WSO2 - Reset password reports an AuthenticationException in the logs - wso2

We are using the ResetPassword API from UserInformationRecoveryService WSDL (https://localhost:9443/services/UserInformationRecoveryService), to request a password reset without captcha for the user 'dummy' with the following body, providing the admin/admin user.
<x:Envelope xmlns:x="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.mgt.identity.carbon.wso2.org" xmlns:xsd="http://beans.mgt.captcha.carbon.wso2.org/xsd">
    <x:Header/>
    <x:Body>
        <ser:verifyUser>
            <ser:username>dummy</ser:username>
        </ser:verifyUser>
    </x:Body>
</x:Envelope>
The request returns a 200 status code with the token but when checking the console, it reports the following error:
Invalid remote address detected.
org.wso2.carbon.core.common.AuthenticationException: Authentication Failed : Invalid remote address passed - 0:0:0:0:0:0:0:1
Am I missing any configuration? The WSDL doesn't show any remote address field to send like the login API, so it should be something else.
Or is this log error expected?
UPDATE:
Here are the requested DEBUG logs of multiple wso2 components: http://hastebin.com/ubasixagev.coffee
log4j.logger.org.wso2.carbon.user.core=DEBUG
log4j.logger.org.wso2.carbon.identity=DEBUG
log4j.logger.org.wso2.carbon.identity.sso.saml=DEBUG
log4j.logger.org.wso2.carbon.identity.application=DEBUG
log4j.logger.org.wso2.carbon.identity.application.authentication.framework=DEBUG
log4j.logger.org.wso2.carbon.core=DEBUG
log4j.logger.org.wso2.carbon.identity.core=DEBUG

Related

Username Recovery throwing Callback URL validation failed

Wso2 identity server version : 5.11.0
After changing the admin password, I am getting the below error during username recovery.
Error!
Callback URL validation failed. org.wso2.carbon.identity.mgt.endpoint.util.client.IdentityRecoveryException: Error while instantiating IdentityProviderMgtServiceStub
Error logged in Wso2 identity server wso2carbon.log:
[2021-09-06 03:29:02,012] [efd866e3-0236-46d7-bcc1-be378dfbcac8] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Login failed. Unauthorized login attempt 'admin[-1234]' at [2021-09-06 03:29:02,012+0000]
[2021-09-06 03:29:02,012] [efd866e3-0236-46d7-bcc1-be378dfbcac8] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} - Illegal access attempt at [2021-09-06 03:29:02,0012] from IP address 127.0.0.1 while trying to authenticate access to service IdentityProviderMgtService
Can someone please advise.
I changed admin password from WSO2 console, and login is working fine with updated password.
However during username recovery, it throws illegal access attempt in logs.
What am I missing here?
I already updated the new password in cipher-text.properties and user-mgt.xml file too.
You can override the configuration in the RecoveryEndpointConfig.properties file, which is located in
<IS_HOME>/repository/deployment/server/webapps/accountrecoveryendpoint/WEB-INF/classes
Change the
identity.server.service.access.password=admin
to the one that you updated in the admin console.

Show exact error messages in wso2 Authentication Endpoint

We are using the wso2 authentication endpoint. When a user account is locked, or if the user doesn't exist, or on any other error in the endpoint, we are just getting "username password invalid", while in the wso2 logs I am getting the exact end point. I tried
<Parameter name="showAuthFailureReason">true</Parameter>
but it still throws the default error message. Is there any configuration to handle this?
When you set showAuthFailureReason to true, it sends the exact error code as a query param to the authentication endpoint webApp. You have to customize the webApp to show custom error messages based on the error codes [1].
Thanks
Isura
[1] https://docs.wso2.com/display/IS500/Customizing+Error+Messages

WSO2is configuring Identity Provider for SSOCircle

I've been trying to configure WSO2is to accept a SAML auth request from Spring Security and pass it along to an external IDP for authentication. I've configured the SP and IDP on WSO2 correctly enough to have my request be redirected to SSOCircle, but when Circle sends the SAML response back to WSO2 it gives a "Not a valid SAML 2.0 Request Message!" error page. This makes sense, as it's not a request being sent to the server.
I think my problem revolves around the AssertionConsumerService in the metadata I've uploaded to Circle, "https://MyLocalHost:8080/samlsso", which is the URL for the Resident Identity Provider. I've been hunting around for a different endpoint to use, but have not found anything.
The closest I've been able to get was following the example here https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0 but this appears to be used for just logging into the WSO2 server itself.
EDIT after changing the endpoint to commonauth
Here are the logs after the request lands on the server.
DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - SAMLSSOAuthenticator returned: INCOMPLETE {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler}
DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - SAMLSSOAuthenticator is redirecting {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler}
DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Step is not complete yet. Redirecting to outside. {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler}
DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Session data key is null in the request {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}

Sample SSO webapplication does not work in wso2

I have configured the sample travelocity.com webapp to work with SAML2 SSO following the link "configure SSO web app".
But when I try to log in using an account I get the following error message in the browser.
Here is what I get in the logs:
TID: [0] [IS] [2015-03-10 21:06:26,835] WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - Signature validation for Authentication Request failed. {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor}
After I tried again without restarting the server I got this error:
TID: [0] [IS] [2015-03-10 20:30:51,261] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
I am not sure what is wrong. I have also installed the latest service pack. I am using wso2is-5.0.0.
Please help.
This same web application is working fine with WSO2IS. I have already tried it out. Details can be found here as well.
According to the error, it says "Signature validation for Authentication Request failed". It means that the SAML2 Auth request sent by the web application has been signed and WSO2IS tries to validate its signature. WSO2IS does not validate the signature by default; you have probably ticked the following configuration in the SAML2 SSO configuration.
Enable Signature Validation in Authentication Requests and Logout Requests
Please verify it, un-tick it and see.
If you really want to validate the signature of SAML2 Auth requests, you need to tick it. Then you must choose the proper Certificate Alias value from the combo box. Please note the proper value is NOT wso2carbon.cert. The proper value is wso2carbon. Then it would work for you.
The second error may be related to the browser cache; just clear the browser cache and try again (or open a new browser).
Most probably this is a mismatch in the keystores.
Just copy
$WSO2IS/repository/resources/security/keystore.jks
To
$TOMCAT/saml2-web-app-pickup-dispatch.com/WEB-INF/classes
This way, both keystores are the same. Restart Tomcat and it should work fine.

WSO2 Identity Server "Illegal Access attempt" (but only from different hosts)

I have two instances of WSO2 on two different machines, with the same policy published to both instances. Both WSO2 instances have admin/admin.
I use SOAPUI (running on 192.168.0.9) to try to test against the EntitlementService webservice and:
If I use SOAPUI to test against the EntitlementService webservice on the same machine that SOAPUI is running on (192.168.0.9), using either localhost or IP address, I get a XACML response with a Permit. However,
If I use SOAPUI to test against the EntitlementService webservice on the other machine (192.168.0.210), I get a XACML response with a Deny, and an "Illegal access attempt" error in the 192.168.0.210 WSO2 log:
Illegal access attempt at [2014-05-12 15:26:47,0563] from IP address 192.168.0.9 while trying to authenticate access to service EntitlementService
In both cases above, I have BASIC authentication and the 'admin' username and password setup in SOAPUI.
If I run Tryit on the 192.168.0.210 WSO2 admin to test against the 192.168.0.210 WSO2, I get a Permit, i.e., this shows that the policy on the 192.168.0.210 should return a Permit.
Finally, I'm pretty sure that this is something with WSO2, and not with SOAPUI, as I also tested from the 192.168.0.9 machine using Firefox and a plugin called RESTclient, to test doing the POST of the XACML request in the content body.
Is there something in WSO2 Identity Server that would cause it to return a Deny if the requests are coming from a different machine?
Thanks,
Jim
P.S. I'm seeing the following in the WSO2 wso2carbon.log file:
TID: [0] [IS] [2014-05-12 15:59:40,798] ERROR {org.wso2.carbon.core.services.authentication.AbstractAuthenticator} - Invalid remote address detected. {org.wso2.carbon.core.services.authentication.AbstractAuthenticator}
org.wso2.carbon.core.common.AuthenticationException: Authentication Failed : Invalid remote address passed - 0:0:0:0:0:0:0:1
at org.wso2.carbon.core.services.authentication.AuthenticationUtil.validateRemoteAddress(AuthenticationUtil.java:178)
at org.wso2.carbon.core.services.authentication.AuthenticationUtil.getRemoteAddress(AuthenticationUtil.java:156)
at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.getRemoteAddress(AbstractAuthenticator.java:304)
at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:136)
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.isAuthenticated(AuthenticationHandler.java:171)
{org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
Is there some way to turn off the remote address validation?
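Several of the threads above quote the same family of Carbon authentication warnings (Invalid remote address passed, Illegal access attempt, Unauthorized login attempt). The following parser is an added example, not code from any of the posts or from WSO2; it extracts the event type, source address and target service from such wso2carbon.log lines and flags whether the rejected address is a loopback address (127.0.0.1 or the IPv6 ::1 form 0:0:0:0:0:0:0:1 seen in the first and last questions) or a genuinely remote host, so repeated rejections per remote source can be counted for alerting. The sample lines are taken from the posts above; the regexes, class and function names are this example's own.

```python
"""Parse WSO2 Carbon authentication failures out of wso2carbon.log lines.

Added example (not from the original posts or from WSO2). It recognises the
three message shapes quoted in the threads and tags the logged address as
loopback or remote, so a local IPv6 (::1) mismatch can be told apart from a
rejection of a real remote host.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# "Illegal access attempt at [ts] from IP address 1.2.3.4 while trying to
#  authenticate access to service SomeService"
ILLEGAL_RE = re.compile(
    r"Illegal access attempt at \[(?P<ts>[^\]]+)\] from IP address\s+"
    r"(?P<ip>\S+) while trying to authenticate access to service (?P<service>\S+)"
)
# "Authentication Failed : Invalid remote address passed - 0:0:0:0:0:0:0:1"
INVALID_ADDR_RE = re.compile(r"Invalid remote address passed - (?P<ip>\S+)")
# "Login failed. Unauthorized login attempt 'admin[-1234]' at [ts]"
LOGIN_FAIL_RE = re.compile(r"Unauthorized login attempt '(?P<user>[^']+)' at \[(?P<ts>[^\]]+)\]")

# Sample input, copied from the log lines quoted in the posts above.
SAMPLE_LOG = [
    "[2021-09-06 03:29:02,012] [efd866e3-0236-46d7-bcc1-be378dfbcac8] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Login failed. Unauthorized login attempt 'admin[-1234]' at [2021-09-06 03:29:02,012+0000]",
    "[2021-09-06 03:29:02,012] [efd866e3-0236-46d7-bcc1-be378dfbcac8] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} - Illegal access attempt at [2021-09-06 03:29:02,0012] from IP address 127.0.0.1 while trying to authenticate access to service IdentityProviderMgtService",
    "TID: [0] [IS] [2014-05-12 15:59:40,798] ERROR {org.wso2.carbon.core.services.authentication.AbstractAuthenticator} - Invalid remote address detected.",
    "org.wso2.carbon.core.common.AuthenticationException: Authentication Failed : Invalid remote address passed - 0:0:0:0:0:0:0:1",
    "Illegal access attempt at [2014-05-12 15:26:47,0563] from IP address 192.168.0.9 while trying to authenticate access to service EntitlementService",
]


@dataclass
class AuthEvent:
    kind: str                  # "illegal_access" | "invalid_remote_address" | "login_failed"
    ip: Optional[str]          # address exactly as logged; None when the line carries none
    service: Optional[str]     # target admin service, when logged
    user: Optional[str]        # attempted user, when logged
    loopback: Optional[bool]   # True for 127.0.0.0/8 or ::1, False for other hosts, None if absent


def classify_ip(ip: str) -> Optional[bool]:
    """Return True if the address is loopback (IPv4 or IPv6), None if unparsable."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return None


def parse_line(line: str) -> Optional[AuthEvent]:
    """Map one log line to an AuthEvent, or None if it is not an auth failure we know."""
    m = ILLEGAL_RE.search(line)
    if m:
        return AuthEvent("illegal_access", m["ip"], m["service"], None, classify_ip(m["ip"]))
    m = INVALID_ADDR_RE.search(line)
    if m:
        return AuthEvent("invalid_remote_address", m["ip"], None, None, classify_ip(m["ip"]))
    m = LOGIN_FAIL_RE.search(line)
    if m:
        return AuthEvent("login_failed", None, None, m["user"], None)
    return None


def parse_log(lines: List[str]) -> List[AuthEvent]:
    """Parse every recognised authentication failure out of the given lines."""
    return [ev for ev in (parse_line(l) for l in lines) if ev is not None]


def remote_rejections(events: List[AuthEvent]) -> Counter:
    """Count 'Illegal access attempt' rejections per non-loopback source address."""
    return Counter(e.ip for e in events if e.kind == "illegal_access" and e.loopback is False)


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev)
    print("remote rejections:", dict(remote_rejections(parse_log(SAMPLE_LOG))))
```

The loopback flag is the useful bit when triaging: a rejection of ::1 or 127.0.0.1 (the first and second threads) points at the server talking to itself with stale or mismatched admin credentials, whereas a rejection of a non-loopback address that keeps recurring (the last thread's 192.168.0.9) is what a detection rule should surface.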