wso2 metadata.xml validUntil - wso2

Our WSO2 metadata that is available via the URL (https://ourserver:9443/identity/metadata/saml2) has a "validUntil" date on it that is only a few hours long. This causes some issues with service providers that only refresh the metadata URL periodically. Is there a way to change the validUntil time on the metadata in the URL so it can be longer?
WSO2 Identity Server 5.3.0

WSO2 IS 5.3.0 does not support configuring the SAML metadata validity time out of the box, but this feature has been added through a WUM update. You can find the public PRs for this feature in [1] and [2]. If you don't have WUM, you can get this fix by building the product from the public branch [3].
[1] https://github.com/wso2/carbon-identity-framework/pull/1980
[2] https://github.com/wso2-extensions/identity-metadata-saml2/pull/29
[3] https://github.com/wso2/product-is
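An added check (not code from the thread or from WSO2) for the situation described above: it parses the validUntil attribute of a SAML 2.0 EntityDescriptor and reports whether the remaining validity window is shorter than the interval at which a service provider re-fetches the metadata. The metadata snippet, entityID and timestamps are constructed for the example.

```python
# Added example: compare SAML metadata validUntil with an SP refresh interval.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample resembling the document served at
# https://<host>:9443/identity/metadata/saml2; values are made up.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="localhost" validUntil="2024-05-01T12:00:00.000Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def parse_valid_until(metadata_xml: str) -> datetime:
    """Return the validUntil timestamp of the root EntityDescriptor as UTC."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    raw = root.get("validUntil")
    if raw is None:
        raise ValueError("metadata carries no validUntil attribute")
    # SAML uses xsd:dateTime in UTC; drop the fractional seconds and the Z.
    raw = raw.split(".")[0].rstrip("Z")
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validity_gap(metadata_xml: str, now: datetime, sp_refresh: timedelta) -> dict:
    """Compare the remaining validity window with the SP's refresh interval."""
    valid_until = parse_valid_until(metadata_xml)
    remaining = valid_until - now
    return {
        "valid_until": valid_until,
        "remaining_seconds": int(remaining.total_seconds()),
        "expired": remaining <= timedelta(0),
        # An SP that only re-fetches every sp_refresh will keep trusting a copy
        # that lapses before its next fetch if the window is shorter than that.
        "shorter_than_refresh": remaining < sp_refresh,
    }


if __name__ == "__main__":
    fetched_at = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    print(validity_gap(SAMPLE_METADATA, fetched_at, timedelta(hours=24)))
```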

Related

WSO2 API Manager (wso2am-4.1.0) - Customize Login Pages for Developer Portal and Publisher

I'm trying to customize the login pages for the dev portal and publisher, and I'm referring to the documentation below.
https://apim.docs.wso2.com/en/latest/reference/customize-product/customizations/customizing-login-pages-for-dev-portal-and-publisher/
The 1st step says to download the Identity Server, and in the 2nd step it says to start up the server using api-manager.sh, which could be a mistake.
However, I have the following questions related to the scenario.
In order to customize the login pages in APIM, should I start up the IS as a key manager as well?
Can't we customize the login pages just by using the JSP files readily available in the authentication endpoint in APIM?
I guess the documentation should be updated. You can use the existing JSP files in the authentication endpoint if you use OAuth2/OpenID. If you are using SAML, then you have to use WSO2 IS as the IDP with WSO2 API Manager.
Some samples can be found in [1].
By default, API Manager uses OAuth2/OpenID. You can do the service provider configurations in API Manager. OAuth2/OpenID and SAML use the JSP files used in the authentication endpoint.
[1] https://github.com/wso2/samples-is/tree/master/re-branding-the-default-login-page

Identity Server does not validate SAML LogoutRequest Signature

I've got WSO2 IS running and a service provider that has SAML inbound authentication set up. I've enabled the "Enable Signature Validation in Authentication Requests and Logout Requests" checkbox for the SAML service provider.
If I send an AuthnRequest that is not properly signed, it will error. However, if I send a LogoutRequest with no signature (or with a signature made from a completely different cert/key), it will log my user out without error. How can I enable actual signature validation in WSO2 IS?
I'm running the latest WSO2 Docker Container. I believe that is IS 5.7.0 according to this startup logging:
Starting WSO2 Carbon...
Operating System : Linux 4.9.93-linuxkit-aufs, amd64
Java Home : /home/wso2carbon/java/jre
Java Version : 1.8.0_144
Java VM : Java HotSpot(TM) 64-Bit Server VM 25.144-b01,Oracle Corporation
Carbon Home : /home/wso2carbon/wso2is-5.7.0
Java Temp Dir : /home/wso2carbon/wso2is-5.7.0/tmp
Seems the signature validation [1] is skipped in the logout request due to an issue in the code. Please refer to the git issue [2] to track this.
[1] https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/ee338982c1add8f75f1132a6b3bacb30cee7989b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java#L130
[2] https://github.com/wso2/product-is/issues/4048

Not getting remote claims from wso2

I am using WSO2 IS with other configured identity providers like Google and Yahoo.
When I log in from the IDP and am redirected back to the callback URL, my application calls the /oauth2/token API to fetch the id_token based on the authorization_code, but the problem is that it is not getting the remote claim (the IDP custom claim attribute) which I have configured in the service provider mapping. I am facing this issue randomly, not for all users.
Success claims Log:TID: [-1234] [] [2018-04-24 07:25:03,300] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - Returning claims from claim handler = [middle_name:M,given_name:abc,family_name:xyz,email:abc.xyz#domain.com,]
Failure claims Log: 07:32:19,062] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - Returning claims from claim handler = []
Seems like you are facing the issue mentioned in [1]. This issue is fixed in the master branch, and the fix is also available as a WUM update for IS-5.4.0 and IS-5.5.0. You can either try the latest milestone of WSO2 Identity Server or get a WUM-updated pack of IS 5.4.0 or IS 5.5.0.
[1] https://github.com/wso2/carbon-identity-framework/issues/1494

Publishing WSO2 API statistics

I'm following the links below for publishing WSO2 statistics, but I'm getting "405 method not allowed" when I log in to https://localhost:9443/admin-dashboard, so I'm unable to enable the statistics.
I'm using WSO2 API 2.0 and WSO2 API Analytics 2.0.
Could anyone help me with this?
Thanks,
Santosh
#santosh.a
I assume you have configured the apim_wso2metrics_db datasource as the common database for wso2am and wso2am-analytics. Next, follow the documentation to configure wso2am-analytics with wso2am-api-manager: Configuring APIM Analytics. The most important part is Step 2: edit <APIM_HOME>/repository/conf/api-manager.xml, enable analytics, and check DASServerURL and DASRestApiURL, making sure they point to the analytics server IP.
Once the configuration is enabled, you will be able to see analytics on the API Store and API Publisher under the statistics sections. You can also go to the dashboard at https://<wso2am-analytics>/portal

How to integrate WSO2 API Manager (AM) 1.10.0 with PingFederate SAML 2.0?

How to integrate WSO2 AM 1.10.0 with PingFederate SAML 2.0? Any instructions?
From WSO2 web site, I only saw docs on how to set up SSO among WSO2 products: https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 . But I did not see documentation on how to enable WSO2 AM 1.10.0 with external identity providers such as PingFederate via SAML2.
Any help is appreciated.
*** UPDATE:
I followed the instructions here https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 - just assuming WSO2 IS as PingIdentity. For the most part it's working, but I cannot generate keys when subscribing to an API. It says "invalid credentials" even though I have logged into applications and subscriptions and can create applications from the /store UI.
I can confirm that this can be done without adding a separate WSO2 IS server into the picture. I fixed several issues (cannot generate keys, cannot publish APIs, etc.) as follows: 1) I added the admin user inside APIKeyValidator in api-manager.xml, and also as the admin user via the management console and in user-mgt.xml; 2) inside api-manager.xml:
Change the following:
https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/
to: https://[FQDN_OF_HOST]:${mgt.transport.https.port}${carbon.context}/services/
The reason is that my server certificate only recorded the domain name, not the IP address.
The solution was also mentioned here: wso2 am 1.10.0 API Store: "Error occurred while executing the action generateApplicationKey" with " Invalid credentials provided."
Basically, you can do this by adding PingFederate as an IDP in WSO2 AM and configuring federated SAML SSO configurations. An example of how to achieve this with Shibboleth is given in [1]. You can follow the same steps to do any configurations according to your requirement.
Refer to [2] for configuring the SAML SSO federated authenticator in general.
[1] https://docs.wso2.com/display/IS510/How+To%3A+Configure+Shibboleth+IdP+as+a+Trusted+Identity+Provider
[2] https://docs.wso2.com/display/IS510/Configuring+SAML+2.0+Web+SSO