Access Pivotal SSO tile in local development - spring-security

Our OPS team has configured an SSO tile that connects to ADFS. I am building a sample application that utilizes an SSO service instance. I can deploy my application to PCF and remote debug my SSO configuration. These things work.
What I need is a way to access the SSO service instance while I am developing on my PC. Otherwise, the only way to verify my code really works is to deploy my application to PCF and either add log statements or configure remote debugging. Both of these are pretty time consuming.
I looked into configuring SSH access to Pivotal services. That works for database service instances, but not for the SSO service instance. Has anyone figured it out?

After repeated trial and error, I found the solution. Posting it here in case someone else has a similar issue.
In PCF, for your SSO, add a new application. The auth redirect URL for this application should point to your localhost. In my case it is http://localhost:8080
Run cf env. Copy the p-identity section only and save it to vcap_services.json. Then update the clientId and clientSecret with the values from the new application created in the previous step.
Use the following command to start your application:
VCAP_APPLICATION=true VCAP_SERVICES=$(cat vcap_services.json) SPRING_PROFILES_ACTIVE=... ./gradlew bootRun
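The steps above can be scripted so the localhost copy of the binding is produced consistently. The following is an added example, not code from the answer or from the SSO tile: it keeps only the p-identity section of a captured VCAP_SERVICES blob, swaps in the client id and secret of the separately registered localhost application, and refuses to proceed unless the auth redirect URL actually points at localhost. The sample VCAP_SERVICES blob and every credential value in it are constructed placeholders; the answer refers to the fields as clientId/clientSecret, so the exact key spelling in the binding is treated as an assumption and both clientId and client_id forms are matched.

```python
"""Build a local vcap_services.json from a captured VCAP_SERVICES blob.

Added example for the procedure above (not the answer's own code): keep only
the p-identity binding, replace the deployed app's client id/secret with
the localhost app's, and check the auth redirect URL before the file is
handed to `VCAP_SERVICES=$(cat vcap_services.json) ./gradlew bootRun`.
"""
import json
import os
import sys
from urllib.parse import urlparse

# Constructed stand-in for the JSON that `cf env` prints under
# "System-Provided"; all values are placeholders, not real credentials.
SAMPLE_VCAP_SERVICES = json.dumps({
    "p-identity": [{
        "label": "p-identity",
        "name": "my-sso",
        "credentials": {
            "auth_domain": "https://sso-plan.login.example.com",
            "client_id": "deployed-app-client-id",
            "client_secret": "deployed-app-secret",
        },
    }],
    "p-mysql": [{
        "label": "p-mysql",
        "name": "my-db",
        "credentials": {"uri": "mysql://placeholder"},
    }],
})

LOCAL_HOSTS = ("localhost", "127.0.0.1")


def _normalize(key):
    """Fold clientId / client_id / client-id to one comparable form."""
    return key.replace("_", "").replace("-", "").lower()


def extract_binding(vcap_services, label="p-identity"):
    """Return only the bindings for `label` from a VCAP_SERVICES JSON string."""
    services = json.loads(vcap_services)
    if not services.get(label):
        raise KeyError(f"no {label} binding found in VCAP_SERVICES")
    return {label: services[label]}


def override_client_credentials(services, client_id, client_secret):
    """Replace the deployed app's client id/secret with the localhost app's.

    Every binding must expose both fields; otherwise the file would silently
    keep the deployed app's credentials, which is the mistake to catch here.
    """
    for bindings in services.values():
        for binding in bindings:
            creds = binding.get("credentials", {})
            replaced = set()
            for key in list(creds):
                norm = _normalize(key)
                if norm == "clientid":
                    creds[key] = client_id
                    replaced.add(norm)
                elif norm == "clientsecret":
                    creds[key] = client_secret
                    replaced.add(norm)
            if replaced != {"clientid", "clientsecret"}:
                raise ValueError(
                    f"binding {binding.get('name')!r} lacks client id/secret fields")
    return services


def is_local_redirect(url):
    """True only for an http(s) URL whose host is localhost or 127.0.0.1,
    which is what the new SSO application's auth redirect URL must be."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and parsed.hostname in LOCAL_HOSTS


def build_local_vcap(vcap_services, client_id, client_secret, redirect_url):
    """Combine the steps: validate the redirect, isolate p-identity, set creds."""
    if not is_local_redirect(redirect_url):
        raise ValueError(f"auth redirect URL must point to localhost, got {redirect_url!r}")
    services = extract_binding(vcap_services)
    return override_client_credentials(services, client_id, client_secret)


def main():
    # Environment variable names below are this example's own convention.
    captured = os.environ.get("CAPTURED_VCAP_SERVICES", SAMPLE_VCAP_SERVICES)
    services = build_local_vcap(
        captured,
        os.environ.get("LOCAL_CLIENT_ID", "local-app-client-id"),
        os.environ.get("LOCAL_CLIENT_SECRET", "local-app-secret"),
        os.environ.get("LOCAL_REDIRECT_URL", "http://localhost:8080"),
    )
    with open("vcap_services.json", "w") as fh:
        json.dump(services, fh, indent=2)
    print("wrote vcap_services.json with", ", ".join(services), file=sys.stderr)


if __name__ == "__main__":
    main()
```

Run it with the captured blob in CAPTURED_VCAP_SERVICES and the localhost app's values in LOCAL_CLIENT_ID and LOCAL_CLIENT_SECRET, then start the application exactly as in the command above. Keeping only p-identity matters because the other bindings in cf env carry the deployed app's database credentials, which have no business in a file that sits in a developer checkout.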

Related

Microsoft Active Directory SSO to docker container

I have a web application running in a Docker container. I need to allow only users authenticated with Microsoft SSO (only the users in my Azure AD tenant). The web application is written in Spark Java, and trying to change the existing basic authentication to Azure with MSAL4j is proving to be time consuming and difficult.
Is there a way to authenticate all users with SSO externally to the container without having to change my application?
I saw an Azure NGINX solution on NGINX site but it seemed to not have a free version. Anything I can use out of the box or develop?
TIA!
There is no way to authenticate all users with SSO externally to the container without having to change your application. You would need to change your application code and add the Azure Authentication manually.

Identity Server 4 in Docker using OIDC and Selenium Testing

I am currently trying to run an integration test with Selenium on the following setup:
IdentityServer4 hosted in a .NET Core 3.1 REST service, running in its own Docker container (securityservice)
MVC test web user interface running under .NET Core 3.1, running in its own Docker container (testuserinterface)
The Selenium test is running on my local PC under a .NET Core 3.1 test project
Where I am getting the issue is when I attempt to access a secure page on the web application: the redirect to the identity server to show the user login page is attempted, however the URL that the redirect is set up with is that of the Docker container (e.g. http://securityservice/account/login). This URL is not accessible from my local browser, so my test is failing locally.
Is there a way that the login URL can be customised (only for test purposes) to be that of the local machine and the locally exposed Docker port (e.g. http://127.0.0.1:dockerport/account/login)?
I have tried many different examples and combinations with currently no success.
Any help in this area would be most appreciated.
Thanks in advance,
Stuart
What I have done for local development and testing in some cases is to create a local HTTPS certificate using mkcert and then, in my local hosts file, add an entry to map the domain of the certificate to 127.0.0.1.
So I can use URLs like https://identityservice:6001 to point to my IdentityServer.

com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException

Hello, I've followed the tutorial https://developers.sap.com/tutorials/s4sdk-odata-service-cloud-foundry.html step by step so far, and I'm having issues running the solution on my local machine.
I'm running Windows 10 and, according to the tutorial, I have set an environment variable as follows:
destinations=[{name: "ErpQueryEndpoint", url: "xxxx.s4hana.ondemand.com", username: "INT_USER", password: "xxxxxxxx"}]
When I run the solution on localhost I get this:
Message Error occured while handling request: com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException: com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException: Failed to get destinations of provider service instance: Failed to get access token for destination service. If your application is running on Cloud Foundry, make sure to have a binding to both the destination service and the authorization and trust management (xsuaa) service, AND that you either properly secured your application or have set the "ALLOW_MOCKED_AUTH_HEADER" environment variable to true. Please note that authentication types with user propagation, for example, principal propagation or the OAuth2 SAML Bearer flow, require that you secure your application and will not work when using the "ALLOW_MOCKED_AUTH_HEADER" environment variable. If your application is not running on Cloud Foundry, for example, when deploying to a local container, consider declaring the "destinations" environment variable to configure destinations.
Be sure to set the destinations variable so it is visible to your application. You can check using System.getenv("destinations"); in your code.

FederationException ID3206 in MVC application deployed to AWS EC2 instance

I have an MVC5 EF6 application configured to authenticate using organizational authentication (Azure AD) which works fine when running in IIS Express on my development PC. It was developed using Visual Studio 2013.
I have now deployed the application to an AWS EC2 instance using the Cloud Formation wizard in the AWS Visual Studio toolkit. I have also reconfigured the application entry in the Azure AD to run against the deployed version instead of the development version.
When the application is run by navigating to the EC2 instance from a browser, the user is presented with the Microsoft authentication page, so I know the deployed app is running. After successful authentication I get the following error:
ID3206: A SignInResponse message may only redirect within the current web application: '/' is not allowed.
I have tried all the potential solutions I can find from SO and other forums concerning this issue. These include several different ways of ensuring a backslash is at the end of a URL. However, none of these approaches fixes my issue.
My issue seems to be slightly different in that the error states that:
application: '/' is not allowed
All other similar references I've seen have something like:
application: '/appname' is not allowed
My application does not have this issue in development using IIS Express.
Can anyone offer any potential solutions or avenues to research concerning this?
The redirect error only occurs using the Amazon Cloud Formation tool (inside the AWS Explorer in Visual Studio) to deploy to AWS. If Amazon's Elastic Beanstalk tool is used instead to deploy to AWS, the redirect after successful authentication works fine.
Deploying to Azure using VisualStudio results in a successful redirect too.
So, although this is not a definitive answer as to why the Cloud Formation deployment causes the redirect error, using Amazon Elastic Beanstalk instead will redirect correctly.

Developing on localhost for Google Apps Marketplace

My typical workflow is that I develop on localhost, but with Google Apps Marketplace this hasn't been possible. OpenID works fine, but access to Data APIs via OAuth results in errors.
Token invalid - Invalid token: ACL not found for domain: 358xxxxxxxxx and consumer: 736xxxxxxxxx
Currently I have been using the following workflow, but it is very tiresome.
local develop » local push to github » remote pull from github » remote test » repeat
Is there a way to develop locally or another suggested workflow?
Solution:
A mashup of #koma's and #JTeagle's suggestions: I have multiple branches with OAuth keys in each config, respective of the branch. I also created a unique localhost domain my_project.dev which satisfies Google's requirements (since their localhost trigger wasn't working for me).
I am not sure what GitHub has to do with it, but if I understand well, it is difficult to do OAuth on localhost. That is indeed cumbersome.
My solution for this problem is to register my dynamic DNS domain name in the Google API Console and then do port forwarding on the router to my development machine.
This way, your development environment can do all the OAuth requests, and the callbacks from Google hit the router, and I can debug them.