Getting tenant id/domain from mediators in WSO2 Api Manager / Gateway - wso2

This question is based on this other one.
After installing IS and APIM with the process described here, and trying the answers for the other question, the header is not added to the request.
The debug log output says that the properties are set, but after the authentication is complete (also a misleading log message), and with the supertenant domain.
The API I'm exposing is a simple Flask app that prints out the headers, and the calls are all done using the tokens provided by the API Store. If I hardcode the header value, it is added correctly.
[2015-09-09 14:48:01,229] DEBUG - RealmCache created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2015-09-09 14:48:03,257] DEBUG - RealmCache created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2015-09-09 14:48:04,872] DEBUG - PrivilegedCarbonContext Resolving tenant id from tenant domain
[2015-09-09 14:48:04,873] DEBUG - PrivilegedCarbonContext Resolving tenant id from tenant domain
[2015-09-09 14:48:04,873] DEBUG - OAuthAuthenticator Received Token 9d2224bd96a4b6245bcb272415515a2
[2015-09-09 14:48:04,873] DEBUG - OAuthAuthenticator Default Version API invoked
[2015-09-09 14:48:04,873] DEBUG - OAuthAuthenticator Removing Authorization header from headers
[2015-09-09 14:48:04,874] DEBUG - OAuthAuthenticator Full Request Path = /callback
[2015-09-09 14:48:04,874] DEBUG - APIKeyValidator Found resource in Cache for key: /t/test.com/test/v1/v1/callback:GET
[2015-09-09 14:48:04,874] DEBUG - OAuthAuthenticator Matching resource is: /callback
[2015-09-09 14:48:04,874] DEBUG - OAuthAuthenticator User is authorized to access the Resource
[2015-09-09 14:48:04,874] DEBUG - APIAuthenticationHandler Authenticated API, authentication response relieved: API call failed reason=API_authentication_failure transactionId=urn:uuid:bbad9a1d-be19-47a7-8676-6e85f7463113 with userAgent=curl/7.43.0 with accessToken=Bearer 9d2224bd96a4b6245bcb272415515a2 for requestURI=/t/test.com/test/v1/ callback at time=Wed Sep 09 14:48:04 UTC 2015 from clientIP=192.168.99.1, elapsedTimeInMilliseconds=0
[2015-09-09 14:48:04,874] DEBUG - APIThrottleHandler The IP Address of the caller is :192.168.99.1
[2015-09-09 14:48:04,874] INFO - LogMediator To: local://axis2services/test/v1/callback, MessageID: urn:uuid:bbad9a1d-be19-47a7-8676-6e85f7463113, Direction: request
[2015-09-09 14:48:04,875] DEBUG - WSO2Registry ==> Repository fetch of resource with key : tenant
[2015-09-09 14:48:04,875] DEBUG - RealmCache created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2015-09-09 14:48:04,877] DEBUG - RealmCache created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2015-09-09 14:48:04,878] DEBUG - RealmCache created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2015-09-09 14:48:04,880] DEBUG - RealmCache created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2015-09-09 14:48:04,881] DEBUG - RealmCache created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2015-09-09 14:48:04,883] DEBUG - RealmCache created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2015-09-09 14:48:04,886] DEBUG - WSO2Registry ==> Repository fetch of resource with key : tenant
[2015-09-09 14:48:04,887] DEBUG - RealmCache created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2015-09-09 14:48:04,888] DEBUG - RealmCache created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2015-09-09 14:48:04,888] DEBUG - RealmCache created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2015-09-09 14:48:04,892] DEBUG - RealmCache created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2015-09-09 14:48:04,893] DEBUG - RealmCache created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2015-09-09 14:48:04,894] DEBUG - RealmCache created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2015-09-09 14:48:04,921] INFO - CarbonTenantInfoConfigurator >>>>>>>>>>>>>Applying Tenant Info...
[2015-09-09 14:48:04,921] INFO - CarbonTenantInfoConfigurator tenant domain: carbon.super
[2015-09-09 14:48:04,922] INFO - CarbonTenantInfoConfigurator tenant id: -1234
[2015-09-09 14:48:04,922] INFO - CarbonTenantInfoConfigurator <<<<<<<<<<<<<<<
[2015-09-09 14:48:05,283] DEBUG - RealmCache created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
Checking the sources, it appears that at the point where mediators are called only a token verification is performed. So, is there a way to get the actual tenant of the API caller from a mediator in the API gateway?

If you have a class mediator then all of that will execute after the handlers (authentication, throttling and usage metering are performed through handlers). If you run the following code block within the mediator you will see the user id of the actual API user (user information derived from the access token sent with the API call). If you are sending requests with an access token generated from the API console then you will see the application owner's name as the API user. Otherwise it will show the actual end user.
synCtx.getProperty(APIMgtGatewayConstants.USER_ID);
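As an added example (not code from the question, the answer, or the WSO2 project), here is a class mediator that reads the USER_ID property the authentication handler sets after token validation, derives the caller's tenant domain from it, and forwards it as a transport header. The package, the mediator name, the header name and the "caller.tenant.domain" property are assumptions for this example.

```java
package com.example.mediators; // hypothetical package, not part of the page

import java.util.HashMap;
import java.util.Map;

import org.apache.synapse.MessageContext;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.apache.synapse.mediators.AbstractMediator;
import org.wso2.carbon.apimgt.gateway.APIMgtGatewayConstants;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/**
 * Class mediator that exposes the authenticated caller's tenant to the backend.
 * It must be placed in the API in-sequence so that it runs after the gateway
 * handlers (authentication, throttling) have already populated the context.
 */
public class TenantHeaderMediator extends AbstractMediator {

    // Header name is an assumption for this example; make it a mediator property
    // so it can be changed from the Synapse configuration.
    private String headerName = "X-Caller-Tenant";

    public String getHeaderName() {
        return headerName;
    }

    public void setHeaderName(String headerName) {
        this.headerName = headerName;
    }

    @Override
    @SuppressWarnings("unchecked")
    public boolean mediate(MessageContext synCtx) {
        // Set by the API authentication handler from the validated access token:
        // the end user, or the application owner for tokens minted in the API console.
        Object userId = synCtx.getProperty(APIMgtGatewayConstants.USER_ID);
        if (userId == null) {
            // Either authentication has not run yet or it failed. Do not fall back
            // to the URL path (/t/<domain>/...) because the client controls that.
            log.warn("No authenticated user in message context; tenant header not set");
            return true;
        }
        String fullUser = userId.toString();

        // "user@tenant.com" -> "tenant.com"; a name without '@' maps to carbon.super.
        // If email-as-username is enabled, the tenant is the part after the last '@'.
        String tenantDomain = MultitenantUtils.getTenantDomain(fullUser);
        String tenantAwareUser = MultitenantUtils.getTenantAwareUsername(fullUser);

        org.apache.axis2.context.MessageContext axis2Ctx =
                ((Axis2MessageContext) synCtx).getAxis2MessageContext();
        Map<String, String> headers = (Map<String, String>) axis2Ctx.getProperty(
                org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS);
        if (headers == null) {
            headers = new HashMap<String, String>();
            axis2Ctx.setProperty(
                    org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS, headers);
        }

        // Overwrite rather than append: a value the client sent in the same header
        // must never reach the backend, otherwise the backend could be fooled
        // into trusting a tenant the token was not issued for.
        headers.put(headerName, tenantDomain);

        // Also keep the values in the Synapse context for later mediators
        // (property names are assumptions for this example).
        synCtx.setProperty("caller.tenant.domain", tenantDomain);
        synCtx.setProperty("caller.tenant.aware.user", tenantAwareUser);

        if (log.isDebugEnabled()) {
            log.debug("Forwarding tenant " + tenantDomain + " for user " + tenantAwareUser);
        }
        return true;
    }
}
```

Wire it into the in-sequence with `<class name="com.example.mediators.TenantHeaderMediator"><property name="headerName" value="X-Caller-Tenant"/></class>`, after the handlers have run.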

Related

Tenants created in API Manager are not able to log in to the carbon console of the Identity Server

I am using APIM 3.1.0 with IS-KM 5.10.0 as the key manager for the APIM. I created the tenants via the APIM carbon console. To create the XACML policies for the newly created tenants I am trying to log in to the carbon console of the IS using the credentials of a newly created tenant, but I am getting a login failed error. At the same time, I can log in to the carbon console of the APIM using the credentials of the newly created tenant. Why are tenants newly created via the APIM carbon console not able to log in to the carbon console of the IS? Are there any configurations I am missing?
At the same time, if I create the new tenant via the carbon console of the IS, tenants can log in to the carbon console of the IS but not to the carbon console of APIM. Is such a restriction a design intent? Ultimately I need the tenants to be created, and the tenants need to be able to create APIs, subscribe, and create XACML policies.
I am getting the below error in the IS logs when a tenant created via APIM tries to log in to the IS carbon console:
[2020-06-23 16:53:46,796] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.tenant.TenantIdCache} - TENANT_ID_CACHE which is under TENANT_ID_CACHE_MANAGER, found the entry : org.wso2.carbon.user.core.tenant.TenantIdEntry#4da389f0 for the key : org.wso2.carbon.user.core.tenant.TenantDomainKey#d03947ad successfully
[2020-06-23 16:53:46,888] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.common.RealmCache} - created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2020-06-23 16:53:46,889] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.common.RealmCache} - created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2020-06-23 16:53:46,889] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.common.RealmCache} - created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2020-06-23 16:53:46,889] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.common.RealmCache} - created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2020-06-23 16:53:46,890] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.tenant.TenantIdCache} - TENANT_ID_CACHE which is under TENANT_ID_CACHE_MANAGER, found the entry : org.wso2.carbon.user.core.tenant.TenantIdEntry#4da389f0 for the key : org.wso2.carbon.user.core.tenant.TenantDomainKey#d03947ad successfully
[2020-06-23 16:53:46,890] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.tenant.TenantCache} - TENANT_CACHE which is under TENANT_CACHE_MANAGER, found the entry : org.wso2.carbon.user.core.tenant.TenantCacheEntry#3080dc47 for the key : org.wso2.carbon.user.core.tenant.TenantIdKey#9 successfully
[2020-06-23 16:53:46,890] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.common.RealmCache} - created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2020-06-23 16:53:46,890] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.common.RealmCache} - created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2020-06-23 16:53:46,890] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.tenant.TenantDomainCache} - TENANT_DOMAIN_CACHE which is under TENANT_DOMAIN_CACHE_MANAGER, found the entry : org.wso2.carbon.user.core.tenant.TenantDomainEntry#38942044 for the key : org.wso2.carbon.user.core.tenant.TenantIdKey#9 successfully
[2020-06-23 16:53:46,891] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.tenant.TenantManager} - Tenant domain from cache: {api.com}
[2020-06-23 16:53:46,891] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.common.UserIdResolverCache} - Cache: user_id_from_user_name_cache which is under USER_ID_RESOLVER_CACHE_MANAGER, found the entry: 6160fac5-11d5-4061-a677-f8eb416ecf52 for the key: vinayak successfully.
[2020-06-23 16:53:46,891] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.tenant.TenantDomainCache} - TENANT_DOMAIN_CACHE which is under TENANT_DOMAIN_CACHE_MANAGER, found the entry : org.wso2.carbon.user.core.tenant.TenantDomainEntry#38942044 for the key : org.wso2.carbon.user.core.tenant.TenantIdKey#9 successfully
[2020-06-23 16:53:46,891] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.tenant.TenantManager} - Tenant domain from cache: {api.com}
[2020-06-23 16:53:46,891] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.tenant.TenantDomainCache} - TENANT_DOMAIN_CACHE which is under TENANT_DOMAIN_CACHE_MANAGER, found the entry : org.wso2.carbon.user.core.tenant.TenantDomainEntry#38942044 for the key : org.wso2.carbon.user.core.tenant.TenantIdKey#9 successfully
[2020-06-23 16:53:46,891] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.tenant.TenantManager} - Tenant domain from cache: {api.com}
[2020-06-23 16:53:46,892] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.tenant.TenantIdCache} - TENANT_ID_CACHE which is under TENANT_ID_CACHE_MANAGER, found the entry : org.wso2.carbon.user.core.tenant.TenantIdEntry#4da389f0 for the key : org.wso2.carbon.user.core.tenant.TenantDomainKey#d03947ad successfully
[2020-06-23 16:53:46,892] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.tenant.TenantIdCache} - TENANT_ID_CACHE which is under TENANT_ID_CACHE_MANAGER, found the entry : org.wso2.carbon.user.core.tenant.TenantIdEntry#4da389f0 for the key : org.wso2.carbon.user.core.tenant.TenantDomainKey#d03947ad successfully
[2020-06-23 16:53:46,892] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.tenant.TenantDomainCache} - TENANT_DOMAIN_CACHE which is under TENANT_DOMAIN_CACHE_MANAGER, found the entry : org.wso2.carbon.user.core.tenant.TenantDomainEntry#38942044 for the key : org.wso2.carbon.user.core.tenant.TenantIdKey#9 successfully
[2020-06-23 16:53:46,892] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.tenant.TenantManager} - Tenant domain from cache: {api.com}
[2020-06-23 16:53:46,893] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.tenant.TenantIdCache} - TENANT_ID_CACHE which is under TENANT_ID_CACHE_MANAGER, found the entry : org.wso2.carbon.user.core.tenant.TenantIdEntry#4da389f0 for the key : org.wso2.carbon.user.core.tenant.TenantDomainKey#d03947ad successfully
[2020-06-23 16:53:46,893] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.common.RealmCache} - created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2020-06-23 16:53:46,893] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.common.RealmCache} - created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2020-06-23 16:53:46,893] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.common.RealmCache} - created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2020-06-23 16:53:46,893] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.common.RealmCache} - created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2020-06-23 16:53:46,894] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] DEBUG {org.wso2.carbon.user.core.common.RealmCache} - created authorization cache : org.wso2.carbon.caching.impl.CacheImpl#922bea56
[2020-06-23 16:53:46,897] [ee58cfbc-ccc7-497d-b51e-0f3eb941fa8a] ERROR {org.wso2.carbon.core.services.authentication.AuthenticationAdmin} - System error while Authenticating/Authorizing User : Error when handling event : PRE_AUTHENTICATION
I have the following datasources configured in the APIM. Why are there two registry databases? (One is wso2_shareddb, the other is wso2_carbondb.)
If this is a multi-tenant setup, you need to share the registry database (shared_db) between the API Manager and Key Manager components. Please check whether they are shared.

customTokenIssuer Extension point on WSO2IS 5.7.0 not working as expected

I have deployed the extension bundle in the component/lib folder. WSO2IS still uses JWTTokenIssuer to generate the token. I don't see any error from the extension bundle.
I have overridden OauthTokenIssuerImpl, let's say as customTokenIssuer, to obtain custom created tokens. But when I debug the log, it is instantiating both customTokenIssuer and JWTTokenIssuer, and the framework does not use customTokenIssuer to generate the token.
I have updated identity.xml with the customTokenIssuer class.
Is it something I am missing in the POM, or some entries missing in any of the XML?
[2019-05-23 10:53:59,900] INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - An instance of abc.xxx.xxx.xx.customTokenIssuer is created for Identity OAuth token generation.
..........
[2019-05-23 10:54:00,084] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthTokenReqMessageContext to threadlocal
[2019-05-23 10:54:00,086] DEBUG {org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer} - JWT Access token builder is initiated
[2019-05-23 10:54:00,086] INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - An instance of org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer is created for Identity OAuth token generation.
...................
[2019-05-23 10:54:00,092] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - OAuth application id: XXxXXXXXXXXXXXXX, user access token validity time 3600000ms
[2019-05-23 10:54:00,092] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - OAuth application id : XXxXXXXXXXXXXXXX, access token validity time in milliseconds : 3600000
[2019-05-23 10:54:00,096] DEBUG {org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer} - Access token request with token request message context. Authorized user XXxXX#carbon.super
[2019-05-23 10:54:00,096] DEBUG {org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer} - User Access Token Life time set to : 3600000ms.
[2019-05-23 10:54:00,097] DEBUG {org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer} - JWT Self Signed Access Token Life time set to : 3600000ms.
[2019-05-23 10:54:00,098] DEBUG {org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer} - Scope exist for the jwt access token with subject XXxXX#carbon.super and the scope is openid
[2019-05-23 10:54:00,154] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Existing access token has expired, but refresh token is still valid for client: XXxXXXXXXXXXXXXX. Remaining time: 17420133ms. Using existing refresh token.
In my understanding only customTokenIssuer should be instantiated and used to generate the token.
Once the custom OAuthTokenGenerator is added to the identity.xml file, we need to configure the relevant token issuer in the inbound authentication configuration under the service provider configs.
So now we have to go to Service Provider > Inbound Authentication Configuration > OAuth/OpenID Connect Configuration > Token Issuer and select the token issuer configured.
Without adding that config in the service provider, the changes in the token issuer will not be reflected for the service provider.
I forgot to select the token issuer in the service provider. Once you deploy the custom token generator jar and update the identity.xml file, you have to select the token issuer from the service provider.

wso2 API manager publishing runtime to DAS : DAS has no data in WSO2_STATS_DB

I use an independent wso2 API Manager 1.10.0 and wso2 DAS 3.0.0 on AWS EC2 to gather statistics of my API usage, and I use PostgreSQL as the external RDBMS to store summary data.
APIM configuration on the Admin Dashboard
Event Receiver Configurations:
tcp://DAS-IP:7611
Data Analyzer Configurations:
https://DAS-IP:9443
Statistics Summary Datasource:
My-postgresql-url
APIM configuration in api-manager.xml
Disable the REST client and enable the RDBMS client
DAS configuration
Set the datasource WSO2AM_STATS_DB in master-datasources.xml
Scenario
Log in to the APIM publisher
Deploy the sample API
Go to the APIM store
Subscribe to the sample API
Go to the APIM publisher
Click Statistics > API Usage
It only shows the example statistics page.
APIM Logs
[2016-04-22 06:12:47,787] INFO - EmbeddedRegistryService Configured Registry in 0ms
[2016-04-22 06:12:48,015] INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2016-04-22 06:12:48,015+0000]
[2016-04-22 06:12:48,360] INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2016-04-22 06:12:48,359+0000]
[2016-04-22 06:12:48,605] INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2016-04-22 06:12:48,605+0000]
[2016-04-22 06:12:48,664] INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2016-04-22 06:12:48,664+0000]
[2016-04-22 06:12:48,920] INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2016-04-22 06:12:48,920+0000]
[2016-04-22 06:12:49,296] INFO - API Initializing API: admin--CalculatorAPI:v1.0
[2016-04-22 06:13:05,384] INFO - **ReceiverGroup Resending the failed published data...**
DAS Logs
[2016-04-22 04:09:00,218] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
[2016-04-22 04:09:32,439] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
[2016-04-22 04:09:47,474] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
[2016-04-22 04:33:10,239] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
[2016-04-22 04:35:28,672] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
[2016-04-22 06:05:18,848] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
[2016-04-22 06:12:53,017] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
[2016-04-22 06:13:09,173] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
DAS WSO2_STATS_DB status
From the DAS dashboard > Configure > Data Sources, I've checked that the status of all DBs is active and the tested connection is healthy.
I don't know if WSO2AM_STATS_DB doesn't support PostgreSQL or if my configuration has something wrong.
Thanks.
I raised a public JIRA for this: the APIM stat scripts folder does not have the PostgreSQL script.
APIM does not publish subscription events to the DAS. Subscription details are kept in the WSO2AM_DB database, and we use the AM_SUBSCRIBER and AM_SUBSCRIPTION tables for that purpose.
I hope you followed this documentation.

Unable to login to Dashboard for WSO2 Identity Server

I have set up a WSO2 Identity Server 5.0.0 and I was able to log in to the carbon management console with the user "admin". But when I try to log in to the dashboard, it fails.
I have been troubleshooting and reading the documentation and Stack Overflow for clues but couldn't find one, and I am not sure which part of the configuration I did wrong.
Following are the things that I set for my WSO2IS:
I changed the host name from localhost to my server IP in the following files:
repository/conf/carbon.xml
repository/conf/identity.xml
repository/conf/security/sso-idp-config.xml
repository/conf/security/saml2.federation.properties
repository/conf/security/authenticators.xml
repository/conf/tomcat/catalina-server.xml
I also followed the steps indicated in Cannot see any option in WSO2 Identity Server dashboard.
Following are the server logs produced by the server where I set up the WSO2IS:
[2015-08-10 11:47:48,530] INFO {org.wso2.carbon.core.init.CarbonServerManager} - Repository : /opt/WSO2/wso2is-5.0.0/repository/deployment/server/
[2015-08-10 11:47:49,038] INFO {org.wso2.carbon.core.internal.permission.update.PermissionUpdater} - Permission cache updated for tenant -1234
[2015-08-10 11:47:49,774] INFO {org.wso2.carbon.identity.application.mgt.ui.internal.ApplicationMgtUIServiceComponent} - Application Management UI bundle acticated!
[2015-08-10 11:47:49,944] INFO {org.wso2.carbon.identity.sso.saml.admin.FileBasedConfigManager} - A SSO Service Provider is registered for : wso2.my.dashboard
[2015-08-10 11:47:50,039] INFO {org.wso2.carbon.idp.mgt.internal.IdPManagementServiceComponent} - Identity Application Management Database initialization not attempted since 'setup' variable was not provided during startup
[2015-08-10 11:47:50,299] INFO {org.wso2.carbon.identity.core.internal.IdentityCoreServiceComponent} - Identity Database schema initialization check was skipped since 'setup' variable was not given during startup
[2015-08-10 11:47:51,868] INFO {org.wso2.carbon.core.transports.http.HttpsTransportListener} - HTTPS port : 9443
[2015-08-10 11:47:51,868] INFO {org.wso2.carbon.core.transports.http.HttpTransportListener} - HTTP port : 9763
[2015-08-10 11:47:53,001] INFO {org.wso2.carbon.core.init.JMXServerManager} - JMX Service URL : service:jmx:rmi://172.18.64.178:11111/jndi/rmi://172.18.64.178:9999/jmxrmi
[2015-08-10 11:47:53,001] INFO {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} - Server : WSO2 Identity Server-5.0.0
[2015-08-10 11:47:53,002] INFO {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} - WSO2 Carbon started in 109 sec
[2015-08-10 11:47:53,410] INFO {org.wso2.carbon.ui.internal.CarbonUIServiceComponent} - Mgt Console URL : https://172.18.64.178:9443/carbon/
[2015-08-10 11:47:54,205] INFO {org.wso2.carbon.identity.entitlement.internal.EntitlementServiceComponent} - Started thrift entitlement service at port:10500
[2015-08-10 11:48:09,003] INFO {org.wso2.carbon.identity.entitlement.internal.SchemaBuilder} - XACML policy schema loaded successfully.
[2015-08-10 11:49:08,437] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'WSO2/admin#carbon.super [-1234]' logged in at [2015-08-10 11:49:08,437+0800]
[2015-08-10 11:49:24,528] INFO {JAGGERY.login:jag} - connecting to https://172.18.64.178:9443/services
[2015-08-10 11:49:43,806] INFO {org.wso2.carbon.core.internal.permission.update.PermissionUpdater} - Permission cache updated for tenant -1234
[2015-08-10 11:49:43,847] ERROR {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} - Authentication Request is rejected. Authorization Failure.
[2015-08-10 11:49:43,848] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'admin[-1234]' at [2015-08-10 11:49:43,848+0800]
A reason for this issue can be that the user you try to log in as does not have login permission. Therefore, can you please check that the user has login permission?
You can view roles and users from the Identity Server management console.

wso2is session timeouts only working with 'Remember Me', otherwise default to 15 minutes

I have wso2is 5+SP1 set up to persist sessions per https://docs.wso2.com/display/IS500/Enabling+Authentication+Session+Persistence
However, users that have not selected 'Remember Me' will be forced to re-authenticate by wso2is after 15 minutes. These users have their commonAuthId cookie set with no expiration time (end of browsing session). Users that have selected 'Remember Me' will get their commonAuthId cookie set with the configured 24 hour expiration time and won't be prompted for re-authorization after 15 minutes.
In both scenarios it appears that session serialization / caching is working correctly, since both commonAuthId values are stored in the IDN_AUTH_SESSION_STORE table of the backing database.
For non-RememberMe users, the log looks like this:
[2015-07-17 08:16:00,257] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - retrieving authentication request from cache.. {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-17 08:16:00,258] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Initializing the flow {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-17 08:16:00,258] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Framework contextId: 07084e16-7dd9-4726-bf9c-a9a42b06dfe1 {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-17 08:16:00,258] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Starting an authentication flow {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-17 08:16:00,259] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Loading Basic Application Data of default {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl}
[2015-07-17 08:16:00,260] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - commonAuthId cookie is available with the value: 4536ad78-26f5-44cb-97bb-080dfc319d13 {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-17 08:16:00,260] DEBUG {org.wso2.carbon.caching.impl.CacheImpl} - Using local cache {org.wso2.carbon.caching.impl.CacheImpl}
[2015-07-17 08:16:00,285] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Failed to find the SessionContext from the cache. Possible cache timeout. {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
That last line is the failure of
SessionContext sessionContext = FrameworkUtils.getSessionContextFromCache(cookie.getValue());
in DefaultRequestCoordinator. I'm just not sure why it returns null for non-RememberMe users. In contrast, here's the log from a RememberMe user:
[2015-07-20 12:37:47,123] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - retrieving authentication request from cache.. {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-20 12:37:47,123] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Initializing the flow {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-20 12:37:47,123] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Framework contextId: a6bb7032-e089-4e8f-8ca4-c2f790a767f4 {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-20 12:37:47,123] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Starting an authentication flow {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-20 12:37:47,127] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - commonAuthId cookie is available with the value: c2b28178-ddcb-4156-b258-4e0fb5ffcdb8 {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-20 12:37:47,127] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Service Provider is: default {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-20 12:37:47,127] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - A previously authenticated sequence found for the SP: default {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-20 12:37:47,127] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Already authenticated by username: dillon {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
Here are the relevant sections of our identity.xml and web.xml that have the timeouts set. Our datastore is an Oracle DB.
identity.xml:
<SessionDataPersist>
    <PoolSize>0</PoolSize>
    <Enable>true</Enable>
    <RememberMePeriod>1440</RememberMePeriod>
    <CleanUp>
        <Enable>true</Enable>
        <Period>30</Period>
        <TimeOut>720</TimeOut>
    </CleanUp>
    <Temporary>false</Temporary>
</SessionDataPersist>
...
<SessionContextCache>
    <Enable>true</Enable>
    <Capacity>100000</Capacity>
</SessionContextCache>
web.xml:
<session-config>
    <session-timeout>720</session-timeout>
</session-config>
In WSO2 IS, you can set the SSO session cookie timeout value in the /repository/conf/identity/identity.xml file, where you can find the below config:
<TimeConfig>
    <SessionIdleTimeout>15</SessionIdleTimeout>
................