Hello folks,
IF we are deploying WSS and the client connection is explicit mode using PAC file, and if we create user-based rules in the portal, do we need to allow inbound connections from WSS to the On-Prem Auth-Connector?
My question is related to opening inbound ports in the perimeter firewall
I know there are 2 options: Captive Portal and SAML.
But I am wondering do we need to allow inbound connection? If yes, then which ports?
Regards
Fawaz Musthafa
However, if you expect your employees to log into ShareFile with Active Directory credentials, via a configured SAML 2.0 identity provider, and not via ShareFile credentials, then there is a way to skip this confirmation flow.
This document (7023346) is provided subject to the disclaimer at the end of this document.
Error message: Unable to associate the server with the Driver Set.
com.novell.admin.common.exceptions.UniqueSPIException: (Error-603) The requested attribute could not be found. In the Directory, if an attribute does not contain a value then the attribute does not exist for the specific object.
Or run the /opt/novell/eDirectory/bin/idm-install-schema script to extend schema.
Then attempt to add the server to the driver set again.
Additionally, make sure the new server holds a read write replica of the partition where the driver set resides.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.
Hi Folks,
Come across CVE-2018-5241 and i believe that it does affect our proxy which runs on 6.6.5.13. As per KB https://support.symantec.com/en_US/article.SYMSA1450.html recommended to upgrade to 6.6.5.17.
Is it really required ? Or should i refer any other possibilities.
Note : We do not use SAML realm(Attached Sysinfo)
Regards,
Anoop
1. Open a Remote Desktop Session to the cloud connector server.
2. Open the StoreFront Management Console.
3. On the StoreFront Management Console, select Manage Authentication Methods.
4. On the Manage Authentication Methods window, select SAML Authentication.
5. Open Windows PowerShell ISE as Administrator.
6. Run the following code in Windows PowerShell ISE.
Note: Remember to change the value of the $storeVirtualPath variable to reflect the name of your actual store.
$storeVirtualPath=“/Citrix/Saml”
$auth=Get-STFAuthenticationService-Store (Get-STFStoreService-VirtualPath$storeVirtualPath)
$spId=$auth.AuthenticationSettings[“samlForms”].SamlSettings.ServiceProvider.Uri.AbsoluteUri
$acs=New-ObjectSystem.Uri$auth.Routing.HostbaseUrl, ($auth.VirtualPath +“/SamlForms/AssertionConsumerService”)
$md=New-ObjectSystem.Uri$auth.Routing.HostbaseUrl, ($auth.VirtualPath +“/SamlForms/ServiceProvider/Metadata”)
$samlTest=New-ObjectSystem.Uri$auth.Routing.HostbaseUrl, ($auth.VirtualPath +“/SamlTest”)
Write-Host“SAML Service Provider information:
Service Provider ID: $spId
Assertion Consumer Service: $acs
Metadata: $md
Test Page: $samlTest”
7. This command will output the SAML Service Provider Information.
Create the Application in Azure
8. On your web browser, navigate to portal.azure.com.
9.Log in with your Microsoft Azure credentials.
10. Open Azure Active Directory.
11.On the Azure Active Directory blade, select Enterprise Applications.
12.On the Enterprise Applications blade, select New Application.
13.On the Add an application blade, select Non-gallery application.
14. On the Add your own application blade, enter a name for the application and click Add.
15.After the application is crated, on the new application blade, under Manage select Users and Groups.
16.On the Users and Groups blade, select Add user.
17.On the Add Assignment blade, select Users and Groups.
18.On the Users and groups blade, select theAD Users or Groups to which you want to provide access.
19. Click Select.
20.On the Add Assignment blade select Assign.
21.Back on the application blade, under Manage select Single Sign-On.
22.On the Single Sign-On blade, under Single Sign-on Mode, select SAML-based Sign-on.
23.Under step 2 Domain and URL’s, enter the following information.
a. Identifier (Entity ID): Service Provider ID from step 7.
b. Reply URL: Assertion Consumer Service from step 7.
24. On step 3 User Attributes, make sure user.userprincipalname is selected as the User Identifier.
25.On step 4 SAML Signing Certificate, click on Metadata XML.
26.Click Save on the top of the blade.
Note: This will download an XML file to your computer.
27. Place the Metadata XML file on a directory on your StoreFront Server.
28. Open Windows PowerShell ISE as Administrator one more time.
29. Run the attached code in Windows PowerShell ISE.
Note: Remember to change the value of the $storeVirtualPath variable to reflect the name of your actual store, and the value of the –FilePath parameter to reflect the actual path of the file in your computer.
Get-Module“Citrix.StoreFront*”-ListAvailable|Import-Module
$StoreVirtualPath=“/Citrix/Saml”
$store=Get-STFStoreService-VirtualPath$StoreVirtualPath
$auth=Get-STFAuthenticationService-StoreService$store
Update-STFSamlIdPFromMetadata-AuthenticationService$auth-FilePath“C:FedMetStoreFront.xml”
– Cause: Misconfiguration of the JVM heap sizes
Suggestions: Clear any custom settings to the Initial heap size and Max heap size on the properties of the driver set, misc tab. Then try to load the vrdim modules. ****Too large of heap settings accounts for about 90% of these issues****
Additional detail on these errors can be found using the +misc flag in ndstrace. All jvmloader messages come under the MISC flag on Linux/Unix, and under the MISC OTHER flag on dstrace.dlm (Windows). Unfortunately there is no way of seeing them on Netware ( but we can always check the SYS:/ETC/JAVA.CFG file there)
– Cause LD_LIBRARY_PATH not set properly causing “error: libjvm.so: cannot open shared object file: No such file or directory” and “JVM interface initialization failed <failed, -299 (0xfffffed5)>, unloading DIRXML” errors.
Verify that echo $LD_LIBRARY_PATH returns a valid path. . /opt/novell/eDirectory/bin/ndspath will get it running for the current session, then restarting ndsd should load vrdim. The path can be set by exporting it after logging in as root, or adding it to an env_idm file in /etc/opt/novell/eDirectory/conf directory.
LD_LIBRARY_PATH=//opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/server://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/native_threads::$LD_LIBRARY_PATH:/opt/novell/eDirectory/lib64/apr:/opt/novell/eDirectory/lib64:/opt/novell/lib64:/opt/novell/eDirectory/lib64/nds-modules:$LD_LIBRARY_PATH
– Cause: Damage/corruption in the DirXML-ServerKeys attribute that resides in the local DIB’s Pseudo-Server object
Suggestions: DSDUMP (only done by Novell support) is needed to remove the attribute with pre-IDM 3.6. Use the new command within the dxcmd utility for IDM 3.6 and later.
– Cause: Too much memory allocated to eDirectory cache.
Suggestions: Check the eDirectory cache configuration from iMonitor -> Agent Configuration -> Cache Maximum Size. Try reducing this size if it seems high and reload dirxml.dlm (Windows) or restart ndsd (Linux).
– Cause: Corruption/damage/insufficient rights on the libraries IDM requires in the box (check the install log, also do an rpm -V on the IDM packages)
Suggestions: This is by far the hardest to track down properly, but here are some options:
> Use rpm -V liberally against all IDM-related libraries. The command line works well for that:
rpm -qa | grep DXML | xargs rpm -V
> ldd your IDM libraries to see the dependencies they have, and check those dependencies as well. The checkbin.sh script can help greatly when checking dependencies, it is part of the ntsutils package that can be downloaded here: https://www.novell.com/communities/node/2332/supportconfig-linux
> use strace / ltrace to track what is happening. strace works on scripts, so that will probably be the best option. ltrace can only be run against binary files. These tools provide a lot of information, and quite a bit of it requires basic C knowledge
> For a quick solution, reinstall IDM on top of itself. That will simply overwrite the libraries/rights. If you run IDM 3.0.1 or 3.5.1 installer with the -DCLUSTER_INSTALL=”true” option, it will only lay down the rpms again without extending the schema (even though it does show the messages that its doing that).
If the above still does not resolve the issue, ensure the jclnt symbolic link is pointed to the correct directory. View TID 7006778 for further information.
Document ID: 5393130
Security Alert: No
Distribution Type: Field Test File
Entitlement Required: Yes
Files:
Products:
Superceded Patches:
Document ID: 5378650
Security Alert: No
Distribution Type: Public
Entitlement Required: Yes
Files:
Products:
Superceded Patches: None
We have a working SAML authentication in our Field Office that uses WSS as their secure webgateway. I used BCCA as our IDP but didnt set up an incoming firewall policy to my BCCA server. I have an outgoing policy to threatpulse but I dont see any logs hitting this policy. Makes me wonder how they communicate to one another in my current setup. WSS can see my internal BCCA as active.
-Philip
Patch update for the Identity Manager SAP HR driver with the SAP JCO version 3. This patch will take the driver version to 4.0.3.0. You must have IDM 4.6 or later to use this driver.
Document ID: 5377310
Security Alert: No
Distribution Type: Public
Entitlement Required: Yes
Files:
Products:
Superceded Patches: None