Re: [Dev] [IS] Getting error after enabling JIT provisioning in SAML SSO federated authentication setup
Hi Thanuja,

I made a mistake when trying your previous suggestion, I have added http://wso2.org/claims/role as a requested claim in first IS which you told to add it to second IS. After adding requested role claim to second IS, JIT provisioning works fine.

But when I debug JIT provisioning test case I see user get provisioned in first IS without setting http://wso2.org/claims/role as a requested claim in second IS.

Thanks all for help / suggestions to solve my configuration mistake :). If we must add http://wso2.org/claims/role as a requested claim in second IS, as Thanuja suggested it's better if we update documentation :)

Thanks,
Milinda

On Mon, Nov 24, 2014 at 11:50 AM, Gayan Gunawardana ga...@wso2.com wrote:
> Hi Dulanja,
>
> On Fri, Nov 21, 2014 at 6:09 PM, Dulanja Liyanage dula...@wso2.com wrote:
>> Hi Milinda,
>> Seems this user is already provisioned - probably in a previous login attempt. Could you please confirm that? If that's the case, I don't think we have to worry about this.
>> Thanks, Dulanja
>
> I have experienced this scenario, according to my observations we do not throw any exceptions. If user is already provisioned simply ignore provisioning.
>
> --
> Gayan Gunawardana
> Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: ga...@wso2.com Mobile: +94 (71) 8020933

--
Milinda Perera
Software Engineer; WSO2 Inc. http://wso2.com, Mobile: (+94) 714 115 032

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] [IS] Getting error after enabling JIT provisioning in SAML SSO federated authentication setup
Noted.

Thanks,
Samuel Gnaniah
Senior Technical Writer
WSO2 (pvt.) Ltd. Colombo, Sri Lanka
(+94) 773131798
Re: [Dev] [IS] Getting error after enabling JIT provisioning in SAML SSO federated authentication setup
Hi all,

This seems a bug, and already reported in jira [1]. No need to update documentation.

[1] https://wso2.org/jira/browse/IDENTITY-2642

Thanks,
Milinda
Re: [Dev] [IS] Getting error after enabling JIT provisioning in SAML SSO federated authentication setup
Hi Thanuja Dulanja,

@Dulanja : I checked that the user does not get provisioned in primary IS.

@Thanuja : I tried workaround 1, but didn't work.

It's confusing because JIT provisioning with SAML SSO works successfully in our test cases.

Thanks,
Milinda
Re: [Dev] [IS] Getting error after enabling JIT provisioning in SAML SSO federated authentication setup
Also check whether role value comes with SAML response.

On 24 Nov 2014 07:55, Thanuja Jayasinghe than...@wso2.com wrote:
> Hi Milinda,
>
> What are the requested claims you added in second IS? Did you add the given name also? If not please add and check. This worked for me in a fresh pack.
>
> Thanks,
> Thanuja.
Re: [Dev] [IS] Getting error after enabling JIT provisioning in SAML SSO federated authentication setup
Hi Milinda,

If we select Use Local Claim Dialect in claim configuration section of the IDP, role claim URI will be set to http://wso2.org/claims/role by default in the current implementation. So if second IS doesn't return a value for role claim, adding user to LDAP will fail as role has no value (Although stack trace doesn't show the actual cause).

Possible workarounds,

1. In the SP configuration of the second IS, add http://wso2.org/claims/role as a requested claim. So first IS will receive a value for role claim.
2. Define a custom claim dialect between the two IS servers. This way role claim URI value doesn't get saved unless you select it from the drop-down.

Option 1 is better in my opinion. Also we should add this to the documentation.

Thanks,
Thanuja.
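Added example, not part of the original thread and not WSO2 code: a diagnostic for the check suggested in the replies above, listing which required claim URIs (here the role claim) arrive without a value in the SAML response the first IS receives. The function names, the given-name claim used as the second attribute and the sample responses are constructed for illustration.

```python
"""Diagnostic: list required claims missing from a SAML 2.0 Response."""
import base64
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_CLAIM = "http://wso2.org/claims/role"             # URI from the thread
GIVEN_NAME_CLAIM = "http://wso2.org/claims/givenname"  # sample second claim


def decode_post_binding(saml_response_b64):
    """Decode the base64 SAMLResponse form field of the HTTP-POST binding."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def extract_claims(response_xml):
    """Map each Attribute Name to its non-empty AttributeValue strings."""
    # Diagnostic only: no signature validation, and ElementTree is not a
    # hardened parser, so use it on responses captured from your own setup.
    root = ET.fromstring(response_xml)
    claims = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = claims.setdefault(attr.get("Name"), [])
        for value in attr.findall("saml2:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:  # an empty AttributeValue counts as "no value"
                values.append(text)
    return claims


def missing_claims(response_xml, required=(ROLE_CLAIM,)):
    """Return the required claim URIs that are absent or carry no value."""
    claims = extract_claims(response_xml)
    return [uri for uri in required if not claims.get(uri)]


def build_sample(attributes):
    """Constructed sample: a minimal, unsigned Response for user IS2User1."""
    parts = []
    for name, values in attributes.items():
        vals = "".join(
            f"<saml2:AttributeValue>{v}</saml2:AttributeValue>" for v in values
        )
        parts.append(f'<saml2:Attribute Name="{name}">{vals}</saml2:Attribute>')
    return (
        '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml2:Assertion>"
        "<saml2:Subject><saml2:NameID>IS2User1</saml2:NameID></saml2:Subject>"
        f"<saml2:AttributeStatement>{''.join(parts)}</saml2:AttributeStatement>"
        "</saml2:Assertion></saml2p:Response>"
    )


# Constructed inputs: role not requested, role sent but empty, role sent.
NO_ROLE = build_sample({GIVEN_NAME_CLAIM: ["IS2"]})
EMPTY_ROLE = build_sample({GIVEN_NAME_CLAIM: ["IS2"], ROLE_CLAIM: [""]})
WITH_ROLE = build_sample({GIVEN_NAME_CLAIM: ["IS2"], ROLE_CLAIM: ["Internal/everyone"]})

if __name__ == "__main__":
    for label, xml in (("no role", NO_ROLE), ("empty role", EMPTY_ROLE),
                       ("with role", WITH_ROLE)):
        print(label, "-> missing:", missing_claims(xml))
```

Feed it the decoded `SAMLResponse` value captured at the first IS; a non-empty result means the second IS is not releasing that claim.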
[Dev] [IS] Getting error after enabling JIT provisioning in SAML SSO federated authentication setup
Hi,

I was able to set up successfully SAML SSO with federated authentication using two Identity Servers [1] and SSO works fine (with travelocity sample). But when I enable JIT provisioning, I'm getting following provisioning failure error (Note: SSO works fine even after enabling JIT provisioning).

Back-end error trace:

[2014-11-21 15:21:30,053] ERROR {org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager} - org.wso2.carbon.identity.application.authenticator.samlsso.exception.SAMLSSOException: Error when decoding the SAML Request.
[2014-11-21 15:21:44,790] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - User provisioning failed!
org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException: Error while provisioning user : IS2User1
    at org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:177)
    at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handleJitProvisioning(DefaultStepBasedSequenceHandler.java:636)
    at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handlePostAuthentication(DefaultStepBasedSequenceHandler.java:354)
    at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:133)
    at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:109)
    at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:90)
    at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:54)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
    at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
    at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
Re: [Dev] [IS] Getting error after enabling JIT provisioning in SAML SSO federated authentication setup
Hi Milinda,

Seems this user is already provisioned - probably in a previous login attempt. Could you please confirm that? If that's the case, I don't think we have to worry about this.

Thanks,
Dulanja