Currently with wso2 Identity service we are using when we send a password reset link the link is not expiring after used. Looking at the documentation at the newer versions of wso2 identity this should be expiring after being used it seems the confirmation code is not expiring and letting the user click the link multiple times.
Related
I followed the below steps to enable password recovery using email notification.
https://docs.wso2.com/display/IS530/Password+Recovery
When I click forgot password button on dashboard login page, it asks for username and after that throw below error
Code : 20017
Message :Notification based password recovery is not enabled
I checked code in github and found property recovery.notification.password.enable is used but could not locate in any config file or any documentation. I am using WSO2IS 5.3.0.
How can i enable password recovery through end user dashboard if not mentioned in above mentioned steps.
Assume you are following the old and deprecated method. The steps for new APIs are available at the REST API Guide, It is also linked from the section "Password recovery using REST APIs" in the page you referred.
What you need to do is enable the Notification Based Password Recovery Enabled at the Resident Identity Provider configuration at management console and optionally set the expiry time for notifications.
We are going to be using WSO2 Identity server to authenticate users into a web portal. The web portal will contain many sso links to other systems. Currently, the only identity protocol we are using is CAS (From Ellucian).
Our issue is when someone logs into our web portal, using CAS from wso2, then that user browses around through the portal for 10+ minutes, then that user clicks a link to a service relying on the wso2 session, that session has timed out, and the user must log into wso2 again.
Is it possible to programatically extend the user's session by sending something from the web portal periodically? Like a URL call saying "Hey, I'm still using the wso2 session, don't end it please!".
Any request that you will make from that browser to WSO2 IS from your application e.g. portlet, servlet, that will access session will automatically extend it.
If you are using the SSO features of IS, it has a default session idle timeout of 15 minutes. You can increase this timeout as described in [1]. As this is a idle timeout any request that access the session in the IS will delay the session expiry time as described in this answer
[1] https://docs.wso2.com/display/IS510/Configuring+Session+Timeout
We are using WSO2 IS 5.0.0 and are implementing the user recovery process. We have noticed that when the user gets the confirmationCode from the email sent from executing the soap call "sendRecoveryNotification" in UserInformationRecoveryService that the confirmationCode is only valid for one attempt.
Is there a way to set the confirmationCode to remain valid until the user successfully updates their password as well as other similar operations requiring WSO2 generated confirmationCodes?
This is fixed with [1] and will be available in IS 5.1.0-Alpha-2
Isura
[1]https://wso2.org/jira/browse/IDENTITY-3175
I'm currently using WSO2 Identity server along with several service providers. I have also configured Single sign on between them.
According to the documentation a system admin can configure a validity in seconds for any SSO sessions under /repository/conf/identity.xml, so that an user can enter their credentials, tick "remember me", and log-in to any service provider while the session is still valid. However, changing this value doesn't seem to have any effect. Users can still log-in to the other service provider even when the SSO Session has supposedly expired.
Searching a bit more threw this JIRA on WSO2 Oxygen Tank, describing exactly the same problem and has a patch that calls setMaxAge on the "Remember me" cookie, but this hasn't fixed the issue.
Furthermore, according to this question sessions in memory must be persisted after 15 minutes, and the persistence doesn't work properly. There are a few patches. Yet still, when I try a value of, say, 30 seconds, I can still log-in on another service provider after the SSO session has supposedly expired, so I don't think it's a persistence issue since the session is still on the cache.
How exactly is the session expired on the identity server? Does it send LogoutRequests to every configured service provider on timeout, or is the expiration only valid for new sessions?
How exactly is the session expired on the identity server?
By default Identity Server 5.0 have session for 15mins and it only can reduce the time using the web.xml (which is at <IS_HOME>/repository/conf/tomcat/carbon/WEB-INF/ folder)
If you installed Service Pack 1 for the Identity Server 5.0, it have the session persistence as well. So using that
Identity Server's session timeout can be increased as mentioned in the docs.
Does it send LogoutRequests to every configured service provider on timeout, or is the expiration only valid for new sessions?
Identity Server session timeout only valid for new sessions, and it does not send any LogoutRequests to service providers to invalidate existing Service Providers' sessions.
I have a situation where I need to setup a standalone version of wso2 Identity Server and have that act as the SSO provider into all of the products in Stratos.
Currently I have Stratos Identity Server configured so that I can login via the standalone Identity Server, using admin.
However, if I use another user I either
get a "Authorization Failure"
or cannot login.
First Question
1) I have the same user created in both Identity Server (that is not admin). Why would I get the "Authorization Failure" ?
Second Question
2) Why is it I can not even get to the "Authorization Failure" problem if I have a user created with username in format of user#domain.com ?
UPDATE:
I figured out that if I remove the property tags in user-mgt.xml that reference the usernames with regular expressions I am able to create usernames in the format of name#domain.com. But I am still unable to use that username to login, the error log says that the account has not been activated.
I also created two instances of wso2 identity server and configured them in such a way to test being able to use one to login to the other. I was able to do this by making sure that the same username and password was in both servers list of users. This way I do not get the "Authorization Failure"
The answers I came up with.
1. I need to have the same username and password in each Identity Server.
2. I cannot have format name#domain.com unless I have Multi-tenancy configured. Otherwise wso2 will try to find the ACTIVATE field in the Tenant table and not find it.
UPDATE: I got this installed and configured and it turned out that I now get another error about
Issuer details are not valid. Issuer details should be registered in advance
So my answer turned out not to to be valid.
I wonder why I get this new login failure?
UPDATE RESOLVED!!:
I resolved this problem by downloading just the wso2 stratos IS 1.5.2 package. I installed it. Configured with same configuration I was using before. Now I can login without problems across domains.