I've been working with WSO2 Identity Server, and I can't get the authorized apps to appear in the dashboard. Everything else seems to be working.
There's a user with login permission
There's a service provider configured with OAuth2.0
Using curl, I get a valid token for that user (password grant) for that service provider
After all this, if I log into the dashboard with that user, the 'Authorized Apps' section is empty, even though the token is still active. Any pointers to what I might be missing here?
Thank you.
I have followed these steps and I could see authorized apps in the dashboard.
Register a Service Provider using IS console.
Add an oauth2 client to the service provider (Inbound Authentication Configuration -> OAuth/OpenID Connect Configuration -> configure )
Just tick the grant type and select the version as 2.
You'll get an OAuth Client Key and an OAuth Client Secret after you click the Update button.
Now, you can get an OAuth2 token using key-secret for a registered user. Use this curl command.
The registered user is user1:user1.
curl -v -X POST --basic -u <clientKey>:<clientSecret> -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=password&username=user1&password=user1&scope=openid" https://localhost:9443/oauth2/token
Then you can get the auth token, and if you log in to the dashboard, you can see the list of authorized apps.
I am trying to set up this authentication (new method without Cognito) but can't get it working.
I created a custom SAML app in AWS Single Sign-On as documented here: https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html
and set up SAML on the Elasticsearch Service domain as documented here: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html
When following the Kibana URL from the Elasticsearch Service console I get redirected properly to AWS SSO but I hit an opendistro error message "SAML authentication error The SAML authentication failed. Please contact your administrator."
Am I missing a step with attribute mapping or something else that is not documented clearly? Has anyone else gotten this to work and what are your configuration settings?
You can "Shift+Click" on the AWS SSO Custom Application to see the assertion before it gets sent to OpenDistro. This helped me find what the username was that I was sending.
I added that username under the AWS ES "SAML master username (optional)" field and I was able to successfully login using the AWS SSO.
I then went and added a hardcoded group value under the AWS SSO Mappings for that Custom App, added the same string under the AWS ES "SAML master backend role (optional)" and specified under the "Optional SAML Settings" the string I used to map this under "Roles key" so that it matches.
I checked the assertion using the "Shift+Click" and verified that things were looking ok and I had "group" authentication as well :)
I noticed that I did not require the "Application start URL".
All of this is once you have the rest of things correctly configured such as "Application ACS URL", "Application SAML audience" and the others.
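As an added example (not from the answer above or from AWS), here is a small Python check of what that answer inspects by hand with Shift+Click: it parses a SAML assertion, pulls out the NameID and the values of the attribute named by the chosen Roles key, and compares them with the SAML master username and master backend role the domain is configured with. Element names follow the SAML 2.0 assertion schema; the sample assertion and every value in it are constructed.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# Constructed sample assertion (not a real capture): a NameID plus one
# attribute whose Name is the string chosen as the "Roles key".
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_constructed" Version="2.0">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="group">
      <saml2:AttributeValue>es-admins</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def extract_saml_identity(assertion_xml, roles_key):
    """Return (NameID, [role values]) from a SAML 2.0 Assertion, or from a Response wrapping one."""
    root = ET.fromstring(assertion_xml)
    assertion = root if root.tag == f"{{{SAML2}}}Assertion" else root.find(".//saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml2:Assertion element found")
    nameid = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    roles = []
    for attr in assertion.iterfind("saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == roles_key:  # only the attribute named by the Roles key counts
            roles.extend(v.text.strip() for v in attr.iterfind("saml2:AttributeValue", NS) if v.text)
    return (nameid.strip() if nameid else None), roles


def check_mapping(nameid, roles, master_username, master_backend_role):
    """Compare what the IdP asserts with what the domain accepts; an empty list means consistent."""
    problems = []
    if not nameid:
        problems.append("assertion carries no NameID, so there is nothing to match the master username against")
    elif nameid != master_username:
        problems.append(f"NameID {nameid!r} differs from the SAML master username {master_username!r}")
    if master_backend_role not in roles:
        problems.append(f"backend role {master_backend_role!r} is not present under the Roles key (got {roles})")
    return problems
```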
When trying to login via my AWS Cognito login page via Azure AD with email@live.com credentials, I'm being redirected to https://login.live.com/oauth20_authorize.srf?response_type=code&client_id=51483342-xxx-xxx-xxx-xxxx... and the page is throwing a 404 error.
Steps:
Created an Azure AD Enterprise Non Gallery Application.
Added identifier to enterprise application: urn:amazon:cognito:sp:ap-southeast-1_xxxxx
Added reply url as: https://xxxxx.auth.ap-southeast-1.amazoncognito.com/saml2/idpresponse
Downloaded the SAML Signing Certificate > Federation Metadata XML and uploaded it on Cognito by adding a new SAML identity provider.
Mapped SAML attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to Email under Cognito Attribute Mapping.
Enabled the AzureAd identity provider under App Client Settings on Cognito.
Allowed OAuth Flows: Authorization code grant, Implicit grant.
Invited an existing xxx@live.com user to Azure Active Directory and assigned a role to the user in the newly created Enterprise application.
Validated SSO from Enterprise Application > SSO > Validate. It's working correctly, without any errors.
Problem:
When trying to login via Cognito's login URL: https://xxxxx.auth.ap-southeast-1.amazoncognito.com/login?response_type=token&client_id=Cognito-App-Client-ID&redirect_uri=Callback-url-specified-in-cognito-app-client-settings --> AzureAd, I'm being redirected to https://login.microsoftonline.com/... where I enter the added user's email ID: xxx@live.com; after clicking next, instead of a password prompt the page throws a 404 error.
Also tried inviting another user with email: xxx@mydomain.com; this also results in the same 404 error.
Tried in different browsers: Chrome, Firefox, Safari. All result in the exact same error.
Azure AD SSO SAML2.0 integration doesn't work well with personal accounts.
Integrating with OIDC on the other hand works really well.
Azure AD integration with AWS Cognito.
We have a custom PHP app, and from within that there is a link that allows users to get to our Tableau server. We use SSO with SAML for authentication. When a user logs into the PHP app they are authenticated with our IdP, auth0. Then when they want to go to the Tableau server, it sends a SAML request to auth0.
We are having 2 issues:
1) If you go directly to the Tableau server (i.e. from a browser, not from the PHP app) it sends an auth request to auth0 for the tabadmin user. If tabadmin had previously authorized with auth0 and their session has not timed out, they are granted access. How can I control what username is used by Tableau when none is specified?
2) When Tableau gets an access request from the PHP app it checks to see if there already is a cookie and, if so, logs the user in as that cookie's user (without going to auth0) even if the request is from a different user. Is there a way to fix or control that?
The Problem
Right now when a user tries to login to the default WSO2 API Store/Publisher, it won't authorize the user, so in the Store it tries to log in and then logs out right away. In the Publisher it will throw a 401 Unauthorized error. I found a quick fix: in Carbon I added a user to the roles application/API Store and application/API Publisher, and now that user can login. I'm guessing either the SP or the IdP isn't getting the roles right on the user.
There are no errors to find, but logging in causes the logs in API Manager to say this:
INFO {org.wso2.carbon.hostobjects.sso.SAMLSSORelyingPartyObject} - invalidate: Session already invalidated {org.wso2.carbon.hostobjects.sso.SAMLSSORelyingPartyObject}
Environment
Our environment is a cluster environment with Identity Server 5.2 as the key manager. Also we have API Manager 2.0 and some gateway workers. We use federated authentication (SAML2) over to Shibboleth; all of that seems to be working fine.
Any ideas on how to troubleshoot this problem, or maybe help me understand the user roles and permissions better within WSO2, would be a big help.
I got login to work by adding the permissions login and API (subscribe, create, publish) to the internal/everyone role.
I use WSO2 Identity Server to be the key manager of a WSO2 API-M cluster.
Now users can log in to API-M via a Google account (OpenID) or a Facebook (OAuth2.0) account.
What my question is:
Whichever way a user logs in to the system, via OAuth2.0 or OpenID, I'll get the token, which is verified via Identity Server.
Now I want to get the user info (id, from which social service, etc.) via their token, but I don't know how to do it.
Thanks
Tom
You can, by accessing the userinfo endpoint with the received access token.
The curl command is as follows:
curl -k -H "Authorization: Bearer 4164157d677a6cd3a22e26e24c30135d" https://localhost:9443/oauth2/userinfo?schema=openid
As the response, the WSO2 Identity Server returns a JSON with user claims.
Refer to [OpenID Connect Basic Client Profile with WSO2 Identity Server] for more information.
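As an added example, not part of either answer or of WSO2's own code, the following Python reproduces the two curl calls on this page as one flow: the password grant from the first answer, then the userinfo call from this answer using the returned bearer token. The endpoints are the page's localhost:9443 defaults; demo_send and the JSON it answers with are constructed so the flow can be run without a server.

```python
import base64
import io
import json
import urllib.parse
import urllib.request

# Endpoints as used on this page (WSO2 IS defaults on localhost:9443).
TOKEN_URL = "https://localhost:9443/oauth2/token"
USERINFO_URL = "https://localhost:9443/oauth2/userinfo?schema=openid"


def build_token_request(client_key, client_secret, username, password, scope="openid"):
    """Same request the curl password-grant command sends: client credentials in
    HTTP Basic auth, grant_type and user credentials in the form body."""
    basic = base64.b64encode(f"{client_key}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "password", "username": username,
                                   "password": password, "scope": scope}).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"})


def build_userinfo_request(access_token):
    """Same request as the curl userinfo command: the access token as a Bearer credential."""
    return urllib.request.Request(USERINFO_URL, headers={"Authorization": f"Bearer {access_token}"})


def fetch_userinfo(client_key, client_secret, username, password, send=urllib.request.urlopen):
    """Password grant followed by the userinfo call. `send` is injectable so the flow
    can be exercised offline; the default urlopen verifies TLS, unlike curl -k."""
    with send(build_token_request(client_key, client_secret, username, password)) as resp:
        token = json.load(resp)
    if "access_token" not in token:  # the token endpoint answers with error/error_description on failure
        raise RuntimeError(f"token endpoint refused: {token.get('error')}: {token.get('error_description')}")
    with send(build_userinfo_request(token["access_token"])) as resp:
        return json.load(resp)  # JSON object of user claims


def demo_send(req):
    """Constructed stand-in for urlopen: answers with sample JSON shaped like the IS responses."""
    if req.full_url == TOKEN_URL:
        assert req.get_header("Authorization", "").startswith("Basic ")
        body = {"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}
    else:
        assert req.get_header("Authorization") == "Bearer constructed-token"
        body = {"sub": "user1", "email": "user1@example.com"}
    return io.BytesIO(json.dumps(body).encode())


if __name__ == "__main__":
    print(fetch_userinfo("<clientKey>", "<clientSecret>", "user1", "user1", send=demo_send))
```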