WSO2AM with SAML SSO - unable to create application keys - wso2

Trying to configure WSO2 AM (3.1.0) to authenticate / authorize purely with SAML SSO. As the SAML IdP we use Azure AD.
While it works to configure the Publisher or Store (Dev Portal) to use SAML SSO (https://apim.docs.wso2.com/en/latest/install-and-setup/setup/sso/okta-as-an-external-idp-using-saml/), the underlying primary userstore is still LDAP (with StartTLS) for the admin console. Our goal is to get rid of the LDAP connection.
When we configure the admin console to use SAML SSO (https://is.docs.wso2.com/en/5.9.0/learn/configuring-saml2-single-sign-on-across-different-wso2-products/), we can log in to the admin console.
Issue: when the admin console is configured to use SAML SSO and a user in the dev portal tries to create application credentials, we get the following error:
Caused by: org.apache.axis2.AxisFault: Access Denied. Please login first.
at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531) ~[axis2_1.6.1.wso2v41.jar:?]
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v41.jar:?]
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:457) ~[axis2_1.6.1.wso2v41.jar:?]
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228) ~[axis2_1.6.1.wso2v41.jar:?]
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) ~[axis2_1.6.1.wso2v41.jar:?]
at org.wso2.carbon.apimgt.keymgt.stub.subscriber.APIKeyMgtSubscriberServiceStub.createOAuthApplicationByApplicationInfo(APIKeyMgtSubscriberServiceStub.java:1348) ~[org.wso2.carbon.apimgt.keymgt.stub_6.6.163.jar:?]
at org.wso2.carbon.apimgt.keymgt.client.SubscriberKeyMgtClient.createOAuthApplicationbyApplicationInfo(SubscriberKeyMgtClient.java:64) ~[org.wso2.carbon.apimgt.keymgt.client_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.createOAuthApplicationbyApplicationInfo_aroundBody42(AMDefaultKeyManagerImpl.java:720) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.createOAuthApplicationbyApplicationInfo(AMDefaultKeyManagerImpl.java:715) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.createApplication_aroundBody0(AMDefaultKeyManagerImpl.java:125) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.createApplication(AMDefaultKeyManagerImpl.java:91) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication_aroundBody8(AbstractApplicationRegistrationWorkflowExecutor.java:145) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication(AbstractApplicationRegistrationWorkflowExecutor.java:123) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.generateKeysForApplication_aroundBody6(AbstractApplicationRegistrationWorkflowExecutor.java:119) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.generateKeysForApplication(AbstractApplicationRegistrationWorkflowExecutor.java:116) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete_aroundBody2(ApplicationRegistrationSimpleWorkflowExecutor.java:78) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete(ApplicationRegistrationSimpleWorkflowExecutor.java:66) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.execute_aroundBody0(ApplicationRegistrationSimpleWorkflowExecutor.java:54) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.execute(ApplicationRegistrationSimpleWorkflowExecutor.java:47) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.APIConsumerImpl.requestApprovalForApplicationRegistration_aroundBody144(APIConsumerImpl.java:3876) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
First I assumed that the issue is with the different authenticator for the admin services, but the user can create and publish APIs and create an application in the dev portal. The exception occurs only when generating the application credentials.
Any ideas?

Do you have multiple key managers? If yes, please make sure you have enabled stickiness at the LB level.

Related

Use the SAML attribute ForceAuthn with Google IdP

Actually, we use Google IdP as the SSO / SAML authentication type for our application.
We have configured it to connect our users to our application and it works fine.
But recently, we have also wanted to ask our users to reauthenticate for different actions that could happen during the application lifecycle.
In more detail, when we send a SAML request to the Google IdP, we add the attribute ForceAuthn="true" to the "AuthnRequest" node and we also add an AuthnContextClassRef to ask explicitly for a reauthentication by credentials.
When we send this SAML request to the Google IdP, the problem is that the IdP server doesn't ask the end user for credentials and redirects directly to the application with a successful response.
Is that normal?
Does the Google IdP support the attribute ForceAuthn="true"?
I didn't find any documentation on this topic.
Here is an example of the SAML request that has been sent to the IdP:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    Version="2.0"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="#url_sp"
                    ID="#id"
                    IssueInstant="2021-05-31T15:34:19Z"
                    Destination="https://accounts.google.com/o/saml2/idp?idpid=#id"
                    ProviderName="#ip"
                    IsPassive="false"
                    ForceAuthn="true">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">#url_sp</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        #signature_info
    </Signature>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Official answer from Google support: "Google doesn't currently implement Single Log out/account reauthentication, for SAML authorized services. You may alternatively have the use of 'session lengths'."
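The relying-party check that the question implies, as an added example that is not part of the original post and not Google's or any IdP's code: an SP that sets ForceAuthn="true" should verify from the returned assertion that the IdP actually authenticated the user afresh rather than answering from an existing session, by comparing the AuthnStatement's AuthnInstant against the request's IssueInstant and checking that the returned AuthnContextClassRef is one of those requested. All URLs and IDs are constructed, the ds:Signature element is omitted, and the sample Response is a made-up minimal one.

```python
"""Added example (not the poster's code): check that a SAML IdP honoured ForceAuthn.

Every URL, ID and the Response below are constructed; the Response mimics an IdP
that answers from an existing session instead of re-authenticating.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def parse_instant(value):
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(issuer, acs_url, destination, request_id, issue_instant,
                        force_authn=True, class_ref=PPT):
    """Build an AuthnRequest shaped like the one in the question.
    The ds:Signature element is left out here; production requests are signed."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "Version": "2.0",
        "ID": request_id,
        "IssueInstant": issue_instant,
        "Destination": destination,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
        "IsPassive": "false",
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(req, encoding="unicode")


def sample_response(authn_instant, class_ref=PPT):
    """Constructed, minimal Response: just enough structure for the check below.
    Real responses also carry Status, Subject, Conditions and a Signature."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" Version="2.0" '
        f'ID="_resp1" IssueInstant="2021-05-31T15:34:25Z">'
        f'<saml:Assertion Version="2.0" ID="_a1" IssueInstant="2021-05-31T15:34:25Z">'
        f'<saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_s1">'
        f'<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>'
        f'</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
    )


def check_forced_reauth(request_xml, response_xml):
    """Return (ok, reason).

    With ForceAuthn="true" the IdP must authenticate the user directly rather than
    rely on an earlier security context (SAML Core 3.4.1), so the assertion's
    AuthnInstant must not predate the request, and with Comparison="exact" the
    AuthnContextClassRef must be one of those requested.
    """
    req = ET.fromstring(request_xml)
    resp = ET.fromstring(response_xml)
    if req.get("ForceAuthn", "false").lower() != "true":
        return True, "ForceAuthn not requested; nothing to enforce"
    issued = parse_instant(req.get("IssueInstant"))
    wanted = {e.text for e in req.iter(f"{{{SAML}}}AuthnContextClassRef")}
    stmt = resp.find(f".//{{{SAML}}}AuthnStatement")
    if stmt is None:
        return False, "no AuthnStatement in assertion"
    if parse_instant(stmt.get("AuthnInstant")) < issued:
        return False, "AuthnInstant predates the request: IdP reused an existing session"
    got = stmt.find(f".//{{{SAML}}}AuthnContextClassRef")
    if wanted and (got is None or got.text not in wanted):
        return False, "AuthnContextClassRef does not match the requested class"
    return True, "fresh authentication confirmed"


# Constructed SP/IdP endpoints; IssueInstant copied from the request in the question.
REQUEST = build_authn_request(
    issuer="https://sp.example.test/metadata",
    acs_url="https://sp.example.test/saml/acs",
    destination="https://idp.example.test/sso",
    request_id="_req1",
    issue_instant="2021-05-31T15:34:19Z",
)

if __name__ == "__main__":
    # Session reuse: the user authenticated half an hour before this request.
    print(check_forced_reauth(REQUEST, sample_response("2021-05-31T15:00:00Z")))
    # Fresh login a few seconds after the request was issued.
    print(check_forced_reauth(REQUEST, sample_response("2021-05-31T15:34:24Z")))
```

The AuthnInstant comparison is the only signal an SP has that ForceAuthn was honoured; an IdP that ignores the flag, as described in the question, will typically return the AuthnInstant of the original login, and the SP can then refuse the sensitive action instead of treating the response as a reauthentication.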

Not able to validate token when using pre-packaged wso2 identity server as key manager for wso2 api manager

I am using WSO2 API Manager 2.6.0 and configured the pre-packaged Identity Server 5.7.0 as Key Manager. When I create an Application in the API Store and generate keys, I can see that Service Providers are getting created in Identity Server. I am also able to obtain a token using the generated consumer id and secret.
However, when I pass that token to my APIs I get an unclassified authentication error. Below is the exception that I can see in the logs:
ERROR - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAllURITemplates(WSAPIKeyDataStore.java:77)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getAllURITemplates(APIKeyValidator.java:791)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetAPIInfo(APIKeyValidator.java:639)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.findMatchingVerb(APIKeyValidator.java:573)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getResourceAuthenticationScheme(APIKeyValidator.java:357)
at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:127)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:210)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:158)
at org.apache.synapse.rest.API.process(API.java:325)
at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149)
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95)
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303)
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:92)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:337)
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:383)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:151)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAllURITemplates(APIKeyValidatorClient.java:189)
at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAllURITemplates(WSAPIKeyDataStore.java:75)
... 21 more
Caused by: java.lang.NullPointerException
at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAllURITemplates(APIKeyValidatorClient.java:183)
... 22 more
Any help would be much appreciated.
Please cross-check with this issue [1].
[1] https://github.com/wso2/product-apim/issues/3768

WSO2 API with WSO2 IS as KeyManager - NPE when using OAuth authorization

Having WSO2 API Manager 2.1.0 and WSO2 IS 5.3.0 KM (with prepackaged Key Manager), I set up the Key Manager as described in the documentation.
The main intention is to authenticate and authorize users with other federated IdPs and add some authorization capabilities. My assumption is that users authorized with WSO2 IS will receive an OAuth token valid for the defined APP and API.
So far all on localhost with IS offset 1. I created an API and an application, and that is usable from the API Store.
When trying to authorize a client through WSO2 IS using the authorization code grant type:
https://localhost:9444/oauth2/authorize?response_type=code&client_id=KJTbkbFmcDvslo2fjhzfQkaBH3Ea&redirect_uri=http%3A//localhost%3A8080/test2/callback
I am asked for credentials and authorization grant (looks ok) and then I receive an exception on IS:
[2018-03-27 10:43:51,822] ERROR {org.apache.catalina.core.StandardWrapperValve} - Servlet.service() for servlet [OAuth2Endpoints] in context with path [/oauth2] threw exception
java.lang.RuntimeException: org.apache.cxf.interceptor.Fault
at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:116)
...
Caused by: java.lang.NullPointerException
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:251)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.sendRequestToFramework(OAuth2AuthzEndpoint.java:1163)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:135)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorizePost(OAuth2AuthzEndpoint.java:574)
I assume I misconfigured some endpoint; however, any idea which service is invoked by the OAuth2AuthzEndpoint implementation, or a potential cause for this exception?
This is already reported in https://wso2.org/jira/browse/IDENTITY-5581.
You can WUM update the WSO2 IS 5.3.0 to resolve the issue.

How can I set up WSO2 API Manager login with Github?

I want to set up WSO2 APIM login with Github.
I have integrated WSO2 IS with APIM and installed the WSO2 IS Github authenticator, then followed the user guide Configuring Github Authenticator to set up the Github authenticator. It works for the sample app which is mentioned in the doc.
However, when I changed the SP to APIM, I got
Error 401 : Authorization Required.
The server couldn't verify that you are authorized to access the requested resource.
I have also read [Article] How To Setup a WSO2 API Manager Store Login with Google, and it seems no further special configuration is needed. The bad thing is I cannot connect to Google, so I cannot test it. :(
How can I fix this? Any suggestion? Thank you.
This is because the default role of the user is internal/everyone. We can update the internal/everyone role's permissions or change the default role in user-mgt.xml:
<Realm>
    <configuration>
        .....
        <EveryOneRoleName>everyone</EveryOneRoleName> <!--change it-->
    </configuration>
</Realm>
and it will work.

wso2 identity server integration with esb

I am a beginner to WSO2. I am facing some challenges in integrating WSO2 Identity Server with the ESB. I followed the "http://wso2.org/library/articles/2010/10/using-xacml-fine-grained-authorization-wso2-platform/" blog. I am getting some errors related to authenticating the user when using the entitlement component in the ESB.
Following is the error I get in the console:
[2012-07-06 19:23:42,312] ERROR - EntitlementMediator User name not provided for the Entitlement mediator - can't proceed
[2012-07-06 19:23:42,312] ERROR - EntitlementMediator Error occured while evaluating the policy
org.apache.synapse.SynapseException: User name not provided for the Entitlement mediator - can't proceed
at org.wso2.carbon.identity.entitlement.mediator.EntitlementMediator.mediate(EntitlementMediator.java:149)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:60)
at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:114)
at org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:154)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:181)
at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
at org.apache.synapse.transport.nhttp.ServerWorker.processEntityEnclosingMethod(ServerWorker.java:409)
at org.apache.synapse.transport.nhttp.ServerWorker.run(ServerWorker.java:261)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:173)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Can anyone please help me understand it?
Thanks in advance.
Charan
Have a look at this article [1] to see how you can secure it.
[1] http://wso2.org/library/articles/2011/06/securing-web-service-integration
This is because the service request to the ESB proxy service is not secured using a username-token-based policy. Please make sure that the proxy is secured with the Username Token security scenario as per the article and that your client is sending the username token credentials in the WS-Security header of the request to the proxy service.