We have done WSO2 IS configurations with multiple LDAPs with multiple clients successfully before. This time with a new client we are getting an error as show in image. "Error occured while getting all user claims for ... in carbon.super.
The case is we have created a service and mapped custom claims to map to LDAP. The issue is with a field mapped with http://wso2.org/claims/role attribute . If we remove this attribute from the custom claims the error goes away.
But we are using roles in business logic(Internal roles created in WSO2) which we get as null in case we remove this attribute.
We want to know the solution. Is there some change required at LDAP side ? Or how we can achieve the roles without mapping as a claim with LDAP?
Related
I'm setting up OIDC provider for Cognito User pool. The open id connect service I'm using is Paypal. At the step where paypal issues code and redirects to cognito's /oauth2/idpresponse endpoint after which cognito is supposed to exchange the code for access token, I'm receiving "Exception processing authorization code" error. As you can see the error message is not very discriptive.
I have no idea what I'm doing wrong. I did setup open id connect properly. Setup client settings in cognito and etc.
These are the endpoints I'm using for openid connect:
https://www.sandbox.paypal.com/signin/authorize
https://api.sandbox.paypal.com/v1/identity/openidconnect/tokenservice
https://api.sandbox.paypal.com/v1/oauth2/token/userinfo
https://api.sandbox.paypal.com/v1/oauth2/certs
In app client settings I have auth code grant flow and implicit flow enabled. I have custom domain setup. I provided paypal client id and secret
My guess is if I'm able to somehow debug idpresponse endpoint I should be able to solve the problem. Is there any way to do that? Maybe cloudwatch?
I don't know about debugging Cognito's endpoints, but I had the same problem and fixed it by doing the following:
Go to your User Pool in AWS.
In the side navigation under Federation, select Attribute mapping.
Click the tab of the identity provider you're having issues with (in my case it was Google).
There should be three columns, Capture, Google attribute, and User pool attribute. Make sure all of the attributes that are checked in the Capture column are mapped to an attribute in the User pool attribute column.
UPDATE:
After submitting this answer, I realized that the checkboxes in the Capture column are not checked by default. If you marked any attributes as required in the Attributes section of your user pool, then you need to map those attributes to the attributes provided by your external identity providers.
For example, I marked email as a required attribute in my user pool settings. So, when I added Google as an identity provider, I had to go to Federation->Attribute mapping, click on the tab for Google, check the box in the Capture column next to email, and select Email from the dropdown box in the User pool attribute column.
After taking these steps, the sign in work-flow worked for me.
My guess is the auth flow works just fine between Cognito and your identity provider, but Cognito doesn't know how to map the attributes returned from the identity provider to the attributes you have set in your user pool (in General settings->Attributes under the Which standard attributes are required section).
I am just following what is on the guide
I've already populated the user's profile information but so far I only get sub. I want to get something same like in the guide:
{
"sub":"admin",
"email":"admin#wso2.com",
"website":"https://wso2.com",
"name":"admin",
"family_name":"admin",
"preferred_username":"admin",
"given_name":"admin",
"profile":"https://wso2.com",
"country":"Sri Lanka"
}
CONFIG
Identity Server - AWS Cloud with Domain and SSL + Nginx Proxy
Sample Web App - local machine
UPDATE:
It is an open bug. What
is the workaround to get the other fields? Based on that jira, only
the password grant is not fix, where to get the fix for code and
impilict grant?
I tried hosting the IS also locally, same results
To retrieve OIDC claim attributes to id_token or userinfo endpoint, the following steps needs to be done correctly(assuming you are working on IS 5.2.0).
1. Update relevant claims' Mapped Attribute with your underlying user store's matching attributes.
2. Update requested claims to Service provider [1].
3. Update missing attributes in '/_system/config/oidc' for scope 'openid' (Configuration changes in IS 5.2.0 [2]).
I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that are creating a cluster (using the WKA membership scheme and Load Balancer(AWS ELB) with sticky session enabled). I am using MySQL(not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines). I am also using the so called WSO2 IS Admin services.
As mentioned in the heading I am consuming the UserProfileMgtService
(https://url:port/services/UserProfileMgtService?wsdl).
In combination with it I am using OAuth2TokenValidationService
(https://url:port/services/OAuth2TokenValidationService?wsdl).
If I pass valid access token to the OAuth2TokenValidationService I am able to fill in with data OAuth2TokenValidationResponseDTO object by using the Validate method of the OAuth2TokenValidationService. As result I am able to extract the authorizedUser and pass it to the getUserProfile method of the UserProfileMgtService. I am using the standard carbon.super domain and I am using the email as username. For example I am passing the following two parameters to the getUserProfile:
"admin#admin.com#carbon.super" as username
"default" as profileName
And as result I receive the following message:
UserNotFound: User admin#admin.com#carbon.superdoes not exist in: PRIMARY
If I remove the "#carbon.super" from the authorizedUser, everything is fine and I am able to get the user profile information. This is quite important for me since I am using multitenancy of the IS and there is a case that I might have the following users:
admin#admin.com#test.net
admin#admin.com#test2.net
I noticed that this service was not working this way in WSO2 IS 5.0.0. I started experiencing this issue after the upgrade.
Is this a desired behavior and is introduced because of the change in the API in IS 5.2.0? If so is there another way to be able to get the user profile using the "username"+"tenant-domain"(that is retrieved by the OAuth2TokenValidationService as authorized user when passing valid access token).
Is it possible that this is caused because of misconfiguration? If so which is the file that needs to updated and what exactly should be modified in it?
Is there a place where more information could be retrieved for the WSO2 IS 5.2.0 Admin Services?
Thanks in advance.
UserProfileMgtService in Identity Server is an Admin Service. In WSO2 Admin Services, the tenant domain is identified by authenticated user and it should not pass with username.
username should be tenant free username.
So, you can remove carbon.super portion from the username and then it will work.
In tenant setup, you need to authenticate with a tenant user (Ex admin#admin.com#test.net) in order to access these API. So, like in the super tenant, you can use tenant free username and then it will work.
For example, if you want to get user profile of user : testuser#admin.com in tenant domain test.net, your request should be like bellow image.
Thanks
Isura.
When trying to evaluate policies, I get the following error:
Error while retrieving attribute values from PIP attribute finder : Illegal access attempt to cache ] owned by tenant {[client1.mydomain.com],[1]} by tenant {[client2.mydomain.com],[2]
This occurs after successfully creating policies on client1, and then trying to create policies on client2. This seems to ocurr when testing policies on client2 that involve roles.
Any idea what is wrong?
Thanks
What is the version of WSO2IS? Did you deployed Identity Server in a cluster? Then this may be a know issue. Actually, this can not be configuration issue.. This must be an issue with WSO2IS with using caching... However you can avoid caching issue by disabling it.. Please open entitlement.properties file and disable caches..(Specially attribute cache) And restart the server.
I have a situation where I need to setup a standalone version of wso2 Identity Server and have that act as the SSO provider into all of the products in Stratos.
Currently I have Stratos Identity Server configured so that I can login via the standalone Identity Server, using admin.
However, if I use another user I either
get a "Authorization Failure"
or cannot login.
First Question
1) I have the same user created in both Identity Server (that is not admin). Why would I get the "Authorization Failure" ?
Second Question
2) Why is it I can not even get to the "Authorization Failure" problem if I have a user created with username in format of user#domain.com ?
UPDATE:
I figured out that if I remove the property tags in user-mgt.xml that reference the usernames with regular expressions I am able to create usernames in the format of name#domain.com. But I am still unable to use that username to login, the error log says that the account has not been activated.
I also created two instances of wso2 identity server and configured them in such a way to test being able to use one to login to the other. I was able to do this by making sure that the same username and password was in both servers list of users. This way I do not get the "Authorization Failure"
The answers I came up with.
1. I need to have the same username and password in each Identity Server.
2. I cannot have format name#domain.com unless I have Multi-tenancy configured. Otherwise wso2 will try to find the ACTIVATE field in the Tenant table and not find it.
UPDATE: I got this installed and configured and it turned out that I now get another error about
Issuer details are not valid. Issuer details should be registered in advance
So my answer turned out not to to be valid.
I wonder why I get this new login failure?
UPDATE RESOLVED!!:
I resolved this problem by downloading just the wso2 stratos IS 1.5.2 package. I installed it. Configured with same configuration I was using before. Now I can login without problems across domains.