I want to use WSO2 Identity Server as an IDP but partner would like the assertion to be returned as a cookie. Is this possible with WSO2 ID Server?
TIA
According to the SAML2 SSO web browser specification, IDP (WSO2IS) return SAML response as HTTP POST (body). if you want to return it as a cookie from WSOIS (It means assertion in the HTTP Header), it is not possible with default behavior. IMO, there may be work around that can be done... One is that, we can register a new servlet with WSO2IS (custom servlet). Then WSO2IS do post the SAML response to that custom servlet. Inside custom servlet, we can extract the SAML response from post request. And then SAML assertion can be extracted from response and we can add this assertion in to HTTP header using the custom servlet. Finally, WSO2IS would return a SAML assertion in HTTP header... likewise we can customize the default behavior easily. However, could you, please elaborate what is the actual use case?
Related
I have a requirement that I need to validate 3rd party Authorization Server access token in wso2 API manager. If token active and valid then allow resource
imho as the simplest solution you could build a custom inbound mediation flow for that (if you are familiar with wso2 esb mediations). For this option you will loose some apim capabilities (throttling, authorization, analytics)
you should aware the default authorization handler would clean the Authorization header (as far I know) , so you may need to add a custom handler to preserve the original header value
I'm using wso2am 2.0.0 and trying to configure SSO for access to the store and publisher application.
I'm not using wso2 IS but just configured the api manager directly to my IdP server(I have edited the site.json file to with my IdP setting)
I'm getting this exception after being authenticated to my IdP:
SAML Response contains invalid number of assertions. {org.wso2.carbon.hostobjects.sso.SAMLSSORelyingPartyObject}
It look like my SAML response isn't correct but i'm unable to find why?
There was no problem with my SAML response .
The problem was caused by a difference between my IdP server and the api manager timezone (they are deployed in two different environment), so the exception is thrown when comparing the current time in the gateway with the NotBefore/NotOnOrAfter
So may be a more significant error message could help
You can use an online SAML Response decoders like this and see what's wrong with you SAML response.
Another option is to use SAML Tracer in firefox.
I am trying to use Postman to make a SAML 2 Post. This imitates what the post request from http://stubidp.kentor.se/ sends to our Service Provider for SAML authentication. However, the Postman Request always returns an error. Is there any additional requirements in the Post?
I'm trying out the SimpleSAMLphp sample app with WSO2 Identity Server as the Identity Provider. I can successfully login and logout. The SAML assertion and the response is signed.
I want to know how to validate the (response and assertion) signature in the client application using SimpleSAMLphp.
When acting as Service Provider (SP), SimpleSAMLphp will always validate response signature by default, so you don't have to do it yourself. This is mandated by 'saml2int', so I guess it conforms to that (in SAML2Core it is only recommended).
You can check relevant SSP code which initiates the check and the
signature check itself.
The SAML2 request is sent to WSO2 Identity Server with HTTP-GET binding, but it still POSTs the response. Any idea to let WSO2IS respect the request?
[2014-03-06 17:52:25,961] DEBUG {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Request message <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_73d5b9c1-d448-4076-9e9d-98767f1e2a2d" Version="2.0" IssueInstant="2014-03-06T17:52:21" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-GET" AssertionConsumerServiceURL="http://host.tld/java-saml/consume.jsp"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://host.tld/java-saml/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" AllowCreate="true"></samlp:NameIDPolicy><samlp:RequestedAuthnContext Comparison="exact"></samlp:RequestedAuthnContext><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:AuthnRequest>
results in firefox:
You are now redirected back to http://host.tld/java-saml/consume.jsp If the redirection fails, please click the post button.
Any idea to fix it? In the request or in WSO2IS do I need to configure?
Yes.. It must be the expected behavior, SAML response must be sent as POST from IDP to the SP. (can not use HTTP Redirect) It is defined in the specification. Please check the saml-profile spec. WSO2 identity Server may not support for Artifact binding, therefore it does HTTP POST.
The identity provider issues a <Response> message to be delivered by the user agent to the service provider. Either the HTTP POST, or HTTP Artifact binding can be used to transfer the message to the service provider through the user agent. The message may indicate an error, or will include (at least) an authentication assertion. The HTTP Redirect binding MUST NOT be used, as the response will typically exceed the URL length permitted by most user agents.
I guess, POST button and the page that you shown can be changed and modified.