correct.
Once you assigned app role to the user that you're using for delegating permissions, it worked for you.
We are using OpenAM to authenticate with out Active Directory users. We are running into a very odd problem.
We login using the mail attribute which belongs to the user object class in Active Directory. Upon logging in a Not found error appears on the screen. Looking into the network tab we see that there was a request to openam/json/realms/root/users/<mail#domain.com>, but it returns a 404.
If we close the tab and reload the login url again, it immediately goes to the consent screen and displays the user's conical name. Accepting the agreement successfully sends us to the specified redirect uri.
Info:
There a module that looks into a Data Store that is hooked pulls a certain organization group (the data store appears to work fine)
There is a simple chain that uses that module
Any ideas?
I was able to determine the problem after digging into the OpenAM logs.
I turned on message level debugging and say that the Not found error was not a problem with find the user in AD, but a problem finding groups in AD.
By default the datastore we had created was searching for groups with some arbitrary attributes, but our AD does not have groups. We set all the group search fields to be blank and this resolved our problem.
While trying to use the query editor in developer console.
"SELECT ID FROM ACCOUNT"
It throws an erorr saying "This session is not valid for use with the REST API".
Any idea what excatly tthe issue here. Earlier it workerd fine.
The same problem when i click on "Open" dialog of developer console and select objects.
"CANNOT LOAD OBjects.This session is not valid for use with the REST API"
I ran into this same issue, where I could open Visualforce pages, Apex, etc but it would give me the error "This session is not valid for use with the REST API" any time I tried to use the Query Editor or create a new Trigger (which needs the object list) via the Developer Console. I tried every browser, flushing cookies, logging in as other users, etc with the same results.
I found that our org has API white listing enabled (https://help.salesforce.com/HTViewHelpDoc?id=security_control_client_access.htm&language=en_US) which blocks the API calls access unless explicitly granted.
From the Salesforce Documentation
"Contact Salesforce to enable API Client Whitelisting. After it’s enabled, all client access is restricted until explicitly allowed by the administrator. This restriction might block access to applications that your users are already using. Before you enable this feature, you should configure and approve connected apps for any client applications you want users to continue using, or give the users a profile or permission set with “Use Any API Client” enabled."
So adding the "Use Any API Client" permission set to your user profile should fix the issue.
To do this via a Permission Set, you can go to Setup > Users > Permission Sets and create a new one. Add a System Permission of 'Use Any API Client'.
There may be a way to enable API access for the Developer Console via whitelisting or the app settings but I was not able to easily find a way. You would definitely want to test whatever functionality you are creating with a user that does not have that permission enabled.
This is happening because of connected app is not configured correctly.
On 'API (Enable OAuth Settings)' panel, move 'Access and manage your data (api)' option from left to right of Selected OAuth Scopes field and then save the setting.
Wait for few minute and then try. It should work.
Looks like just the session is expired. Did you try to close developer console, relogin to your SF sandbox and open developer console again?
Create a Permission Set, and add a System Permission of 'Use Any API Client'.
And associate this permission set to users. It will solve the problem.
I'am creating application which can be used by unknown and logged in users. Only difference is that logged in user can use some additional functions like saving its content in database.
All communication is based on ajax calls, so what I need is to deny access to some controller functions (end points) in backend for unknown users and on the client side I need to know that it is in logged in state to set this extra functions active. Only one page, login form should be in dialog. I'm little bit confused, because standard Spring Security aproach doesn't fit this case. I was reading this tutorial but I cant't fully understand it.
First: What Principal object does? They send credentials to this endpoint on submit with login() function but where is handled password check? What if I have my users in database?
Second Is it possible to write this configuration in XML style? I guess that it can be done with <intercept-url/> in spring-security.xml file.
Principal Object
The Principal Object is used to be able to get basic information about a user that is attempting to login when using automatic server authentication (i.e. LDAP). However, you will only be able to get a username from the principal object. With a server JBoss/WildFly, for example, you can link the server to Active Directory to allow Microsoft Windows to authenticate users.
Simple Solution
First, Spring Security will add additional complexity to your application where it doesn't sound like you are trying to do that. Instead, use a simple Servlet Filter. If you are using LDAP on a JBoss/WildFly sever, you can make a POST to j_security_check and the server will send the request to the filter if correct credentials are provided. Inside the filter, you may use the getName() function of the Principal object to get the username so that you may store it in the user's session. However, if you are not using LDAP, you may make a simple POST to a Java Servlet or Spring Controller (with an #RequestMapping) to attempt to login the user and store the user's information in the session.
At this point, you can filter out what URLs you will allow users to see. For example, the URL that contains /administrator/some/other/stuff.jsp could be restricted if the URL contains the word "administrator" in the first directory of the URL.