I'm trying to integrate WSO2 IS with Liferay as service provider, but I haven't been successful so far. Some modifications were made to the code, as per three JIRA issues raised and patches contributed by Benjamin Schmeling on WSO2 oxygen tank:
https://wso2.org/jira/browse/IDENTITY-2856
The SAML settings on WSO2 IS are as follows:
Assertion Consumer URL: liferayserver:8080/c/portal/saml/acs
NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Use fully Qualified username on NameID
Enable Response Signing
Enable Assertion Signing
Enable Single logout
-> ConsumerURL: liferayserver:8080/c/portal/saml/slo_redirect
Enable attribute profile
Yet Liferay returns the following exception:
Liferay returns the following exception:
[code]23:00:50,071 ERROR [http-thread-pool-8080(4)][BaseSamlStrutsAction:45] com.liferay.saml.UnsupportedBindingException
com.liferay.saml.UnsupportedBindingException
at com.liferay.saml.profile.SingleLogoutProfileImpl.processSingleLogout(SingleLogoutProfileImpl.java:216)
at com.liferay.saml.profile.SingleLogoutProfileUtil.processSingleLogout(SingleLogoutProfileUtil.java:54)
at com.liferay.saml.hook.action.SingleLogoutAction.doExecute(SingleLogoutAction.java:39)
at com.liferay.saml.hook.action.BaseSamlStrutsAction.execute(BaseSamlStrutsAction.java:42)
at com.liferay.portal.kernel.struts.BaseStrutsAction.execute(BaseStrutsAction.java:39)
I also tried changing the single log-out endpoint to liferayserver:8080/c/portal/saml/slo to no avail. In both cases the session is closed on the Identity Server (WSO2), but not on the service provider (Liferay).
Any ideas of what the issue might be?
It turns out there are two additional modifications that are needed in order to make the Single log-out work. I'll leave these here in case they help someone else until these patches are integrated into their respective products. Special thanks to Benjamin Schmeling.
For SAML-based SLO you should use the /c/portal/saml/slo_redirect
endpoint, however, Liferay is not able to handle post requests (at
least in the newest version of the SAML portlet). You have to adapt
the Liferay SAML portlet as follows:
In SingleLogoutProfileImpl.processSingleLogout(HttpServletRequest
request, HttpServletesponse response) add a new else if branch:
else if(requestPath.endsWith("/slo_redirect") &&
method.equalsIgnoreCase(HttpMethods.POST)){
samlBinding = getSamlBinding(
SAMLConstants.SAML2_POST_BINDING_URI); }
Furthermore, in
SingleLogoutProfileImpl.sendSpLogoutRequest(HttpServletRequest
request, HttpServletResponse response) after logoutRequest.setVersion
add the SessionIndex required by Wso2 by calling:
addSessionIndex(logoutRequest, samlSpSession.getSessionIndex());
Related
I am trying to set up a custom client authenticator in WSO2 Identity Server, I would like to retrieve an access token with client_credentials specifying a specific scope and have a jwt token returned with custom claims inserted. I've tried writing my own Client Authenticator but I'm having some trouble getting the OSGi bundle to pick up correctly during WSO2 startup and all other attempts at customizing the auth flow have failed.
Is there anyone who would be able to point me in the right direction as to where I might find useful information on how to achieve what I'm trying to achieve? TIA.
Using WSO2 Identity Server, you are able to extend the client authentication implementation. You can write your own client authentication mechanism following a specification or any other standard.
Please follow the below doc link to create the custom client Authenticator:
https://is.docs.wso2.com/en/latest/learn/writing-a-new-oauth-client-authenticator/
I'm using wso2am 2.0.0 and trying to configure SSO for access to the store and publisher application.
I'm not using wso2 IS but just configured the api manager directly to my IdP server(I have edited the site.json file to with my IdP setting)
I'm getting this exception after being authenticated to my IdP:
SAML Response contains invalid number of assertions. {org.wso2.carbon.hostobjects.sso.SAMLSSORelyingPartyObject}
It look like my SAML response isn't correct but i'm unable to find why?
There was no problem with my SAML response .
The problem was caused by a difference between my IdP server and the api manager timezone (they are deployed in two different environment), so the exception is thrown when comparing the current time in the gateway with the NotBefore/NotOnOrAfter
So may be a more significant error message could help
You can use an online SAML Response decoders like this and see what's wrong with you SAML response.
Another option is to use SAML Tracer in firefox.
I installed v5.1.0 of wso2 identity server and executed an OpenID Connect flow. Finally, I wanted user profile information to be retrieved from the server (via /oauth2/userinfo endpoint).
In contrast to other mailings, I only receive a one-item-answer { "sub":"admin }. By default, there should also be phone_number, email and others. It used the playground2 application to verify and yes, only { "sub":"admin" } is returned.
I used scope=openid for the authz code request as well as schema=openid in the /userinfo query as in the descriptions.
I tried to set various claims in http://wso2.org/oidc/claim to supported, required, etc. but no change.
How to I configure the server to return more details?
Any ideas?
This seems to be a known issue in Identity Server 5.1.0 and this is reported here. You can follow the discussion and try applying the fixes as patches to identity server. Other wise you can try 5.2.0-M1 or a later version which this issue has been fixed.
I'm currently working with WSO2 suite and I've been trying to do an example from wso2 official documentation server, that you can find here. I already configure everything step by step and when i run travelocity application in my localhost it looks like the example says, i click in the link and it redirects me to Identity Server login. I type in user and password, and then it redirects me to travelocity home page, but then i run into this error: SAML 2.0 based Single Sign-On
Error when processing the authentication request!
I check out the debuging log and it says that authentication succeeded and Identity Server sent the response to travelocity.
I have no idea what could be happening, please help me out.
I shared the log files here. My English is bad and i'm new working with WSO2, please be patient with me.
The logs at WSO2 IS side says Signature validation for Authentication Request failed. The possible reason could be that you have not selected the correct certificate alias at WSO2 IS.
To do that, edit your service provider's SAML configuration and update the Certificate Alias with the correct value. In default case it should have the value wso2carbon. In case you have configured it to something else, select the one you have configured.
We've Installed Pre-Packaged Identity Server 5.1.0 with API Manager 1.10.0 and use sqlserver as a data store.
We use OAUTH2 to authorize our API's and we want to map our local claims to a service provider (an application?). Behind the API we have a .Net Wcf Service with some logging where we read the header with WebOperationContext.Current.IncomingRequest.Headers["assertion"] and print the claims which are present.
The Claims which are returned are:
{"iss":"wso2.org/products/am"
"exp":1462357259751
"wso2url/claims/subscriber":"Sjaak"
"wso2url/claims/applicationid":"1003"
"wso2url/claims/applicationname":"DefaultApplication"
"wso2url/claims/applicationtier":"Medium"
"wso2url/claims/apicontext":"/Test/v1.0"
"wso2url/claims/version":"v1.0"
"wso2url/claims/tier":"Silver"
"wso2url/claims/keytype":"PRODUCTION"
"wso2url/claims/usertype":"APPLICATION"
"wso2url/claims/enduser":"Sjaak#carbon.super"
"wso2url/claims/enduserTenantId":"-1234"
"wso2url/claims/emailaddress":"sjakie#chocola.nl"
"wso2url/claims/givenname":"Sjakie"
"wso2url/claims/lastname":"van de Chocoladefabriek"
"wso2url/claims/role":"Internal/subscriber
Internal/everyone
Application/Sjaak_DefaultApplication_PRODUCTION"}
Where wso2url is http://wso2.org, but we cannot post this, because I don't have 10 reputation points...:(
The information in these claims is good, but only we want to use our own uri, so not wso2.org, but myorg.com. And we want to add other claims, with for example our own userId and some other stuff.
Among other things we have followed the guide for configuring claims for a service provider but had no success with this. We have made the assumption that an application is a service provider for which we can use the claims.
Has anyone got an idea what we are doing wrong? What do we need to do to add custom claims?
Thanks in advance!
[Added on 9th may]
Maybe this can point us in the right direction?
When we add a subscription to an application and we generate a new key than there is no new Service provider in the list:
The list of service provider without a new one for user Sjaak, so there is missing: Sjaak_CalculatorApp_PRODUCTION
But even when we do this for user admin the claims are not coming through. We have the following claim configuration and in my logging still the same claims as described above are there, no new ones, so no claim named accountnaam and no voogd.com uri:
Service Provider(SP) - It provides services to some end users and relies on a trusted Identity provider(IDP) to handle authentication and authorization for them. SP may use multiple protocols(Oauth2, SAML2, etc.) to communicate with IDP.
Claims are defined for SP, since same claims can be send over different protocols. In the default case, Identity server uses wso2 claim dialect(start with wos2.com) for claims. If you want a different claim dialect than this, use "Define Custom Claim Dialect" option in the service provider configuration. In there you can map wso2 claims(Local Claim) to your own claims(Service Provider Claim).