SAML2 Web SSO configuration is not opening: JSPException while including path '/sso-saml/add_service_provider.jsp' - wso2-identity-server

When configuring SAML2 Web SSO, we are not able to proceed because of a configuration issue on the "Inbound Authentication Configuration" page. The log shows the following:
[2020-12-03 13:04:28,617] ERROR - JspTilesRequestContext JSPException while including path '/sso-saml/add_service_provider.jsp'.
javax.servlet.jsp.JspException: ServletException while including page.
at org.apache.tiles.jsp.context.JspUtil.doInclude(JspUtil.java:102) ~[tiles-jsp_2.0.5.wso2v1.jar:?]
at org.apache.tiles.jsp.context.JspTilesRequestContext.include(JspTilesRequestContext.java:88) [tiles-jsp_2.0.5.wso2v1.jar:?]
at org.apache.tiles.jsp.context.JspTilesRequestContext.dispatch(JspTilesRequestContext.java:82) [tiles-jsp_2.0.5.wso2v1.jar:?]
at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:465) [tiles-jsp_2.0.5.wso2v1.jar:?]
at org.apache.tiles.jsp.taglib.InsertAttributeTag.render(InsertAttributeTag.java:140) [tiles-jsp_2.0.5.wso2v1.jar:?]
at org.apache.tiles.jsp.taglib.InsertAttributeTag.render(InsertAttributeTag.java:117) [tiles-jsp_2.0.5.wso2v1.jar:?]
at org.apache.tiles.jsp.taglib.RenderTagSupport.execute(RenderTagSupport.java:171) [tiles-jsp_2.0.5.wso2v1.jar:?]
at org.apache.tiles.jsp.taglib.RoleSecurityTagSupport.doEndTag(RoleSecurityTagSupport.java:75) [tiles-jsp_2.0.5.wso2v1.jar:?]
at org.apache.tiles.jsp.taglib.ContainerTagSupport.doEndTag(ContainerTagSupport.java:80) [tiles-jsp_2.0.5.wso2v1.jar:?]
at org.apache.jsp.admin.layout.template_jsp._jspx_meth_tiles_005finsertAttribute_005f7(template_jsp.java:780) [hc_2077817849/:?]
at org.apache.jsp.admin.layout.template_jsp._jspService(template_jsp.java:443) [hc_2077817849/:?]
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:71) [tomcat_9.0.31.wso2v1.jar:?]

I believe you are using the API Manager server (not the Identity Server). WSO2 API Manager doesn't support SAML inbound authentication, hence you are seeing an error when trying to add SAML configurations.
If you want SSO for SAML applications, you might have to use WSO2 Identity Server or an alternative.
P.S. The Management Console may contain the SAML option for Inbound Authentication, as it uses the same component as the Identity Server, but it will throw an error upon trying to edit it. Therefore, please stick to the alternative:
IS Documentation

Related

WSO2 - Unable to perform silent login using oidc library

I am using the oidc JS client library OIDC JS.
I have client code that connects to the WSO2 IdP server using OpenID Connect endpoints. The flow configured on the WSO2 server is implicit.
WSO2 version: wso2is-5.3.0
The normal login works fine. When it comes to the silent refresh of the access token, it fails.
I am using the "signinSilent" method of oidc to do a silent login via an iframe and get the latest access token.
This works fine with the Gluu server.
Here is the error we are getting (from the browser console screenshot):
Error:
Refused to display '<idp authz url>' in a frame because it set 'X-Frame-Options' to 'deny'
You can go to {carbonhome}/repository/deployment/server/webapps/oauth2/WEB-INF and add this to the HttpHeaderSecurityFilter:
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
This will disable the X-Frame-Options header and thus allow all domains. However, be careful when doing this. You can also set the antiClickJackingOptions and define the domains for which it is allowed.
In order to avoid this problem, the domain that will call the Identity Server has to be added to the CORS filter of the oauth2 web application shipped with WSO2 IS. To do so, just modify this file:
<wso2is_home>/repository/deployment/server/webapps/oauth2/WEB-INF/web.xml
and add the base URL you are going to allow to the param-name cors.allowed.origins:
[...]
<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>https://whatever.com, https://whatever2.com</param-value>
    </init-param>
[...]
After modifying this and restarting WSO2 IS, the browser will not block it again.
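The two answers above change Tomcat's HttpHeaderSecurityFilter and CorsFilter by hand, and a mistake there is invisible until someone frames the authorize endpoint or a foreign origin gets a credentialed response. The Python script below is an added example (not part of either answer and not WSO2 code): it parses a web.xml, reports the effective X-Frame-Options policy from the antiClickJackingEnabled / antiClickJackingOption / antiClickJackingUri parameters, lists the configured CORS origins, and flags the combinations a reviewer would reject. The web.xml fragment inside it is constructed for the example, and treating an absent cors.support.credentials as false is my assumption, not something the page states.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not the file shipped with WSO2 IS). It contains
# the two filters the answers above edit, with the permissive values applied.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>HttpHeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>antiClickJackingEnabled</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>https://whatever.com, https://whatever2.com</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def filter_params(web_xml_text):
    """Map each <filter-name> to its init-params (namespace-agnostic)."""
    result = {}
    for flt in ET.fromstring(web_xml_text).iter():
        if _local(flt.tag) != "filter":
            continue
        name, params = None, {}
        for child in flt:
            if _local(child.tag) == "filter-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(p.tag): (p.text or "").strip() for p in child}
                if "param-name" in kv:
                    params[kv["param-name"]] = kv.get("param-value", "")
        if name:
            result[name] = params
    return result


def framing_policy(params):
    """Effective X-Frame-Options for Tomcat's HttpHeaderSecurityFilter.
    Tomcat defaults: antiClickJackingEnabled=true, antiClickJackingOption=DENY."""
    if params.get("antiClickJackingEnabled", "true").lower() != "true":
        return "NONE"
    option = params.get("antiClickJackingOption", "DENY").upper()
    if option == "ALLOW-FROM":
        return "ALLOW-FROM " + params.get("antiClickJackingUri", "")
    return option


def audit(web_xml_text):
    """Report the framing policy and CORS allow-list, flagging risky settings."""
    filters = filter_params(web_xml_text)
    findings = []
    policy = framing_policy(filters.get("HttpHeaderSecurityFilter", {}))
    if policy == "NONE":
        findings.append("framing: X-Frame-Options disabled, any site may frame the "
                        "authorize endpoint (clickjacking)")
    cors = filters.get("CorsFilter", {})
    origins = [o.strip() for o in cors.get("cors.allowed.origins", "").split(",") if o.strip()]
    # Assumption for this example: an absent cors.support.credentials counts as false.
    credentials = cors.get("cors.support.credentials", "false").lower() == "true"
    if "*" in origins and credentials:
        findings.append("cors: wildcard origin combined with credentials")
    findings.extend("cors: plaintext origin " + o for o in origins if o.startswith("http://"))
    return {"framing": policy, "origins": origins, "credentials": credentials,
            "findings": findings}
```

Run it against <wso2is_home>/repository/deployment/server/webapps/oauth2/WEB-INF/web.xml after the change and expect the single framing finding. The narrower setting the first answer hints at is antiClickJackingOption=ALLOW-FROM with antiClickJackingUri set to the one SPA origin, which the script reports as `ALLOW-FROM <uri>`; note that current browsers no longer honour ALLOW-FROM (they use the CSP frame-ancestors directive instead), so the report tells you what Tomcat sends, not what the browser enforces.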

WSO2 API Manager TryIt feature null key

I'm using the WSO2 API Manager and I've added an API to it that was created in the WSO2 ESB, and when trying to use the TryIt feature I get the following error in the console log.
[2014-09-16 13:59:26,614] ERROR - APIAuthenticationHandler API authentication failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /Sub, version: v1.0.0 with key: null
at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:157)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:92)
at org.apache.synapse.rest.API.process(API.java:285)
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:83)
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:64)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:220)
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:83)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:344)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:168)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
I'm trying to send a GET request and there are no parameters for this API, and in the Authorization field I have entered
Bearer XXXACCESS+TOKEN+GOES+HEREXXXX
When testing this from the Advanced REST client or the REST Client in the Store it works. I've changed the port numbers in the various files (authorize, login, token, revoke) to match my port offset, and I've also configured my API Store addresses in api-manager.xml.
When you add that particular resource to your API, please select the "OPTIONS" verb as well. Otherwise this error will be given.
Also, check whether your /etc/hosts entries direct 'localhost' to '127.0.0.1' instead of the IP address of your machine. In that case, please open
{API-M installation DIR}/repository/conf/api-manager.xml
and modify the section relevant to Swagger appropriately by adding your IP address (or host-name)
from this,
<CORSConfiguration>
    <!--Configuration to enable/disable sending CORS headers from the Gateway-->
    <Enabled>true</Enabled>
    <!--The value of the Access-Control-Allow-Origin header. Default values are
    API Store addresses, which is needed for swagger to function.-->
    <Access-Control-Allow-Origin>https://localhost:9443,http://localhost:9763</Access-Control-Allow-Origin>
    <!--Configure Access-Control-Allow-Headers-->
    <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type</Access-Control-Allow-Headers>
</CORSConfiguration>
to this (add your own server IP instead),
<CORSConfiguration>
    <!--Configuration to enable/disable sending CORS headers from the Gateway-->
    <Enabled>true</Enabled>
    <!--The value of the Access-Control-Allow-Origin header. Default values are
    API Store addresses, which is needed for swagger to function.-->
    <Access-Control-Allow-Origin>https://192.168.56.101:9443,http://192.168.56.101:9763</Access-Control-Allow-Origin>
    <!--Configure Access-Control-Allow-Headers-->
    <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type</Access-Control-Allow-Headers>
</CORSConfiguration>
The above answer assumes that you didn't add any port offset to the API Manager. If you did, you should also change the port value (simply add that value to the existing port value) in the above configuration accordingly.
Thank you.
-Chathura
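The answer above comes down to three conditions the gateway checks before the Swagger console's cross-origin call can succeed: the resource must expose OPTIONS so the preflight is routed, the browser's Origin must match an Access-Control-Allow-Origin entry exactly (scheme, host and port, so `localhost` never matches an IP address), and the configured port must include any carbon port offset. The Python below is an added example, not API Manager's own code; it models that decision and the port-offset rewrite so a candidate configuration can be checked before api-manager.xml is edited. The origin strings are constructed from the snippet in the answer.

```python
from urllib.parse import urlsplit

# Constructed values shaped like the <Access-Control-Allow-Origin> entry in the
# api-manager.xml snippet above (not taken from a real deployment).
DEFAULT_ORIGINS = "https://localhost:9443,http://localhost:9763"
IMPLICIT_PORTS = {"https": 443, "http": 80}
ALLOW_HEADERS = "authorization,Access-Control-Allow-Origin,Content-Type"


def normalize_origin(origin):
    """Canonical (scheme, host, port) for an origin string; default ports made explicit."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in IMPLICIT_PORTS or not parts.hostname or parts.path not in ("", "/"):
        raise ValueError("not an origin: " + origin)
    return (parts.scheme, parts.hostname.lower(), parts.port or IMPLICIT_PORTS[parts.scheme])


def apply_port_offset(origins_csv, offset):
    """Rewrite each configured origin's port by the carbon port offset."""
    rewritten = []
    for entry in origins_csv.split(","):
        scheme, host, port = normalize_origin(entry)
        rewritten.append(f"{scheme}://{host}:{port + offset}")
    return ",".join(rewritten)


def preflight(origins_csv, origin_header, request_method, resource_methods):
    """Decide a CORS preflight the way a strict gateway does: the resource must
    expose OPTIONS, the Origin must match an allow-list entry exactly, and the
    requested method must be one the resource defines."""
    if "OPTIONS" not in resource_methods:
        return {"ok": False, "reason": "resource does not define the OPTIONS verb"}
    try:
        requested = normalize_origin(origin_header)
    except ValueError:
        return {"ok": False, "reason": "malformed Origin header"}
    allowed = {normalize_origin(o) for o in origins_csv.split(",")}
    if requested not in allowed:
        return {"ok": False, "reason": f"origin {origin_header} is not in the allow-list"}
    if request_method not in resource_methods:
        return {"ok": False, "reason": f"method {request_method} not defined on the resource"}
    return {"ok": True, "headers": {
        "Access-Control-Allow-Origin": origin_header,
        "Access-Control-Allow-Methods": ",".join(sorted(resource_methods)),
        "Access-Control-Allow-Headers": ALLOW_HEADERS,
    }}
```

The allow-list is a set of exact origins on purpose: echoing back whatever Origin arrives, or matching on host alone, would let any site on another port or scheme call the API with the user's token from the Store session.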

wso2 IS: Oauth hidden by default; gives exceptions when manually "unhidden"

After installing the Identity Server, I can't follow the tutorial here because "OAuth" doesn't appear under Main -> Manage in the admin console. Inspecting carbon.xml shows that it is hidden by default (reasonable explanations are welcome).
Enabling it in carbon.xml makes it appear, but when I register a new application, I get this error:
ERROR {org.apache.catalina.core.ApplicationDispatcher} - Servlet.service() for servlet bridgeservlet threw exception {org.apache.catalina.core.ApplicationDispatcher}
java.lang.NullPointerException
at org.apache.jsp.application.configure_002dservice_002dprovider_jsp._jspService(org.apache.jsp.application.configure_002dservice_002dprovider_jsp:155)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:111)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:403)
...
ERROR {org.apache.tiles.jsp.taglib.RoleSecurityTagSupport} - IO Error executing tag: JSPException while including path '/application/configure-service-provider.jsp'. ServletException while including page. {org.apache.tiles.jsp.taglib.RoleSecurityTagSupport}
java.io.IOException: JSPException while including path '/application/configure-service-provider.jsp'. ServletException while including page.
at org.apache.tiles.jsp.context.JspTilesRequestContext.include(JspTilesRequestContext.java:91)
at org.apache.tiles.jsp.context.JspTilesRequestContext.dispatch(JspTilesRequestContext.java:82)
at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:465)
....
Anybody else seen this before? I'm using WSO2 Identity Server 5.0.0
That article was written for WSO2 IS 4.6.0 and I have not tried it in IS 5.0 yet. But you should be able to get it working with IS 5.0 too. The only challenge is that IS 5.0 has a slightly different UI structure than 4.6.0.
For OAuth related configuration in IS 5.0, please go to Service Providers and add a new Service Provider. Then go to Inbound Authentication Configurations > OAuth/OpenID Connect Configuration > Configure
Hope this helps.
Edit: You can find official docs here.

How to download or know the URL of WSO2 Identity Server's SAML metadata?

What would be the URL of the newly set up SAML SSO's metadata, or how could I download it in XML format from WSO2 Identity Server (version 4.6.0) acting as IdP?
Thanks,
Tamas
WSO2 Identity Server now hosts the IDPSSODescriptor metadata file at this URL:
https://localhost:9443/identity/metadata/saml2
This feature is available from Identity Server version 5.3 onward.
AFAIK there is no option to auto-generate metadata files for IS. You have to write the metadata file manually. An example follows, taken from this blog post.
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://localhost:9443/samlsso" validUntil="2023-09-23T06:57:15.396Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE...=</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso" ResponseLocation="https://localhost:9443/samlsso"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/samlsso"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>
Yes, Identity Server does not support generating the IdP information as a metadata file. You need to create it manually, but I guess it will be available with a future release; there is an open public JIRA for this. You can find a generated SAML2 metadata file here. However, you may need to adapt it to your configuration: if you have changed your keystore, you need to change the X509 certificate data, and also the URLs of the samlsso endpoint. By default the SAML SSO endpoint is located at https://localhost:9443/samlsso. In your service provider config, you need to configure this URL as the IdP URL (both login and logout). You must provide the wso2carbon certificate to the service provider for validating the signature.
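Whichever way the IdP metadata is obtained (the /identity/metadata/saml2 endpoint in 5.3 and later, or a hand-written file like the one above), the service provider side has to pull the same things out of it: the entityID, the endpoints per binding, and the signing certificate it will pin for signature validation, and it should refuse a document that is past its validUntil. The Python below is an added example, not WSO2 code; the metadata document inside it is constructed to match the hand-written file above, and its certificate is a placeholder byte string, so the fingerprint it computes is only illustrative.

```python
import base64
import hashlib
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed IdP metadata in the shape of the hand-written file above. The
# certificate is a placeholder (base64 of a short byte string), not the
# wso2carbon certificate; a real file carries the DER-encoded X.509 certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder-not-a-real-certificate").decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://localhost:9443/samlsso" validUntil="2023-09-23T06:57:15.396Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso" ResponseLocation="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_saml_timestamp(value):
    """validUntil is an xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported validUntil: " + value)


def parse_idp_metadata(xml_text):
    """Extract what an SP needs: entityID, endpoints per binding, signing-cert
    SHA-256 fingerprints (over the DER bytes) and validUntil."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {
        "entity_id": root.get("entityID"),
        "sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)},
        "signing_sha256": fingerprints,
        "valid_until": root.get("validUntil"),
    }


def metadata_usable(meta, now, require_https=True):
    """Refuse metadata an SP should not trust: no signing cert, past validUntil,
    or endpoints that would send the SAML exchange over plaintext."""
    if not meta["signing_sha256"]:
        return False, "no signing certificate"
    if meta["valid_until"] and now >= parse_saml_timestamp(meta["valid_until"]):
        return False, "metadata expired"
    if require_https:
        for location in list(meta["sso"].values()) + list(meta["slo"].values()):
            if not location.startswith("https://"):
                return False, "non-TLS endpoint " + location
    return True, "ok"
```

Pin the fingerprint from a metadata file you fetched over TLS once and compare against it on every refresh; a changed signing certificate is exactly the event an SP should stop and look at rather than silently accept, which is also why a file with no KeyDescriptor is rejected outright here.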

Unauthorized Sharepoint WSDL from ColdFusion 8

How do I solve the error:
Unable to read WSDL from URL: https://workflowtest.site.edu/_vti_bin/Lists.asmx?WSDL.
Error: 401 Unauthorized.
I can successfully view the WSDL from the browser using the same user account.
I'm not sure which authentication is being used (Basic or Integrated).
How would I find that out?
The code making the call is:
<cfinvoke
    username="username"
    password="password"
    webservice="https://workflowtest.liberty.edu/_vti_bin/Lists.asmx?WSDL"
    method="GetList"
    listName="{CB02EB71-392E-4906-B512-8EC002F72436}"
>
The impression I get is that ColdFusion doesn't like being made to authenticate to get the WSDL.
Full stack trace:
coldfusion.xml.rpc.XmlRpcServiceImpl$CantFindWSDLException: Unable to read WSDL from URL: https://workflowtest.liberty.edu/_vti_bin/Lists.asmx?WSDL.
at coldfusion.xml.rpc.XmlRpcServiceImpl.retrieveWSDL(XmlRpcServiceImpl.java:709)
at coldfusion.xml.rpc.XmlRpcServiceImpl.access$000(XmlRpcServiceImpl.java:53)
at coldfusion.xml.rpc.XmlRpcServiceImpl$1.run(XmlRpcServiceImpl.java:239)
at java.security.AccessController.doPrivileged(Native Method)
at coldfusion.xml.rpc.XmlRpcServiceImpl.registerWebService(XmlRpcServiceImpl.java:232)
at coldfusion.xml.rpc.XmlRpcServiceImpl.getWebService(XmlRpcServiceImpl.java:496)
at coldfusion.xml.rpc.XmlRpcServiceImpl.getWebServiceProxy(XmlRpcServiceImpl.java:450)
at coldfusion.tagext.lang.InvokeTag.doEndTag(InvokeTag.java:413)
at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2662)
at cftonytest2ecfm1787185330.runPage(/var/www/webroot/tonytest.cfm:16)
at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:196)
at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:370)
at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:279)
at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
at coldfusion.filter.PathFilter.invoke(PathFilter.java:86)
at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:74)
at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
at coldfusion.CfmServlet.service(CfmServlet.java:175)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
at jrun.servlet.FilterChain.service(FilterChain.java:101)
at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
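The question asks how to tell whether the SharePoint endpoint wants Basic or Integrated (NTLM/Negotiate) authentication. The 401 response itself says so: each WWW-Authenticate header carries a challenge, and several challenges can share one header. The Python below is an added example (not ColdFusion or SharePoint code) that parses those headers, including commas inside a quoted realm, and reports which offered schemes a Basic-only client such as <cfinvoke> can use. The 401 header sets are constructed for the example, not captured from the site in the question.

```python
import re

# Constructed 401 header sets in the shape IIS/SharePoint returns them (not
# captured from the site in the question). Each entry is (header-name, value).
SAMPLE_401_WINDOWS_ONLY = [
    ("Content-Length", "0"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
]
SAMPLE_401_MIXED = [
    ("WWW-Authenticate", 'Basic realm="SharePoint, Lists"'),
    ("WWW-Authenticate", "Negotiate, NTLM"),
]

_SCHEME_RE = re.compile(r"^([A-Za-z][\w.-]*)(?:\s+(.+))?$")
_TOKEN68_RE = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")


def _split_outside_quotes(value):
    """Split on commas that are not inside a quoted-string (realm="a, b")."""
    pieces, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pieces.append("".join(buf))
    return [p.strip() for p in pieces if p.strip()]


def parse_www_authenticate(value):
    """Return [(scheme, params)] for one WWW-Authenticate value. Several challenges
    may share one header ("Negotiate, NTLM"), and a challenge's auth-params may be
    spread over later comma-separated pieces."""
    challenges = []
    for piece in _split_outside_quotes(value):
        m = _SCHEME_RE.match(piece)
        if m:
            scheme, rest = m.group(1), m.group(2)
            params = {}
            if rest and _TOKEN68_RE.match(rest):
                params["token68"] = rest           # e.g. a Negotiate/NTLM token blob
            elif rest:
                k, _, v = rest.partition("=")
                params[k.strip().lower()] = v.strip().strip('"')
            challenges.append((scheme, params))
        elif challenges and "=" in piece:          # continuation: nonce="...", qop="..."
            k, _, v = piece.partition("=")
            challenges[-1][1][k.strip().lower()] = v.strip().strip('"')
    return challenges


def challenges_from_headers(headers):
    """Collect challenges from every WWW-Authenticate header of a 401 response."""
    found = []
    for name, value in headers:
        if name.lower() == "www-authenticate":
            found.extend(parse_www_authenticate(value))
    return found


def usable_schemes(challenges, client_supports=("Basic",)):
    """Schemes the server offers that a client limited to client_supports can use.
    Empty means the client (a Basic-only <cfinvoke>, say) cannot authenticate."""
    wanted = {s.lower() for s in client_supports}
    return [scheme for scheme, _ in challenges if scheme.lower() in wanted]
```

Feed it the headers from `curl -sI` or the browser's network tab. If `usable_schemes` comes back empty the call cannot be fixed by changing credentials alone, which is the NTLM-only case the answers that follow describe; if Basic is offered, make sure the WSDL URL is https, since Basic sends the password in the clear otherwise.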
CFInvoke can only pass Basic authentication, not Windows Integrated authentication.
SharePoint won't be able to downgrade to Basic authentication, since SharePoint needs to know who is calling the services to check authentication and authorization for the data being requested.
Your best bet here is to create an ASP.NET proxy service you can call with CFInvoke, which will impersonate the Windows authentication you need to call the SharePoint web service.
Another option would be to create a C# COM object which makes the authenticated call and passes the information back to CF when you call the C# COM object from CF.
This blog post on cfsilence.com might help: ColdFusion/Sharepoint Integration - Part 1 - Authenticating
What it boils down to:
ColdFusion uses the Apache Axis web service library;
by default, this library can do nothing but Basic HTTP authentication;
you can configure Axis to use an alternative HTTP client library (Jakarta Commons);
this one can do NTLM authentication, with no need to change code or the IIS authentication scheme;
after a restart of ColdFusion, you should be good to go.
I know nothing about ColdFusion, but my first suspect would be a simple permission problem rather than anything CF specific.
Does that CF call use Basic or Integrated authentication? Does IIS match?
Can you browse to the WSDL using IE/Firefox and the same user account?
If it's a permission error like darpy and Ryan suggest, the easiest thing to do is grant the right permission to ColdFusion. On Windows, ColdFusion by default runs as the Local System account. You can change that by updating the Log On properties of the Windows service for ColdFusion.
I had the same problem.
Open your IIS and change the login type to Basic.
(In my German Windows it is: "Verzeichnissicherheit" (Directory Security) -> "Steuerung des Anonymen Zugriffs und der Authentifizierung" (Authentication and access control) -> "Bearbeiten" (Edit) -> set the checkbox for "Standardauthentifizierung" (Basic authentication).)
-Kevin