WSO2 Logout ID token signature validation failed - wso2

I want to log out from my service provider (SaaS) registered in WSO2.
I'm logged in with a tenant user, e.g. tenant#domain.com.
When I make the logout request "https://:9443/oidc/logout?id_token_hint=&post_logout_redirect_uri=" it responds with this error:
"ID token signature validation failed."
I've checked the "Use tenant domain in local subject identifier" option in the service provider.

There are a couple of things that could have gone wrong here. First, the id_token_hint param you entered could be expired or invalid. How did you obtain the ID token in this case?
Second, have you registered the post_logout_redirect_uri in the SP configurations in the IdP? Follow this to verify if the post_logout_redirect_uri is configured properly in the IdP. https://is.docs.wso2.com/en/5.9.0/learn/openid-connect-logout-url-redirection/
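The first point in the answer (an expired or invalid id_token_hint) can be checked on the client before the logout request is ever sent. The following is an added example, not code from the question, the answer or WSO2: a stand-alone check that runs the validations an IdP applies to id_token_hint (three-segment structure, signature, issuer, audience, expiry) and only then builds the /oidc/logout URL. It uses HS256 with a constructed secret so it runs offline; WSO2 IS signs ID tokens with its RSA key (RS256), so in practice the signature step would verify against the IdP's published JWKS instead. The issuer, client id and logout base URL are assumed values.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed demo secret and assumed IdP values; not taken from any real deployment.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
EXPECTED_ISSUER = "https://localhost:9443/oauth2/token"   # assumed issuer claim
EXPECTED_AUDIENCE = "demo_client_id"                      # assumed OAuth client id
LOGOUT_ENDPOINT = "https://localhost:9443/oidc/logout"    # assumed WSO2 IS logout URL


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT so the example has a token to validate offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def check_id_token_hint(token: str, secret: bytes = DEMO_SECRET, now=None):
    """Return (ok, reason) after the checks an IdP applies to id_token_hint."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token: expected three dot-separated segments"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "malformed token: segments are not base64url-encoded JSON"
    # Pin the algorithm: never let the token header choose how it is verified.
    if header.get("alg") != "HS256":
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "ID token signature validation failed"
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, f"issuer mismatch: {claims.get('iss')!r}"
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        return False, "audience does not contain this client"
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        return False, "token expired"
    return True, "ok"


def build_logout_url(token: str, post_logout_redirect_uri: str) -> str:
    """Refuse to send a logout request the IdP is going to reject anyway."""
    ok, reason = check_id_token_hint(token)
    if not ok:
        raise ValueError(f"refusing to send logout request: {reason}")
    query = urlencode({"id_token_hint": token,
                       "post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{LOGOUT_ENDPOINT}?{query}"


if __name__ == "__main__":
    # Constructed claims: the subject is a tenant user like the one in the question.
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
              "sub": "tenant@domain.com", "exp": 2_000_000_000}
    print(build_logout_url(make_id_token(claims), "https://sp.example.com/loggedout"))
    print(check_id_token_hint(make_id_token(claims, secret=b"wrong-key")))
```

If the local check already reports "token expired" or a signature mismatch, the ID token was issued by a different key (for example a different tenant's key) or is stale, which points to how the token was obtained rather than to the post_logout_redirect_uri registration.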

Related

WSO2 Identity Server: cannot log in?

I have created a service provider using OIDC. When I log in to it, 'invalid_grant, Invalid authorization code received from token request' occurred. How can I change my configuration on the service provider so that I can log in?
Thanks
This should not be a configuration issue in most cases and might be an issue with the token request which you send to exchange the authorization code for an access token.
Tip: You may validate whether the client id used in the /oauth2/authorize request matches the one sent in the /oauth2/token request.

How to use the Cognito LOGOUT endpoint to really log out?

I'm trying to use Federated Authentication to enable login with Microsoft AD. It works fine and we can log in. But when I call the LOGOUT endpoint as the documentation says ( https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html ) and try to log in again, I'm not being redirected to the Microsoft page to type my email and password again.
It seems like the email and password I typed are cached, and I can only see this login page again if I clear the cache. How can we really log out the user so that when they log in they need to type their email and password again?
Edit: I enabled 'Sign Out IdP Flow' as suggested in the answer but now I'm getting a 400 response saying "Required String parameter client_id is not present"
Does anybody have any clue how to solve this problem?
You will need to ensure you select 'Enable IdP sign out flow' on your SAML Identity provider in Cognito. After navigating your browser to the logout endpoint, you should then be redirected to the SAML IdP logout as well.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-console.html
Select Enable IdP sign out flow if you want your user to be logged out from the SAML IdP when logging out from Amazon Cognito.
Enabling this flow sends a signed logout request to the SAML IdP when the LOGOUT Endpoint is called.
Configure this endpoint for consuming logout responses from your IdP. This endpoint uses post binding.
Edit: I enabled 'Sign Out IdP Flow' as suggested in the answer but now I'm getting a 400 response saying "Required String parameter client_id is not present" Does anybody have any clue how to solve this problem?
You need to include the client_id parameter when calling the logout endpoint; the parameter is specified as required in the documentation you provided. The client id can be found in the AWS Cognito console under User pools > Your User pool name > App Integration > Your app client name, and you should see a Client ID there.

WSO2 Federated IDP RefreshToken with invalid username

community.
I'm using WSO2 IS 5.7.0 to integrate an Angular app with an external IDP.
The external IDP is configured with SAML2 and the service provider's Inbound Authentication is set to OAuth/OpenID.
The service provider uses Federated Authentication to communicate with the IDP.
The user uid from the IDP is matched with the claim userid, so when I ask for an OAuth token, I get the correct scopes (matching a local user with roles configured) to use the token with WSO2 AM. This is working well when I get the initial OAuth token using the code grant.
If I introspect this token, I can verify the token belongs to the username XXXXXXXX and the scopes are the ones to consume an API on WSO2 AM, based on the roles associated to the local user XXXXXXXX.
The problem is when the refresh token is used to get a new access token after expiration. The new access token comes with the same scopes, but I cannot consume the same API I was consuming with the first token. I get a 403 Forbidden on every call and the AM log shows:
WARN - APIAuthenticationHandler API authentication failure due to Invalid Credentials
(The first WARN appears only once)
WARN - APIAuthenticationHandler API authentication failure due to The access token does not allow you to access the requested resource
(this WARN appears on the subsequent calls)
If I introspect the received token, I can see the same scopes as the original access token, but the username is different:
FEDERATED/XXXXXXXX#carbon.super.
I think this username change on the token information leads to the 403 error.
The problem is worse if I activate the Service Provider option "Use tenant domain in local subject identifier" on the Local & Outbound Authentication Configuration. In this case, every time I ask for a new token with the refresh token, the tenant is appended to the username in an infinite loop:
XXXXXXXX#carbon.super#carbon.super#carbon.super#carbon.super
On every token I get, the introspection shows me another #carbon.super appended to the username of the previous token. In this case, the FEDERATED/ prefix is not always present on the username.
I expect the username associated with the refresh token to be equal to the one on the first access token.
Is there a configuration to solve this, or is this a bug? Is it resolved in newer releases of WSO2 IS?
(sorry for my English)
Thanks!
A similar issue is reported [1] and fixed with PR [2].
[1] https://github.com/wso2/product-is/issues/4472
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/1022
If you don't have a WSO2 subscription, upgrading to 5.8.0 will resolve the issue.

wso2 - Does WSO2 Identity Server support IDP-initiated logout from a federated IDP?

We are using WSO2 Identity Server 5.3.0. I configured trust between WSO2 IDP (symbolic name "IDP1") and the Service provider (symbolic name "SP1"). Then I configured a second trust between WSO2 acting as a service provider ("SP2") and a federated IDP (symbolic name "IDP2", some public/gov service). SP1 protects some resources; access to them is granted only when users are authenticated to IDP2. Everything is based on the SAML protocol.
Login works fine - login requests are redirected from WSO2 (=IDP1) to IDP2.
IDP1-initiated logout works fine too.
But IDP2-initiated logout fails with the message (in a browser): "Attention: Something went wrong during the authentication process. Please try signing in again." It generates this record in the WSO2 log: "{...DefaultRequestCoordinator} Context does not exist. Probably due to invalidated cache".
During the IDP2-initiated logout a correct LogoutRequest is sent to WSO2 (https://amsrv.mydomain.org:9443/commonauth).
Does WSO2 support such a scenario (IDP2-initiated logout)?
SLO works based on the session ID. You cannot invalidate a session that is not recognized by the IDP.
Your log seems to indicate that the context [pointed to by the session id provided in the SLO request] does not exist, so it cannot be terminated.
Please deactivate ciphering on the flow, run Wireshark and look at it. WSO2IS provides a screen in the user dashboard to see which sessions are open and with which ids.
I suspect that IdP2 is sending the session ID of the session between Client and IdP2... not the session ID of the session between Client and IdP1.
Jeff

Custom Query Param in WSO2 SAML 2.0 Request

Can I add a custom query param to the wso2 SAML 2.0 request other than SAMLRequest and RelayState?
I want to make a SAML request with a target URL query param, to redirect to the target URL after authentication succeeds.
Example :9443/samlsso?SAMLRequest=jZPRb9owE.........&targetURL=home.jsp
You can add custom query parameters to the SAML Request... But only the "RelayState" would be redirected back to the service provider by WSO2IS. If you want to redirect to a target URL after authentication success, you must configure it as the ACS in the service provider configurations of WSO2IS.
You can use any parameter. But only RelayState will be redirected back to the SP.
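The answer's point is that the only value an SP can expect back is RelayState, so that is where the post-login target has to be carried. The following is an added example, not code from the question, the answer or WSO2: it encodes a constructed AuthnRequest for the HTTP-Redirect binding (raw DEFLATE then base64, as the SAML 2.0 bindings specify), builds the /samlsso URL with RelayState carrying the target path, and on the ACS side resolves RelayState against an allowlist before redirecting. Because RelayState round-trips through the browser, an SP that redirects to it unchecked has an open redirect; the allowlist is the mitigation. The IdP URL, SP origin and allowed paths are assumed values.

```python
import base64
import zlib
from urllib.parse import urlencode, urlsplit, parse_qs

IDP_SSO_URL = "https://localhost:9443/samlsso"         # assumed WSO2 IS SSO endpoint
SP_ORIGIN = "https://sp.example.com"                   # assumed service provider origin
ALLOWED_RETURN_PATHS = {"/home.jsp", "/dashboard"}     # constructed allowlist of landing pages

# Constructed AuthnRequest; a real SP would generate the ID and IssueInstant per request.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'sp.example.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_request(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header) then base64."""
    compressor = zlib.compressobj(wbits=-15)
    deflated = compressor.compress(xml.encode()) + compressor.flush()
    return base64.b64encode(deflated).decode()


def decode_redirect_request(encoded: str) -> str:
    """Inverse of encode_redirect_request, as the IdP side would apply it."""
    return zlib.decompress(base64.b64decode(encoded), wbits=-15).decode()


def build_sso_redirect(target_path: str) -> str:
    """SP side: carry the post-login target in RelayState, the one value the IdP echoes."""
    if target_path not in ALLOWED_RETURN_PATHS:
        raise ValueError(f"refusing to encode unknown return path {target_path!r}")
    params = {
        "SAMLRequest": encode_redirect_request(AUTHN_REQUEST),
        "RelayState": target_path,
    }
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def parse_sso_redirect(url: str) -> dict:
    """Split the redirect URL back into single-valued query parameters."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def resolve_post_login_redirect(relay_state: str) -> str:
    """ACS side: RelayState came back through the browser, so treat it as untrusted.
    Only an allowlisted relative path is honoured; anything else lands on the SP root."""
    if relay_state in ALLOWED_RETURN_PATHS:
        return SP_ORIGIN + relay_state
    return SP_ORIGIN + "/"


if __name__ == "__main__":
    url = build_sso_redirect("/home.jsp")
    print(url)
    echoed = parse_sso_redirect(url)["RelayState"]   # what the IdP posts back to the ACS
    print(resolve_post_login_redirect(echoed))
    print(resolve_post_login_redirect("https://attacker.example/"))  # falls back to SP root
```

A custom targetURL parameter could be added to the same query string, but nothing in the flow returns it to the SP, so the ACS would never see it; RelayState is both the supported channel and the one that needs validating on the way back.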