WSO2 IS 520/530 userInfo issue openid - wso2

Able to get only,
{"sub":"u003#tenant.com#carbon.super"}
Things done :
Not able to choose dialect in claim configuration in Wso2-IS 530
WSO2 IS 5.1.0 as OAuth/OIDC IdP response with different claims on UserInfo endpoint
Issue : https://wso2.org/jira/browse/IDENTITY-4463
Tried mapping claims & oidc etc .. nothing seems working : ref
Can some one help me out ?
Update:
call is made to
https://localhost:9443/oauth2/token?scope=openid
Environment is "milti-tenant", I am basically trying to getUserInfo who resides within a domain, not a user from admin.
For a valid token, even the claims are not being fetched under service calls..: reference Oauth2 validation

Related

WSO2 IS Custom claim dialect not passed to the Service Provider

I'm using WSO2 Identity Server version 5.10
I'm facing a strange behaviour. I configured some external IdPs (SAML2 based)
I configured claims returned by these IdPs with WSO2IS local claims. For example, let's suppose that my external IdP returns these SAML attribute name:
a, b and c I configured claim in this way:
External IdP Claim configuration
Identity Provider Claim URI
Local Claim URI
a
http://wso2.org/address
b
http://wso2.org/givenname
c
http://wso2.org/lastname
Then I defined a custom claim dialect in this way; let's call it custom_claim_dialect. I defined in it my claim mapping in this way:
Custom claim dialect
Dialect URI
Claim URI
Mapped Local Claim
custom_claim_dialect
a
http://wso2.org/address
custom_claim_dialect
b
http://wso2.org/givenname
custom_claim_dialect
c
http://wso2.org/lastname
Then I defined a Service Provider (Inbound configuration: SAML2 Web SSO) and I configured it by using these external IdPs
In my Service Provider I configured my claims by adding the custom dialectby specifying it in Service Provider Claim Dialect
Then I tried the access the access to the Service Provider. All worked pretty good just only the first time.
WSO2IS asks to me the consent for the claims and I can land on my authenticated page.
When I close the browser and clent cookies and I try again the access. All works good (no consent ask is showed by WSO2IS) but when I land on my private page no
attribute is contained in the SAML Response.
If i configure my ServiceProvider with WSO2IS local claims, all works good.
Is this correct? Am I missing anything?
Thank you
Angelo
UPDATE
I'm pretty sure it's a kind of bug.
I debugged till the class org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler
The org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler.handleClaimMappings(StepConfig, AuthenticationContext, Map<String, String>, boolean) returns the correct claims Map In fact I printed the following log:
INFO {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - Returning filtered claims {familyName=Surname, name=Example, dateOfBirth=1980-01-01, spidCode=ABCD123456789A, fiscalNumber=TINIT-SRNXPL80A41A662G, MultiAttributeSeparator=,} to SP mySP
In some point during the process WSO2 IS decides that this Map must not be used.
Any tip?
UPDATE 2
This picture shows how I configure my SP claims. As you can see I'm using a defined custom claim. When I define custom claim, I can't make claims mandatory
Did u try making these claims mandatory on the IS SP side? Making claims mandatory will ensure that u always receive the claim for the applications.
If caching is the problem then u can try to JIT provision the user[1]. This way we can save the claims from FIDP on the IS side. "Provision silently" is an easy option to check.
[1] https://is.docs.wso2.com/en/latest/learn/configuring-just-in-time-provisioning-for-an-identity-provider/

WSO2 Identity Server 5.0.0 Api for session management

Does WSO2 Identity Server has api for session management?
I have an app with SAML SSO.
What I would like to achieve is to check if for given saml token there is an active session.
Validity of the SAML token has nothing to do with validity of the user session.
In theory - when user does "logout", the identity server should execute SLO (single logout), however based on our experience with WSO2IS 5.0.0 it works only for limited number of options.
Since version 5.2.0 there's OpenID Connect Session Management implemented using iframes, see http://malithiedirisinghe.blogspot.be/2016/03/openid-connect-session-management.html
But generally - you will have hard time to synchronize session between multiple service providers and WSO2 IS. With the claim based authentication (SAML, OAuth 2.0) the sessions between the IdP and SP are independent. (the only option I've see when the IdP is working as the pass-through-proxy for backend SP, but that's not what WSO2IS is intended for)
In version WSO2IS 5.3.0 there should be "user session management" implemented, but I haven't worked with that yet (managing session for WSO2IS, not external SPs)
Seems like it does, you should investigate the documentation here and here, those links were provided by a WSO2 team member to me or ask directly to your local WSO2 office.

UserProfileMgtService is not able to find user in WSO2 IS 5.2.0

I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that are creating a cluster (using the WKA membership scheme and Load Balancer(AWS ELB) with sticky session enabled). I am using MySQL(not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines). I am also using the so called WSO2 IS Admin services.
As mentioned in the heading I am consuming the UserProfileMgtService
(https://url:port/services/UserProfileMgtService?wsdl).
In combination with it I am using OAuth2TokenValidationService
(https://url:port/services/OAuth2TokenValidationService?wsdl).
If I pass valid access token to the OAuth2TokenValidationService I am able to fill in with data OAuth2TokenValidationResponseDTO object by using the Validate method of the OAuth2TokenValidationService. As result I am able to extract the authorizedUser and pass it to the getUserProfile method of the UserProfileMgtService. I am using the standard carbon.super domain and I am using the email as username. For example I am passing the following two parameters to the getUserProfile:
"admin#admin.com#carbon.super" as username
"default" as profileName
And as result I receive the following message:
UserNotFound: User admin#admin.com#carbon.superdoes not exist in: PRIMARY
If I remove the "#carbon.super" from the authorizedUser, everything is fine and I am able to get the user profile information. This is quite important for me since I am using multitenancy of the IS and there is a case that I might have the following users:
admin#admin.com#test.net
admin#admin.com#test2.net
I noticed that this service was not working this way in WSO2 IS 5.0.0. I started experiencing this issue after the upgrade.
Is this a desired behavior and is introduced because of the change in the API in IS 5.2.0? If so is there another way to be able to get the user profile using the "username"+"tenant-domain"(that is retrieved by the OAuth2TokenValidationService as authorized user when passing valid access token).
Is it possible that this is caused because of misconfiguration? If so which is the file that needs to updated and what exactly should be modified in it?
Is there a place where more information could be retrieved for the WSO2 IS 5.2.0 Admin Services?
Thanks in advance.
UserProfileMgtService in Identity Server is an Admin Service. In WSO2 Admin Services, the tenant domain is identified by authenticated user and it should not pass with username.
username should be tenant free username.
So, you can remove carbon.super portion from the username and then it will work.
In tenant setup, you need to authenticate with a tenant user (Ex admin#admin.com#test.net) in order to access these API. So, like in the super tenant, you can use tenant free username and then it will work.
For example, if you want to get user profile of user : testuser#admin.com in tenant domain test.net, your request should be like bellow image.
Thanks
Isura.

Configuring Single Sign-On Across Stratos

I have a situation where I need to setup a standalone version of wso2 Identity Server and have that act as the SSO provider into all of the products in Stratos.
Currently I have Stratos Identity Server configured so that I can login via the standalone Identity Server, using admin.
However, if I use another user I either
get a "Authorization Failure"
or cannot login.
First Question
1) I have the same user created in both Identity Server (that is not admin). Why would I get the "Authorization Failure" ?
Second Question
2) Why is it I can not even get to the "Authorization Failure" problem if I have a user created with username in format of user#domain.com ?
UPDATE:
I figured out that if I remove the property tags in user-mgt.xml that reference the usernames with regular expressions I am able to create usernames in the format of name#domain.com. But I am still unable to use that username to login, the error log says that the account has not been activated.
I also created two instances of wso2 identity server and configured them in such a way to test being able to use one to login to the other. I was able to do this by making sure that the same username and password was in both servers list of users. This way I do not get the "Authorization Failure"
The answers I came up with.
1. I need to have the same username and password in each Identity Server.
2. I cannot have format name#domain.com unless I have Multi-tenancy configured. Otherwise wso2 will try to find the ACTIVATE field in the Tenant table and not find it.
UPDATE: I got this installed and configured and it turned out that I now get another error about
Issuer details are not valid. Issuer details should be registered in advance
So my answer turned out not to to be valid.
I wonder why I get this new login failure?
UPDATE RESOLVED!!:
I resolved this problem by downloading just the wso2 stratos IS 1.5.2 package. I installed it. Configured with same configuration I was using before. Now I can login without problems across domains.

WSO2 Identity Server: Cannot use custom claims with OAuth2

We've Installed Pre-Packaged Identity Server 5.1.0 with API Manager 1.10.0 and use sqlserver as a data store.
We use OAUTH2 to authorize our API's and we want to map our local claims to a service provider (an application?). Behind the API we have a .Net Wcf Service with some logging where we read the header with WebOperationContext.Current.IncomingRequest.Headers["assertion"] and print the claims which are present.
The Claims which are returned are:
{"iss":"wso2.org/products/am"
"exp":1462357259751
"wso2url/claims/subscriber":"Sjaak"
"wso2url/claims/applicationid":"1003"
"wso2url/claims/applicationname":"DefaultApplication"
"wso2url/claims/applicationtier":"Medium"
"wso2url/claims/apicontext":"/Test/v1.0"
"wso2url/claims/version":"v1.0"
"wso2url/claims/tier":"Silver"
"wso2url/claims/keytype":"PRODUCTION"
"wso2url/claims/usertype":"APPLICATION"
"wso2url/claims/enduser":"Sjaak#carbon.super"
"wso2url/claims/enduserTenantId":"-1234"
"wso2url/claims/emailaddress":"sjakie#chocola.nl"
"wso2url/claims/givenname":"Sjakie"
"wso2url/claims/lastname":"van de Chocoladefabriek"
"wso2url/claims/role":"Internal/subscriber
Internal/everyone
Application/Sjaak_DefaultApplication_PRODUCTION"}
Where wso2url is http://wso2.org, but we cannot post this, because I don't have 10 reputation points...:(
The information in these claims is good, but only we want to use our own uri, so not wso2.org, but myorg.com. And we want to add other claims, with for example our own userId and some other stuff.
Among other things we have followed the guide for configuring claims for a service provider but had no success with this. We have made the assumption that an application is a service provider for which we can use the claims.
Has anyone got an idea what we are doing wrong? What do we need to do to add custom claims?
Thanks in advance!
[Added on 9th may]
Maybe this can point us in the right direction?
When we add a subscription to an application and we generate a new key than there is no new Service provider in the list:
The list of service provider without a new one for user Sjaak, so there is missing: Sjaak_CalculatorApp_PRODUCTION
But even when we do this for user admin the claims are not coming through. We have the following claim configuration and in my logging still the same claims as described above are there, no new ones, so no claim named accountnaam and no voogd.com uri:
Service Provider(SP) - It provides services to some end users and relies on a trusted Identity provider(IDP) to handle authentication and authorization for them. SP may use multiple protocols(Oauth2, SAML2, etc.) to communicate with IDP.
Claims are defined for SP, since same claims can be send over different protocols. In the default case, Identity server uses wso2 claim dialect(start with wos2.com) for claims. If you want a different claim dialect than this, use "Define Custom Claim Dialect" option in the service provider configuration. In there you can map wso2 claims(Local Claim) to your own claims(Service Provider Claim).