Invalid Grant on different tenant - wso2

I'm very new to WSO2 AM and I have this scenario:
I create a new tenant on Carbon; on that new tenant I create a JDBC user store, my users are listed correctly in the "Identity > Users and Roles" tab, then I create a new Service Provider with OAuth/OpenID Connect Configuration and grant_type password.
When I want to test my configuration (¿generate a new token?) via Postman > Get New Access Token like the following image:
When I request the token the answer is
{"error_description":"Users in the tenant domain : carbon.super do not have access to application myapplication","error":"invalid_grant"}
I don't understand why it tries to use the carbon.super domain when I'm using my new domain in the Access Token URL.
Searching in Google I found that it can work when I enable my Service Provider as a "SaaS Application", but when I do that the new response is:
{"error_description":"Authentication failed for nicolas_webfile","error":"invalid_grant"}
I'm using WSO2 API Manager 2.6.0

As you're using API Manager, change the request as below.
URL: http://localhost:8243/token
Username: user@webfile.com
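As an added example (not code from the answer above), this builds the password-grant request the answer describes with Python's standard library, showing the tenant-qualified username that makes the gateway resolve the user in webfile.com instead of carbon.super, and classifies the two invalid_grant responses quoted in the question. The https scheme on port 8243, the consumer key/secret and the password are assumed placeholders.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request

SUPER_TENANT = "carbon.super"

# Error bodies quoted in the question above, used as sample input.
TENANT_ERROR = ('{"error_description":"Users in the tenant domain : carbon.super do '
                'not have access to application myapplication","error":"invalid_grant"}')
AUTH_ERROR = '{"error_description":"Authentication failed for nicolas_webfile","error":"invalid_grant"}'


def resolve_tenant(username):
    """Split a WSO2 tenant-qualified username (user@tenant.domain).
    A bare username is resolved against the super tenant, which is why the
    request with 'nicolas_webfile' was evaluated in carbon.super."""
    if "@" in username:
        user, tenant = username.rsplit("@", 1)
        return user, tenant.lower()  # tenant domains are lower-case
    return username, SUPER_TENANT


def build_password_grant_request(token_url, consumer_key, consumer_secret, username, password):
    """Return a urllib Request for the OAuth2 password grant: client credentials
    go in HTTP Basic auth, user credentials in the form body ('@' becomes %40)."""
    creds = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    body = urlencode({"grant_type": "password", "username": username, "password": password}).encode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return Request(token_url, data=body, headers=headers, method="POST")


def classify_token_error(response_text):
    """Map the token endpoint's error JSON to the likely cause."""
    err = json.loads(response_text)
    desc = err.get("error_description", "")
    if err.get("error") != "invalid_grant":
        return err.get("error", "unknown")
    if "tenant domain" in desc and "do not have access" in desc:
        return "tenant-mismatch"      # username lacks @tenant, or SP is not SaaS
    if desc.startswith("Authentication failed"):
        return "bad-credentials"      # user not found in the resolved tenant, or wrong password
    return "invalid_grant"


if __name__ == "__main__":
    # https://localhost:8243 is an assumed gateway URL; the request is built, not sent.
    req = build_password_grant_request("https://localhost:8243/token", "CONSUMER_KEY",
                                       "CONSUMER_SECRET", "user@webfile.com", "PASSWORD")
    print(req.full_url, req.data, resolve_tenant("user@webfile.com"))
    print(classify_token_error(TENANT_ERROR), classify_token_error(AUTH_ERROR))
```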

Related

How to customize the hostname of the token endpoint shown in the devportal of WSO2 API Manager?

I've configured in deployment.toml the hostname of an Active-Active WSO2 API Manager cluster so each node is properly named: node1.cloud.client.com, node2.cloud.client.com.
Besides I've configured the https_endpoint for the API Gateway URL: gateway.cloud.client.com.
When I login to the developer portal console and access the Oauth2 tokens screen I see localhost:9443 as the token endpoint URL. How can I customize it to a proper hostname? Should it point to a node nodeX.cloud.client.com or the gateway gateway.cloud.client.com?
If you are using the resident KeyManager, this resides in the control plane and not in the gateway. Therefore please use the nodeX.cloud.client.com.
There are two places that show the token endpoint in the devportal.
At the applications.
At the API overview page
You can customise both of them as you want.
You can use the admin portal to update the token url shown at application view page by updating the resident key manager.
Log in to admin portal (https://cp-host/admin)
Select resident Key manager from keymanagers tab.
Update the display token endpoint and revoke endpoint as you want.
You can change the token endpoint that is shown in the devportal API view by updating the deployment.toml file of the control plane.
Please update the following section in your configuration with the appropriate token endpoint.
[[apim.gateway.environment]]
name = "Default"
type = "hybrid"
.
.
http_endpoint = "http://nodeX.cloud.client.com"
https_endpoint = "https://nodeX.cloud.client.com"
..
You can customize the token endpoint URL by adding the following configuration to the deployment.toml file.
[apim.key_manager]
service_url = "https://<key_manager_url>/services/"
This configuration specifies the key manager URL, which is involved in generating access tokens. You can see the Key Manager related configurations here.
According to your setup, the key manager URL should point to nodeX.cloud.client.com
[apim.key_manager]
service_url = "https://nodeX.cloud.client.com/services/"

I'm trying to integrate AWS Cognito with Azure Ad for single sign on, but the page login.live.com/oauth20_authorize.srf is throwing a 404 error?

When trying to login via my AWS Cognito's login page via Azure AD with email@live.com credentials, I'm being redirected to https://login.live.com/oauth20_authorize.srf?response_type=code&client_id=51483342-xxx-xxx-xxx-xxxx... and the page is throwing a 404 error.
Steps:
Created an Azure AD Enterprise Non Gallery Application.
Added identifier to enterprise application: urn:amazon:cognito:sp:ap-southeast-1_xxxxx
Added reply url as: https://xxxxx.auth.ap-southeast-1.amazoncognito.com/saml2/idpresponse
Downloaded the SAML Signing Certificate > Federation Metadata XML and uploaded it on Cognito by adding a new SAML identity provider.
Mapped SAML attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to Email under Cognito Attribute Mapping.
Enabled the AzureAd identity provider under App Client Settings on Cognito.
Allowed OAuth Flows: Authorization code grant, Implicit grant.
Invited an existing xxx@live.com user to Azure Active Directory and assigned a role to the user in the newly created Enterprise application.
Validated SSO from Enterprise Application > SSO > Validate. It's working correctly, without any errors.
Problem:
When trying to login via Cognito's login URL: https://xxxxx.auth.ap-southeast-1.amazoncognito.com/login?response_type=token&client_id=Cognito-App-Client-ID&redirect_uri=Callback-url-specified-in-cognito-app-client-settings --> AzureAd, I'm being redirected to https://login.microsoftonline.com/... where I enter the added user's email ID: xxx@live.com; after clicking next, instead of a password prompt the page throws a 404 error.
Also tried inviting another user with email: xxx@mydomain.com; this also results in the same 404 error.
Tried in different browsers: chrome, firefox, safari. All result in the exact same error.
Azure AD SSO SAML2.0 integration doesn't work well with personal accounts.
Integrating with OIDC on the other hand works really well.
Azure AD integration with AWS Cognito.

SSO established between WSO2 IS 5.3 and WSO2 API Manager 2.2. Tenant users are not able to login to store and publisher

SSO established between wso2 identity server and wso2 api manager. Added API_Publisher and API_Store as a service provider in identity server.
Created 2 tenants in Identity Server, citizen.in and business.in, and created users under those tenants. When I try to login to API-M Publisher with API-URL/Publisher the page redirects to Identity Server for authentication but the authentication fails:
"Login failed! Please recheck the username and password and try again."
Also checked that the users in the tenants are showing in OpenLDAP.
Looks like you have not enabled SaaS Application option in the service providers you created.
Ref: https://docs.wso2.com/display/AM260/Configuring+Identity+Server+as+IDP+for+SSO

WSO2 Identity Server 5.3.0 users and multi-tenancy configuration guidelines with OAuth2 if possible

Can anyone help me out with a guideline to configure a specific Service Provider to a specific Tenant only, i.e. exclude all tenants from accessing the specific Service Provider.
I tried creating Service Provider using the guidelines from:
https://docs.wso2.com/display/IS530/Configuring+a+Service+Provider
by the way I used oauth2 with Implicit flow.
Then I created multiple tenant domains like:
abc.com
xyz.com
I created rob under abc.com tenant and sam under xyz.com.
When I use the URL (https://localhost:9443/oauth2/authorize?response_type=token&client_id=my_client_id_was_here&redirect_uri=my_redirect_uri_was_here) to login, the login page showed up but I was ABLE to login using both rob's and sam's credentials.
What I want to do is to restrict access to my service provider to users of only one specific domain/tenant.
Thanks in advance
To restrict a service provider to a specific tenant, you have to create that service provider inside that tenant. So to create an SP inside "abc.com", log into that tenant using a tenant user (rob@abc.com) and create the service provider inside it.

How to provide access to the same service provider for different tenants' users in WSO2 IS?

I have created 2 tenants in WSO2 identity server.
We need to deploy a sample application to which users belonging to both tenants should have access using SAML 2.0.
Please suggest how the sample application can be configured as a service provider in WSO2 Identity Server to achieve this requirement.
Assuming that the above is done, we would also like to know how the application can identify which user belongs to which tenant once the login is successful. Is this some information that would be passed in the SAML response?
You can create the service provider in SaaS mode. With this configuration, the service provider will be visible to all the tenants in the Identity Server. You can find how to configure a SaaS application in the documentation at [1].
If you want to return the tenant domain with the subject identifier in the saml response, you can enable 'Use tenant domain in local subject identifier' in 'Local & Outbound Authentication Configuration' of the service provider. More information is available in [2].
[1] https://docs.wso2.com/display/IS510/Configuring+a+Service+Provider#ConfiguringaServiceProvider-Addingaserviceprovider
[2] https://docs.wso2.com/display/IS510/Configuring+Local+and+Outbound+Authentication+for+a+Service+Provider
It is also needed to put the query param for selecting the right tenant in the URL. I modified the URLs in the metadata.xml generated from the WSO2 IS from something like this:
https://your-domain:9443/samlsso
to
https://your-domain:9443/samlsso?tenantDomain=tenant-name
And use this metadata.xml in the SP.
Otherwise, when the SP sends the SAML message, the IS will generate the log "Service Provider with the issuer 'xxx' is not registered." if your SP is not registered in the super tenant.
WSO2 IS 5.10