SAML authenticator

Hi all,

I am trying to add a SAML authenticator in the Connection Server settings and I get a 404:

Error HTTP 404 data recovery of https://view_connection_server_fqdn/SaaS/API/1.0/get/metadata/IDP.XML

I need to enable this to work with Identity Manager. Any clues?

Thank you.

Could you please post what steps you have taken? You must add the Horizon Workspace / vIDM broker in the View Connection Server details.

Tags: VMware

Similar Questions

  • SAML WSRP

    I have a WLP 10.3 environment and we plan to add SAML features. When I browse the WLS SAML configuration documentation I see many references to WSRP, and I see that if you use WSRP then you must use SAML. However, if I do NOT use WSRP but still need SAML, will I have to install/configure WSRP? The docs are very vague on this. Thanks for all suggestions and recommendations. Points will be awarded. (It's on WL Portal, not WLS.)

    Thank you

    According to this link, at the bottom, it looks like for SAML 1.1 there is no need for an RDBMS policy store. But for SAML 2.0 it does not mention creating a domain with an RDBMS policy store DB too, and if SAML 2.0 is used across WebLogic servers then one more. I'm guessing that otherwise SAML spans several WebLogic domains.

    If you can, try to use SAML 1.1. And since your SAML is between a single WLP and an external source, maybe the RDBMS policy store is not necessary at all. That's my guess.

    There are also many flavors of SAML, depending on exactly which SAML feature you are using: SAML authenticator or identity asserter, identity provider or service provider, Single Sign-On for web applications or for web services, etc.

    http://download.Oracle.com/docs/CD/E12840_01/WLS/docs103/secmanage/SAML.html

    Thank you
    Ravi Jegga

  • View 6.2 + Horizon Workspace 2.1.1

    Hello

    I have a problem with the View 6.2 and Horizon Workspace 2.1.1 combination. I use my own certificate for both products. With an earlier version of View (6.1) everything worked fine. After upgrading to the latest version 6.2, I get a red alert on the SAML 2.0 authenticator. It says: "untrusted certificates". I use a Terena SSL certificate. This certificate worked in the previous version of View. If I click on check, it says verified successfully, but the red alert is still on.

    I tried to manually add the CA on the Connection Server, but without result.

    Do you have any ideas what the problem is?

    Thank you

    This problem has been fixed in the latest version, Horizon 6.2.1:

    When you add a SAML authenticator in Horizon Administrator, an "Invalid certificate detected" window may appear even if the metadata URL points to a certificate trusted in the Trusted Root Certification Authorities folder of the Windows certificate store. This problem may occur when an existing SAML authenticator with a self-signed certificate uses the same metadata URL at the time the trusted certificate is added to the Windows certificate store.

    Workaround:

    1. Delete all trusted certificates for the metadata URL from the Trusted Root Certification Authorities folder in the Windows certificate store.
    2. Remove the SAML authenticator with the self-signed certificate.
    3. Add the trusted certificate for the metadata URL to the Trusted Root Certification Authorities folder in the Windows certificate store.
    4. Add the SAML authenticator again.

    It helped for me.

  • WebEX meeting server authentication question

    Hi all

    We have configured LDAP authentication integration in WebEx. We want to avoid brute force attacks and to minimize use of the domain password; are there other authentication methods?

    If we decide to use standalone WebEx accounts, is there any password policy such as complexity, duration and expiration in WebEx?

    Thank you!!

    Danny

    Hey Danny,

    If you have activated LDAP authentication and directory integration with CWMS (via CUCM), then your directory user profiles use LDAP credentials to authenticate to CWMS. It is not possible to disable the authentication requirement for active profile users.

    There are two other methods of managing user accounts on CWMS:

    1. LDAP via SAML 2.0 integration (Single Sign-On), but that requires an IdP accessible from the internet, and authentication would be on that end. You can read more here:

    http://www.Cisco.com/c/en/us/TD/docs/collaboration/CWMS/2_7/Planning_Guide/cwms_b_cwms-planning-system-requirements-2-7/cwms_b_cwms-planning-system-requirements-2-7_chapter_0111.html

    http://www.Cisco.com/c/en/us/TD/docs/collaboration/CWMS/2_7/Administration_Guide/cwms_b_cwms-administration-2-7/cwms_b_cwms-administration-2-7_chapter_01110.html#id_13124

    2. Using local CWMS profiles. With local user profiles, user accounts are created manually or by importing from CUCM (you can still have Directory Integration to import profiles from CUCM, but require users to use locally created passwords on CWMS (do not enable LDAP authentication)), and passwords are created manually by end users locally on CWMS. Regarding password hardening, you can consult this document:

    http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_7/Administration_Guide/cwms_b_cwms-administration-2-7/cwms_b_cwms-administration-2-7_chapter_01110.html#concept_E2AC8672B23C487887A8AFFAE6C1EBDB

    I hope this helps.

    -Dejan

  • Exception: "could not validate SAML token"

    We have a staging system setup that we use to generate PDFs; we connect to it through the EJB client and usually have had no problems. Until today. At some point today we started seeing some exceptions thrown on the client:

    Caused by: com.adobe.idp.um.api.UMException | [com.adobe.idp.um.api.impl.AuthenticationManagerImpl] errorCode:16421 errorCodeHEX:0x4025 message: SAML - Assertion impossible to validate the token has expired and therefore not valid for user [administrator@DefaultDom]. Its valid until time [Tue Feb 04 10:58:45 MST 2014] turns out to be before the current time [Tue Feb 04 16:04:41 MST 2014]

    Bouncing just the application server running the client code solved the problem, but we would like to better understand what is happening and why. Nothing I can find in the docs seems to indicate the cause/solution, and possible solutions have links which seem to no longer work: http://cookbooks.adobe.com/post_Renewing_the_context_to_handle_session_expiry-16410.html

    Any suggestions or insight would be greatly appreciated. Thank you!

    PROBLEM

    Using the same instance of ServiceClientFactory to call remote services exposed by the LiveCycle container can lead to exceptions related to the expiration of the assertion.

    Solution

    To handle the timeout, use the ThrowHandler mechanism provided by the ServiceClientFactory framework.

    Detailed explanation

    LiveCycle provides a client SDK for Java-based clients to call its services remotely.

    An invocation involves creating an instance of ServiceClientFactory, setting the user credentials in the factory instance, passing this factory to a service client or creating an InvocationRequest directly, and using the client to perform the actual request.

    For more details, see Invoking LiveCycle ES using the Java API.

    An instance of ServiceClientFactory, once created, is valid for a certain period of time (120 min by default). If the same instance is used to make calls beyond that period, it leads to an exception indicating that the session has expired:

    [com.adobe.idp.um.api.impl.AuthenticationManagerImpl] errorCode:16421 errorCodeHEX:0x4025 message: could not validate SAML Token - Assertion has expired and therefore not valid for the user [administrator@DefaultDom]. Its valid until time [Thu Oct 22 17:07:53 IST 2009] turns out to be before the current [Thu Oct 22 17:58:18 IST 2009]

    This isn't a problem if the ServiceClientFactory instance is used for a short time. However, if you want to perform a long-running task such as converting a large number of documents to PDF, applying policies to them, etc., then it would be a problem.

    Session time-out

    Before fixing the issue, some info on what session time-out is.

    • When you use an instance of ServiceClientFactory to invoke a service, the following flow occurs:
    • You set credentials in the properties and call the service.
    • The LiveCycle server side validates the credentials and issues a context. It is a kind of ticket which can be reused later instead of the actual credentials.
    • After receiving the response from the server, the ServiceClientFactory instance deletes its own copy of the credentials and instead stores the context; for later calls on this instance the context is passed instead of the user's credentials.
    • This whole flow is done to ensure that the user's credentials are not sent with each remote call, thus improving security.

    For more information about the context, refer to Identity of the user in LiveCycle.

    Solution

    To fix this problem you need to re-authenticate to LiveCycle and obtain a new context. The best way to do this is to use the ThrowHandler provided by the ServiceClientFactory framework.

    Step 1 - create a ThrowHandler

    ______________________________________________________________________ ______________________________________________

    // LiveCycle client SDK imports (ServiceClientFactory, ThrowHandler, Context,
    // UMException, ...) are omitted here as in the original post.
    import java.util.logging.Logger;

    /**
     * This ThrowHandler caches the user's credentials and uses them to refresh
     * the context in the ServiceClientFactory upon expiry.
     */
    private static class SimpleTimeoutThrowHandler implements ThrowHandler {

        private static final Logger logger =
                Logger.getLogger(SimpleTimeoutThrowHandler.class.getName());

        private final String username;
        private final String password;

        public SimpleTimeoutThrowHandler(String username, String password) {
            this.username = username;
            this.password = password;
        }

        public boolean handleThrowable(Throwable t, ServiceClient sc,
                ServiceClientFactory scf, MessageDispatcher md,
                InvocationRequest ir, int numTries) throws DSCException {
            if (timeoutError(t)) {
                // The call to AuthenticationManager does not require
                // authentication if the default properties are used.
                // getDefaultProperties() is the application's own helper.
                AuthenticationManager am = new AuthenticationManagerServiceClient(
                        ServiceClientFactory.createInstance(getDefaultProperties()));
                AuthResult ar = null;
                try {
                    ar = am.authenticate(username, password.getBytes());
                } catch (UMException e) {
                    throw new IllegalStateException(e);
                }
                Context ctx = new Context();
                ctx.initPrincipal(ar);
                // Refresh the ServiceClientFactory instance with the new context
                scf.setContext(ctx);
                logger.info("Refreshed the context associated with the ServiceClientFactory");
                // Now tell scf to retry the invocation
                return true;
            }
            // Check so that we do not wrap the exception again
            if (t instanceof DSCException)
                throw (DSCException) t;
            if (t instanceof RuntimeException)
                throw (RuntimeException) t;
            // How is it possible to get this far?
            throw new IllegalStateException(t);
        }

        private boolean timeoutError(Throwable t) {
            if (!(t.getCause() instanceof UMException)) {
                return false;
            }
            UMException ue = (UMException) t.getCause();
            // Check that the UMException is due to expiry of the assertion/context
            if (UMConstants.errorCodes.E_TOKEN_INVALID == ue.getErrCode()) {
                return true;
            }
            return false;
        }
    }

    ______________________________________________________________________ __________________________________________

    This ThrowHandler would be invoked by the ServiceClientFactory upon receipt of any exception. The handler would then determine whether the exception is a timeout, and if so update the context associated with the factory instance and tell it to retry the invocation.

    STEP 2 - register the handler

    ______________________________________________________________________ __________________________________________

    ServiceClientFactory.installThrowHandler(
            new SimpleTimeoutThrowHandler(username, password));

    ______________________________________________________________________ __________________________________________

    Note: the handler should be registered only once in the application.

    STEP 3 - make your invocation

    The following example would apply a policy to all the files present in a directory.

    ______________________________________________________________________ __________________________________________

    Properties p = getDefaultProperties();
    p.setProperty(DSC_CREDENTIAL_USERNAME, username);
    p.setProperty(DSC_CREDENTIAL_PASSWORD, password);
    ServiceClientFactory scf = ServiceClientFactory.createInstance(p);

    // Now perform a long-running operation
    String inputDirName = "path-to-input-dir";
    String outDirName = "path-to-out-dir";
    String policyName = "the-policy-name";
    File inDir = new File(inputDirName);
    File outDir = new File(outDirName);
    RightsManagementClient rmClient = new RightsManagementClient(scf);
    DocumentManager docManager = rmClient.getDocumentManager();

    // Iterate over all PDFs in inDir and apply the policy. If this takes
    // longer than the session time-out, the ThrowHandler refreshes the context.
    for (File pdfFile : inDir.listFiles()) {
        Document inDoc = new Document(pdfFile, false);
        Document securedDoc = docManager.applyPolicy(inDoc,
                pdfFile.getName(), policyName, null, null, null);
        securedDoc.copyToFile(new File(outDir, pdfFile.getName()));
    }

    ______________________________________________________________________ __________________________________________

    Now the invocation would complete even if it takes a long time. If any session time-out occurs, our ThrowHandler would take care of it.

    Here's a sample:

    TimeOutSample.zip
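The re-authenticate-and-retry pattern the answer above describes, as an added example that is not Adobe's code and uses none of the LiveCycle SDK: a small Python model of a server that issues time-limited contexts in place of the credentials, and a client that keeps the credentials once, uses the context for every call, and on an expiry error refreshes the context and retries exactly once. The server, the context type, the account, the extra error codes and the injectable clock are constructed stand-ins; only the error code 16421 is taken from the exception quoted above.

```python
import time
from dataclasses import dataclass

# 16421 is the error code quoted in the LiveCycle exception above;
# the other two codes are constructed for this example.
E_TOKEN_INVALID = 16421
E_BAD_CREDENTIALS = 1
E_USER_REVOKED = 2


class UMError(Exception):
    """Stand-in for the SDK's UMException, carrying an error code."""
    def __init__(self, code: int, message: str):
        super().__init__(message)
        self.code = code


@dataclass
class Context:
    """Stand-in for the context the server issues instead of the credentials."""
    user: str
    expires_at: float


class FakeServer:
    """Constructed stand-in for the LiveCycle server: validates credentials
    once, issues a context valid for `ttl` seconds, and rejects service
    calls made with an expired context."""
    def __init__(self, ttl: float, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.users = {"administrator": "pw"}   # constructed account
        self.revoked = set()
        self.authentications = 0               # how often credentials were sent

    def authenticate(self, user: str, password: str) -> Context:
        if self.users.get(user) != password:
            raise UMError(E_BAD_CREDENTIALS, "bad credentials")
        self.authentications += 1
        return Context(user, self.clock() + self.ttl)

    def apply_policy(self, ctx: Context, doc: str) -> str:
        if ctx.user in self.revoked:
            raise UMError(E_USER_REVOKED, "user revoked")
        if self.clock() > ctx.expires_at:
            raise UMError(E_TOKEN_INVALID, "assertion has expired")
        return "secured:" + doc


class RefreshingClient:
    """Mirrors the ThrowHandler above: credentials are kept once, every call
    uses the context, and an expiry error triggers one re-authentication and
    one retry. Any other error, and a failure of the retry itself, propagates
    unwrapped so the caller sees the real cause."""
    def __init__(self, server: FakeServer, user: str, password: str):
        self.server = server
        self.user = user
        self.password = password
        self.ctx = server.authenticate(user, password)
        self.refreshes = 0

    @staticmethod
    def is_timeout(exc: BaseException) -> bool:
        return isinstance(exc, UMError) and exc.code == E_TOKEN_INVALID

    def invoke(self, doc: str) -> str:
        try:
            return self.server.apply_policy(self.ctx, doc)
        except UMError as exc:
            if not self.is_timeout(exc):
                raise
            self.ctx = self.server.authenticate(self.user, self.password)
            self.refreshes += 1
            return self.server.apply_policy(self.ctx, doc)


def run_batch(docs, ttl=120.0, step=50.0):
    """Constructed scenario: each document takes `step` seconds and the
    context lives `ttl` seconds, so a batch longer than `ttl` must refresh.
    Returns (results, refresh count, authentication count)."""
    now = [0.0]
    server = FakeServer(ttl, clock=lambda: now[0])
    client = RefreshingClient(server, "administrator", "pw")
    results = []
    for doc in docs:
        now[0] += step
        results.append(client.invoke(doc))
    return results, client.refreshes, server.authentications


if __name__ == "__main__":
    print(run_batch(["a", "b", "c", "d", "e"]))
```

Like the Java handler, this keeps the password in memory for the life of the client, which is the trade-off the original design makes in exchange for not sending credentials on every call; bounding the retry to one attempt keeps a server that keeps rejecting the new context from turning into an infinite loop.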

  • Custom authentication tokens

    The "Adobe Flash Access Overview on Protected Streaming" white paper states the following:

    Flash Access supports decoupling the business logic of the licensing stage based on the tokens in use with Flash Media Server deployments. For example, when users visit a web portal to rent or subscribe to content, they may need to authenticate by providing a user ID and password to confirm their registration. They might also need to complete a financial transaction. The web portal records the results of these operations in an authentication token that is sent to the client application. The client can then include the token in the license request. The license server checks the authenticity of the token before issuing the license. Token checking is stateless and is completed independently by each server without reference to a database or other shared state. The token is based on a shared secret or public key infrastructure (PKI).

    This raises the following questions:

    • How must the web portal generate the token? Is this a serialized AuthenticationToken or some other binary token?
    • If it's an AuthenticationToken, how must the web portal generate one, since this feature is part of the license server?
    • How are the tokens based on a shared secret or PKI? What is incorporated into the AuthenticationToken class?

    As I read it, the paragraph refers to the "custom authentication" scheme, not the supported username/password authentication scheme, and as such it does not use serialized Flash Access AuthenticationTokens. What is meant by "custom authentication" is, quite honestly, not very clear in the documentation. I believe that the following scenarios should work, but I would be interested in comments from anyone:

    In the first scenario, the "portal" would generate a custom binary token and pass this token to the Flash client in the response. How the token is passed is an exercise left to the reader. It could be loaded via a cookie, JavaScript or ActionScript; it doesn't really matter. Nevertheless, the token is eventually read by the Flash client and applied using the DRMManager.setAuthenticationToken(...) method. The license server must then retrieve the token using RequestMessageBase.getRawAuthenticationToken(...). In this case, the token format is completely defined by the developer or provider. The Flash Access client never issues a request to the License Server's authentication handler (/flashaccess/authentication/v1/*).

    A second case, which I am not sure would work, would be the Flash client requesting an authorization token as usual using DRMManager.authenticate(...), but the license server's authentication request handler returning a custom token instead of a serialized AuthenticationToken. The workflow would then proceed as described in the first case.

    A third case: the Flash client authenticates with the standard username and password scheme, but the license server may ignore the real username/password (the data can be dummy usernames and passwords). The license server would generate an AuthenticationToken, but would use ApplicationProperties to store its "custom token" information. The token would then be sent back to the client and in turn transmitted to the same license server. The license server then inspects AuthenticationToken.getCustomProperties to determine the appropriate course of action.

    No matter what scenario is used, I have a few concerns with custom authentication tokens:

    First of all, this forum has several questions about custom authentication tokens. The documentation is not clear on what is intended and how exactly these tokens must be produced, transferred and consumed. It would be very useful for Adobe to provide an example in its reference implementation code.

    Second, as Flash Access License Server developers are left to design their own custom authentication scheme, there is a real concern that the invented approach may be insecure, allowing re-use of authentication tokens. A published set of best practices would help to ensure custom tokens are generated in a way that does not leak information or allow replay attacks or session hijacking.

    Finally, there seems to be some confusion about the use of tokens for authentication and authorization. The reference implementation clearly only uses them for authentication, as the RefImplLicenseReqHandler makes additional checks in the database that the authenticated user is allowed (a subscriber) to access the content. However, the paragraph quoted above suggests using these tokens for authentication and authorization. At least, that's what I understand by the statement that "token checking is stateless and is completed independently by each server without referring to a database or other shared state." I don't see how that's possible unless the token contains both authentication and authorization information. Am I wrong?

    I would appreciate someone else's thoughts on custom authentication tokens. Thank you.

    -Aaron J

    The workflow for "custom authentication" is exactly what you described in your first scenario. Namely, the client application gets a token through some channel and calls DRMManager.setAuthenticationToken(...) to provide the token. When the client requests a license from the license server, this token is included in the request. The server application calls RequestMessageBase.getRawAuthenticationToken(...) to access the token and performs whatever validation is required for this type of token before issuing the license. With custom authentication, the SDK's AuthenticationToken class is not used; this class is only used to represent the authentication tokens issued using the Flash Access username and password authentication scheme. A custom authentication token can be any binary data; the Flash Access SDK is not involved in generating or consuming these tokens, it's up to your server implementation to handle those steps.

    The motivation behind the "custom authentication" scheme is not to force content providers to invent a new way to authenticate users, but to allow you to take advantage of whatever infrastructure you already have in place. For example, if you are already issuing SAML tokens to authenticated users, you can continue to do so, and you would just plug the SAML validation code into your license server. As a general rule, an authentication token is signed to prevent tampering. It would be possible to generate a signature using a symmetric key or with a private key. Then checking on the server would involve verifying the signature, either using the same shared symmetric key or with the public key corresponding to the private key. (This is what is meant by "token is based on a shared secret or public key infrastructure (PKI)".)

    Although the API refers to "authentication tokens", it would also be possible to use this mechanism for authorization. For example, if you have a web portal with access to information on which content a user is allowed to access, the portal could issue an authorization token that says that user X is allowed to play content Y and Z. When the license server receives this token in a license request for content Y, it simply checks that the token is still valid and that the token states the user is allowed access to content Y. In this workflow the license server doesn't need access to the database that contains the authorization information, making it easier to deploy the server in a highly scalable way.

    Does this address your questions and concerns?
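The signed-token design the answer describes (a token the portal signs with a shared secret or private key, which the license server checks statelessly before granting access to content Y), as an added example that is neither Adobe's nor the Flash Access SDK's code. It computes an HMAC over a JSON payload with a symmetric key (the public-key variant the answer mentions would replace the HMAC with a signature), binds the token to an audience, a subject, a list of content ids and an expiry, and verifies the tag in constant time before any claim is parsed. The claim names, the secret, the audience string and the content ids are constructed; the tampering helper exists only to show that the check rejects an altered payload.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed audience string: a token for another consumer is rejected even
# if it was signed with the same key.
AUDIENCE = "license-server"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, user: str, content_ids, ttl_seconds: int, now=None) -> str:
    """Portal side: serialise the authorization claims and sign them with the
    shared secret. The expiry bounds the window in which a captured token can
    be replayed, since the verifier keeps no per-token state."""
    now = time.time() if now is None else now
    claims = {
        "sub": user,
        "aud": AUDIENCE,
        "exp": int(now) + ttl_seconds,
        "content": sorted(content_ids),
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(secret: bytes, token: str, content_id: str, now=None):
    """License server side: returns (subject, "ok") or (None, reason).
    No database lookup is needed: everything is in the signed payload."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None, "malformed"
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison, and the signature is checked before the
    # payload is parsed so unsigned data never reaches the JSON parser.
    if not hmac.compare_digest(tag, expected):
        return None, "bad signature"
    claims = json.loads(payload)
    if claims.get("aud") != AUDIENCE:
        return None, "wrong audience"
    if now >= claims.get("exp", 0):
        return None, "expired"
    if content_id not in claims.get("content", []):
        return None, "not authorized for this content"
    return claims["sub"], "ok"


def tampered_copy(token: str, content_ids) -> str:
    """Test helper (constructed): rewrite the content list in the payload but
    keep the original tag, to show that the signature check catches it."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["content"] = sorted(content_ids)
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + tag_b64


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    tok = issue_token(key, "user-x", ["Y", "Z"], ttl_seconds=3600)
    print(tok)
    print(verify_token(key, tok, "Y"))
    print(verify_token(key, tok, "W"))
```

What this does not cover is what the question raised under replay: with a stateless verifier, a stolen token is valid until `exp`, so the only levers are a short TTL and transport protection; a nonce or revocation list would need shared state, which is exactly what the white paper's design avoids.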

  • Perimeter authentication in ALSB 2.6

    Hi friends, I use ALSB version 2.6. The scenario to implement is as follows:
    There are three systems A, B and C which are all exposed through web services. These three systems are integrated through the AquaLogic Service Bus. Systems A/B/C will make calls to each other through the service bus and no direct calls will be made. Can we implement security using perimeter authentication in this scenario, so that whenever a request is made from A to C, the user's credentials are passed by A to C in a SAML token that C can use to authenticate the user before serving the response? Is this possible, or is there something better than perimeter authentication to implement security? Pls answer. It will be a great help for me. Thanks in advance, Vishal

    I think you can pass the SAML token in the Web Service Security headers. The service bus also allows you to configure pass-through, in which it transmits the secured message intact to a business service.

    Please refer to the following security FAQ for the security support of the service bus.
    http://eDOCS.BEA.com/ALSB/docs26/security/security_faq.html

    Hope this will help you.

    Thank you
    Jayesh@yagna

  • Phone verification (two-factor authentication) on Sierra is not available in Bangladesh

    I upgraded from El Capitan to macOS Sierra today. But when I tried to set up two-step verification or two-factor authentication, my country (Bangladesh) was not listed. I was wondering why this service is not available here in Bangladesh? Please give me a solution for phone-based services.

    If it is not supported in your country, then I'm afraid you're out of luck. As to why, you have to ask Apple at https://getsupport.apple.com/ instead; we are just users supporting other users in these Community Forums.

  • Two-factor authentication

    On my iMac after Sierra there was an option to unlock with Apple Watch (Security preferences panel). I clicked it and it said I need to disable two-step verification and enable two-factor authentication. Fine.

    Did that. Now the option to activate Apple Watch unlock on the Mac has disappeared.

    It works on my other Mac but not the iMac.

    Also in the iCloud account preferences, under Devices, I see that my Apple Watch can be used to receive the codes!

    Does anyone know how to fix this?

    Tried toggling iCloud off and on, unpairing the watch and re-pairing, restarting everything.

    Just to be clear, the Mac is capable of auto unlock; it's a late 2015 iMac and System Report confirms it is compatible.

    The Apple support page also suggests watches should be able to receive the codes:

  • Can I choose my preferred trusted device for iCloud two-factor authentication?

    I've recently implemented iCloud two-factor authentication, because I love the extra security it adds.

    As usual I have my MacBook with me, and I also have to log on to a Windows PC every now and then.

    Unfortunately, iCloud chooses my headless Mac mini which I use as a server at home instead of my laptop or iPhone.

    I would like to stop receiving the confirmation code on this machine. Has anyone faced a similar problem?

    If so, how did you solve it?

    Codes go to all the trusted devices.

    Of course, you can remove trusted devices at any time.

  • When trying to configure two-step authentication my location appears as the wrong place

    Hi, I'm trying to set up two-step authentication on all my devices, however when I do this I get a message on another device signed in to iCloud saying that another device is trying to sign in to iCloud, showing a location near London, but I don't live in London.

    Could someone help?

    I'm having the same problem! I have both devices in front of me, but I get the message saying that another device is trying to log on from London? I also don't live anywhere near London. I recently updated my email ID as well, and it's the old email ID that requires authentication?

    Sorry I can not help, but I'm hoping someone else has an answer for us?

  • Zambia - two-factor authentication

    I wanted to set up two-factor authentication for my iCloud access. Zambia does not appear on the drop-down list of country codes, so I couldn't continue. Any ideas, in addition to a password?

    I've wanted to bring this to the attention of Apple Support, but fell at selecting my location, as Zambia was not an option under Africa/Middle East. (I'm sure I did contact Apple Support before...)

    What about two-step verification instead, assuming of course it is available for your country?

  • Check whether or not a MagSafe power adapter is authentic

    Hello! I bought some 60 W MagSafe 2 Power Adapters MD565CH/A, 85 W MagSafe 2 Power Adapters MD506CH/A and 45 W MagSafe 2 Power Adapters MD592CH/A, but the serial number in each category is the same; for example there are 10 units of the 60 W and all have the same serial number. I have a doubt whether they are authentic Apple or not. Kindly help.

    You will need to call Apple for confirmation.

  • Why does Apple send the two-factor authentication code to the same device that I log in with?

    I just installed Sierra and chose to use two-factor authentication with my iPhone chosen as the device to receive the code.

    But then Apple displays a 6-digit code on my Mac itself and asks me to enter it on my Mac.

    What sense does that make?

    A wild guess - were you logging into your account in Safari on the Mac when it showed you the 6-digit code on the Mac? And had you already completed the iCloud sign-in in System Preferences?

    If so, macOS had been approved, but Safari wasn't, so macOS was able to show the code. It seems strange to have the same computer both request and provide the code, but really it is two layers of security and you had gotten through the first layer already.

  • Security preferences say to turn on two-factor authentication, even though it is already on

    I'm trying to set up auto unlock with my Apple Watch on macOS Sierra, and the Security preferences say I must activate 2FA before I can use my Apple Watch to unlock my Mac, but it is already on. Any help?

    Make sure you are not confusing two-factor authentication with two-step verification.
