WSO2 Identity Server SAML2 Response Issuer verification failed - wso2
I have set up WSO2 Identity Server with Office 365 (AAD) Identity Provider, the sso sample app travelocity.com and configured my Azure Active Directory application with the necessary permissions.I have disabled user consent on both side, Azure AD & my Identity Server.
Using the sample app, the login is working fine but I receive the following error from travelocity.com
An error has occurred
SAML2 Response Issuer verification failed
I guess the authentication is working, from the debug logging enabled (truncate some string for readbility) :
[2018-05-28 14:24:36,909] DEBUG {org.wso2.carbon.identity.sso.saml.builders.DefaultResponseBuilder} - Building SAML Response for the consumer 'http://testsso.myapp.com/travelocity.com/home.jsp'
authenticatedIdPs: eyJ0eXAiOiJKV1QiLCAiYWx[TRUNCATED]
[2018-05-28 14:24:36,749] DEBUG {org.wso2.carbon.identity.data.publisher.application.authentication.AbstractAuthenticationDataPublisher} - Retrieving current IDPw for user
[2018-05-28 14:24:36,748] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
[2018-05-28 14:24:36,719] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Removing post authentication sequnce tracker cookie for context : 09808b90-af77-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - ConsentMgtPostAuthenticationHandler is enabled. Hence executing for context : 09808b90-af77-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,717] DEBUG {org.wso2.carbon.identity.application.authz.xacml.handler.impl.XACMLBasedAuthorizationHandler} - In policy authorization flow...
[2018-05-28 14:24:36,716] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Executing Post Authentication Management Service for context 09808b90-af77-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Step processing is completed.
[2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - UNFILTERED_IDP_CLAIM_VALUES map property set to [#odata.id:https://outlook.office365[TRUNCATED] acf5e8c015e'),Alias:my.user,DisplayName:my USER,MailboxGuid:dxxxxxxxxxxxef1a,Id:[TRUNCATED]79639#[TRUNCATED]8c015e,#odata.context:https://outlook.office365.com/api/v2.0/$metadata#Me,EmailAddress:my.user#mycompany.com,]
[2018-05-28 14:24:36,713] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedExternalClaimDAO} - Cache hit for external claim list for dialect: http://wso2.org/oidc/claim in tenant: -1234 [2018-05-28 14:24:36,712] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - Executing claim handler. isFederatedClaims = true and remote claims = [#odata.id:https://outlook.office365.com/api/v2.0/Users('a[TRUNCATED]980a-82ba0f179639#[TRUNCATED]1-88e0-6acf5e8c015e'),Alias:my.user,DisplayName:my USER,MailboxGuid:[TRUNCATED]4bb9-b0f1-89b84064ef1a,Id:[TRUNCATED]-980a-82ba0f179639#[TRUNCATED]-88e0-6[TRUNCATED],#odata.context:https://outlook.office365.com/api/v2.0/$metadata#Me,EmailAddress:my.user#mycompany.com,]
[2018-05-28 14:24:36,711] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultSequenceHandlerUtils} - Service Provider Mapped Roles: null
[2018-05-28 14:24:36,709] DEBUG {org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil} - JWT Header :{"typ":"JWT", "alg":"none"}
[2018-05-28 14:24:36,709] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Handling Post Authentication tasks
[2018-05-28 14:24:36,707] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Authenticated IDP data for the IDP 'Azure Active Directory' couldn't be found in previous authenticate IDPs as well. Using a fresh AuthenticatedIdPData object
[2018-05-28 14:24:36,514] DEBUG {org.wso2.carbon.identity.authenticator.office365.Office365Authenticator} - Claim URL: https://outlook.office365.com/api/v2.0/me
[2018-05-28 14:24:36,078] DEBUG {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} - Authentication Context is null
[2018-05-28 14:24:36,970] DEBUG {org.wso2.carbon.identity.sso.saml.builders.SignKeyDataHolder} - Initializing Key Data for super tenant using system key store
[2018-05-28 14:24:36,911] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
[2018-05-28 14:24:36,860] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Query string : sessionDataKey=7d7081e3-b733-47e6-9d28-b9d169a4caf1
[2018-05-28 14:24:36,749] DEBUG {org.wso2.carbon.identity.data.publisher.application.authentication.AbstractAuthenticationDataPublisher} - Returning roles, Azure Active Directory
[2018-05-28 14:24:36,719] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Post authentication handler ConsentMgtPostAuthenticationHandler returned with status : SUCCESS_COMPLETED for context identifier : [TRUNCATED]c-54c01ea2c3d6
[2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Post authentication handler MissingClaimPostAuthnHandler completed execution for session context : 09808b90-af77-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Post authentication handler XACMLBasedAuthorizationHandler returned with status : SUCCESS_COMPLETED for context identifier : [TRUNCATED]01ea2c3d6
[2018-05-28 14:24:36,716] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - PASTR cookie is not set to context : 09808b90-af77-49ad-b63c-54c01ea2c3d6. Hence setting the cookie
[2018-05-28 14:24:36,716] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - No stored pastr cookie found in authentication context for : 09808b90-af77-49ad-b63c-54c01ea2c3d6 . Hence returning without validating
[2018-05-28 14:24:36,707] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Authenticated IDP data of the IDP 'Azure Active Directory' couldn't be found in current authenticate IDPs. Trying previous authenticated IDPs
[2018-05-28 14:24:36,081] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Office365Authenticator can handle the request.
[2018-05-28 14:24:36,081] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - No previous authenticated IDPs found in the authentication context.
[2018-05-28 14:24:36,071] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get first priority handler for the given handler list.
[2018-05-28 14:24:36,070] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Created singleton instance for org.wso2.carbon.identity.auth.service.handler.HandlerManager
[2018-05-28 14:24:36,945] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
[2018-05-28 14:24:36,861] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - No SaaS SAML service providers found for the issuer : travelocity.com. Checking for SAML service providers registered in tenant domain : carbon.super
[2018-05-28 14:24:36,860] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get first priority handler : DefaultAuthenticationManager(org.wso2.carbon.identity.auth.service.AuthenticationManager)
[2018-05-28 14:24:36,858] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Created singleton instance for org.wso2.carbon.identity.auth.service.handler.HandlerManager
sessionDataKey: 7d7081e3-b733-47e6-9d28-b9d169a4caf1
commonAuthAuthenticated: true
[2018-05-28 14:24:36,079] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Executing the Step Based Authentication...
[2018-05-28 14:24:36,719] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler} - Concluding the Authentication Flow
[2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - MissingClaimPostAuthnHandler is enabled. Hence executing for context : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,717] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - XACMLBasedAuthorizationHandler is enabled. Hence executing for context : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler} - Handling post authentication
[2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - Returning claims from claim handler = []
[2018-05-28 14:24:36,709] DEBUG {org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade} - Trying to find the IdP for name: Azure Active Directory
[2018-05-28 14:24:36,707] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Office365Authenticator returned: SUCCESS_COMPLETED
[2018-05-28 14:24:36,661] DEBUG {org.wso2.carbon.identity.authenticator.office365.Office365Authenticator} - Claim URL: https://outlook.office365.com/api/v2.0/me
[2018-05-28 14:24:36,081] DEBUG {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} - No authenticators found.
[2018-05-28 14:24:36,079] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler} - Authentication Graph not defined for the application. Performing Step based authentication. Service Provider :sso_test
[2018-05-28 14:24:36,079] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler} - In authentication flow
[2018-05-28 14:24:36,751] DEBUG {org.wso2.carbon.identity.data.publisher.application.authentication.AbstractAuthenticationDataPublisher} - Publishing authentication success
[2018-05-28 14:24:36,719] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Post authentication handler ConsentMgtPostAuthenticationHandler completed execution for session context :[TRUNCATED]-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Post authentication handler MissingClaimPostAuthnHandler returned with status : SUCCESS_COMPLETED for context identifier : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - UNFILTERED_SP_CLAIM_VALUES map property set to []
[2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - UNFILTERED_LOCAL_CLAIM_VALUES map property set to []
[2018-05-28 14:24:36,713] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO} - Cache hit for local claim list for tenant: -1234
[2018-05-28 14:24:36,710] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - No role attribute value has received from the external IDP: Azure Active Directory, in Domain: null.
[2018-05-28 14:24:36,709] DEBUG {org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil} - JWT Body :{"iss":"wso2","exp":15275174767093000,"iat":1527517476709,"idps":[{"idp":"Azure Active Directory","authenticator":"Office365Authenticator"}]}
[2018-05-28 14:24:36,081] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Receive a response from the external party
[2018-05-28 14:24:36,081] DEBUG {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} - Finding already authenticated IdPs of the step {order:1}
[2018-05-28 14:24:36,080] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - No current authenticated IDPs in the authentication context. Continuing with the previous authenticated IDPs
[2018-05-28 14:24:36,072] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get first priority handler : DefaultAuthenticationManager(org.wso2.carbon.identity.auth.service.AuthenticationManager)
[2018-05-28 14:24:36,860] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get first priority handler for the given handler list.
authenticatedUser: aff5b6e8-3ee4-470f-980a-82ba0f179639#7ab7bec6-e60d-43b1-88e0-6acf5e8c015e
[2018-05-28 14:24:36,745] DEBUG {org.wso2.carbon.identity.data.publisher.application.authentication.AbstractAuthenticationDataPublisher} - Publishing session creation
[2018-05-28 14:24:36,719] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Post authentication evaluation has completed for the flow with session data key : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.PostAuthnMissingClaimHandler} - Post authentication handling for missing claims started
[2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Post authentication handler XACMLBasedAuthorizationHandler completed execution for session context : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,716] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Starting from current post handler index 0 for context : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,711] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultSequenceHandlerUtils} - Getting Service Provider mapped roles of application: sso_test of user: null
[2018-05-28 14:24:36,710] DEBUG {org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade} - A registered IdP was found
[2018-05-28 14:24:36,709] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Request is successfully authenticated.
[2018-05-28 14:24:36,708] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - There are no more steps to execute.
[2018-05-28 14:24:36,708] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Step 1 is completed. Going to get the next one.
[2018-05-28 14:24:36,080] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Starting Step: 1
[2018-05-28 14:24:36,079] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler} - Executing the Step Based Authentication...
[2018-05-28 14:24:36,807] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler} - Sending response back to: /samlsso...
" <script type='text/javascript'>"
<!--$additionalParams-->
<input type='hidden' name='SAMLResponse' value='PD94bWwgdmVyc2lvbj0iMS4wIiB[TRUNCATED]NhbWwycDpSZXNwb25zZT4='/>
" <p>"
" If the redirection fails, please click the post button.</p>"
[2018-05-28 14:24:37,057] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - samlsso_response.html <!--
[2018-05-28 14:24:37,032] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
uij0SKVN2wbNcBFhUva/zdYZdLJFncZjbx6bDrpKkL9cXKQdzcNnoPTo7NqO3ENqCxzynYV60eEa
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignedInfo>
yzoB9khd18faM/pHPpy2XyU12G9XIf5Es9jAcQ==
D1I1TBLWDDa03X2Juouoijh3I9+SujuWp724eFbt7UmUFsi6Xw2yiMA6D+t7sCeWQD315ddyt/zL
V9MaQ4SUT+m2a17DjxTEQ0ErrQtqvnrv3+VtgT4/kV1HbkzF6UKyR7FLrV6y1SbMrwEXVrB8qfOg
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<saml2p:Response Destination="http://testsso.myapp.com/travelocity.com/home.jsp" ID="_4ef05bebd4ab91eabd769cc4ee37d501" InResponseTo="niblbbpjdnlokandnpbbbmcpjdpajlonncldcnpi" IssueInstant="2018-05-28T14:24:36.921Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
" </script>"
" document.forms[0].submit();"
" </p>"
<html>
-->
[TRUNCATED]
CXaL/gdwMsqcCjwBsuxY0gprp1zSB6jaTPyhiso84uirKJ+VELaY32tYhuRB4GdAVBg+eB1pESNC
</ds:Transforms>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
qfyXM7xEotWoxmm6HZx8oWQ8U5aiXjZ5RKDWCCq4ZuXl6wVsUz1iE61suO5yWi8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion ID="_54459a8d0c72b06aaa9cbe446f9362f1" IssueInstant="2018-05-28T14:24:36.935Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
/mvTmWZLM7GM6sApmyLX6OXUp8z0pkY+vT/9+zRxxQs7GurC4/C1nK3rI/0ySUgGEafO1atNjYml
</ds:SignatureValue>
SOu0s4wPMg1mAnpz6suXzBXn3nq+u+zxszUBSmB6Ji3iw7vy2w/X8GJPb6YgCk0cW69mDMxr61zy
<ds:SignatureValue>
[2018-05-28 14:24:37,027] DEBUG {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - <?xml version="1.0" encoding="UTF-8"?>
[2018-05-28 14:24:37,017] DEBUG {org.wso2.carbon.identity.sso.saml.builders.SignKeyDataHolder} - Initializing Key Data for super tenant using system key store
" </form>"
" <button type='submit'>POST</button>"
[2018-05-28 14:24:37,031] DEBUG {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - PD94bWwgdmVy[TRUNCATED]SZXNwb25zZT4=
</ds:SignatureValue>
rlsAPDJe8WsU8n2kRf4n43gj+UiHOrCL1EeqcQ==
<ds:Transforms>
[TRUNCATED]
CBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxDTALBgNVBAoTBFdTTzIxEjAQBgNVBAMTCWxv
CUXBkoV2V4tJg2GozJJQL+iiWen3HhRW1bc93msuJ+BJOQMIs4MOb4bYS4XWyrjMw4aWlAsCw91g
</ds:SignedInfo>
<ds:DigestValue>zo728mSqUt83wg9P5p0xQWMqna0=</ds:DigestValue>
<ds:Reference URI="#_4ef05bebd4ab91eabd769cc4ee37d501">
<ds:SignedInfo>
</body>
" <!--$params-->"
" <form method='post' action='http://testsso.myapp.com/travelocity.com/home.jsp'>"
" <body>"
[TRUNCATED]
V8up9UQHeb58Eds6BJ5PJvMrCPTGy59Q03er7X1rzIMNVN0ijaFFQTOd2CCS21OHF+g5709TQun9
</ds:SignedInfo>
<ds:DigestValue>f+rrjvtlOhgKz8tVnHE+3nEzoZM=</ds:DigestValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCAjGgAwIBAgIEAoLQ/TANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</html>
" <p>You are now redirected back to http://testsso.myapp.com/travelocity.com/home.jsp"
Variables http://testsso.myapp.com/travelocity.com/home.jsp, $response, $relayState and $additionalParams will be replaced by the corrosponding values
qfyXM7xEotWoxmm6HZx8oWQ8U5aiXjZ5RKDWCCq4ZuXl6wVsUz1iE61suO5yWi8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[TRUNCATED]-82ba0f179639#[TRUNCATED]-88e0-6acf5e8c015e</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="niblbbpjdnlokandnpbbbmcpjdpajlonncldcnpi" NotOnOrAfter="2018-05-28T14:29:36.921Z" Recipient="http://testsso.myapp.com/travelocity.com/home.jsp"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2018-05-28T14:24:36.935Z" NotOnOrAfter="2018-05-28T14:29:36.921Z"><saml2:AudienceRestriction>fefd4ede6"><saml2:AuthnContext><sa<saml2:Audience>travelocity.com</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2018-05-28T14:24:36.952Z" SessionIndex="4cd87270-9341-4a54-8d14-1c0ml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute Name="#odata.id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">https://outlook.office365.com/api/v2.0/Users('[TRUNCATED]980a-82ba0f179639#[TRUNCATED]-88e0-6acf5e8c015e')</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="Alias" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">my.user</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="DisplayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">my USER</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="MailboxGuid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[TRUNCATED]-89b84064ef1a</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="Id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[TRUNCATED]-82ba0f179639#[TRUNCATED]-88e0-6acf5e8c015e</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="#odata.context" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">https://outlook.office365.com/api/v2.0/$metadata#Me</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">my.user#mycompany.com</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>
Pty9jqM1CgRPpqvZa2lPQBQqZrHkdDE06q4NG0DqMH8NT+tNkXBe9YTre3EJCSfsvswtLVDZ7GDv
[TRUNCATED]
C6xKegbRWxky+5P0p4ShYEOkHs30QI2VCuR6Qo4Bz5rTgLBrky03W1GAVrZxuvKRGj9V9+PmjdGt
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCAjGgAwIBAgIEAoLQ/TANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE
<ds:SignatureValue>
</ds:Reference>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
<ds:Reference URI="#_54459a8d0c72b06aaa9cbe446f9362f1">
[TRUCATED]
au4CTXu9pLLcqnruaczoSdvBYA3lS9a7zgFU0+s6kMl2EhB+rk7gXluEep7lIOenzfl2f6IoTKa2
</ds:Reference>
</ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
<ds:Transforms>
THKojJjQvdVCzRj6XH5Truwefb4BJz9APtnlyJIvjHk1hdozqyOniVZd0QOxLAbcdt946chNdQvC
Can I consider my configuration working as is or is there a real issue there ?
Thank you.
In your SAML response, the issuer is localhost. It's mismatching with what you have used. That is you have used travelocity.com as the issuer. If you want to change the issuer in identity server, you can do it by navigating to the following directory on your identity server. Resident Identity Provider -> SAML2 Web SSO Configuration -> Identity Provider Entity Id:
I landed in the same scenario and I resolved this by aligning the identity provider entity id in all locations.
WSO2 verifies the received SAML response to ensure it is issued by the expected SAML Identity Provider. WSO2 includes its Id in the SAML response's tag.
Steps I used to align the entity id
Amended the IdPEntityId in the service provider's sso.properties file (I am using java)
SAML2.IdPEntityId=localhost.com
On WSO2 management portal, I amended the resident entity id under Main >> Identity >> Identity Providers >> Resident. I set the Home Realm Identifier to localhost.com as well.
I then amended the service provider's IdP Entity ID Alias to localhost.com too.
Once I completed this, the tag in XML now came with the expected entity id and issue resolved.
Related
How can I correctly create a WSO2 ESB API that uses HTTPS instead HTTP as protocol?
I am not so into WSO2 ESB and I have the following doubt.
I have deployed on my Carbon server some APIs, that works fine.
These APIs are using HTTP as protocol. For some reason I have to change it into HTTPS.
My doubs is: have I only to change the protocol attribute (of the resource tag) value form http to https?
<?xml version="1.0" encoding="UTF-8"?>
<api context="/meteo_forecast_weekly_v2/location" name="meteo_forecast_weekly_v2" xmlns="http://ws.apache.org/ns/synapse">
<resource methods="GET" protocol="http" uri-template="/{localizationId}">
...............................................................
...............................................................
...............................................................
Or have I also to configure a certificate in my Carbon server?
EDIT-1: I tryied to do as suggested by BHA but when I do the call in this way I obtain this unknown protocol error:
$ curl -k https://XXX.YYY.ZZZ.WWW:8280/meteo_forecast_weekly_v2/location/1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Into the WSO2 stacktrace I obtain this error log:
TID: [-1] [] [2017-11-14 14:46:00,107] ERROR {org.apache.synapse.transport.passthru.SourceHandler} - HttpException occurred {org.apache.synapse.transport.passthru.SourceHandler}
org.apache.http.ProtocolException: Invalid request line: ü8Ò�;Cá©h0ß©�ø_¹i°eõ»Ê.,q5© À0À,À(À$ÀÀ
at org.apache.http.impl.nio.codecs.AbstractMessageParser.parse(AbstractMessageParser.java:208)
at org.apache.synapse.transport.http.conn.LoggingNHttpServerConnection$LoggingNHttpMessageParser.parse(LoggingNHttpServerConnection.java:407)
at org.apache.synapse.transport.http.conn.LoggingNHttpServerConnection$LoggingNHttpMessageParser.parse(LoggingNHttpServerConnection.java:381)
at org.apache.http.impl.nio.DefaultNHttpServerConnection.consumeInput(DefaultNHttpServerConnection.java:265)
at org.apache.synapse.transport.http.conn.LoggingNHttpServerConnection.consumeInput(LoggingNHttpServerConnection.java:114)
at org.apache.synapse.transport.passthru.ServerIODispatch.onInputReady(ServerIODispatch.java:82)
at org.apache.synapse.transport.passthru.ServerIODispatch.onInputReady(ServerIODispatch.java:39)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:113)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.http.ParseException: Invalid request line: ü8Ò�;Cá©h0ß©�ø_¹i°eõ»Ê.,q5© À0À,À(À$ÀÀ
at org.apache.http.message.BasicLineParser.parseRequestLine(BasicLineParser.java:287)
at org.apache.http.impl.nio.codecs.DefaultHttpRequestParser.createMessage(DefaultHttpRequestParser.java:119)
at org.apache.http.impl.nio.codecs.DefaultHttpRequestParser.createMessage(DefaultHttpRequestParser.java:51)
at org.apache.http.impl.nio.codecs.AbstractMessageParser.parseHeadLine(AbstractMessageParser.java:156)
at org.apache.http.impl.nio.codecs.AbstractMessageParser.parse(AbstractMessageParser.java:206)
... 14 more
TID: [-1] [] [2017-11-14 14:46:00,113] INFO {org.apache.synapse.transport.passthru.SourceHandler} - Writer null when calling informWriterError {org.apache.synapse.transport.passthru.SourceHandler}
Why? What is the problem?
Yes, you only have to change protocol value. By default ESB uses it's default keystore which is in <ESB_HOME>/repository/reources/security/wso2carbon.jks. When you're in production it's recommended to change the default keystore.
WSO2 Identity Server - Tenant Admin Login failure - Error occurred while getting tenant user realm for tenant id
I have started facing problem with tenant admin login to the WSO2 Administrative console at random intervals. I am using the WSO2 Identity Server 5.1.0.
TID: [46] [] [2016-09-04 19:09:10,344] #tenant1.edu [46] [IS]ERROR {org.wso2.carbon.core.util.AnonymousSessionUtil} - Error occurred while getting tenant user realm for tenant id : 46
org.wso2.carbon.registry.core.exceptions.RegistryException: Error occurred while getting tenant user realm for tenant id : 46
at org.wso2.carbon.registry.core.jdbc.EmbeddedRegistryService.getUserRealm(EmbeddedRegistryService.java:441)
at org.wso2.carbon.core.util.AnonymousSessionUtil.getRealmByTenantDomain(AnonymousSessionUtil.java:133)
at org.wso2.carbon.core.services.authentication.AuthenticationAdmin.login(AuthenticationAdmin.java:92)
at sun.reflect.GeneratedMethodAccessor108.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
Caused by: org.wso2.carbon.user.core.UserStoreException: Error occurred while getting tenant user realm for tenant id : 46
at org.wso2.carbon.user.core.common.DefaultRealmService.getTenantUserRealmInternal(DefaultRealmService.java:193)
at org.wso2.carbon.user.core.common.DefaultRealmService.access$000(DefaultRealmService.java:60)
at org.wso2.carbon.user.core.common.DefaultRealmService$1.run(DefaultRealmService.java:153)
at org.wso2.carbon.user.core.common.DefaultRealmService$1.run(DefaultRealmService.java:150)
at java.security.AccessController.doPrivileged(Native Method)
at org.wso2.carbon.user.core.common.DefaultRealmService.getTenantUserRealm(DefaultRealmService.java:150)
at org.wso2.carbon.registry.core.jdbc.EmbeddedRegistryService.getUserRealm(EmbeddedRegistryService.java:436)
... 67 more
Caused by: org.wso2.carbon.user.core.UserStoreException: Error while reading realm configuration from file
at org.wso2.carbon.user.core.config.RealmConfigXMLProcessor.buildTenantRealmConfiguration(RealmConfigXMLProcessor.java:230)
at org.wso2.carbon.user.core.tenant.JDBCTenantManager.getTenant(JDBCTenantManager.java:323)
at org.wso2.carbon.user.core.tenant.JDBCTenantManager.getTenant(JDBCTenantManager.java:53)
at org.wso2.carbon.user.core.common.DefaultRealmService.getTenantUserRealmInternal(DefaultRealmService.java:172)
... 73 more
Caused by: org.wso2.carbon.CarbonException: Error in building Document
at org.wso2.carbon.utils.CarbonUtils.replaceSystemVariablesInXml(CarbonUtils.java:1082)
at org.wso2.carbon.user.core.config.RealmConfigXMLProcessor.preProcessRealmConfig(RealmConfigXMLProcessor.java:241)
at org.wso2.carbon.user.core.config.RealmConfigXMLProcessor.buildTenantRealmConfiguration(RealmConfigXMLProcessor.java:211)
... 76 more
Caused by: java.lang.NullPointerException
at org.apache.axiom.om.impl.dom.jaxp.DocumentBuilderFactoryImpl.newDocumentBuilder(DocumentBuilderFactoryImpl.java:93)
at org.wso2.carbon.utils.CarbonUtils.replaceSystemVariablesInXml(CarbonUtils.java:1078)
... 78 more
TID: [46] [] [2016-09-04 19:09:10,345] #tenant1.edu [46] [IS]ERROR {org.wso2.carbon.core.services.authentication.AuthenticationAdmin} - System error while Authenticating/Authorizing User : Error occurred while getting tenant user realm for tenant id : 46
TID: [-1234] [] [2016-09-04 19:09:10,895] ERROR {org.apache.catalina.core.ApplicationDispatcher} - Servlet.service() for servlet bridgeservlet threw exception
java.lang.NullPointerException
TID: [-1234] [] [2016-09-04 19:09:10,896] ERROR {org.apache.tiles.servlet.context.ServletTilesRequestContext} - Servlet Exception while including path
org.apache.jasper.JasperException: org.apache.jasper.JasperException: Unable to compile class for JSP
at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:549)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:378)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at org.wso2.carbon.ui.JspServlet.service(JspServlet.java:155)
at org.wso2.carbon.ui.TilesJspServlet.service(TilesJspServlet.java:80)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
During this time I can login to the WSO2 Administrative console using the super admin account. However, all the tenant admin logins are failing. The issue goes away once the identity server is restarted.
Any help in this regard is appreciated.
This issue is already identified with[1] and fixed for 5.2.0. Can you try with a latest pack and see if you can reproduce this? [1] https://wso2.org/jira/browse/IDENTITY-5030 [2] https://wso2.org/jenkins/view/All%20Builds/job/product-is_release-productis-5.2.0/org.wso2.is$wso2is/
WSO2 API Manager 1.10 redirect to carbon or publisher
I have 2 stores nodes, 2 publisher nodes, 2 gateway workers, 1 Gateway Manager. The workers nodes and Gateway Manager uses a SVN Deployment Synchronizer. All machine has a apache doing a reverse proxy. I added a CA certificate using [1], except creating a own key store.
When I publish a api at Publisher node and try get it at worker node, all calling is redirecting to carbon. So, when I try [2] I receve [3].
WORKER1
CATALINA-server.xml:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9443"
proxyPort="443"
bindOnInit="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
maxHttpHeaderSize="8192"
acceptorThreadCount="2"
maxThreads="250"
minSpareThreads="50"
disableUploadTimeout="false"
enableLookups="false"
connectionUploadTimeout="120000"
maxKeepAliveRequests="200"
acceptCount="200"
server="WSO2 Carbon Server"
clientAuth="false"
compression="on"
scheme="https"
secure="true"
SSLEnabled="true"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
keystorePass="wso2carbon"
URIEncoding="UTF-8"/>
Carbon.xml
...
<HostName>apigateway.serpro.gov.br</HostName>
<MgtHostName>apigateway.serpro.gov.br</MgtHostName>
...
<ServerURL>local:/${carbon.context}/services/</ServerURL>
...
<DeploymentSynchronizer>
<Enabled>true</Enabled>
<AutoCommit>false</AutoCommit>
<AutoCheckout>true</AutoCheckout>
<RepositoryType>svn</RepositoryType>
<SvnUrl>http://<manager ip>/repos/wso2</SvnUrl>
<SvnUser><user></SvnUser>
<SvnPassword><password></SvnPassword>
<SvnUrlAppendTenantId>true</SvnUrlAppendTenantId>
</DeploymentSynchronizer>
...
api-manager.xml
...
<KeyValidatorClientType>WSClient</KeyValidatorClientType>
...
<RevokeAPIURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeAPIURL>
...
[1] - http://wso2.com/library/knowledge-base/2011/08/adding-ca-certificate-authority-signed-certificate-wso2-products/
[2] - https://apigateway.serpro.gov.br/calc/1.0/divide?x=2&y=1
[3] - https://apigateway.serpro.gov.br/carbon/admin/login.jsp
The problem was the apache configuration. I find it at [1] All APIManager configuration was works very well. At Apache ,all calling for "/" will be redirect to :9443/ Now works well. [1] - https://docs.wso2.com/display/CLUSTER420/Configuring+Apache+Httpd
Java Security error when overriding doGetExternalRoleListOfUser in WSO2 IS
I am overriding the method doGetExternalRoleListOfUser of the class classActiveDirectoryUserStoreManager in WSO2 IS. I do this to make IS return Active Directory nested group of a user since IS just return "direct" groups of a user as OOB feature.
The code is quite simple, but when we consume the IS service getUserClaimValues to check the information of a user, I get the following soapFault error:
<soapenv:Fault>
<faultcode>soapenv:Server</faultcode>
<faultstring>Error occurred while accessing Java Security Manager Privilege Block</faultstring>
<detail>
<ns:RemoteUserStoreManagerServiceUserStoreException xmlns:ns="http://service.ws.um.carbon.wso2.org">
<UserStoreException xsi:type="ax2656:UserStoreException" xmlns="http://service.ws.um.carbon.wso2.org" xmlns:ax2657="http://api.user.carbon.wso2.org/xsd" xmlns:ax2656="http://core.user.carbon.wso2.org/xsd" xmlns:ax2664="http://tenant.core.user.carbon.wso2.org/xsd" xmlns:ax2660="http://dao.service.ws.um.carbon.wso2.org/xsd" xmlns:ax2662="http://common.mgt.user.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</ns:RemoteUserStoreManagerServiceUserStoreException>
</detail>
</soapenv:Fault>
the following log appears in IS log:
ERROR {org.wso2.carbon.user.core.common.AbstractUserStoreManager} - Error occurred while accessing Java Security Manager Privilege Block
ERROR {org.wso2.carbon.identity.user.profile.ui.client.UserProfileCient} - org.apache.axis2.AxisFault: org.apache.axis2.databinding.ADBException: Unexpected subelement {http://base.identity.carbon.wso2.org/xsd}code
The code is quite simple, just access to Active Directory to retrieve nested group of each group of the user, returning it in a String []
This is the debug log:
[2016-06-30 11:15:03,736] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user 00269097C
[2016-06-30 11:15:03,737] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - value after escaping special characters in 00269097C : 00269097C
[2016-06-30 11:15:03,784] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user with SearchFilter: (&(objectClass=person)(cn=00269097C)) in SearchBase:
[2016-06-30 11:15:03,810] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Name in space for 00269097C is CN=00269097C,OU=Usuarios,DC=dc1,DC=dc2,DC=and
[2016-06-30 11:15:03,811] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: 00269097C exist: true
[2016-06-30 11:15:03,859] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user with SearchFilter: (&(objectClass=person)(cn=00269097C)) in SearchBase:
[2016-06-30 11:15:03,860] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :streetAddress
[2016-06-30 11:15:03,861] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :mail
[2016-06-30 11:15:03,861] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :sn
[2016-06-30 11:15:03,862] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :organizationName
[2016-06-30 11:15:03,863] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :telephoneNumber
[2016-06-30 11:15:03,863] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :role
[2016-06-30 11:15:03,863] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :profileConfiguration
[2016-06-30 11:15:03,864] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :givenName
[2016-06-30 11:15:03,864] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :im
[2016-06-30 11:15:03,865] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :url
[2016-06-30 11:15:03,865] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :country
[2016-06-30 11:15:03,866] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :mobile
[2016-06-30 11:15:03,891] DEBUG {org.wso2.carbon.user.core.common.AbstractUserStoreManager} - Retrieving internal roles for user name : 00269097C and search filter *
[2016-06-30 11:15:03,893] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user 00269097C
[2016-06-30 11:15:03,893] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - value after escaping special characters in 00269097C : 00269097C
[2016-06-30 11:15:03,942] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user with SearchFilter: (&(objectClass=person)(cn=00269097C)) in SearchBase:
[2016-06-30 11:15:03,968] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Name in space for 00269097C is CN=00269097C,OU=Usuarios,DC=dc1,DC=dc2,DC=and
[2016-06-30 11:15:03,969] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: 00269097C exist: true
[2016-06-30 11:15:04,088] ERROR {org.wso2.carbon.user.core.common.AbstractUserStoreManager} - Error occurred while accessing Java Security Manager Privilege Block
[2016-06-30 11:15:04,095] ERROR {org.wso2.carbon.identity.user.profile.ui.client.UserProfileCient} - org.apache.axis2.AxisFault: org.apache.axis2.databinding.ADBException: Unexpected subelement {http://base.identity.carbon.wso2.org/xsd}code
Any help?
I have found out that it might be that the IS web service client is not up-to-date and that causes the validation error shown. Could it be possible? How can I find that client and version?
Spring security does not allow me to re-login t oaccounts that were logged out
I can easily log in any user into my application, but once I log out I can not log in with the same user again. So I need to re-run the application to be able to log in with that account. When I try to log-in for the second time it shows the following message which is supposed to be shown against concurrent accesses. Maximum sessions of 1 for this principal exceeded. Logout <a href="<c:url value="/j_spring_security_logout" />" > Logout</a> myproject-security.xml <session-management invalid-session-url="/index"> <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> </session-management> <logout delete-cookies="JSESSIONID,User,UserID"/> </http>
I included the following codes into my web.xml <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <listener> <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class> </listener>