WSO2 IS SAML2.0 Deactivates user after single login - single-sign-on

I downloaded WSO2 IS, took care of all the prerequisites and started it using "wso2server.bat --run" command.
It's running and I am able to configure it in the Management Console as an Identity Provider (SAML 2.0). I also added my app as a Service Provider (SAML 2.0). SSO seems to be working - I navigate to my app, it redirects to WSO2 IS where I log in using the default admin/admin. I am then redirected to the assertion service in my app, where I authenticate the user. Everything great so far!
The problem is that when I close the browser (using incognito mode) and try to repeat that process and log in to WSO2 IS using the same user (admin/admin), I get an error message:
"Login failed! Please recheck the username and password and try again."
I also get a similar message in the console:
[2018-02-08 15:57:39,258] ERROR {org.wso2.carbon.identity.scim.common.listener.SCIMUserOperationListener} - Trying to login from an inactive account of user: admin
How is that possible? It looks like the second I use a given user during the SSO process, that account gets deactivated. I can't even log in to the WSO2 IS Management Console.
I did not change any configuration other than mentioned above.
I would appreciate any help.

Related

Logout from Keycloak does not logout Active Directory User

We have integrated a Keycloak server with Azure Active Directory as the Identity Provider for SSO login.
Login is working fine. However, we are facing a problem with logout. When the user logs out of the web application, our backend server-side code makes a REST call to the Keycloak server using the API below.
https://keycloaktest:8443/auth/realms/<realmName>/protocol/openid-connect/logout
For this REST call we get a 204 status code as the response.
However, when the user tries to log in to the application again from the browser, it does not ask them to enter credentials (Active Directory credentials).
In order to log out the user, we have to access the URL below
https://portal.azure.us/#home
and click logout there.
https://portal.azure.us/Account/SignOut
Is there any way to achieve this in the backend, i.e. when the user clicks logout in the browser?
Just ran across this myself. The answer provided here, "Logout user via Keycloak REST API doesn't work", worked for me. Try adding client_id and refresh_token to your /logout request.
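The backchannel logout call the answer describes, as an added example (not code from the original post or from Keycloak). It assumes a confidential client, so client_secret is sent as well (public clients omit it), and a Keycloak behind the /auth context path as in the question's URL (Keycloak 17+ on Quarkus drops the /auth prefix). Host, realm, client and token values are placeholders; the token fed to the offline helper is a constructed, unsigned stand-in.

```python
"""Backchannel logout against Keycloak's OpenID Connect logout endpoint."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def build_logout_request(base_url, realm, client_id, refresh_token, client_secret=None):
    """Return (url, form-encoded body) for Keycloak's logout endpoint.

    The backchannel form identifies the SSO session by the refresh token, so a
    POST that carries neither client_id nor refresh_token has no session to end.
    """
    url = f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/logout"
    form = {"client_id": client_id, "refresh_token": refresh_token}
    if client_secret is not None:
        form["client_secret"] = client_secret
    return url, urllib.parse.urlencode(form).encode()


def session_id_from_refresh_token(refresh_token):
    """Read the session id from the token payload *without* verifying it.

    Acceptable for a sanity check before logout (the token only goes back to
    its issuer); never use an unverified payload for an access decision.
    """
    payload = refresh_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get("sid") or claims.get("session_state")


def keycloak_logout(base_url, realm, client_id, refresh_token, client_secret=None, timeout=10):
    """POST the logout. Keycloak answers 204 when the session was ended.

    Returns (status, body). A 400 with error=invalid_grant means the refresh
    token was already consumed, has expired, or belongs to another client.
    """
    url, body = build_logout_request(base_url, realm, client_id, refresh_token, client_secret)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode(errors="replace")
    except urllib.error.URLError as exc:   # DNS/TLS/connect failure: no HTTP status
        return None, str(exc.reason)


def make_unsigned_token(claims):
    """Constructed stand-in for a Keycloak refresh token (payload only, no
    signature), so session_id_from_refresh_token can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    # Placeholder deployment values; the request will fail until they are real.
    token = make_unsigned_token({"sid": "00000000-0000-0000-0000-000000000000"})
    print("ending Keycloak session", session_id_from_refresh_token(token))
    print(keycloak_logout("https://keycloaktest:8443", "myrealm", "backend", token, "s3cret"))
```

A 204 here ends the Keycloak SSO session bound to that refresh token; whether the user is then prompted again by Azure AD is a separate question about the upstream identity provider's session, which this call does not touch on its own, so test that part explicitly.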

Keycloak: re-authenticate with SAML configuration does not work

I have configured Keycloak against the SAML IdP provided by "samltest.id", and it works when the user logs into the application. On some user actions I want to force the user to enter his credentials again.
In the application I use the login method in the Keycloak JS adapter as follows:
keycloak.login({ prompt: 'login' })
Also I set the "force authentication" flag in the SAML configuration in Keycloak.
So, what is happening is that after trying the re-login, the user is redirected to the IdP (as expected), but after entering his credentials a WARN message is shown in the Keycloak log:
WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=155.41.80.192, error=invalid_code
and the user is again redirected to the IDP.
After entering the credentials again, instead of updating the active user session, an additional session is created by Keycloak (so I can see two sessions for the user in the Keycloak admin console). This way, the token (which belongs to the first session) will not be updated, so in the application I cannot recognize that the user's re-login succeeded.
Currently I use Keycloak version 7.0.0.
This re-login behavior works just fine if I do it for a user authenticated directly by Keycloak.
I can reproduce this behavior not just with "samltest.id" but also with another IdP.
I also thought about doing a logout instead of a re-login, but this would close the user session, and if the user decides to cancel his action, he would not be able to simply go back to the application without authenticating again.
Does someone have an idea how to solve this issue, or whether it can be solved at all?

Configure Authentication for actual html login page

We've got an install of Azure DevOps Server that currently authenticates against our Active Directory server, and authentication works, but it appears to do so by means of browser basic authentication (the browser modal prompt that asks for a simple user name and password).
I'm wondering if there is some way to configure authentication such that users that have never logged in, actually get a login page... not just the basic authentication prompt in the browser.
I appreciate any input. I've used and administered Azure DevOps in the cloud for a LONG time, but I'm new to the DevOps Server side of things.
NOTE: I've played with the IIS authentication settings (enabling and disabling basic authentication, forms auth, etc.), but nothing really seemed to help there.
"it appears to do so by means of browser basic authentication (the browser modal prompt that asks for a simple user name and password). I'm wondering if there is some way to configure authentication such that users that have never logged in, actually get a login page... not just the basic authentication prompt in the browser."
Which login page do you mean?
1. If you mean the login page to connect to the TFS web portal, as far as I know the basic prompt with username + password is the only approach.
(Screenshots: Web Portal; login page)
2. But if you mean something used for authentication when accessing the code, I think you must be familiar with PATs, which are widely used in Azure DevOps Services. IIS Basic Authentication is not recommended. You can check "Enabling IIS Basic Authentication invalidates using Personal Access Tokens" and "Use the TFS Cross Platform Command Line with TFS using basic authentication or personal access tokens (PATs)".
Hope it helps to resolve your puzzle :)
So after lots of research, I found the answer in the "differences between Azure DevOps Server and Azure DevOps Services" documentation. It states that the server uses Windows authentication, and you will never be presented with any login experience.
I'd vote that this should be something that can be configured to show a login screen, as sometimes we want to log in as users other than the one we logged into the machine as.
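What decides between a browser-owned credentials dialog and an application login page is the scheme list in the server's 401 WWW-Authenticate challenge, which is the mechanism behind both the modal prompt in the question and the "no login experience" of the accepted answer. The following is an added example, not code from either post or from Azure DevOps Server: a parser for that header, a check for whether the browser will answer the challenge itself, and the Basic-scheme encoding Azure DevOps uses for a PAT. The challenge strings are constructed for illustration, not captured from a real server.

```python
"""WWW-Authenticate challenges: browser prompt vs. application login, and PAT encoding."""
import base64
import re

# Schemes the browser answers on its own: Negotiate/NTLM silently with the
# Windows logon when the client is domain-joined and the site is trusted
# (hence no login page), otherwise with its native modal dialog; Basic and
# Digest always with the dialog. A Bearer challenge is left to the application.
NATIVE_PROMPT_SCHEMES = {"negotiate", "ntlm", "basic", "digest"}

_TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9._~+/-]*")


def _split_commas(value):
    """Split on commas that are not inside a quoted-string."""
    pieces, current, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            pieces.append("".join(current))
            current = []
        else:
            current.append(ch)
    pieces.append("".join(current))
    return [p.strip() for p in pieces if p.strip()]


def _parse_param(piece, params):
    """Store key=value (quotes removed) or a bare token68 blob such as NTLM's."""
    if "=" not in piece.rstrip("="):       # only trailing base64 padding, no key
        params["token68"] = piece
        return
    key, _, val = piece.partition("=")
    params[key.strip().lower()] = val.strip().strip('"')


def parse_challenges(www_authenticate):
    """Turn a WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    challenges = []
    for piece in _split_commas(www_authenticate):
        head, _, rest = piece.partition(" ")
        # A scheme token followed by whitespace or nothing starts a challenge;
        # a bare "realm=..." continues the previous challenge's parameters.
        if _TOKEN.fullmatch(head) and "=" not in head:
            params = {}
            if rest.strip():
                _parse_param(rest.strip(), params)
            challenges.append((head, params))
        elif challenges:
            _parse_param(piece, challenges[-1][1])
    return challenges


def browser_shows_native_prompt(www_authenticate):
    """True when the 401 yields the browser's own dialog (or silent Windows SSO)
    rather than anything the application controls, such as an HTML login page."""
    return any(scheme.lower() in NATIVE_PROMPT_SCHEMES
               for scheme, _ in parse_challenges(www_authenticate))


def pat_basic_header(pat):
    """Azure DevOps takes a PAT as HTTP Basic with an empty user name.

    This uses the Basic *scheme* in the Authorization header; it does not
    require enabling IIS Basic Authentication on the server, and the linked
    article in the first answer notes that enabling it breaks PAT use.
    """
    return "Basic " + base64.b64encode(f":{pat}".encode()).decode()


if __name__ == "__main__":
    # Constructed challenges: Windows-auth server vs. token-based server.
    for header in ('Negotiate, NTLM, Basic realm="Azure DevOps Server"',
                   'Bearer authorization_uri=https://login.example.net/tenant, realm="x"'):
        print(parse_challenges(header), "-> native prompt:", browser_shows_native_prompt(header))
    print(pat_basic_header("abc"))
```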

Keycloak 1.9.1.Final - failed verification of token: Token is not active

I'm trying to connect a Spring app to Keycloak, but I get this error:
After I enter my app and am redirected to Keycloak for authentication, I receive an error in my browser:
192.168.1.66 redirected you too many times.
Full URL:
URL: http://192.168.1.66:9092/keycloak-sp-example/sso/login?state=139%2F1ed115fb-4d4f-468c-9a72-845f9cfa9cdb&code=PVGhg5X28G8fjNt36tMGHTJIP7CQdHOhoK4XhPgUh3E.2d885db5-5c4f-43b1-9095-305494718a97
And, in the console, I got:
ERROR org.keycloak.adapters.OAuthRequestAuthenticator - failed verification of token: Token is not active.
Is it a bug? Or is there anything that I should configure in the console?
I found the problem: I was testing the product in a virtual machine without the correct time zone configured.
Try to sync the clocks of the Keycloak and application servers, or else increase the access token lifespan, which is not recommended.
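The clock-skew failure behind the two answers, as an added example (not code from the original post or from Keycloak): tokens are stamped with the issuer's clock and checked with the verifier's, so a Keycloak VM whose clock runs behind the application server by more than the token lifespan produces tokens that are already expired on arrival, which the adapter reports as "Token is not active" and answers with another redirect. The tokens are unsigned, constructed test tokens; a real adapter verifies the RS256 signature first and only then applies time checks like the ones modelled here. The 300 s lifespan is an assumed typical value, and the skew allowance is a parameter here rather than any specific adapter setting.

```python
"""Reproduce "Token is not active" from a skewed clock, with constructed tokens."""
import base64
import json
import time


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(claims):
    """Constructed stand-in for a token: alg=none, empty signature part."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token):
    """Payload only, no signature check (the check under study is the time check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_time_status(claims, now, allowed_skew=0):
    """'active', 'expired' or 'not-yet-valid', judged with the verifier's clock.

    exp must still lie in the future and nbf, if set, must have passed; both
    are relaxed by allowed_skew seconds. Anything other than 'active' is what
    the adapter in the question logs as "Token is not active".
    """
    exp = claims.get("exp")
    nbf = claims.get("nbf") or 0
    if exp is not None and now > exp + allowed_skew:
        return "expired"
    if nbf and now + allowed_skew < nbf:
        return "not-yet-valid"
    return "active"


def issue_and_verify(idp_clock, app_clock, lifespan=300, allowed_skew=0):
    """Issue with the IdP's clock, verify with the application's.

    lifespan plays the realm's access-token lifespan; nbf=0 matches what
    Keycloak puts in its tokens, so only exp is sensitive to the skew.
    """
    claims = {"iat": idp_clock, "exp": idp_clock + lifespan, "nbf": 0, "typ": "Bearer"}
    token = make_unsigned_jwt(claims)
    return token_time_status(decode_claims(token), app_clock, allowed_skew)


if __name__ == "__main__":
    now = int(time.time())
    # The VM in the question: Keycloak's clock an hour behind the app server's.
    print("1h behind, 5 min lifespan  :", issue_and_verify(now - 3600, now))
    print("clocks in sync             :", issue_and_verify(now, now))
    print("1h behind, 2h lifespan     :", issue_and_verify(now - 3600, now, lifespan=7200))
    print("1h behind, 3700 s skew     :", issue_and_verify(now - 3600, now, allowed_skew=3700))
    print("IdP 1h ahead, nbf=0        :", issue_and_verify(now + 3600, now))
```

The third line shows why raising the lifespan "fixes" the loop: it merely makes the token outlive the skew, leaving every token valid an hour longer than intended. The last line shows the asymmetry that matters for diagnosis: with nbf=0 an issuer running ahead is accepted, so a redirect loop of this kind means the application server's clock was ahead of Keycloak's. Syncing both hosts to the same NTP source is the fix; a skew allowance of a minute or two is a reasonable safety margin, an hour is not.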

What does this SSO error mean? - CTJSO1502E The authentication process to the configuration dashboard failed

I'm just starting up with Bluemix Single Sign On (SSO). Whenever I'm accessing the SSO console using Safari I get a popup with the error below.
CTJSO1502E The authentication process to the configuration dashboard failed
I do not get this error when accessing the SSO console using my Firefox browser.
I've already cleared the cache in Safari. Can anyone give me a pointer or something else to try to get past this?
As it turns out the solution in Safari is that I needed to enable third-party cookies to access the SSO interface.
The iframe containing the SSO service dashboard is loaded into the overall Bluemix console (.ng.bluemix.net) from a host on a different DNS domain (.iam.ibmcloudsecurity.com). Session cookies for the dashboard get blocked unless third-party cookies are allowed, or at least permitted from .iam.ibmcloudsecurity.com.
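A model of the cookie decision the answer describes, as an added example (not code from the original post or from Bluemix). It treats two independent gates: the browser's third-party-cookie setting, which is the Safari setting in the answer, and the cookie's own SameSite attribute, which current browsers treat as Lax when it is absent, so a cross-site iframe cookie additionally needs SameSite=None; Secure today. Site comparison is simplified to the last two host labels (assumption: no multi-label public suffixes such as co.uk), and the Set-Cookie values are constructed.

```python
"""Does a dashboard cookie reach a cross-site iframe? Two gates, modelled."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def registrable_domain(url):
    """Simplified eTLD+1: the last two labels of the host (no public suffix list)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def is_cross_site(top_level_url, frame_url):
    """Cross-site means the embedding page and the frame differ in registrable domain."""
    return registrable_domain(top_level_url) != registrable_domain(frame_url)


def parse_set_cookie(header):
    """Return (name, morsel) for a single Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    return next(iter(jar.items()))


def cookie_reaches_frame(set_cookie, top_level_url, frame_url, third_party_allowed):
    """Return (sent, reason) for a cookie set by the frame's host.

    Gate 1 is the user's third-party-cookie setting (the answer's fix was to
    allow it in Safari). Gate 2 is the cookie's SameSite attribute: absent
    counts as Lax, and only SameSite=None with Secure is sent cross-site.
    """
    name, morsel = parse_set_cookie(set_cookie)
    if not is_cross_site(top_level_url, frame_url):
        return True, f"{name}: same-site, always sent"
    if not third_party_allowed:
        return False, f"{name}: blocked by the browser's third-party cookie setting"
    samesite = (morsel["samesite"] or "Lax").lower()
    if samesite != "none":
        return False, f"{name}: SameSite={samesite} is not sent in a cross-site iframe"
    if not morsel["secure"]:
        return False, f"{name}: SameSite=None without Secure is rejected"
    return True, f"{name}: cross-site, allowed by setting and SameSite=None; Secure"


if __name__ == "__main__":
    # Constructed: the console as top-level page, the SSO dashboard as the frame.
    top = "https://console.ng.bluemix.net/"
    frame = "https://dashboard.iam.ibmcloudsecurity.com/"
    for header, allowed in [("JSESSIONID=abc; Path=/; Secure; SameSite=None", False),
                            ("JSESSIONID=abc; Path=/; Secure; SameSite=None", True),
                            ("JSESSIONID=abc; Path=/", True)]:
        print(cookie_reaches_frame(header, top, frame, allowed))
```

The second gate is what has changed since the question was asked: allowing third-party cookies is no longer sufficient unless the dashboard's server also sets SameSite=None; Secure, and Safari now blocks third-party cookies by default regardless of that attribute. A dashboard that must keep working in such a browser has to be served from the console's own site or ask for storage access explicitly.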