I am running WSO2 Identity Server 5.7.0 and using OpenID Connect. I currently receive an invalid redirect error when I navigate to https://MY_DOMAIN/oidc/logout, when I think I should be redirected to a page under the /authenticationendpoint resource. I noticed that the "Logout Endpoint URL" under Resident Identity Provider > Inbound Authentication Configuration > OAuth2/OpenID Connect Configuration is set to "https://MY_DOMAIN:-1/oidc/logout".
I am assuming the Logout Endpoint URL is configured based on the OIDCLogoutEPUrl config value in identity.xml. In my identity.xml file this value is set to ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oidc/logout.
My first question: Is the Logout Endpoint URL value only copied to the database when WSO2 is first run and the databases are initialized?
Followup question: If the answer to that is no, how can I configure that value without re-seeding the database?
Thanks for your help.
Answering your first question:
The Logout Endpoint URL is not added to the database during the first run. The value is always read from identity.xml -> OAuth -> OIDCLogoutEPUrl during server start-up. However, it is important that the path is "oidc/logout" in order to deliver the logout request to "OIDCLogoutServlet" [1].
Once OIDCLogoutServlet receives the logout request, you can customize further redirection by changing OIDCLogoutConsentPage and OIDCLogoutPage.
Reference
[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/internal/OIDCSessionManagementComponent.java#L65
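Because the endpoint URL is rebuilt from identity.xml placeholders on every start-up, it is worth checking the resolved value before the server is deployed. The following Python is an added example, not WSO2 code: it reads OIDCLogoutEPUrl from a constructed identity.xml fragment, substitutes the ${...} properties, and flags the two things that break the flow on this page, a port that is not a valid number (the ":-1" in the question) and a path that does not end in /oidc/logout. The property values passed in are assumptions chosen to reproduce the quoted URL.

```python
"""Check the OIDC logout endpoint URL that WSO2 IS derives from identity.xml.

Added example, not WSO2 code: the XML fragment and the property values are
constructed to reproduce the URL quoted in the question.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed identity.xml fragment containing the template from the question.
IDENTITY_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <OAuth>
    <OIDCLogoutEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oidc/logout</OIDCLogoutEPUrl>
  </OAuth>
</Server>"""

CARBON_NS = {"c": "http://wso2.org/projects/carbon/carbon.xml"}
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def read_logout_url_template(xml_text):
    """Return the raw OIDCLogoutEPUrl text, or None if the element is absent."""
    root = ET.fromstring(xml_text)
    el = root.find("c:OAuth/c:OIDCLogoutEPUrl", CARBON_NS)
    if el is None:
        el = root.find("OAuth/OIDCLogoutEPUrl")  # fragment without the Carbon namespace
    return el.text.strip() if el is not None and el.text else None


def resolve(template, props):
    """Substitute ${name} with props[name]; unknown names are left untouched."""
    return PLACEHOLDER.sub(lambda m: str(props.get(m.group(1), m.group(0))), template)


def validate_logout_url(url):
    """Return a list of problems; an empty list means the URL is usable."""
    if PLACEHOLDER.search(url):
        return ["unresolved placeholder in " + url]
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme should be https, got " + repr(parts.scheme))
    host, _, port_text = parts.netloc.partition(":")
    if not host:
        problems.append("missing host")
    if port_text and not (port_text.isdigit() and 1 <= int(port_text) <= 65535):
        # The ":-1" case from the question: no browser can open such a URL.
        problems.append("port must be 1-65535, got " + repr(port_text))
    if not parts.path.endswith("/oidc/logout"):
        # OIDCLogoutServlet only sees requests on /oidc/logout (see the answer above).
        problems.append("path must end with /oidc/logout, got " + repr(parts.path))
    return problems


def check_identity_xml(xml_text, props):
    """Resolve the template with the given properties and validate the result."""
    template = read_logout_url_template(xml_text)
    if template is None:
        return None, ["OIDCLogoutEPUrl not found under OAuth"]
    url = resolve(template, props)
    return url, validate_logout_url(url)


# Assumed property values: the first set reproduces the URL in the question,
# the second is a host where the management port is known.
BROKEN_PROPS = {"carbon.protocol": "https", "carbon.host": "MY_DOMAIN", "carbon.management.port": -1}
FIXED_PROPS = {"carbon.protocol": "https", "carbon.host": "MY_DOMAIN", "carbon.management.port": 9443}

if __name__ == "__main__":
    for name, props in (("broken", BROKEN_PROPS), ("fixed", FIXED_PROPS)):
        url, problems = check_identity_xml(IDENTITY_XML, props)
        print(name, url, problems or "OK")
```

Run it against the real identity.xml by replacing IDENTITY_XML with the file contents and the property dictionaries with the values your host actually resolves; a non-empty problem list means the Resident IdP will advertise an unusable logout endpoint.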
Related
I am using WSO2-IS 5.3.0. I have configured many service providers and SAML SSO is working as expected. But when it comes to logout, one functionality is working fine: it redirects me to a common logout page after invalidating the session.
Here I have one case: for one service provider, I need to perform single logout, but it should redirect to my custom login page. Though IS provides the option to configure a return URL (SLO Response URL), as you can see in the screenshot below, I have done that but it still redirects to the common logout page.
Do I need any other configuration too?
You are performing an IdP-initiated SLO as per the given request URL. In that case, you can use the returnTo parameter in that request to redirect the response.
So set the SLO response URL as the return-to URL of the "Enable IdP initiated SLO" config. A sample request would be as follows.
https://localhost:9443/samlsso?slo=true&spEntityID=travelocity.com&returnTo=https://localhost:8080/avs.com/slo
But you might have to define the SP-specific parameters in the request.
Reference: http://daytodayjava.blogspot.com/2015/08/saml2-idp-initiated-single-logout-with.html
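As an added illustration (not WSO2's implementation), the following Python builds the IdP-initiated SLO request above with proper URL encoding and models the check the IdP is expected to apply to returnTo: only a return-to URL registered for that spEntityID is honoured, and anything else falls back to the common logout page, which is what keeps the parameter from being usable as an open redirect into a phishing page. The registered URL list is constructed; the endpoint, entity ID and fallback path are the ones mentioned in this thread.

```python
"""Model of IdP-initiated SAML SLO with returnTo for WSO2 IS.

Added example, not WSO2 code. The endpoint and SP entity ID come from the
answer above; the registered return-to list is constructed.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

IDP_SLO_ENDPOINT = "https://localhost:9443/samlsso"
COMMON_LOGOUT_PAGE = "/authenticationendpoint/samlsso_logout.do"

# Stand-in for the Return To URL(s) configured under "Enable IdP Initiated SLO"
# in the service provider's SAML settings (constructed).
REGISTERED_RETURN_URLS = {
    "travelocity.com": ["https://localhost:8080/avs.com/slo"],
}


def build_idp_initiated_slo_url(sp_entity_id, return_to, endpoint=IDP_SLO_ENDPOINT):
    """Encode the parameters so a returnTo containing '?', '&' or '#' survives."""
    query = urlencode({"slo": "true", "spEntityID": sp_entity_id, "returnTo": return_to})
    return endpoint + "?" + query


def _canonical(url):
    """Scheme and host are case-insensitive; path and query are compared exactly."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query)


def return_to_is_registered(sp_entity_id, return_to):
    """Exact match against the SP's registered return-to URLs: no prefix or
    substring matching, so .../avs.com/slo/../evil or a look-alike host fails."""
    return any(_canonical(return_to) == _canonical(r)
               for r in REGISTERED_RETURN_URLS.get(sp_entity_id, []))


def resolve_logout_target(request_url):
    """Where the browser ends up after the IdP has terminated the session:
    the registered returnTo if one was supplied, otherwise the common logout page.
    Returns None if the request is not an IdP-initiated SLO request at all."""
    params = parse_qs(urlsplit(request_url).query)
    if params.get("slo") != ["true"]:
        return None
    sp_entity_id = params.get("spEntityID", [""])[0]
    return_to = params.get("returnTo", [""])[0]
    if return_to and return_to_is_registered(sp_entity_id, return_to):
        return return_to
    return COMMON_LOGOUT_PAGE


if __name__ == "__main__":
    good = build_idp_initiated_slo_url("travelocity.com", "https://localhost:8080/avs.com/slo")
    bad = build_idp_initiated_slo_url("travelocity.com", "https://attacker.example/fake-login")
    print(good, "->", resolve_logout_target(good))
    print(bad, "->", resolve_logout_target(bad))
```

The practical consequence for the question: if the browser still lands on the common logout page, compare the returnTo you send, byte for byte, with the return-to URL registered for that service provider, since any mismatch silently selects the fallback.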
My IS is running on EC2 and I am sending the SLO to https://ec2-52-XXXXX.amazonaws.com:9443/samlsso?slo=true; after logout the page redirects to localhost:9443/authenticationendpoint/samlsso_logout.do. I was expecting it to be https://<IS_Server>:9443/authenticationendpoint/samlsso_logout.do. Any idea what I am missing? How/where do I specify and change the URLs?
You have to specify the host name in carbon.xml. Please see my answer here for details.
You need to configure the SLO URL in the management console. Go to Add Service Provider > Inbound Authentication Configuration > SAML SSO Configuration.
You need to tick "Enable Single Logout" and paste the SLO URL in the relevant box.
For more details,
IS 5.1.0 here
IS 5.0.0 here
I'm currently working with the WSO2 suite and I've been trying to do an example from the WSO2 official documentation server, which you can find here. I already configured everything step by step, and when I run the travelocity application on my localhost it looks like the example says: I click the link and it redirects me to the Identity Server login. I type in my user name and password, and then it redirects me to the travelocity home page, but then I run into this error: SAML 2.0 based Single Sign-On
Error when processing the authentication request!
I checked the debug log and it says that authentication succeeded and Identity Server sent the response to travelocity.
I have no idea what could be happening; please help me out.
I shared the log files here. My English is bad and I'm new to working with WSO2, so please be patient with me.
The logs on the WSO2 IS side say "Signature validation for Authentication Request failed". The possible reason could be that you have not selected the correct certificate alias at WSO2 IS.
To do that, edit your service provider's SAML configuration and update the Certificate Alias with the correct value. In the default case it should have the value wso2carbon. In case you have configured it to something else, select the one you have configured.
I am studying WSO2 and trying to configure the SSO sample following this article:
https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0
In this article, home.jsp is configured as the assertion consumer URL, so when the user accesses home.jsp, it first goes to the Identity Server for authentication and then redirects back to home.jsp; this is fine. However, I realized that if I have another JSP file, for example new.jsp, and I hit new.jsp, it still redirects me to home.jsp. So what should I do to be redirected to new.jsp?
I searched previous posts, and someone mentioned RelayState, so how should I set the target URL in this RelayState? Any sample will be appreciated.
If you want to redirect the ACS (Assertion Consumer Service) to another URL, you have to do some customization in the authentication process. The Basic Authenticator is the default local authenticator in WSO2 Identity Server. In this case, after successful authentication, we have to invoke the custom implementation. Please look at this blog post [1] on writing a custom authenticator.
It extends the Basic Authenticator.
1. Create a jar file by building it as a Maven project.
2. Put this jar file in the dropins directory located inside the /repository/components directory.
3. Edit login.jsp with the new custom authenticator name; it is located at
/repository/deployments/server/webapps/authenticationendpoint/login.jsp
4. Configure application-authentication.xml, located at /repository/conf/security/application-authentication.xml:
AuthenticatorConfig name="BasicCustomAuthenticator" and enabled="true"
5. Restart the server.
6. Log into the Management Console and configure the new authenticator for each service provider under "Local & Outbound Authentication Configuration". Select your customized authenticator from the drop-down list as the Local Authenticator. Then Update.
[1] http://xacmlinfo.org/2015/10/15/custom-authenticator-for-wso2-identity-server-wso2is-sso-login/
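The asker mentions RelayState, and the answer above takes the custom-authenticator route instead. As an added example of the RelayState approach (not the travelocity sample's code, not WSO2's, and not a substitute for the steps above), the following Python shows what an SP-side SSO filter would do: carry the originally requested path in RelayState alongside the DEFLATE-and-base64 encoded AuthnRequest, and, because the IdP echoes RelayState back unchanged, re-validate it on the ACS before redirecting so that a tampered value cannot turn home.jsp into an open redirect. The SP and IdP URLs follow the documentation set-up the question uses; the request ID and timestamp are fixed constants.

```python
"""SP-side RelayState handling for SAML2 Web SSO.

Added example, not the travelocity sample's or WSO2's code. The SP and IdP
URLs follow the documentation set-up the question uses; the request ID and
timestamp are fixed constants for reproducibility.
"""
import base64
import zlib
from urllib.parse import urlencode, urlsplit, parse_qs

SP_ENTITY_ID = "travelocity.com"
ACS_URL = "http://localhost:8080/travelocity.com/home.jsp"
IDP_SSO_URL = "https://localhost:9443/samlsso"
DEFAULT_LANDING = "/home.jsp"


def build_authn_request(request_id, issue_instant):
    """Minimal AuthnRequest (unsigned here; the SP config at the IdP decides whether it must be)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="{id}" Version="2.0" IssueInstant="{ts}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'AssertionConsumerServiceURL="{acs}">'
        '<saml:Issuer>{issuer}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    ).format(id=request_id, ts=issue_instant, acs=ACS_URL, issuer=SP_ENTITY_ID)


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


def decode_redirect_binding(text):
    return zlib.decompress(base64.b64decode(text), -15).decode("utf-8")


def safe_relay_state(value):
    """Accept only a local absolute path: no scheme, no host, no '//' or '\\'
    prefix tricks, no control characters, and within the 80-byte limit the
    SAML 2.0 bindings specification puts on RelayState."""
    if not value or len(value.encode("utf-8")) > 80:
        return False
    if not value.startswith("/") or value.startswith("//") or "\\" in value:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""


def build_login_redirect(requested_path, request_id="_3b7f2c1e", issue_instant="2019-01-01T00:00:00Z"):
    """What the SSO filter sends an unauthenticated browser to when it asks for
    requested_path (e.g. /new.jsp); the path rides along in RelayState."""
    relay = requested_path if safe_relay_state(requested_path) else DEFAULT_LANDING
    query = urlencode({
        "SAMLRequest": encode_redirect_binding(build_authn_request(request_id, issue_instant)),
        "RelayState": relay,
    })
    return IDP_SSO_URL + "?" + query


def parse_login_redirect(url):
    """Inverse of build_login_redirect, for inspection: (AuthnRequest XML, RelayState)."""
    q = parse_qs(urlsplit(url).query)
    return decode_redirect_binding(q["SAMLRequest"][0]), q["RelayState"][0]


def post_login_target(relay_state):
    """Called by the ACS (home.jsp) after the SAML Response has been validated.
    The IdP returns RelayState verbatim, so it is re-checked here, not trusted."""
    return relay_state if safe_relay_state(relay_state) else DEFAULT_LANDING


if __name__ == "__main__":
    url = build_login_redirect("/new.jsp")
    print(url)
    print(post_login_target(parse_login_redirect(url)[1]))
```

The redirect in post_login_target is the only place the value is acted on, so the check there is the one that matters; the check in build_login_redirect merely avoids sending a RelayState the ACS would discard anyway.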
I've developed an SSO filter and it worked fine with Identity Server 4.1.
However, when I migrate to 4.5, it keeps redirecting to localhost:9443 instead of the URL I configured. (My Identity Server is on another server.)
So is it a bug, or do I need to do some extra configuration on the Identity Server?
Yes, you need to do one more config. Locate the application-authenticators.xml file at wso2is-4.5.0/repository/conf/security/application-authenticators.xml and find the config below:
loginPage="https://localhost:9443/authenticationendpoint/login.do"
Change the hostname there accordingly.
Do you mean that from your filter it is always redirecting to localhost:9443 (the SAML Auth request)? Or that after authenticating (after entering user name and password) with Identity Server, it redirected to localhost:9443?