WSO2 IS: 5.0.0 with service pack
documentation: https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0
I added the travelocity.com service provider according to the document.
I ran http://localhost:8080/travelocity.com and got an authentication error. So I tried to check and modify Inbound Authentication Configuration > SAML2 Web SSO Configuration, but all I see is a "Configure" link. Clicking the link shows a "New Service Provider" page with "Register" and "Cancel" buttons. If I click the Register button, I get a duplicate service provider error. Does the UI support modifying the SAML2 Web SSO Configuration?
I then deleted the Service Provider and added the travelocity.com service provider from scratch. However, I got the duplicate service provider error again when I configured 'SAML2 Web SSO Configuration'.
I am stuck. How can I get rid of the duplicate service provider error?
Probably, you may have configured another SAML2 SSO configuration with the same issuer name. You can browse the registry, go to the /_system/config/repository/identity/SAMLSSO location and delete the SAML2 SSO configuration that can be found there. Then retry.
If not, you can try with some other issuer name and see. As in the doc, you then need to provide a new issuer name in the travelocity.com application:
SAML.IssuerID=travelocitynew.com
Then in the SAML2 SSO configuration of the WSO2 IS, you can create the configuration with the new issuer name, which is travelocitynew.com.
If you try with a fresh WSO2 IS SP1, we cannot see this issue.
The document missed one step: click the 'Update' button to save the whole configuration after clicking the Register button of the new SAML2 Web SSO Configuration. Anyway, I believe it is still a bug in the web console of WSO2 IS.
What I did was reinstall WSO2 IS + service pack from scratch and configure it again.
Good day. I need help with integration of RazerID into my app as custom OIDC provider in Cognito. I have done all the configurations in the user pool and when I try to log in through Hosted UI it redirects me to Razer page, then I log in, it redirects me back to localhost callback with an error message:
http://localhost:3000/?error_description=invalid_token_signature%3A+Could+not+match+the+desired+key+identifier+within+the+list+of+keys&error=invalid_request
When I check the network section I am getting the code and state.
Identity Provider Configuration
App Client Settings
RazerID manual: PDF
How can I get the RazerID working properly?
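The "Could not match the desired key identifier within the list of keys" message in the callback above is what a relying party reports when the `kid` in the ID token header is not present in the JWKS it fetched from the provider. The following check, added here as an example and not part of Cognito or RazerID, shows the lookup that fails: it reads the unverified JWT header, searches a JWKS for a key with the same `kid` and rejects keys whose `use`/`alg` do not fit. The JWKS and the tokens are constructed samples with placeholder moduli; the names `SAMPLE_JWKS`, `find_signing_key` and `make_unsigned_token` are assumptions of this example. It only diagnoses the key lookup; signature verification still has to be done by a JOSE library.

```python
import base64
import json

# Constructed sample JWKS standing in for the document served at the provider's
# jwks_uri. The modulus values are placeholders, not real RSA keys.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "sig-2023-01", "use": "sig", "alg": "RS256",
         "n": "PLACEHOLDER-MODULUS-1", "e": "AQAB"},
        {"kty": "RSA", "kid": "sig-2023-07", "use": "sig", "alg": "RS256",
         "n": "PLACEHOLDER-MODULUS-2", "e": "AQAB"},
    ]
}


def b64url_decode(segment: str) -> bytes:
    """Base64url decoding with the padding that JWT segments omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(kid: str, alg: str = "RS256") -> str:
    """Build a header.payload.signature string for testing the lookup only
    (constructed sample; the signature segment is a dummy)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps({"sub": "example-user"}).encode())
    return f"{header}.{payload}.{b64url_encode(b'dummy-signature')}"


def jwt_header(token: str) -> dict:
    """Parse the (unverified) JOSE header of a compact JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three segments")
    return json.loads(b64url_decode(parts[0]))


def find_signing_key(token: str, jwks: dict) -> dict:
    """Return the JWKS entry whose kid matches the token header, or raise
    LookupError with the same class of message Cognito reported."""
    header = jwt_header(token)
    kid = header.get("kid")
    if kid is None:
        raise ValueError("token header carries no kid; cannot select a key")
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not matches:
        known = sorted(k.get("kid", "?") for k in jwks.get("keys", []))
        raise LookupError(
            f"Could not match the desired key identifier {kid!r} within the "
            f"list of keys {known}"
        )
    key = matches[0]
    # A key published for encryption must not be accepted for signatures,
    # and a key pinned to one algorithm must match the header's alg.
    if key.get("use", "sig") != "sig":
        raise ValueError(f"key {kid!r} is not a signing key (use={key['use']!r})")
    if "alg" in key and key["alg"] != header.get("alg"):
        raise ValueError(f"key {kid!r} is for {key['alg']}, token says {header.get('alg')!r}")
    return key


if __name__ == "__main__":
    print(find_signing_key(make_unsigned_token("sig-2023-07"), SAMPLE_JWKS)["kid"])
    try:
        find_signing_key(make_unsigned_token("sig-2022-11"), SAMPLE_JWKS)
    except LookupError as err:
        print(err)
```

When this lookup fails against a live provider, the usual causes are a stale cached JWKS after the provider rotated keys, a `jwks_uri` that points at a different tenant or environment than the one that issued the token, or a provider that signs with a key it does not publish; comparing the header `kid` with the published list, as above, tells which of these it is.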
I am trying to setup this authentication (new method without cognito) but can't get it working.
I created a custom SAML app in AWS Single Sign-On as documented here: https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html
And setup SAML on the Elasticsearch Service domain as documented here: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html
When following the Kibana URL from the Elasticsearch Service console I get redirected properly to AWS SSO but I hit an opendistro error message "SAML authentication error The SAML authentication failed. Please contact your administrator."
Am I missing a step with attribute mapping or something else that is not documented clearly? Has anyone else gotten this to work and what are your configuration settings?
You can "Shift+Click" on the AWS SSO Custom Application to see the assertion before it gets sent to OpenDistro. This helped me find what the username was that I was sending.
I added that username under the AWS ES "SAML master username (optional)" field and I was able to successfully log in using AWS SSO.
I then went and added a hardcoded group value under the AWS SSO Mappings for that Custom App, added the same string under the AWS ES "SAML master backend role (optional)" and specified under the "Optional SAML Settings" the string I used to map this under "Roles key" so that it matches.
I checked the assertion using the "Shift+Click" and verified that things were looking ok and I had "group" authentication as well :)
I noticed that I did not require the "Application start URL".
All of this is once you have the rest of things correctly configured such as "Application ACS URL", "Application SAML audience" and the others.
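The answer above works by looking at the assertion AWS SSO actually sends and making the Elasticsearch domain settings (master username, master backend role, "Roles key") agree with it. The script below does that comparison offline: it base64-decodes a SAMLResponse as posted to the ACS, pulls out the NameID, the audience and the attribute statement, and reports every mismatch against the domain settings. It is an added example, not AWS or OpenDistro code; the response XML is a constructed sample (no signature, placeholder issuer and ACS URLs), and the function names `summarize_assertion` and `check_against_domain_config` are assumptions of this example. It inspects the assertion for troubleshooting only and performs no signature validation.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of what an IdP posts to the ACS (unsigned, placeholder URLs).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml/assertion/EXAMPLE</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>https://idp.example.test/saml/assertion/EXAMPLE</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://es-domain.example.test/_opendistro/_security/saml/acs</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Role">
        <saml:AttributeValue>es-admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The POST binding carries the XML as plain base64 in the SAMLResponse field.
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def summarize_assertion(saml_response_b64: str) -> dict:
    """Decode a POST-binding SAMLResponse and extract the fields the SP maps."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no plain Assertion (encrypted or missing)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audiences": [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "attributes": attributes,
    }


def check_against_domain_config(summary: dict, *, master_username: str,
                                master_backend_role: str, roles_key: str,
                                expected_audience: str) -> list:
    """Return a list of human-readable mismatches; empty means the SP will
    recognise both the user and the backend role."""
    problems = []
    if summary["name_id"] != master_username:
        problems.append(f"NameID {summary['name_id']!r} != master username {master_username!r}")
    if expected_audience not in summary["audiences"]:
        problems.append(f"audience {expected_audience!r} not in {summary['audiences']}")
    roles = summary["attributes"].get(roles_key)
    if roles is None:
        problems.append(f"roles key {roles_key!r} absent; attributes present: "
                        f"{sorted(summary['attributes'])}")
    elif master_backend_role not in roles:
        problems.append(f"backend role {master_backend_role!r} not in {roles}")
    return problems


if __name__ == "__main__":
    s = summarize_assertion(SAMPLE_SAML_RESPONSE)
    print(s)
    print(check_against_domain_config(
        s, master_username="alice@example.test", master_backend_role="es-admins",
        roles_key="Role",
        expected_audience="https://es-domain.example.test/_opendistro/_security/saml/acs"))
```

The typical misconfiguration is the one the answer describes: the IdP emits the group under one attribute name and the domain's "Roles key" names another, so the role list comes back empty and the login falls through to the generic "SAML authentication failed" page.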
I am trying to implement SAML Extension Grant by following the instructions in https://apim.docs.wso2.com/en/latest/Learn/APISecurity/OAuth2/GrantTypes/saml-extension-grant/ but got a blank screen when I tried to configure the service provider:
Sign into the Management Console
Select Service Providers > Add
After registering the service provider, click Inbound Authentication Configuration > SAML2 Web SSO Configuration.
Click Configure. A blank screen appears.
There is already a similar issue reported in APIM 3.0.0. Please refer to the git issue here.
Inbound SAML2 Web SSO Authentication will not work in APIM OOTB as the relevant Identity feature is not available. If you need to use this, you need to use WSO2 IS or WSO2 IS-KM.
I tried creating a service provider with issuer carbonServer in the Identity Server carbon console.
I tried enabling the SAMLSSO Authenticator in authenticators.xml in the /repository/conf/security/ directory.
When I start the service and access the carbon console I get this error:
SAML 2.0 based Single Sign-On
Error when processing authentication request!
Please try login again!
In the logs I get this error:
ERROR {org.wso2.carbon.identity.sso.saml.validators.SPInitSSOAuthnRequestValidator} - A SAML Service Provider with the Issuer 'IS_MGT_CONSOLE' is not registered. Service Provider should be registered in advance
The registered Service Provider name is IS_MGT_CONSOLE and the issuer is carbonServer.
Any idea what could be the reason for this error, and why the Issuer in the error is listed as the Service Provider name?
Please check 'ServiceProviderID' in authenticators.xml -> SAML2SSOAuthenticator. By default it is 'carbonServer' and it should be the same as the Issuer value in (Inbound Authentication Configuration) --> (SAML SSO Configuration).
I suspect that even though you registered the SAML issuer as carbonServer, the SAML auth request comes in as IS_MGT_CONSOLE. You should be able to correct it by modifying 'ServiceProviderID' to carbonServer.
We are getting the following error when we try to edit the service provider: Could not add Service Provider. You might be entering a duplicate Service Provider
Steps followed:
Created a service provider
Tried to update Inbound Authentication Configuration --> SAML2 Web SSO Configuration --> Configure
Update
We are using version wso2is-5.1.0.
Depending on the version of WSO2 you are using, this was a bug that infrequently came up when the entry for the SAML provider persisted after the Service Provider that used it was deleted. There's a URL that is not documented in the interface where you can fix this. After logging into the interface, go to this URL:
https://yourhost:yourport/carbon/sso-saml/manage_service_providers.jsp
and you should be able to delete the offending SAML provider and configure the service provider.