Hi Thanuja & Dulanja, @Dulanja : I checked that the user does not get provisioned in primary IS. @Thanuja : I tried workaround 1, but didn't work.
It's confusing because JIT provisioning with SAML SSO works successfully in our test cases. Thanks, Milinda On Sat, Nov 22, 2014 at 7:06 PM, Thanuja Jayasinghe <[email protected]> wrote: > Hi Milinda, > > If we select "Use Local Claim Dialect" in claim configuration section of > the IDP, role claim URI will be set to "http://wso2.org/claims/role"; by > default in the current implementation. So if second IS doesn't return a > value for role claim, adding user to LDAP will fail as role has no value > (Although stack trace doesn't show the actual cause). > > Possible workarounds, > > 1. In the SP configuration of the second IS, add " > http://wso2.org/claims/role"; as a requested claim. So first IS will > receive a value for role claim. > > 2. Define a custom claim dialect between the two IS servers. This way role > claim URI value doesn't get saved unless you select it from the drop-down. > > Option 1 is better in my opinion. Also we should add this to the > documentation. > > Thanks, > Thanuja. > > On Fri, Nov 21, 2014 at 6:09 PM, Dulanja Liyanage <[email protected]> > wrote: > >> Hi Milinda, >> >> Seems this user is already provisioned - probably in a previous login >> attempt. Could you please confirm that? If that's the case, I don't think >> we have to worry about this. >> >> Thanks, >> Dulanja >> >> On Fri, Nov 21, 2014 at 4:47 PM, Milinda Perera <[email protected]> >> wrote: >> >>> Hi, >>> >>> I was able to set up successfully SAML SSO with federated authentication >>> using two Identity Servers [1] and SSO works fine (with travelocity >>> sample). But when I enable JIT provisioning, I'm getting following >>> provisioning failure error (Note : SSO works fine even after enabling JIT >>> provisioning). >>> >>> Back-end error trace: >>> >>> [2014-11-21 15:21:30,053] ERROR >>> {org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager} >>> - >>> org.wso2.carbon.identity.application.authenticator.samlsso.exception.SAMLSSOException: >>> Error when decoding the SAML Request. >>> [2014-11-21 15:21:44,790] ERROR >>> {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} >>> - User provisioning failed! >>> org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException: >>> Error while provisioning user : IS2User1 >>> at >>> org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:177) >>> at >>> org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handleJitProvisioning(DefaultStepBasedSequenceHandler.java:636) >>> at >>> org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handlePostAuthentication(DefaultStepBasedSequenceHandler.java:354) >>> at >>> org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:133) >>> at >>> org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:109) >>> at >>> org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:90) >>> at >>> org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:54) >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:755) >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:848) >>> at >>> org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37) >>> at >>> org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61) >>> at >>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128) >>> at >>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60) >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:848) >>> at >>> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68) >>> at >>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) >>> at >>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) >>> at >>> org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61) >>> at >>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) >>> at >>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) >>> at >>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) >>> at >>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) >>> at >>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) >>> at >>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) >>> at >>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) >>> at >>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178) >>> at >>> org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47) >>> at >>> org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56) >>> at >>> org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47) >>> at >>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141) >>> at >>> org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156) >>> at >>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936) >>> at >>> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52) >>> at >>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) >>> at >>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) >>> at >>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004) >>> at >>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589) >>> at >>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653) >>> at >>> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) >>> at >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) >>> at java.lang.Thread.run(Thread.java:662) >>> Caused by: org.wso2.carbon.user.core.UserStoreException: Can not access >>> the directory context or user already exists in the system >>> at >>> org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.doAddUser(ReadWriteLDAPUserStoreManager.java:266) >>> at >>> org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:1141) >>> at >>> org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:1164) >>> at >>> org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:160) >>> ... 40 more >>> >>> Any idea about this? >>> >>> [1] >>> https://docs.wso2.com/display/IS500/Connecting+Two+Identity+Servers+with+SAML+SSO >>> >>> Thanks, >>> Milinda >>> >>> -- >>> Milinda Perera >>> Software Engineer; >>> WSO2 Inc. http://wso2.com , >>> Mobile: (+94) 714 115 032 >>> >>> >> >> >> -- >> Dulanja Liyanage >> WSO2 Inc. >> M: +94776764717 >> > > > > -- > *Thanuja Lakmal* > Software Engineer > WSO2 Inc. http://wso2.com/ > *lean.enterprise.middleware* > Mobile: +94715979891 +94758009992 > -- Milinda Perera Software Engineer; WSO2 Inc. http://wso2.com , Mobile: (+94) 714 115 032
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
