I installed v5.1.0 of WSO2 Identity Server and executed an OpenID Connect flow. Finally, I wanted user profile information to be retrieved from the server (via the /oauth2/userinfo endpoint).
In contrast to other mailings, I only receive a one-item answer { "sub":"admin" }. By default, there should also be phone_number, email and others. I used the playground2 application to verify and yes, only { "sub":"admin" } is returned.
I used scope=openid for the authz code request as well as schema=openid in the /userinfo query as in the descriptions.
I tried to set various claims in http://wso2.org/oidc/claim to supported, required, etc. but no change.
How do I configure the server to return more details?
Any ideas?
This seems to be a known issue in Identity Server 5.1.0 and it is reported here. You can follow the discussion and try applying the fixes as patches to Identity Server. Otherwise you can try 5.2.0-M1 or a later version in which this issue has been fixed.
I am able to get only:
{"sub":"u003#tenant.com#carbon.super"}
Things done:
Issue: https://wso2.org/jira/browse/IDENTITY-4463
Tried mapping claims & OIDC etc. Nothing seems to be working: ref
Can someone help me out?
Update:
call is made to
https://localhost:9443/oauth2/token?scope=openid
The environment is "multi-tenant"; I am basically trying to get UserInfo for a user who resides within a domain, not a user from admin.
For a valid token, even the claims are not being fetched under service calls: reference OAuth2 validation
After logging in successfully to WSO2 IS, the system returns a cookie (session). I don't know whether we can have an API to check whether a session (cookie) is valid or invalid in WSO2 IS?
As of now (IS 5.1.0), there is no API on the IS side to validate a cookie. But there is a set of session-related configurations you can do on the client side, such as configuring the remember-me period, clean-up tasks and caching, which might be useful to meet your requirement.
If you are using IS 5.0.0 + SP1 refer here for more information.
If you are using IS 5.1.0 refer here.
I'm currently working with the WSO2 suite and I've been trying to do an example from the WSO2 official documentation server, which you can find here. I already configured everything step by step and when I run the travelocity application on my localhost it looks like the example says; I click the link and it redirects me to the Identity Server login. I type in user and password, and then it redirects me to the travelocity home page, but then I run into this error: SAML 2.0 based Single Sign-On
Error when processing the authentication request!
I checked the debugging log and it says that authentication succeeded and Identity Server sent the response to travelocity.
I have no idea what could be happening, please help me out.
I shared the log files here. My English is bad and I'm new to working with WSO2, please be patient with me.
The logs on the WSO2 IS side say "Signature validation for Authentication Request failed". The possible reason could be that you have not selected the correct certificate alias at WSO2 IS.
To do that, edit your service provider's SAML configuration and update the Certificate Alias with the correct value. In the default case it should have the value wso2carbon. In case you have configured it to something else, select the one you have configured.
While trying out the new version of WSO2 Identity Server 5.1.0 I'm having problems returning claims in the SAML response, while this worked in WSO2 IS 5.0.0 SP1. I've mapped the required claims and added them to my SP, and I also configured the SP to always return the user attributes.
I've configured the SP claim mapping:
My SAML configuration:
Any help is greatly appreciated. I'm getting the feeling this might be a bug.
EDIT: In WSO2 5.1.0 it is required to add the Attribute Consuming Service Index to the SAML Request. In WSO2 5.0.0 SP1 it worked even without setting this value in the SAML Request.
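As an added illustration of the point in the EDIT above (not code from the question or from WSO2), the snippet below builds a minimal SAML 2.0 AuthnRequest with and without the AttributeConsumingServiceIndex attribute and shows a check an IdP that behaves like IS 5.1.0 would apply before releasing attributes. The issuer and ACS URL are constructed sample values.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, acs_url, acs_index=None):
    """Return a minimal AuthnRequest; acs_index sets AttributeConsumingServiceIndex."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_constructed-req-1",          # constructed sample ID
        "Version": "2.0",
        "IssueInstant": "2016-01-01T00:00:00Z",
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if acs_index is not None:
        # This attribute is what IS 5.1.0 needs in order to include user claims.
        req.set("AttributeConsumingServiceIndex", str(acs_index))
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def attribute_release_allowed(authn_request_xml):
    """IdP-side check: release attributes only when the request names a consuming service."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    index = root.get("AttributeConsumingServiceIndex")
    return index is not None and index.isdigit()
```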
If I got you correctly, you can authenticate from IS without any errors, but didn't get claims in the SAML response.
I have tried this with Travelocity sample. It is working as expected. I got the user claims in the SAML response. According to the screen shots that you have attached, you have done the configurations correctly.
Please check & verify that you have values for these mapped claims. If there are no values in the user's profile, the claims will not be in the SAML response.
You can check this with SSO Tracer or SAML Tracer.
I'm trying to integrate WSO2 IS with Liferay as service provider, but I haven't been successful so far. Some modifications were made to the code, as per three JIRA issues raised and patches contributed by Benjamin Schmeling on WSO2 oxygen tank:
https://wso2.org/jira/browse/IDENTITY-2856
The SAML settings on WSO2 IS are as follows:
Assertion Consumer URL: liferayserver:8080/c/portal/saml/acs
NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Use fully Qualified username on NameID
Enable Response Signing
Enable Assertion Signing
Enable Single logout
-> ConsumerURL: liferayserver:8080/c/portal/saml/slo_redirect
Enable attribute profile
Yet Liferay returns the following exception:
23:00:50,071 ERROR [http-thread-pool-8080(4)][BaseSamlStrutsAction:45] com.liferay.saml.UnsupportedBindingException
com.liferay.saml.UnsupportedBindingException
    at com.liferay.saml.profile.SingleLogoutProfileImpl.processSingleLogout(SingleLogoutProfileImpl.java:216)
    at com.liferay.saml.profile.SingleLogoutProfileUtil.processSingleLogout(SingleLogoutProfileUtil.java:54)
    at com.liferay.saml.hook.action.SingleLogoutAction.doExecute(SingleLogoutAction.java:39)
    at com.liferay.saml.hook.action.BaseSamlStrutsAction.execute(BaseSamlStrutsAction.java:42)
    at com.liferay.portal.kernel.struts.BaseStrutsAction.execute(BaseStrutsAction.java:39)
I also tried changing the single log-out endpoint to liferayserver:8080/c/portal/saml/slo to no avail. In both cases the session is closed on the Identity Server (WSO2), but not on the service provider (Liferay).
Any ideas of what the issue might be?
It turns out there are two additional modifications that are needed in order to make Single Log-out work. I'll leave these here in case they help someone else until these patches are integrated into their respective products. Special thanks to Benjamin Schmeling.
For SAML-based SLO you should use the /c/portal/saml/slo_redirect endpoint; however, Liferay is not able to handle POST requests (at least in the newest version of the SAML portlet). You have to adapt the Liferay SAML portlet as follows:
In SingleLogoutProfileImpl.processSingleLogout(HttpServletRequest request, HttpServletResponse response) add a new else-if branch:
    // Accept a LogoutRequest sent with the HTTP-POST binding to the slo_redirect path
    else if (requestPath.endsWith("/slo_redirect")
            && method.equalsIgnoreCase(HttpMethods.POST)) {
        samlBinding = getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI);
    }
Furthermore, in SingleLogoutProfileImpl.sendSpLogoutRequest(HttpServletRequest request, HttpServletResponse response), after logoutRequest.setVersion add the SessionIndex required by WSO2 by calling:
    addSessionIndex(logoutRequest, samlSpSession.getSessionIndex());
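To make the two fixes in this answer concrete, here is an added Python example (not code from the answer, Liferay or WSO2) that accepts a SAML LogoutRequest over either the HTTP-Redirect binding (deflated, base64, query parameter) or the HTTP-POST binding (base64 form field) and rejects a request that lacks the SessionIndex. The LogoutRequest XML, issuer, NameID and session index are constructed sample values.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample LogoutRequest (not a capture from WSO2 IS or Liferay).
LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_req1" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">'
    '<saml:Issuer>localhost</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'alice@example.com</saml:NameID>'
    '<samlp:SessionIndex>_sess42</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)


def redirect_binding_url(xml, slo_url):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoded query parameter."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw deflate, no zlib header
    raw = deflater.compress(xml.encode()) + deflater.flush()
    return f"{slo_url}?SAMLRequest={quote(base64.b64encode(raw).decode(), safe='')}"


def post_binding_form(xml):
    """HTTP-POST binding: plain base64 in a form field."""
    return {"SAMLRequest": base64.b64encode(xml.encode()).decode()}


def decode_logout_request(method, url, form=None):
    """Handle both bindings and return (binding, NameID, SessionIndex)."""
    if method == "GET":
        b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
        xml = zlib.decompress(base64.b64decode(b64), -15).decode()
        binding = REDIRECT
    elif method == "POST":
        xml = base64.b64decode(form["SAMLRequest"]).decode()
        binding = POST
    else:
        raise ValueError("unsupported binding")   # what Liferay raised for POST
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    session_index = root.findtext(f"{{{SAMLP}}}SessionIndex")
    if session_index is None:
        raise ValueError("LogoutRequest lacks SessionIndex")   # required by WSO2 IS
    return binding, root.findtext(f"{{{SAML}}}NameID"), session_index
```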