Also check whether role value comes with SAML response. On 24 Nov 2014 07:55, "Thanuja Jayasinghe" <than...@wso2.com> wrote:
> Hi Milinda, > > What are the reqested claims you added in second IS? Did you add the given > name also? If not please add and check. This worked for me in a fresh pack. > > Thanks, > Thanuja. > On 24 Nov 2014 00:29, "Milinda Perera" <milin...@wso2.com> wrote: > >> Hi Thanuja & Dulanja, >> >> @Dulanja : I checked that the user does not get provisioned in primary IS. >> @Thanuja : I tried workaround 1, but didn't work. >> >> It's confusing because JIT provisioning with SAML SSO works successfully >> in our test cases. >> >> Thanks, >> Milinda >> >> On Sat, Nov 22, 2014 at 7:06 PM, Thanuja Jayasinghe <than...@wso2.com> >> wrote: >> >>> Hi Milinda, >>> >>> If we select "Use Local Claim Dialect" in claim configuration section of >>> the IDP, role claim URI will be set to "http://wso2.org/claims/role" by >>> default in the current implementation. So if second IS doesn't return a >>> value for role claim, adding user to LDAP will fail as role has no value >>> (Although stack trace doesn't show the actual cause). >>> >>> Possible workarounds, >>> >>> 1. In the SP configuration of the second IS, add " >>> http://wso2.org/claims/role" as a requested claim. So first IS will >>> receive a value for role claim. >>> >>> 2. Define a custom claim dialect between the two IS servers. This way >>> role claim URI value doesn't get saved unless you select it from the >>> drop-down. >>> >>> Option 1 is better in my opinion. Also we should add this to the >>> documentation. >>> >>> Thanks, >>> Thanuja. >>> >>> On Fri, Nov 21, 2014 at 6:09 PM, Dulanja Liyanage <dula...@wso2.com> >>> wrote: >>> >>>> Hi Milinda, >>>> >>>> Seems this user is already provisioned - probably in a previous login >>>> attempt. Could you please confirm that? If that's the case, I don't think >>>> we have to worry about this. >>>> >>>> Thanks, >>>> Dulanja >>>> >>>> On Fri, Nov 21, 2014 at 4:47 PM, Milinda Perera <milin...@wso2.com> >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> I was able to set up successfully SAML SSO with federated >>>>> authentication using two Identity Servers [1] and SSO works fine (with >>>>> travelocity sample). But when I enable JIT provisioning, I'm getting >>>>> following provisioning failure error (Note : SSO works fine even after >>>>> enabling JIT provisioning). >>>>> >>>>> Back-end error trace: >>>>> >>>>> [2014-11-21 15:21:30,053] ERROR >>>>> {org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager} >>>>> - >>>>> org.wso2.carbon.identity.application.authenticator.samlsso.exception.SAMLSSOException: >>>>> Error when decoding the SAML Request. >>>>> [2014-11-21 15:21:44,790] ERROR >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} >>>>> - User provisioning failed! >>>>> org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException: >>>>> Error while provisioning user : IS2User1 >>>>> at >>>>> org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:177) >>>>> at >>>>> org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handleJitProvisioning(DefaultStepBasedSequenceHandler.java:636) >>>>> at >>>>> org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handlePostAuthentication(DefaultStepBasedSequenceHandler.java:354) >>>>> at >>>>> org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:133) >>>>> at >>>>> org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:109) >>>>> at >>>>> org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:90) >>>>> at >>>>> org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:54) >>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:755) >>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:848) >>>>> at >>>>> org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37) >>>>> at >>>>> org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61) >>>>> at >>>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128) >>>>> at >>>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60) >>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:848) >>>>> at >>>>> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68) >>>>> at >>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) >>>>> at >>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) >>>>> at >>>>> org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61) >>>>> at >>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) >>>>> at >>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) >>>>> at >>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) >>>>> at >>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) >>>>> at >>>>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) >>>>> at >>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) >>>>> at >>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) >>>>> at >>>>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178) >>>>> at >>>>> org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47) >>>>> at >>>>> org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56) >>>>> at >>>>> org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47) >>>>> at >>>>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141) >>>>> at >>>>> org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156) >>>>> at >>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936) >>>>> at >>>>> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52) >>>>> at >>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) >>>>> at >>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) >>>>> at >>>>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004) >>>>> at >>>>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589) >>>>> at >>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653) >>>>> at >>>>> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) >>>>> at >>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) >>>>> at java.lang.Thread.run(Thread.java:662) >>>>> Caused by: org.wso2.carbon.user.core.UserStoreException: Can not >>>>> access the directory context or user already exists in the system >>>>> at >>>>> org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.doAddUser(ReadWriteLDAPUserStoreManager.java:266) >>>>> at >>>>> org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:1141) >>>>> at >>>>> org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:1164) >>>>> at >>>>> org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:160) >>>>> ... 40 more >>>>> >>>>> Any idea about this? >>>>> >>>>> [1] >>>>> https://docs.wso2.com/display/IS500/Connecting+Two+Identity+Servers+with+SAML+SSO >>>>> >>>>> Thanks, >>>>> Milinda >>>>> >>>>> -- >>>>> Milinda Perera >>>>> Software Engineer; >>>>> WSO2 Inc. http://wso2.com , >>>>> Mobile: (+94) 714 115 032 >>>>> >>>>> >>>> >>>> >>>> -- >>>> Dulanja Liyanage >>>> WSO2 Inc. >>>> M: +94776764717 >>>> >>> >>> >>> >>> -- >>> *Thanuja Lakmal* >>> Software Engineer >>> WSO2 Inc. http://wso2.com/ >>> *lean.enterprise.middleware* >>> Mobile: +94715979891 +94758009992 >>> >> >> >> >> -- >> Milinda Perera >> Software Engineer; >> WSO2 Inc. http://wso2.com , >> Mobile: (+94) 714 115 032 >> >>
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev