Identity Server does not validate SAML LogoutRequest Signature - wso2

I've got WSO2 IS running and a service provider that has SAML inbound authentication set up. I've enabled the "Enable Signature Validation in Authentication Requests and Logout Requests" checkbox for the SAML service provider.
If I send an AuthnRequest that is not properly signed, it will error. However, if I send a LogoutRequest with no signature (or with a signature made from a completely different cert/key), it will log my user out without error. How can I enable actual signature validation in WSO2 IS?
I'm running the latest WSO2 Docker Container. I believe that is IS 5.7.0 according to this startup logging:
Starting WSO2 Carbon...
Operating System : Linux 4.9.93-linuxkit-aufs, amd64
Java Home : /home/wso2carbon/java/jre
Java Version : 1.8.0_144
Java VM : Java HotSpot(TM) 64-Bit Server VM 25.144-b01,Oracle Corporation
Carbon Home : /home/wso2carbon/wso2is-5.7.0
Java Temp Dir : /home/wso2carbon/wso2is-5.7.0/tmp

It seems the signature validation [1] is being skipped for the logout request due to an issue in the code. Please refer to the git issue [2] to track this.
[1] https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/ee338982c1add8f75f1132a6b3bacb30cee7989b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java#L130
[2] https://github.com/wso2/product-is/issues/4048
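As an added example (not WSO2's code, and not from the question or answer), this Go program writes out the check the answer says is skipped: an IdP-side verifier for a LogoutRequest sent over the SAML HTTP-Redirect binding, beside an SP-side builder so the cases in the question (properly signed, unsigned, signed with a different key) can be exercised. The key pairs, the stub LogoutRequest XML and the RSA-SHA256-only policy are constructed assumptions, and RelayState handling is omitted (when present it is signed between SAMLRequest and SigAlg).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/url"
	"strings"
)
// Only RSA-SHA256 is accepted here (an assumption of this example, not a WSO2 setting).
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
// VerifyRedirectLogoutRequest is the IdP-side check: reject a LogoutRequest with no
// Signature/SigAlg, an unexpected SigAlg, or a signature that fails under the SP's key.
func VerifyRedirectLogoutRequest(query string, spPub *rsa.PublicKey) error {
	p := map[string]string{} // values stay URL-encoded: those are the bytes the SP signed
	for _, kv := range strings.Split(query, "&") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			p[k] = v
		}
	}
	if p["SAMLRequest"] == "" || p["SigAlg"] == "" || p["Signature"] == "" {
		return errors.New("unsigned LogoutRequest rejected")
	}
	if alg, _ := url.QueryUnescape(p["SigAlg"]); alg != sigAlgRSASHA256 {
		return errors.New("unsupported SigAlg")
	}
	signed := "SAMLRequest=" + p["SAMLRequest"] + "&SigAlg=" + p["SigAlg"]
	sigB64, _ := url.QueryUnescape(p["Signature"])
	sig, _ := base64.StdEncoding.DecodeString(sigB64) // a bad decode simply fails below
	digest := sha256.Sum256([]byte(signed))
	if rsa.VerifyPKCS1v15(spPub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("signature does not verify under the SP's key")
	}
	return nil
}
// BuildRedirectQuery plays the SP: base64 the LogoutRequest XML (the real binding DEFLATEs
// first, which does not affect the check) and sign with spPriv, or send unsigned when nil.
func BuildRedirectQuery(xml string, spPriv *rsa.PrivateKey) string {
	q := "SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString([]byte(xml)))
	if spPriv == nil {
		return q
	}
	q += "&SigAlg=" + url.QueryEscape(sigAlgRSASHA256)
	digest := sha256.Sum256([]byte(q))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, spPriv, crypto.SHA256, digest[:])
	return q + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig))
}
```

A quick way to regression-test your own IdP configuration is to feed it the same three query variants and confirm only the first one ends the session.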

Related

I'm unable to login into Wso2 APIM

I'm unable to log in to WSO2 APIM; it shows invalid login details, but yesterday it was working fine and I was able to log in.
Apim version: 3.2.0.
Identity server wso2 is-km: 5.10.0
I have not changed any of the configuration.
My Wso2 APIM is integrated with wso2 Is.
Below error:
2022-03-07 13:58:07,464] INFO - TimeoutHandler This engine will expire all callbacks after GLOBAL_TIMEOUT: 120 seconds, irrespective of the timeout action, after the specified or optional timeout
[2022-03-07 13:58:07,749] ERROR - OAuth2Service Error while finding application state for application with client_id: oYDtSc**************
After that I tried logging into the WSO2 Identity Server as admin as usual, but it shows no data, such as the list of users and the list of identity providers, whereas previously I saw the list of providers etc.
Please help me in this situation.

WSO2 APIM Analytics 3.2.0 dashboard login page doesn't open

I am running WSO2 APIM 3.2.0 and Analytics 3.2.0 on different client servers. I did all the required settings to configure WSO2 APIM with WSO2 Analytics. Started both the servers successfully and the WSO2 APIM URLs open well. But, when I open the Analytics Dashboard URL (https://<Analytics_Host>:9643/analytics-dashboard/login), I get the below warning in the dashboard server logs, and the login page does not appear. Only a blank screen appears.
WARN {org.wso2.msf4j.internal.MSF4JHttpConnectorListener} - Unmapped
exception feign.RetryableException: No subject alternative names
matching IP address <APIM_IP> found executing GET
https://<APIM_Host>:9443/api/am/admin/v0.16/custom-urls/carbon.super
In the browser console I can see errors as shown in the below screenshot.
One more thing I noticed is in the management console of WSO2 APIM, difference in Service Providers list when compared with my local. I didn't find all the service providers on the client server which I can see on my local.
WSO2 APIM Carbon Console Service Providers list on my local:
WSO2 APIM Carbon Console list on the client server:
Am I missing out on some configurations? Need suggestions on this issue.

wso2 metadata.xml validUntil

Our WSO2 metadata that is available via the URL (https://ourserver:9443/identity/metadata/saml2) has a "validUntil" date on it that is only a few hours long. This causes some issues with service providers that only refresh the metadata URL periodically. Is there a way to change the validUntil time on the metadata in the URL so it can be longer?
WSO2 Identity Server 5.3.0
WSO2 IS 5.3.0 does not support configuring SAML metadata validity time out of the box. But this feature has been added through a WUM update. You can find the public PRs for this feature in [1] and [2]. If you don't have WUM you can get this fix by building the product from the public branch [3].
[1] https://github.com/wso2/carbon-identity-framework/pull/1980
[2] https://github.com/wso2-extensions/identity-metadata-saml2/pull/29
[3] https://github.com/wso2/product-is

KeyGenerator error publishing TIBCO Web Service to WSO2 UDDI

I have a TIBCO Web Service that I want to publish on a WSO2 UDDI Server.
I configure the UDDI server on the Infrastructure -> Servers tab and I try to publish my application on the server.
I tried authenticating as root, admin and uddi but I always get the same error on WSO2 Side:
TID: [0] [Greg] [2015-09-10 15:25:28,108] INFO {org.apache.cxf.phase.PhaseInterceptorChain} - Application {urn:uddi-org:v3_service}UDDIPublicationService#{urn:uddi-org:v3_service}save_tModel has thrown exception, unwinding now: org.apache.juddi.v3.error.FatalErrorException: A Key Generator cannot be added for the root publisher. Try signing in as a different user {org.apache.cxf.phase.PhaseInterceptorChain}
I tried to google a bit but I found only answers relevant to WSO2 API Server (which I don't have).
As far as I can remember, the WSO2 server doesn't have any custom configuration. This is the content of my tomcat-user.xml:
<user username="admin" password="admin" roles="tomcat,manager,admin"/>
<user username="root" password="root" roles="tomcat,manager,admin"/>
<user username="uddi" password="uddi" roles="tomcat,manager,admin"/>
jUDDI doesn't allow you to create tModel key generators as the root user. Try it again using a different user name. This is probably in WSO2's configuration. Since it's probably an integration issue between the two, contact WSO2 for support.
Alternatively, you can just download jUDDI, use the standalone server and use the jUDDI web user interface to publish the service.
~ jUDDI PMC

WSO2 Identity Server "Illegal Access attempt" (but only from different hosts)

I have two instances of WSO2 on two different machines, with the same policy published to both instances. Both WSO2 instances have admin/admin.
I use SOAPUI (running on 192.168.0.9) to try to test against the EntitlementService webservice and:
If I use SOAPUI to test against the EntitlementService webservice on the same machine that SOAPUI is running on (192.168.0.9), using either localhost or IP address, I get a XACML response with a Permit. However,
If I use SOAPUI to test against the EntitlementService webservice on the other machine (192.168.0.210), I get a XACML response with a Deny, and an "Illegal access attempt" error in the 192.168.0.210 WSO2 log:
Illegal access attempt at [2014-05-12 15:26:47,0563] from IP address
192.168.0.9 while trying to authenticate access to service EntitlementService
In both cases above, I have BASIC authentication and the 'admin' username and password setup in SOAPUI.
If I run Tryit on the 192.168.0.210 WSO2 admin to test against the 192.168.0.210 WSO2, I get a Permit, i.e., this shows that the policy on the 192.168.0.210 should return a Permit.
Finally, I'm pretty sure that this is something with WSO2, and not with SOAPUI, as I also tested from the 192.168.0.9 machine using Firefox and a plugin called RESTclient, to test doing the POST of the XACML request in the content body.
Is there something in WSO2 Identity Server that would cause it to return a Deny if the requests are coming from a different machine?
Thanks,
Jim
P.S. I'm seeing the following in the WSO2 wso2carbon.log file:
TID: [0] [IS] [2014-05-12 15:59:40,798] ERROR {org.wso2.carbon.core.services.authentication.AbstractAuthenticator} - Invalid remote address detected. {org.wso2.carbon.core.services.authentication.AbstractAuthenticator}
org.wso2.carbon.core.common.AuthenticationException: Authentication Failed : Invalid remote address passed - 0:0:0:0:0:0:0:1
at org.wso2.carbon.core.services.authentication.AuthenticationUtil.validateRemoteAddress(AuthenticationUtil.java:178)
at org.wso2.carbon.core.services.authentication.AuthenticationUtil.getRemoteAddress(AuthenticationUtil.java:156)
at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.getRemoteAddress(AbstractAuthenticator.java:304)
at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:136)
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.isAuthenticated(AuthenticationHandler.java:171)
{org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
Is there some way to turn off the remote address validation?