500 internal error with WSO2 cloud - wso2

I've been trying to integrate SAML with WSO2 cloud.
I have some successful experience with other vendors like OneLogin, Okta and PingOne.
But I get an obscure 500 error with WSO2.
I get a 500 error with every request I try.
I don't need much - just a SAMLRequest format that will work for WSO2.
For example, now I'm passing:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest ID="z9dac5520-d4a4-4da9-b71a-483948c1655c" IssueInstant="2017-04-29T08:40:39.677Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>
  <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>
I deflate, Base64-encode and URL-encode it.
I tried different variations but nothing works.
Thanks

The request has no value for the Issuer element. Why would any IDP accept a request from an unidentified SP? You need to use a value that identifies the SP and that was previously registered out-of-band with the IDP.

Can you explain a bit more what you are trying to do here? Is that to enable SAML-based authentication via WSO2 cloud for one of your applications? If that is the scenario, you need to log in to Identity Cloud [1] and configure a service provider as described in [2]. Only then can you send a SAML request to Identity Cloud for authentication.
[1] https://identity.cloud.wso2.com
[2] https://docs.wso2.com/display/IdentityCloud/Configuring+SSO+for+Custom+Applications
Once the service provider is configured to accept SAML requests as described in the previous links, you can send a standard SAML request to Identity Cloud. A sample SAML request is given below. Note that the AssertionConsumerServiceURL, Destination and Issuer attributes should be changed as relevant for you. Each tenant gets a separate SSO service URL, which is in the format "https://identity.cloud.wso2.com/identity/t/{TenantDomain}". This will be the value for "Destination" in the SAML request.
<samlp:AuthnRequest AssertionConsumerServiceURL="http://apps.com/travelocity/home.jsp"
                    Destination="https://identity.cloud.wso2.com/identity/t/demo1org"
                    ForceAuthn="false"
                    ID="a9b1b4992f048bb1004677207cc97097a73e47cdaf4ba21360ef8cf38dc76702"
                    IsPassive="false"
                    IssueInstant="2017-05-02T12:59:45.409Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">wso2App1-wso2org-1.0</samlp:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true"
                       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                       SPNameQualifier="Issuer"
                       xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <saml2p:RequestedAuthnContext Comparison="exact"
                                xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
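An added example (not from the question or either answer) that builds an AuthnRequest the way the two answers describe, refusing an empty Issuer, and then applies the deflate/Base64/URL-encode step from the question for the HTTP-Redirect binding, with the inverse decoder so the encoding can be verified. The entity ID and URLs are taken from the sample above; POSTED_REQUEST is the asker's own request, kept to show that its Issuer is empty.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import quote, unquote
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def issuer_of(xml_text):
    """Return the trimmed Issuer text of an AuthnRequest, or "" when it is absent or empty."""
    el = ET.fromstring(xml_text).find(f"{{{SAML}}}Issuer")
    return (el.text or "").strip() if el is not None else ""


def build_authn_request(issuer, destination, acs_url, issue_instant=None, request_id=None):
    """Serialize a minimal AuthnRequest; issuer is the SP entity ID registered with the IdP."""
    if not issuer or not issuer.strip():
        raise ValueError("empty Issuer: the IdP cannot tell which registered SP is asking")
    instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,  # xs:ID must start with a letter or underscore
        "Version": "2.0", "IssueInstant": instant, "Destination": destination,
        "ProtocolBinding": HTTP_POST, "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy", {"Format": NAMEID_UNSPECIFIED, "AllowCreate": "true"})
    return ET.tostring(root, encoding="unicode")


def encode_redirect(xml_text):
    """SAMLRequest query value for HTTP-Redirect: raw DEFLATE (no zlib header), Base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # negative wbits selects a raw deflate stream
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect(param):
    """Inverse of encode_redirect, i.e. what the IdP does with the query parameter."""
    return zlib.decompress(base64.b64decode(unquote(param)), -15).decode("utf-8")


# The request quoted in the question: the Issuer element is present but carries no value.
POSTED_REQUEST = (
    '<saml2p:AuthnRequest ID="z9dac5520-d4a4-4da9-b71a-483948c1655c" Version="2.0" '
    'xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/></saml2p:AuthnRequest>')
```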

Related

Use the SAML attribute ForceAuthn with Google IdP

Actually, we use Google IdP as an SSO / SAML authentication type for our application.
We have configured it to connect our users to our application and it works fine.
But recently, we have also wanted to ask our users to reauthenticate for different actions that could happen during the application lifecycle.
In more detail, when we send a SAML request to the Google IdP, we add the attribute ForceAuthn="true" in the node "AuthnRequest" and we also add an AuthnContextClassRef to ask explicitly that we want a reauthentication by credentials.
When we send this SAML request to the Google IdP, the problem is that the IdP server doesn't ask the end user for credentials and redirects directly to the application with a successful response.
Is that normal?
Does the Google IdP support the attribute ForceAuthn="true"?
I didn't find any documentation on this topic.
Here is an example of the SAML request that has been sent to the IdP:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    Version="2.0"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="#url_sp"
                    ID="#id"
                    IssueInstant="2021-05-31T15:34:19Z"
                    Destination="https://accounts.google.com/o/saml2/idp?idpid=#id"
                    ProviderName="#ip"
                    IsPassive="false"
                    ForceAuthn="true">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">#url_sp</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    #signature_info
  </Signature>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Official answer from Google support: "Google doesn't currently implement Single Log out/account reauthentication, for SAML authorized services. You may alternatively have the use of 'session lengths'."
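An added example, not part of the question above, of how an SP can detect the behaviour described: when a ForceAuthn="true" request comes back with an assertion whose AuthnInstant predates the request's IssueInstant, the IdP reused an existing session rather than re-prompting for credentials. The Response skeleton is constructed and unsigned; in a real SP this check runs after signature validation, and the element names are the standard SAML 2.0 ones.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC such as 2021-05-31T15:34:19Z (fractional seconds allowed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def forceauthn_honored(response_xml, request_issue_instant, requested_class_ref=PPT):
    """Decide whether the IdP really re-authenticated the user for a ForceAuthn="true" request.

    Returns (ok, reason). An AuthnInstant older than our request means the IdP reused an
    existing session; a different AuthnContextClassRef means Comparison="exact" was not honoured.
    """
    root = ET.fromstring(response_xml)
    stmt = root.find(f".//{{{SAML}}}AuthnStatement")
    if stmt is None or not stmt.get("AuthnInstant"):
        return False, "no AuthnStatement/AuthnInstant in response"
    authn_at = parse_instant(stmt.get("AuthnInstant"))
    sent_at = parse_instant(request_issue_instant)
    if authn_at < sent_at:
        return False, (f"AuthnInstant {stmt.get('AuthnInstant')} predates request "
                       f"{request_issue_instant}; existing session was reused")
    ref = stmt.find(f"{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef")
    got = (ref.text or "").strip() if ref is not None else ""
    if got != requested_class_ref:
        return False, f"AuthnContextClassRef {got or '(missing)'} != requested {requested_class_ref}"
    return True, "fresh authentication with the requested context"


def sample_response(authn_instant, class_ref=PPT):
    """Constructed, unsigned Response skeleton carrying only the elements this check inspects."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">'
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:AuthnStatement AuthnInstant="{authn_instant}">'
        f'<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>'
        '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>')
```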

WSO2 add assertions in SAML request

Does anyone know how to add additional assertions in a SAML request to a federated IdP? The problem is that there is no NameID in the SAML request:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest AssertionConsumerServiceURL="https://testserver.domain.local:9443/commonauth"
                    Destination="https://idp.eu.safenetid.com/auth/realms/XXXXXXXXXX-STA/protocol/saml"
                    ForceAuthn="true"
                    ID="_b53cdb3765c8b92fa51d6079a061deaf"
                    IsPassive="false"
                    IssueInstant="2021-02-03T10:45:48.275Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">WSO2</samlp:Issuer>
  <saml2p:RequestedAuthnContext Comparison="exact"
                                xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
We configured a federated IdP - SafeNet - and want to use it as second-factor auth.
I configured 2 steps in the SP where the first step is basic auth and the second step is the federated IdP - SafeNet (Saml2webSSO). But, as you can see, WSO2 does not include a NameID in the request and the username is not populated on the SafeNet login page. Maybe we can, somehow, configure what to include in the SAML request?
You can enable the NameID Policy in the authentication request by enabling the Include NameID Policy configuration in your IdP configuration (Identity Provider > Federated Authenticators > SAML2 Web SSO Configuration).
You can add the requested NameID policy as well in the NameID format config.

In WSO2 IS 5.9.0 how to configure Password Policies And Login Policies with help of an API?

I need to find the REST/SOAP API for Password Policies (Password History and Password Pattern) and Login Policies (Account Locking and Account Disabling).
I am using WSO2 IS 5.9.0.
I am creating a multi-tenant environment with WSO2. I am able to perform all the steps from code but am not able to find an API for these two settings.
I have to do this manually for now, but this is just a workaround and I need to figure out the WSO2 APIs for these.
I need a curl request or documentation for the APIs for these 2 settings.
From WSO2 IS 5.10.0 onwards there is a REST API to update these configurations.
However, in 5.9.0 and before, only SOAP APIs are available. You can use the https://localhost:9443/services/IdentityGovernanceAdminService SOAP service for this purpose. There are 2 operations available in this service: getConnectorList and updateConfigurations.
You can use getConnectorList to find the available connectors and their property names. Then you can use the updateConfigurations operation to update a property value. The message body would look like the one below to update the Password History validation count configuration.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:gov="http://governance.identity.carbon.wso2.org" xmlns:xsd="http://model.common.application.identity.carbon.wso2.org/xsd">
  <soapenv:Header/>
  <soapenv:Body>
    <gov:updateConfigurations>
      <gov:configurations>
        <xsd:name>passwordHistory.count</xsd:name>
        <xsd:value>6</xsd:value>
      </gov:configurations>
    </gov:updateConfigurations>
  </soapenv:Body>
</soapenv:Envelope>

WSO2IS does not respect the requested GET binding in SAML2

The SAML2 request is sent to WSO2 Identity Server with HTTP-GET binding, but it still POSTs the response. Any idea to let WSO2IS respect the request?
[2014-03-06 17:52:25,961] DEBUG {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Request message <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_73d5b9c1-d448-4076-9e9d-98767f1e2a2d" Version="2.0" IssueInstant="2014-03-06T17:52:21" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-GET" AssertionConsumerServiceURL="http://host.tld/java-saml/consume.jsp"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://host.tld/java-saml/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" AllowCreate="true"></samlp:NameIDPolicy><samlp:RequestedAuthnContext Comparison="exact"></samlp:RequestedAuthnContext><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:AuthnRequest>
results in Firefox:
You are now redirected back to http://host.tld/java-saml/consume.jsp If the redirection fails, please click the post button.
Any idea how to fix it? Do I need to configure something in the request or in WSO2IS?
Yes. It must be the expected behavior: the SAML response must be sent as POST from the IdP to the SP (it cannot use HTTP Redirect). It is defined in the specification. Please check the SAML profiles spec. WSO2 Identity Server may not support Artifact binding, therefore it does HTTP POST.
The identity provider issues a <Response> message to be delivered by the user agent to the service provider. Either the HTTP POST, or HTTP Artifact binding can be used to transfer the message to the service provider through the user agent. The message may indicate an error, or will include (at least) an authentication assertion. The HTTP Redirect binding MUST NOT be used, as the response will typically exceed the URL length permitted by most user agents.
I guess the POST button and the page that you showed can be changed and modified.

Unable to publish service with https endpoint in WSO2 API Manager

I'm trying to publish the WSO2 Message Broker services using the WSO2 API Manager.
If I enter the Message Broker URL containing https:// in the Publisher and validate the endpoint, it returns 'Invalid'. I can save the API however. Specifying http:// results in a valid endpoint.
Using SoapUI to test the EventBrokerService gives a valid response (status 202) accessing the Message Broker directly. Via the API Manager I get a soap:Fault:
<soapenv:Fault>
  <faultcode xmlns:axis2ns6="http://schemas.xmlsoap.org/soap/envelope/">axis2ns6:Server</faultcode>
  <faultstring>Error in Sender</faultstring>
</soapenv:Fault>
Any pointers?
This seems to be a hostname verification failure. So when you publish an API through API Manager you need to set the HostnameVerifier parameter in <APIM_HOME>/repository/conf/axis2/axis2.xml:
<parameter name="HostnameVerifier">AllowAll</parameter>
Please refer to https://docs.wso2.org/display/AM140/Creating+an+API for more information.