Question

我正在尝试配置我的WSO2身份服务器以通过.xml文件设置服务提供商。这是我正在采取的步骤：

将服务提供商.xml文件粘贴到$ WSO2_HOME / repository / conf / identity / service-providers文件夹中
在全新的WSO2环境中运行wso2server.sh脚本（从不设置，数据库为空表）

我在第1步中创建的.xml文件是使用控制台中的“导出”功能创建的，因此我非常确定它已正确设置。以防万一，这是代码（出于隐私考虑，删除了带有“ 已删除”的行）：

<?xml version="1.0" encoding="UTF-8"?><ServiceProvider>
  <ApplicationName>__REMOVED__</ApplicationName>
  <Description>__REMOVED__</Description>
  <InboundAuthenticationConfig>
    <InboundAuthenticationRequestConfigs>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>__REMOVED__</InboundAuthKey>
        <InboundAuthType>passivests</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <Properties/>
      </InboundAuthenticationRequestConfig>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>__REMOVED__</InboundAuthKey>
        <InboundAuthType>openid</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <Properties/>
      </InboundAuthenticationRequestConfig>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>__REMOVED__</InboundAuthKey>
        <InboundAuthType>oauth2</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <inboundConfiguration><![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<oAuthAppDO>
    <oauthConsumerKey>__REMOVED__</oauthConsumerKey>
    <oauthConsumerSecret>__REMOVED__</oauthConsumerSecret>
    <applicationName>__REMOVED__</applicationName>
    <callbackUrl></callbackUrl>
    <oauthVersion>OAuth-2.0</oauthVersion>
    <grantTypes>client_credentials </grantTypes>
    <scopeValidators/>
    <pkceSupportPlain>true</pkceSupportPlain>
    <pkceMandatory>false</pkceMandatory>
    <userAccessTokenExpiryTime>3600</userAccessTokenExpiryTime>
    <applicationAccessTokenExpiryTime>3600</applicationAccessTokenExpiryTime>
    <refreshTokenExpiryTime>84600</refreshTokenExpiryTime>
    <idTokenExpiryTime>3600</idTokenExpiryTime>
    <audiences/>
    <bypassClientCredentials>false</bypassClientCredentials>
    <requestObjectSignatureValidationEnabled>false</requestObjectSignatureValidationEnabled>
    <idTokenEncryptionEnabled>false</idTokenEncryptionEnabled>
    <idTokenEncryptionAlgorithm>null</idTokenEncryptionAlgorithm>
    <idTokenEncryptionMethod>null</idTokenEncryptionMethod>
    <backChannelLogoutUrl></backChannelLogoutUrl>
    <tokenType>JWT</tokenType>
</oAuthAppDO>
]]></inboundConfiguration>
        <Properties/>
      </InboundAuthenticationRequestConfig>
    </InboundAuthenticationRequestConfigs>
  </InboundAuthenticationConfig>
  <LocalAndOutBoundAuthenticationConfig>
    <AuthenticationSteps/>
    <AuthenticationType>default</AuthenticationType>
    <alwaysSendBackAuthenticatedListOfIdPs>false</alwaysSendBackAuthenticatedListOfIdPs>
    <UseTenantDomainInUsername>false</UseTenantDomainInUsername>
    <UseUserstoreDomainInRoles>true</UseUserstoreDomainInRoles>
    <UseUserstoreDomainInUsername>false</UseUserstoreDomainInUsername>
    <EnableAuthorization>false</EnableAuthorization>
  </LocalAndOutBoundAuthenticationConfig>
  <RequestPathAuthenticatorConfigs/>
  <InboundProvisioningConfig>
    <ProvisioningUserStore/>
    <IsProvisioningEnabled>false</IsProvisioningEnabled>
    <IsDumbModeEnabled>false</IsDumbModeEnabled>
  </InboundProvisioningConfig>
  <OutboundProvisioningConfig>
    <ProvisioningIdentityProviders/>
  </OutboundProvisioningConfig>
  <ClaimConfig>
    <RoleClaimURI/>
    <LocalClaimDialect>false</LocalClaimDialect>
    <IdpClaim/>
    <ClaimMappings>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/role</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>roles</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
    </ClaimMappings>
    <AlwaysSendMappedLocalSubjectId>false</AlwaysSendMappedLocalSubjectId>
    <SPClaimDialects/>
  </ClaimConfig>
  <PermissionAndRoleConfig>
    <Permissions/>
    <RoleMappings/>
    <IdpRoles/>
  </PermissionAndRoleConfig>
  <IsSaaSApp>false</IsSaaSApp>
</ServiceProvider>

启动脚本完成后，我在控制台中看不到服务提供者：

我注意到的一件奇怪的事情-如果尝试使用控制台手动导入服务提供商，则会在UI读取错误：

Error in importing provided service provider serviceprovider@carbon.super from file

我的控制台输出说：

Caused by: org.wso2.carbon.identity.application.common.IdentityApplicationManagementException: Application with the same name loaded from the file system.
        at org.wso2.carbon.identity.application.mgt.ApplicationManagementServiceImpl.doAddApplication(ApplicationManagementServiceImpl.java:1637)
        at org.wso2.carbon.identity.application.mgt.ApplicationManagementServiceImpl.createApplicationWithTemplate(ApplicationManagementServiceImpl.java:169)
        at org.wso2.carbon.identity.application.mgt.ApplicationManagementServiceImpl.importSPApplicationFromObject(ApplicationManagementServiceImpl.java:1025)
        ... 80 more

我发现此错误来自的源代码，它是ApplicationManagementServiceImpl.java文件

if (ApplicationManagementServiceComponent.getFileBasedSPs().containsKey(applicationName)) {
    throw new IdentityApplicationManagementException(
            "Application with the same name loaded from the file system.");
}

将调用ApplicationManagementServiceComponent.java。

private void buildFileBasedSPList() {
        String spConfigDirPath = CarbonUtils.getCarbonConfigDirPath() + File.separator + "identity"
                + File.separator + "service-providers";
        FileInputStream fileInputStream = null;
        File spConfigDir = new File(spConfigDirPath);
        OMElement documentElement;

        if (spConfigDir.exists()) {

            for (final File fileEntry : spConfigDir.listFiles()) {
                try {
                    if (!fileEntry.isDirectory()) {
                        fileInputStream = new FileInputStream(new File(fileEntry.getAbsolutePath()));
                        documentElement = new StAXOMBuilder(fileInputStream).getDocumentElement();
                        ServiceProvider sp = ServiceProvider.build(documentElement);
                        if (sp != null) {
                            fileBasedSPs.put(sp.getApplicationName(), sp);
                        }
                    }
                } catch (Exception e) {
                    log.error("Error while loading idp from file system.", e);
                } finally {
                    if (fileInputStream != null) {
                        try {
                            fileInputStream.close();
                        } catch (IOException e) {
                            log.error("Error occurred while closing file input stream for file " + spConfigDirPath, e);
                        }
                    }

引发此错误，因为我的服务提供商目录中包含一个试图通过控制台导入的具有相同服务提供商名称的文件。但是，我的文件系统中的服务提供商并不是最初导入的。

因此，在配置服务器后，我无法导入服务提供商，这使我以后无法通过控制台导入文件。

感谢您的帮助。

Answer 1

部署为文件$ WSO2_HOME / repository / conf / identity / service-providers文件夹的服务提供商将在UI中不可见。但是它将在系统中处于活动状态。当前不支持已部署文件中的InboundAuthenticationConfig。但是，您可以在$ WSO2_HOME / repository / conf / identity / sso-idp-config.xml文件中拥有SAML配置。

<SSOIdentityProviderConfig>
  <ServiceProviders>
    .......
    .......
    <ServiceProvider>
       <Issuer>_InboundAuthKey_</Issuer>
       <AssertionConsumerServiceURLs>
           <AssertionConsumerServiceURL>_url_</AssertionConsumerServiceURL>
       </AssertionConsumerServiceURLs>
      ......
       ......
   </ServiceProvider>
  </ServiceProviders>
</SSOIdentityProviderConfig>

此处 InboundAuthKey 是saml InboundAuthenticationRequestConfig的值

Answer 2

I've failed to setup service provider by storing file to $WSO2_HOME/repository/conf/identity/service-providers. OAuth2/token request always fails with error that the particular client_id is not found.

What works for me is to create python script to load XML using SOAP interface.

import zeep
from requests import Session
import os

session = Session()
#uncomment in case you use HTTPS without valid certificates
session.verify = False
transport = zeep.Transport(session=session)


def get_client(service):
    base_url = 'https://{IS_SERVICE_NAME}:{IS_PORT}/services/{SERVICE}?wsdl'.format(
        IS_SERVICE_NAME=os.environ["IS_SERVICE_NAME"],
        IS_PORT=os.environ["IS_PORT"],
        SERVICE=service)
    print("Getting client %s" % base_url)
    return zeep.Client(base_url, transport=transport)


def init_session():
    client = get_client('AuthenticationAdmin')

    client.service.login(username=os.environ["IS_USERNAME"],
                         password=os.environ["IS_PASSWORD"],
                         remoteAddress=os.environ["IS_SERVICE_NAME"])


def import_config(path):
    print("Calling IdentityApplicationManagementService")
    client_iam = get_client('IdentityApplicationManagementService')

    with open(path) as f:
        contents = f.read()

    # list of available namespaces
    # print client_iam.client_iam.namespaces
    sp_file_content_type = client_iam.get_type('ns2:SpFileContent')
    sp_file_content = sp_file_content_type(content=contents,
                                           fileName='service-provider.xml')
    client_iam.service.importApplication(sp_file_content)


if __name__ == '__main__':
    assert "IS_USERNAME" in os.environ, "Define IS_USERNAME env variable"
    assert "IS_PASSWORD" in os.environ, "Define IS_PASSWORD env variable"
    assert "IS_SERVICE_NAME" in os.environ, "Define IS_SERVICE_NAME env variable"
    assert "IS_PORT" in os.environ, "Define IS_PORT env variable"

    init_session()
    import_config('/conf/service-provider.xml')

This SOAP interface is enabled by setting in carbon.xml.

<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>

通过代码WSO2 Identity Server配置服务提供商

2 个答案: