Hi Milinda, What are the reqested claims you added in second IS? Did you add the given name also? If not please add and check. This worked for me in a fresh pack.
Thanks, Thanuja. On 24 Nov 2014 00:29, "Milinda Perera" <[email protected]> wrote: > Hi Thanuja & Dulanja, > > @Dulanja : I checked that the user does not get provisioned in primary IS. > @Thanuja : I tried workaround 1, but didn't work. > > It's confusing because JIT provisioning with SAML SSO works successfully > in our test cases. > > Thanks, > Milinda > > On Sat, Nov 22, 2014 at 7:06 PM, Thanuja Jayasinghe <[email protected]> > wrote: > >> Hi Milinda, >> >> If we select "Use Local Claim Dialect" in claim configuration section of >> the IDP, role claim URI will be set to "http://wso2.org/claims/role"; by >> default in the current implementation. So if second IS doesn't return a >> value for role claim, adding user to LDAP will fail as role has no value >> (Although stack trace doesn't show the actual cause). >> >> Possible workarounds, >> >> 1. In the SP configuration of the second IS, add " >> http://wso2.org/claims/role"; as a requested claim. So first IS will >> receive a value for role claim. >> >> 2. Define a custom claim dialect between the two IS servers. This way >> role claim URI value doesn't get saved unless you select it from the >> drop-down. >> >> Option 1 is better in my opinion. Also we should add this to the >> documentation. >> >> Thanks, >> Thanuja. >> >> On Fri, Nov 21, 2014 at 6:09 PM, Dulanja Liyanage <[email protected]> >> wrote: >> >>> Hi Milinda, >>> >>> Seems this user is already provisioned - probably in a previous login >>> attempt. Could you please confirm that? If that's the case, I don't think >>> we have to worry about this. >>> >>> Thanks, >>> Dulanja >>> >>> On Fri, Nov 21, 2014 at 4:47 PM, Milinda Perera <[email protected]> >>> wrote: >>> >>>> Hi, >>>> >>>> I was able to set up successfully SAML SSO with federated >>>> authentication using two Identity Servers [1] and SSO works fine (with >>>> travelocity sample). But when I enable JIT provisioning, I'm getting >>>> following provisioning failure error (Note : SSO works fine even after >>>> enabling JIT provisioning). >>>> >>>> Back-end error trace: >>>> >>>> [2014-11-21 15:21:30,053] ERROR >>>> {org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager} >>>> - >>>> org.wso2.carbon.identity.application.authenticator.samlsso.exception.SAMLSSOException: >>>> Error when decoding the SAML Request. >>>> [2014-11-21 15:21:44,790] ERROR >>>> {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} >>>> - User provisioning failed! >>>> org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException: >>>> Error while provisioning user : IS2User1 >>>> at >>>> org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:177) >>>> at >>>> org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handleJitProvisioning(DefaultStepBasedSequenceHandler.java:636) >>>> at >>>> org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handlePostAuthentication(DefaultStepBasedSequenceHandler.java:354) >>>> at >>>> org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:133) >>>> at >>>> org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:109) >>>> at >>>> org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:90) >>>> at >>>> org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:54) >>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:755) >>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:848) >>>> at >>>> org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37) >>>> at >>>> org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61) >>>> at >>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128) >>>> at >>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60) >>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:848) >>>> at >>>> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68) >>>> at >>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) >>>> at >>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) >>>> at >>>> org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61) >>>> at >>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) >>>> at >>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) >>>> at >>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) >>>> at >>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) >>>> at >>>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) >>>> at >>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) >>>> at >>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) >>>> at >>>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178) >>>> at >>>> org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47) >>>> at >>>> org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56) >>>> at >>>> org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47) >>>> at >>>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141) >>>> at >>>> org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156) >>>> at >>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936) >>>> at >>>> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52) >>>> at >>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) >>>> at >>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) >>>> at >>>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004) >>>> at >>>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589) >>>> at >>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653) >>>> at >>>> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) >>>> at >>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) >>>> at java.lang.Thread.run(Thread.java:662) >>>> Caused by: org.wso2.carbon.user.core.UserStoreException: Can not access >>>> the directory context or user already exists in the system >>>> at >>>> org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.doAddUser(ReadWriteLDAPUserStoreManager.java:266) >>>> at >>>> org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:1141) >>>> at >>>> org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:1164) >>>> at >>>> org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:160) >>>> ... 40 more >>>> >>>> Any idea about this? >>>> >>>> [1] >>>> https://docs.wso2.com/display/IS500/Connecting+Two+Identity+Servers+with+SAML+SSO >>>> >>>> Thanks, >>>> Milinda >>>> >>>> -- >>>> Milinda Perera >>>> Software Engineer; >>>> WSO2 Inc. http://wso2.com , >>>> Mobile: (+94) 714 115 032 >>>> >>>> >>> >>> >>> -- >>> Dulanja Liyanage >>> WSO2 Inc. >>> M: +94776764717 >>> >> >> >> >> -- >> *Thanuja Lakmal* >> Software Engineer >> WSO2 Inc. http://wso2.com/ >> *lean.enterprise.middleware* >> Mobile: +94715979891 +94758009992 >> > > > > -- > Milinda Perera > Software Engineer; > WSO2 Inc. http://wso2.com , > Mobile: (+94) 714 115 032 > >
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
