Hi Tharindi,
Thank you for the explanation.
I will change the mentioned configuration and check the scenario again.

On Fri, 3 Aug 2018, 17:34 Tharindu Edirisinghe, <[email protected]> wrote:

> Hi Achini,
>
> If you are trying this flow just for testing purposes, a quick solution is
> to turn off signature validation of the SAML response and assertion using the
> following two properties in the SAML2SSOAuthenticator configuration in the
> authenticators.xml file.
>
>             <Parameter name="ResponseSignatureValidationEnabled">false</Parameter>
>             <Parameter name="AssertionSignatureValidationEnabled">false</Parameter>
>
> By default, the above are commented out.
>
> If you need to enable the response and assertion signature validation and
> get it working, then set the above two properties to true and add the
> following property as well.
>
> <Parameter name="IdPCertAlias">wso2carbon</Parameter>
>
> Here you need to give the certificate alias of the public certificate of
> the signing entity, which should be IS itself in this case. (If it is a
> different entity, then we need to import the certificate into
> wso2carbon.jks with some alias and provide that alias in the above property.)
>
> Thanks,
> TharinduE
>
> On Thu, Aug 2, 2018 at 7:25 AM Achini Jayasena <[email protected]> wrote:
>
>> Hi All,
>>
>> Signature validation failed in the following scenario.
>>
>> *Scenario:* IAM itself enables multi-factor authentication (scenario 05)
>> and SP creation from metadata URL configurations.
>>
>> *Test steps:*
>> Step 01: Create user
>> Step 02: Create IDP (twitter)
>> Step 03: Create SP for carbon server from metadata file URL
>> configurations (please find the metadata file attached herewith)
>> Step 04: Update SP to enable MFA
>>
>> <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope
>> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>> xmlns:xsd="http://org.apache.axis2/xsd"
>> xmlns:xsd1="http://model.common.application.identity.carbon.wso2.org/xsd">
>>    <soapenv:Header />
>>    <soapenv:Body>
>>       <xsd:updateApplication>
>>          <!--Optional:-->
>>          <xsd:serviceProvider>
>>             <!--Optional:-->
>>             <xsd1:applicationID>${appID}</xsd1:applicationID>
>>             <xsd1:applicationName>${spname}</xsd1:applicationName>
>>             <xsd1:description>${spdescription}</xsd1:description>
>>             <xsd1:inboundAuthenticationConfig>
>>                <xsd1:inboundAuthenticationRequestConfigs>
>>                   <xsd1:inboundAuthKey>${carbonServer}</xsd1:inboundAuthKey>
>>                   <xsd1:inboundAuthType>samlsso</xsd1:inboundAuthType>
>>                   <xsd1:inboundConfigType>standardAPP</xsd1:inboundConfigType>
>>                   <xsd1:properties>
>>                      <xsd1:confidential>false</xsd1:confidential>
>>                      <xsd1:defaultValue xsd:nil="true" />
>>                      <xsd1:description xsd:nil="true" />
>>                      <xsd1:displayName xsd:nil="true" />
>>                      <xsd1:displayOrder>0</xsd1:displayOrder>
>>                      <xsd1:name>attrConsumServiceIndex</xsd1:name>
>>                      <xsd1:required>false</xsd1:required>
>>                      <xsd1:type xsd:nil="true" />
>>                      <xsd1:value>${serviceIndex}</xsd1:value>
>>                   </xsd1:properties>
>>                </xsd1:inboundAuthenticationRequestConfigs>
>>                <xsd1:inboundAuthenticationRequestConfigs>
>>                   <xsd1:friendlyName xsd:nil="true" />
>>                   <xsd1:inboundAuthKey>${carbonServer}</xsd1:inboundAuthKey>
>>                   <xsd1:inboundAuthType>openid</xsd1:inboundAuthType>
>>                   <xsd1:inboundConfigType>standardAPP</xsd1:inboundConfigType>
>>                </xsd1:inboundAuthenticationRequestConfigs>
>>                <xsd1:inboundAuthenticationRequestConfigs>
>>                   <xsd1:friendlyName xsd:nil="true" />
>>                   <xsd1:inboundAuthKey>${carbonServer}</xsd1:inboundAuthKey>
>>                   <xsd1:inboundAuthType>passivests</xsd1:inboundAuthType>
>>                   <xsd1:inboundConfigType>standardAPP</xsd1:inboundConfigType>
>>                </xsd1:inboundAuthenticationRequestConfigs>
>>             </xsd1:inboundAuthenticationConfig>
>>             <xsd1:inboundProvisioningConfig>
>>                <xsd1:provisioningEnabled>false</xsd1:provisioningEnabled>
>>                <xsd1:provisioningUserStore />
>>             </xsd1:inboundProvisioningConfig>
>>             <!-- Configure Multi Steps -->
>>             <xsd1:localAndOutBoundAuthenticationConfig>
>>                <!--Optional:-->
>>                <xsd1:alwaysSendBackAuthenticatedListOfIdPs>false</xsd1:alwaysSendBackAuthenticatedListOfIdPs>
>>                <!--Zero or more repetitions:-->
>>                <xsd1:authenticationSteps>
>>                   <!--Optional:-->
>>                   <xsd1:attributeStep>true</xsd1:attributeStep>
>>                   <xsd1:subjectStep>true</xsd1:subjectStep>
>>                   <!--Zero or more repetitions:-->
>>                   <!--Zero or more repetitions:-->
>>                   <xsd1:localAuthenticatorConfigs>
>>                      <!--Optional:-->
>>                      <xsd1:displayName>basic</xsd1:displayName>
>>                      <!--Optional:-->
>>                      <xsd1:enabled>false</xsd1:enabled>
>>                      <!--Optional:-->
>>                      <xsd1:name>BasicAuthenticator</xsd1:name>
>>                      <!--Zero or more repetitions:-->
>>                      <!--Optional:-->
>>                      <xsd1:valid>true</xsd1:valid>
>>                   </xsd1:localAuthenticatorConfigs>
>>                   <!--Optional:-->
>>                   <xsd1:stepOrder>1</xsd1:stepOrder>
>>                   <!--Optional:-->
>>                </xsd1:authenticationSteps>
>>                <xsd1:authenticationSteps>
>>                   <!--Optional:-->
>>                   <xsd1:attributeStep>false</xsd1:attributeStep>
>>                   <xsd1:subjectStep>false</xsd1:subjectStep>
>>                   <!--Zero or more repetitions:-->
>>                   <xsd1:federatedIdentityProviders>
>>                      <xsd1:defaultAuthenticatorConfig>
>>                         <xsd1:alais />
>>                         <xsd1:certificate />
>>                         <xsd1:claimConfig />
>>                         <xsd1:displayName>${idpname}</xsd1:displayName>
>>                         <xsd1:enabled>false</xsd1:enabled>
>>                         <xsd1:name>TwitterAuthenticator</xsd1:name>
>>                         <xsd1:valid>true</xsd1:valid>
>>                      </xsd1:defaultAuthenticatorConfig>
>>                      <!--Zero or more repetitions:-->
>>                      <xsd1:federatedAuthenticatorConfigs>
>>                         <xsd1:displayName>${idpname}</xsd1:displayName>
>>                         <xsd1:enabled>false</xsd1:enabled>
>>                         <xsd1:name>TwitterAuthenticator</xsd1:name>
>>                         <xsd1:valid>true</xsd1:valid>
>>                      </xsd1:federatedAuthenticatorConfigs>
>>                      <!--Optional:-->
>>                      <xsd1:identityProviderName>${idpname}</xsd1:identityProviderName>
>>                      <xsd1:enable>false</xsd1:enable>
>>                      <xsd1:primary>false</xsd1:primary>
>>                      <xsd1:federationHub>false</xsd1:federationHub>
>>                   </xsd1:federatedIdentityProviders>
>>                   <!--Optional:-->
>>                   <xsd1:stepOrder>2</xsd1:stepOrder>
>>                   <!--Optional:-->
>>                </xsd1:authenticationSteps>
>>                <!--Optional:-->
>>                <xsd1:authenticationType>flow</xsd1:authenticationType>
>>                <xsd1:subjectClaimUri>id</xsd1:subjectClaimUri>
>>             </xsd1:localAndOutBoundAuthenticationConfig>
>>             <xsd1:outboundProvisioningConfig>
>>                <xsd1:provisionByRoleList xsd:nil="true" />
>>             </xsd1:outboundProvisioningConfig>
>>             <xsd1:permissionAndRoleConfig>
>>                <xsd1:idpRoles />
>>             </xsd1:permissionAndRoleConfig>
>>             <xsd1:saasApp>false</xsd1:saasApp>
>>          </xsd:serviceProvider>
>>       </xsd:updateApplication>
>>    </soapenv:Body></soapenv:Envelope>
>>
>> Step 05: In the <isHome>/repository/conf/security/authenticators.xml
>> file, change the following tags as below.
>>  <Authenticator name="SAML2SSOAuthenticator" disabled="false">
>>         <Priority>1</Priority>
>> Step 06: Restart the carbon server
>> Step 07: Do basic authentication
>> Step 08: Do twitter authentication
>>
>> *Expected result:*
>> Navigate to the IS home
>>
>> *Actual result:*
>>
>> Error log:
>>
>> [2018-08-02 06:35:45,738]  WARN
>> {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler}
>> -  Subject claim could not be found amongst service provider mapped
>> unfiltered local claims
>> [2018-08-02 06:35:45,739]  WARN
>> {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler}
>> -  Subject claim could not be found. Defaulting to Name Identifier.
>> [2018-08-02 06:35:49,612] ERROR
>> {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} -
>> SAML Response is not signed or response not available. Authentication
>> process will be terminated.
>> [2018-08-02 06:35:49,613] ERROR
>> {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} -
>> Authentication Request is rejected. Signature validation failed.
>> [2018-08-02 06:35:49,615]  WARN
>> {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  Failed
>> Administrator login attempt 'admin[-1234]' at [2018-08-02 06:35:49,615+0530]
>> [2018-08-02 06:35:49,637] ERROR
>> {org.wso2.carbon.identity.authenticator.saml2.sso.ui.authenticator.SAML2SSOUIAuthenticator}
>> -  Authentication failed.
>>
>> It seems like the certificate is not valid. Please find the certificate
>> .jks file attached herewith, which is available in
>> <ishome>/repository/resources/security.
>>
>> Does anyone have an idea what the reason for the issue could be?
>>
>>
>> *Thanks & Best Regards!*
>>
>> *Achini Jayasena*
>> *Software Engineer - QA | WSO2*
>>
>> Email: [email protected]
>> Mobile: +943 882 897
>>
>>
>
>
> --
>
> Tharindu Edirisinghe
> Associate Technical Lead | WSO2 Inc
> Platform Security Team
> Blog : http://tharindue.blogspot.com
> mobile : +94 775181586
>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
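As an added example (my code, not code from the thread or from WSO2): a small Python script that audits the SAML2SSOAuthenticator block discussed above for the two signature-validation flags and IdPCertAlias, and pre-screens a SAML Response for the signatures the authenticator would then have to verify, failing closed the way the "SAML Response is not signed" line in the log does. It assumes the authenticators.xml layout (Authenticator/Config/Parameter under the carbon.xml default namespace), constructs its own config fragments and SAML Responses, inserts placeholder ds:Signature elements rather than real ones, and performs no cryptographic verification, which needs an XML-DSig library and the certificate behind the alias.

```python
"""Added example (not WSO2 code): audit the SAML2SSOAuthenticator block of
authenticators.xml and pre-screen a SAML Response for signature presence.
No cryptography here; all XML is constructed and the file layout is assumed."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed: the test-only shortcut from the thread, validation switched off.
TEST_ONLY_CONFIG = """<Authenticators xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Priority>1</Priority>
    <Config>
      <Parameter name="ServiceProviderID">carbonServer</Parameter>
      <Parameter name="ResponseSignatureValidationEnabled">false</Parameter>
      <Parameter name="AssertionSignatureValidationEnabled">false</Parameter>
    </Config>
  </Authenticator>
</Authenticators>"""

# Constructed: validation on, plus the alias of the IdP signing certificate.
HARDENED_CONFIG = TEST_ONLY_CONFIG.replace('Enabled">false', 'Enabled">true').replace(
    "</Config>", '  <Parameter name="IdPCertAlias">wso2carbon</Parameter>\n    </Config>')


def _local(tag):
    """'{namespace}name' -> 'name', so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def saml_authenticator_params(authenticators_xml):
    """Collect the <Parameter name=...> values of the SAML2SSOAuthenticator block
    plus its 'disabled' attribute; raises if the block is absent."""
    root = ET.fromstring(authenticators_xml)
    for auth in root.iter():
        if _local(auth.tag) == "Authenticator" and auth.get("name") == "SAML2SSOAuthenticator":
            params = {p.get("name"): (p.text or "").strip()
                      for p in auth.iter() if _local(p.tag) == "Parameter"}
            params["disabled"] = auth.get("disabled", "false")
            return params
    raise ValueError("no SAML2SSOAuthenticator block found")


def audit_saml_authenticator(authenticators_xml):
    """Findings for a deployment (empty list = nothing to fix). Policy follows the
    thread: 'false' on either flag is test-only, and when validation is in effect
    IdPCertAlias must name the signing certificate in wso2carbon.jks."""
    p = saml_authenticator_params(authenticators_xml)
    if p["disabled"] == "true":
        return []
    findings, validating = [], False
    for flag in ("ResponseSignatureValidationEnabled", "AssertionSignatureValidationEnabled"):
        if p.get(flag, "").lower() == "false":
            findings.append(f"{flag}=false: signatures are not checked (test-only setting)")
        else:
            validating = True
    if validating and not p.get("IdPCertAlias"):
        findings.append("IdPCertAlias missing: no certificate to validate signatures against")
    return findings


def saml_signature_presence(response_xml):
    """(response_signed, assertion_signed): is a ds:Signature a direct child of
    samlp:Response, and of every saml:Assertion inside it?"""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    response_signed = root.find(f"{{{DS}}}Signature") is not None
    assertions = root.findall(f"{{{SAML}}}Assertion")
    assertion_signed = bool(assertions) and all(
        a.find(f"{{{DS}}}Signature") is not None for a in assertions)
    return response_signed, assertion_signed


def prescreen_response(response_xml, params):
    """Apply the configured policy before any crypto runs: (accepted, reason).
    Unset flags count as enabled, matching the thread where the commented-out
    defaults still produced 'Signature validation failed'."""
    response_signed, assertion_signed = saml_signature_presence(response_xml)
    check_response = params.get("ResponseSignatureValidationEnabled", "").lower() != "false"
    check_assertion = params.get("AssertionSignatureValidationEnabled", "").lower() != "false"
    if check_response and not response_signed:
        return False, "SAML Response is not signed"
    if check_assertion and not assertion_signed:
        return False, "SAML Assertion is not signed"
    if not (check_response or check_assertion):
        return True, "accepted WITHOUT any signature check: anyone can forge this"
    if not params.get("IdPCertAlias"):
        return False, "no IdPCertAlias to verify the signature against"
    return True, "signatures present; cryptographic verification still required"


# Constructed SAML Response carrying no signatures at all.
UNSIGNED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2018-08-02T06:35:49Z">
  <saml:Issuer>localhost</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-08-02T06:35:49Z">
    <saml:Issuer>localhost</saml:Issuer>
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def with_placeholder_signatures(response_xml):
    """Constructed helper: insert placeholder ds:Signature elements (not real
    signatures) after each Issuer, where a signing IdP would place them."""
    root = ET.fromstring(response_xml)
    for el in [root] + root.findall(f"{{{SAML}}}Assertion"):
        sig = ET.Element(f"{{{DS}}}Signature")
        ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = "PLACEHOLDER"
        el.insert(1, sig)
    return ET.tostring(root, encoding="unicode")


SIGNED_RESPONSE = with_placeholder_signatures(UNSIGNED_RESPONSE)

if __name__ == "__main__":
    for name, cfg in (("test-only", TEST_ONLY_CONFIG), ("hardened", HARDENED_CONFIG)):
        params = saml_authenticator_params(cfg)
        print(name, audit_saml_authenticator(cfg) or "OK")
        print("  unsigned:", prescreen_response(UNSIGNED_RESPONSE, params))
        print("  signed:  ", prescreen_response(SIGNED_RESPONSE, params))
```

Running it shows the test-only configuration accepting an unsigned Response outright, which is why that setting must never leave a test box, while the hardened configuration rejects the same Response before any cryptography is attempted and only then asks for the certificate behind IdPCertAlias.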
