Hi Pavithra,

Yes, they are the same; you can see both below.

<rp:RelyingParty id="store"
                 provider="https://idp.wso2.org/idp/shibboleth"
                 defaultSigningCredentialRef="IdPCredential"
                 defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                             signResponses="always"
                             signAssertions="always"
                             encryptAssertions="never"
                             encryptNameIds="never"/>
</rp:RelyingParty>

<EntityDescriptor entityID="store" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

in the /opt/shibboleth-idp/metadata/store.xml file.

On Tue, Jul 28, 2015 at 3:57 PM, Pavithra Madurangi <pavit...@wso2.com>
wrote:

> Can you please double check whether the issuer name (store) exactly
> matches with shibboleth metadata configs (RelyingParty id in
> relying-party.xml and entityID specified in config file @ metadata folder)
>
> On Tue, Jul 28, 2015 at 3:52 PM, Abimaran Kugathasan <abima...@wso2.com>
> wrote:
>
>> Hi All,
>>
>>
>> I have configured API Manager 1.9.0 with Shibboleth 2.4.4 for SSO
>> functionality. I have used
>> "https://idp.wso2.org:443/idp/profile/SAML2/POST/SSO" as the
>> "IdentityProviderSSOServiceURL" in store/site/conf/site.json file like below
>>
>> "ssoConfiguration" : {
>>         "enabled" : "true",
>>         "issuer" : "store",
>>         "identityProviderURL" : "https://idp.wso2.org:443/idp/profile/SAML2/POST/SSO",
>>         "keyStorePassword" : "wso2carbon",
>>         "identityAlias" : "idp.wso2.org",
>>         "responseSigningEnabled" : "true",
>>         "keyStoreName" : "repository/resources/security/wso2carbon.jks",
>>         "passive" : "false",
>>         "signRequests" : "false",
>>         "acsURL" : "https://localhost:9443/store/jagg/jaggery_acs.jag"
>>     }
>>
>> I'm getting the below exception in APIM while logging in to the API Store:
>>
>> [2015-07-28 13:52:26,658]  WARN - AuthenticationHandler Illegal access
>> attempt at [2015-07-28 13:52:26,0658] from IP address 10.100.5.121 :
>> Service is RemoteAuthorizationManagerService
>> [2015-07-28 13:52:26,660] ERROR - AxisEngine Access Denied. Please login
>> first.
>> org.apache.axis2.AxisFault: Access Denied. Please login first.
>> at
>> org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.authenticate(AuthenticationHandler.java:97)
>> at
>> org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.invoke(AuthenticationHandler.java:66)
>> at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>> at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>> at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
>> at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
>> at
>> org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
>> at
>> org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
>> at
>> org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
>> at
>> org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>> at
>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>> at
>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
>> at
>> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at
>> org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>> at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>> at
>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>> at
>> org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
>> at
>> org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
>> at
>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
>> at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>> at
>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>> at
>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>> at
>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1736)
>> at
>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1695)
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> at
>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> And I'm getting the below exception in the Shibboleth IDP:
>>
>> 13:52:26.714 - ERROR
>> [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:88]
>> - Error occurred while processing request
>> java.lang.ClassCastException:
>> org.opensaml.saml2.core.impl.LogoutRequestImpl cannot be cast to
>> org.opensaml.saml2.core.AuthnRequest
>> at
>> edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:390)
>> ~[shibboleth-identityprovider-2.4.4.jar:na]
>> at
>> edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:211)
>> ~[shibboleth-identityprovider-2.4.4.jar:na]
>> at
>> edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:189)
>> ~[shibboleth-identityprovider-2.4.4.jar:na]
>> at
>> edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:90)
>> ~[shibboleth-identityprovider-2.4.4.jar:na]
>> at
>> edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83)
>> ~[shibboleth-common-1.4.4.jar:na]
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
>> [servlet-api.jar:na]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
>> [catalina.jar:8.0.24]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> [catalina.jar:8.0.24]
>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>> [tomcat-websocket.jar:8.0.24]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> [catalina.jar:8.0.24]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> [catalina.jar:8.0.24]
>> at
>> edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50)
>> [shibboleth-identityprovider-2.4.4.jar:na]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> [catalina.jar:8.0.24]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> [catalina.jar:8.0.24]
>> at
>> edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87)
>> [shibboleth-identityprovider-2.4.4.jar:na]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> [catalina.jar:8.0.24]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> [catalina.jar:8.0.24]
>> at
>> edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52)
>> [shibboleth-common-1.4.4.jar:na]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> [catalina.jar:8.0.24]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> [catalina.jar:8.0.24]
>> at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:203)
>> [catalina.jar:8.0.24]
>> at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
>> [catalina.jar:8.0.24]
>> at
>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>> [catalina.jar:8.0.24]
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>> [catalina.jar:8.0.24]
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>> [catalina.jar:8.0.24]
>> at
>> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
>> [catalina.jar:8.0.24]
>> at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>> [catalina.jar:8.0.24]
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
>> [catalina.jar:8.0.24]
>> at
>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
>> [tomcat-coyote.jar:8.0.24]
>> at
>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
>> [tomcat-coyote.jar:8.0.24]
>> at
>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1527)
>> [tomcat-coyote.jar:8.0.24]
>> at
>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1484)
>> [tomcat-coyote.jar:8.0.24]
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> [na:1.7.0_55]
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> [na:1.7.0_55]
>> at
>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> [tomcat-util.jar:8.0.24]
>> at java.lang.Thread.run(Thread.java:745) [na:1.7.0_55]
>> 13:52:26.716 - DEBUG
>> [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] -
>> LoginContext key cookie was not present in request
>> 13:52:26.716 - DEBUG
>> [edu.internet2.middleware.shibboleth.idp.ui.ServiceContactTag:177] - No
>> relying party, nothing to display
>>
>> It seems I'm sending the SAML logout request to the wrong endpoint of
>> Shibboleth. I checked with the Mozilla SSO Tracer; APIM sends the SAML logout
>> request right after the login response from the Shibboleth IDP.
>>
>> Has anyone worked with the above scenario?
>>
>> --
>> Thanks
>> Abimaran Kugathasan
>>
>> Software Engineer | WSO2 Inc
>> Data & APIs Technologies Team
>> Mobile : +94 773922820
>>
>> <http://stackoverflow.com/users/515034>
>> <http://lk.linkedin.com/in/abimaran>
>> <http://www.lkabimaran.blogspot.com/>  <https://github.com/abimarank>
>> <https://twitter.com/abimaran>
>>
>>
>
>
> --
> *Pavithra Madurangi*
> Associate Technical Lead - QA.
> WSO2 Inc.: http://wso2.com/
> Mobile: 0777207357 / 0112747089
>



-- 
Thanks
Abimaran Kugathasan

Software Engineer | WSO2 Inc
Data & APIs Technologies Team
Mobile : +94 773922820

<http://stackoverflow.com/users/515034>
<http://lk.linkedin.com/in/abimaran>  <http://www.lkabimaran.blogspot.com/>
<https://github.com/abimarank>  <https://twitter.com/abimaran>
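
The issuer cross-check requested in this thread, as an added Python example (not part of the original messages and not WSO2 or Shibboleth code). It compares the site.json "issuer" with the RelyingParty id and the metadata entityID by exact string match; the embedded inputs are constructed samples modelled on the quoted snippets, and the function names are hypothetical.

```python
import json
import xml.etree.ElementTree as ET

# Constructed samples modelled on the snippets quoted in the thread.
SITE_JSON = '{"ssoConfiguration": {"enabled": "true", "issuer": "store"}}'
RELYING_PARTY_XML = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party">
  <rp:RelyingParty id="store" provider="https://idp.wso2.org/idp/shibboleth"
                   defaultSigningCredentialRef="IdPCredential"/>
</rp:RelyingPartyGroup>"""
METADATA_XML = """<EntityDescriptor entityID="store"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def attr_values(xml_text, element, attribute):
    """Collect `attribute` from every `element`, ignoring namespace prefixes."""
    root = ET.fromstring(xml_text)
    return [el.get(attribute) for el in root.iter()
            if local(el.tag) == element and el.get(attribute) is not None]


def check_issuer(site_json, relying_party_xml, metadata_xml):
    """Return a list of mismatch descriptions; empty means all three agree."""
    issuer = json.loads(site_json)["ssoConfiguration"]["issuer"]
    problems = []
    for label, values in (
        ("RelyingParty id", attr_values(relying_party_xml, "RelyingParty", "id")),
        ("EntityDescriptor entityID",
         attr_values(metadata_xml, "EntityDescriptor", "entityID")),
    ):
        if issuer in values:
            continue
        # Exact comparison failed: point out case or whitespace near misses.
        near = [v for v in values if v.strip().lower() == issuer.strip().lower()]
        hint = f" (near miss: {near[0]!r})" if near else ""
        problems.append(f"{label}: no exact match for issuer {issuer!r}{hint}")
    return problems


if __name__ == "__main__":
    result = check_issuer(SITE_JSON, RELYING_PARTY_XML, METADATA_XML)
    for line in result or ["issuer matches in all three files"]:
        print(line)
```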