I have configured SAML for my AWS OpenSearch Service Dashboard and keep getting 'Internal Server Error' after successfully logging in to Okta and getting redirected to the SSO endpoint (https://*****.eu-west-1.es.amazonaws.com/_dashboards/_opendistro/_security/saml/acs). I am using the service provider initiated login flow.
The SAML request looks like:
Host: *****
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://***.okta.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 10427
Origin: https://***.okta.com
Connection: keep-alive
Cookie: security_authentication=Fe26.2**a179694d11de140222bccdb1b628732ad44371158089d49e851960cdfa74e711*rMo5VnNKA2FukJOaGT4zlw*9I-VJlFm20BlqKCAu7Sg9IUqtnLkPjVb-SBBMrEoSr9qX8NU24K6d7hiK6Q4ONPYo0cUbiGy25qudhs2DfYFrkRYTA1a0zf8fHRdxuQ6FNYXrkqWZ1s__kZVo-sAcwhcA6PbAXjFK3J-Mjy3-2N-VA**f25a0b1ddd9d36f949193a49ea74d88ff8fdb29fc2c0fc6d23102748a645a239*hL7oHPYT2TRQlaFw81ptxtKSFmXhzmcPkFkpF4U0j9U; STATE-TOKEN=fed6e87a-a743-4b36-a0e9-b62a579635a5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
HTTP/2.0 500 Internal Server Error
date: Mon, 18 Oct 2021 10:06:18 GMT
content-type: application/json; charset=utf-8
content-length: 77
x-amzn-requestid: 7c0a8527-c780-4bc9-b55a-4b8e0e468923
cache-control: private, no-cache, no-store, must-revalidate
osd-name: ip-10-212-37-230.eu-west-1.compute.internal
X-Firefox-Spdy: h2
<saml2p:Response Destination="****/_dashboards/_opendistro/_security/saml/acs"
ID="id12441206744048667167559313"
InResponseTo="ONELOGIN_e54a9652-c4b3-46b1-a9af-192b7892982e"
IssueInstant="2021-10-18T10:15:48.540Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>http://www.okta.com/exk4crh6pK2EwG3xz696</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id12441206744048667167559313">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>wb2AqxWez2/KbOC81HYKxMoHDgxku2lXWXqrURo0k7k=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>fSB69UWpOukV0hfX7gtoOd5lRU9Z7wKjWiYEfiAXi9eNLJGdzWA35eR5kxL/aSWp3r6TPj0ArcfgVOXgSKQfERWLsNaHuGFd2/vfEPsvb49NruitDgEmCVB+YMxTHZ3DujPlgf2/ADFI5hKV5nJfNkfFaJP/Y6cgnimDlBsXaV+E3wOrs2tfph5WbDYXIjKRlHb24cDJh7SRKK7WEmJR6HRPzlwCOkXGnc/UN1yqFHze+EMw+6buxPq04IoVA2waxNtsKwmm/LBSh5Up+UJdpvZ1ULF3GrTAbSiIbfxHHEQQWXTkwWJufdO+p24SOjcdgyMHqhtPO9Hs5Xa3lSISjg==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDljCCAn6gAwIBAgIGAXyPqbX/MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYDVQQGEwJVUzETMBEG...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="id124412067441340881963049510"
IssueInstant="2021-10-18T10:15:48.540Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>http://www.okta.com/exk4crh6pK2EwG3xz696</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id124412067441340881963049510">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>3XV/aXHpIRIXjJob312hhWsHbdoo5cqXCgoVM6MakEA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>TgN3QlXBHPumS7wrixp6R7oX30kyWWeT+dfu/raqBsqBOGb/iyvliPl3FX8AWkTRBjWou4Kbwfo6ashoUq0WvYNWwYZiEPwJVao8WPSzyHWLL8B0NCOoa68sQojWkVsTqGUQPDHqDq08Kxm0GZEudQuOf9SYwE4d+znmoUaBOorgZbFojbPD2AqnunAR9e9VCQYOsinoURVxrGqjIUnxwDpxvBcDl+i5CVcTCYmrG3VbPiLNaAdUXYAyyie4z3wa19reLk+O9NJ0EgqNxOnhEKc2SyJ7YxgA+UWTDjPIkqcww8AJl/LAmx6WY+KRu7nrlcwA4UWoNRuqgUaw2JoB7Q==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDljCCAn6gAwIBAgIGAXyPqbX/MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYDVQQGEwJVUzETMBEG...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jeroenvanpelt#hotmail.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="ONELOGIN_e54a9652-c4b3-46b1-a9af-192b7892982e"
NotOnOrAfter="2021-10-18T10:20:48.540Z"
Recipient="****/_dashboards/_opendistro/_security/saml/acs"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-10-18T10:10:48.540Z"
NotOnOrAfter="2021-10-18T10:20:48.540Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AudienceRestriction>
<saml2:Audience>opensearch-saml</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-10-18T10:15:47.768Z"
SessionIndex="ONELOGIN_e54a9652-c4b3-46b1-a9af-192b7892982e"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="roles"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>all_access</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
The error response in the browser is: {"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}.
In the error logs (CloudWatch), I have found the following messages:
[2021-10-18T01:45:40,286][WARN ][c.a.d.a.h.s.AuthTokenProcessorHandler] [ba6ca9920d4df640d8973f488f4c11c3] Error while validating SAML response in __PATH__
[2021-10-18T00:52:39,445][WARN ][r.suppressed ] [ba6ca9920d4df640d8973f488f4c11c3] path: __PATH__ params: {settings_filter=plugins.security.ssl.transport.pemkey_filepath,plugins.security.cert.oid,plugins.security.enable_snapshot_restore_privilege,plugins.security.audit.config.pemtrustedcas_filepath,reindex.ssl.supported_protocols,opendistro_security.compliance.history.external_config_enabled,plugins.security.ssl.transport.truststore_password,plugins.security.ssl.transport.keystore_alias,plugins.security.ssl.transport.keystore_type,plugins.security.check_snapshot_restore_write_privileges,plugins.security.advanced_modules_enabled,reindex.ssl.truststore.password,opendistro_security.*,plugins.security.ssl.transport.truststore_alias,plugins.security.unsupported.accept_invalid_config,plugins.security.audit.config.webhook.format,plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath,plugins.security.audit.config.pemkey_password,plugins.security.background_init_if_securityindex_not_exist,plugins.security.ssl.transport.enabled,plugins.security.audit.config.webhook.ssl.verify,plugins.security.ssl.transport.keystore_keypassword,plugins.security.protected_indices.roles,plugins.security.audit.config.index,plugins.security.ssl.http.keystore_alias,plugins.security.audit.config.webhook.url,plugins.security.allow_unsafe_democertificates,plugins.security.unsupported.restapi.allow_securityconfig_modification,plugins.security.allow_default_init_securityindex,plugins.security.ssl.http.truststore_type,plugins.security.ssl.transport.keystore_password,plugins.security.audit.config.log4j.logger_name,reindex.ssl.keystore.key_password,reindex.ssl.truststore.type,plugins.security.ssl.http.keystore_filepath,plugins.security.kerberos.krb5_filepath,plugins.security.ssl.transport.keystore_filepath,plugins.security.ssl.client.external_context_id,plugins.security.ssl.transport.pemcert_filepath,plugins.security.unsupported.inject_user.enabled,plugins.security.ssl.http.pemkey_password,opendistro_security.audit.enable_rest,reindex.ssl.key_passphrase,opendistro_security.audit.resolve_bulk_requests,plugins.security.restapi.password_validation_regex,plugins.security.unsupported.allow_now_in_dls,plugins.security.audit.config.type,plugins.security.ssl.transport.truststore_type,plugins.security.audit.threadpool.max_queue_len,plugins.security.audit.config.pemcert_filepath,plugins.security.audit.config.password,plugins.security.ssl.transport.enforce_hostname_verification,plugins.security.unsupported.restore.securityindex.enabled,plugins.security.*,plugins.security.config_index_name,plugins.security.audit.config.pemtrustedcas_content,plugins.security.ssl.transport.pemtrustedcas_filepath,reindex.ssl.truststore.path,plugins.security.ssl.http.pemcert_filepath,reindex.ssl.keystore.password,reindex.ssl.certificate_authorities,plugins.security.compliance.disable_anonymous_authentication,opendistro_security.audit.resolve_indices,plugins.security.audit.config.pemcert_content,plugins.security.ssl.http.truststore_password,plugins.security.ssl.http.crl.prefer_crlfile_over_ocsp,plugins.security.audit.config.pemkey_filepath,opendistro_security.compliance.history.read.metadata_only,opendistro_security.compliance.history.write.log_diffs,plugins.security.ssl.transport.extended_key_usage_enabled,plugins.security.unsupported.load_static_resources,plugins.security.compliance.salt,plugins.security.filter_securityindex_from_all_requests,reindex.ssl.certificate,plugins.security.ssl.http.crl.validate,reindex.ssl.verification_mode,opendistro_security.audit.enable_transport,plugins.security.ssl.http.crl.validation_date,plugins.security.audit.config.enable_ssl_client_auth,plugins.security.ssl.http.pemtrustedcas_filepath,plugins.security.ssl.http.keystore_keypassword,plugins.security.ssl_only,opendistro_security.compliance.history.write.metadata_only,opendistro_security.audit.log_request_body,plugins.security.unsupported.inject_user.admin.enabled,plugins.security.audit.config.webhook.ssl.pemtrustedcas_content,plugins.security.ssl.http.pemkey_filepath,plugins.security.ssl_cert_reload_enabled,plugins.security.audit.config.username,plugins.security.ssl.http.crl.disable_crldp,plugins.security.audit.threadpool.size,plugins.security.roles_mapping_resolution,plugins.security.audit.config.pemkey_content,reindex.ssl.keystore.path,plugins.security.ssl.http.enabled,plugins.security.kerberos.acceptor_keytab_filepath,plugins.security.system_indices.enabled,plugins.security.audit.config.cert_alias,reindex.ssl.client_authentication,reindex.ssl.keystore.type,plugins.security.audit.config.log4j.level,plugins.security.ssl.transport.truststore_filepath,plugins.security.audit.type,plugins.security.disabled,reindex.ssl.cipher_suites,plugins.security.disable_envvar_replacement,plugins.security.restapi.password_validation_error_message,plugins.security.ssl.http.crl.check_only_end_entities,opendistro_security.compliance.history.internal_config_enabled,opendistro_security.audit.exclude_sensitive_headers,secret_key,plugins.security.ssl.http.enable_openssl_if_available,plugins.security.ssl.http.clientauth_mode,plugins.security.protected_indices.enabled,plugins.security.unsupported.disable_rest_auth_initially,reindex.ssl.key,plugins.security.ssl.http.crl.file_path,plugins.security.audit.config.enable_ssl,plugins.security.kerberos.acceptor_principal,plugins.security.cert.intercluster_request_evaluator_class,reindex.ssl.keystore.algorithm,plugins.security.audit.config.verify_hostnames,plugins.security.ssl.http.keystore_type,plugins.security.ssl.http.truststore_filepath,plugins.security.cache.ttl_minutes,plugins.security.ssl.transport.pemkey_password,plugins.security.system_indices.indices,plugins.security.ssl.transport.enable_openssl_if_available,access_key,plugins.security.ssl.http.keystore_password,plugins.security.ssl.http.crl.disable_ocsp,plugins.security.ssl.http.truststore_alias,plugins.security.ssl.transport.principal_extractor_class,plugins.security.protected_indices.indices,plugins.security.ssl.transport.resolve_hostname,plugins.security.unsupported.disable_intertransport_auth_initially, filter_path=nodes.*.attributes.di_number}
OpenSearchSecurityException[OpenSearch Security not initialized for __PATH__]
at org.opensearch.security.filter.SecurityFilter.apply0(SecurityFilter.java:296)
at org.opensearch.security.filter.SecurityFilter.apply(SecurityFilter.java:154)
at org.opensearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:191)
at org.opensearch.action.support.TransportAction.execute(TransportAction.java:169)
at org.opensearch.action.support.TransportAction.execute(TransportAction.java:97)
at org.opensearch.client.node.NodeClient.executeLocally(NodeClient.java:99)
at org.opensearch.client.node.NodeClient.doExecute(NodeClient.java:88)
at org.opensearch.client.support.AbstractClient.execute(AbstractClient.java:428)
at org.opensearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:717)
at org.opensearch.client.support.AbstractClient$ClusterAdmin.state(AbstractClient.java:747)
at org.opensearch.rest.action.admin.cluster.RestClusterStateAction.lambda$prepareRequest$0(RestClusterStateAction.java:125)
at org.opensearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:128)
at org.opensearch.security.filter.SecurityRestFilter$1.handleRequest(SecurityRestFilter.java:128)
at org.opensearch.rest.RestController.dispatchRequest(RestController.java:271)
at org.opensearch.rest.RestController.tryAllHandlers(RestController.java:353)
at org.opensearch.rest.RestController.dispatchRequest(RestController.java:204)
__AMAZON_INTERNAL__
__AMAZON_INTERNAL__
__AMAZON_INTERNAL__
__AMAZON_INTERNAL__
__AMAZON_INTERNAL__
__AMAZON_INTERNAL__
__AMAZON_INTERNAL__
__AMAZON_INTERNAL__
at org.eclipse.jetty.server.handler.GzipHandler.handle(GzipHandler.java:301)
__AMAZON_INTERNAL__
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
__AMAZON_INTERNAL__
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:370)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at __PATH__(Thread.java:834)
I started a new Opensearch cluster after users started to complain they could no longer log in to an older ES Cluster that was recently updated to Opensearch. Instead of SAML authentication, it was using Cognito authentication. As it was working before, and I followed the instructions (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/saml.html) carefully again for both Cognito authentication and SAML authentication, it feels like something is wrong with Opensearch itself.
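Before looking at the signature, an SP rejects a response like the one above when any of the plain fields do not match its own configuration: Destination and Recipient versus the ACS URL, InResponseTo versus the AuthnRequest ID, the Audience versus the SP entity ID, the NotBefore/NotOnOrAfter window versus the SP clock, an empty NameID, or a missing roles attribute. The script below is an added example, not part of the question or of the OpenSearch Security plugin; it walks those checks over a constructed, unsigned copy of the assertion posted above. The ACS URL and the assumed "now" are hypothetical stand-ins for the masked values, it assumes the Status is Success, and it does not verify the XML signature (that belongs to a proper SAML library).

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed SP configuration (hypothetical values standing in for the masked ones).
SAMPLE_ACS = "https://example.eu-west-1.es.amazonaws.com/_dashboards/_opendistro/_security/saml/acs"
SAMPLE_SP_ENTITY_ID = "opensearch-saml"
SAMPLE_IDP_ENTITY_ID = "http://www.okta.com/exk4crh6pK2EwG3xz696"
SAMPLE_REQUEST_ID = "ONELOGIN_e54a9652-c4b3-46b1-a9af-192b7892982e"

# Constructed sample: the assertion from the question with both signatures removed.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="id1" Version="2.0" IssueInstant="2021-10-18T10:15:48.540Z"
  Destination="{SAMPLE_ACS}" InResponseTo="{SAMPLE_REQUEST_ID}">
  <saml:Issuer>{SAMPLE_IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="id2" Version="2.0" IssueInstant="2021-10-18T10:15:48.540Z">
    <saml:Issuer>{SAMPLE_IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{SAMPLE_REQUEST_ID}"
          NotOnOrAfter="2021-10-18T10:20:48.540Z" Recipient="{SAMPLE_ACS}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-10-18T10:10:48.540Z" NotOnOrAfter="2021-10-18T10:20:48.540Z">
      <saml:AudienceRestriction><saml:Audience>{SAMPLE_SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="roles"><saml:AttributeValue>all_access</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    # SAML timestamps are UTC ISO-8601 ending in Z, with or without fractional seconds.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_assertion(xml_text, acs_url, sp_entity_id, idp_entity_id, request_id, now_utc, roles_attr="roles"):
    """Return a list of problems an SP would reject the response for; [] means all checks passed."""
    now = _ts(now_utc)
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != acs_url:
        problems.append(f"Destination {resp.get('Destination')!r} != ACS URL {acs_url!r}")
    if resp.get("InResponseTo") != request_id:
        problems.append("Response InResponseTo does not match the AuthnRequest ID we issued")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion element (EncryptedAssertion is not handled here)")
        return problems
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append(f"assertion Issuer {issuer!r} != configured IdP entity ID {idp_entity_id!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions")
    else:
        if now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid: NotBefore is in the future (check clock skew)")
        if now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired: Conditions NotOnOrAfter has passed")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"SP entity ID {sp_entity_id!r} not in Audience {audiences}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient != ACS URL")
        if scd.get("InResponseTo") != request_id:
            problems.append("SubjectConfirmationData InResponseTo mismatch")
        if now >= _ts(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired: SubjectConfirmationData NotOnOrAfter has passed")
    if not assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS):
        problems.append("empty NameID; configure a SubjectKey attribute instead")
    roles = assertion.findall(
        f"saml:AttributeStatement/saml:Attribute[@Name='{roles_attr}']/saml:AttributeValue", NS)
    if not roles:
        problems.append(f"no {roles_attr!r} attribute in the assertion")
    return problems
```

Run it with the masked values from your own CloudWatch or browser capture filled in; a non-empty list is the field the SP disagrees with, while an empty list with a 500 still present points at the signature, the IdP certificate in the uploaded metadata, or the backend, not at the assertion body.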
Check the SAML URLs configured in your IdP Broker as they changed from ES 7.x to OpenSearch 1.x. Also, try switching between using either the IdP or SP URL.
I've got exactly the same issue as you and I've managed to fix it by changing the SubjectKey to a custom SAML attribute:
I've added an attribute named email to my IdP configuration (Okta in your case, AWS SSO in my case).
Then I've set it up as the SubjectKey in AWS OpenSearch. Here is my configuration for comparison:
# Escape the IdP metadata so it can be embedded as a JSON string: quotes to \" and newlines to \n
SAML_METADATA=$(sed 's/"/\\\"/g' saml.xml | sed ':a;N;$!ba;s/\n/\\n/g')
# Pull the IdP entity ID out of the EntityDescriptor; [^"]* stops at the closing quote instead of
# swallowing any attributes that follow entityID on the same line
SAML_ENTITY_ID=$(grep entityID saml.xml | sed -r 's:.*entityID="([^"]*)".*:\1:')
aws opensearch update-domain-config \
  --domain-name <name of the OpenSearch domain> \
  --advanced-security-options '{"SAMLOptions":{"Enabled":true,"MasterUserName":"my-email#example.com","Idp":{"EntityId":"'"$SAML_ENTITY_ID"'","MetadataContent":"'"$SAML_METADATA"'"},"SessionTimeoutMinutes":180,"SubjectKey":"email"}}'
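The grep/sed pipeline above works for typical metadata but is easy to break (a second attribute after entityID on the same line, a backslash in the XML). As an added example, not the answerer's code, the function below builds the same SAMLOptions document with an XML parser for entityID and json.dumps for the escaping, and quotes the result for the shell. The metadata string is a constructed stand-in for saml.xml; the field names are those of the aws opensearch update-domain-config SAMLOptions input.

```python
import json
import shlex
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed stand-in for the IdP metadata file; real metadata also carries the signing cert.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exk4crh6pK2EwG3xz696" validUntil="2031-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.okta.com/app/exk4crh6pK2EwG3xz696/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_entity_id(metadata_xml):
    """Read entityID from the EntityDescriptor root; refuses anything that is not IdP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"expected an md:EntityDescriptor root, got {root.tag}")
    if root.find(f"{{{MD_NS}}}IDPSSODescriptor") is None:
        raise ValueError("metadata has no IDPSSODescriptor; is this SP metadata?")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    return entity_id


def saml_options(metadata_xml, master_user, subject_key="email", roles_key=None, timeout_min=180):
    """Return the SAMLOptions document as a dict; json.dumps does the escaping sed was doing."""
    opts = {
        "Enabled": True,
        "MasterUserName": master_user,
        "Idp": {"EntityId": idp_entity_id(metadata_xml), "MetadataContent": metadata_xml},
        "SessionTimeoutMinutes": timeout_min,
        "SubjectKey": subject_key,
    }
    if roles_key:
        opts["RolesKey"] = roles_key
    return {"SAMLOptions": opts}


def cli_command(domain, options):
    """Render the full aws CLI invocation with both arguments shell-quoted."""
    payload = json.dumps(options)
    return ("aws opensearch update-domain-config --domain-name "
            f"{shlex.quote(domain)} --advanced-security-options {shlex.quote(payload)}")


if __name__ == "__main__":
    print(cli_command("my-domain", saml_options(SAMPLE_METADATA, "admin@example.com")))
```

Replace SAMPLE_METADATA with the contents of the file downloaded from the IdP; RolesKey is only needed if you map a group attribute to backend roles rather than granting everything through the master user.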
Here's what I did to solve the 500 internal server error with OpenSearch SSO login.
Note: Only if you are using AWS SSO
Log into AWS SSO console > Applications > Add New Application > search for OpenSearch (or select add custom SAML application)
Enter Display Name and Description and download AWS SSO SAML Metadata File
Go to the Application metadata section and add the Application ACS URL (Copy SSO URL (IdP initiated) from OpenSearch domain security configuration) > Save Changes
Go to Attribute mappings and add an attribute in the 1st column, e.g. email, with the value ${user:email} > Save changes and assign the required users.
Go to OpenSearch domain security configuration > upload the metadata file downloaded during step 2
Go to Additional Settings and add email (attribute name in step 4) to Subject key - optional
Go to your AWS SSO Start page you should see OpenSearch there.
Hope this helps
I'm currently having an issue with the federation between WSO2 Identity Server 5.7.0 and ADFS when unauthorized users try to access an application registered in WSO2.
As I have described in this question #58123989, in our organization there are some users belonging to an Active Directory Organizational Unit (OU) that cannot use some Relying Parties (RP) of ADFS. This has been successfully implemented with an Issuance Authorization Rule, and when the RP is configured with WS-Federation an error is shown on the ADFS page explaining that the user has no permission to access the application/RP.
But when the RP is federated with a SAML config (like our WSO2 solution), no error is shown on ADFS, and from what I have read, the SAML protocol encourages that the responsibility of presenting authentication errors falls to the Service Providers that request the authentication.
To my understanding, in our scenario WSO2 IS is simultaneously an RP and SP, and no error page is shown.
So, when a user who belongs to a disallowed OU tries to log in, the SAML response that is returned goes like this:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_8e68c63c-6fb4-4dec-8d6d-2c4d885ea36f"
Version="2.0"
IssueInstant="2019-10-30T09:11:10.159Z"
Destination="https://km.apim.ipleiria.pt/commonauth"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="_c48ab89ffc9dabae2294416785a7c701"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.ipleiria.pt/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_8e68c63c-6fb4-4dec-8d6d-2c4d885ea36f">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>i2O6tpoM9sv9W7T5J99VENpfSplM0xcs4ocGgdFYwXw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>CoU7XShDtzjVciFP1zvHe5+kXpQ5gsI1XMiEcskqbDvzdAcH4woGYrAGHge9wY2+Nw6aJVfzm6YyKiWRfp83Rl7kny/cVhttApKXQskci/mtOk5BKKm/AMGXbYu82baS8mdJN1M9QDRtQQoDyeoxCv15T1zwKJhMGmweOGpYAXOqO3QKl7QMAPcggwwdp0/j8MRfqN8rqSyQGfbnPdS0Qz8fYWjou6C9T0hbQhfkPJwXHfpNmw4Ar8t7jL2b5K1nkHl4QLw5IHfpbTO9a06AU6j1WSmboAd7/zHs3CxxKYL4YQNpJuUXmac0GK9dkhptc8XWZZ4XUQb7wbvsZ8Hzvg==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
</samlp:StatusCode>
</samlp:Status>
</samlp:Response>
As you can see the StatusCode is urn:oasis:names:tc:SAML:2.0:status:RequestDenied.
When the response is processed by WSO2IS, there is an exception thrown with the following message and stack trace: SAML Assertion is not found in the Response
TID: [-1234] [] [2019-10-30 09:11:08,797] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - SAML Assertion is not found in the Response
org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: SAML Assertion is not found in the Response
at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:325)
at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:77)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:497)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:471)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:174)
at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:185)
at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler.handle(GraphBasedSequenceHandler.java:102)
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:135)
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:162)
at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:53)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.identity.captcha.filter.CaptchaFilter.doFilter(CaptchaFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:72)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:65)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.wso2.carbon.identity.application.authenticator.samlsso.exception.SAMLSSOException: SAML Assertion is not found in the Response
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSSOResponse(DefaultSAML2SSOManager.java:538)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.executeSAMLReponse(DefaultSAML2SSOManager.java:383)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSAMLResponse(DefaultSAML2SSOManager.java:374)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processResponse(DefaultSAML2SSOManager.java:331)
at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:252)
... 59 more
But no error page is presented to the user, and the connection is returned to the application (usually a Single Page Application registered in WSO2 API Manager) with no auth info.
Since ADFS is somewhat scarce in documentation, and of course the SAML protocol rules encourage the presentation of errors to fall to the SP, my approach has been to capture the exception thrown by WSO2IS and present an error page, although with no success.
How can I capture the error and present a page?
Is there a different approach?
Can this be configured in ADFS?
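The response ADFS returns here is valid SAML: a Status of Responder with the nested second-level code RequestDenied, and by design no Assertion. An SP that goes straight to "find the Assertion" reports a missing assertion; one that reads the Status first can tell the user why the IdP refused. The code below is an added, generic example, not WSO2's or ADFS's code: it walks the nested StatusCode chain (the outer code is the top-level result, the innermost the specific reason), maps the reason to a message for an error page, and only looks for an Assertion when the status is Success. Both responses are constructed samples; the denied one mirrors the ADFS response in the question with the signature removed and hostnames replaced.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Second-level status codes from SAML 2.0 Core section 3.2.2.2 that an SP can show to a user.
REASONS = {
    "urn:oasis:names:tc:SAML:2.0:status:RequestDenied": "The identity provider refused to issue a login for this account.",
    "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed": "Authentication at the identity provider failed.",
    "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal": "The identity provider does not recognise this account.",
    "urn:oasis:names:tc:SAML:2.0:status:NoPassive": "Passive login was requested but interaction is required.",
    "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext": "The requested authentication strength is not available.",
}

# Constructed: the ADFS RequestDenied response from the question, signature stripped.
DENIED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_8e68c63c" Version="2.0" IssueInstant="2019-10-30T09:11:10.159Z"
  Destination="https://sp.example.org/commonauth" InResponseTo="_c48ab89f">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.example.org/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

# Constructed: a minimal successful response with an (unsigned) assertion.
SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ok" Version="2.0"
  IssueInstant="2019-10-30T09:11:10.159Z" Destination="https://sp.example.org/commonauth">
  <saml:Issuer>http://idp.example.org/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-10-30T09:11:10.159Z">
    <saml:Issuer>http://idp.example.org/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def status_codes(resp):
    """Return the StatusCode chain outermost first, e.g. [Responder, RequestDenied]."""
    codes = []
    node = resp.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes


def process_response(xml_text):
    """Classify a SAML Response: an error dict for the SP's error page, or the subject on success."""
    resp = ET.fromstring(xml_text)
    codes = status_codes(resp)
    if not codes:
        return {"ok": False, "codes": [], "error": "Malformed response: no Status element."}
    if codes[0] != SUCCESS:
        # The innermost code carries the reason; StatusMessage is optional free text from the IdP.
        message = resp.findtext("samlp:Status/samlp:StatusMessage", default="", namespaces=NS)
        return {"ok": False, "codes": codes,
                "error": REASONS.get(codes[-1], "The identity provider returned an error."),
                "idp_message": message}
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "codes": codes, "error": "Success status but no Assertion in the Response."}
    # Signature, audience, recipient and time-window checks belong here before the NameID is trusted.
    return {"ok": True, "codes": codes,
            "name_id": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)}
```

The returned dict is what the SP renders: on a non-Success status, show REASONS[innermost code] to the user and log the full chain plus any StatusMessage, since the IdP is not going to show anything itself under the SAML binding.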
What I want to do is:
1.SSO with wso2 Identity server 5.1.0 and wso2 API manager 1.10.0 (done)
reference : https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2
2.Login wso2 API manager 1.10.0 via Facebook credential (fail)
reference : https://docs.wso2.com/display/IS510/How+To%3A+Login+to+the+Identity+Server+using+Facebook+Credentials
The situation is :
1.When I go to the login page of APIM , it will redirect to Facebook login page via Identity server.
2.I login to Facebook and then it redirect to APIM via Identity server.
3.APIM shows Error 401 : Authorization Required.
The server couldn't verify that you are authorized to access the requested resource.
Identity server logs
==> audit.log <==
[2016-05-03 01:34:56,770] INFO {AUDIT_LOG}- Initiator : sbyangtw#yahoo.com.tw | Action : Login | Target : ApplicationAuthenticationFramework | Data : { "ContextIdentifier" : "c2474e20-3b83-4007-b34e-a6c461f7b9fa","AuthenticatedUser" : "sbyangtw#yahoo.com.tw","AuthenticatedUserTenantDomain" : "null","ServiceProviderName" : "APIM_PUBLISHER","RequestType" : "samlsso","RelyingParty" : "API_PUBLISHER_ISSUER","AuthenticatedIdPs" : "eyJ0eXAiOiJKV1QiLCAiYWxnIjoibm9uZSJ9.eyJpc3MiOiJ3c28yIiwiZXhwIjoxNDYyMjM5Mjk2NzY1MzAwMCwiaWF0IjoxNDYyMjM5Mjk2NzY1LCJpZHBzIjpbeyJpZHAiOiJmYWNlYm9vayIsImF1dGhlbnRpY2F0b3IiOiJGYWNlYm9va0F1dGhlbnRpY2F0b3IifV19." } | Result : Success
==> http_access_2016-05-03.log <==
122.147.238.98 - - [03/May/2016:01:34:56 +0000] "GET /commonauth?code=AQBs01GQq0m76-z1ilUNzgIF-8qgBq7ES9MxIE_as5-EwoUg9kROlrKNQynM0xdZ7ZkdAMAxDq5wa8WRAZHoU8AHNTEHj_eEDzix5KKKyNTFkzqE0bRd4DXMaDwQg2r1WW9BTqVwAJYeJGuySE7aabNYfBaSyasqSOH0_kaow6-68MbDt6oAxCNBYUocn-JIDmS3-TUS6bYJsLMwYo8mcib22ZOl7pJWIhCPtx6mbIvcJmzIopdNqQwQkDMK741PN4jfNGfqkwkyRi1AQikgzomYSvqHt1slVV8KnHVDj-OTM2EwkDdVzWGiiyfKbT9P9MPZ7vxLYlkS6JgWdntzXDM7&state=c2474e20-3b83-4007-b34e-a6c461f7b9fa%2Cfacebook HTTP/1.1" 302 - "https://www.facebook.com/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
122.147.238.98 - - [03/May/2016:01:34:58 +0000] "GET /samlsso?sessionDataKey=a492a7af-202f-4370-af83-f96d8240f526 HTTP/1.1" 200 3632 "https://www.facebook.com/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
APIM logs
==> wso2carbon.log <==
TID: [-1234] [] [2016-05-03 01:34:43,373] ERROR {org.wso2.carbon.registry.core.jdbc.realm.RegistryRealm} - Realm service is not available. Make sure that the required version of the User Manager component is properly installed. {org.wso2.carbon.registry.core.jdbc.realm.RegistryRealm}
==> wso2-apigw-errors.log <==
2016-05-03 01:34:43,373 [-] [http-nio-9443-exec-28] ERROR RegistryRealm Realm service is not available. Make sure that the required version of the User Manager component is properly installed.
==> wso2carbon.log <==
TID: [-1234] [] [2016-05-03 01:34:43,374] ERROR {org.wso2.carbon.core.internal.permission.update.PermissionUpdater} - Error when updating the permission cache for tenant : -1 {org.wso2.carbon.core.internal.permission.update.PermissionUpdater}
org.wso2.carbon.user.core.UserStoreException: Realm service is not available. Make sure that the required version of the User Manager component is properly installed.
at org.wso2.carbon.registry.core.jdbc.realm.RegistryRealm.getRealm(RegistryRealm.java:149)
at org.wso2.carbon.core.internal.permission.update.PermissionUpdater.getAuthzManager(PermissionUpdater.java:90)
at org.wso2.carbon.core.internal.permission.update.PermissionUpdater.update(PermissionUpdater.java:60)
at org.wso2.carbon.core.util.PermissionUpdateUtil.updatePermissionTree(PermissionUpdateUtil.java:46)
at org.wso2.carbon.apimgt.impl.utils.APIUtil.updatePermissionCache(APIUtil.java:4554)
at org.wso2.carbon.apimgt.hostobjects.APIProviderHostObject.jsFunction_updatePermissionCache(APIProviderHostObject.java:284)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)
at org.jaggeryjs.rhino.publisher.modules.api.c1._c_anonymous_7(/publisher/modules/api/check-permissions.jag:169)
at org.jaggeryjs.rhino.publisher.modules.api.c1.call(/publisher/modules/api/check-permissions.jag)
at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430)
at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269)
at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:97)
at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
at org.jaggeryjs.rhino.publisher.modules.api.c0._c_anonymous_25(/publisher/modules/api/module.jag:83)
at org.jaggeryjs.rhino.publisher.modules.api.c0.call(/publisher/modules/api/module.jag)
at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)
at org.jaggeryjs.rhino.publisher.jagg.c1._c_anonymous_1(/publisher/jagg/jaggery_acs.jag:59)
at org.jaggeryjs.rhino.publisher.jagg.c1.call(/publisher/jagg/jaggery_acs.jag)
at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
at org.jaggeryjs.rhino.publisher.jagg.c1._c_script_0(/publisher/jagg/jaggery_acs.jag:5)
at org.jaggeryjs.rhino.publisher.jagg.c1.call(/publisher/jagg/jaggery_acs.jag)
at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
at org.jaggeryjs.rhino.publisher.jagg.c1.call(/publisher/jagg/jaggery_acs.jag)
at org.jaggeryjs.rhino.publisher.jagg.c1.exec(/publisher/jagg/jaggery_acs.jag)
at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
at org.jaggeryjs.jaggery.core.manager.WebAppManager.exec(WebAppManager.java:587)
at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:507)
at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:378)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
==> wso2-apigw-errors.log <==
2016-05-03 01:34:43,374 [-] [http-nio-9443-exec-28] ERROR PermissionUpdater Error when updating the permission cache for tenant : -1
org.wso2.carbon.user.core.UserStoreException: Realm service is not available. Make sure that the required version of the User Manager component is properly installed.
at org.wso2.carbon.registry.core.jdbc.realm.RegistryRealm.getRealm(RegistryRealm.java:149)
at org.wso2.carbon.core.internal.permission.update.PermissionUpdater.getAuthzManager(PermissionUpdater.java:90)
at org.wso2.carbon.core.internal.permission.update.PermissionUpdater.update(PermissionUpdater.java:60)
at org.wso2.carbon.core.util.PermissionUpdateUtil.updatePermissionTree(PermissionUpdateUtil.java:46)
at org.wso2.carbon.apimgt.impl.utils.APIUtil.updatePermissionCache(APIUtil.java:4554)
at org.wso2.carbon.apimgt.hostobjects.APIProviderHostObject.jsFunction_updatePermissionCache(APIProviderHostObject.java:284)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)
at org.jaggeryjs.rhino.publisher.modules.api.c1._c_anonymous_7(/publisher/modules/api/check-permissions.jag:169)
at org.jaggeryjs.rhino.publisher.modules.api.c1.call(/publisher/modules/api/check-permissions.jag)
at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430)
at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269)
at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:97)
at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
at org.jaggeryjs.rhino.publisher.modules.api.c0._c_anonymous_25(/publisher/modules/api/module.jag:83)
at org.jaggeryjs.rhino.publisher.modules.api.c0.call(/publisher/modules/api/module.jag)
at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)
at org.jaggeryjs.rhino.publisher.jagg.c1._c_anonymous_1(/publisher/jagg/jaggery_acs.jag:59)
at org.jaggeryjs.rhino.publisher.jagg.c1.call(/publisher/jagg/jaggery_acs.jag)
at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
at org.jaggeryjs.rhino.publisher.jagg.c1._c_script_0(/publisher/jagg/jaggery_acs.jag:5)
at org.jaggeryjs.rhino.publisher.jagg.c1.call(/publisher/jagg/jaggery_acs.jag)
at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
at org.jaggeryjs.rhino.publisher.jagg.c1.call(/publisher/jagg/jaggery_acs.jag)
at org.jaggeryjs.rhino.publisher.jagg.c1.exec(/publisher/jagg/jaggery_acs.jag)
at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
at org.jaggeryjs.jaggery.core.manager.WebAppManager.exec(WebAppManager.java:587)
at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:507)
at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:378)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Identity.xml
<JDBCPersistenceManager>
<DataSource>
<!-- Include a data source name (jndiConfigName) from the set of data
sources defined in master-datasources.xml -->
<Name>jdbc/WSO2CarbonDB</Name>
</DataSource>
<!-- If the identity database is created from another place and if it is
required to skip schema initialization during the server start up, set the
following property to "true". -->
<!-- <SkipDBSchemaCreation>false</SkipDBSchemaCreation> -->
<!--SessionDataPersist>
<Enable>true</Enable>
<Temporary>false</Temporary>
<SessionDataCleanUp>
<Enable>true</Enable>
<CleanUpTimeout>20160</CleanUpTimeout>
<CleanUpPeriod>1140</CleanUpPeriod>
</SessionDataCleanUp>
<OperationDataCleanUp>
<Enable>true</Enable>
<CleanUpPeriod>720</CleanUpPeriod>
</OperationDataCleanUp>
</SessionDataPersist-->
</JDBCPersistenceManager>
SAML response from Facebook
<saml2p:Response Destination="https://52.38.21.105:9443/publisher/jagg/jaggery_acs.jag"
ID="nfbjmnijblahmijdkcjolekcjnodibpjicoebece"
InResponseTo="ahnmgghndidhnoefdghpcdjiipifggdddnhiblej"
IssueInstant="2016-05-03T12:18:05.854Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>localhost</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#nfbjmnijblahmijdkcjolekcjnodibpjicoebece">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>ggxLiK1EmD+McPcZeg1N83Fv9gg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>CP2lIDldQ982Ipdr2L+lbX/heU170cY6mhmhxGNbPs80gn0dxLq/GjFSXiF8jPHjGgPVgnRR0YcpTtCLK9R0ApSyND+P4PgR7/diylqWJMx7t+U5317WYQF3eHabH2NgFvnSzKthjv1Pj3hjyBsobX3Y9gV76mH1yt5n5XZFaY0=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="eadlilbmecplfedkihojbidmefiekgpihihgngbd"
IssueInstant="2016-05-03T12:18:05.854Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#eadlilbmecplfedkihojbidmefiekgpihihgngbd">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>ooEBywjtlX+KP3skLWU+Ug66gjQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>G5KWqTchrtk4XSsAhDfhocIAguNVJdT25btnD4/OtFMBJ0jYYL/MnQO14eAdniPQ163ijPmgbh6GZWhI8FzpkXi73zPxVkiOLCO9LP7VJK4fjwEH+hrs5ukjKRfu1t5/aE08HwGjZXOJg6sKs00oXrWdm+a5UluyMndbuappbT8=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate><!-- certificate value omitted --></ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">sbyangtw#yahoo.com.tw</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="ahnmgghndidhnoefdghpcdjiipifggdddnhiblej"
NotOnOrAfter="2016-05-03T12:23:05.854Z"
Recipient="https://52.38.21.105:9443/publisher/jagg/jaggery_acs.jag"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2016-05-03T12:18:05.854Z"
NotOnOrAfter="2016-05-03T12:23:05.854Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>API_PUBLISHER_ISSUER</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2016-05-03T12:18:05.858Z"
SessionIndex="f6348dd6-0c44-48c9-8d23-becbb07f61de"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="http://wso2.org/claims/emailaddress"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>sbyangtw#yahoo.com.tw</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
I guess the error is related to the tenant id, and I found that the Identity Server log shows "AuthenticatedUserTenantDomain" : "null", but I don't know how to fix it.
Thanks
Tom
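As an added example (not code from the question, from WSO2 or from the linked documentation), here are the bearer-assertion checks a service provider applies to a response like the one above before it trusts the NameID: Destination and Recipient against its own ACS URL, InResponseTo against the AuthnRequest it issued, the NotBefore/NotOnOrAfter window, the Issuer and the Audience. The expected values (ACS URL, audience, issuer, request ID) are taken from the response in the question, and the embedded sample is that response with both signatures and the attribute statement removed. XML-signature verification, which a real ACS must do with a library such as Apache Santuario or OpenSAML, is deliberately left out; the DOM parser is configured with DTDs and external entities disabled because a SAML response is untrusted input. Note also what this does not explain: the IS audit log above records the login as Success, and the APIM trace fails later inside check-permissions.jag, so the 401 is an authorization failure that happens after the assertion has already been accepted.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Bearer-assertion checks an SP must apply to a SAML 2.0 Response before trusting the NameID. */
public class SamlResponseCheck {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";

    // What this SP (the APIM publisher ACS in the question) expects; values assumed for the example.
    static final String ACS_URL = "https://52.38.21.105:9443/publisher/jagg/jaggery_acs.jag";
    static final String AUDIENCE = "API_PUBLISHER_ISSUER";
    static final String IDP_ISSUER = "localhost";
    static final String REQUEST_ID = "ahnmgghndidhnoefdghpcdjiipifggdddnhiblej"; // ID of the AuthnRequest we sent

    // Constructed sample: the response from the question with both ds:Signature blocks and the
    // AttributeStatement removed. XML signature verification is NOT performed by this example.
    static final String RESPONSE =
        "<saml2p:Response xmlns:saml2p=\"" + SAMLP + "\" xmlns:saml2=\"" + SAML + "\""
        + " Destination=\"https://52.38.21.105:9443/publisher/jagg/jaggery_acs.jag\""
        + " ID=\"nfbjmnijblahmijdkcjolekcjnodibpjicoebece\" InResponseTo=\"ahnmgghndidhnoefdghpcdjiipifggdddnhiblej\""
        + " IssueInstant=\"2016-05-03T12:18:05.854Z\" Version=\"2.0\">"
        + "<saml2:Issuer>localhost</saml2:Issuer>"
        + "<saml2p:Status><saml2p:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></saml2p:Status>"
        + "<saml2:Assertion ID=\"eadlilbmecplfedkihojbidmefiekgpihihgngbd\" IssueInstant=\"2016-05-03T12:18:05.854Z\" Version=\"2.0\">"
        + "<saml2:Issuer>localhost</saml2:Issuer><saml2:Subject>"
        + "<saml2:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">sbyangtw#yahoo.com.tw</saml2:NameID>"
        + "<saml2:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">"
        + "<saml2:SubjectConfirmationData InResponseTo=\"ahnmgghndidhnoefdghpcdjiipifggdddnhiblej\""
        + " NotOnOrAfter=\"2016-05-03T12:23:05.854Z\" Recipient=\"https://52.38.21.105:9443/publisher/jagg/jaggery_acs.jag\"/>"
        + "</saml2:SubjectConfirmation></saml2:Subject>"
        + "<saml2:Conditions NotBefore=\"2016-05-03T12:18:05.854Z\" NotOnOrAfter=\"2016-05-03T12:23:05.854Z\">"
        + "<saml2:AudienceRestriction><saml2:Audience>API_PUBLISHER_ISSUER</saml2:Audience></saml2:AudienceRestriction>"
        + "</saml2:Conditions></saml2:Assertion></saml2p:Response>";

    /** Hardened DOM parse: the response is untrusted XML, so DTDs, external entities and XInclude stay off. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static Element first(Element scope, String ns, String name) {
        NodeList nl = scope.getElementsByTagNameNS(ns, name);
        return nl.getLength() == 0 ? null : (Element) nl.item(0);
    }

    /** Returns the checks that failed at {@code now}; an empty list means the assertion is acceptable. */
    public static List<String> check(String xml, Instant now) throws Exception {
        List<String> bad = new ArrayList<>();
        Element resp = parse(xml).getDocumentElement();
        if (!ACS_URL.equals(resp.getAttribute("Destination"))) bad.add("Destination is not our ACS");
        if (!REQUEST_ID.equals(resp.getAttribute("InResponseTo"))) bad.add("InResponseTo is not our AuthnRequest");
        Element code = first(resp, SAMLP, "StatusCode");
        if (code == null || !SUCCESS.equals(code.getAttribute("Value"))) bad.add("status is not Success");
        NodeList assertions = resp.getElementsByTagNameNS(SAML, "Assertion");
        if (assertions.getLength() != 1) { bad.add("expected exactly one Assertion"); return bad; }
        Element a = (Element) assertions.item(0);
        Element issuer = first(a, SAML, "Issuer");
        if (issuer == null || !IDP_ISSUER.equals(issuer.getTextContent().trim())) bad.add("unexpected Issuer");
        Element scd = first(a, SAML, "SubjectConfirmationData");
        if (scd == null) {
            bad.add("no SubjectConfirmationData");
        } else {
            if (!ACS_URL.equals(scd.getAttribute("Recipient"))) bad.add("Recipient is not our ACS");
            if (!REQUEST_ID.equals(scd.getAttribute("InResponseTo"))) bad.add("bearer InResponseTo mismatch");
            if (!now.isBefore(Instant.parse(scd.getAttribute("NotOnOrAfter")))) bad.add("bearer confirmation expired");
        }
        Element cond = first(a, SAML, "Conditions");
        if (cond == null || now.isBefore(Instant.parse(cond.getAttribute("NotBefore")))
                || !now.isBefore(Instant.parse(cond.getAttribute("NotOnOrAfter")))) {
            bad.add("outside the Conditions validity window");
        }
        boolean audienceOk = false;
        NodeList auds = a.getElementsByTagNameNS(SAML, "Audience");
        for (int i = 0; i < auds.getLength(); i++) {
            audienceOk |= AUDIENCE.equals(auds.item(i).getTextContent().trim());
        }
        if (!audienceOk) bad.add("our entity id is not in the AudienceRestriction");
        return bad;
    }

    public static void main(String[] args) throws Exception {
        Element nameId = first(parse(RESPONSE).getDocumentElement(), SAML, "NameID");
        System.out.println("NameID: " + nameId.getTextContent());
        // The same response checked inside and then after its five-minute validity window.
        System.out.println("12:20Z -> " + check(RESPONSE, Instant.parse("2016-05-03T12:20:00Z")));
        System.out.println("12:30Z -> " + check(RESPONSE, Instant.parse("2016-05-03T12:30:00Z")));
    }
}
```

Compile and run it with a plain JDK (no third-party jars are needed). Every rejection reason is collected rather than returning on the first failure, which is what you want in ACS debug logging: when a login is refused you see all mismatched fields at once, while the user still only gets a generic error.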
This would work once you enable email username in your IS and APIM as mentioned here.
It seems the reason for the issue is that the identity.xml of your Identity Server is pointing to a different database than the AM_DB defined in the master-datasources.xml of your API Manager. So your API-M is pointing to one set of tables and IS is pointing to another.
To fix this, you need to add the AM_DB as a data source in the master-datasources.xml of your Identity Server and, in your identity.xml, set AM_DB as the data source.
Refer to Configuring Identity Server here for more details on how to do this.
I was able to reproduce the error "Error 401 : Authorization Required. The server couldn't verify that you are authorized to access the requested resource." by following the instructions provided in the documents. I have raised the ticket [1] to address / get feedback regarding this issue.
[1] https://wso2.org/jira/browse/IDENTITY-4566
Regards,
Pubudu.
I need to create a proxy in WSO2 ESB (4.9.0) to expose a secured backend web service as an unsecured web service, just like this image:
Exposing WS-Security secured backend WS as a plain WS
I want to use "Sign & Encrypt with X.509 authentication" WS-Security Policy.
This is my proxy "source view":
<proxy xmlns="http://ws.apache.org/ns/synapse"
name="OutgoingSecurityProxy"
transports="http,https"
statistics="enable"
trace="enable"
startOnLoad="true">
<target>
<inSequence>
<send>
<endpoint>
<address uri="http://mylocalIP:80/mock_serverTest">
<enableAddressing/>
<enableSec policy="SecurityPolicyOut"/>
</address>
</endpoint>
</send>
</inSequence>
<outSequence>
<header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
name="wsse:Security"
action="remove"/>
<send/>
</outSequence>
</target>
<publishWSDL uri="http://mylocalIP:80/mock_serverTest?WSDL"/>
<description/>
</proxy>
and this is the security policy used, loaded as a "Local Entry" (it is the default policy for a sign & encrypt / X.509 auth scenario; I only changed the keystore information).
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigEncr">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
<sp:RequireSignatureConfirmation/>
</wsp:Policy>
</sp:Wss11>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:EncryptedParts>
</wsp:All>
</wsp:ExactlyOne>
<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
<rampart:user>service</rampart:user>
<rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
<rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
<rampart:timestampTTL>300</rampart:timestampTTL>
<rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
<rampart:timestampStrict>false</rampart:timestampStrict>
<rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
<rampart:nonceLifeTime>300</rampart:nonceLifeTime>
<rampart:encryptionCrypto>
<rampart:crypto cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
<rampart:property name="org.wso2.carbon.security.crypto.alias">client</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.privatestore">mykeystore.jks</rampart:property>
<rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.truststores">mykeystore.jks</rampart:property>
<rampart:property name="rampart.config.user">service</rampart:property>
</rampart:crypto>
</rampart:encryptionCrypto>
<rampart:signatureCrypto>
<rampart:crypto cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
<rampart:property name="org.wso2.carbon.security.crypto.alias">service</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.privatestore">mykeystore.jks</rampart:property>
<rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.truststores">mykeystore.jks</rampart:property>
<rampart:property name="rampart.config.user">service</rampart:property>
</rampart:crypto>
</rampart:signatureCrypto>
</rampart:RampartConfig>
</wsp:Policy>
The backend "secured" WS (http://mylocalIP:80/mock_serverTest) is a WS-Security enabled "mock" service of a plain WS created with SoapUI, running on my desktop machine.
When I try to invoke the ESB service with SoapUI I get the error "org.apache.axis2.AxisFault: Password CallbackHandler not specified in rampart configuration policy or the CallbackHandler instance not available in the MessageContext":
16:17:45,465 [-] [PassThroughMessageProcessor-1] WARN TRACE_LOGGER Executing fault handler due to exception encountered
16:17:45,466 [-] [PassThroughMessageProcessor-1] WARN TRACE_LOGGER ERROR_CODE : 0
16:17:45,466 [-] [PassThroughMessageProcessor-1] WARN TRACE_LOGGER ERROR_MESSAGE : Unexpected error during sending message out
16:17:45,471 [-] [PassThroughMessageProcessor-1] WARN TRACE_LOGGER ERROR_DETAIL : org.apache.synapse.SynapseException: Unexpected error during sending message out
at org.apache.synapse.core.axis2.Axis2Sender.handleException(Axis2Sender.java:247)
at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:91)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:461)
at org.apache.synapse.endpoints.AbstractEndpoint.send(AbstractEndpoint.java:372)
at org.apache.synapse.endpoints.AddressEndpoint.send(AddressEndpoint.java:65)
at org.apache.synapse.mediators.builtin.SendMediator.mediate(SendMediator.java:105)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:81)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:48)
at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:149)
at org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:185)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:395)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:142)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.axis2.AxisFault: Password CallbackHandler not specified in rampart configuration policy or the CallbackHandler instance not available in the MessageContext
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:426)
at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.send(DynamicAxisOperation.java:185)
at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.executeImpl(DynamicAxisOperation.java:167)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:542)
at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:79)
... 15 more
Caused by: org.apache.rampart.RampartException: Password CallbackHandler not specified in rampart configuration policy or the CallbackHandler instance not available in the MessageContext
at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:312)
at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:265)
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:761)
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:457)
at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:97)
at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
... 24 more
Any clues?
Thanks in advance!
The link above (sample 100 of WSO2 ESB) doesn't implement a password callback handler. You need to create the required password callback handler for your sign and encrypt policy. Here is information on how to create a PWCB: http://pathberiya.blogspot.co.uk/2010/02/how-to-create-password-callback-class.html
Regards.
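What such a handler looks like, as an added example that is neither the ESB's own code nor the one from the linked blog post: the policy in the question carries a `<rampart:RampartConfig>` but no `<rampart:passwordCallbackClass>`, so when Rampart reaches `BindingBuilder.getSignatureBuilder` (the frame in the trace above) it has nowhere to get the private-key password for the signature alias `service`, and that is the exception shown. The class name, and the convention of reading key passwords from `KEYPASS_<ALIAS>` environment variables, are assumptions made for the example; the `WSPasswordCallback` API is the WSS4J 1.x one used by the Rampart bundled with ESB 4.9.0.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Password callback handler for Rampart (WSS4J 1.x API as bundled with WSO2 ESB 4.9.0).
 * Rampart invokes it when it needs the private-key password of the signing alias
 * ("service" in the policy above) and, on the response path, of the decryption alias.
 */
public class SignEncryptPasswordCallback implements CallbackHandler {

    // Assumption made for this example: key passwords live in environment variables named
    // KEYPASS_<ALIAS>, so no secret is hard-coded in the class or in the policy XML.
    static String keyPasswordFor(String alias) {
        if (alias == null) {
            return null;
        }
        return System.getenv("KEYPASS_" + alias.toUpperCase().replace('-', '_'));
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is handled");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.SIGNATURE: // private key of the signature alias
                case WSPasswordCallback.DECRYPT: { // private key of the encryption alias
                    String password = keyPasswordFor(pwcb.getIdentifier());
                    if (password == null) {
                        // Fail closed: Rampart must not be left to send an unsigned message.
                        throw new IOException("no key password configured for alias " + pwcb.getIdentifier());
                    }
                    pwcb.setPassword(password);
                    break;
                }
                default:
                    // A sign-and-encrypt X.509 policy never needs UsernameToken secrets; refuse the rest.
                    throw new UnsupportedCallbackException(cb, "unexpected usage " + pwcb.getUsage());
            }
        }
    }
}
```

Compile it against the rampart and wss4j jars shipped with the ESB, package it as a jar in the server's external-library directory (typically `repository/components/lib`), restart, and reference it from the policy by adding `<rampart:passwordCallbackClass>SignEncryptPasswordCallback</rampart:passwordCallbackClass>` inside `<rampart:RampartConfig>`. The alias Rampart passes as the identifier is the one from `org.wso2.carbon.security.crypto.alias` in the matching crypto block, so the environment variable names must be derived from those aliases (`service` and `client` in the policy above).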