The SAML2 request is sent to WSO2 Identity Server with HTTP-GET binding, but it still POSTs the response. Any idea to let WSO2IS respect the request?
[2014-03-06 17:52:25,961] DEBUG {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Request message <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_73d5b9c1-d448-4076-9e9d-98767f1e2a2d" Version="2.0" IssueInstant="2014-03-06T17:52:21" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-GET" AssertionConsumerServiceURL="http://host.tld/java-saml/consume.jsp"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://host.tld/java-saml/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" AllowCreate="true"></samlp:NameIDPolicy><samlp:RequestedAuthnContext Comparison="exact"></samlp:RequestedAuthnContext><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:AuthnRequest>
results in firefox:
You are now redirected back to http://host.tld/java-saml/consume.jsp If the redirection fails, please click the post button.
Any idea to fix it? In the request or in WSO2IS do I need to configure?
Yes.. It must be the expected behavior, SAML response must be sent as POST from IDP to the SP. (can not use HTTP Redirect) It is defined in the specification. Please check the saml-profile spec. WSO2 identity Server may not support for Artifact binding, therefore it does HTTP POST.
The identity provider issues a <Response> message to be delivered by the user agent to the service provider. Either the HTTP POST, or HTTP Artifact binding can be used to transfer the message to the service provider through the user agent. The message may indicate an error, or will include (at least) an authentication assertion. The HTTP Redirect binding MUST NOT be used, as the response will typically exceed the URL length permitted by most user agents.
I guess, POST button and the page that you shown can be changed and modified.
Related
I have question on wso2 EI 6.6.0 and preemptive/non-preemptive authentication. Can I check which incoming calls to wso2 use preemptive and nonpreemtive authentication in Synapse handler? Some systems don't send the HTTP authorization header on the first call and generate error logs in wso2. Is there an attribute in wso2 to determine what kind of authentication it is?
Thank you
In a non-preemptive scenario, the client sends a request without the Authorization header and the server responds to the client with a WWW_Authenticate header indicating that the server requires Authentication details. So the client will read this header and send another request with the required authentication headers.
To answer your question the only way the server can identify whether the request is a non-preemptive request is to check the existence of the Authorization header. So in your Authentication Handler you can check the existence of the Authorization header and respond the client accordingly. You can refer this Authorization Handler implementation where the non-preemptive scenario is handled.
I have create a service provide use OIDC. When I login to this.'invalid_grant, Invalid authorization code received from token request' Occured. How can I change my configuration on service provide so that I can login?
Thanks
This should not be a configuration issue in most of the cases and might be an issue with the token request which you send to exchange the authorization code into an access token.
Tip: You may validate whether the client id used in the /oauth2/authorize request is matching with the one sent in the /oauth2/token request.
I am trying to setup a service provider that uses WSO2 IS for authentication via SAML2. Now, wehave a use-case in which the user is a machine (i.e. an external program) that needs to access the service provider. Since the user is a machine, there is no browser and cannot use the WSO2 login form to complete the authentication steps, though it has been given a username and password since it is still a user.
My question is how can this non-GUI user participate in the SAML2 workflow (specifically pass credentials to WSO2 to obtain a SAMLV2 Assertion message) and access the service provider?
I tried to do the following as a simulation but I failed
1) curl -v -k http://localhost:8000/service_provider/login
2) Extracting the SAML message from the response:
curl --user username:password -v -k https://localhost:9443/samlsso?SAMLRequest=<ENCODED_REQUEST>
Basically, I was expecting to get a redirect response from WSO2 back to the service provider with SAML assertion message, but instead I got the following:
https://localhost:9443/authenticationendpoint/login.do;jsessionid=7QON18982323HWIH?commonAuthCallerPath=%2Fsamlsso&forceAuth=false&passiveAuth=false&tenantDomain=carbon.super&sessionDataKey=122JhQ-JQOJ-H8123&relyingParty=test-saml2&type=samlsso&sp=test&isSaaSApp=false&authenticators=BasicAuthenticator:LOCAL, which is the same url that is used when a human user authenticates using a browser.
I also tried using HTTP-POST Binding with "sectoken" form param as suggested in this article: http://xacmlinfo.org/2015/02/12/sso-without-identity-provider-login-page/ . But it didn't work either.
I also tried making SOAP requests to WSO2's AuthenticationAdminHttpsSoap12Endpoint service, specifically the "login" method. I used the JSESSIONID I got from the SOAP response to the above steps but the effect was the same. This is not a surprise to me since WSO2 does not use JSESSIONID to check if you are authenticated already (at least not for trying to grab SAML responses).
1.Get login form
Request
curl -v http://localhost:8000/service_provider/login
Response
Extract SAMLRequest and SSOAuthSessionID (if RelayState presents extract it too)
2.Send saml request to IDP using extracted valuses in step1(In browser this will happen through redirection)
Request
Endpoint : https://<is_host>:9443/samlsso
Verb :post
Content-Type:application/x-www-form-urlencoded
Parameters:[
SAMLRequest:<value from previous step>,
SSOAuthSessionID:<value from previous step>,
RelayState :<value from previous step>]
Response
This will give IS login page.Extract sessionDataKey from that.
3. Login by providing user name password
Reqeust
Endpoint:https://<is_host>:9443/commonauth
Content-Type:application/x-www-form-urlencoded
Verb :post
Parameters: [tocommonauth:true,username:xxxx,password:xxx,sessionDataKey:<extracted from previous step>]
Response
Extract SAML response
5.Post the saml resposne to ACS url of service provider
I have configured the sample travelocity.com webapp to work with saml2 SSO following link configure SSO web app
But when i try to login using account i get following error message on browser
Here is what i get in logs:
TID: [0] [IS] [2015-03-10 21:06:26,835] WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - Signature validation for Authentication Request failed. {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor}
After again i tried without restart of server i got this error:
TID: [0] [IS] [2015-03-10 20:30:51,261] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
I am not sure what is wrong. I have also installed latest service pack . I am using wso2is-5.0.0
Please help.
This same web application is working fine with WSO2IS. I have already tried out it..Details can be found from here as well
According to the error, it says Signature validation for Authentication Request failed it means that SAML2 Auth request that is sent by Web application has been signed and WSO2IS tries to validate the signature of it. WSO2IS does not validate the signature by default, you may have probably tick on following configuration in the SAML2 SSO configuration.
Enable Signature Validation in Authentication Requests and Logout Requests
Please verify it and un-tick it and see.
If you want to really validate the signature of SAML2 Auth requests, you need to tick it. Then you must chose the proper Certificate Alias value from the combo box. Please note proper value is NOT the wso2carbon.cert. Proper value is wso2carbon. Then it would work for you.
Second error may be related to browser cache, just clear the browser cache and try out.. (or open new browser)
Most probably this is a mismatch in the keystores.
Just copy
$WSO2IS/repository/resources/security/keystore.jks
To
$TOMCAT/saml2-web-app-pickup-dispatch.com/WEB-INF/classes
This way, both keystores are the same. Restart Tomcat and it should work fine.
I want to use WSO2 Identity Server as an IDP but partner would like the assertion to be returned as a cookie. Is this possible with WSO2 ID Server?
TIA
According to the SAML2 SSO web browser specification, IDP (WSO2IS) return SAML response as HTTP POST (body). if you want to return it as a cookie from WSOIS (It means assertion in the HTTP Header), it is not possible with default behavior. IMO, there may be work around that can be done... One is that, we can register a new servlet with WSO2IS (custom servlet). Then WSO2IS do post the SAML response to that custom servlet. Inside custom servlet, we can extract the SAML response from post request. And then SAML assertion can be extracted from response and we can add this assertion in to HTTP header using the custom servlet. Finally, WSO2IS would return a SAML assertion in HTTP header... likewise we can customize the default behavior easily. However, could you, please elaborate what is the actual use case?