I tried to reset the admin password for WSO2 Identity Server and API Manager, following the instructions for API Manager and Identity Server,
but now the old applications are not being listed, and the WSO2 Carbon logs for Identity Server show "Illegal access attempt at from IP address while trying to authenticate access to service APIKeyValidationService". Any advice on how to debug the issue?
I have hosted instances of WSO2 API Manager as well as WSO2 Analytics in the same parent directory. WSO2 API Manager is working great, but I cannot access even the login screen of WSO2 Analytics after the configuration. When I inspected the network tab of the browser, I can see the error "Exception occurred :java.security.cert.CertificateException: No subject alternative names matching IP address 10.12.2.5 found executing GET https://10.12.2.5:9443/api/am/admin/v1/custom-urls/carbon.super". I am using version 3.2.0 for both APIM and Analytics. I have configured both of them to point to the same APIM DB. Also, I have set ssoEnabled to true in the auth.configs section of the deployment.yaml file. How can this error be resolved?
The above error may have occurred due to the hostname verification process [1] of the dashboard server when connecting to the Publisher profile of the APIM server.
As a temporary solution, you can set hostnameVerificationEnabled to false in the <WSO2_API-M_ANALYTICS_HOME>/conf/dashboard/deployment.yaml file of the dashboard profile, which skips the hostname verification process.
(But skipping the hostname verification is not recommended in the prod environment, and hence you have to configure the hostnames of the deployment according to your Common Name (CN) / Subject Alternative Name (SAN).)
[1] https://lightbend.github.io/ssl-config/HostnameVerification.html
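The CertificateException above is a hostname-verification failure: a URL that addresses the server by IP is only accepted when the certificate carries an iPAddress SAN for that IP; the subject CN and any DNS SANs are not consulted for IP targets. The following added example (not code from the thread or from WSO2) reproduces that matching rule over a constructed certificate dictionary shaped like Python's ssl.getpeercert() output, so you can check a certificate against the name or IP you intend to use before deciding between renaming the endpoint and reissuing the certificate.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# CN and SANs cover the hostname only, not the IP the dashboard dials.
SAMPLE_CERT = {
    "subject": ((("commonName", "apim.example.internal"),),),
    "subjectAltName": (("DNS", "apim.example.internal"),
                       ("DNS", "*.example.internal")),
}


def _dns_label_match(pattern, host):
    """RFC 6125 style DNS match: a wildcard is allowed in the leftmost label only."""
    p_labels, h_labels = pattern.lower().split("."), host.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:] and h_labels[0] != ""
    return p_labels == h_labels


def matching_san(cert, target):
    """Return the SAN entry that authorises `target`, or None.

    Mirrors the Java HTTPS hostname verifier: an IP literal must equal an
    iPAddress SAN; DNS SANs and the subject CN never satisfy an IP target,
    which is why https://10.12.2.5:9443/... fails against a hostname-only cert.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return (kind, value)
        return None
    for kind, value in sans:
        if kind == "DNS" and _dns_label_match(value, target):
            return (kind, value)
    return None


def explain(cert, target):
    """Human-readable verdict for one target, in the spirit of the Java error text."""
    hit = matching_san(cert, target)
    if hit:
        return f"OK: {target} matches SAN {hit[0]}={hit[1]}"
    return (f"FAIL: no subject alternative names matching {target}; "
            "use a name listed in the SAN or reissue the certificate with that entry")
```

In a live check you would replace SAMPLE_CERT with the dictionary returned by ssl.create_default_context().wrap_socket(...).getpeercert() for the APIM host.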
I have set up WSO2 IS (5.6.0) and APIM (2.5.0) recently.
I have then tried to integrate the two so that IS can be used as the IdP and APIM can be logged in to using SSO.
I made the changes according to this link:
https://docs.wso2.com/display/AM250/Configuring+Identity+Server+as+IDP+for+SSO
Things look fine: when I access the https://apim.com/publisher URL to log in, I get the IS login page.
Then I enter the username and password; it authenticates as well, but then I get the error below in the browser:
Error when processing authentication request! Please try again.
Below are the logs from the backend:
DEBUG {org.wso2.carbon.identity.sso.saml.validators.SSOAuthnRequestAbstractValidator} - Thread local tenant domain is set to: carbon.super
[2019-02-17 01:12:56,196] DEBUG {org.wso2.carbon.identity.sso.saml.validators.SPInitSSOAuthnRequestValidator} - Authentication Request Validation is successful..
[2019-02-17 01:12:56,803] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Query string : null
[2019-02-17 01:12:56,804] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - No SaaS SAML service providers found for the issuer : API_PUBLISHER. Checking for SAML service providers registered in tenant domain : carbon.super
[2019-02-17 01:12:56,825] ERROR {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Error when processing the authentication request!
org.wso2.carbon.identity.base.IdentityException: Error while reading service provider configurations for issuer : API_PUBLISHER in tenant domain : carbon.super
Can someone please check and let me know where I am going wrong?
Thanks
It seems like you haven't enabled IdP-initiated SSO in the Service Provider configuration on the WSO2 IS side. Find the attached service provider configuration screenshot below.
I want to integrate WSO2 Identity Server and API Manager together so that user authentication is done by WSO2 Identity Server and API-level authorization is done in the API Manager. I am using WSO2 Identity Server separately so that one day, if I have to remove API Manager, authentication will work properly.
Can someone explain the workflow/architecture? Where should I keep the users, in the Identity Server or in the API Manager? I would like the /oauth2/token token generation code to hit the Identity Server. How can I achieve this?
Is there cloud hosting for WSO2 Identity Server?
Thanks
If you want to configure WSO2 IS as a key manager, all the detailed steps can be found in the WSO2 docs: https://docs.wso2.com/display/CLUSTER44x/Configuring+the+Identity+Server+5.2.0+as+a+Key+Manager+with+API+Manager+2.0.0
I successfully configured WSO2 API Manager 1.8.0 [e.g. https://wso2am.com:9443] and WSO2 Identity Server 5.0.0 SP1 [IS] acting as Key Manager [e.g. https://wso2is.com:9443] in a clustered setup on two different servers.
I also configured a Service Provider in the IS using a SAML SSO inbound authenticator and tested it with the travelocity.com sample app.
The sample app builds the SAML request in the right way, but https://wso2am.com:9443/samlsso?SAMLRequest=[base64stuff] returns "HTTP Status 405 - HTTP method GET is not supported by this URL".
Changing the URL to https://wso2is.com:9443/samlsso?SAMLRequest=[base64stuff] leads to successful authentication.
Basically I want to be redirected to the wso2am login page and not the wso2is login page.
In this way, I could deploy only WSO2 AM in the DMZ, leaving WSO2 IS in the internal network.
How can I do this?
Thanks
In this scenario I think your authentication request must be directed to the IS server, not APIM. The IS server is the one that does the authentication; hence it acts as the IdP. APIM is just a service provider (SP). Even if you succeeded (though it's not the correct behaviour) in sending a SAML request to the https://wso2am.com:9443/samlsso endpoint, it would redirect you to the login page on the IS server. So you have to send the SAML request to the https://wso2is.com:9443/samlsso endpoint for successful authentication and for the correct behaviour.
In a dev environment, I'm trying to install BizTalk on Windows 7 with local accounts. The PC is not part of a domain. The install goes fine, and I've followed the MSDN documentation for BizTalk on Windows 7. SSO is the first thing that fails when I try to run the BizTalk configuration utility.
It created the SSODB database, built the tables, etc. but the SSO configuration failed. I see errors in the event log like:
SSO AUDIT
Function: GetApplications2
Tracking ID: a9b83ad5-1f05-407f-9d0b-63b4e4acd7d5
Client Computer: VM-BizTalk (mmc.exe:3572)
Client User: VM-BizTalk\Jeremy
Application Name: -
Error Code: 0xC0002A02, The SSO system is currently disabled.
The SSO service is running under a local account. This is not recommended and will limit the functionality of SSO. See your documentation for details.
SSO Service Account: VM-BizTalk
Access denied. The client user must be a member of one of the following accounts to perform this function.
SSO Administrators: SSO Administrators
SSO Affiliate Administrators: -
Application Administrators: -
Application Users: -
Additional Data: VM-BizTalk\Jeremy
Secret server access denied.
Client User: VM-BizTalk\Jeremy
Both the SSO service account and my account are part of the SSO Administrators group (local accounts and groups).
Well, I did a little more digging, and found an additional error in the BizTalk Configuration log file:
Failed to generate and backup the master secret to file: C:\Program Files\Common Files\Enterprise Single Sign-On\SSO0FAB.bak (SSO) Additional Information (0x80070005) Access is Denied.
Searching for this error, I discovered a blog entry:
http://blogical.se/blogs/mikael_sand/archive/2009/10/01/failed-to-create-the-master-secret-file-why-do-these-things-always-happen-to-me.aspx?CommentPosted=true#commentmessage
which advises this solution:
1. Unconfigure BizTalk and delete the SSODB and BusinessRulesDB. The wizard does not delete them.
2. Now create the SSO Administrators group manually and add the install account and the BizTalk Service Account to it.
3. Log out and log back in. Restart the installation.
I did the above steps. Additionally, after step 2 I re-ran the BizTalk install, chose Repair, then went through the install process, which took me through the configuration steps and finally a successful configuration!