WSO2 SAML SSO for different carbon versions - saml

I'm trying to set up SAML-based SSO for a set of WSO2 products (all at the latest versions available for now):
WSO2 Identity Server 4.5.0
WSO2 Business Rules Server 2.0.0
WSO2 ESB 4.7.0
WSO2 Business Activity Monitoring 2.4.0
WSO2 Application Server 5.2.0
SSO works fine for BAM and AS, but fails for the other servers (BRS, ESB).
On the IS side I'm getting an exception like:
[Fatal Error] :1:1: Content is not allowed in prolog.
[2013-11-01 22:16:26,830] ERROR {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Error in constructing AuthRequest from the encoded String
org.xml.sax.SAXParseException: Content is not allowed in prolog.
As I understand it, the problem is: IS, AS and BAM are all based on Carbon 4.2.0, and as a result SSO works fine, but the latest versions of BRS and ESB are based on an older Carbon (4.1.0 or 4.0.0), and there is a compatibility problem in message encoding between different Carbon versions.
Question: is it possible to somehow fix the tools based on the older Carbon version to make them work with the latest Carbon 4.2.0 based IS 4.5.0?
Or, in general, how do I set up SAML SSO independently of whichever Carbon-based (or even non-Carbon-based) service providers are used?

Yes, this is a known issue. Identity Server 4.5.0 cannot be used to do SSO with older Carbon versions. This is because the SAML2 SSO authenticator in older Carbon versions is not compliant with the IS 4.5.0 IdP. Actually, there is some bug in the older versions. However, there are some fixes for that. They can be found in the public JIRAs (not sure). ESB and BRS are going to be released soon, before the end of Nov. Therefore, you can try the newer versions, as they are also based on the Carbon 4.2.0 platform.

I am getting exactly the same issue with the same configuration. #Asela, as you mentioned, I can go with either ESB 4.8.0 or IS 4.1.0, but what kind of issues will we have when we go for a decentralized federated SAML2 IdP?
Is IS 4.1.0 compatible with ESB 4.7.0, and is it tested with a decentralized federated SAML2 IdP? If so, we would downgrade our IS to 4.1.0.
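
The "Content is not allowed in prolog" error in the thread above means the IdP's XML parser was handed bytes that do not begin with XML, which is what results when a SAMLRequest is decoded with the wrong binding's encoding. The diagnostic below is an added example, not part of the original thread or WSO2's code; the sample request and all function names are constructed, and it does not establish which mismatch the older Carbon authenticators actually have.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# Constructed sample AuthnRequest (not captured from any WSO2 product).
SAMPLE = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2013-11-01T22:16:26Z"/>'
)

def encode_redirect(xml):
    """HTTP-Redirect binding: raw DEFLATE, then base64 (URL-encoding omitted)."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def encode_post(xml):
    """HTTP-POST binding: base64 only, no compression."""
    return base64.b64encode(xml.encode()).decode()

def parses_as_xml(data):
    # Diagnostic use only; this is not a hardened parser for hostile XML.
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False

def classify(saml_request):
    """Return which decoding of a SAMLRequest value yields well-formed XML."""
    try:
        raw = base64.b64decode(saml_request, validate=True)
    except ValueError:
        return "not-base64"  # still URL-encoded, truncated, or corrupted
    if parses_as_xml(raw):
        return "base64-only"
    try:
        inflated = zlib.decompress(raw, wbits=-15)
    except zlib.error:
        return "undecodable"
    return "base64+deflate" if parses_as_xml(inflated) else "undecodable"

if __name__ == "__main__":
    for name, value in (("POST", encode_post(SAMPLE)), ("Redirect", encode_redirect(SAMPLE))):
        print(name, "->", classify(value))
    # Treating a Redirect-encoded value as POST hands compressed bytes to the parser.
    print(parses_as_xml(base64.b64decode(encode_redirect(SAMPLE))))
```

Running `classify` on the SAMLRequest value captured from each service provider's login redirect shows whether the working and failing products encode the request differently.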

Related

WSO2 IS 5.3.0 - IWA authentication option not available

We are using WSO2 Identity Server for user authentication.
We have upgraded from WSO2 IS 5.2.0 version to WSO2 IS 5.3.0.
We are using the IWA (Integrated Windows Authentication) for user authentication for our applications.
In WSO2 5.3.0 version we do not see the option to select IWA under the Authentication Type “Local Authentication” while registering the application under “Service Provider”. This option was available in WSO2 IS 5.2.0 and we were able to use it properly.
Can you please let us know if this feature is deprecated or disabled in the WSO2 IS 5.3.0 version? Please let us know the steps to enable IWA in WSO2 IS 5.3.0
From IS 5.3.0 onwards we moved to Kerberos based IWA Authentication. The motive behind this decision was to overcome the limitations faced in NTLM based IWA.
To mention a few, NTLM based IWA forced the WSO2 Identity Server to be run on Windows and the AD was required to be plugged in as the primary user store.
To read more about IWA Authentication using Kerberos please refer to this blog.
So to answer,
Can you please let us know if this feature is deprecated or disabled
in the WSO2 IS 5.3.0 version? Please let us know the steps to enable
IWA in WSO2 IS 5.3.0
Yes, we deprecated the NTLM based IWA Authenticator in IS 5.3.0. However, for the benefit of the users preferring to use the NTLM based authenticator we have the tag compatible with IS 5.3.0.
You can build the tag and drop the authenticator jar to IS_HOME/repository/components/dropins. Then you should be able to see the authenticator listed under local authenticators and use it as in IS 5.2.0
Are you sure it is activated in your installed instance?
Open the <wso2is_home>/repository/conf/security/authenticators.xml file and add the following lines inside the <Authenticators> tag.
<Authenticator name="IWAUIAuthenticator" disabled="false">
    <Priority>5</Priority>
</Authenticator>
Source : https://docs.wso2.com/display/IS530/Configuring+IWA+Single-Sign-On
Jeff

Domino client web services and SOAP 1.2

I created a client in Domino to consume a web service that works with SOAP 1.2 and has HTTPBinding.
The client generation tool for Domino Designer web services displays an error when trying to generate it, reporting that the accepted SOAP version is 1.1.
I decided to create the client with the CXF framework through the wsdl2java tool. In an agent I used these classes to consume the web service; however, the error below was displayed. I think it's because of the SOAP version, but I'm not sure.
com.sun.xml.internal.ws.protocol.soap.MUTube getMisUnderstoodHeaders
INFO: Element not understood={http://www.w3.org/2005/08/addressing}Action
I also generated a jar of the classes generated by wsdl2java and imported it into another agent, but the error below is displayed.
java.lang.UnsupportedClassVersionError: JVMCFRE003 bad major version; class=, offset=6
The question is: is there no way to consume a web service with SOAP 1.2 in Domino, which only supports up to version 1.1?
Thanks a lot!
I don't believe that Domino's web service consumer supports SOAP 1.2 at this time. You might be able to do what you need with an agent though - here's one way: How can I call a SOAP 1.2 Web service from a LotusScript agent?
In fact, there is no way to natively consume a web service with SOAP version 1.2. There are already several requests from IBM to upgrade the SOAP version. What I did was to develop a new layer through a new web service with SOAP version 1.1, which internally calls the web service with SOAP version 1.2.

SSO jbpm 6.2 via CAS server 4.0.0?

I want to use SSO for jbpm 6.2 via CAS server 4.0.0 (CAS is running on Tomcat), but I don't know how to do it. I searched on Google but I can't find how to configure the WildFly of jbpm 6.2 with the CAS server.
Please help me, thank you for your help!
I have no experience with CAS, but this tutorial helped me set up jbpm 6.1 with WSO2 Identity Manager.
http://riyazmsm.blogspot.mx/2014/05/jbpm-60-sso-integration-with-wso2.html
It might not be the same but this can put you on the right track since CAS can also handle SAML. Wildfly uses picketlink to handle security federation, reading the docs will be helpful on your journey.

Single Sign On using SAML implementation with JBOSS 4.3 server

We are trying to design a Single Sign On using a SAML implementation. Our application uses the JBOSS 4.3 server. Based on our research, JBOSS 4.3 does not support SAML standards. Has anyone had the same experience? What alternative can we use for this scenario?

Connecting to Jira remotely Using Netbeans or other client tools

I am using Atlassian JIRA™ (Professional Edition, Version: 3.0.3-#75) and NetBeans IDE 7.1.
But when trying to validate a connection to Jira from NetBeans, it gave me this error: "Jira RPC services are not enabled",
although I have enabled it and I also enabled "allow remote calls" in Jira.
To be more specific "RPC JIRA Plugin" that I have installed is
The standard JIRA RPC services, both SOAP and XML-RPC.
Plugin Version: 1.1
JIRA version: 3.0
It has
System XML-RPC Services (xmlrpc)
The standard JIRA XML-RPC services.
RPC Field Coordinator (rpcFieldCoordinator)
Issue Service (issueService)
User Service (userService)
Token Manager (tokenManager)
System SOAP Services (soap)
The standard JIRA SOAP services.
Magic Field Validator (magicFieldValidator)
Project Service (projectService)
My global configurations are:
Allow users to vote on issues ON
Allow users to watch issues ON
Allow unassigned issues ON
Cache issues ON
External user management OFF
Logout Confirmation Never
Use Gzip Compression OFF
Accept remote API calls ON
BTW, it is not just NetBeans; I got the same problem with other tools as well when connecting to Jira.
I will appreciate it if an answer can be found ASAP.
Thanks
Answering an old question, but I thought someone else might find this useful.
I got the same error today setting up an issue tracker in NetBeans 7.2 and I eventually tracked it down to NetBeans not being able to correctly resolve (using DNS) the (local) host name that was running our JIRA server. When I changed NetBeans to use 'No Proxy' in the main settings, it worked fine.
EDIT: Note that as of version 7.0 of the JIRA server, Atlassian have deprecated the SOAP/XML-RPC API, so the JIRA Plugin for NetBeans no longer works. :-(