How to customize all WSO2 Identity Server login related pages - wso2-identity-server

I have followed this guide for customizing login pages: https://docs.wso2.com/display/IS500/Customizing+Login+Pages
This is all fine.
I have checked out the code from version 4.3.3 and made local changes to:
https://github.com/wso2/carbon-identity/tree/release-4.3.3/components/identity/org.wso2.carbon.identity.application.authentication.endpoint
When dealing with OpenID Connect/OAuth2, there are more pages than just login.jsp involved, e.g. the page oauth2_authz.jsp. This is also not a problem when replacing the default authenticationendpoint.war with my modified authenticationendpoint.war.
Problems arise however when trying to separately host the custom authenticationendpoint.war under a different URL.
WSO2 Identity Server is configured with an absolute URL to the AuthenticationEndpoint:
<AuthenticationEndpointURL>http://localhost:9990/login.do</AuthenticationEndpointURL>
And the form of my login.jsp is altered to submit back to the absolute URL for WSO2 Identity Server, instead of the relative URL ../commonauth.
<form action="https://localhost:9443/commonauth"...
The problem I see is that I am correctly redirected to my custom login page, but the authz page (list of Claims and buttons for Approve | Approve Always | Deny) is still the default page hosted inside WSO2.
I want WSO2 Identity Server to use all my customized pages, not just login.jsp.
These would typically be:
oauth2_authz.jsp
oauth2_consent.jsp
oauth2_error.jsp
Can anyone suggest how to accomplish this or point to some documentation about this?

This was addressed in WSO2IS 5.1.0 with IDENTITY-2977. With the relevant changes, you can customize the samlsso_login, oauth2_authz, oauth2_error and oauth2_consent URLs using configuration available in the web.xml file of authenticationendpoint.war. Please refer to the relevant section of the web.xml for further details.
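Once the page locations live in web.xml, it is worth checking that every one of them really points at the externally hosted endpoint over HTTPS, since the question's setup posts credentials and consent decisions to an http://localhost:9990 host. The following check is an added example, not WSO2 code; the context-param names in the constructed sample are hypothetical placeholders, and the check keys only on the values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of an authenticationendpoint web.xml fragment. The
# <context-param> names are hypothetical placeholders, not WSO2's real keys;
# only the values are inspected.
SAMPLE_WEB_XML = """<web-app>
  <context-param>
    <param-name>LoginPage</param-name>
    <param-value>https://login.example.com/authenticationendpoint/login.do</param-value>
  </context-param>
  <context-param>
    <param-name>OAuth2ConsentPage</param-name>
    <param-value>http://localhost:9990/oauth2_consent.do</param-value>
  </context-param>
  <context-param>
    <param-name>OAuth2ErrorPage</param-name>
    <param-value>/authenticationendpoint/oauth2_error.do</param-value>
  </context-param>
</web-app>"""

def page_urls(web_xml: str) -> dict:
    """Return {param-name: param-value} for every context-param whose value
    is a page location (absolute URL or server-relative path)."""
    root = ET.fromstring(web_xml)
    out = {}
    for cp in root.iter("context-param"):
        name = cp.findtext("param-name", "").strip()
        value = cp.findtext("param-value", "").strip()
        if value.startswith(("http://", "https://", "/")):
            out[name] = value
    return out

def find_problems(web_xml: str, expected_host: str) -> list:
    """Flag page URLs that keep the flow over plain HTTP or on a host other
    than the one serving the custom pages. Relative values are flagged too:
    they resolve inside the IS-hosted webapp, so the default page is used."""
    problems = []
    for name, value in page_urls(web_xml).items():
        if value.startswith("/"):
            problems.append(f"{name}: relative path {value} stays on the default endpoint")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            problems.append(f"{name}: {value} is not HTTPS (credentials/consent sent in clear)")
        if parts.hostname != expected_host:
            problems.append(f"{name}: host {parts.hostname} != {expected_host}")
    return problems
```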

Related

Azure AD B2C Not Displaying Custom Signup Page

I'm building an AspNet Core 2.1 website using Azure AD B2C authentication, based on the example code I found here.
I can authenticate against the Google identity provider. But instead of showing a custom page based on the attributes I selected for the signup/signin policy in the Azure AD B2C portal, all I get is the normal Google authentication page asking me which Google account I want to authenticate against.
I was able to display a custom page listing all the attributes I'd defined in an earlier version of my project, which used the deprecated microsoftonline.com domain. But now that I'm using the recommended b2clogin.com domain the page is no longer appearing. I don't know if that change has anything to do with the missing page, but I thought I'd mention it.
My appsettings.json file is:
{
  "AzureADB2C": {
    "ApiScopes": "https://ridemonitor.onmicrosoft.com/api/user.read",
    "ApiUrl": "https://ridemonitor.azurewebsites.net/hello",
    "CallbackPath": "/signin-oidc",
    "ClientId": "**redacted**",
    "Domain": "ridemonitor.onmicrosoft.com",
    "EditProfilePolicyId": "b2c_1_ProfileEditing",
    "Instance": "https://ridemonitor.b2clogin.com/tfp",
    "RedirectUri": "https://localhost:44305/signin-oidc",
    "ResetPasswordPolicyId": "b2c_1_PWReset",
    "SignUpSignInPolicyId": "b2c_1_SignUpIn"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Warning"
    }
  },
  "AllowedHosts": "*"
}
Update
I've configured two identity providers for my app, Google and Microsoft Account. The Microsoft Account provider does, in fact, display a customized page listing all the attributes I set in the Azure AD B2C portal when I authenticate with it. It's just the Google route which has stopped displaying the custom attribute page.
The redirect uri in Google Cloud Platform -> Credentials is:
https://ridemonitor.b2clogin.com/ridemonitor.onmicrosoft.com/oauth2/authresp
which is the url I should be sent to, and used to be sent to by the Google identity provider, and is the url the Microsoft Account identity provider sends me to when I try to log in.
It looks like I need to update something in my Google configuration, but I'm not sure what.
Update #2
Using the Chrome developer's console, and Link Redirect Trace, I tried to see how I ended up on the pages I ended up on after clicking both the Google and Microsoft Account signin/signup links.
The Google button lands me on the generic Google login page. The initial redirect (there are several subsequent ones) appears to be:
https://accounts.google.com/signin/oauth?client_id=769952297467-qhqd9brt7pl4sra1hnjhnnqchce2h6f1.apps.googleusercontent.com&as=c-8m6tr-h2tUDpRHqIApkQ&destination=https://ridemonitor.b2clogin.com&approval_state=!ChR4aFltdld5TGNwWUEyUlA1R0R6TRIfczBDdExlN01TRElYa013TWpqbVNUV1h5alREUVloWQ%E2%88%99ANKMe1QAAAAAW7K6uQbexonsHodkbBOebSymUYB1yufO&oauthgdpr=1&xsrfsig=AHgIfE8msp705-PG2II5uHWqjoODqYSLPg
The initial redirect for the Microsoft Account button is:
https://login.live.com/oauth20_authorize.srf?client_id=704398a8-908a-4512-9cc0-4453014b4714&redirect_uri=https%3a%2f%2fridemonitor.b2clogin.com%2fridemonitor.onmicrosoft.com%2foauth2%2fauthresp&response_type=code&scope=openid+profile+email&response_mode=form_post&nonce=TQsICDEyv245x1E4pkQynQ%3d%3d&state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6ZjBlYmQ4OTUtNmVjYS00NzBhLWE4ZDYtY2U4NTgyYzFmZmNjIiwiVElEIjoiNzIwZDg5NDEtNmM2Zi00YzIzLWI5MWEtZDMyZjJjODA5Yjk4In0
Comparing the two initial redirects, what's interesting is that the one for Google does not contain a parameter for the redirect_uri. Which I presume is the place the browser should be sent after a successful authentication.
Yet my Google credentials page would appear to be set up correctly:
Or am I maybe not configuring stuff in the right part of the Google ecosystem? I thought I was following some Microsoft directions regarding Google credentials, but...
Do you get any error messages?
Try using your browser's dev tools to check any error logs and identify the CSS styling that took effect in your HTML elements. It's possible that your custom classes are being overwritten by the Google default styling.
You can edit the CSS within your browser's dev tools and then update the CSS files in Azure Blob Storage when you are happy with them.
Refer also to this thread and this one to see if these issues might be similar to yours.

Adding a Password Recovery option to WSO2 sign-in

I was wondering if there is an option for users who want to use the store but have forgotten their password
Currently the WSO2 sign-in page looks like this:
I have set the following in <APIM_HOME>/repository/conf/identity/identity-mgt.properties:
Identity.Listener.Enable=true
Notification.Sending.Enable=true
Notification.Expire.Time=3
Notification.Sending.Internally.Managed=true
UserAccount.Recovery.Enable=true
Captcha.Verification.Internally.Managed=true
I'm assuming the email settings for the same are in <APIM_HOME>/repository/conf/email/email-admin-config.xml
Anyhow, after applying the above settings and restarting the server, the sign-in page remained the same.
Is there some configuration to enable an option on the sign-in page (eg. Forgot password/Reset password)?
Also, are there any additional settings that need to be configured for it to work as expected?
API Manager Store/Publisher UIs do not support this out-of-the-box. But you can achieve this with WSO2 Identity Server. (You can use the same Identity Server as the key manager node of the APIM setup.)
Please refer to the IS docs. A sample webapp is also available here.

Sitecore Web Item API 404

I have upgraded a Sitecore to SC7.2. When I open the media browser I can't explore the media items because I am getting a 404 from the Web Item API. The configs seem correct but I am wondering if files/items didn't get installed.
The URL being requested is:
http://{domain}/-/item/v1/sitecore/shell?sc_itemid=%7B3D6658D8-A0BF-4E75-B3E2-D050FABCF4E1%7D&scope=c&sc_database=master&language=en&fields=__Hidden
Has anyone seen this before? Anyone know how I can check if the Web Item Api was installed correctly?
In order to check whether the Item Web API is enabled or not:
1) Download Fiddler
2) Enter Query: http://sc8/-/item/v1/?scope=c&sc_database=master&query=/sitecore/content
[Note: sc8 will be replaced by your Sitecore instance name]
3) If you have enabled Standard Security in Sitecore Item Web API -- enter login credentials and click Execute.
You will get the JSON response:
If you are getting the JSON response -- Your Sitecore Item Web API is enabled.
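The same probe can be scripted so the result is classified rather than eyeballed in Fiddler. This is an added example, not part of the answer above: the X-Scitemwebapi-* header names used for Standard Security and the statusCode/result JSON envelope are assumptions about the Item Web API, and the 404 case is the one the question hit.

```python
import json
import urllib.error
import urllib.request

# Query from the answer above; the host is supplied by the caller.
PROBE_PATH = "/-/item/v1/?scope=c&sc_database=master&query=/sitecore/content"

def classify(status: int, content_type: str, body: bytes) -> str:
    """Turn a probe response into a verdict; pure function, so it can be
    exercised offline with constructed responses."""
    if status == 404:
        return "not enabled: nothing answered /-/item/v1 (handler not installed, or a custom site resolver swallowed the request)"
    if status in (401, 403):
        return "enabled, but Standard Security rejected the request (missing or wrong credentials)"
    if status == 200 and "json" in content_type.lower():
        try:
            doc = json.loads(body.decode("utf-8"))
        except ValueError:
            return "200 but body is not JSON"
        # Assumed envelope shape: {"statusCode": ..., "result": {...}}
        if isinstance(doc, dict) and "statusCode" in doc and "result" in doc:
            return "enabled: Item Web API returned a JSON envelope"
        return "200 JSON but not an Item Web API envelope"
    return f"unexpected response: HTTP {status} ({content_type})"

def probe(host: str, username: str = "", password: str = "",
          scheme: str = "https", timeout: int = 10) -> str:
    """Send the probe and classify the answer. Standard Security sends the
    password in a request header, so use https unless testing locally."""
    req = urllib.request.Request(f"{scheme}://{host}{PROBE_PATH}")
    if username:
        # Assumed header names for Item Web API Standard Security.
        req.add_header("X-Scitemwebapi-Username", username)
        req.add_header("X-Scitemwebapi-Password", password)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as e:
        return classify(e.code, e.headers.get("Content-Type", ""), e.read())
```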
This was caused by a custom site resolver in the HttpBeginRequest pipeline that had been added as part of a support fix.

WSO2 Identity Server Basics - Making it Work

I'm new to the SSO world and I've recently installed WSO2 Identity Server 5.0 and done my best to hook in a service provider but I just can't seem to figure out how to make SSO happen.
Here is my current situation and goal:
I have a MojoPortal website where a user can log in. From there, the user can click a link to our FTP site powered by GoAnywhere. We want the user to be logged into the FTP site just by clicking the link instead of having to log in to it as well. The FTP site is SAML2 enabled so I chose the WSO2 ID Server to give SSO capability between my mojoPortal and goAnywhere sites.
Here is what I think needs to happen - sanity checks welcome:
1. User clicks to access the FTP website and my mojoPortal website needs to create a SAML request and send it to the ID server. I can't seem to get a grip on doing this from an ASP.NET page.
2. ID server gets the request and validates it (you can test the request in the "SAML Request Validator" tool in the WSO2 console, right?)
3. ID server sends a response to the GoAnywhere FTP site which can be simulated with the SAML Response Builder tool in the ID server console.
4. The FTP site says either OK or NO to access.
5. Not sure what happens next - how does the user get redirected to the FTP site?
So I have big issues: I don't understand the flow in great enough detail and I'm also having difficulties in getting the technologies to work together.
Any comments / help at all are greatly appreciated!
MojoPortal website - is this SAML2 Web Browser based SSO supported? If yes, then the solution is clear.
You just have to register your 2 sites in WSO2 IS as SPs.
Then what will happen is, once the user logs in to the MojoPortal website, the user will have a live login session; therefore, once he clicks on the FTP site, he will be able to access it without having to log in again.
Hope this clarifies your doubts.
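Step 1 of the flow in the question (the SP builds a SAML AuthnRequest and sends the browser to the IdP's /samlsso endpoint) is the part that is easiest to get wrong. The following is an added illustration in Python, not code from mojoPortal, GoAnywhere or WSO2: it builds the request and encodes it with the HTTP-Redirect binding, and also decodes such a URL so you can inspect what a browser was actually sent. The issuer, ACS URL and RelayState values are constructed; the request is left unsigned, which an IdP should only accept in a test setup.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qs, urlsplit
from xml.sax.saxutils import escape

IDP_SSO_URL = "https://localhost:9443/samlsso"   # WSO2 IS SAML endpoint from the thread
ATTR = {'"': "&quot;"}                           # extra escaping for attribute values

def build_authn_request(issuer, acs_url, destination=IDP_SSO_URL,
                        request_id=None, issue_instant=None):
    """Minimal SAML 2.0 AuthnRequest. `issuer` must match the SP Issuer
    registered in the IdP and `acs_url` must be that SP's registered ACS;
    a mismatch is how responses end up at the wrong site. Unsigned: in
    production sign it and have the IdP validate the signature."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{escape(destination, ATTR)}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{escape(acs_url, ATTR)}">'
        f'<saml:Issuer>{escape(issuer)}</saml:Issuer>'
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
        'AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    )

def redirect_binding_url(authn_request, relay_state=None, idp_url=IDP_SSO_URL):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode as SAMLRequest.
    RelayState is where the SP wants the user after login (the FTP link)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, no zlib header
    raw = comp.compress(authn_request.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_url + "?" + urlencode(params)

def decode_saml_request(url):
    """Inverse of the redirect binding, for inspecting a captured redirect."""
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")
```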

Extend Identity Provider URL

I just have a question regarding the Identity Provider URL. Is it possible to modify|customize|extend the Identity Provider URL? (localhost:9443/samlsso)
I currently run two SSO (SAML2) enabled apps on my local Tomcat on localhost, named app1 and app2. The behavior of the applications is to redirect to the login panel when the user is trying to access the applications. Since it is SSO enabled, it redirects to the WSO2IS login panel. If both applications are not logged in, they are redirected to the SSO login page of WSO2IS. The first one to log in works successfully. Because the first one has already logged in, the second one doesn't need to sign on again. But I would like to make the second one sign on again, because there are 2 different issuer names and I intend to use the issuer name for the filter or condition.
I am using WSO2 identity server 4.6.0
Regards,
The question is a bit unclear to me. Is it that you don't want SSO between webapps, but only between webapp and IDP? Then it seems it's not a complete SAML SSO scenario.
Still for the filtering, you may be able to write a 'custom authenticator', implementing the interface 'org.wso2.carbon.core.services.authentication.CarbonServerAuthenticator' and engage it in the flow.