SimpleSaml and WSO2 Identity Provider 5 - wso2

Perhaps someone can assist.
I've setup Simplesaml on a server and i am attempting to use it to auth off wso2 (which is using a facebook authenticator) and its running on a different server.
When i test the simplesaml i get the following error
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /var/simplesamlphp/simplesamlphp/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: Could not find the metadata of an IdP with entity ID 'localhost'
Backtrace:
2 /var/simplesamlphp/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:134 (sspmod_saml_Auth_Source_SP::getIdPMetadata)
1 /var/simplesamlphp/simplesamlphp/modules/saml/www/sp/saml2-acs.php:74 (require)
0 /var/simplesamlphp/simplesamlphp/www/module.php:135 (N/A)
`
As you can see its complaining about localhost idp. I really cannot find any reference to localhost in any of my configurations files. Has anyone seen this before.
Thanks in advance for the assistance

I think in SAML Assertion that is sent by Identity Server, contains localhost value. Could you please verify. If you can edit this value using the management console of identity server.
You need to configure the issuer name in the Identity Server side. By default, it has been configured as localhost. You can login to management console of Identity Server and configure the Resident Identity Provider which can be seen under Identity Provider -> List menu.
I have attached a screen shot on configuring it.

Related

Login to the Identity Server Using Another Identity Server - SAML2

I'm currently working with WSO2 suite and I've been trying to do an example from wso2 official documentation server, that you can find here. I already configure everything step by step and when i run travelocity application in my localhost it looks like the example says, i click in the link and it redirects me to Identity Server login. I type in user and password, and then it redirects me to travelocity home page, but then i run into this error: SAML 2.0 based Single Sign-On
Error when processing the authentication request!
I check out the debuging log and it says that authentication succeeded and Identity Server sent the response to travelocity.
I have no idea what could be happening, please help me out.
I shared the log files here. My English is bad and i'm new working with WSO2, please be patient with me.
The logs at WSO2 IS side says Signature validation for Authentication Request failed. The possible reason could be that you have not selected the correct certificate alias at WSO2 IS.
To do that, edit your service provider's SAML configuration and update the Certificate Alias with the correct value. In default case it should have the value wso2carbon. In case you have configured it to something else, select the one you have configured.

wso2 IS 5 with SP1 - No Established Sessions corresponding to Session Indexes provided

I have configured my application as service provider and configured as saml sso for authentication. Login is working fine but failing logout functionality (SLO).
Error:
No Established Sessions corresponding to Session Indexes provided.
Here is my configuration:
<SessionDataPersist>
<Enable>true</Enable>
<RememberMePeriod>20060</RememberMePeriod>
<CleanUp>
<Enable>true</Enable>
<Period>480</Period>
<TimeOut>20160</TimeOut>
</CleanUp>
<Temporary>false</Temporary>
</SessionDataPersist>
The samlp:LogoutRequest contains
**< samlp:SessionIndex>ba164b2e-fed5-4c0c-98c2-01542d854df < /samlp:SessionIndex>**
problem:
the above mentioned sessionIndex is present in idn_auth_session_store table as SAMLSSOParticipantCache. But I am getting the above mentioned exception.
Could someone help me out resolving the issue.
Thanks in advance.

Sample SSO webapplication does not work in wso2

I have configured the sample travelocity.com webapp to work with saml2 SSO following link configure SSO web app
But when i try to login using account i get following error message on browser
Here is what i get in logs:
TID: [0] [IS] [2015-03-10 21:06:26,835] WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - Signature validation for Authentication Request failed. {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor}
After again i tried without restart of server i got this error:
TID: [0] [IS] [2015-03-10 20:30:51,261] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
I am not sure what is wrong. I have also installed latest service pack . I am using wso2is-5.0.0
Please help.
This same web application is working fine with WSO2IS. I have already tried out it..Details can be found from here as well
According to the error, it says Signature validation for Authentication Request failed it means that SAML2 Auth request that is sent by Web application has been signed and WSO2IS tries to validate the signature of it. WSO2IS does not validate the signature by default, you may have probably tick on following configuration in the SAML2 SSO configuration.
Enable Signature Validation in Authentication Requests and Logout Requests
Please verify it and un-tick it and see.
If you want to really validate the signature of SAML2 Auth requests, you need to tick it. Then you must chose the proper Certificate Alias value from the combo box. Please note proper value is NOT the wso2carbon.cert. Proper value is wso2carbon. Then it would work for you.
Second error may be related to browser cache, just clear the browser cache and try out.. (or open new browser)
Most probably this is a mismatch in the keystores.
Just copy
$WSO2IS/repository/resources/security/keystore.jks
To
$TOMCAT/saml2-web-app-pickup-dispatch.com/WEB-INF/classes
This way, both keystores are the same. Restart Tomcat and it should work fine.

WSO2 Identity Server "Illegal Access attempt" (but only from different hosts)

I have two instances of WSO2 on two different machines, with the same policy published to both instances. Both WSO2 instances have admin/admin.
I use SOAPUI (running on 192.168.0.9) to try to test against the EntitlementService webservice and:
If I use SOAPUI to test against the EntitlementService webservice on the same machine that SOAPUI is running on (192.168.0.9), using either localhost or IP address, I get a XACML response with a Permit. However,
If I used SOAPUI to test against the EntitlementService webservice on the other machine (192.168.0.210), I get a XACML response with a Deny, and an "Illegal access attempt" error in the 192.168.0.210 WSO2 log:
Illegal access attempt at [2014-05-12 15:26:47,0563] from IP address
192.168.0.9 while trying to authenticate access to service EntitlementService
In both cases above, I have BASIC authentication and the 'admin' username and password setup in SOAPUI.
If I run Tryit on the 192.168.0.210 WSO2 admin to test against the 192.168.0.210 WSO2, I get a Permit, i.e., this shows that the policy on the 192.168.0.210 should return a Permit.
Finally, I'm pretty sure that this is something with WSO2, and not with SOAPUI, as I also tested from the 192.168.0.9 machine using Firefox and a plugin called RESTclient, to test doing the POST of the XACML request in the content body.
Is there something in WSO2 Identity Server that would cause it to return a Deny if the requests are coming from a different machine?
Thanks,
Jim
P.S. I'm seeing the following in the WSO2 wso2carbon.log file:
TID: [0] [IS] [2014-05-12 15:59:40,798] ERROR {org.wso2.carbon.core.services.authentication.AbstractAuthenticator} - Invalid remote address detected. {org.wso2.carbon.core.services.authentication.AbstractAuthenticator}
org.wso2.carbon.core.common.AuthenticationException: Authentication Failed : Invalid remote address passed - 0:0:0:0:0:0:0:1
at org.wso2.carbon.core.services.authentication.AuthenticationUtil.validateRemoteAddress(AuthenticationUtil.java:178)
at org.wso2.carbon.core.services.authentication.AuthenticationUtil.getRemoteAddress(AuthenticationUtil.java:156)
at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.getRemoteAddress(AbstractAuthenticator.java:304)
at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:136)
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.isAuthenticated(AuthenticationHandler.java:171)
{org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
Is there some way to turn off the remote address validation?

wso2 identity server Multifactor Authentication error

I am unable to implement Multifactor Authentication .
The error i am getting is
TID: [0] [WSO2 Identity Server] [2012-10-30 10:31:38,620] ERROR {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider} - login failed. Trying again.. {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider}
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate (SASLAuthentication.java:209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:301)
This is for wso2 Identity Server 3.2.3 . Straight out of the box. No additional configuration performed to run this instance of Identity Server.
It appears that signing in as admin , the ldap authentication is completed and then authentication with gtalk is attempted when the error occurs.
Should I be setting my own configuration in the identity.xml where gtalk is being set?
<MultifactorAuthentication>
<XMPPSettings>
<XMPPConfig>
<XMPPProvider>gtalk</XMPPProvider>
<XMPPServer>talk.google.com</XMPPServer>
<XMPPPort>5222</XMPPPort>
<XMPPExt>gmail.com</XMPPExt>
<XMPPUserName>multifactor1#gmail.com</XMPPUserName>
<XMPPPassword>wso2carbon</XMPPPassword>
</XMPPConfig>
</XMPPSettings>
</MultifactorAuthentication>
I found out that I do need to set up a Google talk account.
I added the new settings to the MultifactorAuthentication configuration.
I restarted the server.
I edited the user account with another new Google talk account.
I logged out.
Logged back in via relyingparty URL with openid,
received communication over gtalk requesting pin.
I entered the pin and got logged in.
It would have been nice if wso2 had I their documentation the need to setup the settings for this configuration to get multifactor authentication to work out of the box.