
identity-outbound-auth-samlsso's Introduction

Welcome to the WSO2 Identity Server (IS) identity-outbound-auth-samlsso.

WSO2 IS is one of the best identity servers available; it lets you offload identity and user-entitlement management entirely from your application. It comes with many features, supports many industry standards and, most importantly, allows you to extend it to fit your security requirements. This repo contains authenticators written to work with different third-party systems.

WSO2 IS offers a range of provisioning capabilities, organised around three major concepts: inbound provisioning, outbound provisioning and Just-In-Time (JIT) provisioning. Inbound provisioning means provisioning users and groups from an external system into IS. Outbound provisioning means provisioning users from IS to other external systems. JIT provisioning means that when a user logs in through an external IdP, a matching user can be created in IS on the fly. The repos under this account hold the components involved in communicating with such external systems.

Building from the source

If you want to build identity-outbound-auth-samlsso from the source code:

  1. Install Java 11 (or Java 17)
  2. Install Apache Maven 3.x.x (https://maven.apache.org/download.cgi#)
  3. Get a clone or download the source from this repository (https://github.com/wso2-extensions/identity-outbound-auth-samlsso)
  4. Run the Maven command mvn clean install from the identity-outbound-auth-samlsso directory.

identity-outbound-auth-samlsso's People

Contributors

achintha444, ashensw, cdwijayarathna, darshanasbg, deshankoswatte, dinithi-hasanika, dmhp, emswbandara, godwinamila, hasinthaindrajee, hwupathum, indunilrathnayake, isankasr, isurad, janakamarasena, kasungayan, madurangasiriwardena, malithie, nilasini, piraveena, pulasthi7, sachiniwettasinghe, sadilchamishka, senthalan, shanchathusanda93, thanujalk, thumulaperera, vihanga-liyanage, wijith7, wso2-jenkins-bot


identity-outbound-auth-samlsso's Issues

Unable to decrypt SAML Assertion (from Okta IdP)

Description:
The following error is received when an encrypted SAML assertion is received via IdP POST from an Okta IdP to WSO2:

Caused by: org.wso2.carbon.identity.application.authenticator.samlsso.exception.SAMLSSOException: Unable to decrypt the SAML Assertion
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSSOResponse(DefaultSAML2SSOManager.java:518)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.executeSAMLReponse(DefaultSAML2SSOManager.java:383)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSAMLResponse(DefaultSAML2SSOManager.java:374)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processResponse(DefaultSAML2SSOManager.java:331)
at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:252)
... 67 more
Caused by: java.lang.IndexOutOfBoundsException: Index: 0
at java.util.Collections$EmptyList.get(Collections.java:4454)
at org.opensaml.xml.util.LazyList.get(LazyList.java:90)
at org.opensaml.xml.util.ListView.get(IndexedXMLObjectChildrenList.java:312)
at org.opensaml.xml.util.ListView.get(IndexedXMLObjectChildrenList.java:238)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.getDecryptedAssertion(DefaultSAML2SSOManager.java:1151)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSSOResponse(DefaultSAML2SSOManager.java:516)

Looking at the XML, Okta is sending the EncryptedKey as a child of EncryptedAssertion:
<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ...>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ...
</saml2:EncryptedAssertion>

Looking at the DefaultSAMLSSOManager.java, WSO2 is expecting the EncryptedKeys as a child of KeyInfo, i.e. encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().

Shouldn't the code also check for keys using encryptedAssertion.getEncryptedKeys() to comply with xmlenc or am I missing something? I believe the xmlenc specification supports three different options for retrieving EncryptedKeys.

NOTE: I have verified that the SAML Assertion can be decrypted using WSO2's private key using other SAML libraries.

Suggested Labels:

Suggested Assignees:

Affected Product Version:
All? Demonstrable in WSO2IS 5.4.1 and 5.7.0

OS, DB, other environment details and versions:
Windows or Linux with H2 or SQL Server

Steps to reproduce:

  1. Configure WSO2 as a SAML application in Okta, specifying WSO2's certificate, consumer assertion URL and Enable SAML Assertion Encryption
  2. Configure Okta as an Identity Provider in WSO2 using metadata imported from Okta and enable SAML Assertion Encryption
  3. Click on the Okta tile to initiate a SAML POST
  4. Observe "Unable to decrypt SAML Assertion" error

Related Issues:
N/A

Adding IdP via metadata file

Description:
Setting up an external SAML identity provider would be a faster, simpler process if WSO2 were able to take in IDP metadata files, similar to those it can create (from the "Resident Identity Provider" menu -> "Inbound Authentication Configuration" -> "SAML2 Web SSO Configuration" -> "Download SAML Metadata")

Suggested Labels:
enhancement, Type/Improvement

Affected Product Version:
WSO2 IS 5.4.0

Steps to reproduce:
Follow the steps to link one WSO2 instance to another via SAML; there is no relevant option to upload metadata when configuring the secondary instance as an IdP of the primary.

Generation of SP metadata file

Description:
When configuring an external IdP, automatic generation of the SP metadata file for WSO2 would simplify the process. WSO2 already supports reading these files in the inbound authenticator.

Suggested Labels:
enhancement, Type/Improvement

Affected Product Version:
WSO2 IS 5.4.0 does not have this capability

Steps to reproduce:
Go through the steps to connect one WSO2 instance to another via SAML; there is no apparent option to generate SP metadata in the menus involved.

Unable to decrypt the SAML Assertion Illegal key size

Caused by: java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1039)
at javax.crypto.Cipher.init(Cipher.java:1393)
at javax.crypto.Cipher.init(Cipher.java:1327)
at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1754)
... 72 more
TID: [-1234] [] [2020-02-29 13:44:58,188] ERROR {org.opensaml.xml.encryption.Decrypter} - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
TID: [-1234] [] [2020-02-29 13:44:58,188] ERROR {org.opensaml.saml2.encryption.Decrypter} - SAML Decrypter encountered an error decrypting element content
org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData
at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:546)
at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:453)
at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:414)
at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.getDecryptedAssertion(DefaultSAML2SSOManager.java:1158)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSSOResponse(DefaultSAML2SSOManager.java:516)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.executeSAMLReponse(DefaultSAML2SSOManager.java:383)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSAMLResponse(DefaultSAML2SSOManager.java:374)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processResponse(DefaultSAML2SSOManager.java:331)
at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:252)
at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:77)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:497)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:471)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:174)
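The two decryption failures reported in this issue list have different causes. The Okta report above is about where the xenc:EncryptedKey sits in the document: the authenticator only looks inside EncryptedData/KeyInfo, while Okta places the key beside EncryptedData. The "Illegal key size" trace is about the JVM refusing the symmetric key length that the EncryptedData's algorithm implies. The following Python script is an added example, not code from the identity-outbound-auth-samlsso project or from OpenSAML, written to triage both: it checks the three EncryptedKey placements XML Encryption allows (a child of EncryptedData/KeyInfo; a KeyInfo/RetrievalMethod pointing at an EncryptedKey by Id; a sibling of EncryptedData whose ReferenceList/DataReference names it, or that carries no ReferenceList at all) and maps the data-encryption algorithm URI to a key size. The three sample assertions are constructed here with placeholder ciphertext and are not captured Okta output; the placement labels and the ALGORITHM_KEY_BITS table are this example's own. It uses only the Python standard library.

```python
"""Find the xenc:EncryptedKey for a SAML 2.0 EncryptedAssertion in any of the
three placements XML Encryption allows, and report the data-cipher key size.
Added example, not identity-outbound-auth-samlsso code; stdlib only."""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENCRYPTED_KEY_TYPE = "http://www.w3.org/2001/04/xmlenc#EncryptedKey"
# Key length implied by the data-encryption algorithm; a JVM whose crypto policy
# caps AES below this value fails with "Illegal key size" when decrypting.
ALGORITHM_KEY_BITS = {"http://www.w3.org/2001/04/xmlenc#aes128-cbc": 128,
                      "http://www.w3.org/2001/04/xmlenc#aes256-cbc": 256,
                      "http://www.w3.org/2009/xmlenc11#aes128-gcm": 128,
                      "http://www.w3.org/2009/xmlenc11#aes256-gcm": 256}


def _elem_id(elem):
    return elem.get("Id") or elem.get("ID")


def find_encrypted_keys(encrypted_assertion):
    """Return [(placement, EncryptedKey element)] for every EncryptedKey that
    applies to the EncryptedData of the given saml2:EncryptedAssertion."""
    enc_data = encrypted_assertion.find("xenc:EncryptedData", NS)
    if enc_data is None:
        raise ValueError("EncryptedAssertion has no EncryptedData child")
    found = []  # first matching placement wins; an element is listed once

    def add(placement, ek):
        if all(ek is not seen for _, seen in found):
            found.append((placement, ek))

    # 1. Child of EncryptedData/KeyInfo: the only placement that
    #    getEncryptedData().getKeyInfo().getEncryptedKeys() covers.
    for ek in enc_data.findall("ds:KeyInfo/xenc:EncryptedKey", NS):
        add("inline-keyinfo", ek)
    # Siblings of EncryptedData (the layout reported for Okta), indexed by Id.
    siblings = encrypted_assertion.findall("xenc:EncryptedKey", NS)
    by_id = {_elem_id(ek): ek for ek in siblings if _elem_id(ek)}
    # 2. KeyInfo/RetrievalMethod of Type EncryptedKey pointing at "#id".
    for rm in enc_data.findall("ds:KeyInfo/ds:RetrievalMethod", NS):
        uri = rm.get("URI", "")
        if rm.get("Type") == ENCRYPTED_KEY_TYPE and uri.startswith("#") and uri[1:] in by_id:
            add("retrieval-method", by_id[uri[1:]])
    # 3. Sibling whose ReferenceList/DataReference names this EncryptedData,
    #    or a sibling carrying no ReferenceList at all.
    data_id = _elem_id(enc_data)
    for ek in siblings:
        refs = [r.get("URI") for r in ek.findall("xenc:ReferenceList/xenc:DataReference", NS)]
        if data_id and "#" + data_id in refs:
            add("sibling-datareference", ek)
        elif not refs:
            add("sibling-unreferenced", ek)
    return found


def data_key_bits(encrypted_assertion):
    """Symmetric key length the EncryptedData algorithm requires, or None."""
    method = encrypted_assertion.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
    return None if method is None else ALGORITHM_KEY_BITS.get(method.get("Algorithm"))


def describe(xml_text):
    """Parse an EncryptedAssertion and report key placements plus key size."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EncryptedAssertion" % NS["saml2"]:
        raise ValueError("expected saml2:EncryptedAssertion, got " + root.tag)
    return {"placements": [p for p, _ in find_encrypted_keys(root)],
            "key_bits": data_key_bits(root)}


# Constructed samples with placeholder ciphertext; not captured IdP output.
_HEAD = ('<saml2:EncryptedAssertion xmlns:saml2="%(saml2)s" '
         'xmlns:xenc="%(xenc)s" xmlns:ds="%(ds)s">' % NS)
_TAIL = "</saml2:EncryptedAssertion>"


def _enc_key(reference_list=""):
    return ('<xenc:EncryptedKey Id="_ek1"><xenc:EncryptionMethod '
            'Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><xenc:CipherData>'
            '<xenc:CipherValue>PLACEHOLDER_WRAPPED_KEY</xenc:CipherValue></xenc:CipherData>'
            + reference_list + '</xenc:EncryptedKey>')


def _enc_data(key_info_inner=""):
    key_info = "<ds:KeyInfo>" + key_info_inner + "</ds:KeyInfo>" if key_info_inner else ""
    return ('<xenc:EncryptedData Id="_ed1" Type="http://www.w3.org/2001/04/xmlenc#Element">'
            '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>'
            + key_info + '<xenc:CipherData><xenc:CipherValue>PLACEHOLDER_ASSERTION'
            '</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>')


SAMPLE_INLINE = _HEAD + _enc_data(_enc_key()) + _TAIL       # what the authenticator reads
SAMPLE_SIBLING = _HEAD + _enc_data() + _enc_key(            # the Okta layout from the report
    '<xenc:ReferenceList><xenc:DataReference URI="#_ed1"/></xenc:ReferenceList>') + _TAIL
SAMPLE_RETRIEVAL = _HEAD + _enc_data(                        # third xmlenc option
    '<ds:RetrievalMethod Type="%s" URI="#_ek1"/>' % ENCRYPTED_KEY_TYPE) + _enc_key() + _TAIL

if __name__ == "__main__":
    for name, doc in (("inline", SAMPLE_INLINE), ("sibling", SAMPLE_SIBLING),
                      ("retrieval", SAMPLE_RETRIEVAL)):
        print(name, describe(doc))
```

Running the script prints the placement found for each sample; an operator triaging the Okta failure can pass the EncryptedAssertion element from a captured (decoded) response to describe() to see which placement the IdP uses. On the Java side, OpenSAML 2 already ships resolvers for each placement (InlineEncryptedKeyResolver, SimpleRetrievalMethodEncryptedKeyResolver and EncryptedElementTypeEncryptedKeyResolver, combinable through ChainingEncryptedKeyResolver), so the interoperability fix the reporter asks for is to resolve the key through such a chain rather than through the KeyInfo child list alone. For the second trace, a key_bits of 256 on a JVM whose crypto policy still limits AES to 128 bits is the condition behind "Illegal key size"; JDK 8u161 and later default to the unlimited policy, older JVMs need it enabled.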
