Configuring Microsoft Windows Live claims in WSO2 - wso2

I have followed this link to configure Microsoft Windows Live login:
https://docs.wso2.com/display/IS510/Configuring+Microsoft+Windows+Live
In the WSO2 log, I can see the remote claim that I received from the IdP:
[2016-05-03 15:47:14,027] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - Executing claim handler. isFederatedClaims = true and remote claims = [emails:{"business":null,"personal":null,"preferred":"xyz#gmail.com","account":"xyz#gmail.com"},gender:null,name:,last_name:,id:048ea1532ffb8000,locale:en_US,first_name:,]
I am just wondering how to map the email to the local claim URI http://wso2.org/claims/emailaddress, because the remote claim contains a nested tag (emails:{ business: ..., personal: ... }).
Thanks

Since the remote claim contains a nested tag, you have to extend DefaultClaimHandler and write a claim handler that supports nested tags.
You can configure the new claim handler in
IS_HOME/repository/conf/identity/application-authentication.xml
(in the 'ApplicationAuthentication.Extensions.ClaimHandler' element):
<ClaimHandler>com.wso2.sample.claim.handler.CustomClaimHandler</ClaimHandler>
Thanks
Isura
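One way to write such a handler, as an added example that is not from the answer above or from WSO2: it extends DefaultClaimHandler, flattens the nested "emails" JSON into a plain "email" remote claim and hands the copy to the default mapping, so "email" can then be mapped to http://wso2.org/claims/emailaddress in the IdP's claim configuration. It assumes the IS 5.x handleClaimMappings(StepConfig, AuthenticationContext, Map, boolean) signature and that org.json is on the classpath; the flat claim name "email" and the class name are assumptions.

```java
package com.wso2.sample.claim.handler;

import java.util.HashMap;
import java.util.Map;
import org.json.JSONException;
import org.json.JSONObject;
import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
import org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler;

public class CustomClaimHandler extends DefaultClaimHandler {
    static final String NESTED_EMAILS_CLAIM = "emails";
    static final String FLAT_EMAIL_CLAIM = "email"; // assumed name; map it in the IdP claim config
    // Order of preference when several addresses are present in the nested object.
    static final String[] EMAIL_KEYS = {"preferred", "account", "personal", "business"};

    @Override
    public Map<String, String> handleClaimMappings(StepConfig stepConfig, AuthenticationContext context,
            Map<String, String> remoteClaims, boolean isFederatedClaims) throws FrameworkException {
        Map<String, String> claims = remoteClaims == null ? new HashMap<>() : new HashMap<>(remoteClaims);
        if (isFederatedClaims && claims.containsKey(NESTED_EMAILS_CLAIM)) {
            String email = pickEmail(claims.get(NESTED_EMAILS_CLAIM));
            if (email != null) {
                claims.put(FLAT_EMAIL_CLAIM, email);
            }
        }
        // The framework does the remote-to-local mapping on the flattened copy.
        return super.handleClaimMappings(stepConfig, context, claims, isFederatedClaims);
    }

    // First non-empty address in preference order; null if the value is missing, is not a
    // JSON object, or holds no address. Malformed input is dropped whole, never partially parsed.
    static String pickEmail(String emailsJson) {
        if (emailsJson == null) {
            return null;
        }
        try {
            JSONObject emails = new JSONObject(emailsJson); // throws on anything that is not an object
            for (String key : EMAIL_KEYS) {
                String value = emails.optString(key, "").trim(); // "" when absent or JSON null
                if (!value.isEmpty()) {
                    return value;
                }
            }
            return null;
        } catch (JSONException e) {
            return null;
        }
    }
}
```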

Related

APEX_MAIL.send - cannot receive mails after changing the host

We are using the APEX_MAIL.send procedure to send mails. It was working fine till now. Recently we changed its host address and after that it has stopped sending mails.
My database version is 11.2.0.3 and the APEX version is APEX 4.2.6.
Can you please let me know what could be the reason and how I can resolve it?
Thanks
Oracle database has internal access control lists that limit which network resources can be accessed by PL/SQL packages like APEX_MAIL. It also relies on an initialization parameter to define the default SMTP host. If you changed your mail host, then it is very likely that one or both of these needs to be updated.
See here for details about setting up ACLs in Oracle 11g: https://oracle-base.com/articles/11g/fine-grained-access-to-network-services-11gr1
And see here for details about the SMTP_OUT_SERVER parameter: https://docs.oracle.com/cd/E18283_01/server.112/e17110/initparams239.htm

Configuring WSO2 IS behind a reverse proxy at some context

I am trying to set up WSO2 Identity Server behind a reverse proxy for SSL offloading. For example, let's say WSO2 IS is available at https://<some-ip>:9443/; I am trying to put it behind a reverse proxy with an address such as https://<domain name>/is/. Note the context path /is and SSL port 443. I thought that this would be trivial enough, but sadly I am unable to find any conclusive documentation for achieving it.
My applications are using OIDC to connect to WSO2 IS, and I am using Azure Application Gateway as the reverse proxy. Typically all API calls work well, but neither the UI nor flows involving redirections work, due to the context. I can also fix redirects by URL rewriting at the reverse proxy, but that still doesn't solve the problems. For example, the login page will appear, but the XHR call from it will go to /logincontext instead of /is/logincontext. Where can I set up the proxy context path in WSO2 IS? I already tried setting it in the .toml file (the equivalent of setting it in carbon.xml), but it seems to affect only the Management Portal.
The WSO2 IS documentation talks about setting it up behind nginx, but that documentation does not use any path context. I could find reverse proxy documentation for other WSO2 products such as WSO2 API Manager, but it only involves updating carbon.xml, and that doesn't work for WSO2 IS. I am not a Java person and hence find it difficult to figure out the web app organization of WSO2.
Any help/link to documentation/guide to set it up with a proxy context will be useful.
I know that this answer comes a little bit late, but recently I had a similar issue and here is how I made it work; maybe it could be helpful for someone. I was using WSO2 IS 5.11.0.
Note:
I checked similar questions on Stack Overflow and found a few, but none was enough by itself for my case.
Maybe the solution I came up with is not the best or the most correct, but it is the only one I could make work.
Here's how I did it, assuming the context path is 'is':
Open the Carbon Management Console and go to Identity Providers -> Resident. Then, go to Inbound Authentication Configuration -> OAuth2/OpenID Connect Configuration. Here, change the hostname under Identity Provider Entity ID to https://domain_name:443/is/<remaining path>.
Make sure that the port number is either present or absent both here and in the client application. If there is a mismatch between the two, for some reason, it won't work (or at least it didn't for me).
Open the file deployment.toml and modify it as follows:
under the [server] section, add your proxy context at the end of the base_path url, e.g. base_path = "https://$ref{server.hostname}:${carbon.management.port}/is";
of course, also add proxy_context_path = "is" (actually, this last line should be enough but for some reason in my case it wasn't, so I had to modify the base path too);
under [transport.https.properties] add proxyPort="443".
For the record, I also turned off compression, by adding:
[transport.http.properties]
compression="off"
[transport.https.properties]
...
compression="off"
and set the token issuer URL equal to the entity id set up in Carbon, with:
[oauth]
use_entityid_as_issuer_in_oidc_discovery = true
but found out that these last two steps (turning off compression and setting the entity id as issuer) weren't needed.
Disable the csrf guard by setting org.owasp.csrfguard.Enabled = false
in the file /repository/resources/conf/templates/repository/conf/security/Owasp.CsrfGuard.Carbon.properties.j2.
This step was necessary for me to avoid the 403 Error after logging in on the Carbon Console (turning off compression didn't work).
Lastly, if you use nginx as the reverse proxy (as I did), add these two lines in the location used for WSO2:
proxy_redirect https://domain_name/oauth2/ https://domain_name/is/oauth2/;
proxy_redirect https://domain_name/carbon/ https://domain_name/is/carbon/;
These are needed (or at least were for me) because some URLs are not under the context path. In particular, the last one allows you to open the Carbon Console at https://domain_name/is/carbon/.
References:
wso2 api manger carbon page gives 403 Forbidden
WSO2 Identity Server login returns a 403
WSO2 Identity Server port configuration
To understand the template-based configuration model adopted from version 5.9.0 onwards, see:
https://apim.docs.wso2.com/en/latest/reference/understanding-the-new-configuration-model/
https://mcvidanagama.medium.com/understand-wso2-api-managers-new-configuration-model-6425a2710faa
Here are some useful configuration mappings from the old xml to the new toml based model:
https://github.com/ayshsandu/samples/tree/master/config-mapping

How to Solve " Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)" Error

I have added the AppTransportSecurity key in info.plist, and
added a subkey called AllowsArbitraryLoads as a boolean and set its value to YES, as in the following image.
But it is still showing this error:
{Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"},
NSErrorFailingURLKey=http://dtcws.azurewebsites.net/ShowImg.aspx?params=dtc_376_0_True_False_22,
NSLocalizedDescription=The resource could not be loaded because the
App Transport Security policy requires the use of a secure
connection.})
Can anybody help?
Can you add "Exception Domains" under App Transport Security and specify the domains?
The best solution is to use a secure connection (https instead of http) as Apple will begin to reject apps that do not support this in the future, if they haven't begun already. WWDC 2015 session 703, “Privacy and Your App” is a great session to watch if you haven't already.
The good news is that the website you are requesting natively supports https so all you have to do is add an s to the link.

How to get/debug request message when calling a Web Service

I have an application that calls an HTTPS web service (it seems to have been created with Java, though I'm not sure). I get this error as the response:
"Error on verifying message against security policy Error code:1000"
Now I don't exactly understand the error code and currently cannot find anyone responsible to answer me correctly. I'm not asking about the error itself, of course, because this could be something about certificates, security on the server, etc.
However, I would like to capture the client request call I make and see the whole envelope message, to compare it with a couple of samples I have, so I might catch something.
How can I do this? I remember there is a tool you can use to do such things when debugging a WCF service call; can this tool be used in this situation? Can someone remind me of the name of the tool? :)
I created the client using Add Service Reference in VS 2010 and it created some custom bindings. On these bindings it created a tag with an attribute decompressionEnabled="true", but I deleted it because VS was complaining that the attribute is not allowed!!!
The documentation I have for these services talks about authentication credentials inside the message transport object that is serialized in the request (requestObject), but refers to another couple of password and username properties that I cannot seem to find. I tried to add them in the client.ClientCredentials.UserName.UserName and Password properties, but I get a read-only error there (strangely, not always).
They also mention in the specifications connecting with SOAP Security Extensions (WS-Security), which I don't understand: do I, the client, have to do something from my side, or aren't these supposed to be extracted into the config file when generated?
Any hints and tips are welcome.
Thank you.

Where is documentation for openid1_claimed_id?

OpenID, using delegation, seems to be returning openid1_claimed_id instead of openid.claimed_id
That looks like “an OpenID 1 version of claimed_id” but I can't find it documented anywhere.
Miscellaneous details:
OpenID URL: http://www.zellyn.com/
Delegated to: http://zellyn.myopenid.com/
Using django-socialregistration
# Another query parameter that gets added to the return_to for
# OpenID 1; if the user's session state is lost, use this claimed
# identifier to do discovery when verifying the response.
openid1_return_to_identifier_name = 'openid1_claimed_id'
-- from the python-openid source.