Hi,

I'm trying to configure SSO in wso2es 2.1.0 in our staging environment. I
configured the SAML2SSOAuthenticator in
<ES_HOME>/repository/conf/security/authenticators.xml as shown in [1]. I
get the exception [2] when I try to log in to the mgt console. The issuer
carbonServerSP is configured with the Assertion Consumer URL
https://<IP>:<PORT>/acs in staging IS.

I tried to prevent this CSRF by configuring the CSRF Valve as mentioned in
the documentation [3], but I am still experiencing the same. Could you
please advise me on how to resolve this?

[1]
    <Authenticator name="SAML2SSOAuthenticator" disabled="false">
       <Priority>10</Priority>
       <Config>
           <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
           <Parameter name="ServiceProviderID">carbonServerSP</Parameter>
           <Parameter name="IdentityProviderSSOServiceURL">https://<IS_URL>/samlsso</Parameter>
           <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
           <Parameter name="IdPCertAlias">wso2carbon</Parameter>
       </Config>
    </Authenticator>

[2]

TID: [-1234] [] [2016-11-30 12:09:21,767]  WARN {org.owasp.csrfguard.log.JavaLogger} -  potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:xx.xxx.x.xxx, method:POST, uri:/acs, error:required token is missing from the request)

[3]
https://docs.wso2.com/display/IS500/Mitigating+Cross+Site+Request+Forgery+(CSRF)+Attacks#MitigatingCrossSiteRequestForgery(CSRF)Attacks-MitigatingusingtheCSRFValve

Thank you

-- 
Shakila Sivagnanarajah
Software Engineer
Mobile :+94 (0) 768 856837
[email protected]
WSO2, Inc.
lean . enterprise . middleware
http://www.wso2.com/
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev

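As an added triage example (not part of the original post, and not WSO2 or OWASP code): a parser for the CSRFGuard warning format quoted in [2] that separates rejections of POSTs to the SAML Assertion Consumer URL from other CSRFGuard rejections. In the SAML POST binding the browser submits a form rendered by the IdP, so that request can never carry the SP's CSRFGuard token; the sample log lines, the second IP and the login_action.jsp URI are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log, modelled on the CSRFGuard WARN line quoted in [2].
# Line 1 copies that format; lines 2 and 3 are invented for contrast.
SAMPLE_LOG = """\
TID: [-1234] [] [2016-11-30 12:09:21,767]  WARN {org.owasp.csrfguard.log.JavaLogger} -  potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:xx.xxx.x.xxx, method:POST, uri:/acs, error:required token is missing from the request)
TID: [-1234] [] [2016-11-30 12:10:02,101]  WARN {org.owasp.csrfguard.log.JavaLogger} -  potential cross-site request forgery (CSRF) attack thwarted (user:admin, ip:10.0.0.5, method:POST, uri:/carbon/admin/login_action.jsp, error:required token is missing from the request)
TID: [-1234] [] [2016-11-30 12:10:30,500]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  'admin' logged in at [2016-11-30 12:10:30,500]
"""

# Matches only CSRFGuard "attack thwarted" warnings and captures their fields.
LINE_RE = re.compile(
    r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\]\s+WARN\s+"
    r"\{org\.owasp\.csrfguard\.log\.JavaLogger\}.*?thwarted \("
    r"user:(?P<user>[^,]*), ip:(?P<ip>[^,]*), method:(?P<method>[^,]*), "
    r"uri:(?P<uri>[^,]*), error:(?P<error>[^)]*)\)"
)

@dataclass
class CsrfBlock:
    ts: str
    user: str
    ip: str
    method: str
    uri: str
    error: str

def parse_csrf_block(line: str) -> Optional[CsrfBlock]:
    """Return the parsed CSRFGuard rejection, or None for any other log line."""
    m = LINE_RE.search(line)
    return CsrfBlock(**m.groupdict()) if m else None

def classify(block: CsrfBlock, acs_path: str = "/acs") -> str:
    """A token-less POST to the ACS path is the IdP-rendered SAMLResponse form,
    which cannot carry the SP's CSRFGuard token; everything else is reported
    as an ordinary CSRFGuard rejection that deserves a closer look."""
    if block.method == "POST" and block.uri == acs_path and "token is missing" in block.error:
        return "saml-acs-post-blocked"
    return "other-csrf-rejection"

def triage(log_text: str, acs_path: str = "/acs") -> dict:
    """Count rejections per class over a whole log; acs_path is the SP's ACS URI."""
    counts = {"saml-acs-post-blocked": 0, "other-csrf-rejection": 0}
    for line in log_text.splitlines():
        block = parse_csrf_block(line)
        if block is not None:
            counts[classify(block, acs_path)] += 1
    return counts
```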