Login to the Identity Server Using Another Identity Server - SAML2 - wso2

I'm currently working with WSO2 suite and I've been trying to do an example from wso2 official documentation server, that you can find here. I already configure everything step by step and when i run travelocity application in my localhost it looks like the example says, i click in the link and it redirects me to Identity Server login. I type in user and password, and then it redirects me to travelocity home page, but then i run into this error: SAML 2.0 based Single Sign-On
Error when processing the authentication request!
I check out the debuging log and it says that authentication succeeded and Identity Server sent the response to travelocity.
I have no idea what could be happening, please help me out.
I shared the log files here. My English is bad and i'm new working with WSO2, please be patient with me.

The logs at WSO2 IS side says Signature validation for Authentication Request failed. The possible reason could be that you have not selected the correct certificate alias at WSO2 IS.
To do that, edit your service provider's SAML configuration and update the Certificate Alias with the correct value. In default case it should have the value wso2carbon. In case you have configured it to something else, select the one you have configured.

Related

WSO2 Identity Server using photo-editor UMA webapp

I am using WSO2 5.9.0
I deployed the photo-edit and photo-view samples as described here and Service providers created successfully. I also setup the three users following the notes.
I start Tomcat Server and I reach photo-edit app. I login with Lily's credentials (admin user) and the next step is to approve username sharing.
I choose approve once and continue and here is my issue. Nothing happen until session expires. I tried to check tomcat logs but i can't find any helpful information.
I had deployed the Playground2 in the past and authentication point works fine. I also try to change callback URL throw WSO2 dashboard (photo-edit service provider) but i get the same callback URL error.
Any thoughts?

How to authenticate with third party system using RestAssured

I'm trying to hit a web service using RestAssured. I'm struggling with authentication which is actually performed by a third party system. Details are given below:
My web service requires session ID & Cookie in the request header. Otherwise the service call will be failed.
For that I need to fetch Session Id & Cookie after the authentication.
Authentication is done by third party service and it takes the windows credentials for authentication.
When I launch my app URL on browser, say: 'XYZ.com/dim' it will be redirected to authentication service using a URL like:
http://hantweb.DOMAIN.com/authenticate/encdefault.asp?location=XYZ.com/dim
After the authentication it will again be redirected to actual application back.
I tried below code but it says: "401 - Unauthorized: Access is denied due to invalid credentials." even though my credentials are correct.
RestAssured.given().auth().basic("userID", "password").get("http://hantweb.DOMAIN.com/authenticate/encdefault.asp?location=XYZ.com/dim")
I'm confused no idea what I've missed here..
I did some trial and error and finally understood that I need to use .auth().ntlm(userId, password,"","") as the authentication. Here I'm using windows credentials as basic or any other auth type won't work in this case.
This answer can help someone in need.

WSO2 Identity Server - Federated Mode with SAML, Domain Name?

Could you please explain why the WSO2 Travelocity test application requests a "Domain Name" input field in the sign-in screen, when the WSO2 is configured to use, beside basic auth, also a federated authentication mode (WS Release 5.1 - Advanced Configuration). What is the reason to request the domain name part, as for external authentication, for example by use of SAML protocol, I expect to see a redirect onto the external IdP login screen. Apparently the Login redirect is rejected due to this missing input field at the Domain Name. Is there a sample configuration and use case available for setup of outgoing IdP federation?
Further Details from Testings
I've updated the IdP configuration following the WSo2 setting which describes the federation effort with help of Shibboleth products (see below). After this change now I see a login screen from the external IdP ("zee") as well as an interchange of messages between the browser and the external IdP. I also see a SAML POST message in the SSO protocol tracer plugin of the Browser, displaying a long list of claim assertion data, which signals that Login was successfully processed, returning the profile data of my account.
At the Travelocity service provider (SP), now I see the following error message at the screen:
"The entity name must immediately follow the '&' in the entity reference."
I've validated the SAML feedback data and its XML format consistency using an online XML validator, which passed successfully for SAML response XSD format. Such type of XML parser errors are often caused by use of special characters, but its not the case at the current assertions and tests.
The issue happens inside the Travelocity which has difficulties to read the SAML assertion data.
Suggestions from the community how to parse the SAML feedback data using the Travelocity tool, are welcome.
Refer https://docs.wso2.com/display/IS510/Configuring+Single+Sign-On for configuring Basic scenario with travelocity app
To configure federated authenticators:
https://docs.wso2.com/display/IS510/Federated+Authentication
For Advanced Configuration with Multiple Authenticators
https://docs.wso2.com/display/IS510/Configuring+Local+and+Outbound+Authentication+for+a+Service+Provider
Refer https://docs.wso2.com/display/IS510/How+To%3A+Configure+Shibboleth+IdP+as+a+Trusted+Identity+Provider as an example use case.
It seems that you have custom authentication since you have domain name filed at the login prompt.

Sample SSO webapplication does not work in wso2

I have configured the sample travelocity.com webapp to work with saml2 SSO following link configure SSO web app
But when i try to login using account i get following error message on browser
Here is what i get in logs:
TID: [0] [IS] [2015-03-10 21:06:26,835] WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - Signature validation for Authentication Request failed. {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor}
After again i tried without restart of server i got this error:
TID: [0] [IS] [2015-03-10 20:30:51,261] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
I am not sure what is wrong. I have also installed latest service pack . I am using wso2is-5.0.0
Please help.
This same web application is working fine with WSO2IS. I have already tried out it..Details can be found from here as well
According to the error, it says Signature validation for Authentication Request failed it means that SAML2 Auth request that is sent by Web application has been signed and WSO2IS tries to validate the signature of it. WSO2IS does not validate the signature by default, you may have probably tick on following configuration in the SAML2 SSO configuration.
Enable Signature Validation in Authentication Requests and Logout Requests
Please verify it and un-tick it and see.
If you want to really validate the signature of SAML2 Auth requests, you need to tick it. Then you must chose the proper Certificate Alias value from the combo box. Please note proper value is NOT the wso2carbon.cert. Proper value is wso2carbon. Then it would work for you.
Second error may be related to browser cache, just clear the browser cache and try out.. (or open new browser)
Most probably this is a mismatch in the keystores.
Just copy
$WSO2IS/repository/resources/security/keystore.jks
To
$TOMCAT/saml2-web-app-pickup-dispatch.com/WEB-INF/classes
This way, both keystores are the same. Restart Tomcat and it should work fine.

Configuring Single Sign-On Across Stratos

I have a situation where I need to setup a standalone version of wso2 Identity Server and have that act as the SSO provider into all of the products in Stratos.
Currently I have Stratos Identity Server configured so that I can login via the standalone Identity Server, using admin.
However, if I use another user I either
get a "Authorization Failure"
or cannot login.
First Question
1) I have the same user created in both Identity Server (that is not admin). Why would I get the "Authorization Failure" ?
Second Question
2) Why is it I can not even get to the "Authorization Failure" problem if I have a user created with username in format of user#domain.com ?
UPDATE:
I figured out that if I remove the property tags in user-mgt.xml that reference the usernames with regular expressions I am able to create usernames in the format of name#domain.com. But I am still unable to use that username to login, the error log says that the account has not been activated.
I also created two instances of wso2 identity server and configured them in such a way to test being able to use one to login to the other. I was able to do this by making sure that the same username and password was in both servers list of users. This way I do not get the "Authorization Failure"
The answers I came up with.
1. I need to have the same username and password in each Identity Server.
2. I cannot have format name#domain.com unless I have Multi-tenancy configured. Otherwise wso2 will try to find the ACTIVATE field in the Tenant table and not find it.
UPDATE: I got this installed and configured and it turned out that I now get another error about
Issuer details are not valid. Issuer details should be registered in advance
So my answer turned out not to to be valid.
I wonder why I get this new login failure?
UPDATE RESOLVED!!:
I resolved this problem by downloading just the wso2 stratos IS 1.5.2 package. I installed it. Configured with same configuration I was using before. Now I can login without problems across domains.