I have tried integrating WSO2 Identity Server with QlikSense using the SAML 2 protocol.
Stack Overflow doesn't allow me to embed images, sorry.
I have set up the WSO2 SP configuration and the QlikSense server SAML2 configuration, but the QlikSense logs display "Exists SAML Attribute statement : 0".
The SAML authentication process fails at the SAML Response to QlikSense.
Also, I just found that the WSO2 SAML Response is missing the "AttributeStatement" tag.
(Screenshot: SAML Response for SP QlikSense, missing the AttributeStatement)
(Screenshot: WSO2 log)
I think the key point is "Invalid AttributeConsumingServiceIndex in AuthnRequest".
Is it possible to edit the AttributeConsumingServiceIndex in the WSO2 configuration?
It seems you are not sending the correct AttributeConsumingServiceIndex value in your SAML request, which should correspond to the WSO2 SP.
You can find the AttributeConsumingServiceIndex from the Issuer list view of your SP.
Click on your SP
Expand Inbound Authentication Configuration -> SAML2 Web SSO Configuration
Here the Issuer list view shows the "Attribute Consuming Service Index" value.
Either you have to include this value in the SAML authentication request's AttributeConsumingServiceIndex attribute or you have to omit this attribute in the SAML request.
You can change the Attribute Consuming Service Index from WSO2 IS and get Qlik working.
Click Browse under Registry in the Main tab of the IS Management Console.
Navigate to _system > config > repository > identity > SAMLSSO
Under this directory, you will find one file for each SAML SSO service provider you have configured in IS. The file name does not resemble the SP name, so you will have to check each file to find which SP it belongs to.
Once you click on the file, it will open in the Detail view (it is in Tree View by default).
In the Detail view, you can check the Properties for that SP by clicking the "+" icon on the right side of the Properties tab. (Use the properties to identify the correct file for Qlik.)
You will see the AttributeConsumingServiceIndex property in the list.
Change this value to 1 and save the property.
Restart the server and try the Qlik login again.
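The two things this thread turns on can be checked directly on captured messages: the AttributeConsumingServiceIndex the SP sends in its AuthnRequest, and whether the IdP's Response contains any AttributeStatement at all. The following is an added diagnostic, not code from the thread or from WSO2/QlikSense; both SAML documents in it are constructed samples.

```python
# Added diagnostic for SAML AuthnRequest / Response messages (not from the thread).
# Both XML documents below are constructed samples, not captures from WSO2 or Qlik.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed AuthnRequest: the SP asks for AttributeConsumingServiceIndex="1".
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2019-01-01T00:00:00Z" AttributeConsumingServiceIndex="1">
  <saml:Issuer>qliksense-sp</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed Response with an Assertion but no AttributeStatement (the failing case).
RESPONSE_NO_ATTRS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2019-01-01T00:00:01Z">
  <saml:Issuer>wso2-idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-01-01T00:00:01Z">
    <saml:Issuer>wso2-idp</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2019-01-01T00:00:01Z"/>
  </saml:Assertion>
</samlp:Response>"""

# Same Response with one attribute added (the working case, using a WSO2 claim URI).
RESPONSE_WITH_ATTRS = RESPONSE_NO_ATTRS.replace(
    "</saml:Assertion>",
    '<saml:AttributeStatement><saml:Attribute Name="http://wso2.org/claims/emailaddress">'
    '<saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion>')

def requested_service_index(authn_request_xml):
    """Return the AttributeConsumingServiceIndex as an int, or None if the SP omitted it."""
    root = ET.fromstring(authn_request_xml)
    value = root.get("AttributeConsumingServiceIndex")
    return int(value) if value is not None else None

def attribute_names(response_xml):
    """Return the attribute Names found in all AttributeStatements of the Response.
    An empty list is exactly the 'Exists SAML Attribute statement : 0' symptom."""
    root = ET.fromstring(response_xml)
    return [a.get("Name")
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)]

if __name__ == "__main__":
    print("SP requested index:", requested_service_index(AUTHN_REQUEST))
    print("attributes (failing):", attribute_names(RESPONSE_NO_ATTRS))
    print("attributes (working):", attribute_names(RESPONSE_WITH_ATTRS))
```

Compare the index returned for a real AuthnRequest with the value shown in the SP's Issuer list view; a mismatch is the "Invalid AttributeConsumingServiceIndex" case and explains an empty attribute list.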
I am running WSO2 Identity Server 5.7.0 and using OpenID Connect. I currently receive an invalid redirect error when I navigate to https://MY_DOMAIN/oidc/logout, when I think I should be redirected to a page under the /authenticationendpoint resource. I noticed in the "Logout Endpoint URL" under Resident Identity Provider > Inbound Authentication Configuration > OAuth2/OpenID Connect Configuration is set to "https://MY_DOMAIN:-1/oidc/logout".
I am assuming the Logout Endpoint URL is configured based on the OIDCLogoutEPUrl config value in identity.xml. In my identity.xml file this value is set to ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oidc/logout.
My first question: Is the Logout Endpoint URL value only copied to the database when WSO2 is first run and the databases are initialized?
Followup question: If the answer to that is no, how can I configure that value without re-seeding the database?
Thanks for your help.
Answering your first question:
The Logout Endpoint URL will not be added to the database during the first run. The value is always read from identity.xml -> OAuth -> OIDCLogoutEPUrl during server start-up. However, it is important to keep the path "oidc/logout" in order to deliver the logout request to "OIDCLogoutServlet" [1].
Once OIDCLogoutServlet receives the logout request, you can customize further redirection by changing OIDCLogoutConsentPage and OIDCLogoutPage.
Reference
[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/internal/OIDCSessionManagementComponent.java#L65
Could you please explain why the WSO2 Travelocity test application requests a "Domain Name" input field in the sign-in screen, when WSO2 is configured to use, besides basic auth, also a federated authentication mode (WS Release 5.1 - Advanced Configuration)? What is the reason to request the domain name part, as for external authentication, for example by use of the SAML protocol, I expect to see a redirect onto the external IdP login screen. Apparently the login redirect is rejected due to this missing input in the Domain Name field. Is there a sample configuration and use case available for setting up outgoing IdP federation?
Further Details from Testing
I've updated the IdP configuration following the WSO2 setting which describes the federation effort with help of Shibboleth products (see below). After this change I now see a login screen from the external IdP ("zee") as well as an interchange of messages between the browser and the external IdP. I also see a SAML POST message in the SSO protocol tracer plugin of the browser, displaying a long list of claim assertion data, which signals that the login was successfully processed, returning the profile data of my account.
At the Travelocity service provider (SP), I now see the following error message on the screen:
"The entity name must immediately follow the '&' in the entity reference."
I've validated the SAML feedback data and its XML format consistency using an online XML validator, which passed successfully for the SAML response XSD format. Such XML parser errors are often caused by the use of special characters, but that is not the case in the current assertions and tests.
The issue happens inside Travelocity, which has difficulties reading the SAML assertion data.
Suggestions from the community on how to parse the SAML feedback data using the Travelocity tool are welcome.
Refer to https://docs.wso2.com/display/IS510/Configuring+Single+Sign-On for configuring the basic scenario with the Travelocity app.
To configure federated authenticators:
https://docs.wso2.com/display/IS510/Federated+Authentication
For advanced configuration with multiple authenticators:
https://docs.wso2.com/display/IS510/Configuring+Local+and+Outbound+Authentication+for+a+Service+Provider
Refer to https://docs.wso2.com/display/IS510/How+To%3A+Configure+Shibboleth+IdP+as+a+Trusted+Identity+Provider as an example use case.
It seems that you have custom authentication, since you have a domain name field at the login prompt.
I'm currently working with the WSO2 suite and I've been trying to do an example from the WSO2 official documentation server, which you can find here. I have already configured everything step by step, and when I run the Travelocity application on my localhost it looks like the example says: I click the link and it redirects me to the Identity Server login. I type in the user and password, and then it redirects me to the Travelocity home page, but then I run into this error: SAML 2.0 based Single Sign-On
Error when processing the authentication request!
I checked the debugging log and it says that authentication succeeded and Identity Server sent the response to Travelocity.
I have no idea what could be happening, please help me out.
I shared the log files here. My English is bad and I'm new to working with WSO2, please be patient with me.
The logs on the WSO2 IS side say Signature validation for Authentication Request failed. The possible reason could be that you have not selected the correct certificate alias at WSO2 IS.
To do that, edit your service provider's SAML configuration and update the Certificate Alias with the correct value. In default case it should have the value wso2carbon. In case you have configured it to something else, select the one you have configured.
I am using the Data Analytics Server (DAS) and Identity Server (IS) from WSO2. I want to log in to DAS, and to other WSO2 products in the future, with single sign-on (SSO) through the Identity Server. I followed these instructions: https://docs.wso2.com/display/IS500/Enabling+SSO+for+WSO2+Servers. When I try to log in to DAS, the system redirects me to the authentication window in IS, but after I enter the user and password correctly, the system sends me back to DAS with this result (see image).
Solution Steps:
Go to WSO2 IS, in the "Service Providers" configuration, and uncheck the "Enable Assertion Encryption" option.
Go to WSO2 IS, in the "Service Provider" configuration, and select the wso2carbon value in "Certificate Alias", not wso2carbon.cert.
In WSO2 DAS 3.0.0, go to the authenticators.xml file and uncomment the line with the IdPCertAlias parameter value "wso2carbon".
Restart the server and try again!
I want to know if it is possible to map attributes between Salesforce and WSO2.
I can create my custom attributes on Salesforce, but I want to map attributes with my WSO2 IdP configuration, i.e. Salesforce configured as an IdP within WSO2.
For example:
If I choose to log in to my web app with my Salesforce account, say the user abc#salesforce.com, the login must be successful only if the same user exists in the WSO2 IdP. Even though the credentials for the abc#salesforce.com user are correct with respect to the Salesforce account, the user must be able to log in only if the same username exists in the WSO2 IdP.
I tried claim mapping but had no luck.
Please suggest.
I believe the claim mapping is the correct way.
You need to define the whole data path:
SP claim -> IdP dialect claim -> user attribute -> local dialect claim -> SP claim
If you use a federated IdP (SF), you may want to set up 'provisioning' of the user, storing their identity and attributes locally (so you can see what attributes are passed and recognized).
Have fun