I have attached my Active Directory as a secondary user store and can see the list of users when i select "Users" however when accessing an APP through tomcat that is linked to SAML SSO i cannot login using an AD Account
can anyone suggest what i am missing?
the error in the system logs is
TID[-1234] [IS] [2014-02-13 13:49:02,321] DEBUG {org.wso2.carbon.identity.application.authenticator.basicauth.BasicAuthenticator} - user authentication failed due to invalid credentials.
however my login credentials are correct...
Because i was using email address as a login that was causing the issue!
the steps i took are as follows:
IS_HOME/repository/conf/carbon.xml file.
Open carbon.xml
Locate EnableEmailUserName element and uncomment it.
Finally, it should be similar to the following
true
Now, restart IS
You should be able to login using your user name
Could you check whether you can login to WSO2 management console using above credentials. If you can not, please go to Management Console -> Configure -> Users and Roles -> Roles and you can see the internal\everyone role. And configure "login" permission for everyone role. Then please try to login...
Also, if you enable the debug logs in org.wso2.carbon.user.core, you can see more debug logs about authentication failure.
I think your configuration is not ok.same login issue already solved here.cannot login to wso2 Identity server with the ldap credentials.
Make sure UserDNPattern property is correct
Related
We are running WSO2 IDS, ESB, BPS in Docker containers. All components are using Identity Server and all works great, but when I'm trying to login to bpmn-explorer I'm getting "Username or password invalid!" I tried with default admin credentials, and also I have created new user directly in BPS but nothing works. Could you please tell me where can I find bpmn-explorer logs or what files I need to modify.
Had the same problem, and the solution is allowing more privileges to the admin account role on the carbon console of the BPS.
Adding more permissions on BPS to the associated admin role
And the internal exception throwed with the problem was registered on the BPS carbon.log file:
Caused by: org.wso2.carbon.user.core.UserStoreException: Invalid Permission root
path provided
Now you can enter to the bpmn-explorer console.
I am using AWS Cognito API, I trying to login using the code provided on this URL https://github.com/pmill/aws-cognito/blob/master/examples/login.php, and getting exception "Auth flow not enabled for this client" "InvalidParameterException", please let me know if I am missing something or doing something wrong, user was signed up and confirmed successfully but not able to login? If help would be appreciated.
Thanks
Sounds like there is some issue with your Userpool settings. In Cognito Userpool console, select your Userpool. Go to App Integration --> App client Settings . Select your App Client. Under OAuth2 --> Allowed OAuth flows, select the first 2 options (Authorization code grant & Implicit grant. Also, under Allowed scopes select the ones you want to allow. You can select all of them for testing. Save the changes. This should fix the error (atleast the first one - "Auth flow not enabled for this client). See if you get any errors.
If you still get the error, then may be ADMIN_NO_SRP_AUTH is not enabled for your client. In your Userpool settings, go to App Clients (and not App Client Settings). Click on Show Details for your app client. Select the ADMIN_NO_SRP_AUTH option i.e. Enable sign-in API for server-based authentication and save. See if this fixes your issue.
I published one article on fixing this error on Linkedin. Here's the link: https://www.linkedin.com/pulse/amazon-cognito-how-fix-error-auth-flow-enabled-client-malik/
My brief answer is: please check "Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH)" as shown in below picture.
When I try to log into the Store with the Admin account, it displays the following message:
No Privileges to login
You do not have permission to login to this application. Please contact your administrator and request permission.
I have checked and made sure the Admin account does indeed have the permissions it needs to log into the Store. I even created a new account and gave it all permissions, and it won't allow that account to log in either.
I even went as far as to dig into the database itself through MySQL, and best I can tell the proper permissions are there.
The last time this happened to me, I ended up unzipping a fresh copy of the EMM product and creating a brand new database for it because I couldn't figure out a solution. I tried unzipping a fresh copy of the EMM product, but running on the same database, it had no change in behavior. I have a database full of data I don't want to lose now, so I'd much rather find a fix than have to wipe it all out again!
WSo2 EMM 2.0.0
Windows Server 2012 R2
MySQL 5.5
EDIT: relevant logs:
TID: [-1234] [] [2016-03-25 05:21:19,862] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'admin[-1234]' at [2016-03-25 05:21:19,862-0500]
TID: [-1234] [] [2016-03-25 05:21:19,862] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} - Illegal access attempt at [2016-03-25 05:21:19,0862] from IP address 10.200.201.108 while trying to authenticate access to service RemoteAuthorizationManagerService
TID: [-1234] [] [2016-03-25 05:21:19,909] WARN {JAGGERY.controllers.acs:jag} - User admin#carbon.super does not have permission to access the store application. Make sure the user has the store role.
I figured it out!
The issue is specifically triggered by changing the password on the admin account to anything but "admin". Changing it back appears to rectify the issue.
Obviously this is a bug, as the admin account should be able to have its password changed and still be able to log into the Store. To be clear, there was never any issue logging into the Publisher; just the Store. Additionally, if the admin password was changed, no accounts could log into the Store at all, regardless of their permissions level.
I tested this with a fresh EMM pack, version 2.0.0 and 2.0.1, using the H2 and MySQL 5.5. In all cases the issue occurred.
A bug report has been filed on WSo2's JIRA board here.
Is there are any configuration changes in your side.I got EMM 2.0.0 fresh pack and configure mysql 5.5.I tried to login emm store but It is working properly.
This issue is raised in once we are trying change the password from the EMM console. But We can change the admin password from the /repository/conf/user-mgt.xml
<AdminUser>
<UserName>admin</UserName>
<Password>admin</Password>
</AdminUser>
and /repository/conf/app-manager.xml admin credintials.
I am very new to wso2. I try to integrate wso2 identity server 5.0 with an external ldap. I configured it according to this : https://docs.wso2.com/display/IS500/Configuring+a+Read-only+LDAP+User+Store
At the end of the link, it says that try to sign in with admin user but how can I authenticate an another user which is available in LDAP? Is it possible to login to the identity server with another ldap user (other than admin).
Thanks
according the configuration how it is described, a new user 'admin' with 'admin' role is added after startup. I assume you want to log on another user. You should be able to authenticate other users as well for other service providers (applications), but not in the management console. For that the admin role is required.
What you can try is to use the 'dashboard' application ( https://your-is-server-hostname:9443/dashboard/ )
Have fun
g.
Since you are configuring a read-only LDAP as the primary user store,
The user that should have admin permissions is required to be stored in the user store when you start the system for the first time. After that you have to give the login permission for all users in the LDAP user store. Login permission defined under admin permissions, which allows users to login to the management console.
Configure----->Users and Roles----->Roles----->Select "Permissions" of "Internal/everyone" or "Internal/your configured application" that you would like to give the permission.
Select "Login".
Update.
For the more details you can refer [1].
[1] https://docs.wso2.com/display/IS500/Role-based+Permissions
I use WSO2 5.0.0 as IdP and the user store is an Active Directory (AD). User and Roles are listed in WSO2 Management console and I'am also being able to login in WSO2 with User/PW stored in AD.
Therefore everything works fine.
The only problem I have is that if I request roles of users (e.g. over RemoteUserStoreManagement- WebService with method getUserClaimValues) than I get the WSO2 roles and not the Active Directory Roles assigned to the users in the AD. Also only the WSO2- Roles are mapped to users in WSO2.
Actually I have only basic knowledge in AD (I haven't adjust the current connection between WSO2 and AD) - therefore I have no idea where I should have a look at in order to resolve this problem.
Has anybody a hint concerning this issue (user-mgt.xml or WSO2 console or ...)
Thanks a lot for help!
So, you need to retrieve the roles of the user? According what you have mentioned, Please do following to resolve this issue.
Please add following attributes under user store manager configuration in user-mgt.xml file, if there are not with the configuration.
<Property name="BackLinksEnabled">true</Property>
<Property name="MemberOfAttribute">memberOf</Property>
Please restart the server and verify.
Please enable the debug logs in the user kernel and verify where is the issue has been generated.
To enable logs,
Locate log4j.properties file which can be found at /repository/conf directory.
Add following entry in to the file
log4j.logger.org.wso2.carbon.identity.sso.saml=DEBUG
Restart the server and try to invoke the server. You would see LDAP related logs where it would help to identify the issue.