Friday, September 3, 2021

Command to create a systemd service script for OpenIDM

cd openidm/bin
./create-openidm-rc.sh --systemd | sudo tee /etc/systemd/system/openidm.service

Wednesday, September 1, 2021

ForgeRock OpenIDM: fetch the OpenID Connect well-known configuration from AM via curl

curl -X GET --header "Content-Type: application/json" "http://subscribers.example.com:18080/am/oauth2/.well-known/openid-configuration" | jq .

OpenIDM: syncing OpenIDM with LDAP, configuration steps

1. Add a target userPassword property that maps to the source password property. When you select password from the Property List, you get a warning message that the source property is encrypted.
2. Select the option in the editor to create the default transformational behavior for this property. You should be directed to the Transformation Script tab, and the inline script will be automatically populated with the following script:

openidm.decrypt(source);

Note: The business logic is that if the source password property is not null, the source password property is decrypted before it is sent to the target.

3. Go to the Conditional Updates tab and view the automatically populated script:

object.password != null

Save your changes.
4. Verify that the target userPassword property was added to the list, that the source property is password, and that the property has both a condition and

Create a Situational Event Script

You need to use a situational event script to create the dn for a directory entry during provisioning (onCreate). There is no single attribute on the managed user object in the repository from which to build the required dn on the LDAP directory server, so you need a script to construct the entry:

1. Select the Behaviors tab while editing the mapping.
2. Expand the Situational Event Scripts section so you can view the option to add a script.
3. Select the onCreate event from the selector option, if necessary, and select Add Script.
4. Leave the Type as JavaScript and select Inline Script, if necessary.
5. Enter the following in the Inline Script field (the script should be on one line):

target.dn = 'uid=' + source.userName + ',ou=People,ou=subscribers,dc=example,dc=com';

6. Save your changes to return to the Behaviors tab, then select Save again to save the changes.

Warning: It is easy to forget to select Save again to ensure your settings on the Behaviors tab are updated. You will lose your changes if you move away from the page.
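The onCreate script above builds target.dn by plain string concatenation, so a userName containing DN-special characters (comma, plus, quotes, backslash, a leading '#' or space) would produce a malformed DN or place the entry in an unintended container. Below is an added example, not from the page or from ForgeRock, of the same script with RFC 4514 escaping applied to the value; it is written as plain JavaScript with constructed source and target objects so it runs outside OpenIDM (in the real inline script those objects are supplied by the sync engine).

```javascript
// Added example (not from the page or ForgeRock): hardened form of
//   target.dn = 'uid=' + source.userName + ',ou=People,ou=subscribers,dc=example,dc=com';
// that escapes DN-special characters in userName per RFC 4514.
const BASE_DN = 'ou=People,ou=subscribers,dc=example,dc=com'; // base DN used on the page

function escapeDnValue(value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error('userName must be a non-empty string');
  }
  // Escape the backslash first so the escapes added below are not doubled.
  let out = value.replace(/\\/g, '\\\\');
  // Characters that must always be escaped inside a DN attribute value.
  out = out.replace(/[,+"<>;]/g, (c) => '\\' + c);
  // NUL is written as the hex pair \00.
  out = out.replace(/\u0000/g, '\\00');
  // A trailing space must be escaped; done before the leading check so a
  // lone space is escaped exactly once.
  if (out.endsWith(' ')) out = out.slice(0, -1) + '\\ ';
  // A leading '#' or leading space must be escaped.
  if (out.startsWith('#') || out.startsWith(' ')) out = '\\' + out;
  return out;
}

// Builds the dn exactly as the page's script does, but with the escaped value.
function buildTargetDn(source) {
  return 'uid=' + escapeDnValue(source.userName) + ',' + BASE_DN;
}

// Constructed sample objects standing in for the ones OpenIDM passes to the
// onCreate script; the last line mirrors the inline script's assignment.
const source = { userName: 'jdoe' };
const target = {};
target.dn = buildTargetDn(source);
```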

Friday, August 20, 2021

AWS and ADFS integration error "principal exists outside the account of the Role being assumed"

Error:

"principal exists outside the account of the Role being assumed(Service: AWSSecurityTokenService,Status Code:400; Error Code: ValidationError"

Solution:

Your AD role does not match the ADFS role, or your AWS role is not attached to the SAML identity provider.

Tuesday, August 17, 2021

ADFS and AWS integration error

Error: RoleSessionName is required in AuthnResponse (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: requestId; Proxy: null). Please try again.

Solution: Update the AD user's email attribute. If the email is not correct, you will still see the same error.

Error: Principal exists outside the account of the Role being assumed (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ValidationError; Request ID: 73ca564c-45ae-44de-9146-1633efbe10ba; Proxy: null). Please try again.

Solution: Fix the email issue as well.

Error: Your request included an invalid SAML response. To logou

Solution: An invalid email address is passed in the SAML assertion to AWS.

Tuesday, August 3, 2021

Github and ADFS SAML integration error method="GitHub::Authentication::SAML.rails_authenticate" ip=yourip at="failure - Invalid SAML response" login=_unknown errors='["Digest mismatch", "No assertion found", "Audience is invalid. Audience attribute does not match

ADFS and GitHub integration error

Error on github side

method="GitHub::Authentication::SAML.rails_authenticate" ip=yourip at="failure - Invalid SAML response" login=_unknown errors='["Digest mismatch", "No assertion found", "Audience is invalid. Audience attribute does not match


Solution:

The issue was that the GitHub Single Sign-On URL and/or Issuer URL was not correct. Make sure to compare the value of the IdP ACS URL and entityID with the GitHub configuration.



github integration with ADFS using SAML "failure - Invalid SAML response" '["Digest mismatch"]'

ADFS and GitHub SAML integration error

Error

"failure - Invalid SAML response" '["Digest mismatch"]'


Solution:

This error is a SAML integration error, and it can occur during any application's SAML integration. The real cause of this error is a certificate mismatch: GitHub had a different certificate than the IdP certificate. Make sure you download the correct certificate from the ADFS side, or, if you don't know which certificate, copy the certificate from the IdP file and upload the certificate (after decrypting) to the GitHub side. Also, make sure the IdP encryption option is checked on the GitHub side and that the certificate shows the correct values after uploading it into GitHub.

Other possible causes are that the user does not exist on the GitHub side (the user has to be present in the GitHub users directory) or that the right roles are not being passed.


Wednesday, June 16, 2021

GCP Network tiers selection

Premium

Higher cost.
Traffic leaves the GCP network closer to the destination.
Less distance and fewer hops.
More secure and faster transport.

Standard

Less expensive.
Traffic leaves the Google network near the source.
Most of the traffic stays on the public network.


Monday, June 14, 2021

Keycloak initial username and password

After unzipping the Keycloak folder, go to the following URL and enter a username and password. Whatever you enter the first time becomes your admin username and password.

http://localhost:8080/auth



Wednesday, June 9, 2021

GCP Folders definition

Projects


1. Projects are core components of GCP.
2. GCP requires the use of Projects.
3. Each resource belongs to only one Project.
4. Projects can be part of an Organization.
5. Projects are the core IAM implementation point.
6. Project provisioning is simple: only one mandatory field is required, and it is free of charge.
7. Projects can have different owners and users associated with them, and they can be managed and billed separately.
8. Resources belong to Projects; they can be instances, Cloud Storage buckets, services or APIs.



GCP resource policy: most restricted vs least restricted

The most restricted policy always overrides the least restricted policy in GCP, at any level.

GCP Organization Hierarchy

Tuesday, May 18, 2021

ADFS 4 and AWS SAML integration in GovCloud error: Specified provider doesn't exist

ADFS 4 integration with AWS in GovCloud

Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: b1234-5446-468b-127-e9876e; Proxy: null) (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: e859daed-2997-123255-b6d8-a6898723a2; Proxy: null). Please try again.


I came to know that when you use a SAML provider in AWS GovCloud (US) Regions, you should use the following URL for the XML document that contains relying party information and certificates [1]: https://signin.amazonaws-us-gov.com/static/saml-metadata.xml instead of "https://signin.aws.amazon.com/saml".

You can't change this URL on an already configured relying party; it is better to create a new relying party and enter the US-Gov URL to fix the "Provider doesn't exist" error.