Hi Javier,

In the Identity Server SP configs, under the 'Local & Outbound
Authentication Configuration' section, there's a checkbox 'Use user store
domain in local subject identifier'. Can you tick that checkbox and see
whether the issue gets resolved?

Regards,
Omindu.



On Thu, Jun 1, 2017 at 6:28 PM, Vazquez-Hidalgo, Javier <
javier.vazquez-hida...@tdsecurities.com> wrote:

> Hi Isura,
>
> Thanks for your response, I added the secondary user store to the API
> manager and the problem goes away ONLY if I disable SSO on the store. With
> SSO enabled I can only log in with users from the primary store.
>
> Any ideas on how to get it working with SSO?
>
> Thanks,
>
> Javier
>
>
> *From:* Isura Karunaratne [mailto:is...@wso2.com]
> *Sent:* Wednesday, May 31, 2017 6:26 AM
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* dev@wso2.org
> *Subject:* Re: [Dev] API 2.1.0 + Identity Server 5.3.0
>
> Hi Javier,
>
> It looks like you have not configured the secondary user store in the API
> Manager instance. You can get rid of the authorization issue by configuring
> the read-only secondary user store in APIM as well.
>
> Since authorization is handled in the APIM instance, the user store should
> be shared with APIM as well.
>
> Thanks
>
> Isura.
>
>
> On Tue, May 30, 2017 at 7:18 PM, Vazquez-Hidalgo, Javier <
> javier.vazquez-hida...@tdsecurities.com> wrote:
>
> Hi Isura,
>
> In the log files, please search for “vazquj2”. That is the user who fails
> to log in. I’ll send the conf files shortly. After more research it seems
> that APIM is looking for user roles in UM_ROLES instead of UM_HYBRID_ROLES.
>
> Thanks,
>
> Javier
>
>
> *From:* Isura Karunaratne [mailto:is...@wso2.com]
> *Sent:* Monday, May 29, 2017 1:24 AM
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* dev@wso2.org
> *Subject:* Re: [Dev] API 2.1.0 + Identity Server 5.3.0
>
> Hi Javier,
>
> According to the apim-wso2carbon.log file, only the admin user tried to log
> in to the APIM instance, and that login was successful. Please attach the
> log once the Store login failure occurs. Also, attach the conf folders of
> each product.
>
> Thanks
>
> Isura.
>
>
> On Fri, May 26, 2017 at 8:56 PM, Vazquez-Hidalgo, Javier <
> javier.vazquez-hida...@tdsecurities.com> wrote:
>
> Hi Isura,
>
> Thanks for your help!
>
> Attached to the email are both logs with
> “log4j.logger.org.wso2.carbon.user.core=DEBUG” enabled.
>
> Regards,
>
> Javier
>
>
> *From:* Isura Karunaratne [mailto:is...@wso2.com]
> *Sent:* Friday, May 26, 2017 3:10 AM
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* dev@wso2.org
> *Subject:* Re: [Dev] API 2.1.0 + Identity Server 5.3.0
>
> Hi Javier,
>
> We need additional information to analyze the issue. Attach the
> wso2carbon.log file after enabling the debug logs for the
> org.wso2.carbon.user.core package as follows.
>
> Add the following entry to the /repository/conf/log4j.properties file:
>
> log4j.logger.org.wso2.carbon.user.core=DEBUG
>
> Thanks
>
> Isura.
>
>
> On Fri, May 26, 2017 at 12:50 AM, Vazquez-Hidalgo, Javier <
> javier.vazquez-hida...@tdsecurities.com> wrote:
>
> Hello,
>
> I’m trying to set up APIM 2.1.0 + Identity Server 5.3.0 on separate boxes.
> At this point I have all configurations in place with shared databases, and
> I added a secondary User Store (Read-Only LDAP) on the Identity Server and
> I’m able to assign permissions, etc.
>
> The problem I’m having is that when I try to log in to the API Store using
> a user from the secondary user store I get the following error on the login
> screen:
>
> “Error! Login failed. Insufficient Privileges.”
>
> APIM Logs:
>
> -------------
>
> [2017-05-25 14:49:52,812] ERROR - JDBCAuthorizationManager Error occurred
> while accessing Java Security Manager Privilege Block
>
> [2017-05-25 14:49:52,812] ERROR - APIStoreHostObject Login failed.
> Insufficient Privileges.
>
> IS Log:
>
> -----------
>
> [2017-05-25 14:49:52,498]  INFO
> {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
> -  'DOMAIN/xxx@carbon.super [-1234]' logged in at [2017-05-25
> 14:49:52,497-0400]
>
> So, it seems that the user is authenticated but something is happening.
>
> Just to be clear, the user from the secondary user store has the
> “Internal/subscriber” role, which should be sufficient to log in.
>
> I also created a test user in the IS primary store, assigned the
> “Internal/subscriber” role, and that worked fine.
>
> Any help or pointers are appreciated.
>
> Thanks,
>
> Javier Vazquez
>
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>
>
>
>
> --
>
> *Isura Dilhara Karunaratne*
>
> Senior Software Engineer | WSO2
>
> Email: is...@wso2.com
>
> Mob : +94 772 254 810
>
> Blog : http://isurad.blogspot.com/


-- 
Omindu Rathnaweera
Senior Software Engineer, WSO2 Inc.
Mobile: +94 771 197 211
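To make the suggestion above concrete, here is an added illustrative model (not WSO2 code; the role table, the username and the default-to-PRIMARY rule are constructed assumptions) of why a subject identifier that omits the user store domain fails the Store's role check: the domain-less name resolves against the PRIMARY store, where the LDAP user and its Internal/subscriber role do not exist.

```python
from dataclasses import dataclass

PRIMARY_DOMAIN = "PRIMARY"
SUPER_TENANT = "carbon.super"


@dataclass(frozen=True)
class QualifiedUser:
    domain: str    # user store domain, e.g. DOMAIN (secondary LDAP) or PRIMARY
    username: str  # bare username
    tenant: str    # tenant domain, e.g. carbon.super


def parse_subject(subject: str) -> QualifiedUser:
    """Split a Carbon-style name 'DOMAIN/user@tenant' into its parts.

    Assumed defaults for this model: a name with no domain prefix is taken
    to belong to the PRIMARY store, and a name with no '@tenant' suffix to
    the super tenant. This is how a domain-less subject ends up being
    looked up in the wrong store.
    """
    name, sep, tenant = subject.rpartition("@")
    if not sep:
        name, tenant = subject, SUPER_TENANT
    domain, sep, user = name.partition("/")
    if not sep:
        domain, user = PRIMARY_DOMAIN, name
    return QualifiedUser(domain.upper(), user, tenant)


# Constructed role table standing in for the shared user-management database.
# The LDAP user exists only under the secondary domain; admin is in PRIMARY.
ROLE_TABLE = {
    QualifiedUser("DOMAIN", "vazquj2", SUPER_TENANT): {"Internal/subscriber"},
    QualifiedUser(PRIMARY_DOMAIN, "admin", SUPER_TENANT): {"admin", "Internal/subscriber"},
}


def store_login_allowed(subject: str, required_role: str = "Internal/subscriber") -> bool:
    """Model of the Store's check: resolve the subject, then require the role."""
    roles = ROLE_TABLE.get(parse_subject(subject), set())
    return required_role in roles


if __name__ == "__main__":
    for subj in ("DOMAIN/vazquj2@carbon.super", "vazquj2@carbon.super", "admin"):
        verdict = "ok" if store_login_allowed(subj) else "Insufficient Privileges"
        print(f"{subj!r:35} -> {verdict}")
```

Ticking the 'Use user store domain in local subject identifier' checkbox corresponds to the first form of the subject, which carries the DOMAIN/ prefix through to the Store-side lookup.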