WSO2 Single Sign-On - single-sign-on

I am new to WSO2 and I followed this post to enable Single Sign-On (SSO) for the following scenario:
Virtual machine running CentOS (IP: 192.168.0.18)
WSO2 Identity Server 4.1.0 installed with https port: 9443
WSO2 Application Server 5.1.0 installed with https port: 9443
Here is the problem:
When I access the Application Server management console, I am redirected to the identity provider login page as expected and I can log in.
I am then redirected to the initial request (Application Server MGT Console), but a message appears telling me that the authentication/authorization fails.
In the log files I can see the following error:
TID: [0] [AS] [2013-05-14 16:13:32,128] INFO {org.wso2.carbon.identity.authenticator.saml2.sso.common.builders.AuthenticationRequestBuilder} - Building Authentication Request {org.wso2.carbon.identity.authenticator.saml2.sso.common.builders.AuthenticationRequestBuilder}
TID: [0] [AS] [2013-05-14 16:13:32,388] ERROR {org.wso2.carbon.identity.authenticator.saml2.sso.util.Util} - Content is not allowed in prolog. {org.wso2.carbon.identity.authenticator.saml2.sso.util.Util}
TID: [0] [AS] [2013-05-14 16:13:32,389] ERROR {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} - System error while Authenticating/Authorizing User : Error occured while processing saml2 response {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator}
org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticatorException: Error occured while processing saml2 response
    at org.wso2.carbon.identity.authenticator.saml2.sso.util.Util.unmarshall(Util.java:87)
    at org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator.login(SAML2SSOAuthenticator.java:64)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
I searched the net for this error but was not able to find anything that could help me solve this problem.
Any help is welcome.
Thanks.

This is due to a version difference between the SAML components being used in the two servers. We will make a public patch available.

Related

Identity provider oauth callback error to keycloak 502

I am running Keycloak 19.0.2 in dev mode. When trying to log in to Microsoft from Keycloak (SSO) using the OAuth2 flow, I get a 502 error in the browser on the callback to Keycloak. The code param has a strange value also.
I believe it has something to do with user permissions, but I can clearly see I have defined them.
The callback to the Keycloak server throws a 502 error and has strange values in the code params.
The Keycloak server errors with the following logs:
2022-10-17 13:08:46,517 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (executor-thread-42) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not obtain user profile from Microsoft Graph
2022-10-17 13:08:46,542 WARN [org.keycloak.events] (executor-thread-42) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=8ca06b23-d544-4464-a3bf-448be5308802, clientId=recruit-api, userId=null, ipAddress=127.0.0.1, error=identity_provider_login_failure, code_id=62aaf7bf-9c08-4c88-a7c3-e6f7af282de1, authSessionParentId=62aaf7bf-9c08-4c88-a7c3-e6f7af282de1, authSessionTabId=WjArYJ99WyM

Handling Keycloak error "Could not process response from SAML identity provider"

I am trying to set up ADFS (Windows Server 2012 R2) SSO using Keycloak (12.0.2). On the ADFS side all looks fine, but when I run a test (using IdP-initiated logon on ADFS and trying to proceed to Keycloak), I see an "internal error" web page and the below in the Keycloak logs:
ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-1) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:512)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:559)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:259)
    at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:174)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [...]
Are there any typical hints on how to study that ("could not process" isn't awfully informative)?
Thanks.
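Both the WSO2 "Content is not allowed in prolog" failure at the top of the page and this "Could not process response from SAML identity provider" error are the receiving side giving up on a SAML Response it was handed, and in both cases the first study step is the same: capture the SAMLResponse form value from the browser (the POST to the assertion consumer endpoint) and look at it offline. The script below is an added example, not code from either question or from the WSO2 or Keycloak projects; the host names and the sample Response are constructed. It undoes the transport encoding, flags the three things that turn into "Content is not allowed in prolog" in a Java XML parser (a UTF-8 BOM, stray bytes before the first `<`, or a DEFLATE-compressed HTTP-Redirect payload delivered to a POST endpoint), and then summarizes the fields a broker checks before it will log anyone in: status, issuer, Destination, Audience and which elements carry a signature.

```python
"""Offline triage of a SAMLResponse form value as an SP (the WSO2 Application
Server above) or a brokering IdP (Keycloak) receives it.  Added diagnostic, not
code from either question or from WSO2/Keycloak; host names and the sample
Response are constructed."""
from __future__ import annotations
import base64
import binascii
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, unsigned sample (real Responses carry ds:Signature elements).
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2013-05-14T14:13:32Z" InResponseTo="_q1" Destination="https://sp.example.test/acs">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-05-14T14:13:32Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def encode_for_binding(xml_bytes: bytes, binding: str = "POST") -> str:
    """The SAMLResponse value an IdP emits: base64 for HTTP-POST, raw DEFLATE then base64 for HTTP-Redirect."""
    if binding == "Redirect":
        c = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
        xml_bytes = c.compress(xml_bytes) + c.flush()
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_saml_response(form_value: str) -> tuple[bytes, list[str]]:
    """Undo the transport encoding; report anything that makes a Java XML parser
    fail before it has even seen a samlp:Response element."""
    notes: list[str] = []
    try:
        raw = base64.b64decode(form_value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"SAMLResponse is not valid base64 ({exc}); truncated or URL-decoded twice?")
    if not raw.lstrip().startswith(b"<"):
        try:  # Redirect-binding payload delivered to a POST endpoint?
            inflated = zlib.decompress(raw, -15)
        except zlib.error:
            inflated = b""
        if inflated.lstrip().startswith(b"<"):
            raw = inflated
            notes.append("payload was DEFLATE-compressed: Redirect-binding encoding on a POST endpoint")
    if raw.startswith(b"\xef\xbb\xbf"):
        notes.append("stripped a UTF-8 BOM; Java reports it as 'Content is not allowed in prolog'")
        raw = raw[3:]
    raw = raw.lstrip()  # leading whitespace is legal XML when there is no XML declaration
    idx = raw.find(b"<")
    if idx < 0:
        raise ValueError(f"decoded payload contains no XML at all: {raw[:40]!r}")
    if idx > 0:
        notes.append(f"{idx} non-XML byte(s) before the document ({raw[:idx]!r}): "
                     "'Content is not allowed in prolog' in Java parsers")
        raw = raw[idx:]
    return raw, notes


def summarize_response(xml_bytes: bytes) -> dict:
    """The fields a broker checks before it will log the user in."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError(f"root element is {root.tag}, not samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "destination": root.get("Destination", ""),
        "in_response_to": root.get("InResponseTo", ""),
        "status": status.get("Value", "") if status is not None else "",
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "audience": "" if assertion is None else assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip(),
    }


def triage(form_value: str, expected_destination: str = "", expected_audience: str = "") -> tuple[dict, list[str]]:
    """Decode, summarize and list the mismatches an SP or broker rejects on."""
    xml_bytes, findings = decode_saml_response(form_value)
    s = summarize_response(xml_bytes)
    if not s["status"].endswith(":Success"):
        findings.append(f"IdP returned {s['status']}: fix the IdP-side failure first")
    if expected_destination and s["destination"] != expected_destination:
        findings.append(f"Destination {s['destination']!r} is not this SP's consumer URL")
    if expected_audience and s["audience"] != expected_audience:
        findings.append(f"Audience {s['audience']!r} does not match the SP entity ID")
    if not (s["response_signed"] or s["assertion_signed"] or s["assertion_encrypted"]):
        findings.append("no ds:Signature on Response or Assertion: a signature-requiring SP rejects this")
    return s, findings


if __name__ == "__main__":
    for label, value in [("POST", encode_for_binding(SAMPLE_RESPONSE)),
                         ("Redirect-on-POST", encode_for_binding(SAMPLE_RESPONSE, "Redirect")),
                         ("BOM", encode_for_binding(b"\xef\xbb\xbf" + SAMPLE_RESPONSE))]:
        summary, findings = triage(value, "https://sp.example.test/acs", "https://sp.example.test")
        print(label, summary["status"].rsplit(":", 1)[-1], findings)
```

Feed `triage()` the captured form value together with the consumer URL and entity ID the SP is actually configured with; a Destination or Audience that names a different host or port (a proxy in front of the SP, or http versus https) is a far more common cause of a bare "could not process" than anything cryptographic, and the notes from `decode_saml_response()` tell you whether the failure happened before the XML was ever parsed.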

Connecting to a publicly exposed SOAP service through WSO2 ESB and API Manager

I am working on a scenario, 'connecting to a backend service with simple SOAP binding', which needs to be exposed as a RESTful service using WSO2 ESB and API Manager.
API Manager is essential in my scenario, so I can't ignore it.
I have configured both but am facing some issues with authentication.
Below is the error log describing the problem.
[2015-10-06 18:10:59,721] ERROR - APIUtil Unauthorized client domain :null. Only "[]" domains are authorized to access the API.
[2015-10-06 18:10:59,727] ERROR - AbstractKeyValidationHandler Error while validating client domain
org.wso2.carbon.apimgt.api.APIManagementException: Unauthorized client domain :null. Only "[]" domains are authorized to access the API.
    at org.wso2.carbon.apimgt.impl.utils.APIUtil.checkClientDomainAuthorized(APIUtil.java:3916)
    at org.wso2.carbon.apimgt.keymgt.handlers.AbstractKeyValidationHandler.checkClientDomainAuthorized(AbstractKeyValidationHandler.java:92)
    at org.wso2.carbon.apimgt.keymgt.handlers.AbstractKeyValidationHandler.validateSubscription(AbstractKeyValidationHandler.java:73)
    at org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService.validateKey(APIKeyValidationService.java:157)
    at org.wso2.carbon.apimgt.keymgt.service.thrift.APIKeyValidationServiceImpl.validateKey(APIKeyValidationServiceImpl.java:131)
    at org.wso2.carbon.apimgt.impl.generated.thrift.APIKeyValidationService$Processor$validateKey.getResult(APIKeyValidationService.java:278)
    at org.wso2.carbon.apimgt.impl.generated.thrift.APIKeyValidationService$Processor$validateKey.getResult(APIKeyValidationService.java:266)
    at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:32)
    at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:34)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:176)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
[2015-10-06 18:10:59,749] ERROR - APIUtil Unauthorized client domain :null. Only "[]" domains are authorized to access the API.
[2015-10-06 18:10:59,750] WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure.
Please suggest where I am going wrong.
Note that I am using a simple publicly available SOAP service for the scenario.
This may be happening because your token has expired. So set the value below in identity.xml:
AccessTokenDefaultValidityPeriod to -1
and restart the server.
For more information read
https://docs.wso2.com/display/AM190/Token+API#TokenAPI-Configuringthetokenexpirationtime
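As an added configuration fragment (not taken from the question, the answer or the WSO2 documentation) to put the answer's diagnostic setting next to the one worth keeping afterwards. The enclosing `<OAuth>` element is assumed from the usual identity.xml layout, so locate the element by name in your own file rather than pasting the block; the 3600 is a constructed example value.

```xml
<!-- identity.xml: OAuth access token lifetime, in seconds (parent element assumed) -->
<OAuth>
  <!-- The answer's setting: -1 means issued access tokens never expire, which
       takes expiry off the table while you confirm that is the cause. -->
  <AccessTokenDefaultValidityPeriod>-1</AccessTokenDefaultValidityPeriod>

  <!-- Bounded lifetime to restore once the diagnosis is done, so that a token
       that leaks or is forgotten stops working on its own (example value). -->
  <!-- <AccessTokenDefaultValidityPeriod>3600</AccessTokenDefaultValidityPeriod> -->
</OAuth>
```

If the error persists with a non-expiring token, the message itself is the next lead: "Only "[]" domains are authorized" says the key being validated has an empty allowed-domain list while the client domain resolves to null, so the domain restriction on the application's keys is the setting to check next.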

Jasig CAS - 404 code after successful service ticket validation

We are currently trying to deploy CAS 4.0.1 on a JBoss EAP 6.3.0 server.
The login webflow was customised in order to redirect to a specific login form depending on the service calling CAS for authentication. Depending on these forms, we use specific authentication handlers, and a specific Credential model. Besides that, the configuration is rather standard.
At the moment, we are experiencing the following issue: when a user attempts to access a service secured by CAS, he is correctly redirected to the portal and the expected login view is rendered; upon successful login, the Service Ticket is delivered to the authentication filter on the service side (standard j_spring_cas_security_check), which then validates it successfully against CAS' ticket registry. We see in the logs that CAS is rendering the cas2ServiceSuccessView; however, instead of delivering the expected XML response, the user is redirected to the login form.
We then confirmed that we were in fact getting a 404 error after the cas2ServiceSuccessView... Any idea what could trigger such behaviour/what we could have done wrong?
Note that we are getting the same error regardless of how we call CAS for the ST validation: whether it is manually through /serviceValidate?ticket=ST-YYY&service=XXX, or via the /j_spring_cas_security_check on the service side...
Edit: we have the same behaviour running CAS on Tomcat 7.
Thanks in advance.
Below the debug logs that we are getting:
08:54:10,806 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) Last-Modified value for [/cas/serviceValidate] is: -1
08:54:10,809 INFO [org.perf4j.TimingLogger] (http-/0.0.0.0:8080-7) start[1433314450807] time[2] tag[VALIDATE_SERVICE_TICKET]
08:54:10,810 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] (http-/0.0.0.0:8080-7) Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-3-uecoOwdbdIn4bc2WvXfe-cas-test
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Wed Jun 03 08:54:10 CEST 2015
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
08:54:10,810 DEBUG [org.springframework.validation.DataBinder] (http-/0.0.0.0:8080-7) DataBinder requires binding of required fields [renew]
08:54:10,811 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) Rendering view [org.springframework.web.servlet.view.InternalResourceView: name 'cas2ServiceSuccessView'; URL [/WEB-INF/view/jsp/cas2ServiceSuccessView.jsp]] in DispatcherServlet with name 'cas'
08:54:10,811 DEBUG [org.springframework.web.servlet.view.InternalResourceView] (http-/0.0.0.0:8080-7) Added model object 'assertion' of type [org.jasig.cas.validation.ImmutableAssertion] to request in view with name 'cas2ServiceSuccessView'
08:54:10,811 DEBUG [org.springframework.web.servlet.view.InternalResourceView] (http-/0.0.0.0:8080-7) Removed model object 'pgtIou' from request in view with name 'cas2ServiceSuccessView'
08:54:10,811 DEBUG [org.springframework.web.servlet.view.InternalResourceView] (http-/0.0.0.0:8080-7) Forwarding to resource [/WEB-INF/view/jsp/cas2ServiceSuccessView.jsp] in InternalResourceView 'cas2ServiceSuccessView'
08:54:10,812 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) Successfully completed request
08:54:10,814 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) DispatcherServlet with name 'cas' processing GET request for [/cas/login]
08:54:10,814 DEBUG [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] (http-/0.0.0.0:8080-7) Mapping request with URI '/cas/login' to flow with id 'login'
In Spring Security 4.x, CasAuthenticationFilter's defaultFilterProcessesUrl path has changed.
So change '/j_spring_cas_security_check' to '/login/cas' in the configuration.
... and of course, the cause was rather silly: somehow (I have to look at our merge/git history), the viewResolver bean defined in cas-servlet.xml did not have a basenames property set.
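To make the asker's finding concrete, here is an added illustration of the view-resolution beans in a CAS 4.0.x cas-servlet.xml. It is not a file from the question or from the CAS project but a reconstruction from memory of the stock file, so the bean ids, placeholder values (`${cas.viewResolver.basename}`, `protocol_views`) and the JSP prefix are assumptions to compare against your own copy. What it shows is the fallback chain already visible in the debug log above: with `basenames` missing, the `ResourceBundleViewResolver` has no bundle in which to look up `cas2ServiceSuccessView`, the URL-based resolver behind it turns the bare view name into `/WEB-INF/view/jsp/cas2ServiceSuccessView.jsp` (exactly the URL in the `Rendering view` log line), that JSP does not exist, and the container answers 404 even though the ticket had been validated.

```xml
<!-- cas-servlet.xml, view resolution (reconstructed illustration; values assumed) -->

<!-- Order 0: maps view names through the properties bundles listed in basenames.
     With no basenames property this resolver can map nothing and every view
     name falls through to the resolver below. -->
<bean id="viewResolver"
      class="org.springframework.web.servlet.view.ResourceBundleViewResolver"
      p:order="0">
  <property name="basenames">
    <list>
      <value>${cas.viewResolver.basename}</value> <!-- set in cas.properties (assumed) -->
      <value>protocol_views</value>               <!-- bundle holding the CAS 2.0 protocol views (assumed) -->
    </list>
  </property>
</bean>

<!-- Order 1: fallback that builds prefix + viewName + suffix.  For
     cas2ServiceSuccessView that is /WEB-INF/view/jsp/cas2ServiceSuccessView.jsp,
     which does not exist, hence the 404 after a successful validation. -->
<bean id="urlBasedViewResolver"
      class="org.springframework.web.servlet.view.UrlBasedViewResolver"
      p:viewClass="org.springframework.web.servlet.view.InternalResourceView"
      p:prefix="/WEB-INF/view/jsp/"
      p:suffix=".jsp"
      p:order="1"/>
```

The tell-tale in a DEBUG log is the view class: a correctly resolved protocol view logs a URL under the protocol JSP directory, whereas a `Rendering view [... InternalResourceView ...]` line whose URL is just the view name plus `.jsp` means the bundle resolver was skipped.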

PingFederate SLO - Status Message: Invalid signature

After I invoke single-log-out (SLO), by calling 'GET' on https://[PingFederate Server Instance]:[Port]/sp/startSLO.ping, my PingFederate server begins making requests to my SP logout services. [I know this because I can see it happening in Fiddler.]
But when one of my SPs invokes "https://<PingFederate DNS>:XXXX" + request.getParameter("resume"); (per Scott T.'s answer here), I get an error message:
Error - Single Logout Nonsuccess Response status: urn:oasis:names:tc:SAML:2.0:status:Requester
Status Message: Invalid signature
Your Single Logout request did not complete successfully. To logout out of your Identity Provider and each Service Provider, close all your browser windows.
Partner: XXXX:IDP
Target Resource: http://<domain>/<default SLO endpoint>
My Questions:
What is this error message referring to?
How can I resolve this error condition?
This error is likely due to a mismatch in configuration between IdP and SP. The signing key/certificate for SAML messages used at one end must match the verification certificate at the other end. Check your Credentials configuration on your connection for both IdP and SP. See this section in the PingFederate Administration Guide for some details.
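The check the answer describes can be done offline before touching either console: take the IdP's SAML metadata, pull out the certificate(s) it publishes for signing, and compare their fingerprints with the verification certificate the SP has on file. The script below is an added example, not PingFederate code; the metadata, entity IDs and certificate bytes are constructed placeholders (the "DER" is not a real X.509 certificate, which is enough to show the comparison). It also catches the classic slip behind an "Invalid signature" status: importing the IdP's encryption certificate as the verification certificate instead of its signing one. Verifying an actual XML-DSig signature needs a dedicated library; this only answers whether the SP could ever trust the IdP's signature with its current configuration.

```python
"""Compare the signing certificate an IdP publishes in its SAML metadata with the
verification certificate an SP has on file.  Added check, not PingFederate code;
metadata, entity IDs and certificate bytes are constructed placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Placeholder "DER" bodies, not real X.509 certificates.
IDP_SIGNING_DER = b"placeholder-idp-signing-certificate-2015"
IDP_ENCRYPTION_DER = b"placeholder-idp-encryption-certificate-2015"


def b64(der: bytes) -> str:
    return base64.b64encode(der).decode("ascii")


# Constructed IdP metadata with one KeyDescriptor per use, as IdP exports commonly look.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(IDP_SIGNING_DER)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(IDP_ENCRYPTION_DER)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/idp/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form admin consoles display."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def pem_to_der(pem: str) -> bytes:
    """Strip PEM framing and decode the base64 body."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode("".join(body.split()))


def as_pem(der: bytes) -> str:
    """Wrap DER in the PEM framing an SP keystore import expects."""
    return "-----BEGIN CERTIFICATE-----\n" + b64(der) + "\n-----END CERTIFICATE-----\n"


def signing_fingerprints(metadata_xml: str) -> list[str]:
    """Fingerprints of every certificate the IdP says it signs with.  A
    KeyDescriptor without a use attribute covers both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    out = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            out.append(fingerprint(base64.b64decode("".join((cert.text or "").split()))))
    return out


def check_verification_cert(idp_metadata_xml: str, sp_trusted_pem: str) -> tuple:
    """(True, detail) when the SP's verification cert is one the IdP actually signs with."""
    trusted = fingerprint(pem_to_der(sp_trusted_pem))
    published = signing_fingerprints(idp_metadata_xml)
    if trusted in published:
        return True, f"SP trusts {trusted[:23]}..., which the IdP publishes for signing"
    return False, (f"SP trusts {trusted[:23]}... but the IdP signs with "
                   + ", ".join(p[:23] + "..." for p in published)
                   + "; expect 'Invalid signature' on every signed message")


if __name__ == "__main__":
    print(check_verification_cert(IDP_METADATA, as_pem(IDP_SIGNING_DER)))
    print(check_verification_cert(IDP_METADATA, as_pem(IDP_ENCRYPTION_DER)))  # wrong cert imported
```

Run the same comparison in the other direction with the SP's metadata and the IdP's copy of the SP certificate, since SLO is signed on both legs; an error with `Requester` in the status is the IdP's report that it could not verify what the SP sent, so the SP's signing certificate as held by the IdP is the first pair to check.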