WSO2 Publisher/Store not working after installing EMM - wso2

After I installed WSO2 EMM (Enterprise Mobility Manager), I could add a device to device management. But I couldn't open the Publisher/Store; every page jumps to https://localhost:9443/publisher/acs or https://localhost:9443/samlsso. Should I install the WSO2 Identity Server or configure SSO for it?

You don't need to install any identity components or configure SSO explicitly. They are already there in vanilla EMM. When you go to https://localhost:9443/publisher, it should be redirected to the login page:
https://localhost:9443/authenticationendpoint/login.do
Then when you enter credentials it should redirect you to the URLs below.
1) https://localhost:9443/publisher/acs
2) https://localhost:9443/publisher
If this doesn't work for you, there should be exceptions in the log file. Please check that.

There was a missing part in the EMM documentation in the SSO configuration section [1]. I hope you are trying out this VM. Please follow the steps given here in order to get the Publisher and Store working properly.
The reason you encountered this is that the app-manager.xml file in the /repository/conf directory was not properly configured.
    <SSOConfiguration>
        <!-- URL of the IDP used for SSO -->
        <IdentityProviderUrl>https://<EMM_HOST>:<EMM_HTTPS_PORT>/samlsso</IdentityProviderUrl>
        <Configurators>
            <Configurator>
                <name>wso2is</name>
                <version>5.0.0</version>
                <providerClass>org.wso2.carbon.appmgt.impl.idp.sso.configurator.IS500SAMLSSOConfigurator</providerClass>
                <parameters>
                    <providerURL>https://<EMM_HOST>:<EMM_HTTPS_PORT></providerURL>
                    <username>admin</username>
                    <password>admin</password>
                </parameters>
            </Configurator>
        </Configurators>
    </SSOConfiguration>
[1] https://docs.wso2.com/display/EMM201/General+Server+Configurations
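A small lint for that SSOConfiguration block, added here as an example (it is not WSO2 tooling and not part of the EMM documentation). It catches the things that produce the redirect behaviour in the question: documentation placeholders such as <EMM_HOST> left in place (which make the file unparseable), an IdentityProviderUrl that is not https or still points at localhost, a providerURL whose host differs from the IdP host, and the default admin/admin configurator credentials. The sample snippets are constructed inline; 10.0.0.5 is an assumed server address.

```python
"""Lint the <SSOConfiguration> section of app-manager.xml.

Added example, not part of the EMM distribution or its documentation.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Documentation placeholders look like <EMM_HOST>; the real element names in
# this file are mixed case, so an all-caps name between angle brackets is a
# leftover from the template rather than an element.
PLACEHOLDER = re.compile(r"<([A-Z][A-Z0-9_]*)>")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def check_sso_config(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the block looks sane."""
    findings = []
    unresolved = sorted(set(PLACEHOLDER.findall(xml_text)))
    if unresolved:
        # Unresolved placeholders are not valid XML, so the server cannot load
        # the file at all; nothing else can be checked until they are replaced.
        return ["unresolved placeholders: " + ", ".join(unresolved)]

    root = ET.fromstring(xml_text)
    sso = root if root.tag == "SSOConfiguration" else root.find(".//SSOConfiguration")
    if sso is None:
        return ["no <SSOConfiguration> element found"]

    idp_url = (sso.findtext("IdentityProviderUrl") or "").strip()
    idp = urlsplit(idp_url)
    if idp.scheme != "https":
        findings.append(f"IdentityProviderUrl is not https: {idp_url!r}")
    if idp.hostname in LOOPBACK:
        # The browser is redirected to this URL, so a loopback host only works
        # when the browser runs on the server itself.
        findings.append(f"IdentityProviderUrl points at loopback host {idp.hostname!r}")
    if not idp.path.endswith("/samlsso"):
        findings.append(f"IdentityProviderUrl does not end in /samlsso: {idp_url!r}")

    for conf in sso.iterfind("Configurators/Configurator"):
        params = conf.find("parameters")
        if params is None:
            findings.append("Configurator without <parameters>")
            continue
        provider = urlsplit((params.findtext("providerURL") or "").strip())
        if provider.hostname != idp.hostname:
            findings.append(
                f"providerURL host {provider.hostname!r} differs from "
                f"IdentityProviderUrl host {idp.hostname!r}"
            )
        if (params.findtext("username"), params.findtext("password")) == ("admin", "admin"):
            # The configurator uses these credentials to register the service
            # provider on the IdP; shipping defaults should not stay in place.
            findings.append("Configurator still uses the default admin/admin credentials")
    return findings


# Constructed samples: the documented template copied as-is, the same block
# filled in for an assumed server at 10.0.0.5, and a copy with the password changed.
TEMPLATE = """<SSOConfiguration>
  <IdentityProviderUrl>https://<EMM_HOST>:<EMM_HTTPS_PORT>/samlsso</IdentityProviderUrl>
  <Configurators>
    <Configurator>
      <name>wso2is</name>
      <version>5.0.0</version>
      <providerClass>org.wso2.carbon.appmgt.impl.idp.sso.configurator.IS500SAMLSSOConfigurator</providerClass>
      <parameters>
        <providerURL>https://<EMM_HOST>:<EMM_HTTPS_PORT></providerURL>
        <username>admin</username>
        <password>admin</password>
      </parameters>
    </Configurator>
  </Configurators>
</SSOConfiguration>"""
FILLED_IN = TEMPLATE.replace("<EMM_HOST>", "10.0.0.5").replace("<EMM_HTTPS_PORT>", "9443")
HARDENED = FILLED_IN.replace("<password>admin</password>", "<password>changed-example-secret</password>")

if __name__ == "__main__":
    for label, sample in (("template", TEMPLATE), ("filled in", FILLED_IN), ("hardened", HARDENED)):
        print(label, check_sso_config(sample) or "OK")
```

Run it against the real file by reading repository/conf/app-manager.xml into check_sso_config; the placeholder check is done on the raw text on purpose, because an unparseable file is the first thing that goes wrong after copying the documented snippet.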

Related

WSO2 EI: WSDL Not opening in the management console

WSDL 1.1 and WSDL 2.0 are not opening in the management console. When I open the WSDL in the management console it shows a "This site can't be reached" error. I don't know why this is happening, so please help me sort this out.
Note: no errors are thrown in either the carbon or the wire logs.
Thanks!
You have a misconfiguration problem, I think, because you have WSO2 in AWS and this ip-10-50-11-169... is not a hostname or your IP address.
Can you check /etc/hosts on the server? Maybe you must change the FQDN in your AWS account,
or you can check the WSO2 hostname/IP address configuration in axis2.xml: <parameter name="WSDLEPRPrefix"..
You need to add the following property to your axis2.xml so that the correct FQDN/hostname is picked up when generating WSDL URLs. Add the hostname you are using to access the services here, or, if you are using the same hostname as for the management console, add that hostname with the correct service port (8280 or 8343).
    <parameter name="WSDLEPRPrefix" locked="false">http://ei.wso2.com:80</parameter>
Refer to the instructions here.
Also, make sure the FQDN is resolvable and your security groups allow access to the relevant ports.

How to perform following changes in tomcat configuration in WSO2IS 5.9.0?

I am trying to make a /oauth2/token API call from a React.js frontend and I am getting a CORS error.
My friend asked the same question and got an answer for it as well.
Please open the link for the solution:
WSO2 IS returns CORS error when wrong credentials sent
But when I try to do the same in WSO2 IS 5.9.0, the configuration gets overwritten with the default config.
How do I do this in 5.9.0 using the deployment.toml file?
As I mentioned in that earlier answer, you need to add the given Tomcat filter to the web.xml.j2 file in the path repository/resources/conf/templates/repository/conf/tomcat. The .j2 files will not be replaced by the deployment.toml at server startup.

WSO2 Identity Server - Log Error: Server is Not Picking up the Client Certificate

When testing WSO2 Identity Server release 5.1 using the Travelocity tool, I see a number of error messages recorded in the log file, saying:
"Server is not picking up the client certificate. Mutual SSL authentication is not done"
The message repeats every 3 minutes.
Where is the missing certificate stored that needs to be updated to connect Travelocity to the WSO2 IdP without writing error logs? In the travelocity.jks store on the client side, I currently see an alias entry for localhost and another entry for the IdP.
I've raised the debug level in log4j.properties to the values:
    log4j.logger.org.wso2.carbon.user=DEBUG
    log4j.logger.org.wso2.carbon.identity=DEBUG
    log4j.logger.org.wso2.carbon.idp.mgt=DEBUG
This is actually not an error log; it is a debug log. If you remove the following debug level entry from the log4j.properties file you will not see this.
    log4j.logger.org.wso2.carbon.identity=DEBUG
MutualSSLAuthenticator is a Carbon authenticator which is shipped by default with WSO2 IS 5.1.0. This authenticator is enabled by default from the authenticators.xml file located in the IS_HOME/repository/conf/security/ directory. It is actually not invoked by the SAML authentication flow or the OpenID flow which you might be trying with the Travelocity sample application, but the log gets printed as the framework checks whether the authenticator is capable of handling the authentication.
This authenticator is used with the OOTB supported Workflow Management feature [1], for server-to-server authentication.
You can also disable this authenticator by commenting out the configuration below in the authenticators.xml file, and authentication with the Travelocity sample application will still work successfully.
    <Authenticator name="MutualSSLAuthenticator">
        <Priority>5</Priority>
        <Config>
            <Parameter name="UsernameHeader">UserName</Parameter>
            <Parameter name="WhiteListEnabled">false</Parameter>
            <Parameter name="WhiteList"></Parameter>
        </Config>
    </Authenticator>
[1] https://docs.wso2.com/display/IS510/Workflow+Management

WSO2 Mobile Device Manager redirection to localhost

Here is a brief explanation of my problem:
I am using WSO2 Mobile Device Manager on local-ip:9443/
When I try to go to the store and authenticate (local-ip:9443/store/) I am automatically redirected to localhost:9443/authenticationendpoint/login.do
Where can I configure the redirection address?
FYI: I was using V1 of WSO2 EMM and I did the same thing by modifying the files below, but now I am on V2:
/modules/distribution/src/repository/conf/axis2/axis2.xml
/modules/distribution/src/repository/conf/api-manager.xml
/modules/distribution/src/repository/conf/carbon.xml
/modules/distribution/src/repository/conf/axis2/axis2.xml
/modules/distribution/src/repository/conf/sso-idp-config.xml
I found a solution!
To resolve this automatic redirection problem I had to make the modifications below:
\modules\distribution\target\wso2mdm-2.0.0\repository\conf\carbon.xml
    ...
    <HostName>your_server_ip</HostName>
    ...
    <MgtHostName>your_server_ip</MgtHostName>
    ...
\modules\distribution\target\wso2mdm-2.0.0\repository\conf\app-manager.xml
    <SSOConfiguration>
        <!-- URL of the IDP used for SSO -->
        <IdentityProviderUrl>https://your_server_ip:9443/samlsso</IdentityProviderUrl>
        <Configurators>
            <Configurator>
                <name>wso2is</name>
                <version>5.0.0</version>
                <providerClass>org.wso2.carbon.appmgt.impl.idp.sso.configurator.IS500SAMLSSOConfigurator</providerClass>
                <parameters>
                    <providerURL>https://your_server_ip:9443</providerURL>
                    <username>admin</username>
                    <password>admin</password>
                </parameters>
            </Configurator>
        </Configurators>
    </SSOConfiguration>
\modules\distribution\target\wso2mdm-2.0.0\repository\conf\api-manager.xml
Wherever you find ${carbon.local.ip}, change it to your_server_ip.
\modules\distribution\target\wso2mdm-2.0.0\repository\conf\identity\sso-idp-config.xml
Change every localhost to your_server_ip.
\modules\distribution\target\wso2mdm-2.0.0\repository\conf\identity\identity.xml
    <ThriftHostName>your_server_ip</ThriftHostName>
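The edits in that answer are all host substitutions across a handful of files, so they are easy to apply and, more importantly, to verify. The script below is an added example (not tooling from the WSO2 EMM/MDM project): it applies the listed changes to a constructed stand-in for the repository/conf tree (minimal files with only the elements the answer touches; the real files are much larger), then walks the tree to confirm that no localhost or ${carbon.local.ip} reference is left, which is exactly what causes the redirect to localhost. The server address 10.0.0.5 is assumed.

```python
"""Apply and verify the host rewrites from the answer above.

Added example, not part of the WSO2 EMM/MDM distribution. File contents below
are constructed stand-ins that contain only the elements the answer edits.
"""
import os
import re
import tempfile

SAMPLE_FILES = {
    "carbon.xml": "<Server>\n  <HostName>localhost</HostName>\n  <MgtHostName>localhost</MgtHostName>\n</Server>\n",
    "app-manager.xml": "<AppManager>\n  <SSOConfiguration>\n    <IdentityProviderUrl>https://localhost:9443/samlsso</IdentityProviderUrl>\n  </SSOConfiguration>\n</AppManager>\n",
    "api-manager.xml": "<APIManager>\n  <ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}/services/</ServerURL>\n</APIManager>\n",
    "identity/sso-idp-config.xml": "<SSOIdentityProviderConfig>\n  <AssertionConsumerServiceURL>https://localhost:9443/store/acs</AssertionConsumerServiceURL>\n</SSOIdentityProviderConfig>\n",
    "identity/identity.xml": "<Server>\n  <ThriftHostName>localhost</ThriftHostName>\n</Server>\n",
}


def set_element(text, tag, value):
    """Replace the text of every <tag>...</tag>, leaving comments and layout alone.

    Plain text substitution is used instead of an XML parser so that the
    comments and formatting in the real configuration files survive.
    """
    return re.sub(rf"<{tag}>[^<]*</{tag}>", f"<{tag}>{value}</{tag}>", text)


def rewrite_hosts(conf_dir, server_ip):
    """Apply the answer's edits under conf_dir; return the files that changed."""
    edits = {
        "carbon.xml": lambda t: set_element(set_element(t, "HostName", server_ip), "MgtHostName", server_ip),
        "api-manager.xml": lambda t: t.replace("${carbon.local.ip}", server_ip),
        "app-manager.xml": lambda t: t.replace("localhost", server_ip),
        "identity/sso-idp-config.xml": lambda t: t.replace("localhost", server_ip),
        "identity/identity.xml": lambda t: set_element(t, "ThriftHostName", server_ip),
    }
    changed = []
    for rel, edit in edits.items():
        path = os.path.join(conf_dir, rel)
        with open(path, encoding="utf-8") as f:
            before = f.read()
        after = edit(before)
        if after != before:
            with open(path, "w", encoding="utf-8") as f:
                f.write(after)
            changed.append(rel)
    return changed


def leftover_loopback_refs(conf_dir):
    """Return (relative path, line number) for lines still naming localhost or the local-ip variable."""
    hits = []
    for dirpath, _, names in os.walk(conf_dir):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as f:
                for n, line in enumerate(f, 1):
                    if "localhost" in line or "${carbon.local.ip}" in line:
                        hits.append((os.path.relpath(path, conf_dir).replace(os.sep, "/"), n))
    return sorted(hits)


def demo(server_ip="10.0.0.5"):
    """Build the constructed conf tree in a temp dir, rewrite it, and report."""
    with tempfile.TemporaryDirectory() as conf_dir:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(conf_dir, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(content)
        before = leftover_loopback_refs(conf_dir)
        changed = rewrite_hosts(conf_dir, server_ip)
        after = leftover_loopback_refs(conf_dir)
        with open(os.path.join(conf_dir, "carbon.xml"), encoding="utf-8") as f:
            carbon = f.read()
    return {"refs_before": len(before), "changed": sorted(changed), "refs_after": after, "carbon": carbon}


if __name__ == "__main__":
    result = demo()
    print(f"{result['refs_before']} loopback references before, {len(result['refs_after'])} after")
    print("changed:", ", ".join(result["changed"]))
```

Point rewrite_hosts and leftover_loopback_refs at the real repository/conf directory to use it on a server. Whatever value you put in HostName becomes the host the browser is redirected to, so the certificate in wso2carbon.jks must be issued for that name or address or every browser will warn on the login page; an FQDN is the better choice than a bare IP for that reason.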

How to download or know the URL of WSO2 Identity Server's SAML metadata?

What would be the URL of the newly set up SAML SSO's metadata, or how could I download it in XML format from WSO2 Identity Server (version 4.6.0) acting as IdP?
Thanks,
Tamas
WSO2 Identity Server now hosts the IDPSSODescriptor metadata file at this URL:
https://localhost:9443/identity/metadata/saml2
This feature is available from Identity Server version 5.3 onward.
AFAIK there is no option to auto-generate metadata files for IS. You have to write the metadata file manually. An example follows, taken from this blog post.
    <md:EntityDescriptor entityID="https://localhost:9443/samlsso" validUntil="2023-09-23T06:57:15.396Z" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:KeyDescriptor use="signing">
                <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE...=</ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso" ResponseLocation="https://localhost:9443/samlsso"/>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/samlsso"/>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/>
        </md:IDPSSODescriptor>
    </md:EntityDescriptor>
Yes. Identity Server does not support generating IdP information as a metadata file. You may need to create it manually, but I guess it will be available in a future release; there is an open public JIRA for this. You can find a generated SAML2 metadata file here. However, you may need to adjust it according to your configuration. If you have changed your keystore, you need to change the X509 certificate data, and also the URLs of the samlsso endpoint. By default the SAML SSO endpoint is located at https://localhost:9443/samlsso. In your service provider config, you need to configure this URL as the IdP URL (both login and logout). You must provide the wso2carbon certificate to the service provider for validating the signature.
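Since both answers say the IdP metadata for IS 4.6.0 has to be written by hand, here is an added example (not a feature of Identity Server and not taken from the blog post) that builds the IDPSSODescriptor document programmatically with the element names and attribute casing the SAML 2.0 metadata schema requires (SAML XML is case-sensitive, so lowercase tags such as <md:idpssodescriptor> are not valid metadata), and then reads it back the way a service provider would to obtain the entity ID, the signing certificate and the endpoint per binding. The certificate string is a constructed placeholder; on a real server the wso2carbon certificate mentioned above is exported with keytool -exportcert -rfc -alias wso2carbon -keystore wso2carbon.jks, and the entity ID and URLs are whatever your IdP is configured with.

```python
"""Build and read back SAML 2.0 IdP metadata for a WSO2 IS samlsso endpoint.

Added example, not Identity Server functionality. The certificate below is a
constructed placeholder, not a real X.509 certificate.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed placeholder; replace with the base64 body of the wso2carbon certificate.
SAMPLE_CERT = "MIICPLACEHOLDERcertificateBodyConstructedForThisExample="


def build_idp_metadata(entity_id, sso_url, cert_b64, valid_until, slo_url=None):
    """Return IdP metadata XML as a string; the logout URL defaults to the SSO URL."""
    slo_url = slo_url or sso_url
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id, "validUntil": valid_until})
    idp = ET.SubElement(root, f"{{{MD}}}IDPSSODescriptor",
                        {"protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    # The signing certificate lets the SP validate Response/Assertion signatures.
    kd = ET.SubElement(idp, f"{{{MD}}}KeyDescriptor", {"use": "signing"})
    ki = ET.SubElement(kd, f"{{{DS}}}KeyInfo")
    x509 = ET.SubElement(ki, f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    # Schema order inside IDPSSODescriptor: KeyDescriptor, SingleLogoutService,
    # then SingleSignOnService. Endpoint elements are empty and self-closed.
    ET.SubElement(idp, f"{{{MD}}}SingleLogoutService",
                  {"Binding": REDIRECT, "Location": slo_url, "ResponseLocation": slo_url})
    for binding in (POST, REDIRECT):
        ET.SubElement(idp, f"{{{MD}}}SingleSignOnService", {"Binding": binding, "Location": sso_url})
    return ET.tostring(root, encoding="unicode")


def read_idp_metadata(xml_text):
    """Extract what an SP needs: entity ID, signing certificate and endpoints per binding."""
    ns = {"md": MD, "ds": DS}
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML metadata EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", ns)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    cert = idp.findtext("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                        namespaces=ns)
    return {
        "entity_id": root.attrib["entityID"],
        "valid_until": root.attrib.get("validUntil"),
        # Strip any line wrapping in the PEM body before handing it to the SP.
        "signing_cert": "".join((cert or "").split()),
        "sso": {e.attrib["Binding"]: e.attrib["Location"] for e in idp.findall("md:SingleSignOnService", ns)},
        "slo": {e.attrib["Binding"]: e.attrib["Location"] for e in idp.findall("md:SingleLogoutService", ns)},
    }


if __name__ == "__main__":
    xml = build_idp_metadata("https://localhost:9443/samlsso", "https://localhost:9443/samlsso",
                             SAMPLE_CERT, "2023-09-23T06:57:15.396Z")
    print(xml)
    print(read_idp_metadata(xml))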