I'm using Spring Security 4.2.13.RELEASE and spring-security-saml2-core 1.0.10.RELEASE.
The idp is Google (and I don't have access to its configuration).
My application is run on a tomcat-like server. After this short briefing, my issue!
Often, users complain about problem of connection, they are connect to their idp and when they try to access to my application they go to an error page. This page explain "Authentication Failed: Error validating SAML message". If they empty their web browser cache, they can have the right redirection to the idp and connect to my application.
Why appear this error? It seems configuration is right if they empty their cache.
I have change session time of tomcat to be the same of the idp, I also change maxAuthenticationAge and maxAssertionTime of WebSSOProfileConsumerImpl and WebSSOProfileConsumerHoKImpl but it seems the problem is steel here.
What should I do?
I have change the log level. The error was a session duration too short.
On the log, there is a stack exception bug this stack is only shown in debug mode.
maxAuthenticationAge was the right property to modifiy, I made a mistake on duration computation.
Related
Whenever I use google chrome to hit my application, almost any requests that I make are not hitting the rest service. However, I can login and hit the rest service, the problem is once I get to the home page, any requests after the initial login all fail. Instead it seems like the session is becoming invalidated. I checked some other stack overflow threads and saw this may have to do with a 302 error occurring when the browser is trying to load the favicon.ico. I can see in the network tab of my developer tools that this is infact getting a 302. I am unsure if this is the actual issue and or is there is another issue.
We are trying to use pretender.io to our application which developed in AngularJS, Spring and Hibernate konnectnow.com which hosted at amazon server.
Here are the steps I followed:
Signup at prerender.io and got token: cFeRZcsv3JnAftreuhMO
Checked documentation and understood that I need to install middleware and decided to use Spring one.
In web.xml added pom added as mentioned https://github.com/greengerong/prerender-java
Added !# to the URL in all the pages.
Restarted tomcat server.
Logged into pretender.io with login details and found that nothing getting crawl.
For testing purpose the url konnectnow.com/#!/planpage changed to konnectnow.com/?_escaped_fragment_=/planpage
Nothing comes up, got error page isn’t working.
Checked Crawl Stats at pretender.io and found that as:
Status Code: 505, Cache Hit: Miss, Response Time(sec): 1.51sec, URL:
http://localhost:8080/#!/planpage
Not sure why it takes local host.
Can some one help me how to make this work.
We recommend using html5 push state instead of the #! in your URLs if possible. Html5 push state is better since nothing after a # is sent to the server, which can lead to issues for the crawlers that are checked by their user agent (Facebook, Twitter, etc).
You should set the forwardedURLHeader in order to have the Prerender Java middleware use a different host for your website instead of your proxy URL.
https://github.com/greengerong/prerender-java#forwardedurlheader
I also see that you posted your prerender token publicly so we regenerated your token to prevent someone else from using it. Please find your new token when you log into your Prerender.io account. I've also emailed you there.
I am integrating an application with AD/LDAP authentication via JAAS, and while this interface is working fine 90% of the time, occassionally I am getting technical errors when users try to log in.
The errors in the logs are like :
INFO -[LdapLoginModule] user provider: ldaps://<AD server>:636/DC=global,DC=mycompany,DC=com
INFO -[LdapLoginModule] searching for entry belonging to user: <user name>
INFO -[LdapLoginModule] authentication failed
INFO -[LdapLoginModule] aborted authentication
When enabling additional logs, I can see the below exception :
javax.security.auth.login.FailedLoginException: Cannot find user's LDAP entry
(This is not a credentials issue - as I explained it is occurring randomly and if user tries to login with same creds a few more times it will eventually succeed)
Checking the LdapLoginModule.java code from the below link, I am trying to follow the logs output in the code to understand where exactly this occurs but I am not able to understand exactly why the "authentication failed" output is reached/thrown :
LdapLoginModule.java
Could someone please help me understand what might be causing this random issue and point me to the right direction ? Could it be an issue on AD side or on JAAS config ?
Below some additional info :
SSL is enabled
"AD server" is not a domain controller but rather a DNS method of load balancing
Using anonymous binding (search-first) mode
JAAS config :
LDAP_AD {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider="ldaps://<AD server>:636/DC=global,DC=mycompany,DC=com"
userFilter="(&(sAMAccountName={USERNAME})(objectcategory=user)(memberof=CN=aGroup,OU=Security Groups,OU=Groups,OU=Geneva,OU=Switzerland,OU=EMEA,DC=global,DC=mycompany,DC=com))"
useSSL=true
debug=true;
};
Any idea on the root cause of this would be much appreciated.
Many thanks,
George
As you note there is a load balancer in the way, your symptoms suggest you are getting load balanced to a node that is not in sync. Which is unlikely, but more likely is an AD DC that is not happy with your config, but the others are ok with it.
On a new user, or a newly changed user, the replication delay would be a common example of this problem in real life.
On existing users, this seems less likely.
It also may have something to do with the memberOf attribute which is not a static attribute, rather it is a dynamic query that is evaluated when you query for it.
We are using Spring SAML extension to provide support for SSO to our customers. Its working fine with our dev environment IDP(okta). However, one of our client is using Tivoli as IDP and we are running into a problem where after certain amount of time, user will start getting unable to authenticate error.
Based on the research we found out that, Tivoli is setting SessionNotOnOrAfter attribute for
<saml:AuthnStatement AuthnInstant="2015-09-14T20:14:14Z" SessionIndex="xxxx" SessionNotOnOrAfter="2015-09-14T21:14:14Z"> in our SAML assertion response.
I would like to know what are the options do we have as SP to handle this scenario. Should we prompting user to re-authenticate themselves whenever they run into an issue or is there are way where we can set up our application in a certain way so that it can refresh session automatically.
Thanks
Sahil
This SessionNotOnOrAfter attribute will expiry the Payload. The SP should not receive the same Payload for ever If so there will be lot of chance for middle man attack.
The SP should implement the KeepAlive functionality to ping back the IDP saying that extend the session of the same payload.So IDP can update this attribute with current data and time stamp.
I'm using Spring Social to get some informations via the LinkedIn API. Everything works fine : I can connect to my application using LinkedIn, I can recover some granted informations about my connections...
However, sometimes, I can't access anymore to LinkedIn and get this error :
16:28:00,741 WARN [RestTemplate] GET request for "https://api.linkedin.com/v1/people/id=FNXqbb779g:(id,first-name,last-name,headline,location,industry,distance,relation-to-viewer,current-share,num-connections,num-connections-capped,summary,specialties,proposal-comments,associations,honors,interests,positions,publications,patents,languages,skills,certifications,educations,three-current-positions,three-past-positions,num-recommenders,recommendations-received,phone-numbers,im-accounts,twitter-accounts,date-of-birth,main-address,member-url-resources,picture-url,site-standard-profile-request:(url),api-public-profile-request:(url),site-public-profile-request:(url),api-standard-profile-request,public-profile-url)?format=json" resulted in 403 (Forbidden); invoking error handler
According to the error message, I'm not authorized to get the required informations (despite the fact that one minute before, I could access them).
Any ideas why ?
It seems that either your session token is getting expired or you're probably running into throttle limits. A session token is valid for some duration, you may need to check logs and see whether you are getting something like
"Your session has expired and the post data is lost. Please
re-authenticate and re-post the data"
Also check about throttle limits here:
https://developer-programs.linkedin.com/documents/throttle-limits