A list of puns related to "Service provider (SAML)"
Hello,
I'm using FortiGate 7.0.2 as a SAML SP and for now everything seems fine:
- I switched the digest method on the IdP and SP to sha256.
- The IdP (keycloak) is signing Assertions and FortiGate is validating them.
- But the IdP is not validating responses/requests from FortiGate.
How do I need to configure the IdP to make it work when selecting a "SP certificate" in the "Service Provider Configuration" under Single Sign-On? I selected the same certificate that I used for the IdP config below. But now after the successful login response from the IdP it is stuck at redirecting back to FortiGate VPN.
On the IdP I enabled the requirement for the SP to sign assertions. Whether enabled or not it won't redirect.
On SAML-tracer I also saw that the first login request made by FortiGate was using SigAlg sha1. Since I get a successful login response from the IdP I'm guessing it doesn't matter.
Must the SP certificate be different to the IdP certificate?
How can it be possible to get a successful login response from the IdP after enabling SP certificate, if it's only used for signing requests/responses from the SP, but it still doesn't redirect to the SSL VPN?
I would think enabling SP certificate could only produce an error when IdP is validating it? Or is the IdP using this certificate to sign the response, but FortiGate is not able to validate its own certificate?
Sorry if there are too many questions. I would be happy about any general answer to those questions, thanks.
I am the IdP and they are the SP. I am going round and round with the support team for the app we are trying to set up SAML SSO on. The ONLY piece of information they have given me is the /saml/consume URL. They say I need to provide literally all the other info. Any SSO experts in here to help?
Other apps I have set up for SAML SSO have the vendor supplying Reply URL, Entity ID and Relay info. They have all been set up without a hitch.
I have an application with oneLogin and act as identity provider for other services. Now I want to integrate another service provider. How should I go about it: do I have to create separate controllers again, or can I use the existing controllers to make it work? What will be the best approach and how should I pursue it? Please help.
When using the F5 APM as a SAML IdP, is it possible to have the F5 automatically download and update the metadata for an External SP after it was built? I know this is a feature of AD FS, so I'm wondering if there is any crossover.
The APM is running on a slightly older version of code: 14.1.2.3.
Thanks for the info ahead of time!
We'd like to include single sign on using SAML/Shibboleth on our web application. In this scenario, I believe we are acting as the service provider and another institution will be the identity provider. Do we absolutely need to register with a federation (such as InCommon), which requires a fee, in order to be a service provider?
I just discovered KeyCloak and I'm hoping I can get an answer to a question I have here rather than spinning up a VM of it and testing it out. Thanks in advance for any advice given!
I have an application that I want to enable SAML-based SSO for but the users would be part of two different Office 365 tenants.
Is it possible for the application to use KeyCloak as the Identity Provider and then KeyCloak "relays" to one of two Azure AD instances based on the users domain name?
Okta can do this but to use Okta solely for this "dynamic relay" (my made up term) functionality isn't cost effective.
I keep running into more and more service providers that don't enforce SAML-only authentication. Their argument is that if SAML stops working users can still log in. This seems logical but defeats the purpose of having SAML and being able to prevent employees from logging into an SP after they are offboarded.
Am I completely off base with my frustrations here? It's completely impractical to log in to every service when offboarding to disable accounts.
We have a SAML identity provider (IDP) that is hosted in "The Cloud".
We want to turn an Apache web site on our network into a service provider (SP) so that users are required to authenticate against the IDP before accessing the site.
So far I have found two modules that will turn an Apache site into a service provider: Shibboleth and mod_auth_mellon. Of the two, Mellon seems simpler and easier to configure, but it also seems very unknown as I can find very little documentation on it.
Is one of these better than the other for certain situations? Is one of them under more active development than the other? Or is there some other SAML SP module for Apache that I should be aware of?
Background: I have a small SaaS app running Angular on the frontend and Flask as the API. We just got a large corporate client, and they require that we integrate SSO. I AM TOTALLY LOST AND I CAN'T FIND ANY USEFUL GUIDES OUT THERE!!
Up until now we've maintained our own user database. Fine. They are using a third-party IdP and they want to use SP-originated SAML SSO. So, we have to set up our app to be a Service Provider under this model. Doesn't sound too intense, right?
We plan to use the backend, not the JS server, to do the integration, since they only support a POST with the SAML metadata.
The problem is, I have no idea where to start. I've set up a SAML App as IdP in our Google GSuite as a test bed. However I have yet to configure a SP server that even sends any requests to the IdP!
I have tried
https://pysaml2.readthedocs.io/en/latest/examples/sp.html
https://github.com/onelogin/python-saml
https://developers.onelogin.com/saml/python
https://github.com/HarryKodden/JupyterHub-SAML
The JupyterHub solution seems to be the most promising, but I'm not sure about using Shibboleth as a dependency ...
None of the documentation on these walks me through baby steps, or if they do, they are wrong or out of date.
The solution doesn't have to be Flask, or Python, but running it on Apache2 would simplify things for us. Really, a Docker of any sort that runs an app with a configurable IdP and says 'Hello World' would be a start!
Thanks!
Hello Guys,
This is a topic that I am trying to get a grasp of. Soon we will be using a service like SalesForce and would like to implement SAML & SSO. My understanding is that the credentials used to login to SalesForce should be the same as the user's AD account. However in my readings so far, I do not see any mention of AD...
What am I missing here? What readings do you recommend? Does something need to be installed locally in our environment? Is it easier to have an external service that can do this end to end (we will opt for this if it is easier)? Which providers would you recommend (Google came up with Ping Identity and a bunch of others)?
Thank you for your help
Hi, I have a few questions about our SAML setup and how it works. I've studied it over the last couple of days and think I have my head around it now for the most part. Bit of info about our setup for a better picture: our ASAs are where the SAML tunnel group lives, we have an Azure AD environment where the SAML request is sent, and on Azure we have MFA set up with password and an authenticator app too.
From what I've read about SAML, it is an XML based framework for exchanging authentication and authorisation between security domains. It creates a circle of trust between a SP (Service Provider, the ASA) and an IdP (Identity Provider, AZURE)
The XML metadata document has the data in it that allows the SP and IdP to negotiate agreements. To ensure confidentiality for the messages sent between the SP and IdP, the ASA (SP) will send the SAML request to the http://sts.windows link in a TLS tunnel using the certs of the Azure pub key on the ASA, and Azure (IdP) will display the login page from there.
SAML is just a means to send data to the IdP in the Cloud (being Azure), from there when the SAML request has been accepted and negotiated successfully, the actual authentication can begin.
Azure will direct the client to a login page that requires both the password and then an approve from a users authenticator app to login (MFA authentication). On Azure the user will have MFA assigned to them and linked to an Authenticator which Azure sends over the "approve" request to once the password has been accepted. After a successful login from both, the Azure IdP will send a SAML response back to the ASA with the correct user groups as well so that information can be processed by ISE and a group-policy can be picked out from there.
Hopefully if that all makes sense and is correct, then my main question is, what sort of stuff will be in the SAML request that is sent to Azure (IdP) basically?
Thanks
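Added example, serving both the FortiGate question above (what the "SP certificate" and SigAlg on the first request are for) and the ASA question (what is actually in the SAML request sent to the IdP). This is not code from any of the posts, from Fortinet, Cisco or Microsoft; the entity IDs and URLs are assumptions, and the RSA key is a throwaway toy so the block runs offline. A real SP signs with the private key behind its X.509 "SP certificate" through a library such as python3-saml or pysaml2, and the IdP checks the signature against the public key in the SP's metadata.

```python
# Added example: SP-initiated SAML AuthnRequest on the HTTP-Redirect binding,
# signed the way an IdP validates "signed requests". Not code from any post
# above. Entity IDs/URLs and the toy RSA key are assumptions; a real SP uses
# its X.509 key via a library (python3-saml, pysaml2), never hand-rolled RSA.
import base64, hashlib, random, secrets, uuid, zlib
from datetime import datetime, timezone
from urllib.parse import parse_qsl, quote

SP_ENTITY_ID = "https://vpn.example.com/saml/metadata"   # assumed SP entityID
ACS_URL = "https://vpn.example.com/saml/acs"             # assumed SP ACS URL
IDP_SSO_URL = "https://idp.example.com/sso/redirect"     # assumed IdP SSO URL
SIG_ALG_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SIG_ALG_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

def build_authn_request(request_id=None, issue_instant=None):
    """What the IdP sees: a unique ID the SP must remember (InResponseTo later),
    the IdP endpoint as Destination, the SP entityID as Issuer, and the ACS URL."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{IDP_SSO_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            f'AssertionConsumerServiceURL="{ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
            '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" '
            'AllowCreate="true"/></samlp:AuthnRequest>')

# --- toy RSA with PKCS#1 v1.5 / SHA-256, only so the block runs stand-alone ---
def _probable_prime(n, rounds=16):               # Miller-Rabin, demo quality
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if _probable_prime(c):
            return c

def toy_rsa_keypair(bits=1024):
    """Returns ((n, e), (n, d)). Demo only; never generate real keys this way."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(data, k):             # 00 01 FF..FF 00 DigestInfo || SHA-256(data)
    t = _SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha256_sign(priv, data):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(data, k), "big"), d, n).to_bytes(k, "big")

def rsa_sha256_verify(pub, data, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    m = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(m, _emsa_pkcs1_v15(data, k))

def sp_redirect_query(authn_xml, relay_state, sp_priv, sig_alg=SIG_ALG_SHA256):
    """HTTP-Redirect binding: raw-DEFLATE, base64, URL-encode, then sign exactly
    'SAMLRequest=..&RelayState=..&SigAlg=..' (that order) and append Signature.
    Only rsa-sha256 is implemented; sig_alg is a parameter so the IdP-side
    algorithm policy below can be exercised."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # -15: no zlib header
    deflated = comp.compress(authn_xml.encode()) + comp.flush()
    signed = (f"SAMLRequest={quote(base64.b64encode(deflated).decode(), safe='')}"
              f"&RelayState={quote(relay_state, safe='')}"
              f"&SigAlg={quote(sig_alg, safe='')}")
    sig = base64.b64encode(rsa_sha256_sign(sp_priv, signed.encode())).decode()
    return signed + "&Signature=" + quote(sig, safe="")

def idp_verify_redirect(query, sp_pub, allowed_algs=(SIG_ALG_SHA256,)):
    """IdP side with 'validate SP requests' on: rebuild the signed string from the
    still-URL-encoded values as received, enforce the SigAlg policy, verify with
    the SP certificate's public key, then inflate. Returns (ok, xml_or_reason)."""
    raw = dict(p.split("=", 1) for p in query.split("&"))
    params = dict(parse_qsl(query, keep_blank_values=True))
    if params.get("SigAlg") not in allowed_algs:
        return False, "SigAlg rejected by policy: %s" % params.get("SigAlg")
    parts = ["SAMLRequest=" + raw["SAMLRequest"]]
    if "RelayState" in raw:
        parts.append("RelayState=" + raw["RelayState"])
    parts.append("SigAlg=" + raw["SigAlg"])
    if not rsa_sha256_verify(sp_pub, "&".join(parts).encode(), base64.b64decode(params["Signature"])):
        return False, "signature does not verify with the SP certificate"
    return True, zlib.decompress(base64.b64decode(params["SAMLRequest"]), -15).decode()
```

Two things this makes visible. The IdP only ever uses the SP certificate to check signatures on what the SP sends; it does not sign its Response with it, so enabling the SP certificate on the SP side cannot by itself break Response validation, but an IdP configured to require signed requests will reject an unsigned or sha1-signed request before any login page is shown. And the signed string is built from the URL-encoded values in the order SAMLRequest, RelayState, SigAlg, so any difference in encoding between what the SP signed and what the IdP reconstructs fails verification even when the key is right.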
REMINDER: I am not the OOP, this is a repost sub.
Warning: Unsatisfying update
Internet provider customer service rep wanted to be on the phone call with me while my sister was having a medical crisis and be involved in the conversation.
We use a common internet provider, big American company name. We have internet with them and my mom called them to upgrade to include cable TV into the plan. She came to a plan agreement with them and the rep proceeded to pitch the new mobile phone plan that the company is rolling out. After the generic sales pitch my mom told her that she wasn't interested in switching cell phone providers, the rep wasn't relenting. Finally after 40m she talked my mom into a "well maybe we'll think about switching, but let me get my daughter to discuss the plan because she's on the plan too and is the one who pays the bill".
[NOTE: This was all on speaker phone so both my mom and me could hear her and she could hear us both. Also my mom is over 70 and knows almost nothing of cell phones, especially smart phones.]
This is where I came into the conversation. The rep pitched the sales deal to me and rambled off a bunch of junk tier phones at ridiculous prices. I was upfront with her about how those deals were awful and we weren't interested in the slightest. She kept pitching more and more info at me, I kept telling her that I'm not interested and to just process the cable TV part of the deal. She outright refused to process the order for cable upgrades without us agreeing to a phone plan. I told her that if phones were forced as part of the cable package that we were also no longer interested in adding cable and to cancel the whole plan.
She then hit me with this number. "The deal was going perfectly until you showed up. I don't want to do business with you, put your mom back on the phone." I called her on her underhanded and patronizing sales tactic and told her that it wasn't going to work on me, I knew the deal was terrible and not worth it. She began clapping back with rude comments like "I don't understand why you're so against a good deal, you don't know good deals" and "please leave so I can talk to your mom alone, she was sensible".
I told her I wanted her name so I could report her. She ignored my request and kept on doing her s
I don't drive, so I depend on my husband to drive me to and from work. I usually call him at around 3pm to ask him to pick me up. Yesterday I tried to call him 20x and he wouldn't answer me and my call goes to voice mail. At first I was worried that something might have happened to him or something. Then I took a look at his bank account to check if he got a new transaction, and I saw that he had a transaction from an address that clearly told me that he was at his brother's house. I know what he's doing there, and it pissed me off that he wouldn't answer my call. It was already 3:30 and nothing. What pissed me off is I had some supplies to be delivered to our client which needed to be delivered same day. I was thinking if he doesn't want to talk to me, he doesn't need a phone, so I called our service provider and asked for his number to be disconnected. I gave them the reason that the phone got lost by my husband. I called Uber and delivered the supply, then went home. Around 4:30 husband came home and told me his phone is not working, he went to my office to pick me up but I'm not there any more. He asked me why his phone is not working, so I told him that I had it disconnected, since he wouldn't answer my calls anyway. He didn't say anything (he's the kind that doesn't engage in arguments) but he didn't sleep in our room, instead stayed in the guest room, and this morning he didn't make breakfast (he usually does). He took me to work but gave me the silent treatment all throughout. All I want from him is an apology and I will have his phone reconnected. AITA
Edit: somebody from the thread suggested that I mention that my husband is a SAHH, he's retired and receives a monthly SS benefit which he spends on himself. I work and earn 3x as much, I pay all the bills.
" How do these services know that the purchases were made for goods and services and not just a payment from a friend or family member? Most of them are adding an extra form during the payment process for the payer to identify the nature of the payment. "
This will likely take many by surprise for common transactions even down to a garage sale level.
I've posted about this before but have learned a lot of new info to the point where I think my problem and questions need to be re-stated. We are running PAN-OS 9.1.8, and GlobalProtect 5.2.8.
We recently implemented Duo Multi-Factor Authentication (MFA) and have configured GlobalProtect's SAML Identity Provider to use Duo's SSO service (in turn Duo uses Azure AD for authenticating creds). This works great when users connect GP AFTER logging into Windows. But when they connect GP first (at the Windows lock screen), they get stuck halfway through authentication. Here's how things work when connecting AFTER logon.
Like I said, the above works when connecting AFTER Windows sign-on, but when we try to use Connect Before Logon, the process gets stuck between step 5 and step 6. We see the Azure AD credentials authenticate successfully and the Microsoft prompt goes away (so step 5 must be working), and we briefly see the Duo MFA Universal Prompt attempt to open (which means step 6 is starting), but that Duo prompt flashes on the screen for only a split-second and then the GP window just shows a blank window and stays there indefinitely. It never times out or changes. In the logs, the last thing we see GP do is open two Duo web service URLs. Then nothing until we cancel GlobalProtect.
Any suggestions on how to troubleshoot this? Is it the cookies maybe?
Another tale from my days as a sysadmin/tech support person for a University.
The building we occupied was slated to be completely renovated, top to bottom. It was originally built in the late 1960s so we were pretty jazzed to begin this project.
Since I was the head of the systems and tech support group, I got called in early to meet with the various planning folks and the outside architects to come up with the networking and power requirements.
The University had various standards for what was provided for each room based on some formula, plus the appropriate building codes. A faculty office was so many square feet, had so many power outlets, and so many network drops, should have a window. A staff office was smaller, might not have a window, and so on. A laboratory had this or that depending on the type, conference room had a projector or flat panel monitor, or whatever.
From the get-go I stressed that as a "computer intensive" department, we would need more power outlets and more network drops than the standard. Which meant we would also need more switches, so the data/communications room might have to be larger also.
The architectural company had sent two people to attend the meetings, an older guy and younger woman. Both were very professional but as the meeting went on I got the impression the younger person didn't understand what our special requirements would involve. The older guy didn't say much, mostly he was taking notes on his laptop.
By the end of the first meeting, which lasted three hours I think, we were wrapping things up and I had the sinking feeling that I was going to have to justify our special needs several times more. The University planning folks were clearly concerned about fitting this project into the budget they had been given, and I was making waves right at the start.
There was a funny incident as we were walking out of the conference room. The young lady, who was very enthusiastic, gave me a smile and remarked on how exciting this project was. "We've never done a project like this before!"
I kind of did a double take, forced myself not to laugh, and said something like, "you might not want to spread that piece of information around too much".
She looked at me with a puzzled look on her face, then realized what I meant and gave me a sheepish grin.
In the end the project was completed with a minimum of headaches, but it was a long haul.
Morning all. I am trying to set up IDP Google SSO in NetSuite using SAML and am having an issue. Hoping someone here has done this and knows what I am missing.
I've got everything set up and let the SAML config propagate overnight, but this morning when I test the login through the Google Service Provider page, I get the warning below from Netsuite.
>SAML request contains the wrong configuration. You must reconfigure the destination in the SAML request.
I was using the Google how-to for setting this up, but it may be missing a few steps.
Any idea what the issue is?
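Added example, not code from any of the posts above and not NetSuite's, Google's or any library's code. It shows the checks an SP performs on an inbound SAML Response once a proper library (xmlsec, python3-saml, pysaml2) has verified the XML signature; that signature step is assumed done and is not shown here. The Destination check is the one NetSuite's "reconfigure the destination" error refers to, and the same validator is what the Flask/Angular SP asked about earlier would put behind its assertion consumer endpoint. The sample Response, the URLs and the entity IDs are constructed for this example.

```python
# Added example: SP-side validation of a SAML Response after signature
# verification. Not from any post above. URLs, entity IDs and the sample
# Response are constructed; the XML signature is assumed already verified by
# a real library (xmlsec / python3-saml / pysaml2), which this block does not do.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

class SamlValidationError(Exception):
    pass

def _ts(s):
    """SAML timestamps are UTC with a trailing Z; some IdPs add fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise SamlValidationError("unparseable timestamp %r" % s)

def validate_response(xml_text, *, acs_url, sp_entity_id, idp_entity_id,
                      outstanding_ids, now, allow_idp_initiated=False,
                      skew=timedelta(minutes=3)):
    """Return (name_id, attributes) or raise SamlValidationError.
    outstanding_ids is the set of AuthnRequest IDs this SP issued and has not
    yet consumed; a matched ID is removed so a replayed Response fails."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("IdP status is not Success")
    # Destination must be this SP's ACS URL exactly (scheme, host, path);
    # a mismatch here is what 'reconfigure the destination' style errors report.
    if root.get("Destination") != acs_url:
        raise SamlValidationError("Destination %r is not our ACS %r"
                                  % (root.get("Destination"), acs_url))
    in_resp = root.get("InResponseTo")
    if in_resp is None:
        if not allow_idp_initiated:
            raise SamlValidationError("unsolicited (IdP-initiated) Response not allowed")
    elif in_resp not in outstanding_ids:
        raise SamlValidationError("InResponseTo does not match a request we sent")
    else:
        outstanding_ids.discard(in_resp)          # one-time use: blocks replay
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                      # EncryptedAssertion not handled here
        raise SamlValidationError("expected exactly one plaintext Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        raise SamlValidationError("Assertion Issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("Assertion has no Conditions")
    if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
        raise SamlValidationError("Assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise SamlValidationError("Assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlValidationError("our entityID is not in AudienceRestriction")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") not in (None, acs_url):
            raise SamlValidationError("SubjectConfirmationData Recipient mismatch")
        if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
            raise SamlValidationError("SubjectConfirmationData expired")
        if scd.get("InResponseTo") not in (None, in_resp):
            raise SamlValidationError("SubjectConfirmationData InResponseTo mismatch")
    name_id = a.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs

# Constructed sample Response (unsigned; assumed verified upstream).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-03-01T12:00:00Z" Destination="https://app.example.com/saml/acs"
  InResponseTo="_req42">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-03-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://app.example.com/saml/acs"
          NotOnOrAfter="2024-03-01T12:05:00Z" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-03-01T11:59:00Z" NotOnOrAfter="2024-03-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>vpn-users</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The order matters: status, Destination and InResponseTo are checked on the Response before anything inside the Assertion is trusted, and the request ID is consumed so the same Response cannot be posted twice. None of these checks is a substitute for verifying the XML signature; without it an attacker can mint a Response that passes every line above.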
I have a large pack and I can see that they can be quite the distraction sometimes and I understand some people might get a little annoyed with their meddling (eleven dogs is a lot of curious noses) and I try to keep them under control but I absolutely love it when the workers have positive interactions with them.
Like the mechanic teaching Rebeca how to fix an oil leak and handing her his tools as she watches right by his side, not even fazed when she eventually decides to take off with them. The landscaper carrying Lily around upside down on his break and laughing hysterically as she barrels through the neatly piled leaves. The delivery guy tough talking Milo while I sign, or his driver sharing his peanuts with the two seniors over "old people talk" as he calls it. The maintenance guy just oh, so casually scooping the puppies into his bag as he works.
It just makes my day and I hope it gives them a little joy too.
It just irritates me so much and honestly it's hurtful.
My eyebrow lady just HAS to make a remark if I have an acne spot or if I'm not wearing makeup that day. Or when an old nail tech comments on my natural nails, or the lady who does waxing comments on my growth.
It's fucking rude. And that's common sense.
u/usdgrind posted a similar scenario and I have a feeling we are not the only two impacted. Long story short, we are both on the "Extended" payback plan, but our loan terms switched to "Standard" when our loan service provider changed from myfedloan to Mohela. This is ironic because everyone impacted was told:
"The transfer of your loans will not affect your loan's existing terms, conditions, interest rates, loan discharge or forgiveness programs, available repayment plans, COVID-19 emergency payment pause or the 0% interest period...."
I can't speak for u/usdgrind, but this changes my payment from ~$160 monthly to ~$460 (187% increase LOL). Unfortunately for us, Mohela claims they cannot switch us over to "Extended" because our current balance is under $30k. This doesn't make any sense because there is no documentation or communication that states once balances are under $30k, your loan terms change. The fact remains: we were both on the "Extended" plan and we provided no consent to switch over to the "Standard."
If you are impacted, please contact Mohela and ask to speak to a supervisor (I am working with Richard). I also recommend creating a complaint with the Ombudsman Group (https://studentaid.gov/feedback-ombudsman/disputes/prepare).
Don't let Mohela tell you there are other alternatives (refinancing, other payback options, or loan consolidation).
I personally do not want any changes because my loans boost my credit score. My student loans are the oldest accounts on my credit report so they help boost my score by increasing my credit age. If I consolidate, this will hurt me because my credit age will decrease, thus lowering my score (during a time when I am looking to purchase my first home).
Got an email today from Virgin saying they are putting my bill up and said I can leave them with no termination fees. I get over 100mb down from Virgin and can't find another provider who can give me even close to that in my area. It looks like I'm stuck with them tbh as we do a lot of gaming in my house, sometimes 3 Xboxes on at once. Is VM the only real option for anything over 100mb?
From what I've heard/read Virgin Media is Bristol's number one choice.
Today Flexa (a payment service provider for digital currencies) announced that Gamestop is now making use of their service
source: https://twitter.com/FlexaHQ/status/1471565814142808079
Their webpage shows a transaction on Gamestop with a digital currency called Gemini dollar:
Source: developer.flexa.network/connect/
So what is the connection to Loopring, you might ask?
On their currency page it shows that they plan to add LRC, and that it will be 'available soon'
Source: https://flexa.network/currencies
Maybe this has something to do with the upcoming announcement that we're expecting for Q4?
Dear Spectrum Internet and fios,
Rot in hell.
There are so many things wrong with 2 companies controlling the majority of the internet traffic of the United States but I'm not here to talk about that.
What I am here to talk about is the bullshit throttling of download speeds just to get us to pay more.
We already pay you $40 a month just to get "100 mb/s" internet, that is the highest internet level you offer, there is no reason to throttle us to pay you more, but here we are.
So itβs after Christmas, I got a bunch of money and I buy a couple of games on steam, sounds simple enough right?
No.
It took almost a full fucking day to download Half Life Alyx because my download speeds couldn't break 10 mb/s. I still haven't downloaded all of my games for that same reason.
After sitting there in my anger at my internet's failure to do anything, I go onto google.com to see if there are better internet services.
I happen to stumble upon an article saying that the International space station got an upgrade to its internet and can send and receive data at over 600 mb/s.
Are you kidding me.
Are You FUCKING kidding me.
I have to suffer through single digit download speeds, sometimes dropping to kilobytes per second while fucking astronauts can send and receive data at almost a full gigabyte per second.
WHAT THE ACTUAL FUCK
I have had enough of these fucking pains knocking on doors late in the evening asking "Who's your current provider?" How about you stop annoying people, you annoying fucks.
2 times today they called to my home within 40 minutes to encourage us to change providers and got annoyed when we declined. Like honestly, do you think randomly calling to people's homes at 5pm is an effective means of marketing? If anything it makes me want to avoid it even more because of how Scrooge McDuck it feels.
Sure, during the winter months I want nothing better to do after work than to stand by my front door, letting all the heating out while listening to someone who's probably paid and treated very poorly try and sell shitty package deals. Whoever does the market research for these dumb fucking service providers needs to update themselves and discover the fucking internet.
gonna fly to sydney soon and which bank and service provider do yall think is the best?
I'm a sucker for romance, and every roleplay I have must have at least hints of it. But I don't think I truly was able to enjoy one.
The character traits that I encounter seem to mostly be "Needs to be protected", "soft", "is on the receiving end in almost everything" (e.g. small spoon), etc. etc...
Even if my roleplay advertisements specifically state that I want my partner's character to give and take equally, everything always ends up with me being the one to give, and those who had the potential of remaining fair ghosted, and honestly it's draining. It has been like this for the entirety of the 2,5 years that I have been roleplaying.
Usually this is followed by almost every plot point revolving around my partner's character and not mine, often ending up with me playing other characters while my partner only plays their main.
This resulted in me feeling more like the love interest or a dating simulator instead of the other main character, and because of this, I also became accustomed to viewing receiving as weird and almost undesirable in the off chance it occurs.
Some times I want to stop roleplaying because of this.
I've spent 30 minutes on hold with FUDelity to get this message. I was trying to move my IRA shares to ComputerShare, have DRS'd 100% already of shares in my trading account. Any ideas wtf this means? I got this message after being on hold for 12 minutes listening to their hold music and random tidbits of investing advice. Obviously, I was already connected to them. This has now happened two calls in a row.
Need a good recommendation, moving to Brussels in 3 weeks.... THNX
We are a growing ISP and are looking to replace Logic Monitor as our network monitoring platform. I'm a bit overwhelmed with all of these new cloud monitoring companies that have popped up over the last few years. They all seem so focused on monitoring the 'full-stack' and bill themselves as infrastructure monitoring platforms, but every time I speak with them their actual "NETWORK" monitoring seems like they have no clue how to do it. We are a network provider. We don't have cloud workloads, we aren't a software development house.
I am most familiar with Solarwinds and have been using it at pretty much every organization I've worked at for the last 10 years. I've looked at Data Dog, New Relic, OpsView, SevOne, and several others, but none of them seem to be able to provide a true single pane of glass for monitoring.
I've looked at Kentik and their solution looks AMAZING for service providers, but I was so disappointed when I got into the product and noticed that all it does is look at interfaces and flow data. It doesn't do anything in the way of monitoring, alerting, up/down, cpu, memory, etc.
What is really out there for service providers or large enterprises that want REAL network monitoring and everything that comes with it. (advanced alerting, up/down, flow data, bandwidth utilization, path monitoring, etc.) We would prefer an on-premise solution if possible, but are open to exploring cloud solutions. (we're not looking at open-source solutions, we want something off the shelf)
I am an Indian and I was browsing about ways on how to call internationally and how much would each of those methods cost. As compared to price rates of the regular service providers, calling over skype was way cheaper and in some cases free. How does this happen, when essentially the same end result is obtained.
Since they want me to sit in a queue for paying $150. Thought I'd share their info. They aren't using GoDaddy like you think. I did a Wireshark of the game. Ya some TCP traffic goes to GoDaddy, some also goes to Russia. Then this weird amount of UDP packets don't go to either. Just loading a profile and you'll see UDP sent to France. They are using OVH SAS as a service provider too. Lots of ways to screw up when you use this many companies
Hey there.
I've been trying to solve this for hours now. My company decided that we need some ticketing system for non-IT backoffice departments. Someone decided it should be OSTicket and it is required to log in to it using our ADFS service. I did find a free SAML plugin (https://github.com/salihkiraz/osticket-auth-saml) for it and managed to make it work, but there's something weird going on. There are currently several other apps using our ADFS with their relying party trusts. Our company policy is quite loose so ADFS has Windows Integrated Authentication configured and it works properly (I did change the user agents and we have a wildcard setup in the intranet zone so no problem here). All other apps redirect to ADFS on login attempt and get back immediately with their claims. But this OSTicket plugin for some reason redirects to the ADFS form and just stops there. I did notice all other apps are just forwarded to /adfs/ls/wia, this one just stops at /adfs/ls. If I put my credentials in the form it gets logged in perfectly. It just doesn't get to the NTLM part.
I quite frankly checked most things now:
I'm kind of out of ideas here and there's literally close to no information online on what can cause this issue. Either that or I can't build a proper query for Google.
Some info:
The host running OSTicket:
http://adfs.fqdn/adfs/services/trust
Identity Provider X509 Certificate - the IDPSSODescriptor X509 Certificate
Identity Provider SSO URL - https://adfs.fqdn/adfs/ls/
Service Provider Entity ID - https://osticket.fqdn
Assertion Cons