OpenWIS / openwis

http://openwis.github.io/openwis
GNU General Public License v3.0

OpenWIS MetaData Portal SSO Authentication Error #411

Closed mgiannoni closed 1 year ago

mgiannoni commented 1 year ago

Followed installation guide IG-OpenWIS-3.16-v0.1 section 3, but failed to access the openwis-admin-portal

Portal: Authentication Error

Access denied. You don't have enough credentials to perform this action.

tomcat/logs/openwis.log:

2023-01-11 17:41:06,838 INFO [jeeves.request] - ==========================================================
2023-01-11 17:41:06,838 INFO [jeeves.request] - HTML Request (from 127.0.0.1) : /openwis-admin-portal/srv/en/user.loginCaptcha.get
2023-01-11 17:41:06,838 DEBUG [jeeves.request] - Method : GET
2023-01-11 17:41:06,838 DEBUG [jeeves.request] - Content type : null
2023-01-11 17:41:06,838 DEBUG [jeeves.request] - Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
2023-01-11 17:41:06,838 DEBUG [jeeves.request] - Session id is B157CD898E8714A555F2885C3215EFA0
2023-01-11 17:41:06,839 INFO [jeeves.service] - Dispatching : user.loginCaptcha.get
2023-01-11 17:41:06,839 DEBUG [jeeves.service] - -> no input parameters
2023-01-11 17:41:06,839 INFO [jeeves.service] - -> dispatching to output for : user.loginCaptcha.get
2023-01-11 17:41:06,860 INFO [jeeves.service] - -> output ended for : user.loginCaptcha.get
2023-01-11 17:41:06,860 INFO [jeeves.service] - -> dispatch ended for : user.loginCaptcha.get
2023-01-11 17:41:31,432 DEBUG [Login] - setting Fedlet attributes{OpenWISProfile=[Administrator], mail=[marc.giannoni@noaa.gov], givenname=[Marc], isMemberOf=[cn=DEFAULT,ou=giscdev,ou=groups,dc=opensso,dc=java,dc=net], OpenWISNeedUserAccount=[true], cn=[admin], sn=[Giannoni]}
2023-01-11 17:41:31,433 DEBUG [Login] - setFedletAttributes - username=admin
2023-01-11 17:41:31,433 DEBUG [Login] - setFedletAttributes - sSurname=Giannoni
2023-01-11 17:41:31,433 DEBUG [Login] - setFedletAttributes - sName=Marc
2023-01-11 17:41:31,433 DEBUG [Login] - setFedletAttributes - sProfile=Administrator
2023-01-11 17:41:31,433 DEBUG [Login] - setFedletAttributes - isMemberOf=[cn=DEFAULT,ou=giscdev,ou=groups,dc=opensso,dc=java,dc=net]
2023-01-11 17:41:31,433 DEBUG [Login] - setFedletAttributes - need User Account=true
2023-01-11 17:41:31,433 DEBUG [Login] - setFedletAttributes - email=marc.giannoni@noaa.gov
2023-01-11 17:41:31,433 DEBUG [Login] - Session id is 7B7B66500A87DF3FDAC09316DD6DD8DC
2023-01-11 17:41:31,476 INFO [jeeves.request] - ==========================================================
2023-01-11 17:41:31,476 INFO [jeeves.request] - HTML Request (from 127.0.0.1) : /openwis-admin-portal/srv/en/show.error
2023-01-11 17:41:31,476 DEBUG [jeeves.request] - Method : GET
2023-01-11 17:41:31,476 DEBUG [jeeves.request] - Content type : null
2023-01-11 17:41:31,476 DEBUG [jeeves.request] - Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
2023-01-11 17:41:31,476 DEBUG [jeeves.request] - Session id is 7B7B66500A87DF3FDAC09316DD6DD8DC
2023-01-11 17:41:31,476 INFO [jeeves.service] - User: admin. Dispatching : show.error
2023-01-11 17:41:31,485 DEBUG [jeeves.service] - User: admin. -> parameters are :

Access denied. You don't have enough credentials to perform this action. true

2023-01-11 17:41:31,485 ERROR [jeeves.service] - User: admin. Exception when executing service
2023-01-11 17:41:31,487 ERROR [jeeves.service] - User: admin. (C) Exc : OperationAbortedEx : Access denied. You don't have enough credentials to perform this action.
OperationAbortedEx : Access denied. You don't have enough credentials to perform this action.
	at org.openwis.metadataportal.services.error.ShowError.exec(ShowError.java:31)
	at jeeves.server.dispatchers.ServiceInfo.execService(ServiceInfo.java:243)
	at jeeves.server.dispatchers.ServiceInfo.execServices(ServiceInfo.java:148)
	.......
	at org.openwis.metadataportal.services.login.OpenWisGetToken.forwardError(OpenWisGetToken.java:95)
	at org.openwis.metadataportal.services.login.OpenWisGetToken.service(OpenWisGetToken.java:85)
	.......
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:750)
2023-01-11 17:41:31,488 INFO [jeeves.service] - User: admin. -> dispatching to error for : show.error
2023-01-11 17:41:31,995 INFO [jeeves.service] - User: admin. -> end error transformation for : show.error
2023-01-11 17:41:31,995 INFO [jeeves.service] - User: admin. -> error ended for : show.error

LDAP DataStore: "dc=opensso,dc=java,dc=net"

ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w E99.Qu1ch --baseDN "dc=opensso,dc=java,dc=net" "(objectclass=*)" '*'
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
dn: dc=opensso,dc=java,dc=net
dc: opensso
objectClass: domain
objectClass: top

dn: ou=people,dc=opensso,dc=java,dc=net
objectClass: organizationalUnit
objectClass: top
ou: people

dn: ou=groups,dc=opensso,dc=java,dc=net
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: ou=giscdev,ou=groups,dc=opensso,dc=java,dc=net
objectClass: organizationalUnit
objectClass: top
ou: giscdev

dn: cn=DEFAULT,ou=giscdev,ou=groups,dc=opensso,dc=java,dc=net
cn: DEFAULT
objectClass: groupofuniquenames
objectClass: top
uniqueMember: uid=admin,ou=people,dc=opensso,dc=java,dc=net

dn: ou=GLOBAL,ou=groups,dc=opensso,dc=java,dc=net
objectClass: organizationalUnit
objectClass: top
ou: GLOBAL

dn: cn=Institutional,ou=GLOBAL,ou=groups,dc=opensso,dc=java,dc=net
cn: Institutional
objectClass: groupofuniquenames
objectClass: top

dn: uid=admin,ou=people,dc=opensso,dc=java,dc=net
OpenWISLastLoginTimestamp: 1673452559
OpenWISNeedUserAccount: true
OpenWISProfile: Administrator
OpenWISSecretKey: ATTRIBUTE_NOT_USED
cn: admin
givenName: Marc
inetUserStatus: Active
mail: marc.giannoni@noaa.gov
objectClass: OpenWisUser
objectClass: iPlanetPreferences
objectClass: inetOrgPerson
objectClass: inetuser
objectClass: iplanet-am-auth-configuration-service
objectClass: iplanet-am-managed-person
objectClass: iplanet-am-user-service
objectClass: organizationalPerson
objectClass: person
objectClass: sunAMAuthAccountLockout
objectClass: sunFMSAML2NameIdentifier
objectClass: sunFederationManagerDataStore
objectClass: sunIdentityServerLibertyPPService
objectClass: top
sn: Giannoni
uid: admin
userPassword: {SSHA}5pf9LmwLPeoQVF3/X07NYaDqf8WeFjmwfZlvKA==

PostgreSQL User Table

psql -h giscdev-1.czbts4gd2wm2.us-east-1.rds.amazonaws.com -d openwis postgres
openwis=> select * from users;
 id | username |               password                | surname | name  |    profile    | address | city | state | zip | country | email | organisation | kind |         lastlogin          |     lastpasswordchange
----+----------+---------------------------------------+---------+-------+---------------+---------+------+-------+-----+---------+-------+--------------+------+----------------------------+----------------------------
  1 | admin    | d033e22ae348aeb566fc214aec3585c4da997 | admin   | admin | Administrator |         |      |       |     |         |       |              |      | 2023-01-10 20:19:54.396677 | 2023-01-10 20:19:54.396677
(1 row)

Problem Java Class

/**

Portal: Choose Domain ERROR

2023-01-12 17:10:16,478 ERROR [Login] - Error sending AuthnRequest : No sessionInitToken present

2023-01-12 17:09:49,474 DEBUG [jeeves.request] - Session id is 838EC5810AE132695D26D545702B1EEA
2023-01-12 17:09:49,474 DEBUG [jeeves.request] - Session created for client : 205.156.8.71
2023-01-12 17:09:49,502 INFO [jeeves.service] - Dispatching : main.home
2023-01-12 17:09:49,502 DEBUG [jeeves.service] - -> no input parameters
2023-01-12 17:09:49,504 INFO [jeeves.service] - -> dispatching to output for : main.home
2023-01-12 17:09:49,517 INFO [jeeves.service] - -> output ended for : main.home
2023-01-12 17:09:49,517 INFO [jeeves.service] - -> dispatch ended for : main.home
2023-01-12 17:09:55,667 INFO [jeeves.request] - ==========================================================
2023-01-12 17:09:55,667 INFO [jeeves.request] - HTML Request (from 205.156.8.71) : /openwis-admin-portal/srv/en/user.choose.domain
2023-01-12 17:09:55,667 DEBUG [jeeves.request] - Method : GET
2023-01-12 17:09:55,667 DEBUG [jeeves.request] - Content type : null
2023-01-12 17:09:55,667 DEBUG [jeeves.request] - Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
2023-01-12 17:09:55,667 DEBUG [jeeves.request] - Session id is 838EC5810AE132695D26D545702B1EEA
2023-01-12 17:09:55,667 INFO [jeeves.service] - Dispatching : user.choose.domain
2023-01-12 17:09:55,667 DEBUG [jeeves.service] - -> no input parameters
2023-01-12 17:09:55,668 INFO [jeeves.service] - -> dispatching to output for : user.choose.domain
2023-01-12 17:09:56,044 INFO [jeeves.service] - -> output ended for : user.choose.domain
2023-01-12 17:09:56,044 INFO [jeeves.service] - -> dispatch ended for : user.choose.domain
2023-01-12 17:10:16,478 ERROR [Login] - Error sending AuthnRequest : No sessionInitToken present
2023-01-12 17:10:16,479 INFO [jeeves.request] - ==========================================================
2023-01-12 17:10:16,479 INFO [jeeves.request] - HTML Request (from 205.156.8.71) : /openwis-admin-portal/srv/en/show.error
2023-01-12 17:10:16,479 DEBUG [jeeves.request] - Method : GET
2023-01-12 17:10:16,479 DEBUG [jeeves.request] - Content type : null
2023-01-12 17:10:16,479 DEBUG [jeeves.request] - Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
2023-01-12 17:10:16,479 DEBUG [jeeves.request] - Session id is 838EC5810AE132695D26D545702B1EEA
2023-01-12 17:10:16,480 INFO [jeeves.service] - Dispatching : show.error
2023-01-12 17:10:16,502 DEBUG [jeeves.service] - -> parameters are :

IDP1 en Error during login init process

2023-01-12 17:10:16,502 ERROR [jeeves.service] - Exception when executing service
2023-01-12 17:10:16,504 ERROR [jeeves.service] - (C) Exc : OperationAbortedEx : Error during login init process
OperationAbortedEx : Error during login init process
	at org.openwis.metadataportal.services.error.ShowError.exec(ShowError.java:31)
	at jeeves.server.dispatchers.ServiceInfo.execService(ServiceInfo.java:243)
	at jeeves.server.dispatchers.ServiceInfo.execServices(ServiceInfo.java:148)
	......
	at org.openwis.metadataportal.services.login.OpenWisInit.forwardError(OpenWisInit.java:233)
	at org.openwis.metadataportal.services.login.OpenWisInit.service(OpenWisInit.java:53)
	......
2023-01-12 17:10:16,505 ERROR [jeeves.service] - Raised exception while executing service
OperationAbortedEx : Error during login init process
	.......
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:750)
2023-01-12 17:10:16,506 INFO [jeeves.service] - -> dispatching to error for : show.error
2023-01-12 17:10:17,123 INFO [jeeves.service] - -> end error transformation for : show.error
2023-01-12 17:10:17,123 INFO [jeeves.service] - -> error ended for : show.error

mgiannoni commented 1 year ago

OpenWISInitToken-From-Cookie

abrmh commented 1 year ago

When INITIALIZE CENTRE IN LDAP

We define a Centre name (the name of the deployment, for example: GiscAws).

The deployment name is the one defined in the user and admin portals' openwis-metadataportal.properties:

# Deployment name.
openwis.metadataportal.deploy.name=GiscAws

This centre name is also defined in the file openwis-deployments.properties:

# The list of referenced deployment logical names.
openwis.cots=GiscAws

# The list of back-up deployment logical names.
openwis.backups=

# For each deployment listed above, the URL.
# The format must be the following : openwis.deployment.url.
openwis.deployment.url.GiscAws=http://user-portal.example:8080/openwis-user-portal/
openwis.deployment.url.GiscAws.admin=http://openam.example:8080/openwis-admin-portal/

# Warn rate : the rate of available function (in %) below which we consider that the deployment is in error
openwis.backup.warn.rate=50

The first thing to check is to be sure that the name is defined in both properties files, openwis-metadataportal.properties and openwis-deployments.properties.
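The check abrmh describes (the deploy name in openwis-metadataportal.properties must appear in openwis.cots or openwis.backups, and every listed name needs both a user-portal and an admin-portal URL) is easy to automate before restarting Tomcat. The script below is an added example written for this thread, not OpenWIS project code; the two property files are constructed inline from the values quoted above so it runs offline, and the validation rules (absolute URLs, a 0-100 warn rate) are this example's assumptions, not something the project documents.

```python
"""Cross-check of openwis-metadataportal.properties against openwis-deployments.properties.

Added example for this thread, not OpenWIS code. Property file contents are
constructed inline; replace them with open(path).read() on a real host.
"""
import re

# Constructed stand-in for openwis-metadataportal.properties (user and admin portal)
METADATAPORTAL_PROPS = """
# Deployment name.
openwis.metadataportal.deploy.name=GiscAws
"""

# Constructed stand-in for openwis-deployments.properties
DEPLOYMENTS_PROPS = """
# The list of referenced deployment logical names.
openwis.cots=GiscAws
# The list of back-up deployment logical names.
openwis.backups=
openwis.deployment.url.GiscAws=http://user-portal.example:8080/openwis-user-portal/
openwis.deployment.url.GiscAws.admin=http://openam.example:8080/openwis-admin-portal/
# Warn rate (in %) below which the deployment is considered in error
openwis.backup.warn.rate=50
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments.

    Keys stay case-sensitive, exactly as Java reads them, so a 'GiscAWS'
    typo is reported rather than silently matching 'GiscAws'.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def split_names(value):
    """Comma-separated list of logical names, empty entries dropped."""
    return [n.strip() for n in value.split(",") if n.strip()]


def check_deployment_config(portal, deployments):
    """Return a list of problems; an empty list means the names line up."""
    problems = []
    name = portal.get("openwis.metadataportal.deploy.name", "")
    if not name:
        return ["openwis.metadataportal.deploy.name is missing or empty"]

    cots = split_names(deployments.get("openwis.cots", ""))
    backups = split_names(deployments.get("openwis.backups", ""))
    if name not in cots and name not in backups:
        problems.append(
            f"deploy name {name!r} is not listed in openwis.cots {cots} or openwis.backups {backups}"
        )

    # Every listed deployment needs both a user-portal and an admin-portal URL
    for n in cots + backups:
        for key in (f"openwis.deployment.url.{n}", f"openwis.deployment.url.{n}.admin"):
            url = deployments.get(key, "")
            if not url:
                problems.append(f"{key} is missing")
            elif not re.match(r"https?://[^/\s]+/", url):
                problems.append(f"{key} is not an absolute URL: {url!r}")

    # Assumption of this example: the warn rate is a whole percentage
    rate = deployments.get("openwis.backup.warn.rate", "")
    if not rate.isdigit() or not 0 <= int(rate) <= 100:
        problems.append(f"openwis.backup.warn.rate must be an integer percentage, got {rate!r}")
    return problems


def check_files(portal_text, deployments_text):
    """Parse both files and run the consistency check."""
    return check_deployment_config(parse_properties(portal_text), parse_properties(deployments_text))


if __name__ == "__main__":
    for line in check_files(METADATAPORTAL_PROPS, DEPLOYMENTS_PROPS) or ["OK: deployment names are consistent"]:
        print(line)
```

Run it on the real files before the first SSO attempt; a name that differs only in case between the two files is exactly the kind of mismatch that shows up later as an opaque login error rather than as a configuration message.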

mgiannoni commented 1 year ago

Thanks for all your help. Resolved by ensuring the "public.groups" table in Postgres was populated with the initial default groups. The DEFAULT group was missing:

insert into public.groups(id,name,description,email,referrer,reserved,isglobal) VALUES (2,'DEFAULT','','',NULL,'n','y');
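The root cause in this thread is a mismatch between what the IdP asserts (isMemberOf names the group cn=DEFAULT) and what the portal knows locally (no DEFAULT row in public.groups), and the portal failed closed with "Access denied". The script below is an added example for this thread, not OpenWIS code: it parses a constructed copy of the "setting Fedlet attributes" DEBUG line, maps each asserted group DN to its cn, and compares that against a groups table in an in-memory SQLite stand-in for PostgreSQL. The fail-closed rule and the table shape are modelled on the outcome reported above, not taken from the portal's source.

```python
"""Compare the groups asserted in the SAML attributes against the portal's groups table.

Added example for this thread, not OpenWIS code. The log line and the SQLite
table are constructed stand-ins for openwis.log and the PostgreSQL database.
"""
import re
import sqlite3

# Constructed line in the shape of the 'setting Fedlet attributes' DEBUG entry
# (two group DNs, to show how multi-valued isMemberOf is split)
FEDLET_LOG_LINE = (
    "2023-01-11 17:41:31,432 DEBUG [Login] - setting Fedlet attributes"
    "{OpenWISProfile=[Administrator], mail=[admin@example.org], givenname=[Marc], "
    "isMemberOf=[cn=DEFAULT,ou=giscdev,ou=groups,dc=opensso,dc=java,dc=net, "
    "cn=Institutional,ou=GLOBAL,ou=groups,dc=opensso,dc=java,dc=net], "
    "OpenWISNeedUserAccount=[true], cn=[admin], sn=[Giannoni]}"
)

# Columns as used by the INSERT that resolved the issue (SQLite stand-in)
GROUPS_DDL = """
CREATE TABLE groups (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE, description TEXT,
    email TEXT, referrer INTEGER, reserved TEXT, isglobal TEXT)
"""


def parse_fedlet_attributes(line):
    """Turn 'name=[v1, v2], name2=[v]' into {name: [values]}.

    Assumes, as in the log above, that multi-valued attributes are joined
    with ', ' while the commas inside a DN have no following space, so
    ', ' is a safe value separator.
    """
    m = re.search(r"setting Fedlet attributes\{(.*)\}\s*$", line)
    if not m:
        raise ValueError("not a Fedlet attribute log line")
    attrs = {}
    for name, values in re.findall(r"(\w+)=\[([^\]]*)\]", m.group(1)):
        attrs[name] = [v for v in values.split(", ") if v]
    return attrs


def group_names(dns):
    """Group name = value of the leading cn= RDN of each asserted DN."""
    names = []
    for dn in dns:
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() == "cn" and value.strip():
            names.append(value.strip())
    return names


def missing_groups(conn, names):
    """Asserted group names that have no row in the groups table."""
    known = {row[0] for row in conn.execute("SELECT name FROM groups")}
    return [n for n in names if n not in known]


def authorize(conn, attrs):
    """Fail closed: every asserted group must exist locally, and there must be at least one."""
    names = group_names(attrs.get("isMemberOf", []))
    missing = missing_groups(conn, names)
    return bool(names) and not missing, missing


def demo():
    """Reproduce the thread: denied while the DEFAULT row is absent, allowed once it exists."""
    conn = sqlite3.connect(":memory:")
    conn.execute(GROUPS_DDL)
    conn.execute("INSERT INTO groups(id,name,description,email,referrer,reserved,isglobal) "
                 "VALUES (1,'Institutional','','',NULL,'n','y')")
    attrs = parse_fedlet_attributes(FEDLET_LOG_LINE)
    before = authorize(conn, attrs)
    # The row the reporter added to resolve the issue
    conn.execute("INSERT INTO groups(id,name,description,email,referrer,reserved,isglobal) "
                 "VALUES (2,'DEFAULT','','',NULL,'n','y')")
    after = authorize(conn, attrs)
    conn.close()
    return before, after


if __name__ == "__main__":
    print(demo())
```

Pointing `missing_groups` at the real database and feeding it the isMemberOf values from a DEBUG-level openwis.log gives a direct answer to "which asserted group has no local row" without guessing from the generic "Access denied" page.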