ADFS Taleo Relying Party Configuration

Hi, 
I'm trying to configure Oracle Taleo as a relying party for AD FS and AD FS as the identity provider for Taleo. 
AD FS Configuration
I have uploaded the Taleo federation metadata XML in the relying party configuration wizard and everything seems correct. I have created claim rules to return the email address in the Name ID attribute with unspecified format. 
Taleo Configuration
When I try to sign in, the browser is correctly redirected to AD FS, AD FS returns a SAML response containing the email address in the Name ID attribute (logged with Fiddler), but Taleo returns Internal Server Error 500. 
Do you see anything wrong in this configuration? IdP identifier? Authentication URL? And, more important, the certificate: it is possible to select only one certificate, so which certificate should be uploaded: SSL, token encryption or token decryption? In which format? Binary, base64?
I have been trying to troubleshoot this error for a week, also with Taleo support, but we haven't found anything. If you have already configured Taleo or you have any idea, let me know. 

Ok, I have an update from the vendor, it is an error log: 
I have some errors reported by our Cloud Operations team; I hope they will help you get a general idea: 
<< Report from Cloud Ops>> 
Feb 17, 2015 5:28:17 PM EST 
Error FED-18074 Signature verification failed for provider ID http://*****.com/adfs/services/trust 
Feb 17, 2015 5:28:17 PM EST 
Error FED-12064 Exception: {0} 
Feb 17, 2015 5:28:27 PM EST 
Error FED-10146 Could not locate the X.509 certificate forhttp://****.com/adfs/services/trust, for use signing 
Feb 17, 2015 5:28:27 PM EST 
Error FED-12064 Exception: {0} 
Feb 17, 2015 5:28:27 PM EST 
Error FED-15131 Certificate was missing when trying to verify digital signature. 
The problem is related to certificates, because we have uploaded several certificates and now I think Taleo is not able to find the right one. Since all the errors are related to signing certificates, maybe I have to select this one. 
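The errors above say the SP could not locate the X.509 certificate that signed the assertion. As an added example (not code from the post, Taleo or AD FS), this compares the thumbprint of the certificate the SP holds against the signer certificate carried in the SAML Response and the KeyDescriptors published in the AD FS federation metadata; all XML and certificate bytes are constructed stand-ins and the hostname is a placeholder.

```python
"""Added example (not from the original post): compare the certificate an AD FS
SAML Response was signed with against the certificates published in the AD FS
federation metadata. FED-10146 / FED-18074 mean the SP could not find the X.509
certificate that signed the assertion, which is what happens when the
token-encryption or SSL certificate was uploaded instead of Token-Signing.
All XML and certificate bytes below are constructed stand-ins; the hostname is
a placeholder.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed DER stand-ins (real certificates are ~1 KB; the thumbprint logic is the same).
SIGNING_DER = b"constructed-token-signing-cert-DER"
ENCRYPTION_DER = b"constructed-token-encryption-cert-DER"

def b64(der: bytes) -> str:
    return base64.b64encode(der).decode()

# Constructed federation metadata with the two KeyDescriptors AD FS publishes
# for its IdP role: use="encryption" (Token-Decrypting) and use="signing".
FEDERATION_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
  entityID="http://adfs.example.invalid/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(ENCRYPTION_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(SIGNING_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML Response; AD FS embeds the signer certificate in ds:KeyInfo by default.
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:ds="{NS['ds']}" ID="_r1">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{b64(SIGNING_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""

def thumbprint(b64_cert: str) -> str:
    """SHA-1 thumbprint of the DER certificate, as shown in the AD FS / Windows certificate UI."""
    return hashlib.sha1(base64.b64decode(b64_cert)).hexdigest().upper()

def idp_certs_from_metadata(xml_text: str) -> dict:
    """Map each IdP KeyDescriptor 'use' to the thumbprint of the certificate published for it."""
    root = ET.fromstring(xml_text)
    out = {}
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS).text.strip()
        out[kd.get("use", "both")] = thumbprint(cert)   # no 'use' means signing and encryption
    return out

def response_signer_thumbprint(xml_text: str) -> str:
    """Thumbprint of the certificate carried in the Response's Signature/KeyInfo."""
    root = ET.fromstring(xml_text)
    return thumbprint(root.find(".//ds:Signature//ds:X509Certificate", NS).text.strip())

def check_uploaded_cert(uploaded_der: bytes, metadata_xml: str, response_xml: str) -> str:
    """Say whether the certificate configured at the SP is the one that signed the response."""
    uploaded = thumbprint(b64(uploaded_der))
    signer = response_signer_thumbprint(response_xml)
    published = idp_certs_from_metadata(metadata_xml)
    if uploaded == signer:
        return "ok: SP holds the token-signing certificate"
    for use, tp in published.items():
        if tp == uploaded:
            return f"mismatch: SP holds the '{use}' certificate, signer thumbprint is {signer}"
    return f"unknown: SP certificate {uploaded} is not published in the IdP metadata at all"
```

Run against a real capture by replacing the constructed strings with the Fiddler-logged Response and the metadata downloaded from the AD FS FederationMetadata endpoint.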

Similar Messages

  • Where is SAML Relying Party configuration stored?

    We are successfully configuring SSO using SAML 1.1 using either the console or WLST scripts. We have 3 different Relying Parties and everything works great. However, after restarts, our Relying Parties are gone! I assume that WLST and console both are updating the Mbean behind the scenes, but where does the SAML Relying Party configuration get persisted since we are not using the RDBMS store. Internal LDAP? An XML file? I can't find it documented anywhere.

    The StationGlobals.ini file is in your TestStand Config directory, which is found at <TestStand Application Data>\Cfg.
    On Windows 7, this is C:\ProgramData\National Instruments\TestStand 4.2\Cfg. I don't remember off-hand what the exact path is on versions of Windows earlier than Vista... Somewhere under C:\Documents and Settings\<Username>\. You can just search for StationGlobals.ini if you need to.

  • ADFS 3.0 WAP and Non-Claims-Aware Relying Party Trusts

    I am attempting to migrate a Windows Claims SharePoint page to ADFS 3.0 (Windows Server 2012 R2) and the WAP (Web Application Proxy) from UAG, but am running into problems when our external users attempt to authenticate. Users from our external domain (call it Domain2.com) have been accessing our SharePoint pages via SAML tokens, but when I attempted to move them to the new WAP and off of UAG, they get an http/500 error. The WAP error log gives the following:
    Warning Event ID 13016 - Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because there is no UPN in the edge token or in the access cookie
    Error Event ID 12027 - Web Application Proxy encountered an unexpected error while processing the request. Error: The specified username is invalid. (0x8007089a).
    I presume the Error Event ID 12027 is because there is no UPN in the token and we are using KCD/Kerberos, so I need to pass a UPN.
    The ADFS server and WAP are joined to Domain1.com. Domain1.com is Active Directory and there is an account for every user in Domain2.com that is allowed access to our SharePoint sites. These accounts contain the standard info... UPN, Email Address, sAMAccountName, etc. The UPN, Email, and sAMAccountName do not always match the Domain2.com accounts; however, we have been using an Active Directory field labelled employeeNumber that is synchronized on both domains and we have been using a custom lookup based on the employeeNumber in AD.
    When logins occur via Domain1.com, no problem, the UPN is pulled from the Active Directory Claim Provider Trust. When a user attempts to access from Domain2.com, we have configured ADFS to forward them to an STS that collects the employeeNumber from Domain2.com via a Web Auth SAML token. We are able to use the SAML token if we use the standard Claims-Aware Relying Party Trust (CARPT) and convert our SharePoint sites to use the trusted URN via PowerShell scripts, but we are trying to retain functionality similar to how we are using UAG, so we don't want to change every single SharePoint site to the SAML configuration; hence we are trying to use the Non-Claims-Aware Relying Party Trust (NCARPT).
    Problem 1: When we are using CARPT we can configure the custom translation for our employeeNumber lookup in AD. But CARPT uses SAML tokens, not Kerberos tokens, so we cannot log in when SharePoint is configured for Kerberos.
    Problem 2: When we are using NCARPT it works great when authenticating via local (Domain1.com) credentials and looks up the user in AD, but when we attempt to authenticate with remote (Domain2.com) credentials we are unable to configure the employeeNumber lookup and ADFS doesn't just go out and make that correlation on its own.
    Question 1: Can I configure CARPT to use Kerberos?
    Question 2: If not, can I configure NCARPT to look up the AD employeeNumber, match the UPN, and add the UPN to the token?
    Question 3: If neither option is available, am I just stuck with UAG or is there something out there (not scheduled for EOL) that can handle the translation between SAML and Kerberos tokens?
    Let me know if I left something out, I tend to ramble, but not sure of all the info that is needed...

    Hi,
    Based on the description, is there trust between domain 1 and domain 2? If not, we can try to create trust between these two domains to see if it helps.
    Regarding Event ID 13016 and Event ID 12027, the following article can be referred to for more information.
    Web Application Proxy Troubleshooting
    https://technet.microsoft.com/en-us/library/dn770156.aspx
    Besides, for ADFS questions, in order to get more and better help, it's recommended that we ask for suggestions in the following forum.
    Claim based access platform (CBA), code-named Geneva
    https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Best regards,
    Frank Shen
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Cannot log in to OBIEE relying party trust

    Hello everyone!
    I have deployed an environment in two locations.
    The first one contains:
    2 x Domain Controllers (let's name them DC1 and DC2) - both are connected through VPN to the 3rd domain controller (DC3) in the second location
    5 x ADFS Servers connected to the load balancer - there is no connection between the ADFS servers and the 3rd domain controller (DC3) in the second location
    The second contains:
    1 x Domain Controller (DC3)
    2 x Clustered OBIEE servers connected to DC3's AD LDAP. These servers are also connected to the LB and are accessible from the internet
    When I had a test environment containing the OBIEE servers in the first location everything was OK. I could log into the OBIEE WebLogic servers through SSO (ADFS). 
    Now there is a problem. I can't log in to OBIEE because I am getting a 403 - Forbidden on the OBIEE site.
    In the ADFS logs I am getting the following error every time I try to connect to OBIEE:
    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '2' seconds.
    I read many articles on Oracle support and Microsoft sites which pointed to:
    differences between network time servers - I synchronized the time between all servers.
    permissions for users and groups who can access OBIEE - I did it
    The main question is: is it possible the problem persists because my DC3 is not connected to the ADFS servers?

    If your AD site topology is correctly configured, with the appropriate subnets bound to that site, then it should use the DCs in Location 1... also, when you say there is no connectivity between ADFS in Location 1 and DC#3 in Location 2, is that a firewall rule prohibiting that? Presumably, DC#1 and DC#2 are able to replicate across the VPN to DC#3? Just curious why AD FS is unable to "reach" DC#3? btw... If you turn on trace logging in AD FS do you see the expected claims being surfaced for the relying party?
    http://blog.auth360.net

  • ACS50001: Relying party with identifier was not found.

    Hi,
    I set up Azure ACS that uses ADFS for single sign on based on the article from Ben Morris below.
    http://www.ben-morris.com/set-up-a-federated-identity-provider-on-azure-using-active-directory-and-adfs-2-0/
    When I try to run my MVC application, it gives the following error. Any help will be highly appreciated.
    An error occurred while processing your request.
    HTTP Error Code:  400 
    Message:  ACS20000: An error occurred while processing a WS-Federation sign-in request. 
    Inner Message:  ACS50001: Relying party with identifier 'https://tftestacs.accesscontrol.windows.net/' was not found. 
    Regards,
    Vinod.

    Greetings, Vinod!
    Here's an article which talks about creating a MVC application using ACS on Azure AD:
    http://azure.microsoft.com/en-in/documentation/articles/active-directory-dotnet-how-to-use-access-control/
    For reference on error codes, please follow:
    https://msdn.microsoft.com/en-us/library/azure/gg185949.aspx
    Thank you,
    Arvind

  • Party Configuration

    Hi
    My scenario: SAP ECC -> SAP PI -> Web Service -> B2B Gateway
    In SAP ECC WE20 the partner is created as V02 (same as the B2B trading partner name) of type "SP". When the IDOC reaches PI it fails, showing the error in moni as "Party and Service not defined".
    I have read this blog /people/shabarish.vijayakumar/blog/2006/09/13/wanna-party and configured party and business service for the receiver and business service for ECC sender. But reprocessing the IDOC from we19 in ECC the message again fails in moni with the same error.
    In the party configuration, I gave the following values:
    Agency: SAP
    Scheme: ALE#SP
    Name: V02
    I doubt that my agency value is right. Can it be any arbitrary value or should it be related to the ECC system/client name? Please help.

    Hi
    To give further information
    Scenario: SAP ECC-> SAP PI -> Web Service -> B2B Gateway -> Trading Partner V02
    The IDOC control record looks like this
    <EDI_DC40 SEGMENT="1">
      <SNDPOR>SAPVDO</SNDPOR>
      <SNDPRT>SP</SNDPRT>
      <SNDPRN>MTD</SNDPRN>
      <RCVPOR>A000000003</RCVPOR>
      <RCVPRT>SP</RCVPRT>
      <RCVPRN>V02</RCVPRN>
    </EDI_DC40>
    Now I have configured a party named TP_V02. Created a business component called TP_V02_B2B in it. Then in the party configuration added Agency=TP_V02_B2B, Scheme=ALE#SP and Name=V02. This is for the receiver system.
    For sender I created a business component without party and called it SAPVDO and added adapter specific identifiers where logical system I have given as SAPVDO.
    I am still getting the error in moni as Party and Service not defined.

  • How to config Rules between Service Identity and Relying Party Application in Azure ACS?

    I am going to implement an Authorization Server that talks to the ACS OAuth2 endpoint with Java, following this article.
    First, I created a Service Identity using the ACS Management Service by OData protocol, and then add a password credential in ACS Management Portal.
    Id: "22194691",
    Name: "oauth2-client-sample",
    Description: "Test",
    RedirectAddress: "http://localhost:8080",
    SystemReserved: false
    Second, I created a relying party application in ACS Management Portal with no Identity Providers, assume that its ID is 22194640 and its Realm is "https://oauth2-res-sample.herokuapp.com/".
    Third, I created a Delegation by ACS Management Service and got an Authorization Code(for example, XkbSXdM0d0v8wQ835hvKUg==) from ACS,
    POST /v2/mgmt/service/Delegations
    Authorization: Bearer XXXX(SWT from ACS)
    Content-Type: application/json
    {"ServiceIdentityId": "22194691", "RelyingPartyId": "22194640",
    "NameIdentifier": "[email protected]", "IdentityProvider": "WAAD"}
    At last, I posted the authorization code and service identity to ACS to request an Access Token,
    POST v2/OAuth2-13
    Content-Type: application/x-www-form-urlencoded
    grant_type=authorization_code&client_id=oauth2-client-sample
    &client_secret=xxxxxxxx&code=XkbSXdM0d0v8wQ835hvKUg%3D%3D
    &redirect_uri=http%3A%2F%2Flocalhost%3A8080
    &scope=https%3A%2F%2Foauth2-res-sample.herokuapp.com%2F
    But I got the following error from ACS,
    error: "invalid_request" error_description: "ACS50000: There was an error issuing a token. ACS60000: An error occurred while processing rules for relying party 'https://oauth2-res-sample.herokuapp.com/'
    using the service identity or identity provider named 'oauth2-client-sample'. ACS60000: Policy engine execution error. Trace ID: e8a1fa8c-19d8-4271-8095-80938ea45e69 Correlation ID: 82a0e83e-202f-4957-8871-cdcdf927b512 Timestamp: 2015-02-23 02:21:34Z"
    This is the Rule Group for the relying party application, pass through all the first claims to output. But I don't know what's wrong.

    Hello Cary!
    Request your confirmation if you could resolve the problem stated above? If no, please let us know at the earliest and we'll be glad to help. If yes, please share your valuable inputs for community's reference.
    Thank you,
    Arvind

  • Third party configuration

    Hello Friends,
    I am in a production support project and handle many data load and data monitoring activities daily. In the project the data comes from many systems like R/3, flat files and legacy systems.
    I still have not understood the data flow from the legacy system: how the transfer rule has been activated for it, or how the BAPI works while extracting the data from the 3rd party.
    I would like to know:
    What are the steps to configure third party (BAPI) tools?
    How is the data extracted from the third party?
    I am extracting the data from an Informatica system.
    Thanks, it would be a great help for me.
    Regards,
    Jain

    Hi,
    Can anyone please send me documents on this topic?
    1.     Third party configuration
    2.     Data extraction from third party rule
    3.     Bapi role in data extraction.
    It would be great help for me.
    Mail id -
    [email protected]
    Regards,
    Jain

  • Setting time in  adf-faces-config.xml configuration file

    Hello check this link
    http://jdevadf.oracle.com/adf-richclient-demo/docs/tagdoc/af_convertDateTime.html
    this specifies "Timezone can be set per web-app in adf-faces-config.xml configuration file. If timeZone is not set on the converter, then timezone will be defaulted to the value set in adf-faces-config.xml configuration file. If it is not set in the configuration file, then it will be defaulted to GMT."
    How do I set the timezone in the adf-faces-config.xml configuration file? Please specify.
    Regards
    Mayur Mitkari

    Where in adf-faces-config.xml can I add this line, and how?

    This might help: http://docs.oracle.com/cd/E24382_01/web.1112/e16181/af_global.htm#BJECDDDE

  • SAML Credential Mapper Relying Party "Post Form"

    Hi,
    Has anybody used a Custom Post Form for the SAML Credential Mapper Relying Party?
    If so, can you please tell me the specs. It is SAML V2.
    I am trying like this in an HTML page:
    <!-- hidden fields posted to the SAML ITS servlet; the original had a trailing space in the TARGET name -->
    <input type="hidden" name="TARGET" value="ddddd" />
    <input type="hidden" name="SAML_AssertionConsumerURL" value="ddddddd" />
    <input type="hidden" name="SAML_AssertionConsumerParams" value="homogenousMap" />
    <input type="hidden" name="SAML_ITSRequestParams" value="" />
    But every time it gives an Internal Server Error in the logs:
    ####<Oct 13, 2008 2:16:19 PM PDT> <Debug> <SecuritySAMLService> <pd7000163> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1223932579244> <BEA-000000> <SAMLServlet (samlits): doGet(): Unexpected throwable while handling request, returning INTERNAL_SERVER_ERROR: java.lang.NullPointerException>
    I am also not finding any details about the samlits servlet.
    WebLogic front line support also does not know. No WebLogic documentation on the actual implementation.
    Thanks
    Vishnu

    Vishnu, you should also try cross-posting in the WLS-Security forum.
    WebLogic Server - Security

  • B2B Add on - Party configuration using B2B - AS2 Adapter

    Can anyone help me to configure a Party using the B2B AS2 Adapter?
    I tried configuring the channel using Party, passing the Sender ID. I am getting this error:
    Cannot get channel binding: com.sap.aii.af.service.cpa.CPAObjectNotFoundException: Couldn't retrieve binding for the given channelId: Binding:CID=67140c68525433f4a8468af588477d5e;

    Hi Mithali,
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/cdded790-0201-0010-6db8-beb9bb2b2660?QuickLink=index&…
    Under Sender Agency; put <your Business Service / System / Comm. Comp name>; example XID_112 or whatever
    Under Sender Schema; put ALE#KU; if your Partner type of Sender is KU in WE20
    This combination will derive the sender Party.
    Similarly you can put the receiver boxes if you want to de-normalise and derive the receive party name.
    Let me know if it helps; else can help you more!!
    Thanks
    Saurabh

  • Using two User Stores for one relying party trust

    Hi all,
    We got a request to implement a trust with an external party. 
    Internal users should be able to make use of that application. But also external users, whose accounts are stored in a different user store (the question has been asked whether it's a SQL or LDAP kind of store).
    Is it possible to have an SSO effect for both internal and external users? 
    Somehow ADFS has to know if the user is internal or external. I can imagine an internal user in the office will get a nice SSO feeling. From what I think this is not possible for external users. External users should still authenticate once on our STS (ADFS). Let's say this is true; is it possible for ADFS to see if a user is external, and then use the User Store that belongs to that external user?
    You also must keep in mind that an internal user could also be in an internet cafe, so SSO is not possible. This time too the user should authenticate to the STS. But this time it has to use Active Directory as the User Store.
    I know internal users have a username in a different format than external users. 
    Is it possible for ADFS to know which User Store to pick based on the format of the username?
    Thanks in advance for the reaction.

    Hi,
    Thank you for your posting!
    Since Active Directory Federation Service is not an extension of Active Directory schema, I suggest you refer to the following forum to get professional support:
    Claims based access platform (CBA), code-named Geneva Forum
    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Thank you for your understanding and support.
    Best Regards,
    Amy Wang

  • XI : Party configuration

    Hi all,
    I am configuring a scenario using IDOCs. I'm using program RSEINB00 to read my flat file and transfer it to the proper scenario. It works fine. The problem I have is that I am receiving other IDOCs with different partner numbers with the same scheme and I can't add them to my party because the scheme is the same.
    Example A: 1 IDOC
    Agency    Scheme       Name
    TEST1     ALE#LI#LF    123    <--- works fine
    Example B: 2 IDOCs
    Agency    Scheme       Name
    TEST1     ALE#LI#LF    123
    TEST1     ALE#LI#LF    456    <--- can't add to party TEST1
    Do I need to create a new party so I can process a different partner using the same scheme for the same scenario? Is there a way to make it generic (not specify the partner) so every time it sees ALE#LI#LF it sends it to my scenario?
    I forgot to mention I'm on XI 3.0 patch 14.
    Thanks

    Hi,
    Please check this blog if helpful
    Outbound Idoc's - Work around using "Party"?
    Thanks!

  • EDI X12 Party configuration

    Hi
    I receive an error while processing a file with the ISA11 field as ^ and *T*>~GS* (>) before GS.
    Please let me know what configuration I should do to avoid this.
    In the party I have already configured these values but the error still occurs.
    Error: 2 (Field level error)
    SegmentID: ISA
    Position in TS: 1
    Data Element ID: ISA11
    Position in Segment: 11
    Data Value: ^
    7: Invalid code value.
     The sequence number of the suspended message is 1. 

    Then there's a mismatch between the Agreement and what the Trading Partner is sending.
    Are you sure you set the correct Agreement to interpret ISA11 as the Repetition Character and not the Standards Identifier?
    This setting is on the Envelopes section of the Them->You tab of the agreement.
    Also, you should disable the Fallback Settings in case the problem is actually Agreement resolution.
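To make the agreement mismatch concrete, here is an added example (not code from the thread or from BizTalk) that parses a constructed ISA header with ISA11 = ^ and ISA16 = > and validates ISA11 under both readings an agreement can apply: Standards Identifier (004010, only U is valid) or Repetition Separator (005010 onward, where ^ is customary).

```python
"""Added example, not code from the thread or from BizTalk: parse an X12 ISA
interchange header and validate ISA11 under both readings a BizTalk agreement
can apply. Under the 004010 envelope ISA11 is the Interchange Control Standards
Identifier, whose only valid code is 'U'; from 005010 on it is the Repetition
Separator, where '^' is the customary value. The sample interchange below is
constructed, not the poster's file; its ISA11 is '^' and ISA16 is '>' as in the
thread.
"""
from typing import Optional

# Fixed widths of ISA01..ISA16; with 16 element separators and the segment
# terminator the ISA header is always 106 bytes.
ISA_WIDTHS = [2, 10, 2, 10, 2, 15, 2, 15, 6, 4, 1, 5, 9, 1, 1, 1]
ISA_LENGTH = 106

# Constructed 5010-style interchange: ISA11 '^', ISA15 'T' (test), ISA16 '>'.
SAMPLE_ISA = "*".join([
    "ISA", "00", " " * 10, "00", " " * 10,
    "ZZ", "SENDERID".ljust(15), "ZZ", "RECEIVERID".ljust(15),
    "150223", "1130", "^", "00501", "000000001", "0", "T", ">",
]) + "~"

def parse_isa(data: str) -> dict:
    """Return ISA01..ISA16 keyed by element id, plus the delimiters found in the header."""
    if len(data) < ISA_LENGTH or not data.startswith("ISA"):
        raise ValueError("interchange does not start with a 106-byte ISA segment")
    elem_sep = data[3]                      # element separator follows the segment id
    seg_term = data[ISA_LENGTH - 1]         # segment terminator is the last byte of ISA
    parts = data[:ISA_LENGTH - 1].split(elem_sep)
    if len(parts) != 17:
        raise ValueError("ISA does not contain 16 elements")
    elements = {}
    for i, (value, width) in enumerate(zip(parts[1:], ISA_WIDTHS), start=1):
        if len(value) != width:
            raise ValueError(f"ISA{i:02d} must be {width} chars, got {len(value)}")
        elements[f"ISA{i:02d}"] = value
    elements["_elem_sep"] = elem_sep
    elements["_seg_term"] = seg_term
    return elements

def validate_isa11(elements: dict, isa11_role: str) -> Optional[dict]:
    """Check ISA11 under the agreement's interpretation ('standards_identifier' or
    'repetition_separator'). None when valid, else a field-level error shaped like
    the suspended-message report in the thread."""
    value = elements["ISA11"]
    if isa11_role == "standards_identifier":
        ok = value == "U"
    elif isa11_role == "repetition_separator":
        # Any single char that does not collide with the other delimiters or blank.
        ok = value not in (elements["_elem_sep"], elements["ISA16"], elements["_seg_term"], " ")
    else:
        raise ValueError(f"unknown ISA11 role {isa11_role!r}")
    if ok:
        return None
    return {"Error": "2 (Field level error)", "SegmentID": "ISA", "Position in TS": 1,
            "Data Element ID": "ISA11", "Position in Segment": 11,
            "Data Value": value, "Code": "7: Invalid code value"}

def recommended_isa11_role(elements: dict) -> str:
    """Pick the ISA11 reading from the interchange control version in ISA12."""
    return "repetition_separator" if elements["ISA12"] >= "00501" else "standards_identifier"
```

Feeding the poster's interchange through validate_isa11 with "standards_identifier" reproduces the field-level error in the thread, while "repetition_separator" accepts it.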

  • Incident Search helps relations between Sold-to Party & Configuration Item

    Hi experts,
    Can someone help me to know what is the best approach for the following scenario:
    When I select the Sold-to Party, e.g. (BP 70), and then try to use the search help for "Configuration item", it should filter only for my BP, but this is NOT happening. The result shown contains all items of all BPs.
    How can I modify the BOL Object "Product" search help, or do I have to create a "Z" version?
    Is this the correct approach?
    Thanks & Kind Regards,
    César Felce

    Hi,
    You can create a Z class that implements the interface IF_BSP_WD_CUSTOM_F4_CALLBACK.
    In the GET_V method of the configuration item attribute put the logic below.
    DATA: ls_map    TYPE if_bsp_wd_valuehelp=>gtype_param_mapping,
          lt_inmap  TYPE if_bsp_wd_valuehelp=>gtype_param_mapping_tab,
          lt_outmap TYPE if_bsp_wd_valuehelp=>gtype_param_mapping_tab.

    " Map the search help field BP_ID to the context attribute holding the sold-to party
    ls_map-f4_attr      = 'BP_ID'.
    ls_map-context_attr = '<bp_context_attribute>'.   " placeholder: your context attribute with the BP value
    APPEND ls_map TO lt_inmap.
    APPEND ls_map TO lt_outmap.

    CREATE OBJECT rv_valuehelp_descriptor
      TYPE cl_bsp_wd_valuehelp_f4descr
      EXPORTING
        iv_help_id        = '(zclass)'      " name of your Z class in parentheses
        iv_help_id_kind   = if_bsp_wd_valuehelp_f4descr=>help_id_kind_comp
        iv_input_mapping  = lt_inmap
        iv_output_mapping = lt_outmap
        iv_trigger_submit = abap_true.
    Now in the method if_bsp_wd_custom_f4_callback~retrieve_custom_values of your Z class put this logic:
    FIELD-SYMBOLS: <fs_selopt> LIKE LINE OF is_search_help-selopt.
    DATA: lv_bpid TYPE string.

    " Pick up the sold-to party passed in through the BP_ID input mapping
    CHECK is_search_help IS NOT INITIAL AND is_search_help-selopt IS NOT INITIAL.
    LOOP AT is_search_help-selopt ASSIGNING <fs_selopt>.
      CHECK <fs_selopt>-shlpfield = 'BP_ID'.
      lv_bpid = <fs_selopt>-low.
    ENDLOOP.
    Now you have your sold-to party ID in lv_bpid.
    Now write the logic to fetch the configuration items based on the sold-to party ID and fill ct_results_tab, which will be your search help output.
    Thanks,
    Tejaswini P.
