Can you please double-check whether the issuer name (store) exactly matches the Shibboleth metadata configs (RelyingParty id in relying-party.xml and entityID specified in the config file in the metadata folder)?

On Tue, Jul 28, 2015 at 3:52 PM, Abimaran Kugathasan <abima...@wso2.com> wrote:
> Hi All,
>
> I have configured API Manager 1.9.0 with Shibboleth 2.4.4 for SSO
> functionality. I have used
> "https://idp.wso2.org:443/idp/profile/SAML2/POST/SSO" as the
> "IdentityProviderSSOServiceURL" in the store/site/conf/site.json file, like below:
>
> "ssoConfiguration" : {
>     "enabled" : "true",
>     "issuer" : "store",
>     "identityProviderURL" : "https://idp.wso2.org:443/idp/profile/SAML2/POST/SSO",
>     "keyStorePassword" : "wso2carbon",
>     "identityAlias" : "idp.wso2.org",
>     "responseSigningEnabled":"true",
>     "keyStoreName" :"repository/resources/security/wso2carbon.jks",
>     "passive" : "false",
>     "signRequests" : "false",
>     "acsURL" :"https://localhost:9443/store/jagg/jaggery_acs.jag"
> }
>
> I'm getting the below exception in APIM while logging in to the API Store:
>
> [2015-07-28 13:52:26,658] WARN - AuthenticationHandler Illegal access attempt at [2015-07-28 13:52:26,0658] from IP address 10.100.5.121 : Service is RemoteAuthorizationManagerService
> [2015-07-28 13:52:26,660] ERROR - AxisEngine Access Denied. Please login first.
> org.apache.axis2.AxisFault: Access Denied. Please login first.
>     at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.authenticate(AuthenticationHandler.java:97)
>     at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.invoke(AuthenticationHandler.java:66)
>     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
>     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
>     at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
>     at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
>     at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
>     at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>     at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
>     at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
>     at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>     at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1736)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1695)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
>
> And I'm getting the below exception in the Shibboleth IdP:
>
> 13:52:26.714 - ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:88] - Error occurred while processing request
> java.lang.ClassCastException: org.opensaml.saml2.core.impl.LogoutRequestImpl cannot be cast to org.opensaml.saml2.core.AuthnRequest
>     at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:390) ~[shibboleth-identityprovider-2.4.4.jar:na]
>     at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:211) ~[shibboleth-identityprovider-2.4.4.jar:na]
>     at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:189) ~[shibboleth-identityprovider-2.4.4.jar:na]
>     at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:90) ~[shibboleth-identityprovider-2.4.4.jar:na]
>     at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) ~[shibboleth-common-1.4.4.jar:na]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) [servlet-api.jar:na]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291) [catalina.jar:8.0.24]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.24]
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.0.24]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.24]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.24]
>     at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.4.4.jar:na]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.24]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.24]
>     at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87) [shibboleth-identityprovider-2.4.4.jar:na]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.24]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.24]
>     at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.4.4.jar:na]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.24]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.24]
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:203) [catalina.jar:8.0.24]
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [catalina.jar:8.0.24]
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) [catalina.jar:8.0.24]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) [catalina.jar:8.0.24]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [catalina.jar:8.0.24]
>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617) [catalina.jar:8.0.24]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [catalina.jar:8.0.24]
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518) [catalina.jar:8.0.24]
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091) [tomcat-coyote.jar:8.0.24]
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668) [tomcat-coyote.jar:8.0.24]
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1527) [tomcat-coyote.jar:8.0.24]
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1484) [tomcat-coyote.jar:8.0.24]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_55]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_55]
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.24]
>     at java.lang.Thread.run(Thread.java:745) [na:1.7.0_55]
> 13:52:26.716 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request
> 13:52:26.716 - DEBUG [edu.internet2.middleware.shibboleth.idp.ui.ServiceContactTag:177] - No relying party, nothing to display
>
> It seems I'm sending the SAML logout request to the wrong endpoint of
> Shibboleth. I checked with the Mozilla SSO Tracer; APIM sends a SAML logout request
> right after the login response from the Shibboleth IdP.
>
> Has anyone worked on the above scenario?
>
> --
> Thanks
> Abimaran Kugathasan
>
> Software Engineer | WSO2 Inc
> Data & APIs Technologies Team
> Mobile : +94 773922820
>
> <http://stackoverflow.com/users/515034>
> <http://lk.linkedin.com/in/abimaran>
> <http://www.lkabimaran.blogspot.com/> <https://github.com/abimarank>
> <https://twitter.com/abimaran>

--
*Pavithra Madurangi*
Associate Technical Lead - QA.
WSO2 Inc.: http://wso2.com/
Mobile: 0777207357 / 0112747089
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
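
The issuer check suggested in the reply can be scripted. The following is an added example, not part of the thread or of WSO2/Shibboleth code: it compares the `issuer` from `ssoConfiguration` against the `entityID` in the SP metadata and the `RelyingParty id` in relying-party.xml. The sample documents, the `idp.example.org` host and the function names are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real deployment).
SITE_JSON = '''{"ssoConfiguration": {"enabled": "true", "issuer": "store",
  "identityProviderURL": "https://idp.example.org/idp/profile/SAML2/POST/SSO"}}'''

SP_METADATA = '''<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="Store">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>'''

RELYING_PARTY = '''<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party">
  <rp:DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth"/>
  <rp:RelyingParty id="store" provider="https://idp.example.org/idp/shibboleth"/>
</rp:RelyingPartyGroup>'''


def attr_values(xml_text, local_name, attr):
    """Collect `attr` from every element whose namespace-free name equals `local_name`."""
    root = ET.fromstring(xml_text)
    return [el.get(attr) for el in root.iter()
            if el.tag.rsplit('}', 1)[-1] == local_name and el.get(attr) is not None]


def classify(issuer, candidates):
    """'exact' for a character-for-character match, 'near' if only case or
    surrounding whitespace differs, otherwise 'missing'."""
    if issuer in candidates:
        return 'exact'
    folded = issuer.strip().casefold()
    if any(c.strip().casefold() == folded for c in candidates):
        return 'near'
    return 'missing'


def check_issuer(site_json, sp_metadata, relying_party):
    """Compare the SP issuer with the identifiers the IdP configuration knows."""
    issuer = json.loads(site_json)['ssoConfiguration']['issuer']
    return {
        'issuer': issuer,
        'metadata_entityID': classify(
            issuer, attr_values(sp_metadata, 'EntityDescriptor', 'entityID')),
        'relying_party_id': classify(
            issuer, attr_values(relying_party, 'RelyingParty', 'id')),
    }


if __name__ == '__main__':
    for key, value in check_issuer(SITE_JSON, SP_METADATA, RELYING_PARTY).items():
        print(f'{key}: {value}')
```

A `near` result is the case worth looking for: the identifiers look the same to a reader but are not an exact match, here because the constructed metadata uses `Store` while the issuer is `store`.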