Hi Angelo,

Thanks for troubleshooting and identifying the issue. I have created a GitHub issue [1] to track this. At a glance, your fix seems to be correct. We will further validate the fix to see its impact on other flows and incorporate it into the codebase. Meanwhile, if you can send a PR to our code repository [2] with your suggested fix, we can review and merge it from there.
Also, regarding the configurations in IS-5.9.0, WSO2 has introduced a new configuration model [3] where the majority of the configurations are now managed via a single file, [Home]/repository/conf/deployment.toml, if it is available in the location [Home]/repository/conf/. You may fall back to the old .xml based config model by removing this file from that location. If the file is present, it is expected to reset changes made in the .xml configuration files unless those configurations are represented in the deployment.toml file. I have added some sample mappings in [4] that I used some time back to identify the corresponding deployment.toml configurations for .xml configs, in case you find it interesting.

[1] https://github.com/wso2/product-is/issues/6666
[2] https://github.com/wso2-extensions/identity-outbound-auth-samlsso/blob/master/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/X509CredentialImpl.java
[3] https://wso2.com/blogs/thesource/2019/10/simplifying-configuration-with-WSO2-identity-server
[4] https://github.com/ayshsandu/samples/tree/master/config-mapping

Thanks!
-Ayesha

On Wed, Oct 16, 2019 at 9:02 PM Angelo Immediata <[email protected]> wrote:

> Hi there
>
> I downloaded WSO2 IS version 5.9.0. I configured an external IDP as suggested here
> https://is.docs.wso2.com/en/5.9.0/learn/adding-and-configuring-an-identity-provider/
> and then I configured the claims and a Service Provider where I want to use SAML2 SSO.
>
> I configured my Service Provider to use an advanced configuration for the login process, where step one is basic authentication and step 2 is done by using my external IdP.
>
> The same identical configuration works pretty well in my WSO2 5.8.0, while I'm facing a lot of issues in WSO2 IS 5.9.0.
>
> In the 5.9.0 version, when I try to log in to my application, WSO2 shows me the login interface, but when I click the login by external IdP the popup is empty, as shown in this image (Federated Authentication).
>
> Moreover, I noticed that when I try to modify the application-authentication.xml located in ${WSO2_IS_HOME}/repository/conf/identity, my modifications are lost and the file returns to the default state. I tried to insert the modification in the deployment.toml but I can't figure out how to configure the SAMLSSO correctly.
>
> Then I tried to configure my Service Provider only by showing the external login interface. I get an error. The stack trace is the following:
>
>> TID: [-1234] [] [2019-10-14 19:34:50,523] [a7721bfd-6c47-48f2-b31d-d30a0fbb7e06] DEBUG {org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager} - SAML Request : <?xml version="1.0" encoding="UTF-8"?>
>> <samlp:AuthnRequest AssertionConsumerServiceURL="https://localhost:9443/commonauth" AttributeConsumingServiceIndex="0"
>>   Destination="http://localhost:8088/sso" ForceAuthn="true" ID="_84b2f91a208bc6b3ee12383e2cf26652"
>>   IssueInstant="2019-10-14T17:34:50.505Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>   Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>>   <samlp:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="http://wso2_590_ai"
>>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">http://wso2_590_ai</samlp:Issuer>
>>   <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"/>
>>   <saml2p:RequestedAuthnContext Comparison="exact" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>>     <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://www.spid.gov.it/SpidL2</saml2:AuthnContextClassRef>
>>   </saml2p:RequestedAuthnContext>
>> </samlp:AuthnRequest>
>> TID: [-1234] [] [2019-10-14 19:34:50,524] [a7721bfd-6c47-48f2-b31d-d30a0fbb7e06] DEBUG {org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager} - Parameter Map {} tenantDomain carbon.super
>> TID: [-1234] [] [2019-10-14 19:34:50,524] [a7721bfd-6c47-48f2-b31d-d30a0fbb7e06] DEBUG {org.wso2.carbon.identity.application.authenticator.samlsso.manager.X509CredentialImpl} - tenantID -1234
>> TID: [-1234] [] [2019-10-14 19:34:50,525] [a7721bfd-6c47-48f2-b31d-d30a0fbb7e06] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Exception in Authentication Framework java.util.EmptyStackException
>>     at java.util.Stack.peek(Stack.java:102)
>>     at java.util.Stack.pop(Stack.java:84)
>>     at org.wso2.carbon.context.internal.CarbonContextDataHolder.endTenantFlow(CarbonContextDataHolder.java:1295)
>>     at org.wso2.carbon.context.PrivilegedCarbonContext.endTenantFlow(PrivilegedCarbonContext.java:75)
>>     at org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils.endTenantFlow(FrameworkUtils.java:1505)
>>     at org.wso2.carbon.identity.application.authenticator.samlsso.manager.X509CredentialImpl.<init>(X509CredentialImpl.java:202)
>>     at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.buildRequest(DefaultSAML2SSOManager.java:267)
>>     at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.initiateAuthenticationRequest(SAMLSSOAuthenticator.java:123)
>>     at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:71)
>>     at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:502)
>>     at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:267)
>>     at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:185)
>>     at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler.handle(GraphBasedSequenceHandler.java:111)
>>     at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:155)
>>     at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:239)
>>     at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doPost(CommonAuthenticationHandler.java:46)
>>     at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doGet(CommonAuthenticationHandler.java:37)
>>     at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.sendRequestToFramework(SAMLSSOProviderServlet.java:1592)
>>     at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.sendToFrameworkForAuthentication(SAMLSSOProviderServlet.java:827)
>>     at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleSPInitSSO(SAMLSSOProviderServlet.java:719)
>>     at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:270)
>>     at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doPost(SAMLSSOProviderServlet.java:156)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
>>     at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
>>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
>>     at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>     at org.wso2.carbon.identity.captcha.filter.CaptchaFilter.doFilter(CaptchaFilter.java:66)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>     at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:72)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>     at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>     at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>     at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
>>     at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
>>     at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:100)
>>     at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:74)
>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>>     at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>>     at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:146)
>>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
>>     at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>     at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:116)
>>     at org.wso2.carbon.tomcat.ext.valves.RequestEncodingValve.invoke(RequestEncodingValve.java:49)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
>>     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
>>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:853)
>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1587)
>>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>     at java.lang.Thread.run(Thread.java:748)
>
> By debugging, it seems that in the class org.wso2.carbon.context.internal.CarbonContextDataHolder, in the method endTenantFlow(), we try to pop from an empty stack, as you can see in this code:
>
>> public void endTenantFlow() {
>>     Stack<CarbonContextDataHolder> carbonContextDataHolders = parentContextHolderStack.get();
>>     if (carbonContextDataHolders != null) {
>>         currentContextHolder.set(carbonContextDataHolders.pop());
>>     }
>> }
>
> This code is taken from the jar org.wso2.carbon.utils-4.5.1.jar.
> So I focused my attention on the org.wso2.carbon.identity.application.authenticator.samlsso project and I found a possible bug in the class
>
>> org.wso2.carbon.identity.application.authenticator.samlsso.manager.X509CredentialImpl
>
> Basically, in the constructor there is this piece of code:
>
>> try {
>>     /**
>>      * Get the private key and the cert for the respective tenant domain.
>>      */
>>     if (!tenantDomain.equals(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME)) {
>>         FrameworkUtils.startTenantFlow(tenantDomain);
>>         // Do some stuff
>>     } else {
>>         // Do other stuff
>>     }
>> } catch (Exception e) {
>>     // Handle exception
>> } finally {
>>     FrameworkUtils.endTenantFlow();
>> }
>
> As you can see, FrameworkUtils.startTenantFlow(tenantDomain); is called only if the first if is true. This means that in the finally we have to handle the endTenantFlow() properly. I modified the code in this way:
>
>> try {
>>     /**
>>      * Get the private key and the cert for the respective tenant domain.
>>      */
>>     if (!tenantDomain.equals(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME)) {
>>         FrameworkUtils.startTenantFlow(tenantDomain);
>>         // Do some stuff
>>     } else {
>>         // Do other stuff
>>     }
>> } catch (Exception e) {
>>     // Handle exception
>> } finally {
>>     if (!tenantDomain.equals(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME)) {
>>         if (log.isDebugEnabled()) {
>>             log.debug("finalizzo il tenant flow per tenant domain " + tenantDomain);
>>         }
>>         FrameworkUtils.endTenantFlow();
>>     } else {
>>         if (log.isDebugEnabled()) {
>>             log.debug("Tenant domain " + tenantDomain + " nessun flow da finalizzare");
>>         }
>>     }
>> }
>
> It seems to work now but I don't know if my modification is correct...
>
> I hope this can be useful
> Angelo
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>

--
*Ayesha Dissanayaka*
Associate Technical Lead
WSO2, Inc : http://wso2.com
20, Palm grove Avenue, Colombo 3
E-Mail: [email protected]
Mobile: +94713580922
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
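As an added illustration (not code from the thread or from the WSO2 code base), the following stand-alone Java model reproduces the unbalanced start/end pair Angelo describes: a per-thread stack that startTenantFlow pushes to and endTenantFlow pops from, a constructor-shaped method that ends the flow unconditionally, and a fixed version that records in a local flag whether the flow was started rather than re-testing the tenant domain in the finally block. The class, method and tenant names are assumptions; for the super tenant the buggy path fails with the same java.util.EmptyStackException as the trace above, while both fixed calls return normally.

```java
import java.util.Stack;
// Added example (not WSO2 code): a minimal stand-in for the Carbon tenant-flow
// stack, reproducing the unbalanced start/end described in the thread.
public class TenantFlowDemo {
    static final String SUPER_TENANT = "carbon.super";
    // Per-thread stack of parent contexts, as in CarbonContextDataHolder.
    private static final ThreadLocal<Stack<String>> PARENT_STACK =
            ThreadLocal.withInitial(Stack::new);
    private static final ThreadLocal<String> CURRENT =
            ThreadLocal.withInitial(() -> SUPER_TENANT);
    static void startTenantFlow(String tenantDomain) {
        PARENT_STACK.get().push(CURRENT.get());
        CURRENT.set(tenantDomain);
    }
    // Pops unconditionally, like the original: an unmatched call throws.
    static void endTenantFlow() {
        CURRENT.set(PARENT_STACK.get().pop()); // EmptyStackException if nothing was pushed
    }
    // Shape of the reported constructor: end runs even when start did not.
    static String loadCredentialBuggy(String tenantDomain) {
        try {
            if (!SUPER_TENANT.equals(tenantDomain)) {
                startTenantFlow(tenantDomain);
            }
            return "key-for-" + CURRENT.get();
        } finally {
            endTenantFlow();
        }
    }
    // Fixed: a local flag records whether start ran, and only then is end called.
    static String loadCredentialFixed(String tenantDomain) {
        boolean flowStarted = false;
        try {
            if (!SUPER_TENANT.equals(tenantDomain)) {
                startTenantFlow(tenantDomain);
                flowStarted = true;
            }
            return "key-for-" + CURRENT.get();
        } finally {
            if (flowStarted) {
                endTenantFlow();
            }
        }
    }
    public static void main(String[] args) {
        System.out.println(loadCredentialFixed("acme.example")); // balanced push/pop
        System.out.println(loadCredentialFixed(SUPER_TENANT));   // no push, no pop
        System.out.println(loadCredentialBuggy(SUPER_TENANT));   // unmatched pop: EmptyStackException
    }
}
```

The flag form also stays balanced if the tenant check itself throws (for example on a null tenant domain), a case where re-evaluating the condition in finally would still call endTenantFlow without a matching start.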
