I am using WebSphere Portal Server 8.5.5.14 and trying to integrate SAML SSO into the application. I have configured the ACS interceptor like this:
<trustAssociation xmi:id="TrustAssociation_1" enabled="true">
  <interceptors xmi:id="TAInterceptor_1603957530229" interceptorClassName="com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor">
    <trustProperties xmi:id="Property_1603957530314" name="sso_1.sp.acsUrl" value="https://localhost:10041/samlsps/ciam"/>
    <trustProperties xmi:id="Property_1603057530732" name="sso_1.sp.idMap" value="idAssertion"/>
    <trustProperties xmi:id="Property_1603957530732" name="sso_1.sp.principalName" value="uid"/>
    <trustProperties xmi:id="Property_1603950530859" name="sso_1.sp.groupName" value="group"/>
    <trustProperties xmi:id="Property_1603951530859" name="sso_1.sp.useRealm" value="onelogin"/>
    <trustProperties xmi:id="Property_1603952531859" name="sso_1.sp.SingleSignOnUrl" value="https://samlpoctest.onelogin.com/trust/saml2/http-redirect/sso/19c6d240-d71c-4e9b-af4a-14993ef4cefb"/>
    <trustProperties xmi:id="Property_1603953531859" name="sso_1.sp.groupMap" value="localRealm"/>
    <trustProperties xmi:id="Property_1603954530847" name="sso_1.sp.includeToken" value="true"/>
    <trustProperties xmi:id="Property_1603955530339" name="sso_1.sp.filter" value="request-url%=sml"/>
    <trustProperties xmi:id="Property_1603959530333" name="sso_1.sp.login.error.page" value="com.ibm.wsspi.security.web.saml.CustomAuthnRequestProvider"/>
    <trustProperties xmi:id="Property_1603957530444" name="sso_1.sp.redirectToIdPonServerSide" value="true"/>
    <trustProperties xmi:id="Property_1603957530446" name="sso_1.sp.targetUrl" value="https://localhost:10041/wps/myportal"/>
    <trustProperties xmi:id="Property_1603957530850" name="sso_1.sp.uniqueId" value="uid"/>
  </interceptors>
</trustAssociation>
Even though it's configured to do an IDAssertion, I am getting an error like the one below:
[12/10/20 8:20:35:247 BRT] 0000045b ContextManage < runAs(System) -> Exception occurred. Exit
com.ibm.websphere.wim.exception.EntityNotFoundException: CWWIM4001E The 'uid=qqqq,o=onelogin' entity was not found.
    at com.ibm.ws.wim.adapter.file.was.FileData.getByDN(FileData.java:1029)
    at com.ibm.ws.wim.adapter.file.was.FileAdapter.get(FileAdapter.java:1209)
    at com.ibm.ws.wim.ProfileManager.getImpl(ProfileManager.java:1757)
    at com.ibm.ws.wim.ProfileManager.genericProfileManagerMethod(ProfileManager.java:375)
    at com.ibm.ws.wim.ProfileManager.get(ProfileManager.java:428)
    at com.ibm.websphere.wim.ServiceProvider.get(ServiceProvider.java:385)
    at com.ibm.websphere.wim.client.LocalServiceProvider.get(LocalServiceProvider.java:364)
    at com.ibm.wps.um.VMMFilter$3.run(VMMFilter.java:171)
    at com.ibm.wps.um.VMMFilter$3.run(VMMFilter.java:168)
    at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManagerImpl.java:5572)
    at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextManagerImpl.java:5698)
    at com.ibm.wps.um.VMMFilter.get(VMMFilter.java:182)
    at com.ibm.wps.um.VMMFilter.filter(VMMFilter.java:398)
    at com.ibm.wps.um.PrincipalFilter.filter(PrincipalFilter.java:186)
    at com.ibm.wps.um.RealmFilter.filter(RealmFilter.java:151)
    at com.ibm.wps.um.PrincipalFilterChain.invokeFiltering(PrincipalFilterChain.java:120)
    at com.ibm.wps.um.FilterAdapter.get(FilterAdapter.java:162)
    at com.ibm.wps.um.PumaEngineHelper.reload(PumaEngineHelper.java:880)
    at com.ibm.wps.um.PumaEngineHelper.loadWithBaseAttributes(PumaEngineHelper.java:773)
    at com.ibm.wps.um.PumaLocatorImpl.findUserByIdentifier(PumaLocatorImpl.java:136)
    at com.ibm.wps.puma.util.PumaSubjectHelper.getUserForSubject(PumaSubjectHelper.java:161)
    at com.ibm.wps.um.UserLookupAbstract$1$1.run(UserLookupAbstract.java:68)
    at com.ibm.wps.um.UserLookupAbstract$1$1.run(UserLookupAbstract.java:65)
    at com.ibm.wps.um.PumaEngineHelper.runUnrestricted(PumaEngineHelper.java:1387)
    at com.ibm.wps.um.PumaEnvironmentImpl.runUnrestricted(PumaEnvironmentImpl.java:176)
    at com.ibm.wps.um.UserLookupAbstract$1.run(UserLookupAbstract.java:63)
    at com.ibm.wps.um.UserLookupAbstract$1.run(UserLookupAbstract.java:60)
    at com.ibm.wps.um.RealmManager.executeUnderRealm(RealmManager.java:195)
    at com.ibm.wps.um.UserLookupAbstract.getCurrentUserFromWSSubject(UserLookupAbstract.java:59)
    at com.ibm.wps.um.UserLookupWSSubjectImpl.getCurrentUser(UserLookupWSSubjectImpl.java:34)
    at com.ibm.wps.um.PumaProfileImpl.getCurrentUser(PumaProfileImpl.java:494)
    at com.ibm.wps.engine.ExtendedLocaleFilter.getUserPreferredLocale(ExtendedLocaleFilter.java:304)
    at com.ibm.wps.engine.ExtendedLocaleFilter.getAcceptLanguageHeader(ExtendedLocaleFilter.java:250)
    at com.ibm.wps.engine.ExtendedLocaleFilter.doFilter(ExtendedLocaleFilter.java:115)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
    at com.ibm.wps.resolver.friendly.servlet.FriendlySelectionFilter.doFilter(FriendlySelectionFilter.java:191)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
    at com.ibm.wps.project.filter.ProjectIdFilter.doFilterWithoutProjectID(ProjectIdFilter.java:405)
    at com.ibm.wps.project.filter.ProjectIdFilter.doFilter(ProjectIdFilter.java:319)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
    at com.ibm.wps.services.preview.PreviewFilterImpl.doFilter(PreviewFilterImpl.java:356)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
    at com.ibm.wps.mappingurl.impl.URLAnalyzer.doFilter(URLAnalyzer.java:442)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
    at com.ibm.wps.engine.VirtualPortalFilter.doFilter(VirtualPortalFilter.java:89)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
    at com.ibm.wps.resolver.servlet.ContentHandlerGzip.internalDoFilter(ContentHandlerGzip.java:730)
    at com.ibm.wps.resolver.servlet.ContentHandlerGzip.doFilter(ContentHandlerGzip.java:471)
    at com.ibm.wps.resolver.servlet.AbstractFilter.doFilter(AbstractFilter.java:103)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
    at com.ibm.wps.state.filter.StateCleanup.doFilter(StateCleanup.java:103)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
    at com.ibm.wps.devicesupport.WorklightFilter.doFilter(WorklightFilter.java:166)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:967)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1107)
    at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:87)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:949)
    at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
    at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:213)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:463)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:530)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:316)
    at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:88)
    at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1833)
    at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
    at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
    at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
    at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
    at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
    at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
    at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1892)
But the thing is, by this config, WebSphere is not even supposed to look into the user registry.
Thanks in advance. :)
Please remove sso_1.sp.groupMap from the TAI configuration.