PingFederate SP SLO not going to IDP - pingfederate

We are using PingFederate as an SP and have configured the OpenToken adapter. We are also using the PingFederate Apache Agent (mod_pf.so) for SSO. When the user clicks the logout link, the following steps happen:
1. A call goes to the logout URL defined in the mod_pf.conf file (PingFederateCancelURL). This is our application logout page.
2. Another call goes to /sp/startSLO.ping and I can see SLO logs on the PingFederate server.
However, no call goes to the IDP configured for this connection. Are we missing any configuration?
P.S. We have not configured the Logout Service in the OpenToken adapter configuration.
Adding logs:
2016-06-13 03:01:36,128 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.websso.servlet.IntegrationControllerServlet] GET: https://ny-pingfed-app02.na.rtdom.net:9031/sp/startSLO.ping
2016-06-13 03:01:36,128 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.saml20.service.impl.grouprpc.PreferredNodes] [] -> indices to addresses -> [10.221.56.36:7600, 10.221.56.29:7600]
2016-06-13 03:01:36,128 DEBUG [com.pingidentity.jgroups.MuxInvocationHandler] invocation of lookupAuthnBeansAndSessions on org.sourceid.saml20.service.impl.localmemory.SpSessionRegistryMapImpl#7a85063c{bean->session=19, nidKey->sessionlists=7, pfsessionid->beanslist=17} w/args: [oYxtMFSy5GYQ5lK3EN1Lkt] returned {SpHashableAuthnBean: 8b3ec7801a2976aa103df829dffc21f260ea7aca=WebSsoSession{entityId='https://devci-casshib-ny.mediaocean.com/idp/shibboleth', assertionId='_36dab27f092d6367407cb9042e350aed', sessionIndex='_0d66d53a8fea5733ea5621a7b90b923b', nameId(value)=_3aa309b361c657bf1bc2a307d19ac432}}
2016-06-13 03:01:36,131 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.saml20.service.impl.grouprpc.SpSessionRegistryGroupRpcImpl] called mode:GET_MAJORITY lookupAuthnBeansAndSessions([oYxtMFSy5GYQ5lK3EN1Lkt]) on [10.221.56.36:7600, 10.221.56.29:7600] responses:
[sender=10.221.56.36:7600, retval={SpHashableAuthnBean: 8b3ec7801a2976aa103df829dffc21f260ea7aca=WebSsoSession{entityId='https://devci-casshib-ny.mediaocean.com/idp/shibboleth', assertionId='_36dab27f092d6367407cb9042e350aed', sessionIndex='_0d66d53a8fea5733ea5621a7b90b923b', nameId(value)=_3aa309b361c657bf1bc2a307d19ac432}}, received=true, suspected=false]
[sender=10.221.56.29:7600, retval={SpHashableAuthnBean: 8b3ec7801a2976aa103df829dffc21f260ea7aca=WebSsoSession{entityId='https://devci-casshib-ny.mediaocean.com/idp/shibboleth', assertionId='_36dab27f092d6367407cb9042e350aed', sessionIndex='_0d66d53a8fea5733ea5621a7b90b923b', nameId(value)=_3aa309b361c657bf1bc2a307d19ac432}}, received=true, suspected=false]
2016-06-13 03:01:36,131 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.saml20.service.impl.grouprpc.PreferredNodes] [] -> indices to addresses -> [10.221.56.36:7600, 10.221.56.29:7600]
2016-06-13 03:01:36,131 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.saml20.service.impl.grouprpc.SpSessionRegistryGroupRpcImpl] called mode:GET_NONE unregisterSessionsReceived([[SpHashableAuthnBean: 8b3ec7801a2976aa103df829dffc21f260ea7aca]]) on [10.221.56.36:7600, 10.221.56.29:7600]
2016-06-13 03:01:36,230 DEBUG [com.pingidentity.jgroups.MuxInvocationHandler] invocation of unregisterSessionsReceived on org.sourceid.saml20.service.impl.localmemory.SpSessionRegistryMapImpl#7a85063c{bean->session=18, nidKey->sessionlists=6, pfsessionid->beanslist=16} w/args: [[SpHashableAuthnBean: 8b3ec7801a2976aa103df829dffc21f260ea7aca]] returned null
2016-06-13 03:01:36,263 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.util.log.internal.TrackingIdSupport] [cross-reference-message] PFSessionXRefID:_0d66d53a8fea5733ea5621a7b90b923b
2016-06-13 03:01:36,501 WARN [org.eclipse.jetty.servlet.ServletHandler]
javax.servlet.ServletException: org.sourceid.websso.profiles.ProcessRuntimeException: org.sourceid.saml20.adapter.AuthnAdapterException: Logout functionality invoked, but no logout service is configured for this adapter.
at org.sourceid.servlet.ServletExceptionSupport.throwServletException(ServletExceptionSupport.java:26)
at org.sourceid.websso.servlet.IntegrationControllerServlet.process(IntegrationControllerServlet.java:88)
at org.sourceid.websso.servlet.EnforcerServletBase.checkProcess(EnforcerServletBase.java:84)
It seems that Logout Service is a mandatory parameter. What should its value be? Should it be the IDP's SLO endpoint or the logout URL of the application (which the SP is protecting)?

Related

Spring Cloud Data Flow Server OAuth2 with Azure AD

I am trying to set up OAuth authentication (OpenID Connect) with Azure AD and the Spring Cloud Data Flow server. I am following the documentation references below, but with no luck.
https://docs.spring.io/spring-cloud-dataflow/docs/current/reference/htmlsingle/#appendix-identity-provider-azure
https://docs.spring.io/spring-cloud-dataflow/docs/current/reference/htmlsingle/#configuration-security-oauth2
When I push the data flow server to open source Cloud Foundry, I get the error below (if the OAuth2 config is removed from application.yml, it gets deployed without issue):
redentials/instance.key and /etc/cf-instance-credentials/instance.crt
18:16:57.512: [HEALTH.0] Failed to make TCP connection to port 8080: connection refused
18:16:57.512: [CELL.0] Timed out after 1m0s: health check never passed.
18:16:57.515: [CELL/SSHD.0] Exit status 0
18:17:07.588: [APP/PROC/WEB.0] Exit status 137 (exceeded 10s graceful shutdown interval)
18:17:07.857: [API.3] Process has crashed with type: "web"
18:17:07.931: [API.3] App instance exited with guid ff60a149-d91f-4d9c-90b9-661c3bb8ad0f payload: {"instance"=>"e35f4a5d-a4f0-433d-6546-82ed", "index"=>0, "cell_id"=>"231ab214-d841-46ba-b20f-243aeac9bbfa", "reason"=>"CRASHED", "exit_description"=>"Instance never healthy after 1m0s: Failed to make TCP connection to port 8080: connection refused", "crash_count"=>3, "crash_timestamp"=>1622845027800626529, "version"=>"3a0686fb-a43a-4528-a425-21a544
From the logs, I do not see any hint that the OAuth2.0 setup is taking effect in the data flow server. Here are my application.yml entries related to the OAuth2 config:
spring:
  cloud:
    dataflow:
      security:
        authorization:
          provider-role-mappings:
            dataflow-server:
              map-oauth-scopes: true
              role-mappings:
                ROLE_VIEW: dataflow.view
                ROLE_CREATE: dataflow.create
                ROLE_MANAGE: dataflow.manage
                ROLE_DEPLOY: dataflow.deploy
                ROLE_DESTROY: dataflow.destroy
                ROLE_MODIFY: dataflow.modify
                ROLE_SCHEDULE: dataflow.schedule
  security:
    oauth2:
      client:
        registration:
          dataflow-server:
            provider: azure
            redirect-uri: 'https://data-flow-server/dashboard'
            client-id: 977-95bc-4f3645d77f43
            client-secret: ~02K-5pf182_E-x-PWn
            authorization-grant-type: authorization_code
            scope:
            - openid
            - profile
            - email
            - offline_access
            - api://dataflow-server/dataflow.view
            - api://dataflow-server/dataflow.deploy
            - api://dataflow-server/dataflow.destroy
            - api://dataflow-server/dataflow.manage
            - api://dataflow-server/dataflow.modify
            - api://dataflow-server/dataflow.schedule
            - api://dataflow-server/dataflow.create
        provider:
          azure:
            issuer-uri: https://login.microsoftonline.com/sdf3s-3244f65-b82d-5ec2fd32d5aa/v2.0
            user-name-attribute: name
            access-token-uri: https://login.microsoftonline.com/sdf3s-3244f65-b82d-5ec2fd32d5aa/oauth2/v2.0/token
            token-uri: https://login.microsoftonline.com/sdf3s-3244f65-b82d-5ec2fd32d5aa/oauth2/v2.0/token
            user-authorization-uri: https://login.microsoftonline.com/sdf3s-3244f65-b82d-5ec2fd32d5aa/oauth2/v2.0/authorize
            authorization-uri: https://login.microsoftonline.com/sdf3s-3244f65-b82d-5ec2fd32d5aa/oauth2/v2.0/authorize
      resourceserver:
        jwt:
          jwk-set-uri: https://login.microsoftonline.com/sdf3s-3244f65-b82d-5ec2fd32d5aa/discovery/v2.0/keys

REG:Authentication failed for user in Robot framework

I want to use SSHLibrary to connect to a remote server.
*** Settings ***
Library    SSHLibrary

*** Test Cases ***
Connection
    ${RemoteServer}=    openconnection    127.0.0.1    port=2123
    login    127.0.0.1    gfi
    ${username}=    Executecommand    pwd
But I am getting an "authentication failed" error:
TRACE : Arguments: [ '127.0.0.1' | port=2123 ]
TRACE : Return: 1
INFO : ${RemoteServer} = 1
TRACE : Arguments: [ '127.0.0.1' | 'gfi' | delay='0.5 seconds' ]
INFO : Logging into '127.0.0.1:2123' as '127.0.0.1'.
DEBUG : Adding ssh-ed25519 host key for [127.0.0.1]:2123: 56cde5c5d3a8494218b68ed41b4e837d
FAIL : Authentication failed for user '127.0.0.1'.
DEBUG :
Traceback (most recent call last):
File "c:\python27\lib\site-packages\SSHLibrary\library.py", line 914, in login
is_truthy(look_for_keys), delay, proxy_cmd)
File "c:\python27\lib\site-packages\SSHLibrary\library.py", line 973, in _login
raise RuntimeError(e)
Ending test: Launchvm.Launchvm.Connection
This is the first time I am using SSHLibrary. Does it require any preconditions to use SSHLibrary?
Can someone help me solve the authentication failure?
You have to take a look at the arguments for the SSHLibrary Login keyword.
As seen in the documentation, Login's first argument is the username.
However, in your code you give 127.0.0.1 as the username:
    login    127.0.0.1    gfi
And I assume that is not the username.
You can also see this in the log message, which says it tries to log into 127.0.0.1:2123 as 127.0.0.1:
INFO : Logging into '127.0.0.1:2123' as '127.0.0.1'.
If you update the code and call the Login keyword with the username and password as expected, it should run fine:
    login    <username>    <password>

Got numberformatexception For input string: "0:0:0:0:0:0:0:1" for wso2

I have one API that has been published in the WSO2 API gateway.
When I test the API, I get this error message from the console:
Exception in thread "pool-65-thread-1"
java.lang.NumberFormatException: For input string: "0:0:0:0:0:0:0:1"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Long.parseLong(Long.java:589)
at java.lang.Long.parseLong(Long.java:631)
at org.wso2.carbon.apimgt.impl.utils.APIUtil.ipToLong_aroundBody512(APIUtil.java:7851)
at org.wso2.carbon.apimgt.impl.utils.APIUtil.ipToLong(APIUtil.java:7847)
at org.wso2.carbon.apimgt.gateway.throttling.publisher.DataProcessAndPublishingAgent.run_aroundBody4(DataProcessAndPublishingAgent.java:155)
at org.wso2.carbon.apimgt.gateway.throttling.publisher.DataProcessAndPublishingAgent.run(DataProcessAndPublishingAgent.java:141)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
According to the blog, they say it is necessary to disable IPv6.
I disabled IPv6 via the registry and added the IPv6 support option only to JAVA_OPTS in the wso2server.bat file.
Then I restarted again, and it still shows an IPv6 address:
[2020-01-15 14:40:21,171] INFO - PassThroughListeningIOReactorManager Pass-through HTTP Listener started on 0:0:0:0:0:0:0:0:8280
[2020-01-15 14:40:21,172] INFO - PassThroughHttpMultiSSLListener Starting Pass-through HTTPS Listener...
[2020-01-15 14:40:21,192] INFO - PassThroughListeningIOReactorManager Pass-through HTTPS Listener started on 0:0:0:0:0:0:0:0:8243
[2020-01-15 14:40:21,449] INFO - TaskServiceImpl Task service starting in STANDALONE mode...
[2020-01-15 14:40:21,509] INFO - RegistryEventingServiceComponent Successfully Initialized Eventing on Registry
[2020-01-15 14:40:21,652] INFO - JMXServerManager JMX Service URL : service:jmx:rmi://localhost:11111/jndi/rmi://localhost:9999/jmxrmi
When I run it again, I get the same error.
Can anyone help with an answer?
In the latest API Manager versions, we have provided IPv6 support for throttling use cases. If you take the latest pack or a WUM-updated pack of your current version, you should not get this issue.
Also, as a workaround, you could set an IPv4 address using the X-Forwarded-For header and invoke the API.
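As an added example (not WSO2's code and not the API Manager fix itself), here is the address-to-integer step that the stack trace shows failing, written to accept both IPv4 and IPv6 literals, plus the way a throttling key should be chosen when the X-Forwarded-For workaround above is used: the header is only honoured behind a known proxy. The function names and the trusted-proxy list are constructed for this example.

```python
import ipaddress
from typing import Iterable, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_ip(addr: str) -> IPAddress:
    """Parse an IPv4 or IPv6 literal.

    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped so one client gets one
    throttling key over either stack. Raises ValueError for anything that is
    not an IP literal, hostnames included.
    """
    ip = ipaddress.ip_address(addr.strip().strip("[]"))
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_ip_literal(addr: str) -> bool:
    try:
        parse_ip(addr)
        return True
    except ValueError:
        return False


def ip_to_int(addr: str) -> int:
    """Numeric form of the address, as used for a throttling key.

    The stack trace above shows Long.parseLong applied to the raw string, which
    cannot accept dotted-quad or colon-hex text at all; a real address parser
    handles both families (an IPv6 value needs 128 bits, so not a Java long).
    """
    return int(parse_ip(addr))


def pick_client_ip(remote_addr: str, xff: Optional[str],
                   trusted_proxies: Iterable[str]) -> str:
    """Choose the address to throttle on.

    X-Forwarded-For is client-supplied, so it is honoured only when the direct
    peer is one of our own proxies (a constructed list in this example). The
    header is then walked from the right, skipping further trusted hops; the
    first other address is the client. A non-literal entry ends the walk.
    """
    trusted = {parse_ip(p) for p in trusted_proxies}
    peer = parse_ip(remote_addr)
    if peer not in trusted or not xff:
        return str(peer)
    for hop in reversed([h for h in xff.split(",") if h.strip()]):
        if not is_ip_literal(hop):
            break
        ip = parse_ip(hop)
        if ip not in trusted:
            return str(ip)
    return str(peer)
```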

WSO2 API Manager Custom Domain error

I have configured my WSO2 with a custom name by setting
<HostName>secu.helomyl.in</HostName>
<!--
Host name to be used for the Carbon management console
-->
<MgtHostName>secu.helomyl.in</MgtHostName>
It starts and I can access the URL and get WSO2, but the error below is in the logs. Can you please help?
[2017-02-17 14:46:32,513] INFO - QpidServiceComponent Successfully connected to AMQP server on port 5673
[2017-02-17 14:46:32,514] WARN - QpidServiceComponent MQTT Transport is disabled as per configuration.
[2017-02-17 14:46:32,514] INFO - QpidServiceComponent WSO2 Message Broker is started.
[2017-02-17 14:46:32,533] WARN - PropertiesFileInitialContextFactory Unable to create factory:Illegal character in query between indicies 66 and 1
amqp://admin:admin#clientid/carbon?brokerlist='tcp://15.100.133.77 :5673'
^
[2017-02-17 14:46:33,044] INFO - PassThroughHttpSSLListener Starting Pass-through HTTPS Listener...
[2017-02-17 14:46:33,047] INFO - PassThroughListeningIOReactorManager Pass-through HTTPS Listener started on 0.0.0.0
Check the api-manager.xml in the wso2am-2.0.0/repository/conf location. There is a space in the configuration below. That causes the issue.
tcp://15.100.133.77 :5673

IDP Initated logout in pingfederate

Hi, can anyone help me get out of this issue?
I'm a newbie to PingFederate and tried to do an IDP-initiated logout
with the IDP SLO URL, appending the TargetResource parameter to redirect after the logout. User logout is working fine, but after logoff PingFederate doesn't redirect to the TargetResource URL and still shows the PingFederate logout page.
EDIT: I'm using PingFederate version 6.10 and from the documentation understand that the TargetResource parameter can be used to redirect after log-off.
URL for IDP SLO:
https://Machine-IP:9031/idp/startSLO.ping?PartnerSpId=HRIM:SAML2:PRODUCTION-IDP&TargetResource=http://Machine-IP:8005/logout
Am I missing any configuration for the redirection?
EDIT-2:
Below is the PingFederate server log; the PF server throws
"Nonsuccess Response status: urn:oasis:names:tc:SAML:2.0:status:Responder
Status Message: Unexpected Runtime Authn Adapter Integration Problem."
entityId: HRIM:SAML2:PRODUCTION-IDP (SP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
relayState: aDz9NF0AZEMnJmAy6EM5N9vq8XNcEA
SignatureStatus: VALID
Binding says to sign: true
09:56:31,632 DEBUG [TrackingIdSupport] [cross-reference-message] entityid:null subject:null
09:56:31,632 WARN [HandleLogoutResponse] Invalid response: InMessageContext
XML: <samlp:LogoutResponse Destination="https://192.168.2.64:9031/idp/SLO.saml2" InResponseTo="hk6gFs__DcEmUVt.W5B9YJT6e5R" IssueInstant="2015-06-19T13:56:31.363Z" ID="EpSPm27S53BhzqTEnX6OYS-DeLu" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">HRIM:SAML2:PRODUCTION-IDP</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#EpSPm27S53BhzqTEnX6OYS-DeLu">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>q7i/J6rrBAvwehMrFnr11sQTg6g=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>KMfBgt792oj3mfQ6JiWklHNUlh8QpDliYhLGr4NPJ5ti6UnvSBQNVOOIuHXpwvodCElEQJR527M/
94erFkCA9SK1rwy/Ib6jyCZPCaim3qLavOmBQOaiY8ymBEqTPeMvtN/IVKSf4yOhAYEmiIHS/rMs
m2D+UY898kgn+L+/SYs=</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
<samlp:StatusMessage>Unexpected Runtime Authn Adapter Integration Problem.</samlp:StatusMessage>
<samlp:StatusDetail>
<Cause>org.sourceid.websso.profiles.RequestProcessingException: Unexpected Runtime Authn Adapter Integration Problem.</Cause>
</samlp:StatusDetail>
</samlp:Status>
</samlp:LogoutResponse>
entityId: HRIM:SAML2:PRODUCTION-IDP (SP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
relayState: aDz9NF0AZEMnJmAy6EM5N9vq8XNcEA
SignatureStatus: VALID
Binding says to sign: true
-------------------------------------
Nonsuccess Response status: urn:oasis:names:tc:SAML:2.0:status:Responder
Status Message: Unexpected Runtime Authn Adapter Integration Problem.
-------------------------------------
09:56:31,632 DEBUG [IdpSessionRegistryMapImpl] getRegisteredAuthnBeans(MV8o6ixVX2KuJ9t3lbi5Re) found [IdpHashableAuthnBean: 86d72689520858914485566f334f6d3fde4b08d5] authn beans
09:56:31,632 DEBUG [IdpSessionRegistryMapImpl] getIssuedSessions for authnbean IdpHashableAuthnBean: 86d72689520858914485566f334f6d3fde4b08d5 assertion ids: []
09:56:31,632 DEBUG [IdpSessionRegistryMapImpl] getIssuedSessions for authnbean IdpHashableAuthnBean: 86d72689520858914485566f334f6d3fde4b08d5 assertion ids: []
09:56:31,632 DEBUG [InterReqStateMgmtMapImpl] Object removeAttr(key: GkIkCfHYlNs9B1UyPtmmiD, name: HtmlFormIdpAuthnAdapter:SESSION): {username=carol#highroads.com, DN=cn=Carol,ou=Users,dc=highroads,dc=com, TargetResource=http://172.25.242.205:8005/index}
09:56:31,632 DEBUG [IdpSessionRegistryMapImpl] unregisterAuthnBean IdpHashableAuthnBean: 86d72689520858914485566f334f6d3fde4b08d5 from session id MV8o6ixVX2KuJ9t3lbi5Re. Session now has 0 beans associated with it.
![I'm getting following error page in browser][1]
[1]: http://i.stack.imgur.com/eC43g.png
The /idp/startSLO.ping endpoint does not support a PartnerSpId query parameter. When you hit that endpoint, you're telling PingFed to start a "single logout", which is intended to log you out of ALL the SPs that PingFed is aware of for the browser session, so the PartnerSpId (used to identify the partner you want to SSO with when using the startSSO endpoint) is not needed.
From the documentation on that endpoint, it only supports three parameters: TargetResource, InErrorResource, and Binding, all of which are optional.
I got my issue resolved. Follow the URL below; it's very helpful.
https://ping.force.com/Support/PingIdentityVideoLibrary?id=2415947630001