Shibboleth with LDAP authentication

I'm running into an "Internal Server Error" when trying to authenticate using Shibboleth with LDAP. Here is the ColdFusion error.

Element MYSITESHIBBOLETH.USERNAME is not defined in the SESSION. The specific sequence of files included or processed is: \\commonspotshare.mysite.com\commonspot$\TEST\test.mysite.com\authenticate.cfm, line: 32

And here's line 32 in the file authenticate.cfm.

mysiteShibboleth.png

Well, I got it to work. I needed to use REReplace() to extract the part that I need so that the cfif works and the session is prepared.

session.testShibboleth = StructNew();

session.testShibboleth.username = REReplace(http_header.headers.eppn, "@test.com", "", "ALL");

session.testShibboleth.mail = http_header.headers.eppn;

session.testShibboleth.groups = ArrayToList(REMatch('WEB\.([A-z-]+)', http_header.headers.member));

session.testShibboleth.isAuthenticated = "true";
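
An added example, not the poster's code: one way to fill the session struct from the Shibboleth headers so that every key is defined before anything reads it, with the eppn scope compared as a whole rather than stripped by pattern. The function name buildShibSession and the sample header values are assumptions made for illustration.

```cfml
<cfscript>
// Added example (not the poster's code). buildShibSession() and the sample
// header values are hypothetical/constructed; "test.com" is the scope from the post.
function buildShibSession(required struct headers, required string expectedScope) {
    // Every key exists up front, so later reads such as
    // session.testShibboleth.username cannot hit an undefined element.
    var result = { isAuthenticated = false, username = "", mail = "", groups = "" };

    if (!structKeyExists(arguments.headers, "eppn")) {
        return result;
    }
    var eppn = trim(arguments.headers.eppn);

    // eppn has the form user@scope: exactly one "@", conservative characters only.
    if (!reFind("^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$", eppn)) {
        return result;
    }
    // Compare the scope as a whole instead of removing "@test.com" wherever it occurs.
    if (compareNoCase(listLast(eppn, "@"), arguments.expectedScope) != 0) {
        return result;
    }

    result.username = listFirst(eppn, "@");
    result.mail = eppn;

    // The member header may be absent for users without group memberships.
    if (structKeyExists(arguments.headers, "member")) {
        // Explicit A-Za-z: the range A-z also covers [ \ ] ^ _ and the backtick.
        result.groups = arrayToList(reMatch("WEB\.[A-Za-z-]+", arguments.headers.member));
    }
    result.isAuthenticated = true;
    return result;
}

// Constructed sample headers standing in for getHttpRequestData().headers
sampleHeaders = { eppn = "jdoe@test.com", member = "WEB.editors;WEB.site-admins;HR.staff" };
otherHeaders  = { eppn = "jdoe@test.com.example.org" };

accepted = buildShibSession(sampleHeaders, "test.com");
rejected = buildShibSession(otherHeaders, "test.com");

writeOutput(serializeJSON(accepted) & "<br>" & serializeJSON(rejected));

// Assumed usage in authenticate.cfm:
// session.testShibboleth = buildShibSession(getHttpRequestData().headers, "test.com");
</cfscript>
```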

Tags: ColdFusion

Similar Questions

  • Help with LDAP authentication

    Can anyone help me please with the fields required for LDAP authentication. My network administrator has sent me the following

    ldap://xxx.xxx.xx.x:389/o=companyname?uid

    Should the host be ldap://xxx.xxx.xx.x or just xxx.xxx.xx.x?
    What does the DN look like? Wouldn't it be just o=companyname,uid=%LDAP_USER%?

    I tried a bunch of different scenarios against the LDAP test, but no luck. I checked that LDAP is working properly by means of other applications that use it.

    First, use Google to find some free LDAP viewers. Those will help a lot, and they usually work for approximately 30 days before you have to pay to keep them.

    Then, specify the address of the LDAP server in the program, connect and try to find your information. My big problem, while trying to get it all understood, was that I also had to prepend the domain name to the user, something like domain\username. Once I saw that in the LDAP viewers, and I used the same formula in my authentication routines, everything worked perfectly.

    One of the free ones that I used was called LDAP administration tool.

    Hope this helps; getting LDAP working was a huge headache until this.

    Bill Ferguson

  • TMSE user import of CUCM with LDAP authentication

    Hi all

    We are planning to deploy CMR for TMSPE users. We must be able to import users from CUCM and keep AD authentication for users who will use the CMR.

    Is there any way we can do this?

    Kind regards

    Hi Alex,

    You can import the users into TMS / TMSPE directly from AD with a custom filter.

    Also, you can activate the AD authentication and Windows Server to be part of the domain.

    Once this is done, the user can use the LDAP credentials to authenticate for CMR on premises.

    http://www.Cisco.com/c/dam/en/us/TD/docs/Telepresence/infrastructure/TMS...

    Please see page 19 of the above document, where you can enter the AD user import.

    You must also enter the configuration of Active directory on the MSDS of network settings.

    Administrative Tools > Configuration > network settings > Active Directory

    It is possible in the most recent version.

    Kind regards

    RACLOT

  • Asa and Cisco ldap authentication

    Hi all

    I have a problem with LDAP authentication.

    I have a cisco Asa5510 and windows Server 2008 R2

    I create the LDAP authentication.

    aaa-server LDAPGROUP protocol ldap
    aaa-server LDAPGROUP (inside) host 10.0.1.30
     server-port 389
     ldap-base-dn dc=systems,dc=local
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn CN=users,OU=users,DC=network,DC=local
     server-type microsoft

    but when I test, I get an error (the user account works directly on the server)

    AAA-authentication server LDAPGROUP host 10.0.1.30 userid password test *.

    INFO: Attempting Authentication test to IP address <10.0.1.30> (timeout: 12 seconds)
    ERROR: Authentication Rejected: Unspecified

    Help, please

    Regards

    Frédéric

    Do you have the account with username 'user' in 'reseaux.local' and 'Utilisateurs.reseau.local'?

    If so, can you check whether they are two different AD domains? The bug pointed out that the ASA does not support authentication via multi-domain LDAP referrals.

    You might consider using an AD administrator account in "reseaus.local" for the ASA to connect to AD.

  • Change the role of the user once authenticated LDAP authentication

    Hi forum,

    I do know that if it is possible, I have not found a solution so far

    I have a simple web application with LDAP authentication. We would like to use LDAP for authentication and store the information of user roles in the database. After authentication, LDAP assigns the role of "guest" to the user and the home page (the only page available for this role) is displayed.

    In this home page, the user must select a profile (the same user can have multiple profiles) in a list retrieved from the database. The profile of each user has an associated role. After selection, we want to change the role of the user "guest" to the role associated with the selected profile.

    I don't think that implementation of a custom plug-in fits my needs because the role assignment requires the participation of the user.

    Any suggestions?

    Thanks in advance,

    Tatiana.

    Hello

    Well, the problem is that you need to change the subject of the authenticated user, which is a JAAS thing to do. The only way this can work is indeed to use a custom LoginModule and then access the user object to add a security principal that represents the role you want to add.

    Frank

  • LDAP authentication TWICE - authentication by default custom and Oracle?

    Hi all

    I have created an application with 2 pages (including the login page). My customized login page (for example, page 101) uses an authentication scheme that is customized with LDAP authentication.

    My question is...
    When I put the URL of my login page into IE, APEX always redirects me to another login page (it looks like the default Oracle login page). The URL is http://xxxx.com/pls/apex_dev/wwww_flow_custom_auth_std.login_page?...

    After I enter the username and password, it transfers me to my custom login page. Again, I have to enter the same username and password... Can someone tell me how I can remove/disable the default Oracle login page? I don't want to authenticate against LDAP TWICE. I would be really grateful if anyone could guide me in detail on how to turn it off.


    Many thanks

    The Session Not Valid Page in the authentication scheme must be set to 101 (from the select list). Is it? There should be nothing in the Session Not Valid URL attribute.

    Scott

  • Authentication with LDAP...

    I managed with a LDAP hook which authenticate my domain account and it works well and everyone can connect!

    What I want to do is authenticate with LDAP and then look through a table holding my list of authorized users, and either let the user in or refuse the connection.
    It's a small number of users, so it is not a big problem for me to keep a table with 5 or 6 users.

    I like the fact that the credentials of the user are managed by LDAP, and I don't want the hassle of creating AD groups that are managed by a third party.

    Does that make sense?
    I would like to have some sort of model in APEX that says...
    Okay, I know your domain account is valid, now let me see what you can do...
    you are an end-user - ok to connect
    you are an administrator of the app - ok to connect
    you are nobody - not allowed - go away
    I know how to deal with authorizing components once the connection is permitted - just trying to find out how to allow/deny connections

    Would I do that on the authentication scheme page, and if so, where does it make sense to put in a routine for that?

    Page Session Management?
    Login Processing... perhaps here => Post-Authentication Process?

    Thanks for your advice.

    I'm playing with some PL/SQL that looks like this in Login Processing / Post-Authentication Process

    declare
      ditto boolean := FALSE;
    begin
      if :P101_USERNAME = '< a user authorized >' then
        ditto := TRUE;
      else
        owa_util.redirect_url('< back to login page >');
      end if;
    end;

    Hello

    I use LDAP and had encountered the same problem. I think you have several choices available. One is the "Post-Authentication Process" setting on the authentication scheme that you use. It allows you to (quoting the help): "Specify a block of code to be run by the Application Express login procedure (login API) after the authentication step (verification of login credentials). The login procedure executes this code after it has performed its normal functions, which include setting a cookie and registering the session, and just before it redirects to the desired application page. Specify this code as an anonymous PL/SQL block that returns no value."

    Another method, which is what I used (probably not knowing about the above!), was to add a branch on page 1 (the login page always redirects logins to page 1). The branch settings are:

    Branch Point: On Load: Before Header
    Target Type: Page in this Application
    Page: 101
    Clear Cache: APP
    Condition Type: NOT Exists (SQL query returns no rows)
    Expression 1:

    SELECT 1 FROM MYUSERTABLE WHERE UPPER(LOGINNAME) = UPPER(v('APP_USER'))
    

    Then, even if the user has valid credentials, the branch on page 1 will always redirect them back to page 101 if their LOGINNAME does not exist in the MYUSERTABLE table.

    I'm sure there are other ways as well, and others can advise on the "Post-Authentication Process" if you want to use it.

    Andy

  • Use an authentication process after with LDAP

    I am fairly new to APEX and have implemented LDAP authentication for my application. It works as expected.  However, because of our training guidelines, no one can access the application without the proper training.  I have a table in the database for users, which will be managed by the owner of the system once development is complete, and each user has an ACTIVE field which can be toggled.  I need a post-authentication procedure which checks the ACTIVE field in the USERS table to ensure that it returns TRUE before giving them access to the application.  Any help would be greatly appreciated!

    Application Express 4.2.1.00.08

    DECLARE
      l_is_active number;
      l_return    boolean;
    BEGIN
      select count(*)
        into l_is_active
        from users
       where ldap_id = :P101_USER_ID
         and active = 't';

      IF l_is_active > 0 THEN
        l_return := TRUE;
      ELSE
        l_return := FALSE;
      END IF;
    END;

    Hello

    It is certainly possible to put this code in the audit function, but the result may not be what you expect. This function runs on every request, as an additional sentinel that checks whether the session can be used by APEX. If it returns false, APEX creates a new session and redirects you to the invalid session page (i.e. the login page). I think that it is better to create an authorization based on the above query and activate this authorization at the application level (in the application's Security tab). If authorization fails after login, APEX displays the authorization error message, where you can explain why access is not allowed.

    Kind regards

    Christian

  • El Capitan LDAP authentication

    I am trying to set up LDAP authentication on an El Capitan MacBook. I've prepared an OpenLDAP server on a Linux host with the necessary users. This LDAP server was added in Directory Utility as LDAPv3 with the RFC2307 set of mappings.

    The computer can connect to LDAP, because a green circle is shown here:

    Users & Groups > Login Options > Network Account Server > hostname of the LDAP server

    The problem is that the user is unable to log in using LDAP. No matter what I enter at the login prompt (including the complete DN), I see this log entry:

    SecurityAgent: Unknown user 'adrian' login attempt PASSED for auditing.

    How can I find out more about the login?

    While Apple's own Open Directory is based on OpenLDAP, it is not the same. Not only do you ideally have to add additional entries to OpenLDAP, i.e. Apple's own LDAP schema, but you also need to configure Kerberos on the Linux server, as Open Directory uses a combination of LDAP and Kerberos for authentication.

    In my view, it is possible to do all the extra steps to get a Linux server to fully act as the equivalent of an Open Directory server, but you're barely halfway there.

    See - http://deepport.net/archives/setting-up-a-linux-server-for-os-x-clients/

    and - http://www.torriefamily.org/~torriem/wiki/computer_stuff:opendir_and_ldap

    These articles do not cover Kerberos, but perhaps of additional useful information for the previous link.

    See - http://blog.michael.kuron-germany.de/2009/04/building-your-own-opendirectory-server-on-linux/

    and - http://cs.unk.edu/~zhengaw/projects/openldap-server/

  • AnyConnect user using the user certificate authentication and LDAP authentication

    Hello

    I'm trying to implement AnyConnect VPN for my office. Now, I want users to authenticate based on the user certificate (which is installed on the user's local system), its CN value, and LDAP authentication. Any help on how to achieve this requirement? We have already installed the GoDaddy ROOT and INTERMEDIATE certificates on the ASA. Also, we have the user certificate installed on each user's system to authenticate the user.

    Any help please.

    Hi subhasisdutta,

    This link will certainly help you with the configuration:

    http://www.Cisco.com/c/en/us/support/docs/security/AnyConnect-secure-mob...

    Hope this info helps!

    Rate if it helps!

    -JP-

  • With LDAP in ASA 5510 VPN

    I have a problem with LDAP on the ASA. I want to set up LDAP authentication for remote access VPN; before I try that, I want to test LDAP locally, and this is the problem:

    debug ldap 255

    test aaa-server authentication ldap

    Server IP Address or name: 10.40.5.2

    Username: rian

    Password: *

    [2] Session Start
    [2] New request Session, context 0x41d1a04
    [2] Fiber started
    [2] Creating LDAP context with uri=ldap://10.40.5.2:389
    INFO: Attempting Authentication test to IP address <10.40.5.2> (timeout: 12 seconds)
    [2] Connect to LDAP server: ldap://10.40.5.2:389, status = Successful
    [2] Failed to bind as administrator returned code (49) Invalid credentials
    [2] Fiber exit Tx=37 bytes Rx=109 bytes, status=-2
    [2] Session End

    ERROR: Authentication server fails: invalid password

    What is the problem?

    If I connect to the server with the username and password for ldap, I can connect. more information I have 2 domain first id.seapro.ad.crs.org second ID (ID of the domain user). I have the first field of use Plug and second not too.

    Please help me, what is the problem?

    Correct answers. 'administrator' is not a valid login DN in an LDAP infrastructure. Follow what srue said and that will lead you in the right direction.


  • access remote vpn with ldap

    Hi all

    I'm configuring a VPN for remote access with LDAP; from what I see in some examples, I need to create a user/pass.

    In my case, I have already configured the aaa-server for the LDAP protocol. I also have the tunnel group with the authentication server.

    Do I need to create a user/pass?

    Thank you.

    Hello

    I see what you mean!

    It is not necessary for the integration of LDAP.

    You are using LDAP authentication, not the LOCAL database, so there is no need for this.

    Do not forget to rate all my answers

    Julio Carvajal
    Main and specialist of the Core network security
    CCIE #42930, 2-CCNP JNCIS-SEC
    For immediate assistance commit to http://i-networks.us

  • Another failure of the LDAP authentication

    I'm trying to setup LDAP authentication for my ASA, as well as the AD Agent.  Currently my authentication fails with the following debug output...

    [-2147483610] Session Start
    [-2147483610] New request Session, context 0xcc854d8c, reqType = Authentication
    [-2147483610] Fiber started
    [-2147483610] Creating LDAP context with uri=ldap://10.11.1.15:389
    [-2147483610] Connect to LDAP server: ldap://10.11.1.15:389, status = Successful
    [-2147483610] supportedLDAPVersion: value = 3
    [-2147483610] supportedLDAPVersion: value = 2
    [-2147483610] Binding as Sargent\
    [-2147483610] Performing Simple authentication for Sargent\ to 10.11.1.15
    [-2147483610] LDAP Search:
            Base DN = [DC=City,DC=charlottesville,DC=org]
            Filter  = [sAMAccount=sargentm]
            Scope   = [SUBTREE]
    [-2147483610] Search result parsing returned failure status
    [-2147483610] Fiber exit Tx=308 bytes Rx=677 bytes, status=-1
    [-2147483610] Session End

    ERROR: Authentication Rejected: Unspecified

    I can however run successful AD etc., queries using the following commands.

    show user-identity ad-users city.charlottesville.org filter sargentm

    Ideas?

    Replace the command listed below within the server parameters:

    ldap-naming-attribute sAMAccount

    With

    ldap-naming-attribute sAMAccountName

    Note: the sAMAccountName is configured correctly.

    Jatin kone

    -Do rate helpful posts-

  • Help with the easy VPN server with LDAP

    Hello

    I used to be able to set up our easy VPN server with local authentication.

    But now, I'm trying to use LDAP authentication to comply with our policies.

    Can someone please help me check the config and tell me what is wrong with it?

    My router is a Cisco1941/K9.

    Thank you in advance.

    Ryan

    Current configuration: 5128 bytes
    !
    ! Last configuration change at 13:25:16 UTC Tuesday, August 28, 2012, by admin
    ! NVRAM config update at 05:03:14 UTC Monday, August 27, 2012, by admin
    ! NVRAM config update at 05:03:14 UTC Monday, August 27, 2012, by admin
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    AAA new-model
    !
    !
    AAA group ASIA-LDAP ldap server
    Server server1.domain.net
    !
    AAA authentication login ciscocp_vpn_xauth_ml_1 local
    AAA authentication login ASIA-LDAP-AUTHENTIC ldap group ASIA-LDAP
    local VPN_Cisco AAA authorization network
    Group ldap AAA authorization network ASIA-LDAP-ASIA-LDAP group authorization
    !
    !
    !
    !
    !
    AAA - the id of the joint session
    !
    !
    No ipv6 cef
    !
    !
    !
    !
    !
    IP domain name domaine.net
    IP cef
    !
    Authenticated MultiLink bundle-name Panel
    !
    Crypto pki token removal timeout default 0
    !
    Crypto pki trustpoint TP-self-signed-765105936
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 765105936
    revocation checking no
    rsakeypair TP-self-signed-765105936
    !
    !
    TP-self-signed-765105936 crypto pki certificate chain
    certificate self-signed 01
    quit
    license udi pid CISCO1941/K9 sn xxxxxxxxxxx

    ISM HW-module 0
    !
    !
    !
    secret admin user name of privilege 15 5 $1 rVI4$ WIP5x6at0b1Vot5LbdlGN.
    ryan privilege 0 0 pass1234 password username
    !
    redundancy
    !
    !
    !
    !
    !
    !
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    !
    Configuration group customer isakmp crypto VPN_Group1
    xxxxxxxxxxxx key
    DNS 10.127.8.20
    pool SDM_POOL_1
    ACL 100
    netmask 255.255.255.0
    ISAKMP crypto ciscocp-ike-profile-1 profile
    match of group identity VPN_Group1
    authentication of LDAP-ASIA-AUTHENTIC customer list
    whitelist ISAKMP ASIA-LDAP-authorization of THE
    client configuration address respond
    virtual-model 1
    !
    !
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    !
    Profile of crypto ipsec CiscoCP_Profile1
    game of transformation-ESP-3DES-SHA
    set of isakmp - profile ciscocp-ike-profile-1
    !
    !
    !
    !
    !
    !
    !
    interface Loopback0
    IP 10.127.15.1 255.255.255.0
    !
    the Embedded-Service-Engine0/0 interface
    no ip address
    Shutdown
    !
    interface GigabitEthernet0/0
    IP xxx.xxx.xxx.xxx 255.255.255.224
    automatic duplex
    automatic speed
    !
    interface GigabitEthernet0/1
    IP 10.127.31.26 255.255.255.252
    automatic duplex
    automatic speed
    !
    type of interface virtual-Template1 tunnel
    IP unnumbered Loopback0
    ipv4 ipsec tunnel mode
    Tunnel CiscoCP_Profile1 ipsec protection profile
    !
    local IP SDM_POOL_1 10.127.20.129 pool 10.127.20.254
    IP forward-Protocol ND
    !
    IP http server
    local IP http authentication
    IP http secure server
    IP http timeout policy slowed down 60 life 86400 request 10000
    !
    IP route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
    IP route 10.0.0.0 255.0.0.0 10.127.31.25
    IP route 10.127.20.128 255.255.255.128 GigabitEthernet0/0
    !
    Note access-list 100 category CCP_ACL = 4
    access-list 100 permit ip 10.0.0.0 0.255.255.255 everything
    !
    !
    !
    !
    !
    !
    !
    ldap attribute-map ASIA-username-map
     map type sAMAccountName username
    !
    ldap server server1.domain.net
     ipv4 10.127.8.20
     attribute map ASIA-username-map
     bind authenticate root-dn CN=xxx\,S1234567,OU=Service accounts,OU=Admin,OU=Acc
    DC=domain,DC=net password password1
     base-dn DC=domain,DC=net
     authentication bind-first
    !
    !
    control plan
    !
    !
    !
    Line con 0
    line to 0
    line 2
    no activation-character
    No exec
    preferred no transport
    transport of entry all
    output transport lat pad rlogin lapb - your MOP v120 udptn ssh telnet
    StopBits 1
    line 67
    no activation-character
    No exec
    preferred no transport
    transport of entry all
    output transport lat pad rlogin lapb - your MOP v120 udptn ssh telnet
    StopBits 1
    line vty 0 4
    transport telnet entry
    !
    Scheduler allocate 20000 1000
    end

    Router #.

    Ryan,

    It seems that you are facing the issue described in the section:

    Problems using "authentication bind-first" with user-defined attribute maps:

    * Then you are likely to see a failure in your authentication attempt. You will see the error message "Invalid credentials, result code = 49".  The logs will look something like the logs below: *

    Which is the same error you see. Go ahead and replace in your attribute map and test again.

    If you remove the "authentication bind-first" command from the configuration above, everything will work correctly.

    https://supportforums.Cisco.com/docs/doc-17780

    Tarik Admani
    * Please rate helpful posts *

  • WLC with RADIUS authentication servers

    I have WLC user authentication with Cisco ISE, which is linked with LDAP; now ISE is not accessible. Will wireless users still be able to connect and use the services of the WLC?

    Hello Irshad-

    All clients that have already been authenticated will continue to work and be allowed on the network until they leave the network and/or the re-auth, idle, etc. timers expire. At that point, clients will not be able to join the SSID and won't have access to the network.

    To avoid that from happening, you can:

    1. Create redundancy by having more than one ISE node

    2. Create a secondary authentication method via another RADIUS or LDAP server

    I hope this helps!

    Thank you for rating helpful posts!
