hauntingEcho
commented
5 years ago to clarify, as the linked issue is not publicly accessible:
use case:
- customers have their own identity systems, provisioning to different user stores in wso2is. These customers have dashboards within their systems from which they can select applications (examples in several different systems: onelogin, F5, WSO2IS)
- those customers use the IdP-initiated flow between their system & our SaaS WSO2IS instance, then use the IdP-initiated flow between WSO2IS & the dashboard, to reach the dashboard in a single click from their home system
current behavior: The dashboard app fails with cryptic errors when using IdP-initiated SSO, until the first time after a reboot it has used SP-initiated SSO. To reproduce:
- unzip a fresh copy of wso2is 5.6.0 update 1547465372852
- delete
repository/conf/identity/service-providers/sp_dashboard.xml - edit
repository/conf/identity/sso-idp-config.xmlto remove thewso2.my.dashboardServiceProvider - start the server
- add a new service provider from the admin UI
- name = dashboard
- inbound/SAML2 config
- issuer =
wso2.my.dashboard - assertion consumer url & default =
https://localhost:9443/dashboard/acs - enable audience restriction, audience =
carbonServer - enable IdP Initiated SSO
- disable Signature Validation in Authentication Requests and Logout Requests
- leave everything else as the defaults
- go to
https://localhost:9443/samlsso?spEntityID=wso2.my.dashboard
This displays in the browser:
HTTP Status 500 - org.mozilla.javascript.EcmaError: TypeError: Cannot read property "SAML.KeyStore" from null (/dashboard//acs.jag#23) and prints to the log:
[2019-01-17 17:06:09,797] ERROR {org.jaggeryjs.jaggery.core.manager.WebAppManager} - org.mozilla.javascript.EcmaError: TypeError: Cannot read property "SAML.KeyStore" from null (/dashboard//acs.jag#23)
org.jaggeryjs.scriptengine.exceptions.ScriptException: org.mozilla.javascript.EcmaError: TypeError: Cannot read property "SAML.KeyStore" from null (/dashboard//acs.jag#23)
at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:571)
at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
at org.jaggeryjs.jaggery.core.manager.WebAppManager.exec(WebAppManager.java:588)
at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:508)
at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:377)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.mozilla.javascript.EcmaError: TypeError: Cannot read property "SAML.KeyStore" from null (/dashboard//acs.jag#23)
at org.mozilla.javascript.ScriptRuntime.constructError(ScriptRuntime.java:3687)
at org.mozilla.javascript.ScriptRuntime.constructError(ScriptRuntime.java:3665)
at org.mozilla.javascript.ScriptRuntime.typeError(ScriptRuntime.java:3693)
at org.mozilla.javascript.ScriptRuntime.typeError2(ScriptRuntime.java:3712)
at org.mozilla.javascript.ScriptRuntime.undefReadError(ScriptRuntime.java:3725)
at org.mozilla.javascript.ScriptRuntime.getObjectElem(ScriptRuntime.java:1432)
at org.jaggeryjs.rhino.dashboard.c1._c_script_0(/dashboard//acs.jag:23)
at org.jaggeryjs.rhino.dashboard.c1.call(/dashboard//acs.jag)
at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
at org.jaggeryjs.rhino.dashboard.c1.call(/dashboard//acs.jag)
at org.jaggeryjs.rhino.dashboard.c1.exec(/dashboard//acs.jag)
at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
... 47 more- go to
https://localhost:9443/dashboard. It works as expected. - open a private browsing window and go to
https://localhost:9443/samlsso?spEntityID=wso2.my.dashboard. It works now. - reboot the server
- go to
https://localhost:9443/samlsso?spEntityID=wso2.my.dashboard. It doesn't work now. - go to
https://localhost:9443/dashboard. It works as expected. - open a private browsing window and go to
https://localhost:9443/samlsso?spEntityID=wso2.my.dashboard. It works now.
The dashboard in the WSO2 IS only supports SP-initiated SSO flow in the current implementation. There can be usecases to use the dashboard with the IDP initiated SSO flow