wso2 / kubernetes-is

Kubernetes and Helm resources for WSO2 Identity Server
Apache License 2.0

samlsso Error 405 - Method Not Allowed #114

Closed TwinsDestiny closed 4 years ago

TwinsDestiny commented 5 years ago

This is my profile APIM2.6.0 authenticators.xml:

```xml
0
    <Config>
        <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
        <Parameter name="ServiceProviderID">APIMServer</Parameter>
        <Parameter name="IdentityProviderSSOServiceURL">https://wso2is/samlsso</Parameter>
        <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
        <Parameter name="AssertionConsumerServiceURL">https://wso2apim/acs</Parameter>
        <Parameter name="AssertionSignatureValidationEnabled">true</Parameter>
```

IS5.8.0:

- Issuer: APIMServer
- Default Assertion Consumer URL: https://wso2apim/acs
- Enable Response Signing
- Enable Single Logout

When I access "https://wso2apim/carbon" I am directed to "https://wso2is/authenticationendpoint/login.do?RelayState=d32d089d-489f-4ab1-aeff-4aab4945b2fe&SSOAuthSessionID=F8ECADECED9FD3633693E0B96119A2DE&commonAuthCallerPath=%2Fsamlsso&forceAuth=false&passiveAuth=false&tenantDomain=carbon.super&sessionDataKey=4318ca6a-0832-438b-a832-3eca7d461945&relyingParty=APIMServer&type=samlsso&sp=APIM&isSaaSApp=true&authenticators=BasicAuthenticator%3ALOCAL", but I get a 405 error: "Error 405 - Method Not Allowed".

TwinsDestiny commented 5 years ago

I changed the images to IS5.7.0.

Received: https://wso2apim/carbon/sso-acs/authFailure.jsp

Authentication/Authorization Failure

This might be due to different reasons.

This Authentication Request is malformed or is not issued by an valid issuer.

You are not autherized to sign-in to this service. Please contact the administrator of your organization.

This service is not enabled for your organization. Please contact the administrator of your organization.

darshanasbg commented 5 years ago

Hi @TwinsDestiny,

I suppose you got the following error in the APIM Management console.

This is a generic error, and to get any clue about the relevant cause you need to check the wso2carbon.log file. Do you have any ERROR or WARN logs in the API Manager wso2carbon.log file? (You can find the log file at the /repository/logs/wso2carbon.log location.)

I have found the following thread on the WSO2 dev mailing list, which discusses a similar case, where the culprit was the signature validation. http://mail.wso2.org/mailarchive/dev/2018-August/077950.html

Another common case is that the user you are trying might not have login permission to log in to the management console.

Anyhow, please check the wso2carbon.log for a clue.

TwinsDestiny commented 5 years ago

@darshanasbg I log in to APIM as "admin".

This is the APIM2.6.0 wso2carbon.log:

[2019-06-14 05:40:11,275] ERROR - SAML2SSOAuthenticator Authentication Request is rejected. Failed to meet SAML Assertion Condition 'Not Before'
[2019-06-14 05:40:11,279]  WARN - CarbonAuthenticationUtil Failed Administrator login attempt 'admin[-1]' at [2019-06-14 05:40:11,278+0000]
[2019-06-14 05:40:11,287] ERROR - SAML2SSOUIAuthenticator Error when creating SAML2SSOAuthenticationClient.
java.lang.IllegalStateException: Tenant ID cannot be -1
        at org.wso2.carbon.caching.impl.CarbonCacheManager.<init>(CarbonCacheManager.java:65)
        at org.wso2.carbon.caching.impl.CacheManagerFactoryImpl.getCacheManager(CacheManagerFactoryImpl.java:94)
        at org.wso2.carbon.security.pox.POXSecurityHandler.getPOXCache(POXSecurityHandler.java:523)
        at org.wso2.carbon.security.pox.POXSecurityHandler.invoke(POXSecurityHandler.java:150)
        at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
        at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:370)
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:456)
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:227)
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
        at org.wso2.carbon.identity.authenticator.saml2.sso.stub.SAML2SSOAuthenticationServiceStub.login(SAML2SSOAuthenticationServiceStub.java:248)
        at org.wso2.carbon.identity.authenticator.saml2.sso.ui.client.SAML2SSOAuthenticationClient.login(SAML2SSOAuthenticationClient.java:60)
        at org.wso2.carbon.identity.authenticator.saml2.sso.ui.authenticator.SAML2SSOUIAuthenticator.authenticate(SAML2SSOUIAuthenticator.java:101)
        at org.wso2.carbon.ui.CarbonUILoginUtil.handleLogin(CarbonUILoginUtil.java:400)
        at org.wso2.carbon.ui.CarbonSecuredHttpContext.handleSecurity(CarbonSecuredHttpContext.java:246)
        at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:60)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
        at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:410)
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
        at org.eclipse.equinox.http.servlet.internal.RequestDispatcherAdaptor.forward(RequestDispatcherAdaptor.java:30)
        at org.wso2.carbon.identity.authenticator.saml2.sso.ui.SSOAssertionConsumerService.handleSAMLResponses(SSOAssertionConsumerService.java:275)
        at org.wso2.carbon.identity.authenticator.saml2.sso.ui.SSOAssertionConsumerService.doPost(SSOAssertionConsumerService.java:137)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
        at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
        at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:65)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
        at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
        at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
        at org.wso2.carbon.event.receiver.core.internal.tenantmgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:48)
        at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
        at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
        at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)

Fixed this problem: the k8s nodes' system dates were different.

But I can't resolve "Error 405 - Method Not Allowed" from IS5.8.0.
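The 'Not Before' rejection in the log above is what a service provider reports when its clock is behind the identity provider's. The following diagnostic is an added example, not part of the thread and not WSO2 code: it reads the `Conditions` window from a captured assertion and reports how far the SP clock is outside it. The function names, the sample assertion and its timestamps are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from the thread): an IdP whose clock runs
# 2 min 19 s ahead of the SP that logged the failure at 05:40:11.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2019-06-14T05:42:30Z">
  <saml:Issuer>wso2is</saml:Issuer>
  <saml:Conditions NotBefore="2019-06-14T05:42:30Z"
                   NotOnOrAfter="2019-06-14T05:47:30Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a UTC SAML timestamp, with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, sp_now, tolerance=timedelta(0)):
    """Return (verdict, offset) for the validity window as seen by the SP clock.

    Diagnostic only: it does not verify the signature, so run it on
    assertions you captured yourself, never as an authentication check.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return "no-conditions", timedelta(0)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and sp_now + tolerance < parse_instant(not_before):
        # SP clock is behind the IdP: the 'Not Before' failure in the log.
        return "not-yet-valid", parse_instant(not_before) - sp_now
    if not_on_or_after and sp_now - tolerance >= parse_instant(not_on_or_after):
        return "expired", sp_now - parse_instant(not_on_or_after)
    return "valid", timedelta(0)


if __name__ == "__main__":
    sp_clock = datetime(2019, 6, 14, 5, 40, 11, tzinfo=timezone.utc)
    print(check_conditions(SAMPLE_ASSERTION, sp_clock))
```

A "not-yet-valid" offset of more than a few seconds points at node time synchronisation; fix the clocks rather than widening the tolerance, since a wide tolerance also extends how long an assertion is accepted.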