Hi Milinda, If we select "Use Local Claim Dialect" in claim configuration section of the IDP, role claim URI will be set to "http://wso2.org/claims/role"; by default in the current implementation. So if second IS doesn't return a value for role claim, adding user to LDAP will fail as role has no value (Although stack trace doesn't show the actual cause).
Possible workarounds, 1. In the SP configuration of the second IS, add " http://wso2.org/claims/role"; as a requested claim. So first IS will receive a value for role claim. 2. Define a custom claim dialect between the two IS servers. This way role claim URI value doesn't get saved unless you select it from the drop-down. Option 1 is better in my opinion. Also we should add this to the documentation. Thanks, Thanuja. On Fri, Nov 21, 2014 at 6:09 PM, Dulanja Liyanage <[email protected]> wrote: > Hi Milinda, > > Seems this user is already provisioned - probably in a previous login > attempt. Could you please confirm that? If that's the case, I don't think > we have to worry about this. > > Thanks, > Dulanja > > On Fri, Nov 21, 2014 at 4:47 PM, Milinda Perera <[email protected]> wrote: > >> Hi, >> >> I was able to set up successfully SAML SSO with federated authentication >> using two Identity Servers [1] and SSO works fine (with travelocity >> sample). But when I enable JIT provisioning, I'm getting following >> provisioning failure error (Note : SSO works fine even after enabling JIT >> provisioning). >> >> Back-end error trace: >> >> [2014-11-21 15:21:30,053] ERROR >> {org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager} >> - >> org.wso2.carbon.identity.application.authenticator.samlsso.exception.SAMLSSOException: >> Error when decoding the SAML Request. >> [2014-11-21 15:21:44,790] ERROR >> {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} >> - User provisioning failed! >> org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException: >> Error while provisioning user : IS2User1 >> at >> org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:177) >> at >> org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handleJitProvisioning(DefaultStepBasedSequenceHandler.java:636) >> at >> org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handlePostAuthentication(DefaultStepBasedSequenceHandler.java:354) >> at >> org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:133) >> at >> org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:109) >> at >> org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:90) >> at >> org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:54) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:755) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:848) >> at >> org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37) >> at >> org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61) >> at >> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128) >> at >> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:848) >> at >> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) >> at >> org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) >> at >> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) >> at >> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) >> at >> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) >> at >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) >> at >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) >> at >> org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178) >> at >> org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47) >> at >> org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56) >> at >> org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47) >> at >> org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141) >> at >> org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156) >> at >> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936) >> at >> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52) >> at >> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) >> at >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) >> at >> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004) >> at >> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589) >> at >> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) >> at java.lang.Thread.run(Thread.java:662) >> Caused by: org.wso2.carbon.user.core.UserStoreException: Can not access >> the directory context or user already exists in the system >> at >> org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.doAddUser(ReadWriteLDAPUserStoreManager.java:266) >> at >> org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:1141) >> at >> org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:1164) >> at >> org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:160) >> ... 40 more >> >> Any idea about this? >> >> [1] >> https://docs.wso2.com/display/IS500/Connecting+Two+Identity+Servers+with+SAML+SSO >> >> Thanks, >> Milinda >> >> -- >> Milinda Perera >> Software Engineer; >> WSO2 Inc. http://wso2.com , >> Mobile: (+94) 714 115 032 >> >> > > > -- > Dulanja Liyanage > WSO2 Inc. > M: +94776764717 > -- *Thanuja Lakmal* Software Engineer WSO2 Inc. http://wso2.com/ *lean.enterprise.middleware* Mobile: +94715979891 +94758009992
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
