That works!!!

Is it possible for you to explain what the 'Use user store domain in local 
subject identifier' option does?

Thanks,
Javier

From: Omindu Rathnaweera [mailto:omi...@wso2.com]
Sent: Saturday, June 03, 2017 3:21 AM
To: Vazquez-Hidalgo, Javier
Cc: Isura Karunaratne; dev@wso2.org
Subject: Re: [Dev] API 2.1.0 + Identity Server 5.3.0

Hi Javier,

In the Identity Server SP configs, under the 'Local & Outbound Authentication 
Configuration' section, there's a checkbox 'Use user store domain in local 
subject identifier'. Can you tick that checkbox and see whether the issue is 
getting resolved?

Regards,
Omindu.



On Thu, Jun 1, 2017 at 6:28 PM, Vazquez-Hidalgo, Javier 
<javier.vazquez-hida...@tdsecurities.com> wrote:
Hi Isura,

Thanks for your response. I added the secondary user store to the API Manager 
and the problem goes away ONLY if I disable SSO on the store. With SSO enabled 
I can only log in with users from the primary store.

Any ideas on how to get it working with SSO?

Thanks,
Javier

From: Isura Karunaratne [mailto:is...@wso2.com]
Sent: Wednesday, May 31, 2017 6:26 AM
To: Vazquez-Hidalgo, Javier
Cc: dev@wso2.org
Subject: Re: [Dev] API 2.1.0 + Identity Server 5.3.0

Hi Javier,

It looks like you have not configured the secondary user store in the API 
Manager instance. You can get rid of the authorization issue by configuring the 
read-only secondary user store in APIM as well.

Since authorization is handled in the APIM instance, the user store should be 
shared with APIM as well.

Thanks
Isura.

On Tue, May 30, 2017 at 7:18 PM, Vazquez-Hidalgo, Javier 
<javier.vazquez-hida...@tdsecurities.com> wrote:
Hi Isura,

In the log files, please search for “vazquj2”. That is the user who fails to 
log in. I’ll send the conf files shortly. After more research it seems that APIM 
is looking for user roles in UM_ROLES instead of UM_HYBRID_ROLES.

Thanks,
Javier

From: Isura Karunaratne [mailto:is...@wso2.com]
Sent: Monday, May 29, 2017 1:24 AM
To: Vazquez-Hidalgo, Javier
Cc: dev@wso2.org
Subject: Re: [Dev] API 2.1.0 + Identity Server 5.3.0

Hi Javier,

According to the apim-wso2carbon.log file, only the admin user tried to log in 
to the APIM instance, and it was a successful login. Please attach the log once 
the store login failure occurs. Also, attach the conf folders of each product.

Thanks
Isura.

On Fri, May 26, 2017 at 8:56 PM, Vazquez-Hidalgo, Javier 
<javier.vazquez-hida...@tdsecurities.com> wrote:
Hi Isura,

Thanks for your help!

Attached to the email are both logs with 
“log4j.logger.org.wso2.carbon.user.core=DEBUG” enabled.

Regards,
Javier

From: Isura Karunaratne [mailto:is...@wso2.com]
Sent: Friday, May 26, 2017 3:10 AM
To: Vazquez-Hidalgo, Javier
Cc: dev@wso2.org
Subject: Re: [Dev] API 2.1.0 + Identity Server 5.3.0

Hi Javier,

We need additional information to analyze the issue. Attach the wso2carbon.log 
file after enabling the debug logs for the org.wso2.carbon.user.core package as 
follows.

Add the following entry to the /repository/conf/log4j.properties file:

log4j.logger.org.wso2.carbon.user.core=DEBUG


Thanks
Isura.

On Fri, May 26, 2017 at 12:50 AM, Vazquez-Hidalgo, Javier 
<javier.vazquez-hida...@tdsecurities.com> wrote:
Hello,

I’m trying to set up APIM 2.1.0 + Identity Server 5.3.0 on separate boxes. At 
this point I have all configurations in place with shared databases and I added 
a secondary User Store (Read-Only LDAP) on the Identity Server and I’m able to 
assign permissions, etc.

The problem I’m having is that when I try to log in to the API Store using a 
user from the secondary user store I get the following error in the login 
screen:

“Error! Login failed. Insufficient Privileges.”

APIM Logs:
-------------

[2017-05-25 14:49:52,812] ERROR - JDBCAuthorizationManager Error occurred while accessing Java Security Manager Privilege Block
[2017-05-25 14:49:52,812] ERROR - APIStoreHostObject Login failed. Insufficient Privileges.

IS Log:
-----------
[2017-05-25 14:49:52,498]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  'DOMAIN/xxx@carbon.super [-1234]' logged in at [2017-05-25 14:49:52,497-0400]

So, it seems that the user is authenticated but something is happening.

Just to be clear, the user from the secondary user store has 
“Internal/subscriber” role which should be sufficient to login.

I also created a test user in the IS primary store and assigned 
“Internal/subscriber” role and that worked fine.


Any help or pointers are appreciated.

Thanks,
Javier Vazquez





_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev



--
Isura Dilhara Karunaratne
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/









--
Omindu Rathnaweera
Senior Software Engineer, WSO2 Inc.
Mobile: +94 771 197 211
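
The first message in this thread shows the Identity Server logging a successful login about 0.3 s before the API Store reports "Insufficient Privileges". The script below is an added example, not code from the thread or from WSO2, that pairs such events across the two logs and reports the user store domain of each authenticated-but-denied user. It assumes both servers' clocks are synchronized and log in the same time zone; the function names, the 5-second window and the second IS log line are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed samples modelled on the two excerpts in the thread (wrapped lines rejoined).
IS_LOG = """\
[2017-05-25 14:49:52,498]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  'DOMAIN/xxx@carbon.super [-1234]' logged in at [2017-05-25 14:49:52,497-0400]
[2017-05-25 14:55:10,120]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  'testuser@carbon.super [-1234]' logged in at [2017-05-25 14:55:10,119-0400]
"""
APIM_LOG = """\
[2017-05-25 14:49:52,812] ERROR - JDBCAuthorizationManager Error occurred while accessing Java Security Manager Privilege Block
[2017-05-25 14:49:52,812] ERROR - APIStoreHostObject Login failed. Insufficient Privileges.
"""

TS = r"(?m)^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\]"
# IS success line: '<user>@<tenant> [<tenant id>]' logged in
IS_LOGIN = re.compile(
    TS + r"\s+INFO .*?'(?P<user>[^'\[]+?)@(?P<tenant>[^@'\s]+) \[-?\d+\]' logged in")
# API Store denial line (carries no username, so pairing is by time only)
APIM_DENY = re.compile(
    TS + r"\s+ERROR - APIStoreHostObject Login failed\. Insufficient Privileges\.")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S,%f")

def parse_logins(text):
    """Return successful IS logins with the user store domain split out."""
    out = []
    for m in IS_LOGIN.finditer(text):
        user = m.group("user")
        # No "DOMAIN/" prefix is taken to mean the primary user store (assumption).
        domain = user.split("/", 1)[0] if "/" in user else "PRIMARY"
        out.append({"time": _ts(m.group(1)), "user": user,
                    "tenant": m.group("tenant"), "domain": domain})
    return out

def authenticated_but_denied(is_log, apim_log, window_s=5):
    """Pair each API Store denial with IS logins in the preceding window."""
    logins = parse_logins(is_log)
    hits = []
    for m in APIM_DENY.finditer(apim_log):
        t = _ts(m.group(1))
        for login in logins:
            gap = t - login["time"]
            if timedelta(0) < gap <= timedelta(seconds=window_s):
                hits.append((login["user"], login["domain"], gap.total_seconds()))
    return hits

if __name__ == "__main__":
    for user, domain, gap in authenticated_but_denied(IS_LOG, APIM_LOG):
        print(f"{user} (user store {domain}) authenticated, denied {gap:.3f}s later")
```

A hit whose domain is not PRIMARY points at the situation discussed in this thread: the user authenticates against a secondary user store on the Identity Server, but the API Manager cannot authorize that user.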