Situation:
Our instance of WSO2 API Manager 3.0 is not logging out via the Publisher. Logout does work via the Store.
Details:
When a user clicks the logout link in the Publisher they are prompted with an OpenID Connect logout prompt: "Do you want to logout?". Upon clicking 'Yes' the user is returned to the Publisher with the session still active.
The same user is able to log out via the Store. When they log out from the Store, their Publisher session is also logged out.
The problem arises only when they attempt to log out of the Publisher session.
Configuration:
Our WSO2 instance is connected to an Oracle Cloud IAM.
The callback settings for both the Publisher and Store are the same.
e.g. https://our-iam-server.our-companny.com/signout.html
Navigation to Store settings (working):
Identity (menu bar in Carbon) -> Service Providers -> List -> admin_admin_store -> Edit -> Inbound Authentication Configuration -> OAuth/OpenID Connect Configuration -> Edit -> Enable OIDC Backchannel Logout -> Backchannel Logout Url
Navigation to Publisher settings (not working):
Identity (menu bar in Carbon) -> Service Providers -> List -> admin_admin_publisher -> Edit -> Inbound Authentication Configuration -> OAuth/OpenID Connect Configuration -> Edit -> Enable OIDC Backchannel Logout -> Backchannel Logout Url
Value is the same on both pages:
We customized the JavaScript on both the Store and Publisher with the following:
var str = document.referrer;
var substr = "oauth2_logout_consent.do";
// If the browser arrived here from the IS logout consent page, send it on to the IAM sign-out page.
if (str.includes(substr)) {
    alert("relocating to https://[IAM-hostname]/signout.html");
    window.location.replace("https://[IAM-hostname]/signout.html");
}
In the Store, the 'alert' block is reached and logout is successful.
In the Publisher, the 'alert' block is never reached.
Any ideas?
Solution: Upgrade to API-Manager version 3.1.
Reason: Version 3.0 does not have the 'Logout Endpoint URL' parameter as shown below. Version 3.1 does.
I am running WSO2 Identity Server 5.7.0 and using OpenID Connect. I currently receive an invalid redirect error when I navigate to https://MY_DOMAIN/oidc/logout, when I think I should be redirected to a page under the /authenticationendpoint resource. I noticed in the "Logout Endpoint URL" under Resident Identity Provider > Inbound Authentication Configuration > OAuth2/OpenID Connect Configuration is set to "https://MY_DOMAIN:-1/oidc/logout".
I am assuming the Logout Endpoint URL is configured based on the OIDCLogoutEPUrl config value in identity.xml. In my identity.xml file this value is set to ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oidc/logout.
My first question: Is the Logout Endpoint URL value only copied to the database when WSO2 is first run and the databases are initialized?
Followup question: If the answer to that is no, how can I configure that value without re-seeding the database?
Thanks for your help.
Answering your first question:
The Logout Endpoint URL will not be added to the database during the first run. The value is always read from identity.xml -> OAuth -> OIDCLogoutEPUrl during server start-up. However, it is important to have the path "oidc/logout" in order to deliver the logout request to "OIDCLogoutServlet" [1].
Once OIDCLogoutServlet receives the logout request, further redirection customization can be done by changing OIDCLogoutConsentPage and OIDCLogoutPage.
Reference
[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/internal/OIDCSessionManagementComponent.java#L65
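As an added example (not code from the question, the answer or WSO2), the Python check below resolves the identity.xml placeholders from the question and flags the two failure points discussed in this thread: a port that cannot be used for a redirect (the -1 seen in the question) and a path other than /oidc/logout, which would not reach OIDCLogoutServlet. The carbon.* property values are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the OIDCLogoutEPUrl template quoted in the question, in the
# ${...} placeholder form used by identity.xml.
OIDC_LOGOUT_EP_URL = "${carbon.protocol}://${carbon.host}:${carbon.management.port}/oidc/logout"

# Constructed property sets. "-1" reproduces the port seen in the question's
# "https://MY_DOMAIN:-1/oidc/logout"; 9443 is the default IS HTTPS port.
BROKEN_PROPS = {"carbon.protocol": "https", "carbon.host": "MY_DOMAIN", "carbon.management.port": "-1"}
FIXED_PROPS = {"carbon.protocol": "https", "carbon.host": "MY_DOMAIN", "carbon.management.port": "9443"}

_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def resolve(template: str, props: dict) -> str:
    """Expand ${name} placeholders; unknown names are left in place so validation flags them."""
    return _PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), template)


def validate_logout_url(url: str) -> list:
    """Return the problems that would break an OIDC logout redirect (empty list means OK)."""
    problems = []
    if "${" in url:
        problems.append("unresolved placeholder")
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"scheme is {parsed.scheme!r}, expected https")
    try:
        port = parsed.port  # raises ValueError for unusable ports such as -1
    except ValueError:
        port = None
    if ":" in parsed.netloc and port is None:
        problems.append(f"invalid port in netloc {parsed.netloc!r}")
    # Per the answer, the request must reach OIDCLogoutServlet, which is served at /oidc/logout.
    if parsed.path.rstrip("/") != "/oidc/logout":
        problems.append(f"path is {parsed.path!r}, expected /oidc/logout")
    return problems
```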
So I'm getting the error:
The ad account is not enabled for usage in Ads API. Please add it in
developers.facebook.com/apps -> select your app -> settings ->
advanced -> advertising accounts -> Ads API. Account XXXXXXXX not
enabled for this application.
This happens while trying to add/remove a user from a custom audience. Here is my code:
# Imports assume the facebook_business SDK (successor of the older facebookads package).
from facebook_business.api import FacebookAdsApi
from facebook_business.adobjects.customaudience import CustomAudience

access_token = "<ACCESS_TOKEN>"  # placeholder; the real token is not shown in the post
FacebookAdsApi.init(access_token=access_token)
custom_audience = CustomAudience('123456789')
# Remove a user by hashed e-mail; the SDK hashes the address when schema is email_hash.
response = custom_audience.remove_users(
    schema=CustomAudience.Schema.email_hash,
    users=[
        'example@email.com',
    ]
)
But when I go to the App control panel the Ad Account is already added.
What am I missing? I gave the app access to the Ad Account on the business configuration panel.
It seems that you also need to manage the Ad Accounts that are going to be accessed by this API on:
Products > Marketing API > Configuration
This solved the issue.
For getting user info in WSO2 SSO, I'm using the API below:
https://localhost:9443/oauth2/userinfo?schema=openid
the result is like this:
{
"sub": "mahyar.z",
"family_name": "Zarif Kar Asli",
"email": "mahyar.z@mtnirancell.ir"
}
But I expect more claims. In Service Provider -> Claim Configuration I added some local claim dialect. In the user profile list I can see these claims, but in the JSON result from the API only some of them appear.
I'm using AD as the user store, and I added local claims that are mapped to AD user attributes. For example, I added the http://wso2.org/claims/custom/company claim, which is mapped to the company attribute in AD.
I can see the user's company in User Profile, but it is not in the JSON result, as you can see.
So how can I get all the user info?
What you should do is:
Place the claims you want to return in the dialect wso2.org/oidc/claim (Add External Claim)
Add Claims to Service Providers -> Claim Settings -> Claims Requested -> Add Claim URIs
Edit the added claims in Registry -> Browse -> Tree -> _system / identity / oidc -> Properties / openid
I have tried integrating WSO2 Identity Server with QlikSense via the SAML 2 protocol.
Stack Overflow doesn't allow embedding images, sorry.
I have set up the WSO2 SP configuration and the QlikSense server SAML2 configuration, but the QlikSense logs display "Exists SAML Attribute statement : 0".
The SAML authentication process has failed on the SAML Response to QlikSense.
Also, I just found that the WSO2 SAML Response is missing the "attribute statement" tag.
SAML Response (SP: QlikSense): [screenshot; the AttributeStatement is missing]
[WSO2 log screenshot]
I think the key point is "Invalid AttributeConsumingServiceIndex in AuthnRequest "
Is it possible to edit AttributeConsumingServiceIndex in the WSO2 configuration?
It seems you are not sending the correct AttributeConsumingServiceIndex value in your SAML request, which corresponds to the WSO2 SP.
You can find the AttributeConsumingServiceIndex from the Issuer list view of your SP.
Click on your SP
Expand Inbound Authentication Configuration -> SAML2 Web SSO Configuration
Here the Issuer list view shows the "Attribute Consuming Service Index" value.
Either you have to include this value in the SAML authentication request's AttributeConsumingServiceIndex attribute or you have to omit this attribute in the SAML request.
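As an added example (not code from the question, either answer, WSO2 or Qlik), the Python check below inspects an AuthnRequest for the AttributeConsumingServiceIndex discussed in this answer, compares it with the index configured for the SP, and counts AttributeStatements in a Response so the "Exists SAML Attribute statement : 0" symptom can be detected on the SP side. Both XML samples are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed minimal AuthnRequest in the shape an SP sends to WSO2 IS; the index
# value 2 and the SP URL are illustrative, not taken from a real Qlik deployment.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_req1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
  AttributeConsumingServiceIndex="2"
  AssertionConsumerServiceURL="https://qlik.example.test/samlauthn/">
  <saml:Issuer>qlik-sp</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed Response whose assertion carries no AttributeStatement, i.e. the
# symptom reported above ("Exists SAML Attribute statement : 0").
RESPONSE_NO_ATTRS = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>localhost</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_consuming_service_index(authn_request_xml: str, sp_configured_index: int) -> str:
    """Compare the request's AttributeConsumingServiceIndex with the SP's configured value.

    Returns "match", "omitted" (attribute absent, the answer's second option) or
    "mismatch: request=<n> sp=<m>", the case that leaves the Response without attributes.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a SAML 2.0 AuthnRequest: {root.tag}")
    raw = root.get("AttributeConsumingServiceIndex")
    if raw is None:
        return "omitted"
    if int(raw) == sp_configured_index:
        return "match"
    return f"mismatch: request={raw} sp={sp_configured_index}"


def count_attribute_statements(response_xml: str) -> int:
    """Count AttributeStatement elements across all assertions of a Response (0 = nothing released)."""
    root = ET.fromstring(response_xml)
    return len(root.findall(f".//{{{SAML}}}AttributeStatement"))
```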
You can change the Attribute Consuming Service Index from WSO2 IS and get Qlik working.
Click Browse under Registry in Main tab in IS Management Console.
Navigate to _system >config >repository >identity >SAMLSSO
Under this directory, you will find one file for each SAML SSO service provider you have configured in IS. File name does not have any resemblance to the SP, so you will have to check each to find what it is.
Once you click on the file it will go to the Detail view (it is in Tree View by default).
In the Detail view, you can check the Properties for that SP by clicking the "+" icon on the right side of the Properties tab. (Use the properties to identify the correct file for Qlik.)
You will see AttributeConsumingServiceIndex property in the list.
Change this value to 1 and save property.
Restart the server and try the Qlik login again.
I'm using the javascript client library to try to get a list of users in a domain, but I'm getting a 404 not found in the response.
// Load the Admin SDK Directory API, then list the users of the domain.
gapi.client.load('admin', 'directory_v1', function() {
    var request = gapi.client.directory.users.list({ domain: "mydomain.com" });
    request.execute(function(resp) {
        console.log(resp);
    });
});
I have a load function before this that gets the userinfo and that works fine; it's just the Directory API I can't get working. I added the admin.directory.user scope, and I have the proper client ID and API key. I enabled the Admin SDK in the Services tab of my project. The account that the project was created in has all administrator privileges except super admin. Is there some extra step you have to take to use Admin SDK APIs? What am I missing?
Any help would be appreciated.
You need to grant OAuth access for the client ID in the admin console.
Security -> Advanced settings -> Manage OAuth client access
And then add your client ID and the scope needed.