Signature Validation Failed for the SAML Assertion in Wso2IS - wso2

I have enabled SSO on the WSO2 ESB page; it used to work fine previously, but since we changed the certificates in IS and ESB, now while trying to log in to ESB via IS I get: Signature Validation Failed for the SAML Assertion : Signature is invalid.
I have added both the ESB and IS certs to both the WSO2 IS and WSO2 ESB keystores as well.
Still the error persists.
2015-05-28 09:59:17,281 log_level=WARN thread=http-nio-9443-exec-24 logger=org.apache.xml.security.signature.XMLSignature [Signature verification failed.]
2015-05-28 09:59:17,281 log_level=WARN thread=http-nio-9443-exec-24 logger=org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil [Signature Validation Failed for the SAML Assertion : Signature is invalid.]
2015-05-28 09:59:17,281 log_level=DEBUG thread=http-nio-9443-exec-24 logger=org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil [org.wso2.carbon.identity.base.IdentityException: Signature Validation Failed for the SAML Assertion : Signature is invalid.]
2015-05-28 09:59:17,281 log_level=WARN thread=http-nio-9443-exec-24 logger=org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor [Signature validation for Authentication Request failed.]
2015-05-28 09:59:33,747 log_level=DEBUG thread=pool-29-thread-1 logger=org.wso2.carbon.identity.application.authentication.framework.store.SessionCleanUpService [Start running the Session Data cleanup task.]
2015-05-28 09:59:33,759 log_level=DEBUG thread=pool-29-thread-1 logger=org.wso2.carbon.identity.application.authentication.framework.store.SessionCleanUpService [Stop running the Session Data cleanup task.]

If you change the keystore of both WSO2IS and WSO2ESB, then you need to export the certificate of the primary keystore of the WSO2IS and import it into WSO2ESB's primary keystore. Then you need to specify the alias name that you used to import the certificate into WSO2ESB's primary keystore. This must be configured in the /repository/conf/security/authenticators.xml file under the following property.
<Parameter name="IdPCertAlias">wso2carbon</Parameter>

Related

Signature verification failed when accessing travelocity.com / saml2-web-app-pickup-dispatch.com apps with SAML2

I have wso2is v5.10.0, and when I created a service provider with the travelocity.com app, I found an error when accessing the application.
Error log:
Config Service Provider:
This seems to be a signature validation error.
Workaround 1:
You can either remove the signature validation option in the Application configuration.
Workaround 2:
Replace the Keystore in the travelocity sample app(<TOMCAT_HOME>/WEB-INF/classes/wso2carbon.jks) with the keystore of the WSO2 Identity Server <is-home>/repository/resources/security/wso2carbon.jks
Solution:
To fix it properly, you have to add the public key of the identity server (<is-home>/repository/resources/security/wso2carbon.jks) to the keystore in the saml2-web-app-pickup-dispatch.com app (<TOMCAT_HOME>/WEB-INF/classes/wso2carbon.jks)
Export the public certificate of IS from
<IS_HOME>/repository/resources/security/wso2carbon.jks
You can export the cert using the keytool command.
The default certificate alias is wso2carbon and the keystore password is wso2carbon.
Then import the exported certificate into <TOMCAT_HOME>/WEB-INF/classes/wso2carbon.jks.
Finally, update the IdPPublicCertAlias parameter in the <TOMCAT_HOME>/WEB-INF/classes/sso.properties file with the newly imported certificate alias.

SSOAgentException: Signature validation failed for SAML Response

While using wso2is-5.6.0, the "travelocity.com" application is configured with WSO2 Identity Server to authenticate from Facebook, and I am getting this error:
org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Signature validation failed for SAML Response
After a Google search there is some mention of uploading a certificate file, but I am not getting this point: which certificate file, and from where will I get the certificate file to upload in the identity provider in WSO2 Identity Server?
This happens because your travelocity sample doesn't have the certificate corresponding to the key used by Identity Server to sign the SAML response. One of the easiest options is to replace the keystores of your travelocity sample with the ones inside WSO2 Identity Server (assuming you are using the out-of-the-box setup). You can find the keystores in your Identity Server distribution's /repository/resources/security directory. Copy the two keystores (wso2carbon.jks and client-truststore.jks) to your /WEB-INF/classes (yes, you need to replace the existing ones).
Or else, if you have changed keys in your WSO2 IS, the proper way to fix this is to export the public key from Identity Server (from wso2carbon.jks) and import it into both keystores (wso2carbon.jks and client-truststore.jks) in the travelocity sample. You can use keytool commands to achieve this.
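The export/import/alias procedure that the answers above describe (IS primary keystore into the ESB keystore with IdPCertAlias in authenticators.xml, and IS wso2carbon.jks into the travelocity sample's wso2carbon.jks and client-truststore.jks with IdPPublicCertAlias in sso.properties), written out as an added shell example. This is not code from the page or from WSO2. It assumes a JDK keytool on PATH, the default wso2carbon alias and password, and the keystore paths given in the posts; the IS_HOME and SP_ALIAS variables, the function names, and the WSO2_CERT_SYNC switch are my own. The fingerprint check at the end uses only coreutils and is the part that actually tells you whether the alias you configured holds the certificate the IdP currently signs with, which is what "Signature is invalid" after a certificate rotation comes down to.

```shell
#!/bin/sh
# Added example (not WSO2's code): copy the IdP's public signing certificate into
# an SP keystore/truststore and verify the alias really holds the IdP's cert.
# Assumptions: keytool (JDK) on PATH, default alias/password "wso2carbon",
# paths as in the posts above. Override the variables for your deployment.
set -eu

IS_HOME="${IS_HOME:-/opt/wso2is}"                     # assumed install path
IS_KEYSTORE="${IS_KEYSTORE:-$IS_HOME/repository/resources/security/wso2carbon.jks}"
IS_ALIAS="${IS_ALIAS:-wso2carbon}"                    # IdP signing key alias
IS_STOREPASS="${IS_STOREPASS:-wso2carbon}"
SP_ALIAS="${SP_ALIAS:-wso2is-idp}"                    # alias to put in IdPCertAlias / IdPPublicCertAlias

# SHA-256 fingerprint (lowercase hex) of the DER body of a PEM certificate.
# Coreutils only, so it works on any exported cert without keytool.
pem_fingerprint() {
    grep -v '^-----' "$1" | tr -d '\n\r' | base64 -d | sha256sum | cut -d' ' -f1
}

# Export the IdP's public certificate (never the private key) as PEM.
export_idp_cert() {            # $1 = output .pem
    keytool -exportcert -rfc -keystore "$IS_KEYSTORE" -storepass "$IS_STOREPASS" \
        -alias "$IS_ALIAS" -file "$1"
}

# Import the PEM under SP_ALIAS, first removing a stale copy from a previous rotation.
import_idp_cert() {            # $1 = pem, $2 = target .jks, $3 = its password
    keytool -delete -alias "$SP_ALIAS" -keystore "$2" -storepass "$3" 2>/dev/null || true
    keytool -importcert -noprompt -alias "$SP_ALIAS" -file "$1" \
        -keystore "$2" -storepass "$3"
}

# Exit 0 only if the certificate stored under SP_ALIAS is byte-for-byte the one
# the IdP signs with. A mismatch here is the usual cause of "Signature is invalid".
verify_sp_alias() {            # $1 = target .jks, $2 = password, $3 = IdP pem
    tmp="$(mktemp)"
    keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$SP_ALIAS" -file "$tmp" >/dev/null
    a="$(pem_fingerprint "$tmp")"
    b="$(pem_fingerprint "$3")"
    rm -f "$tmp"
    echo "SP alias $SP_ALIAS: $a"
    echo "IdP certificate:    $b"
    [ "$a" = "$b" ]
}

# Usage: WSO2_CERT_SYNC=1 sh sync-idp-cert.sh SP_KEYSTORE.jks STOREPASS [client-truststore.jks]
if [ "${WSO2_CERT_SYNC:-0}" = 1 ]; then
    sp_ks="$1"; sp_pass="$2"
    pem="$(mktemp)"
    export_idp_cert "$pem"
    import_idp_cert "$pem" "$sp_ks" "$sp_pass"
    if [ $# -ge 3 ]; then import_idp_cert "$pem" "$3" "$sp_pass"; fi
    verify_sp_alias "$sp_ks" "$sp_pass" "$pem"
    rm -f "$pem"
    echo "Now set IdPCertAlias (authenticators.xml) or IdPPublicCertAlias (sso.properties) to $SP_ALIAS and restart the SP."
fi
```

The script only handles the IdP-to-SP direction (the SP validating the IdP's signature on the response). If the SP also signs its AuthnRequests and the IdP is configured to validate them, the same export/import has to be done with the roles swapped, with the SP's certificate imported into the IS keystore and its alias selected on the IS side.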

wso2 Oauth Mediator Issue

We are using WSO2 EI 6.1.1 and WSO2 Identity Server version 5.5.0. We have a requirement to use the OAuth Mediator to validate the access token. I have a service provider registered with the Identity Server and generated the OAuth 2.0 bearer access token using a curl command. I tried the OAuth2 web service to validate the authorization, which succeeded, and the request went to the Identity Server. But if I use the OAuth Mediator of WSO2 Integrator I get the error message below, and the request is not going to the Identity Server, which I confirmed from the Identity Server logs. Please help with this. Are there any other jar files or configuration settings needed for this?
<oauthService remoteServiceUrl="https://localhost:9444/services/" username="admin" password="admin"/>
ERROR - OAuthMediator Error occured while validating oauth access token.java.lang.Exception: Error while validating OAuth2 request. at org.wso2.carbon.identity.oauth.mediator.OAuth2TokenValidationServiceClient.validateAuthenticationRequest(OAuth2TokenValidationServiceClient.java:61).
Caused by: org.apache.axis2.AxisFault: SSL peer failed hostname validation for name: null.at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
I have the same issue and can't resolve it. This bug has not been corrected yet:
https://wso2.org/jira/browse/IDENTITY-5243

Sample SSO webapplication does not work in wso2

I have configured the sample travelocity.com webapp to work with SAML2 SSO following the link configure SSO web app.
But when I try to log in using an account I get the following error message in the browser.
Here is what I get in the logs:
TID: [0] [IS] [2015-03-10 21:06:26,835] WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - Signature validation for Authentication Request failed. {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor}
After I tried again without restarting the server I got this error:
TID: [0] [IS] [2015-03-10 20:30:51,261] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
I am not sure what is wrong. I have also installed the latest service pack. I am using wso2is-5.0.0.
Please help.
This same web application is working fine with WSO2IS. I have already tried it out. Details can be found here as well.
According to the error, Signature validation for Authentication Request failed, the SAML2 Auth request sent by the web application has been signed and WSO2IS tries to validate its signature. WSO2IS does not validate the signature by default; you have probably ticked the following option in the SAML2 SSO configuration:
Enable Signature Validation in Authentication Requests and Logout Requests
Please verify it, un-tick it and see.
If you really want to validate the signature of SAML2 Auth requests, you need to tick it. Then you must choose the proper Certificate Alias value from the combo box. Please note the proper value is NOT wso2carbon.cert. The proper value is wso2carbon. Then it would work for you.
The second error may be related to the browser cache; just clear the browser cache and try again (or open a new browser).
Most probably this is a mismatch in the keystores.
Just copy
$WSO2IS/repository/resources/security/keystore.jks
To
$TOMCAT/saml2-web-app-pickup-dispatch.com/WEB-INF/classes
This way, both keystores are the same. Restart Tomcat and it should work fine.

wso2 identity server Multifactor Authentication error

I am unable to implement Multifactor Authentication.
The error I am getting is:
TID: [0] [WSO2 Identity Server] [2012-10-30 10:31:38,620] ERROR {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider} - login failed. Trying again.. {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider}
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate (SASLAuthentication.java:209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:301)
This is for WSO2 Identity Server 3.2.3, straight out of the box. No additional configuration was performed to run this instance of Identity Server.
It appears that when signing in as admin, the LDAP authentication is completed and then authentication with gtalk is attempted, which is when the error occurs.
Should I be setting my own configuration in the identity.xml where gtalk is being set?
<MultifactorAuthentication>
<XMPPSettings>
<XMPPConfig>
<XMPPProvider>gtalk</XMPPProvider>
<XMPPServer>talk.google.com</XMPPServer>
<XMPPPort>5222</XMPPPort>
<XMPPExt>gmail.com</XMPPExt>
<XMPPUserName>multifactor1@gmail.com</XMPPUserName>
<XMPPPassword>wso2carbon</XMPPPassword>
</XMPPConfig>
</XMPPSettings>
</MultifactorAuthentication>
I found out that I do need to set up a Google talk account.
I added the new settings to the MultifactorAuthentication configuration.
I restarted the server.
I edited the user account with another new Google talk account.
I logged out.
Logged back in via relyingparty URL with openid,
received communication over gtalk requesting pin.
I entered the pin and got logged in.
It would have been nice if WSO2 had included in their documentation the need to set up these settings for this configuration to get multifactor authentication to work out of the box.