Custom Query Param in WSO2 SAML 2.0 Request - wso2

Can add custom query param with wso2 SAML 2.0 request rather than SAMLRequest,RelayState?
I want to make SAML request with target URL query param to make redirection to target URL after authentication success.
Example :9443/samlsso?SAMLRequest=jZPRb9owE.........&targetURL=home.jsp

You can add custom query parameters in to SAML Request... But only the "RelayState" would be redirected back to the service provider by WSO2IS. If you want to redirect to a target URL after authentication success, You must configure it as ACS in the service provider configurations of the WSO2IS.

You can use any parameter. But only Relaystate will be redirected back to SP.

Related

Enable Single Logout in WSO2 Identity server and redirect to custom login page

I am using WSO2-IS 5.3.0. I have configured many service provider and SAML SSO is working as expected. But when it comes to Logout, One functionality is working fine. It means it redirects me to a common logout page after an invaliding session.
Here, I have one case, I have one service provider for it, I need to perform single logout but it should redirect to my custom login page. Though IS providing the option to configure return URL(SLO Response URL) you can see in the below screenshot. I have done that but still its redirects to the common logout page.
Do I need any other configuration too?
You are performing an IdP initiated SLO as per the given request URL. In that case, you can use the returnTo parameter in that request to redirect the response.
So set the SLO response URL to return to URL of the Enable IdP initiated SLO config. Sample request would be as follow.
https://localhost:9443/samlsso?slo=true&spEntityID=travelocity.com&returnTo=https://localhost:8080/avs.com/slo
But, you might have to define the SP specific parameters in the request.
Reference : http://daytodayjava.blogspot.com/2015/08/saml2-idp-initiated-single-logout-with.html

Disable Case sensitive URLs for wso2 am

I created an api in wso2 api manager 2.0 publisher. When I publish this api, I have some resource /Some/things In the wso2 store. If I keep the case as is in the URL, then my api works. If I use any other tool to call and change the case in url to then I get a 202 error.
I know the WSO2 API Manager is handling the API URL correctly but i want to disable these feature.
how can i do this??
There is no option to disable case-sensitive in api manager. But you can rewrite the request url by any reverse proxy and send the request to apim.
e.g nginx url redirect[1]
[1] https://www.nginx.com/blog/creating-nginx-rewrite-rules/

Authenticate against WSO2 Identity Server with no browser and get SAML2 assertion message

I am trying to setup a service provider that uses WSO2 IS for authentication via SAML2. Now, wehave a use-case in which the user is a machine (i.e. an external program) that needs to access the service provider. Since the user is a machine, there is no browser and cannot use the WSO2 login form to complete the authentication steps, though it has been given a username and password since it is still a user.
My question is how can this non-GUI user participate in the SAML2 workflow (specifically pass credentials to WSO2 to obtain a SAMLV2 Assertion message) and access the service provider?
I tried to do the following as a simulation but I failed
1) curl -v -k http://localhost:8000/service_provider/login
2) Extracting the SAML message from the response:
curl --user username:password -v -k https://localhost:9443/samlsso?SAMLRequest=<ENCODED_REQUEST>
Basically, I was expecting to get a redirect response from WSO2 back to the service provider with SAML assertion message, but instead I got the following:
https://localhost:9443/authenticationendpoint/login.do;jsessionid=7QON18982323HWIH?commonAuthCallerPath=%2Fsamlsso&forceAuth=false&passiveAuth=false&tenantDomain=carbon.super&sessionDataKey=122JhQ-JQOJ-H8123&relyingParty=test-saml2&type=samlsso&sp=test&isSaaSApp=false&authenticators=BasicAuthenticator:LOCAL, which is the same url that is used when a human user authenticates using a browser.
I also tried using HTTP-POST Binding with "sectoken" form param as suggested in this article: http://xacmlinfo.org/2015/02/12/sso-without-identity-provider-login-page/ . But it didn't work either.
I also tried making SOAP requests to WSO2's AuthenticationAdminHttpsSoap12Endpoint service, specifically the "login" method. I used the JSESSIONID I got from the SOAP response to the above steps but the effect was the same. This is not a surprise to me since WSO2 does not use JSESSIONID to check if you are authenticated already (at least not for trying to grab SAML responses).
1.Get login form
Request
curl -v http://localhost:8000/service_provider/login
Response
Extract SAMLRequest and SSOAuthSessionID (if RelayState presents extract it too)
2.Send saml request to IDP using extracted valuses in step1(In browser this will happen through redirection)
Request
Endpoint : https://<is_host>:9443/samlsso
Verb :post
Content-Type:application/x-www-form-urlencoded
Parameters:[
SAMLRequest:<value from previous step>,
SSOAuthSessionID:<value from previous step>,
RelayState :<value from previous step>]
Response
This will give IS login page.Extract sessionDataKey from that.
3. Login by providing user name password
Reqeust
Endpoint:https://<is_host>:9443/commonauth
Content-Type:application/x-www-form-urlencoded
Verb :post
Parameters: [tocommonauth:true,username:xxxx,password:xxx,sessionDataKey:<extracted from previous step>]
Response
Extract SAML response
5.Post the saml resposne to ACS url of service provider

Send SAML assertion from IDP as acookie

I want to use WSO2 Identity Server as an IDP but partner would like the assertion to be returned as a cookie. Is this possible with WSO2 ID Server?
TIA
According to the SAML2 SSO web browser specification, IDP (WSO2IS) return SAML response as HTTP POST (body). if you want to return it as a cookie from WSOIS (It means assertion in the HTTP Header), it is not possible with default behavior. IMO, there may be work around that can be done... One is that, we can register a new servlet with WSO2IS (custom servlet). Then WSO2IS do post the SAML response to that custom servlet. Inside custom servlet, we can extract the SAML response from post request. And then SAML assertion can be extracted from response and we can add this assertion in to HTTP header using the custom servlet. Finally, WSO2IS would return a SAML assertion in HTTP header... likewise we can customize the default behavior easily. However, could you, please elaborate what is the actual use case?

WSO2 Identity Server SAML SSO return url

Is it possible somehow to pass a return url to the Identity Server when performing a SAML SSO and have that url posted back to my assertion url when the user authenticates successfully?
The RelayState (described here) parameter that is sent to the IdP can be used to post the return URL to the IdP and have it back when the Authentication Response is send back from the IdP. Of course as this is an HTTP POST parameter, if you store a URL there it has to be propertly encoded/decoded.
However keep in mind that this might be used by an attacker to trick the use to open a trusted URL (this of the identity server) and redirect it to a malicious site. To prevent this the redirect URL should be validated.