Reputation: 65
I am trying to do an OIDC federated authentication for a service provider in WSO2 IS (local). The external identity provider which I am using is also a WSO2 IS (external).
I have configured the inbound auth configuration as below in my external identity provider (external):
And in the local WSO2 IS I have configured the identity provider as below, and also done the role mapping and claim mappings:
Update the federated authentication for a service provider in local
When I try to access the application which is federated, it redirects correctly to the external provider for authentication and, after entering the credentials, I get the below error in the headers and payload in the browser.
Headers:
Request URL: https://test-vm.com/?error_description=Authentication+required&error=login_required
Payload:
error_description: Authentication required
error: login_required
When I look at the logs of the local WSO2 IS, I see the below error:
ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Authentication failed exception! javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Upvotes: 0
Views: 352
Reputation: 76
The problem for me was that the WSO2 environment was not resolving the host of the identity provider. Therefore, the request to idp/token was failing and generating the error you described: error_description=Authentication+required&error=login_required
Upvotes: 0
Reputation: 3057
It seems the SSL/TLS certificate presented by the federated IdP can't be validated by the local WSO2 IS. You have to import the SSL/TLS certificate of the federated IdP into the trust store of the local IS.
# On the external IdP: export its certificate (-rfc writes PEM, matching the .pem file name)
keytool -export -rfc -alias <alias_name> -keystore <keystore_name>.jks -file <public_key_name>.pem
# On the local IS: import it into the trust store the server uses (repository/resources/security/client-truststore.jks), then restart the IS
keytool -import -alias <alias_name> -file <public_key_name>.pem -keystore client-truststore.jks -storepass <keystore_password>
Upvotes: 0
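As an added example that is not part of the answer above or of WSO2's own tooling, the POSIX shell script below automates the trust-store side of the fix: it fetches the chain the external IdP actually serves over TLS, splits it into one PEM file per certificate, imports each under its own alias with keytool and lists what is trusted afterwards. The host name, port, trust-store path and password are placeholders (the path and password are the WSO2 IS defaults, assumed here); `demo_split` runs the splitting step offline on a constructed bundle whose bodies are dummy text, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the original answer or from WSO2.
# Fetch the federated IdP's TLS chain, split it into one PEM per certificate,
# import each into the local WSO2 IS trust store, then show what is trusted.
# Host, port, store path and password below are placeholders/assumptions.

IDP_HOST="${IDP_HOST:-external-is.example.com}"   # hypothetical IdP host
IDP_PORT="${IDP_PORT:-9443}"                      # WSO2 IS default HTTPS port
TRUSTSTORE="${TRUSTSTORE:-repository/resources/security/client-truststore.jks}"
STOREPASS="${STOREPASS:-wso2carbon}"              # WSO2 default; change in production

# fetch_chain HOST PORT OUT: save every certificate the server presents
# (leaf plus intermediates) as a PEM bundle. Needs network access.
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# split_chain BUNDLE PREFIX: write certificate N of BUNDLE to PREFIX-N.pem
# and print the number of certificates found. Pure shell, works offline.
split_chain() {
  n=0; in=0
  while IFS= read -r line; do
    case "$line" in
      '-----BEGIN CERTIFICATE-----') n=$((n + 1)); in=1; : > "$2-$n.pem" ;;
    esac
    if [ "$in" -eq 1 ]; then printf '%s\n' "$line" >> "$2-$n.pem"; fi
    if [ "$line" = '-----END CERTIFICATE-----' ]; then in=0; fi
  done < "$1"
  echo "$n"
}

# import_chain PREFIX COUNT: import PREFIX-1.pem .. PREFIX-COUNT.pem into the
# trust store under distinct aliases (keytool refuses a duplicate alias).
import_chain() {
  i=1
  while [ "$i" -le "$2" ]; do
    keytool -importcert -noprompt -trustcacerts \
      -alias "federated-idp-$i" -file "$1-$i.pem" \
      -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
    i=$((i + 1))
  done
}

# list_trusted: show the trusted entries now present, to confirm the import.
list_trusted() {
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" | grep -i trustedCertEntry
}

# demo_split: offline self-check on a constructed two-certificate bundle
# (the bodies are dummy placeholders, not real certificates). Prints 2.
demo_split() {
  d=$(mktemp -d)
  printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'CONSTRUCTEDLEAFCERT' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'CONSTRUCTEDCACERT' '-----END CERTIFICATE-----' \
    > "$d/chain.pem"
  split_chain "$d/chain.pem" "$d/cert"
}

# Real run: RUN_IMPORT=1 IDP_HOST=idp.example.com sh import-idp-cert.sh
if [ "${RUN_IMPORT:-0}" = 1 ]; then
  fetch_chain "$IDP_HOST" "$IDP_PORT" idp-chain.pem
  n=$(split_chain idp-chain.pem idp-cert)
  import_chain idp-cert "$n"
  list_trusted
fi
```

Two caveats worth checking before and after running it: the server reads client-truststore.jks at startup, so the PKIX error persists until the local IS is restarted, and fetching the chain with `openssl s_client` guards against the case where the certificate exported from the IdP's keystore is not the one its HTTPS listener actually presents (for example, behind a reverse proxy). A host that does not resolve, as in the other answer, fails with a different exception than `PKIX path building failed`, so the log line in the question points at trust, not DNS.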