WSO2 IS 5.0.0 error thrown when logging in as locked user - wso2-identity-server

When using WSO2 IS 5.0.0 and setting a user account to locked (http://wso2.org/claims/identity/accountLocked), we get the error below when the login page posts back.
Authentication Error !
Something went wrong during the authentication process. Please try signing in again.
If the user is unlocked and login is re-attempted, they will log in successfully.
When looking at the wso2carbon.log on the IS, we only see this error message recorded:
WARN {org.wso2.carbon.identity.mgt.IdentityMgtEventListener} - User account is locked for user : <user>. cannot login until the account is unlocked {org.wso2.carbon.identity.mgt.IdentityMgtEventListener}
Is there a way to prevent this exception or to catch it so that the login page is not replaced with an exception message?

The Identity Server login page resides in the authentication-endpoint web app [1]. Login failure can occur due to reasons such as invalid credentials, an invalid user, or an account lock. The Identity Server can be configured to send the exact reason for the login failure [2].
So, the web app can be customized based on the login failure (in your case, account locking).
[1] https://docs.wso2.com/display/IS500/Customizing+Login+Pages
[2] https://docs.wso2.com/display/IS500/Customizing+Error+Messages

Related

angular-oauth2-oidc silent refresh is throwing error with wso2 apim

We are using angular-oauth2-oidc (5.0.2) on the frontend with WSO2 API Manager (4.0) on the backend for authentication. We are able to complete the login workflow. But when we trigger silentRefresh() on oauthService to extend the session, it returns the error "Authentication required".
After some debugging we found that some of the cookies saved at login are not being sent with the refresh request, but we are not sure if that is the issue.
Any insights are helpful, thanks.

Username Recovery throwing Callback URL validation failed

WSO2 Identity Server version: 5.11.0
After changing the admin password, I am getting the error below during username recovery.
Error!
Callback URL validation failed. org.wso2.carbon.identity.mgt.endpoint.util.client.IdentityRecoveryException: Error while instantiating IdentityProviderMgtServiceStub
Error logged in the WSO2 Identity Server wso2carbon.log:
[2021-09-06 03:29:02,012] [efd866e3-0236-46d7-bcc1-be378dfbcac8] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Login failed. Unauthorized login attempt 'admin[-1234]' at [2021-09-06 03:29:02,012+0000]
[2021-09-06 03:29:02,012] [efd866e3-0236-46d7-bcc1-be378dfbcac8] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} - Illegal access attempt at [2021-09-06 03:29:02,0012] from IP address 127.0.0.1 while trying to authenticate access to service IdentityProviderMgtService
Can someone please advise?
I changed the admin password from the WSO2 console, and login is working fine with the updated password.
However, during username recovery, it throws an illegal access attempt in the logs.
What am I missing here?
I already updated the new password in the cipher-text.properties and user-mgt.xml files too.
You can override the config in the RecoveryEndpointConfig.properties file, which is located in
<IS_HOME>/repository/deployment/server/webapps/accountrecoveryendpoint/WEB-INF/classes
Change the
identity.server.service.access.password=admin
to the one that you updated in the admin console.

SAML Replay Detection

We have a Java-based web application which uses SAML 2.0 for SSO. As part of the SSO we have also implemented Single Logout. Can anyone please share info on how to fix the issue below?
1. User logs into the IDP (app1).
2. User clicks on the link to the SP (app2).
3. User logs out of the IDP. A logout request is received by the SP and the session is invalidated.
4. User refreshes the browser that has the SP (app2) open and the original IDP request is resubmitted. The SP processes this request as if it came from the IDP. With this, the user is still able to navigate/use app2 even though he has logged out of the IDP.
I think the best solution is to go back to the IDP and check if the session (based on the SAML SessionIndex) is valid, but I am not sure how we can do it. Note the browser refresh only works within the window specified by NotBefore and NotOnOrAfter. If the user tries to refresh outside this window, we have logic that rejects the request/response.
The SP should also check for SAML assertion replay.
Every SAML assertion includes a unique ID.
Your SP should keep track of these until they expire (i.e. until NotOnOrAfter). When you receive a SAML assertion, if the ID has already been seen by your SP, the SAML assertion should be rejected.
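One way an SP can implement the replay check described in this answer, as an added Python example that is not from the original post or the asker's Java application. The sample assertion, the injectable clock and the in-memory store are assumptions made for the example; a clustered SP would need to back the cache with a shared store.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed sample assertion (not real IdP output), trimmed to what the replay
# check needs: the assertion ID and the Conditions validity window.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example-assertion-1" Version="2.0" IssueInstant="2021-09-06T03:29:02Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2021-09-06T03:28:00Z" NotOnOrAfter="2021-09-06T03:34:00Z"/>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC with a trailing Z; fractional seconds are not handled here.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text):
    """Return (ID, NotBefore, NotOnOrAfter); run this only after signature verification."""
    root = ET.fromstring(xml_text)  # production code should parse with defusedxml
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    return root.attrib["ID"], _ts(cond.attrib["NotBefore"]), _ts(cond.attrib["NotOnOrAfter"])

class AssertionReplayCache:
    """Remembers assertion IDs until NotOnOrAfter; a clustered SP needs a shared store."""
    def __init__(self, clock):
        self._seen = {}  # assertion ID -> NotOnOrAfter
        self._clock = clock  # injectable so the scenario below can move time forward

    def check(self, assertion_id, not_before, not_on_or_after):
        now = self._clock()
        # Forget IDs whose window has closed; the time check rejects those anyway.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if now < not_before:
            return False, "rejected: before NotBefore"
        if now >= not_on_or_after:
            return False, "rejected: on or after NotOnOrAfter"
        if assertion_id in self._seen:
            return False, "rejected: assertion ID already seen (replay)"
        self._seen[assertion_id] = not_on_or_after
        return True, "accepted"

def run_scenario():
    """Initial POST, a browser-refresh re-POST inside the window, then the same ID after expiry."""
    now = [datetime(2021, 9, 6, 3, 30, tzinfo=timezone.utc)]
    cache = AssertionReplayCache(clock=lambda: now[0])
    aid, nb, noa = parse_assertion(SAMPLE_ASSERTION)
    results = [cache.check(aid, nb, noa)[1], cache.check(aid, nb, noa)[1]]
    now[0] = datetime(2021, 9, 6, 3, 35, tzinfo=timezone.utc)  # past NotOnOrAfter
    results.append(cache.check(aid, nb, noa)[1])
    return results
```

The second call in run_scenario models the browser refresh from step 4 of the question: same assertion, still inside the NotBefore/NotOnOrAfter window, rejected only because its ID was already seen.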

wso2 - Does wso2 identity server support IDP initiated logout from federated IDP?

We are using WSO2 Identity Server 5.3.0. I configured trust between the WSO2 IDP (symbolic name "IDP1") and the Service Provider (symbolic name "SP1"). Then I configured a second trust between WSO2 acting as a service provider ("SP2") and a federated IDP (symbolic name "IDP2", some public/gov service). SP1 protects some resources; access to them is granted only when users are authenticated to IDP2. Everything is based on the SAML protocol.
Login works fine - login requests are redirected from WSO2 (=IDP1) to IDP2.
IDP1 initiated logout works fine too.
But IDP2 initiated logout fails with message (in a browser): "Attention: Something went wrong during the authentication process. Please try signing in again." It generates the record to the WSO2 log: "{...DefaultRequestCoordinator} Context does not exist. Probably due to invalidated cache".
During the IDP2-initiated logout a correct LogoutRequest is sent to WSO2 (https://amsrv.mydomain.org:9443/commonauth).
Does WSO2 support such a scenario (IDP2-initiated logout)?
SLO works based on the session ID. You cannot invalidate a session that is not recognized by the IDP.
Your log seems to indicate that the context [pointed to by the session ID provided in the SLO request] does not exist, so it cannot be terminated.
Please deactivate ciphering on the flow, put Wireshark on it and look at it. WSO2IS provides a screen in the user dashboard to see which sessions are open and with which IDs.
I suspect that IdP2 is sending the session ID of the session between the client and IdP2... not the session ID of the session between the client and IdP1.
Jeff

wso2 identity server Multifactor Authentication error

I am unable to implement Multifactor Authentication.
The error I am getting is:
TID: [0] [WSO2 Identity Server] [2012-10-30 10:31:38,620] ERROR {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider} - login failed. Trying again.. {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider}
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate (SASLAuthentication.java:209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:301)
This is for WSO2 Identity Server 3.2.3, straight out of the box. No additional configuration was performed to run this instance of Identity Server.
It appears that when signing in as admin, the LDAP authentication is completed and then authentication with gtalk is attempted, which is when the error occurs.
Should I be setting my own configuration in the identity.xml where gtalk is being set?
<MultifactorAuthentication>
    <XMPPSettings>
        <XMPPConfig>
            <XMPPProvider>gtalk</XMPPProvider>
            <XMPPServer>talk.google.com</XMPPServer>
            <XMPPPort>5222</XMPPPort>
            <XMPPExt>gmail.com</XMPPExt>
            <XMPPUserName>multifactor1#gmail.com</XMPPUserName>
            <XMPPPassword>wso2carbon</XMPPPassword>
        </XMPPConfig>
    </XMPPSettings>
</MultifactorAuthentication>
I found out that I do need to set up a Google talk account.
I added the new settings to the MultifactorAuthentication configuration.
I restarted the server.
I edited the user account with another new Google talk account.
I logged out.
Logged back in via the relyingparty URL with OpenID,
received communication over gtalk requesting a PIN.
I entered the PIN and got logged in.
It would have been nice if WSO2 had in their documentation the need to set up the settings for this configuration to get multifactor authentication to work out of the box.