I am testing the SLO aka Single Logout Service for HTTP Redirect SAML 2.0 binding. I am able to SSO successfully but I need a HTTP Redirect endpoint on CAS to point to from my SAML-SP for SLO. The endpoint I am getting a 404 is http://cas-server:8080/idp/profile/SAML2/Redirect/SLO.
For SSO, the endpoint http://cas-server:8080/idp/profile/SAML2/Redirect/SSO is working fine.
My CAS version is 5.0.6.
Here is a snippet from my Idp metadata xml with the endpoints for SLO and SSO :
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://cas-server:8080/idp/profile/SAML2/Redirect/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://cas-server:8080/idp/profile/SAML2/POST/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://cas-server:8080/idp/profile/SAML2/POST-SimpleSign/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://cas-server:8080/idp/profile/SAML2/SOAP/SLO"/>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="http://cas-server:8080/idp/profile/Shibboleth/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://cas-server:8080/idp/profile/SAML2/POST/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://cas-server:8080/idp/profile/SAML2/POST-SimpleSign/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://cas-server:8080/idp/profile/SAML2/Redirect/SSO"/>
Please help me understand if HTTP Redirect is supported for SLO scenarios.
TIA.
Based on the 5.0.x documentation, the following endpoints are supported:
/cas/idp/profile/SAML2/Redirect/SSO
/cas/idp/profile/SAML2/POST/SSO
/cas/idp/profile/SAML2/POST/SLO
/cas/idp/profile/SAML2/Unsolicited/SSO
If you see the 5.1.x documentation, the endpoints are as follows:
/cas/idp/profile/SAML2/Redirect/SSO
/cas/idp/profile/SAML2/POST/SSO
/cas/idp/profile/SAML2/POST/SLO
/cas/idp/profile/SAML2/Redirect/SLO
/cas/idp/profile/SAML2/Unsolicited/SSO
/cas/idp/profile/SAML2/SOAP/ECP
So at a minimum, you need to be on 5.1.x, or better yet, latest patch release of 5.3.x if you have to stay on Java 8.
Related
I am currently using the FLASK developer HTTP server, and I am trying to build a local service (run on localhost) that serves files for a remote visualization website.
Here is the code for the python side
#app.route('/task/<path:path>', methods=['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'TRACE', 'PATCH'])
def static_file1(path):
p = "./task/" + path
return flask.send_file(p, conditional=True)
For safari, it just works like a charm.
As this screenshot indicates, flask development http server can serve files partially.
However, it didn't work for firefox for one request but not for the other.
And here are the headers for the first failed request
Successful request header
So I do believe the CORS header (Access-Control-Allow-Origin) is set correctly, otherwise the second request would fail.
Then what did I do incorrectly?
Second part:
It also doesn't work in Chrome, both requests failed, but I found the article below explaining new security features:
https://developer.chrome.com/blog/private-network-access-preflight/#:~:text=%23%20What%20is%20Private%20Network%20Access,to%20make%20private%20network%20requests.
But even with "Access-Control-Allow-Private-Network" set to "true" (See screenshot above), both requests still failed in chrome. And error msg:
Access to XMLHttpRequest at 'http://localhost:10981/task/a5c8616777d000499ff0cd5dbb02c957/datahub.json' from origin 'https://somepublic.website' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `local`.
Any suggestion would be helpful!
Thanks!
Update 1:
After enabling ad-hoc SSL context (unsigned certificate) on the flask side, and using https on both localhost and "the public website", and changing the "#allow-insecure-localhost" flag in chrome to true, it works in chrome now. But still doesn't in firefox.
If you check the specification you will see that it is a "Draft Community Group Report" and
This specification was published by the Web Platform Incubator Community Group. It is not a W3C Standard nor is it on the W3C Standards Track.
The contribute list is made up entirely of people working for Google.
I can't find any mention of it in Firefox's bug tracker.
It looks like this is a highly experimental specification, which Firefox simple doesn't implement.
There doesn't appear to be any way to persuade Firefox to provide access from a secure, public Oritin to an insecure private origin.
I am using WSO2 identity server(wso2is-km 5.7) for multifactor authentication for an application.
I have set policy as:
First time login to application: Basic Authentication + email OTP.
This sets a device cookie in the browser, so when I logout from the application and try to login to the same application again it should just ask me for basic authentication.
Second and further login to application:Basic authentication(no email otp this time).
This whole policy works fine when i am carrying out this activity from intranet(Corporate network) but the same doesn't work if I try to login from internet(we have put WSO2 behind WAF[web application firewall]). Here i am being prompted for email otp even on second and further login to the application, meaning the device cookie is not being correctly set here.
Please refer the error below:[ERROR]
Error occurred when converting cookie value to JSON.Unexpected token END OF FILE at position 993
My guess is the cookie being set in the internet case is not proper(appended with some garbage value during SSL offloading at WAF).
How do i reslove this issue??
I am trying to get user photos out of Microsoft Exchange using the GetUserPhoto REST request documented here: https://msdn.microsoft.com/en-us/library/office/jj190905%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396
My problem is no matter what I do the connection gets closed automatically and it can't authenticate using NTLM. Microsoft even provides code but when you run this in a IIS web application even if it is using an application pool running as a domain user, it never can authenticate.
This is my current code that isn't working:
request = System.Net.WebRequest.Create($"https://{Settings.ExchangeServer}/ews/exchange.asmx/s/GetUserPhoto?email={primarySmtpAddress}&size=HR240x240") as System.Net.HttpWebRequest;
request.ServerCertificateValidationCallback = delegate { return true; };
request.UseDefaultCredentials = true;
resp = request.GetResponse() as System.Net.HttpWebResponse;
Now I can put this in a console application and run it and then it works. But in IIS it just won't work at all. I've even tried RestSharp with no luck.
Sounds like a delegation issue eg the credentials your impersonating can only be used to access resources local to the IIS server they are being impersonated on. For you to access Exchange you need to have delegation configured correctly see https://blogs.msdn.microsoft.com/emeamsgdev/2012/11/05/ews-from-a-web-application-using-windows-authentication-and-impersonation/
The problem was it wasn't trying to connect with TLS 1.2. Once it clicked in my head, the error message was saying the connection closed and not actually returning a 401. I user ServiceManager to set it to TLS1.2 and then it started working.
Glen Scales help point me in the right direction though to troubleshoot it further.
I am trying to implement Single Sign Out using idsvr 3, I have two client apps (a MVC 5 and an asp.net core) both registered as clients and logging in works perfect
MVC 5 - Client A Asp.NET core - Client B
When both apps are logged in and i click on the log out link on Client B , Client A is logged out successfully. But on vice versa (Logging out of Client A first) Client B is not logged out. On checking on the browser's (Chrome Version 56.0.2924.87) console i get the following error
Refused to frame
'https:/client_B/myDomain/Signout_oidc/?sid=2adc40bd3ae432a81671118b09a'
because it violates the following Content Security Policy directive:
"frame-src 'self' https:/client_B.myDomain https:/client_A.myDomain".
How can I resolve this?
Try to add below code to your IdentityServerOptions instance.
CspOptions = new CspOptions
{
FrameSrc = "*"
}
More information how to configure CSP in IdvSrv3 in the documentation:
IdentityServer3 > CSP
IdentityServer Options
Thanks #Damian, I found where the issue was.
Issue was with client A URL, it had an underscore () character in it. In some way that violated a CSP rule or something else. Removing the '' character in the url solved the problem.
I have created webservice client based on this link http://px.pats.no/px/Eclipse_tutorial.html
I do realize that i am using WSDL1.1 specification.
From my WSDL i have the following serivce part(removed the xml tags as i was not able to paste in SO)
service name="BAPI_CUSTOMER_DISPLAYService"
documentation SAP Service BAPI_CUSTOMER_DISPLAY via SOAP documentation
port name="BAPI_CUSTOMER_DISPLAYPortType" binding="s0:BAPI_CUSTOMER_DISPLAYBinding"
soap:address location="http://**:8000/sap/bc/soap/rfc"
port
service
Following is my client
BAPI_CUSTOMER_DISPLAYService locator = new BAPI_CUSTOMER_DISPLAYServiceLocator();
URL urlLocation;
urlLocation = new URL("http://**:8000/sap/bc/soap/rfc");
System.out.println(locator.getBAPI_CUSTOMER_DISPLAYPortTypeAddress());
BAPI_CUSTOMER_DISPLAYBindingStub sapStub = new BAPI_CUSTOMER_DISPLAYBindingStub(urlLocation,locator);
sapStub.setUsername("****");
sapStub.setPassword("*****");
sapStub.BAPI_CUSTOMER_DISPLAY("1");
I am getting the following error
AxisFault
faultCode: {http://xml.apache.org/axis/}HTTP
faultSubcode:
faultString: (403)Forbidden
faultActor:
faultNode:
faultDetail:
{}:return code: 403
This service requires client certificate for authentication procedure.
{http://xml.apache.org/axis/}HttpErrorCode:403
(403)Forbidden
at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
at org.apache.axis.client.Call.invoke(Call.java:2767)
at org.apache.axis.client.Call.invoke(Call.java:2443)
at org.apache.axis.client.Call.invoke(Call.java:2366)
at org.apache.axis.client.Call.invoke(Call.java:1812)
at functions.rfc.sap.document.sap_com.BAPI_CUSTOMER_DISPLAYBindingStub.BAPI_CUSTOMER_DISPLAY(BAPI_CUSTOMER_DISPLAYBindingStub.java:234)
at functions.rfc.sap.document.sap_com.SAPClient.main(SAPClient.java:33)
Any help is appreciated. My intention is to consume services with any java technologies.
This is Urgent.