WSO2: IS and APIM SAML SSO Error - Error when processing authentication request - wso2-api-manager

I have set up WSO2 IS (5.6.0) and APIM (2.5.0) recently.
I have then tried to integrate the two so that IS can be used as the IDP and APIM can be logged into using SSO.
I made the changes according to this link:
(https://docs.wso2.com/display/AM250/Configuring+Identity+Server+as+IDP+for+SSO)
Things look fine: when I access the https://apim.com/publisher URL to log in, I get the IS login page.
Then I enter username and password; it authenticates as well, but then I get the below error in the browser:
Error when processing authentication request! Please try again.
Below are the logs from the backend:
DEBUG {org.wso2.carbon.identity.sso.saml.validators.SSOAuthnRequestAbstractValidator} - Thread local tenant domain is set to: carbon.super
[2019-02-17 01:12:56,196] DEBUG {org.wso2.carbon.identity.sso.saml.validators.SPInitSSOAuthnRequestValidator} - Authentication Request Validation is successful..
[2019-02-17 01:12:56,803] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Query string : null
[2019-02-17 01:12:56,804] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - No SaaS SAML service providers found for the issuer : API_PUBLISHER. Checking for SAML service providers registered in tenant domain : carbon.super
[2019-02-17 01:12:56,825] ERROR {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Error when processing the authentication request!
org.wso2.carbon.identity.base.IdentityException: Error while reading service provider configurations for issuer : API_PUBLISHER in tenant domain : carbon.super
Can someone please check and let me know what I am doing wrong?
Thanks

It seems like you haven't enabled IdP-initiated SSO in the Service Provider configuration on the WSO2 IS side. Find the attached service provider configuration screenshot below.
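As an added troubleshooting aid (this is not part of the question or the answer above, and not WSO2 code): the log says IS could not find a SAML service provider registered for issuer API_PUBLISHER, so one thing worth confirming is that the Issuer the publisher actually sends is exactly the issuer name the service provider was registered with in IS. The Python below decodes a SAMLRequest parameter as carried on the HTTP-Redirect binding (base64 of raw DEFLATE) or the HTTP-POST binding (plain base64), pulls out the Issuer, and compares it with a list of registered issuers. The sample AuthnRequest, its Destination and AssertionConsumerServiceURL values, and the registered-issuer list are constructed for the example.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest; the Issuer value mirrors the one in the log above.
# Destination and AssertionConsumerServiceURL are made-up values for the example.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAML2P}" xmlns:saml="{SAML2}" '
    'ID="_constructed0001" Version="2.0" IssueInstant="2019-02-17T01:12:55Z" '
    'Destination="https://is.example:9443/samlsso" '
    'AssertionConsumerServiceURL="https://apim.com/publisher/acs">'
    "<saml:Issuer>API_PUBLISHER</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_redirect_binding(xml_text: str) -> str:
    """Encode a request the way the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    compressor = zlib.compressobj(wbits=-15)  # -15 = raw DEFLATE, no zlib header/trailer
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def encode_post_binding(xml_text: str) -> str:
    """HTTP-POST binding: base64 of the XML itself, no compression."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_request(param: str, binding: str) -> str:
    """Decode a SAMLRequest parameter; the caller knows the binding (query string vs form POST)."""
    raw = base64.b64decode(param)
    if binding == "redirect":
        return zlib.decompress(raw, wbits=-15).decode("utf-8")
    if binding == "post":
        return raw.decode("utf-8")
    raise ValueError(f"unknown binding: {binding}")


def extract_issuer(xml_text: str) -> str:
    """Return the text of the top-level <saml:Issuer>; raise if it is missing or empty."""
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML2}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no <saml:Issuer>")
    return issuer.text.strip()


def issuer_is_registered(xml_text: str, registered_issuers) -> bool:
    """Compare the literal Issuer string with the registered names (assumption: the lookup is exact,
    so a difference in case or in an embedded space would explain the 'error while reading service
    provider configurations' in the log)."""
    return extract_issuer(xml_text) in set(registered_issuers)


if __name__ == "__main__":
    param = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    xml_text = decode_saml_request(param, "redirect")
    print("Issuer in request:", extract_issuer(xml_text))
    # Constructed list of issuer names registered as SAML service providers in IS.
    print("Registered:", issuer_is_registered(xml_text, ["API_PUBLISHER", "API_STORE"]))
```

Paste the SAMLRequest value from the browser's address bar (URL-decoded) into decode_saml_request to see what the publisher really sends. The stdlib XML parser is fine for a string you copied out of your own logs; for SAML messages from untrusted parties use defusedxml or an equivalent hardened parser.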

Related

OneLogin OIDC - Spring Security Integration Failure

I was following the sample provided in the OneLogin Developer Portal - https://developers.onelogin.com/quickstart/authentication/java-spring. I did everything described in the article. On running the application, authentication happens; I am taken to the OneLogin page and I enter the credentials. But on redirection, I get the following error.
"http://localhost:8081/login" is the redirect URL configured in the admin portal, and it is the default URL which is being passed in the first request.
https://kore-wireless-dev.onelogin.com/oidc/2/auth?client_id=<?>&redirect_uri=http://localhost:8081/login&response_type=code&scope=openid profile email&state=UY6Tam
In the sample code, the endpoint is not implemented. But I don't think the application developer needs to implement that endpoint.
I tried GitHub SSO, where we can specify different redirect URLs in the app configuration (spring-security-url) and the GitHub SSO configuration (app-url). After authentication GitHub redirects to spring-security-url, and that endpoint then redirects to app-url.
Is Spring Security OAuth2 not compatible with OneLogin? Or what am I missing here?
I have recently faced the same issue. In my case, we had to modify the Authentication Method of the Token Endpoint in the OneLogin OIDC application. When it was set to Basic, it was throwing the Unauthorised error. Probably, the sample application invokes the OIDC token endpoint with the credentials (clientID and clientSecret) in the request payload (POST auth method) rather than in the request header (Basic authentication method). Sharing the screenshot of the same here.
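An added example to make the mismatch in the answer concrete (not code from the post, from OneLogin or from Spring Security): the same authorization-code token request is built twice, once with the client secret in an Authorization: Basic header (client_secret_basic) and once with client_id/client_secret as form fields (client_secret_post), and sent to a mock token endpoint that, like the OneLogin setting described above, accepts exactly one of the two. The client credentials, the authorization code and the token endpoint URL are constructed placeholders.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed credentials and endpoint for the example; not real OneLogin values.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
TOKEN_ENDPOINT = "https://example.onelogin.com/oidc/2/token"


def build_token_request(auth_method: str, code: str, redirect_uri: str) -> dict:
    """Build an authorization_code token request with the client secret placed per auth_method.

    client_secret_basic: urlencoded id:secret in an Authorization: Basic header (RFC 6749 2.3.1).
    client_secret_post:  client_id and client_secret as fields of the form body.
    """
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_basic":
        pair = f"{quote(CLIENT_ID, safe='')}:{quote(CLIENT_SECRET, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")
    elif auth_method == "client_secret_post":
        form["client_id"] = CLIENT_ID
        form["client_secret"] = CLIENT_SECRET
    else:
        raise ValueError(f"unsupported auth method: {auth_method}")
    return {"url": TOKEN_ENDPOINT, "headers": headers, "body": urlencode(form)}


def mock_token_endpoint(request: dict, accepted_method: str) -> int:
    """Model of a token endpoint configured for exactly one client auth method; returns an HTTP status."""
    body = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    authz = request["headers"].get("Authorization", "")
    if accepted_method == "client_secret_basic":
        if not authz.startswith("Basic "):
            return 401  # secret arrived in the body, but this endpoint only looks at the header
        try:
            decoded = base64.b64decode(authz[len("Basic "):]).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return 401
        client_id, _, secret = decoded.partition(":")
        client_id, secret = unquote(client_id), unquote(secret)
    elif accepted_method == "client_secret_post":
        if "client_secret" not in body:
            return 401  # secret arrived in the header, but this endpoint only looks at the form
        client_id, secret = body.get("client_id", ""), body["client_secret"]
    else:
        raise ValueError(f"unsupported auth method: {accepted_method}")
    # Constant-time comparison so even the mock does not leak the secret through timing.
    if client_id != CLIENT_ID or not hmac.compare_digest(secret, CLIENT_SECRET):
        return 401
    return 200


if __name__ == "__main__":
    for client_method in ("client_secret_basic", "client_secret_post"):
        req = build_token_request(client_method, "constructed-code", "http://localhost:8081/login")
        for server_method in ("client_secret_basic", "client_secret_post"):
            print(f"client {client_method:20s} -> server {server_method:20s}: "
                  f"{mock_token_endpoint(req, server_method)}")
```

The two sides have to agree: either switch the OneLogin token endpoint setting to the method the client uses, as the answer did, or set the client's method to match (in Spring Security 5 that is the registration's client-authentication-method property).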

ADFS error after 10 min in login page: Encountered error during federation passive request

I am using the PingFederate HTML Form Adapter and ADFS for a simple login page and user authentication. If the user keeps the login page open/idle for 10 or more minutes and then enters credentials and clicks login, I get the below exception. If the login is before 10 minutes, it works fine. Is there a timeout in ADFS that I can increase?
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.CookieManagers.InvalidContextException: MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request.
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetOriginalRequestFromResponse(ProtocolContext context, Boolean deleteCookie)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
I have seen this issue before. Some things to try:
Verify that the federation service is operating within its operating capacity.
Verify that it is not experiencing network outages.
Check that the IIS supports federation.
You can check this with:
setspn -L <hostname>
This lists current SPNs.
If it is not there, set the SPN
setspn -a http/adfs <machine name> <service account name>
If there is an issue you can re-run the ADFS Proxy wizard and recreate the IIS sites.
Check that the ADFS app pool is running.
Check the troubleshooting guides:
https://social.technet.microsoft.com/wiki/contents/articles/19057.ad-fs-2-x-troubleshooting-proxy-server-event-id-230-congestion-avoidance-algorithm.aspx
https://www.experts-exchange.com/questions/28657729/ADFS-Error-364-Encountered-error-during-federation-passive-request.html

Generate user Oauth2 token from Store, Google Federated Authenticator - WSO2 AM 2.0.0

In API Manager 2.0.0 I have configured a federated authenticator for OAuth2, set it up with Google authentication, and configured a service provider for an application to use this federated authenticator. Then I followed the tutorial [1] in order to use this application with Google authentication.
When I try to generate the keys from the Store portal using the Code or Implicit grant types, the server gives me the following error:
Error occurred while calling token endpoint: HTTP error code : 400
and the log shows:
{"error_description":"Provided Authorization Grant is invalid","error":"invalid_grant"}
Can anyone help me with this problem? How can I configure a federated authenticator to consume the APIs/Applications?
Thanks.
Here you can see the debug log of APIM.
[1] http://xacmlinfo.org/2015/04/28/federated-authentication-for-granting-oauth2-access-token-with-wso2-api-manager-apim/
Probably your Service Provider doesn't allow the Implicit and Code grants by default.
To change this, log into the Carbon console and go to Service Providers -> List. Choose your SP and then click Edit.
On the edit page, go to Inbound Authentication Configuration -> OAuth/OpenID Connect Configuration. Your application key and secret should be listed here, the ones that you generated on the Store.
Click Edit; this will show all the OAuth grants available. Probably Code and Implicit are unchecked. Check them and click Update; you should be able to generate tokens using both grants now.

Kentor HTTPModule- ADFS Login SAMLResponse ERROR

In our ASP.NET project, I am using Kentor.AuthServices.HttpModule and have configured ADFS.
I have given the SAML Assertion Consumer Binding as "redirect" and the Trusted URL as "ourSiteUrl".
After ADFS login is successful, it redirects to ourSiteURL/AuthServices/Acs?SAMLResponse=... and throws an exception:
Kentor.AuthServices.Exceptions.InvalidSignatureException: Cannot verify signature of message from unknown sender win-3obaenpbsol.dc10.inapp.com/adfs/services/trust.
What could be the reason for this issue?
The reason is that AuthServices does not recognize the Idp with entity id win-3obaenpbsol.dc10.inapp.com/adfs/services/trust.
I also see that you are using the Redirect binding when sending the response to AuthServices, which is not supported. That is a setting you need to change on the ADFS side.
To make configuration easier, please use metadata. AuthServices supports importing ADFS metadata and AuthServices generates metadata that ADFS can consume at ourSiteURL/AuthServices/.
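An added example to go with the answer's two points (register the IdP under its entity ID, ideally from its metadata, and stop delivering the Response on the Redirect binding); this is not AuthServices code or ADFS output. It parses a minimal, constructed IdP EntityDescriptor of the shape ADFS publishes at /FederationMetadata/2007-06/FederationMetadata.xml, collects the entityID, SSO endpoints and signing certificate, and then runs the checks an SP performs on an inbound Response before signature verification. The entityID uses the host from the question with the http:// prefix ADFS puts on its default federation service identifier; the certificate value is a placeholder and the Response is an unsigned skeleton, so nothing here verifies a signature.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed, minimal IdP metadata; the certificate is a placeholder, not a real X.509 blob.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="http://win-3obaenpbsol.dc10.inapp.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2P}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://win-3obaenpbsol.dc10.inapp.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://win-3obaenpbsol.dc10.inapp.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what an SP needs to register an IdP: entityID, SSO endpoints per binding, signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not an md:EntityDescriptor")
    entity_id = root.get("entityID")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if entity_id is None or idp is None:
        raise ValueError("metadata lacks entityID or IDPSSODescriptor")
    signing_certs = [
        (c.text or "").strip()
        for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
        if kd.get("use", "signing") == "signing"  # a KeyDescriptor without 'use' serves both purposes
        for c in kd.iter(f"{{{DS}}}X509Certificate")
    ]
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    return {"entity_id": entity_id, "signing_certs": signing_certs, "sso_endpoints": sso}


def response_issuer(response_xml: str) -> str:
    """Return the Issuer of a samlp:Response, which is the entity ID the SP must already know."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAML2P}}}Response":
        raise ValueError("not a samlp:Response")
    issuer = root.find(f"{{{SAML2}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("Response has no Issuer")
    return issuer.text.strip()


def check_inbound_response(response_xml: str, binding: str, known_idps: dict) -> list:
    """Problems an SP reports before it can even attempt signature verification.

    known_idps maps entityID -> parsed metadata. The two faults mirror the answer above: an Issuer
    that is not a registered IdP (the 'unknown sender' exception), and a Response delivered on the
    Redirect binding, which AuthServices does not accept for responses.
    """
    problems = []
    issuer = response_issuer(response_xml)
    if issuer not in known_idps:
        problems.append(f"cannot verify signature of message from unknown sender {issuer}")
    elif not known_idps[issuer]["signing_certs"]:
        problems.append(f"no signing certificate registered for {issuer}")
    if binding != HTTP_POST:
        problems.append(f"Response received on {binding}; only HTTP-POST is accepted for responses")
    return problems


def sample_response(issuer: str) -> str:
    """Constructed, unsigned Response skeleton; only its Issuer matters for these checks."""
    return (
        f'<samlp:Response xmlns:samlp="{SAML2P}" xmlns:saml="{SAML2}" ID="_constructed_r1" '
        'Version="2.0" IssueInstant="2019-01-01T00:00:00Z" Destination="https://ourSiteUrl/AuthServices/Acs">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:Response>"
    )


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_IDP_METADATA)
    registry = {idp["entity_id"]: idp}
    print("registered IdP:", idp["entity_id"], "bindings:", sorted(idp["sso_endpoints"]))
    print("POST from known IdP:", check_inbound_response(sample_response(idp["entity_id"]), HTTP_POST, registry))
    print("Redirect from unknown IdP:",
          check_inbound_response(sample_response("win-3obaenpbsol.dc10.inapp.com/adfs/services/trust"),
                                 HTTP_REDIRECT, registry))
```

Once the IdP is registered from metadata the remaining step, deliberately not faked here, is verifying the XML signature on the Response against the signing_certs entries for that issuer and rejecting any Response whose Issuer does not match the certificate's owner; registering the IdP by entity ID is what makes that lookup possible.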

WSO2 Identity Server samlsso service url exposed via WSO2 API Manager

I successfully configured WSO2 API Manager 1.8.0 [e.g. https://wso2am.com:9443] and WSO2 Identity Server 5.0.0 SP1 [IS] acting as Key Manager [e.g. https://wso2is.com:9443] in a clustered setup on 2 different servers.
I also configured a Service Provider in the IS using a SAML SSO Inbound Authenticator and tested it with travelocity.com sample app.
The sample app builds the SAML request in the right way, but https://wso2am.com:9443/samlsso?SAMLRequest=[base64stuff] returns an HTTP Status 405 - HTTP method GET is not supported by this URL.
Changing the URL to https://wso2is.com:9443/samlsso?SAMLRequest=[base64stuff] leads to successful authentication.
Basically I want to be redirected to the wso2am login page and not the wso2is login page.
That way, I could deploy only WSO2AM in the DMZ, leaving WSO2IS in the internal network.
How can I do this?
Thanks
In this scenario I think your authentication request must be directed to the IS server, not APIM. The IS server is the one that does the authentication; hence it acts as the IDP. APIM is just a service provider (SP). Even if you succeeded (though it's not the correct behaviour) in sending a SAML request to the https://wso2am.com:9443/samlsso endpoint, it would redirect you to the login page in the IS server. So you have to send the SAML request to the https://wso2is.com:9443/samlsso endpoint for successful authentication and the correct behaviour.
