I am trying to use wso2 SSO. I have set the SP in carbon and set the assertion url like this
Here assertion url is like this http://example.com/acs. Now when trying to login on the SSO login screen i keep getting the below message
TID: [-1234] [] [2017-10-31 20:14:14,381] ERROR
{org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor}
- ALERT: Invalid Assertion Consumer URL value 'http://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp'
in the AuthnRequest message from the issuer 'simplesaml1'. Possibly
an attempt for a spoofing attack
Here example.com is same as the domain i used in the image. I have used example.com only because stackoverflow doesnt let me add that domain name.
Can anyone kindly let me know from where wso2 keep reading that url. Its not in metadata also. Also why that url is invalid? Any help will be appreciated.
This complaint is about that the assertion consumer URL of the SAML request is different from the provided URL of the Identity Server. Please check the assertion consumer URL of the SAML request from the service provider.
Related
I have created an custom authentication endpoint, like https://www.custom-auth.localpc, which is being redirect to by WSO2 when i try to login.
However, when I click in OK and send the POST back to http://localhost:9443/commonauth, WSO2 replies with a 302 that redirects to http://localhost:9443/https://www.custom-auth.localpc?loginStatus=true.
When I checked the console log, I found the following error:
ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Exception in Authentication Framework
org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException: No authenticator can handle the request in step : 1
The service provider that requests the login is correctly configured because it works with WSO2 default authentication endpoint.
Any thought on this?
So, the issue was quite simplier that I thought. The redirects from wso2 were more of a misdirection.
So, when submitting the data, the field username and password must be lowercase.
Any issue found with the post data, it redirects with a 302 to the carbon login page.
I think this may happen because of the canHandle() method. you can refer other custom authenticators which are using external endpoint and try these are how handle the request.
I've been trying to configure WSO2is to accept a SAML auth request from Spring Security and pass it along to an external IDP for authentication. I've configured the SP and IDP on WSO2 correctly enough to have my request be redirected to SSOCircle, but when Circle sends the SAML response back to WSO2 it gives a "Not a valid SAML 2.0 Request Message!" error page. Which this makes sense as it's not a request being sent to the server.
I think my problem revolves around the AssertionConsumerService in the metadata I've uploaded to Circle "https://MyLocalHost:8080/samlsso" which is the url for the Resident Identity Provider. I've been hunting around different end point to use for, but have not been find anything.
The closest I've been able to get was following the example here https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0 but this appears to be used for just logging into the WSO2 server itself.
EDIT after changing the endpoint to commonauth
Here are the logs after the request lands on the server.
DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - SAMLSSOAuthenticator returned: INCOMPLETE {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler}
DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - SAMLSSOAuthenticator is redirecting {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler}
DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Step is not complete yet. Redirecting to outside. {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler}
DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Session data key is null in the request {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
I have a WSO2 Identity Server installed (SP1 included) and I was doing some integration tests with Liferay. I was able to do saml sso login without any problem (with included attributes), but then I installed the critical patch 1256 and it doesn't let me to sign on anymore.
Here's what the log says:
TID: [0] [IS] [2015-05-28 12:16:22,774] ERROR {org.wso2.carbon.identity.sso.saml.builders.assertion.DefaultSAMLAssertionBuilder} - Error when reading claim values for generating SAML Response {org.wso2.carbon.identity.sso.saml.builders.assertion.DefaultSAMLAssertionBuilder}
TID: [0] [IS] [2015-05-28 12:16:22,775] ERROR {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - Error processing the authentication request {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor}org.wso2.carbon.identity.base.IdentityException: Error while building the saml assertion
I was trying to figure out what could change between patches. When I delete all requested claims or deactivate the option " Include Attributes in the Response Always" it has no problem at all, but it doesn't work for me that way.
Thanks in advance
Did you change the Subject Claim URI? By default it is not select... If this can be an bug in WSO2IS with above patch. I also see this error when i selecte the email address as the Subject Claim URI. There is public jira as well.
I have configured the sample travelocity.com webapp to work with saml2 SSO following link configure SSO web app
But when i try to login using account i get following error message on browser
Here is what i get in logs:
TID: [0] [IS] [2015-03-10 21:06:26,835] WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - Signature validation for Authentication Request failed. {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor}
After again i tried without restart of server i got this error:
TID: [0] [IS] [2015-03-10 20:30:51,261] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
I am not sure what is wrong. I have also installed latest service pack . I am using wso2is-5.0.0
Please help.
This same web application is working fine with WSO2IS. I have already tried out it..Details can be found from here as well
According to the error, it says Signature validation for Authentication Request failed it means that SAML2 Auth request that is sent by Web application has been signed and WSO2IS tries to validate the signature of it. WSO2IS does not validate the signature by default, you may have probably tick on following configuration in the SAML2 SSO configuration.
Enable Signature Validation in Authentication Requests and Logout Requests
Please verify it and un-tick it and see.
If you want to really validate the signature of SAML2 Auth requests, you need to tick it. Then you must chose the proper Certificate Alias value from the combo box. Please note proper value is NOT the wso2carbon.cert. Proper value is wso2carbon. Then it would work for you.
Second error may be related to browser cache, just clear the browser cache and try out.. (or open new browser)
Most probably this is a mismatch in the keystores.
Just copy
$WSO2IS/repository/resources/security/keystore.jks
To
$TOMCAT/saml2-web-app-pickup-dispatch.com/WEB-INF/classes
This way, both keystores are the same. Restart Tomcat and it should work fine.
The SAML2 request is sent to WSO2 Identity Server with HTTP-GET binding, but it still POSTs the response. Any idea to let WSO2IS respect the request?
[2014-03-06 17:52:25,961] DEBUG {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Request message <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_73d5b9c1-d448-4076-9e9d-98767f1e2a2d" Version="2.0" IssueInstant="2014-03-06T17:52:21" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-GET" AssertionConsumerServiceURL="http://host.tld/java-saml/consume.jsp"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://host.tld/java-saml/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" AllowCreate="true"></samlp:NameIDPolicy><samlp:RequestedAuthnContext Comparison="exact"></samlp:RequestedAuthnContext><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:AuthnRequest>
results in firefox:
You are now redirected back to http://host.tld/java-saml/consume.jsp If the redirection fails, please click the post button.
Any idea to fix it? In the request or in WSO2IS do I need to configure?
Yes.. It must be the expected behavior, SAML response must be sent as POST from IDP to the SP. (can not use HTTP Redirect) It is defined in the specification. Please check the saml-profile spec. WSO2 identity Server may not support for Artifact binding, therefore it does HTTP POST.
The identity provider issues a <Response> message to be delivered by the user agent to the service provider. Either the HTTP POST, or HTTP Artifact binding can be used to transfer the message to the service provider through the user agent. The message may indicate an error, or will include (at least) an authentication assertion. The HTTP Redirect binding MUST NOT be used, as the response will typically exceed the URL length permitted by most user agents.
I guess, POST button and the page that you shown can be changed and modified.