【发布时间】:2020-06-18 20:58:24
【问题描述】:
尝试将 WSO2 AM (3.1.0) 配置为纯粹使用 SAML SSO 进行身份验证/授权。作为 SAML IdP,我们使用 Azure AD。
虽然它正在将发布者或商店(开发门户)配置为使用 SAML SSO (https://apim.docs.wso2.com/en/latest/install-and-setup/setup/sso/okta-as-an-external-idp-using-saml/),但底层的主要用户存储仍然是用于管理控制台的 LDAP(带有启动 tls)。我们的目标是摆脱 LDAP 连接。
当我们将管理控制台配置为使用 SAML SSO (https://is.docs.wso2.com/en/5.9.0/learn/configuring-saml2-single-sign-on-across-different-wso2-products/) 时,我们可以登录到管理控制台。
问题:当管理控制台配置为使用 SAML SSO 时,当开发门户中的用户尝试创建应用程序凭据时,我们会收到以下错误
Caused by: org.apache.axis2.AxisFault: Access Denied. Please login first.
at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531) ~[axis2_1.6.1.wso2v41.jar:?]
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v41.jar:?]
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:457) ~[axis2_1.6.1.wso2v41.jar:?]
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228) ~[axis2_1.6.1.wso2v41.jar:?]
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) ~[axis2_1.6.1.wso2v41.jar:?]
at org.wso2.carbon.apimgt.keymgt.stub.subscriber.APIKeyMgtSubscriberServiceStub.createOAuthApplicationByApplicationInfo(APIKeyMgtSubscriberServiceStub.java:1348) ~[org.wso2.carbon.apimgt.keymgt.stub_6.6.163.jar:?]
at org.wso2.carbon.apimgt.keymgt.client.SubscriberKeyMgtClient.createOAuthApplicationbyApplicationInfo(SubscriberKeyMgtClient.java:64) ~[org.wso2.carbon.apimgt.keymgt.client_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.createOAuthApplicationbyApplicationInfo_aroundBody42(AMDefaultKeyManagerImpl.java:720) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.createOAuthApplicationbyApplicationInfo(AMDefaultKeyManagerImpl.java:715) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.createApplication_aroundBody0(AMDefaultKeyManagerImpl.java:125) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.createApplication(AMDefaultKeyManagerImpl.java:91) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication_aroundBody8(AbstractApplicationRegistrationWorkflowExecutor.java:145) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication(AbstractApplicationRegistrationWorkflowExecutor.java:123) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.generateKeysForApplication_aroundBody6(AbstractApplicationRegistrationWorkflowExecutor.java:119) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.generateKeysForApplication(AbstractApplicationRegistrationWorkflowExecutor.java:116) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete_aroundBody2(ApplicationRegistrationSimpleWorkflowExecutor.java:78) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete(ApplicationRegistrationSimpleWorkflowExecutor.java:66) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.execute_aroundBody0(ApplicationRegistrationSimpleWorkflowExecutor.java:54) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.execute(ApplicationRegistrationSimpleWorkflowExecutor.java:47) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
at org.wso2.carbon.apimgt.impl.APIConsumerImpl.requestApprovalForApplicationRegistration_aroundBody144(APIConsumerImpl.java:3876) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
首先我假设问题在于管理服务的身份验证器不同,但用户可以创建和发布 API,在开发门户中创建应用程序。生成应用程序凭据时发生异常。
有什么想法吗?
【问题讨论】: