I am working to import a service provider into my WSO2 Identity Server using the "file configuration" feature. The file I am importing from has a claim called "Local Claim".
Configuration Screenshot
Configuration XML File
<?xml version="1.0" encoding="UTF-8"?><ServiceProvider>
<ApplicationName>Local Claim SP</ApplicationName>
<Description/>
<InboundAuthenticationConfig>
<InboundAuthenticationRequestConfigs>
<InboundAuthenticationRequestConfig>
<InboundAuthKey>Local Claim SP</InboundAuthKey>
<InboundAuthType>openid</InboundAuthType>
<InboundConfigType>standardAPP</InboundConfigType>
<Properties/>
</InboundAuthenticationRequestConfig>
<InboundAuthenticationRequestConfig>
<InboundAuthKey>Local Claim SP</InboundAuthKey>
<InboundAuthType>passivests</InboundAuthType>
<InboundConfigType>standardAPP</InboundConfigType>
<Properties/>
</InboundAuthenticationRequestConfig>
</InboundAuthenticationRequestConfigs>
</InboundAuthenticationConfig>
<LocalAndOutBoundAuthenticationConfig>
<AuthenticationSteps/>
<AuthenticationType>default</AuthenticationType>
<alwaysSendBackAuthenticatedListOfIdPs>false</alwaysSendBackAuthenticatedListOfIdPs>
<UseTenantDomainInUsername>false</UseTenantDomainInUsername>
<UseUserstoreDomainInRoles>true</UseUserstoreDomainInRoles>
<UseUserstoreDomainInUsername>false</UseUserstoreDomainInUsername>
<EnableAuthorization>false</EnableAuthorization>
</LocalAndOutBoundAuthenticationConfig>
<RequestPathAuthenticatorConfigs/>
<InboundProvisioningConfig>
<ProvisioningUserStore/>
<IsProvisioningEnabled>false</IsProvisioningEnabled>
<IsDumbModeEnabled>false</IsDumbModeEnabled>
</InboundProvisioningConfig>
<OutboundProvisioningConfig>
<ProvisioningIdentityProviders/>
</OutboundProvisioningConfig>
<ClaimConfig>
<RoleClaimURI/>
<LocalClaimDialect>false</LocalClaimDialect>
<IdpClaim/>
<ClaimMappings>
<ClaimMapping>
<LocalClaim>
<ClaimUri>http://wso2.org/claims/localClaim</ClaimUri>
<claimId>0</claimId>
</LocalClaim>
<RemoteClaim>
<ClaimUri>Local Claim</ClaimUri>
<claimId>0</claimId>
</RemoteClaim>
<RequestClaim>true</RequestClaim>
<MandatoryClaim>false</MandatoryClaim>
</ClaimMapping>
</ClaimMappings>
<AlwaysSendMappedLocalSubjectId>false</AlwaysSendMappedLocalSubjectId>
<SPClaimDialects/>
</ClaimConfig>
<PermissionAndRoleConfig>
<Permissions/>
<RoleMappings/>
<IdpRoles/>
</PermissionAndRoleConfig>
<IsSaaSApp>false</IsSaaSApp>
</ServiceProvider>
When I try to import the XML file, I get the following error:
I looked at my local claims on the Identity Server I am trying to import to and I have the local claim that the error is referencing.
That error message doesn't make sense to me. Am I misunderstanding what a local claim is? I thought adding a claim to the http://wso2.org/claims dialect is how you add a local claim. So why is it throwing an error about a claim that I have in the dialect?
The problem is that you have not created the claim http://wso2.org/claims/localClaim in the Identity Server you are importing this SP into. So what you need to do is add the required local claim by navigating to Claims -> Add -> Add Local Claim.
After doing this, try to import the service provider again.
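A pre-import check for the situation above, written as an added example (not code from the question, the answer, or WSO2): it parses a service-provider export, collects every local claim URI the ClaimConfig refers to, and reports the ones that are not in the http://wso2.org/claims dialect or do not exist on the target server. The export and the list of target claims embedded here are constructed samples; in practice the target list would be taken from Claims -> List on the server you import into.

```python
import xml.etree.ElementTree as ET

# Local claim dialect of WSO2 Identity Server; every <LocalClaim> URI must live under it.
LOCAL_DIALECT = "http://wso2.org/claims/"

# Constructed sample: the claim-relevant part of a service-provider export like the one above.
SP_EXPORT = """<ServiceProvider>
  <ApplicationName>Local Claim SP</ApplicationName>
  <ClaimConfig>
    <RoleClaimURI/>
    <LocalClaimDialect>false</LocalClaimDialect>
    <ClaimMappings>
      <ClaimMapping>
        <LocalClaim><ClaimUri>http://wso2.org/claims/localClaim</ClaimUri></LocalClaim>
        <RemoteClaim><ClaimUri>Local Claim</ClaimUri></RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
      <ClaimMapping>
        <LocalClaim><ClaimUri>http://wso2.org/claims/givenname</ClaimUri></LocalClaim>
        <RemoteClaim><ClaimUri>First Name</ClaimUri></RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>true</MandatoryClaim>
      </ClaimMapping>
    </ClaimMappings>
  </ClaimConfig>
</ServiceProvider>
"""

# Constructed sample: local claims that exist on the target server. localClaim is
# deliberately absent, which is exactly the condition that makes the import fail.
TARGET_LOCAL_CLAIMS = {
    "http://wso2.org/claims/username",
    "http://wso2.org/claims/givenname",
    "http://wso2.org/claims/emailaddress",
}


def referenced_local_claims(sp_xml: str) -> set[str]:
    """Collect every local claim URI the export refers to: claim mappings and the role claim."""
    root = ET.fromstring(sp_xml)
    uris = set()
    for node in root.iterfind("./ClaimConfig/ClaimMappings/ClaimMapping/LocalClaim/ClaimUri"):
        if node.text and node.text.strip():
            uris.add(node.text.strip())
    role_claim = root.findtext("./ClaimConfig/RoleClaimURI")
    if role_claim and role_claim.strip():
        uris.add(role_claim.strip())
    return uris


def check_claims(sp_xml: str, target_claims: set[str]) -> dict[str, set[str]]:
    """Return the URIs the import would reject: outside the local dialect, or absent on the target."""
    referenced = referenced_local_claims(sp_xml)
    wrong_dialect = {u for u in referenced if not u.startswith(LOCAL_DIALECT)}
    missing = {u for u in referenced - wrong_dialect if u not in target_claims}
    return {"wrong_dialect": wrong_dialect, "missing": missing}


if __name__ == "__main__":
    result = check_claims(SP_EXPORT, TARGET_LOCAL_CLAIMS)
    for uri in sorted(result["missing"]):
        print(f"create this local claim before importing: {uri}")
    for uri in sorted(result["wrong_dialect"]):
        print(f"not a local-dialect URI, fix the mapping: {uri}")
```

Run against the sample it reports http://wso2.org/claims/localClaim as missing, which is the claim the import error names; once that claim is added on the target (or added to TARGET_LOCAL_CLAIMS here) the check comes back empty.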
I'm using WSO2 Identity Server 5.3
I have to produce a SAML2 assertion with some multivalued attributes from the user profile.
Let's say I have a comma separated list of values for a particular claim and I must organize those attributes using the following structure in my saml assertion response:
<saml2:Attribute Name="attribute1">
<saml2:AttributeValue>value1</saml2:AttributeValue>
<saml2:AttributeValue>value2</saml2:AttributeValue>
<saml2:AttributeValue>value3</saml2:AttributeValue>
<saml2:AttributeValue>value4</saml2:AttributeValue>
</saml2:Attribute>
I configured an STS client to get a SAML2 assertion and claims for a particular user, which I set up with a multivalued claim.
My issue is I get the SAML assertion response as the following structure:
<saml2:Attribute Name="attribute1">
<saml2:AttributeValue>value1,value2,value3,value4</saml2:AttributeValue>
</saml2:Attribute>
I set up an instance of the travelocity application on a Tomcat, tested again and got the SAML assertion as expected after logging in to the application and choosing the SAML flow. I could verify it by looking at the log file of the Identity Server.
I used the STS client [1] as well to get the SAML assertion, but what I got for a multivalued attribute was comma-separated values for that particular attribute.
I went directly to the admin service https://localhost:9443/services/wso2carbon-sts?wsdl using SoapUI as my client, but the SAML response was exactly the same case as I stated before: the multivalued attribute comes as comma-separated values for that particular attribute.
Here is a sample of what I get in the Attribute Statement section:
<saml2:AttributeStatement>
<saml2:Attribute Name="http://wso2.org/claims/im" NameFormat="http://wso2.org/claims/im">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jairo_fernandezr,jb_fernandez</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="http://wso2.org/claims/emailaddress" NameFormat="http://wso2.org/claims/emailaddress">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jairo.fernandez#chakray.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="http://wso2.org/claims/givenname" NameFormat="http://wso2.org/claims/givenname">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Jairo</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
Now, I would like to ask whether there is another way to get a SAML assertion with multivalued attributes structured as single values instead of comma-separated values, using the admin service https://localhost:9443/services/wso2carbon-sts?wsdl or another approach, without setting up the travelocity application.
[1] https://github.com/wso2/product-is/tree/5.x.x/modules/samples/sts
Any comment will be greatly appreciated.
Thanks
WSO2 Identity Server 5.3.0 behaves correctly when it comes to the Web SAML SSO flow.
But the service wso2carbon-sts, which can be found by default at https://localhost:9443/services/wso2carbon-sts, behaves differently, as I described in my original post.
I have reported this to the WSO2 team and they registered a bug in the Identity Server project; you can see the details here and follow it up if you are interested.
Thanks for your support
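The two attribute shapes described in this thread, side by side, as an added example (not code from the post or from WSO2): one function emits the Web SSO shape, with a separate saml2:AttributeValue per value, and the reader splits the joined wso2carbon-sts shape back into values only for attributes the consumer has declared multi-valued. The separator is assumed to be a comma, matching the output shown above; splitting any other attribute on it would corrupt a legitimate value that happens to contain a comma, which is why the split is opt-in. The STS statement embedded below is a constructed sample based on the snippet in the post.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XS = "http://www.w3.org/2001/XMLSchema"
ET.register_namespace("saml2", SAML2)
ET.register_namespace("xsi", XSI)

# Assumption: the STS joins multiple values with the server's multi-attribute
# separator, which in the output above is a comma.
SEPARATOR = ","


def build_attribute_statement(claims: dict[str, list[str]]) -> str:
    """Emit one <saml2:AttributeValue> per value, the shape the Web SSO flow produces."""
    stmt = ET.Element(f"{{{SAML2}}}AttributeStatement", {"xmlns:xs": XS})
    for name, values in claims.items():
        attr = ET.SubElement(stmt, f"{{{SAML2}}}Attribute", {"Name": name, "NameFormat": name})
        for value in values:
            node = ET.SubElement(attr, f"{{{SAML2}}}AttributeValue", {f"{{{XSI}}}type": "xs:string"})
            node.text = value
    return ET.tostring(stmt, encoding="unicode")


def read_attributes(statement_xml: str, multi_valued: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Read an AttributeStatement back into {name: [values]}.

    Attributes named in multi_valued are split on SEPARATOR when they arrive as a single
    joined value (the wso2carbon-sts shape). Everything else is taken verbatim, so a value
    that legitimately contains a comma is never torn apart."""
    root = ET.fromstring(statement_xml)
    result: dict[str, list[str]] = {}
    for attr in root.iterfind(f"{{{SAML2}}}Attribute"):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.iterfind(f"{{{SAML2}}}AttributeValue")]
        if name in multi_valued and len(values) == 1 and SEPARATOR in values[0]:
            values = [part.strip() for part in values[0].split(SEPARATOR) if part.strip()]
        result[name] = values
    return result


# Constructed sample of the STS output shown in the post: joined values in one element.
STS_STATEMENT = (
    '<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">'
    '<saml2:Attribute Name="http://wso2.org/claims/im" NameFormat="http://wso2.org/claims/im">'
    '<saml2:AttributeValue xsi:type="xs:string">jairo_fernandezr,jb_fernandez</saml2:AttributeValue>'
    '</saml2:Attribute>'
    '<saml2:Attribute Name="http://wso2.org/claims/givenname" NameFormat="http://wso2.org/claims/givenname">'
    '<saml2:AttributeValue xsi:type="xs:string">Jairo</saml2:AttributeValue>'
    '</saml2:Attribute>'
    '</saml2:AttributeStatement>'
)

if __name__ == "__main__":
    # Web SSO shape: separate elements round-trip without any splitting.
    sso_xml = build_attribute_statement({"http://wso2.org/claims/im": ["jairo_fernandezr", "jb_fernandez"]})
    print(read_attributes(sso_xml))
    # STS shape: only the attribute declared multi-valued is split.
    print(read_attributes(STS_STATEMENT, multi_valued=frozenset({"http://wso2.org/claims/im"})))
```

Declaring which attributes are multi-valued on the consuming side is the safer workaround while the STS issue stands; a blanket split on commas would also break single values such as display names that contain one.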
I have created a custom federated authenticator and configured it in an identity provider called 'kbank'.
How can I configure all Service Providers to use this Identity Provider by default without having to specify it individually for each Service Provider? Since in API Manager each application is created as a Service Provider, there will be a lot of Service Providers in our system, and the number keeps increasing.
In the Service Provider configuration page I can see there is an option for "Default", but I don't know how to specify the default.
Thank you very much.
You can specify the default authenticator, or rather the default sequence, using the application-authentication.xml found in IS_HOME/repository/conf/identity. You can change this using the <Sequences> section.
As shown below, the default sequence is set as a single-step authentication sequence using the BasicAuthenticator:
<Sequences>
<!-- Default Sequence. This is mandatory -->
<Sequence appId="default">
<Step order="1">
<Authenticator name="BasicAuthenticator"/>
</Step>
</Sequence>
</Sequences>
You can modify it to use any authenticator as the default. You need to specify the name of the authenticator.
Thanks to this post, the solution to my problem is that I have to modify <APIM_Home>\repository\conf\identity\service-providers\default.xml as follows:
<ServiceProvider>
<ApplicationID>1</ApplicationID>
<ApplicationName>default</ApplicationName>
<Description>Default Service Provider</Description>
<InboundAuthenticationConfig>
<InboundAuthenticationRequestConfigs>
<InboundAuthenticationRequestConfig>
<InboundAuthKey>default</InboundAuthKey>
<InboundAuthType></InboundAuthType>
<Properties></Properties>
</InboundAuthenticationRequestConfig>
</InboundAuthenticationRequestConfigs>
</InboundAuthenticationConfig>
<LocalAndOutBoundAuthenticationConfig>
<AuthenticationSteps>
<AuthenticationStep>
<StepOrder>1</StepOrder>
<FederatedIdentityProviders>
<IdentityProvider>
<IdentityProviderName>kbank</IdentityProviderName>
<IsEnabled>true</IsEnabled>
<FederatedAuthenticatorConfigs>
<FederatedAuthenticatorConfig>
<Name>MyAuthenticator</Name>
<IsEnabled>true</IsEnabled>
</FederatedAuthenticatorConfig>
</FederatedAuthenticatorConfigs>
<DefaultAuthenticatorConfig>MyAuthenticator</DefaultAuthenticatorConfig>
<JustInTimeProvisioningConfig>
<UserStoreClaimUri></UserStoreClaimUri>
<ProvisioningUserStore>PRIMARY</ProvisioningUserStore>
<IsProvisioningEnabled>true</IsProvisioningEnabled>
</JustInTimeProvisioningConfig>
</IdentityProvider>
</FederatedIdentityProviders>
<SubjectStep>true</SubjectStep>
<AttributeStep>true</AttributeStep>
</AuthenticationStep>
</AuthenticationSteps>
</LocalAndOutBoundAuthenticationConfig>
<RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs>
<InboundProvisioningConfig></InboundProvisioningConfig>
<OutboundProvisioningConfig></OutboundProvisioningConfig>
<ClaimConfig>
<AlwaysSendMappedLocalSubjectId>true</AlwaysSendMappedLocalSubjectId>
</ClaimConfig>
<PermissionAndRoleConfig></PermissionAndRoleConfig>
</ServiceProvider>
I want to implement an SSO system with the SAML 2.0 protocol using WSO2 IS as the Identity Provider. I've analyzed the SSO sample https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0 to learn how to implement the Service Provider side to generate a SAML 2.0 authentication request. AFAIK other ways to implement the SAML SP would be using OpenAM, OpenSAML or Shibboleth. But all those methods require programming knowledge on the Service Provider side to implement.
Thus my question:
Is there any Web Admin Service in WSO2 IS to ease the implementation of a SAML SP? I've found the SAML2SSOAuthenticationService.wsdl, but I'm not sure how it works and whether I need some other Admin Services in order to implement the desired solution.
You can use the createApplication method of the https://localhost:9443/services/IdentityApplicationManagementService admin service to create the service provider.
Or you can create the service provider using configuration files.
Please follow the steps below.
1) Open the /repository/conf/security/sso-idp-config.xml file and add the following configuration to it. This adds the travelocity application as a service provider.
<ServiceProvider>
<Issuer>travelocity.com</Issuer>
<AssertionConsumerService>http://localhost:8080/travelocity.com/home.jsp</AssertionConsumerService>
<SignAssertion>false</SignAssertion>
<SignResponse>false</SignResponse>
<EnableAttributeProfile>true</EnableAttributeProfile>
<IncludeAttributeByDefault>true</IncludeAttributeByDefault>
<EnableSingleLogout>true</EnableSingleLogout>
<Claims>
<Claim>http://wso2.org/claims/givenName</Claim>
</Claims>
<LogoutUrl></LogoutUrl>
<EnableAudienceRestriction>false</EnableAudienceRestriction>
<ConsumingServiceIndex>2104589</ConsumingServiceIndex>
</ServiceProvider>
2) Create a file named travelocity.com.xml in the /repository/conf/identity/service-providers directory.
3) Add the following configuration to the travelocity.com.xml file you created. This adds the necessary SAML configuration to the travelocity service provider:
<ServiceProvider>
<ApplicationID>3</ApplicationID>
<ApplicationName>travelocity.com</ApplicationName>
<Description>travelocity Service Provider</Description>
<IsSaaSApp>true</IsSaaSApp>
<InboundAuthenticationConfig>
<InboundAuthenticationRequestConfigs>
<InboundAuthenticationRequestConfig>
<InboundAuthKey>travelocity.com</InboundAuthKey>
<InboundAuthType>samlsso</InboundAuthType>
<Properties></Properties>
</InboundAuthenticationRequestConfig>
</InboundAuthenticationRequestConfigs>
</InboundAuthenticationConfig>
<LocalAndOutBoundAuthenticationConfig>
<AuthenticationSteps>
<AuthenticationStep>
<StepOrder>1</StepOrder>
<LocalAuthenticatorConfigs>
<LocalAuthenticatorConfig>
<Name>BasicAuthenticator</Name>
<DisplayName>basicauth</DisplayName>
<IsEnabled>true</IsEnabled>
</LocalAuthenticatorConfig>
</LocalAuthenticatorConfigs>
<FederatedIdentityProviders>
<IdentityProvider>
<IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
<IsEnabled>true</IsEnabled>
<DefaultAuthenticatorConfig>
<FederatedAuthenticatorConfig>
<Name>SAMLSSOAuthenticator</Name>
<DisplayName>samlsso</DisplayName>
<IsEnabled>true</IsEnabled>
</FederatedAuthenticatorConfig>
</DefaultAuthenticatorConfig>
</IdentityProvider>
</FederatedIdentityProviders>
<SubjectStep>true</SubjectStep>
<AttributeStep>true</AttributeStep>
</AuthenticationStep>
</AuthenticationSteps>
</LocalAndOutBoundAuthenticationConfig>
<RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs>
<InboundProvisioningConfig></InboundProvisioningConfig>
<OutboundProvisioningConfig></OutboundProvisioningConfig>
<ClaimConfig>
<AlwaysSendMappedLocalSubjectId>true</AlwaysSendMappedLocalSubjectId>
<LocalClaimDialect>true</LocalClaimDialect>
<ClaimMappings>
<ClaimMapping>
<LocalClaim>
<ClaimUri>http://wso2.org/claims/givenname</ClaimUri>
</LocalClaim>
<RemoteClaim>
<ClaimUri>http://wso2.org/claims/givenName</ClaimUri>
</RemoteClaim>
<RequestClaim>true</RequestClaim>
</ClaimMapping>
</ClaimMappings>
</ClaimConfig>
<PermissionAndRoleConfig></PermissionAndRoleConfig>
</ServiceProvider>
Please refer to this link for more details:
[1] https://docs.wso2.com/display/IS500/Adding+a+Service+Provider+and+Identity+Provider+Using+Configuration+Files
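The SP side that the registration above expects, as an added example (not code from the answer, the travelocity sample or WSO2): it builds an unsigned SAML 2.0 AuthnRequest for the Issuer and AssertionConsumerService registered in sso-idp-config.xml, encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), decodes it the way the IdP would, and checks the two fields an IdP must tie back to its registration. The IdP endpoint is assumed to be the default https://localhost:9443/samlsso; the request ID and timestamp are generated here and are not values from the page.

```python
import base64
import datetime
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Values from the sso-idp-config.xml entry above; the IdP endpoint is the default
# WSO2 IS SAML endpoint (assumption). Whatever the SP sends must agree with this registration.
REGISTERED_ISSUER = "travelocity.com"
REGISTERED_ACS = "http://localhost:8080/travelocity.com/home.jsp"
IDP_SSO_URL = "https://localhost:9443/samlsso"


def build_authn_request(issuer: str, acs_url: str, destination: str,
                        request_id: str = "", issue_instant: str = "") -> str:
    """Minimal unsigned SAML 2.0 AuthnRequest asking the IdP to POST the response to acs_url."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,   # must start with a letter or underscore
        "Version": "2.0",
        "IssueInstant": issue_instant or now,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": POST_BINDING,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(idp_sso_url: str, authn_request_xml: str, relay_state: str = "") -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode as SAMLRequest."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urllib.parse.urlencode(params)}"


def decode_saml_request(url: str) -> str:
    """Inverse of redirect_binding_url: what the IdP does with the SAMLRequest parameter."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def matches_registration(authn_request_xml: str, issuer: str, acs_url: str) -> bool:
    """Issuer must be the registered <Issuer> and the ACS URL the registered <AssertionConsumerService>.
    An IdP that honoured an unregistered ACS URL would hand the assertion to whoever asked for it."""
    root = ET.fromstring(authn_request_xml)
    return (root.findtext(f"{{{SAML}}}Issuer") == issuer
            and root.get("AssertionConsumerServiceURL") == acs_url)


if __name__ == "__main__":
    request = build_authn_request(REGISTERED_ISSUER, REGISTERED_ACS, IDP_SSO_URL)
    url = redirect_binding_url(IDP_SSO_URL, request, relay_state="/home.jsp")
    print(url)
    print(matches_registration(decode_saml_request(url), REGISTERED_ISSUER, REGISTERED_ACS))
```

For production the request should also be signed (sso-idp-config.xml has the matching SignAssertion/SignResponse switches on the IdP side), and the SP must validate the signature on the response with the IdP's certificate; the block above covers only the request shape and the registration check.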
What would be the URL for the newly set up SAML SSO's metadata, or how could I download this in XML format from WSO2 Identity Server (version 4.6.0) acting as IdP?
Thanks,
Tamas
WSO2 Identity Server now hosts the IDPSSODescriptor metadata file at this URL:
https://localhost:9443/identity/metadata/saml2
This feature is available from Identity Server version 5.3 onward.
AFAIK there is no option to auto-generate metadata files for IS. You have to write the metadata file manually. An example is as follows, taken from this blog post.
<md:EntityDescriptor entityID="https://localhost:9443/samlsso" validUntil="2023-09-23T06:57:15.396Z" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE
CAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxv
Y2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQsw
CQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UE
AwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTou
sMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5
HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQID
AQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44i
QlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJR
O4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso" ResponseLocation="https://localhost:9443/samlsso"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/samlsso"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
Yes. Identity Server does not support generating the IdP information as a metadata file. You need to create it manually, but I guess it will be available in a future release; there is an open public JIRA for this. You can find a generated SAML2 metadata file here. However, you may need to adjust it according to your configuration: if you have changed your keystore, you need to change the X509 certificate data, and also the URLs of the samlsso endpoint. By default the SAML SSO endpoint is located at https://localhost:9443/samlsso. In your service provider config, you need to configure this URL as the IdP URL (both login and logout). You must provide the wso2carbon certificate to the service provider for validating the signature.
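What an SP does with a hand-written metadata file like the one above, as an added example (not code from either answer or from WSO2): it parses the IDPSSODescriptor, pulls out the SingleSignOnService and SingleLogoutService endpoints per binding and the signing certificate(s), and enforces validUntil, after which the endpoints and certificate must no longer be trusted. The metadata embedded here is a constructed sample with the same structure; its certificate body is a placeholder string, not a real key.

```python
import datetime
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample following the structure of the metadata above. The certificate
# body is a placeholder, not real key material.
IDP_METADATA = """<md:EntityDescriptor entityID="https://localhost:9443/samlsso"
    validUntil="2023-09-23T06:57:15.396Z"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIICPLACEHOLDER
        CONSTRUCTED
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso" ResponseLocation="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, validUntil, SSO/SLO endpoints keyed by binding, and signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {e.get("Binding"): e.get("Location") for e in idp.iterfind("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.iterfind("md:SingleLogoutService", NS)}
    certs = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))  # drop the PEM-style line breaks
    return {"entity_id": root.get("entityID"), "valid_until": root.get("validUntil"),
            "sso": sso, "slo": slo, "signing_certs": certs}


def parse_saml_instant(value: str) -> datetime.datetime:
    """SAML timestamps are UTC ('Z'), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.datetime.strptime(value, fmt).replace(tzinfo=datetime.timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported timestamp: {value}")


def is_expired(meta: dict, now=None) -> bool:
    """validUntil is a hard cut-off: stop trusting the endpoints and certificates after it."""
    if meta["valid_until"] is None:
        return False
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc)
    return now >= parse_saml_instant(meta["valid_until"])


if __name__ == "__main__":
    meta = parse_idp_metadata(IDP_METADATA)
    print("redirect SSO endpoint:", meta["sso"][REDIRECT])
    print("signing certs:", len(meta["signing_certs"]), "expired now:", is_expired(meta))
```

The same parser works on the metadata served at https://localhost:9443/identity/metadata/saml2 from IS 5.3 onward; the check that matters operationally is that the certificate in the file is the one the IdP actually signs with, which is exactly what breaks when the keystore is changed without regenerating the file.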
I use Mule Server 3.3.0 CE, and I generated this code:
<mule xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:spring="http://www.springframework.org/schema/beans" xmlns:http="http://www.mulesoft.org/schema/mule/http"
xmlns:pattern="http://www.mulesoft.org/schema/mule/pattern"
xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security"
xmlns:ss="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/3.3/mule.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/3.3/mule-http.xsd
http://www.mulesoft.org/schema/mule/pattern http://www.mulesoft.org/schema/mule/pattern/3.3/mule-pattern.xsd
http://www.mulesoft.org/schema/mule/spring-security
http://www.mulesoft.org/schema/mule/spring-security/3.3/mule-spring-security.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<mule-ss:security-manager>
<mule-ss:delegate-security-provider
name="memory-dao" delegate-ref="authenticationManager" />
</mule-ss:security-manager>
<spring:beans>
<ss:authentication-manager alias="authenticationManager">
<ss:authentication-provider>
<ss:user-service id="userService">
<ss:user name="sepideh" password="16978413" authorities="ROLE_ADMIN" />
</ss:user-service>
</ss:authentication-provider>
</ss:authentication-manager>
</spring:beans>
<pattern:web-service-proxy name="myService"
wsdlLocation="http://ws.acme.com:6090/wsdl/weather-forecast">
<http:inbound-endpoint address="http://localhost:8090/service">
<mule-ss:http-security-filter realm="mule-realm" />
</http:inbound-endpoint>
<http:outbound-endpoint address="http://ws.acme.com:6090/weather-forecast" />
</pattern:web-service-proxy>
I run this project and I get the exception below:
ERROR 2012-11-27 14:31:25,456 [[web_service].connector.http.mule.default.receiver.02] org.mule.exception.DefaultMessagingExceptionStrategy:
********************************************************************************
Message : Registered authentication is set to org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter but there was no security context on the session. Authentication denied on endpoint http://localhost:8090/service. Message payload is of type: String
Code : MULE_ERROR-54999
--------------------------------------------------------------------------------
Exception stack is:
1. Registered authentication is set to org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter but there was no security context on the session. Authentication denied on endpoint http://localhost:8090/service. Message payload is of type: String (org.mule.api.security.UnauthorisedException)
org.mule.transport.http.filters.HttpBasicAuthenticationFilter:160 (http://www.mulesoft.org/docs/site/current3/apidocs/org/mule/api/security/UnauthorisedException.html)
--------------------------------------------------------------------------------
Root Exception stack trace:
org.mule.api.security.UnauthorisedException: Registered authentication is set to org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter but there was no security context on the session. Authentication denied on endpoint http://localhost:8090/sevice. Message payload is of type: String
at org.mule.transport.http.filters.HttpBasicAuthenticationFilter.authenticateInbound(HttpBasicAuthenticationFilter.java:160)
at org.mule.security.AbstractEndpointSecurityFilter.authenticate(AbstractEndpointSecurityFilter.java:58)
at org.mule.security.AbstractAuthenticationFilter.doFilter(AbstractAuthenticationFilter.java:56)
+ 3 more (set debug level logging or '-Dmule.verbose.exceptions=true' for everything)
The new WSDL address is shown to me, but I can't use this address to create a web service.
All of the solutions link to this page, but I don't know how to change the SoapUI setting to the true value.
What should I change in my configuration?
Posting this as it might help someone migrating HTTP connectors from a lower Mule version to 3.6+ or 3.7 (I faced this error when upgrading). Please follow the link https://docs.mulesoft.com/mule-user-guide/v/3.6/configuring-the-spring-security-manager (we cannot configure mule-realm inside the HTTP listener as in version 3.3). When you try to hit it from SoapUI, you will find the above error: Registered authentication is set to org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter but there was no security context on the session. It is not a problem with the Mule config file; you need to change the SoapUI settings.
There are 2 ways to resolve this error:
1) Go to SoapUI -> File -> Preferences -> HTTP Settings and enable the option "Authenticate Preemptively".
or
2) When setting the Basic Auth in SoapUI: Authorization -> Basic -> Pre-emptive auth -> enable "Authenticate Pre-emptively".
By default it will be 'Use global preference', which needs to be changed to 'Authenticate Pre-emptively'.
Thanks.
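Why the SoapUI setting matters, as an added example (not code from the question, the answer, Mule or SoapUI): both sides of the HTTP Basic exchange are modelled as plain functions. The server filter either answers a credential-less request with a WWW-Authenticate challenge or, as the log above shows Mule's filter doing, denies it outright with no challenge; the client either sends the Authorization header up front (preemptive) or waits for a challenge before retrying. The user name and password come from the ss:user element in the posted configuration and are used here only as a constructed demo credential store.

```python
import base64
import hmac

REALM = "mule-realm"
# Constructed credential store mirroring the <ss:user> in the posted config (demo only).
USERS = {"sepideh": "16978413"}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client sends for HTTP Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if it is not well-formed Basic."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)   # the password may itself contain ':'
    return user, password


def server_filter(request_headers: dict, challenge_when_missing: bool):
    """Server side of the exchange. Returns (status, response_headers).

    challenge_when_missing=False reproduces the behaviour in the log: a request without
    credentials is denied with a bare 401, so a non-preemptive client never learns it
    should retry with credentials."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic(request_headers.get("Authorization"))
    if creds is None:
        return 401, (challenge if challenge_when_missing else {})
    user, password = creds
    expected = USERS.get(user)
    # Constant-time comparison so the check does not leak how much of the password matched.
    if expected is not None and hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        return 200, {}
    return 401, challenge


def client_request(server, user: str, password: str, preemptive: bool) -> int:
    """Client side. A preemptive client sends credentials on the first request; a
    non-preemptive one (SoapUI's default, per the answer above) sends none and retries
    with credentials only if the 401 carries a Basic challenge."""
    auth = basic_header(user, password)
    if preemptive:
        status, _ = server({"Authorization": auth})
        return status
    status, response_headers = server({})
    if status == 401 and response_headers.get("WWW-Authenticate", "").startswith("Basic "):
        status, _ = server({"Authorization": auth})
    return status


def deny_server(headers):
    """The filter as it behaves in the posted log: no challenge on a missing header."""
    return server_filter(headers, challenge_when_missing=False)


def challenging_server(headers):
    """A filter that issues a proper challenge, so non-preemptive clients also succeed."""
    return server_filter(headers, challenge_when_missing=True)


if __name__ == "__main__":
    for name, server in (("deny-only filter", deny_server), ("challenging filter", challenging_server)):
        for preemptive in (False, True):
            mode = "preemptive" if preemptive else "non-preemptive"
            print(f"{name:18} {mode:15} -> {client_request(server, 'sepideh', '16978413', preemptive)}")
```

Against the deny-only filter only the preemptive client gets 200, which is the SoapUI change the answer describes; against a filter that challenges properly both client modes succeed. Either way wrong or unknown credentials are rejected, and sending credentials preemptively should only ever be done over TLS, since Basic is just base64.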
This seems related, and the error you are getting is a red herring. Are you getting back a success response even if this is being logged?
http://www.mulesoft.org/jira/browse/MULE-5607