idp | Itinero data processor | Map library

We are using keycloak as IDP and have some custom plugins/Spi, we are in process of updating our keycloak instance to version 17 Quarkas distribution and the SPIs began to break (error below) during keycloak build process. I've made sure that there are no keycloak libraries packed as part of jar.

The SPI looks like below and have corresponding entries in Manifest file under Manifest/services/org.keycloak.services.resource.RealmResourceProviderFactory

Custom SPI/plugin

We have a server with about a dozen small applications each in their own subfolder of the server (//URL/app1, //URL/app2, etc).

I've got the basic SSO authentication round trip working. I set up my account with my IDP and have the response set to go to a common landing page (ACS URL). Since the landing page is currently shared with all the apps, it is in a separate folder distinct from the apps (//URL/sso/acsLandingPage.cfm)

I'm now working on my first app. I can detect the user is not logged in so I do a initSAMLAuthRequest(idp, sp, relayState: "CALLING_PAGE_URL") and that goes out, authenticates, then returns to the landing page.

But how do I redirect back to my target application and tell it the user is authenticated?

If I just do a the original app doesn't know about the SAML request.

Is there a function that I can call in the original app that will tell if the current browser/user has an open session?

Do I need to set up separate SP for each application so rather than one common landing page each app would have its own landing page so it can set session variables to pass back to the main application? (the IDP treats our apps as "one server", I can get separate keys if that is the best way to deal with this).

My current working idea for the ACS landing page is to parse the relayState URL to find out which application started the init request and then do something like this:

ACSLandingPage.cfm

I had to update simplesamlphp on an old PHP server, the old version of the library was from 2010. Simplesamlphp is used as a Service Provider (SP) in a SP initiated enviroment.

I replaced it with the 09/'20 release and configured it the same. It's all working except one thing.

Simplesamlphp uses the PHPSESSION to store the session, by feature it replaces the php session with his and should set the old one again once the cleanup() method is called (on the session instance), after the authentication's complete.

This is not working, but I was fine with it because it didn't matter for the user.

Now I have to implement a button to test the SAML integration on a protected page. By protected I mean it requires to be authenticated (through Zend Auth) to view the page, otherwise it automatically redirects (server side) the user to the homepage.

This is the code of the Action of this button (to test the SAML integration), that is inside this protected controller:

I'm trying to configure AWS Cognito to work with ADFS as a SAML provider in a dotnet core 3.1 MVC application. I believe I have ADFS and Cognito correctly configured as I can log into the application using a user in ADFS. I am at a stage where I can login and logout, however when logging out ADFS throws the error:

MSIS7054: The SAML logout did not complete properly.

This does still log the user out of ADFS. I think I’ve narrowed it down to the SAML logout messages ADFS receives need to be signed. References: here, here and here

Amazon describe how to do this from there end

To set up the SAML IdP to add a signing certificate: To get the certificate containing the public key which will be used by the identity provider to verify the signed logout request, choose Show signing certificate under Active SAML Providers on the SAML dialog under Identity providers on the Federation console page.

However, I’m not sure how I take their public key (which is just a string) and provided that to ADFS. The only thing I can seem to find is an encryption tab, that takes a certificate file (Is there some conversion thing I need to do?). I have tried this, which is putting the key inside a .cert file and adding to the relaying party encryption tab of ADFS, however this did not work.

Any help would be appreciated.

Thanks, Adam

I'm trying to use AWS Cognito as an authorizer for my REST API in AWS API Gateway.

It asks me to fill in the Issuer URL:

I digged through the AWS Cognito User Pool page, there is no such thing.

I found a related answer here: AWS: Cognito integration with a beta HTTP API in API Gateway? and I quote:

In an Android app which uses AWS services, if I deregister a registered ConnectivityManager.NetworkCallback, the app can no longer contact AWS services. I am uncertain why this is occurring, or how to contact the AWS services again. Currently, the only way to reconnect to AWS is to terminate the app and restart it.

To elaborate, one function of the app is to connect the user's Android device to a different WiFi network hotspot for the purposes of setting up an IoT device. At this moment of use, the user would be logged in using AWS's Cognito service. Because how an app can connect to WiFi was changed starting with API level 29, this associated code is only invoked on such devices and the problem is isolated to said devices. Here is the relevant snippet for how the connection is being created:

We're currently developing a SaaS platform (with a React frontend and an ASP.NET Restful API backend) using the DDD principles. We also use our own Identity Provider (using IdentityServer4).

All IdP-related data is stored in its own seperate database (users, claims, resources,...).

Now there's this issue where we can't wrap our heads around:

Whenever a users logs onto our SaaS platform using our IdP, we want to store some of the user data (id, language, email & name) in our application database. This is because we want to ensure referential integrity between users and other domain entities.

Another reason to store this, is because we need to access users' languages from our domain (to send out emails etc).

So what we can do is read the users' claims and store these in our database. But next to that, whenever a users changes any of this data (lets say a users updates his language) in the IdP, we'd also need to update this data in our application database (since we want the users to receive emails in their set language).

I was thinking of creating a middleware that checks all UserClaims whenever a user performs an API call, but that would mean that we'd constantly have to make a db-request on every API call.

What is the best way to sync user data between the IdP and another database without having to do it manually?

I am trying to use MS Graph API to configure Azure AD Connect Cloud Sync from these instructions but I am having trouble calling this endpoint in Powershell using client credentials:

I am trying to add the ruby-saml in my project. But I am a bit confused about how to implement it in my scenario. I am on a website let's say abc.com and there is a button. When I click on the button, I need to redirect to the website xyz.com where I need to pass SAML XML and send it to xyz.com/SAML. The SAML request will be processed by xyz.com and then they will send me a response. Could anyone give me some idea how to achieve it?

Also, I am confused about these fields. Could someone give me a quick summary?

settings.assertion_consumer_service_url
settings.sp_entity_id
settings.idp_entity_id
settings.idp_sso_service_url
settings.idp_slo_service_url