Wednesday, May 20, 2015

[WSO2 AM] Access token related issues

Create an API with the following details.

Name     : StockquoteAPI
Context  : stockquote
Version  : 1.0.0
Endpoint : http://www.webservicex.net/stockquote.asmx
Resource : GetQuote
Query    : symbol




1. Invoke the API with an invalid token.

Client side errors:

401 Unauthorized

<ams:fault>
 <ams:code>900901</ams:code>
 <ams:message>Invalid Credentials</ams:message>
 <ams:description>Access failure for API: /stockquote, version: 1.0.0 with key: lI2XVmmRJ9_B_rbh1rwV7Pg3Pp8</ams:description>
</ams:fault>
Backend error:

[2015-05-16 22:22:14,630] ERROR - APIAuthenticationHandler API authentication failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /stockquote, version: 1.0.0 with key: lI2XVmmRJ9_B_rbh1rwV7Pg3Pp8
    at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:212)
    at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:94)
    at org.apache.synapse.rest.API.process(API.java:284)
    at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:83)
    at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:64)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:220)
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:83)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:344)
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:168)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)


Solution: Double check the token.

2. Invoke the API with the wrong token type.

Eg: invoke the API with an application token, but the resource only allows application user tokens.

Client Errors:

401 Unauthorized

<ams:fault>
   <ams:code>900905</ams:code>
   <ams:message>Incorrect Access Token Type is provided</ams:message>
   <ams:description>Access failure for API: /stockquote, version: 1.0.0 with key: lI2XVmmRJ9_B_rbh1rwV7Pg3Pp8a</ams:description>
 </ams:fault>
Backend error:

[2015-05-16 22:29:05,262] ERROR - APIAuthenticationHandler API authentication failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /stockquote, version: 1.0.0 with key: lI2XVmmRJ9_B_rbh1rwV7Pg3Pp8a
    at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:212)
    at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:94)
    at org.apache.synapse.rest.API.process(API.java:284)
    at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:83)
    at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:64)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:220)
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:83)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:344)
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:168)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)

Solution: Edit the API in the Publisher, go to the Manage wizard and check the authentication type set for the resource.


3. Invoke a non-existing API resource.

Client Errors:

403 Forbidden

<ams:fault>
 <ams:code>900906</ams:code>
 <ams:message>No matching resource found in the API for the given request</ams:message>
 <ams:description>Access failure for API: /stockquote, version: 1.0.0 with key: lI2XVmmRJ9_B_rbh1rwV7Pg3Pp8a</ams:description>
</ams:fault>

Backend error:

[2015-05-16 22:40:00,506] ERROR - APIKeyValidator Could not find matching resource for /GetQuote1?symbol=ibm
[2015-05-16 22:40:00,507] ERROR - APIKeyValidator Could not find matching resource for request
[2015-05-16 22:40:00,508] ERROR - APIAuthenticationHandler API authentication failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /stockquote, version: 1.0.0 with key: lI2XVmmRJ9_B_rbh1rwV7Pg3Pp8a
    at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:212)
    at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:94)
    at org.apache.synapse.rest.API.process(API.java:284)
    at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:83)
    at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:64)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:220)
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:83)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:344)
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:168)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)

Solution: Edit the API in the Publisher (Design wizard) and double-check the resource names that are available.


4. The token was generated without a scope (default scope), but the API resource is configured with a scope.

Client Errors:

403 Forbidden

<ams:fault>
 <ams:code>900910</ams:code>
 <ams:message>The access token does not allow you to access the requested resource</ams:message>
 <ams:description>Access failure for API: /stockquote, version: 1.0.0 with key: 1e1b6aa805d4bfd89b6e36ac48345a</ams:description>
</ams:fault>
Backend error:

[2015-05-16 23:08:57,103] ERROR - APIAuthenticationHandler API authentication failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /stockquote, version: 1.0.0 with key: 1e1b6aa805d4bfd89b6e36ac48345a
    at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:212)
    at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:94)
    at org.apache.synapse.rest.API.process(API.java:284)
    at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:83)
    at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:64)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:220)
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:83)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:344)
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:168)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)


Solution: Generate a new token with the required scope(s), e.g.:

curl -k -d "grant_type=password&username=admin&password=admin&scope=stock" -H "Authorization: Basic THUwUVlFUUIxYVRKY3B6YTIxQnFxa0ZhU1I0YTo0ZE1FRUs3N1k4emZhSU56aVdGbTB1aFNBdjBh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token


5. Invoke with expired token.

Client errors:

401 Unauthorized

<ams:fault>
 <ams:code>900903</ams:code>
 <ams:message>Access Token Expired</ams:message>
 <ams:description>Access failure for API: /stockquote, version: 1.0.0 with key: 8d438b49d9b24c752ce2b89c24bc198</ams:description>
</ams:fault>

Backend error:

[2015-05-17 13:30:50,155] ERROR - APIAuthenticationHandler API authentication failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /stockquote, version: 1.0.0 with key: 8d438b49d9b24c752ce2b89c24bc198
    at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:212)
    at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:94)
    at org.apache.synapse.rest.API.process(API.java:284)
    at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:83)
    at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:64)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:220)
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:83)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:344)
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:168)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)

Solution: You need to regenerate the token. If it is a user token, you can use the refresh token to generate a new one:

curl -k -d "grant_type=refresh_token&refresh_token=<retoken>&scope=PRODUCTION" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token

6. The token was generated with a 60-second life span, but the API can still be invoked with that token after 60 seconds.


Reason:

The default token validity period is 3600 seconds, configured in the identity.xml file:
<AccessTokenDefaultValidityPeriod>3600</AccessTokenDefaultValidityPeriod>
But there is another configuration called "TimestampSkew":
<TimestampSkew>300</TimestampSkew>
You can find the usage of that configuration here: https://docs.wso2.com/display/AM180/Token+API#TokenAPI-Configuringthetokenexpirationtime

According to that description, the token stays valid for the TimestampSkew period even though its own validity period is shorter than the TimestampSkew.
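As an added example (not from the post), the following reads the two settings above out of an identity.xml fragment and models the acceptance rule the post describes, so the 60-second case in this section can be reproduced: the skew is added on top of the token's own validity. The fragment is constructed and the element names are the ones quoted above; the lookup ignores XML namespaces so it also works when the file declares a default namespace. The lint at the end flags a skew that is not smaller than the requested lifetime, which is the check a deployment with short-lived tokens wants.

```python
import xml.etree.ElementTree as ET

# Constructed identity.xml fragment carrying only the two settings discussed above; the real
# file has many more elements. The default namespace here is an assumption, used only to show
# that the lookup below does not depend on it.
SAMPLE_IDENTITY_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <OAuth>
    <AccessTokenDefaultValidityPeriod>3600</AccessTokenDefaultValidityPeriod>
    <TimestampSkew>300</TimestampSkew>
  </OAuth>
</Server>"""


def find_setting(root, local_name, default):
    """Return the integer value of the first element with this local name, ignoring namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name and el.text and el.text.strip().isdigit():
            return int(el.text.strip())
    return default


def load_token_settings(xml_text):
    """Pull the default validity period and the timestamp skew (seconds) out of identity.xml."""
    root = ET.fromstring(xml_text)
    return {
        "default_validity": find_setting(root, "AccessTokenDefaultValidityPeriod", 3600),
        "skew": find_setting(root, "TimestampSkew", 300),
    }


def effective_lifetime(validity, skew):
    """Model of the behaviour described above: the skew is added on top of the token's own validity."""
    return validity + skew


def is_accepted(issued_at, validity, skew, now):
    """True while the token is still accepted under the validity-plus-skew rule."""
    return now < issued_at + effective_lifetime(validity, skew)


def lint_token_lifetime(settings, requested_validity):
    """Warn when the skew extends a token by as much as (or more than) its requested lifetime."""
    warnings = []
    skew = settings["skew"]
    if skew >= requested_validity:
        warnings.append(
            f"TimestampSkew={skew}s is not smaller than the requested validity "
            f"{requested_validity}s; the token stays usable for "
            f"{effective_lifetime(requested_validity, skew)}s")
    return warnings


if __name__ == "__main__":
    settings = load_token_settings(SAMPLE_IDENTITY_XML)
    # A 60 s token with the default 300 s skew: still accepted 200 s after issue, rejected after 360 s.
    print(is_accepted(0, 60, settings["skew"], 200), is_accepted(0, 60, settings["skew"], 400))
    for warning in lint_token_lifetime(settings, 60):
        print("WARNING:", warning)
```

Run against a real identity.xml, `lint_token_lifetime` gives a quick answer to whether a short validity period requested by a client means anything in practice, or whether the skew dominates it.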

7. The user can generate an access token, but the API is not subscribed to that application.

Client errors:

401 Unauthorized

<ams:fault>
 <ams:code>900901</ams:code>
 <ams:message>Invalid Credentials</ams:message>
 <ams:description>Access failure for API: /stockquote, version: 1.0.0 with key: b31077463e7e7856762234c5d0b599</ams:description>
</ams:fault>
Backend error:

[2015-05-17 22:32:44,609] ERROR - APIAuthenticationHandler API authentication failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /stockquote, version: 1.0.0 with key: b31077463e7e7856762234c5d0b599
    at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:212)
    at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:94)
    at org.apache.synapse.rest.API.process(API.java:284)
    at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:83)
    at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:64)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:220)
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:83)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:344)
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:168)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)  

Solution: Log in to the Store and subscribe the API to the application.
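All seven cases above surface at the client as an <ams:fault> body with a numeric code, and the same code can have more than one cause (900901 is returned both for a bad token and for an application that is not subscribed to the API). The following is an added example, not from the post, that parses such a fault and maps the code to the causes and fixes listed above, masking the token that the gateway echoes in the description before the fault is pasted into a ticket. The ams namespace URI is an assumption and is injected only when the response lacks a declaration; the sample faults and their keys are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumed namespace URI for the "ams" prefix; the responses quoted in the post omit the
# xmlns declaration, so it is injected when missing and read back from the parsed root.
AMS_NS = "http://wso2.org/apimanager/security"

# Error codes seen in the post, each with the HTTP status, the cause(s) and the fix the post gives.
TRIAGE = {
    "900901": ("401 Unauthorized",
               ["token is invalid or mistyped",
                "application is not subscribed to the API"],
               "double-check the token; if it is correct, subscribe the API to the application in the Store"),
    "900903": ("401 Unauthorized",
               ["access token has expired"],
               "regenerate the token (use the refresh_token grant for user tokens)"),
    "900905": ("401 Unauthorized",
               ["token type is not allowed for the resource (e.g. an application token on a user-only resource)"],
               "check the resource's authentication type in the Publisher Manage wizard"),
    "900906": ("403 Forbidden",
               ["no resource in the API matches the request"],
               "check the resource names in the Publisher Design wizard"),
    "900910": ("403 Forbidden",
               ["token scope does not cover the scope configured on the resource"],
               "generate a new token with the required scope(s)"),
}

KEY_RE = re.compile(r"(with key:\s*)\S+")


def redact_key(text: str) -> str:
    """The gateway echoes the presented token in the fault; mask it before it lands in a ticket or log."""
    return KEY_RE.sub(r"\1<redacted>", text)


def parse_fault(body: str) -> dict:
    """Parse an <ams:fault> body into its code, message and (redacted) description."""
    if "xmlns:ams" not in body:
        body = body.replace("<ams:fault", f'<ams:fault xmlns:ams="{AMS_NS}"', 1)
    root = ET.fromstring(body.strip())
    uri = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""

    def child(name: str) -> str:
        el = root.find(f"{{{uri}}}{name}" if uri else name)
        return (el.text or "").strip() if el is not None else ""

    return {"code": child("code"),
            "message": child("message"),
            "description": redact_key(child("description"))}


def triage(body: str) -> dict:
    """Attach the likely cause(s) and the fix from the post to a parsed fault."""
    fault = parse_fault(body)
    status, causes, action = TRIAGE.get(
        fault["code"], ("unknown", [], "unknown code; check the gateway wso2carbon.log"))
    fault.update(http_status=status, causes=causes, action=action)
    return fault


# Constructed samples in the shape of the gateway responses above (keys are made up).
SAMPLE_SCOPE_FAULT = """<ams:fault>
 <ams:code>900910</ams:code>
 <ams:message>The access token does not allow you to access the requested resource</ams:message>
 <ams:description>Access failure for API: /stockquote, version: 1.0.0 with key: 0123456789abcdef</ams:description>
</ams:fault>"""

SAMPLE_UNKNOWN_FAULT = """<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
 <ams:code>900999</ams:code>
 <ams:message>Example message</ams:message>
 <ams:description>Access failure for API: /stockquote, version: 1.0.0 with key: fedcba9876543210</ams:description>
</ams:fault>"""

if __name__ == "__main__":
    for sample in (SAMPLE_SCOPE_FAULT, SAMPLE_UNKNOWN_FAULT):
        result = triage(sample)
        print(result["code"], result["http_status"], "->", result["action"])
        print("  causes:", "; ".join(result["causes"]) or "n/a")
        print("  ", result["description"])
```

The gateway's own log lines carry the same key in clear text (see the stack traces above), so the same redaction applies to anything copied out of wso2carbon.log.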




Monday, May 11, 2015

H2 database in WSO2 products.

H2 is open source and free to distribute, so WSO2 chose it as the default embedded database. In the default distribution, all WSO2 products use embedded H2 databases to store application data.

Eg: WSO2 Identity Server uses WSO2CARBON_DB to store registry, user management and identity management data (service providers, SSO configurations, tokens, etc.). WSO2 API Manager uses WSO2AM_DB to store API-related data.

You can browse those databases; see this post: http://www.vitharana.org/2012/04/how-to-browse-h2-database-of-wso2.html

The H2 database can run in different modes: embedded, server and mixed mode. http://www.h2database.com/html/features.html#connection_modes

This embedded database can become corrupted for various reasons, including failed file locking under concurrent access (http://www.h2database.com/html/features.html#database_file_locking), killing the Java process to shut down the server, low disk space, etc.

WSO2 strongly recommends using a production-ready database such as MySQL, Oracle or PostgreSQL for production, development and QA deployments rather than the embedded H2 database(s).

The registry database has three logical partitions: local, config and governance. The default embedded H2 database should only be used for the local registry.

The local registry stores the mount configurations. If the local registry is corrupted, you can simply delete the default embedded H2 database and restart the server with the -Dsetup parameter; a new database is created and the mount configuration is populated automatically.

Monday, May 4, 2015

Set up the Canon MX450 series scanner in Linux 14.04

"Simple Scan" on Linux doesn't work with the Canon MX450 series, but the ScanGear driver provides a tool to use that scanner on Linux.

1. Download the Debian package archive from here.
2. Extract the archive.
> tar -xvf scangearmp-mx450series-2.10-1-deb.tar.gz
3. Go into the scangearmp-mx450series-2.10-1-deb directory from a terminal.
4. Make install.sh executable.
> sudo chmod a+x install.sh
5. Run install.sh.
> ./install.sh
6. Connect the scanner to the machine (USB) and run the following command to open the GUI.
> scangearmp &

[WSO2 AM/IS] SAML2 bearer tokens with OAuth2



1. Download the latest version of WSO2 API Manager (AM) 1.8.0 (http://wso2.com/api-management/).

2. Download the latest version of WSO2 Identity Server (IS) 5.0.0 and apply the service pack (http://wso2.com/products/identity-server/).

3. I'm going to run AM with port offset 0 and IS with port offset 1 (change <Offset> in carbon.xml).

Change the HostName and MgtHostName in the carbon.xml file of the IS.
<HostName>is.wso2.com</HostName>
<MgtHostName>is.wso2.com</MgtHostName>

4. Change the HostName and MgtHostName in the carbon.xml file of the AM.
<HostName>am.wso2.com</HostName>
<MgtHostName>am.wso2.com</MgtHostName> 


Share the user stores and mount registry spaces.


i. In the default products, AM has a JDBC user store manager and IS has an embedded read/write LDAP server (check the user-mgt.xml file under <HOME>/repository/conf).

ii. Open the user-mgt.xml file in IS and disable the default ReadWriteLDAPUserStoreManager.

iii. Enable the JDBCUserStoreManager.

<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
    <Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property>
    <Property name="ReadOnly">false</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="IsEmailUserName">false</Property>
    <Property name="DomainCalculation">default</Property>
    <Property name="PasswordDigest">SHA-256</Property>
    <Property name="StoreSaltedPassword">true</Property>
    <Property name="ReadGroups">true</Property>
    <Property name="WriteGroups">true</Property>
    <Property name="UserNameUniqueAcrossTenants">false</Property>
    <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
    <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
    <Property name="UsernameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
    <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
    <Property name="RolenameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
    <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="MaxRoleNameListLength">100</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="SharedGroupEnabled">false</Property>
    <Property name="SCIMEnabled">false</Property>
</UserStoreManager>
iv) Create a database (shareddb) for the user store and configure it in the master-datasources.xml file.
<datasource>
    <name>WSO2_UM_DB</name>
    <description>The datasource used for registry and user manager</description>
    <jndiConfig>
        <name>jdbc/WSO2CarbonDB_SHARE</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>
            <url>jdbc:mysql://<host>:<port>/shareddb</url>
            <username>root</username>
            <password>root</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <maxActive>50</maxActive>
            <maxWait>60000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1</validationQuery>
            <validationInterval>30000</validationInterval>
        </configuration>
    </definition>
</datasource>
v) Change the JNDI name in the dataSource property of the user-mgt.xml file.

<Property name="dataSource">jdbc/WSO2CarbonDB_SHARE</Property> 

vi) Do steps (iv) and (v) in AM.

vii) Open the registry.xml in IS and add the mount configurations.

<dbConfig name="wso2registry_shared">
        <dataSource>jdbc/WSO2CarbonDB_SHARE</dataSource>
</dbConfig>

<remoteInstance url="https://localhost:9443/registry">
        <id>instanceid</id>
        <dbConfig>wso2registry_shared</dbConfig>
        <readOnly>false</readOnly>
        <enableCache>true</enableCache>
        <registryRoot>/</registryRoot>
        <cacheId>root@jdbc:mysql://<host>:<port>/shareddb</cacheId>
</remoteInstance>
<mount path="/_system/config" overwrite="true">
        <instanceId>instanceid</instanceId>
        <targetPath>/_system/isnodes</targetPath>
</mount>
<mount path="/_system/governance" overwrite="true">
        <instanceId>instanceid</instanceId>
        <targetPath>/_system/governance</targetPath>
</mount>
viii) Open the registry.xml of the AM and add the mount configurations.

<dbConfig name="wso2registry_shared">
        <dataSource>jdbc/WSO2CarbonDB_SHARE</dataSource>
</dbConfig>

<remoteInstance url="https://localhost:9443/registry">
        <id>instanceid</id>
        <dbConfig>wso2registry_shared</dbConfig>
        <readOnly>false</readOnly>
        <enableCache>true</enableCache>
        <registryRoot>/</registryRoot>
        <cacheId>root@jdbc:mysql://<host>:<port>/shareddb</cacheId>
</remoteInstance>
<mount path="/_system/config" overwrite="true">
        <instanceId>instanceid</instanceId>
        <targetPath>/_system/amnodes</targetPath>
</mount>
<mount path="/_system/governance" overwrite="true">
        <instanceId>instanceid</instanceId>
        <targetPath>/_system/governance</targetPath>
</mount>


(You need to start the servers with the -Dsetup parameter to generate the tables in shareddb.)

Configure Identity Provider 


1. Log in to the AM and add the WSO2 IS as an identity provider.

i) You need the public certificate of the Identity Server. You can export it from the default wso2carbon.jks file using the following keytool command.

Go to the wso2is-5.0.0/repository/resources/security directory from a terminal and execute the command below.
keytool -export -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -file carbonjks.pem
Identity provider Name*               = WSO2_IS
Identity Provider Public Certificate* = Browse and select the carbonjks.pem file
Enable SAML2 with SSO                 = checked
Identity Provider Entity Id           = WSO2_IDP
Service Provider Entity Id            = WSO2_AM
SSO URL                               = https://is.wso2.com:9444/samlsso
Alias                                 = https://am.wso2.com:9443/oauth2/token


Configure Service Providers

 


1. Open the identity.xml in IS (wso2is-5.0.0/repository/conf) and change the following two parameters as below.
<EntityId>WSO2_IDP</EntityId>
<IdentityProviderURL>https://is.wso2.com:9444/samlsso</IdentityProviderURL>
2. Enable DEBUG logs in IS to capture the SAML response. Open the log4j.properties file in wso2is-5.0.0/repository/conf and add the following DEBUG logger.
log4j.logger.org.wso2.carbon.identity=DEBUG
3. Restart the IS server.

4. Log in to the Identity Server and add the Store as a service provider.
Service Provider Name = AM_STORE 


5. Configure the "SAML2 Web SSO Configuration".



Assertion Consumer URL                     = https://am.wso2.com:9443/store/jagg/jaggery_acs.jag
Use fully qualified username in the NameID = checked
Enable Response Signing                    = checked
Enable Assertion Signing                   = checked
Enable Single Logout                       = checked
Enable Audience Restriction                = checked 
Add the Audience                           = https://am.wso2.com:9443/oauth2/token
Enable Recipient Validation                = checked
Add the Recipient                          = https://am.wso2.com:9443/oauth2/token
6. Log in to the Identity Server and add the management console as a service provider.

Assertion Consumer URL                     = https://am.wso2.com:9443/acs
Use fully qualified username in the NameID = checked
Enable Response Signing                    = checked
Enable Assertion Signing                   = checked
Enable Single Logout                       = checked
Enable Audience Restriction                = checked 
Add the Audience                           = https://am.wso2.com:9443/oauth2/token
Enable Recipient Validation                = checked
Add the Recipient                          = https://am.wso2.com:9443/oauth2/token




Configure SAML2SSOAuthenticator in AM

 

1. Open the authenticators.xml file under wso2am-1.8.0/repository/conf/security and configure SAML2SSOAuthenticator as below.
<Authenticator name="SAML2SSOAuthenticator" disabled="false">
        <Priority>0</Priority>
        <Config>
            <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
            <Parameter name="ServiceProviderID">WSO2_AM</Parameter>
            <Parameter name="IdentityProviderSSOServiceURL">https://is.wso2.com:9444/samlsso</Parameter>
            <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>

            <!-- <Parameter name="IdPCertAlias">wso2carbon</Parameter> -->
            <!-- <Parameter name="ResponseSignatureValidationEnabled">false</Parameter> -->
            <!-- <Parameter name="LoginAttributeName"></Parameter> -->
            <!-- <Parameter name="RoleClaimAttribute"></Parameter> -->
            <!-- <Parameter name="AttributeValueSeparator">,</Parameter> -->

            <!-- <Parameter name="JITUserProvisioning">true</Parameter> -->
            <!-- <Parameter name="ProvisioningDefaultUserstore">PRIMARY</Parameter> -->
            <!-- <Parameter name="ProvisioningDefaultRole">admin</Parameter> -->
            <!-- <Parameter name="IsSuperAdminRoleRequired">true</Parameter> -->
        </Config>

        <!-- If this authenticator should skip any URI from authentication, specify it under "SkipAuthentication"
        <SkipAuthentication>
            <UrlContains></UrlContains>
        </SkipAuthentication> -->

        <!-- If this authenticator should skip any URI from session validation, specify it under "SkipAuthentication
        <SkipSessionValidation>
            <UrlContains></UrlContains>
        </SkipSessionValidation> -->
    </Authenticator> 

2. Open the site.json file under wso2am-1.8.0/repository/deployment/server/jaggeryapps/store/site/conf and configure the ssoConfiguration as below for the Store application.

        "enabled" : "true",
        "issuer" : "API_STORE",
        "identityProviderURL" : "https://is.wso2.com:9444/samlsso",
        "keyStorePassword" : "wso2carbon",
        "identityAlias" : "wso2carbon",
        "responseSigningEnabled":"true",
        "keyStoreName" :"/home/ajith/wso2am-1.8.0/repository/resources/security/wso2carbon.jks"

3. Restart the AM server.

Generate SAML Assertion

1. When you try to access the Store URL (https://am.wso2.com:9443/store), it redirects to the Identity Server.

2. When you log in to the Store, you should see the SAML response (base64 encoded) printed as a DEBUG log on the Identity Server side (in the wso2carbon.log file).

3. You can decode that base64 text to get the SAML response (https://www.base64decode.org/).

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://am.wso2.com:9443/store/jagg/jaggery_acs.jag" ID="kmiklfhjnmildgbdeaopcghdnkighhhplmlddffb" InResponseTo="dnhgclfhfjjlllnmjfboklkkeeeijcdomhacjgfc" IssueInstant="2015-05-03T04:08:24.643Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">WSO2_IDP</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#kmiklfhjnmildgbdeaopcghdnkighhhplmlddffb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>faIOp/bxRf9Qe2GcT1cMIps77n0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Jac8fOJKdb4UOxvYd8McjidNGmTH2HKMUiaPWN0551xvIFCTLCoR4iD3tYxLpdHJJpJGznKOZFN5NwHYA9d7S1oH7L4HDfhf4LqBww+538glSwCxGTpIA07sOsozCGCgP41QXcMugqJanP252rTUQJD+fUnJHpuxaPMxEJ5hy0E=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPpr
jOrmyK5sjJRO4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion ID="fecbjhnbjladdihfokcopndojkpbaddhbofnmckd" IssueInstant="2015-05-03T04:08:24.643Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">WSO2_IDP</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#fecbjhnbjladdihfokcopndojkpbaddhbofnmckd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>nFwyKCsaek+M2IgXv6cBKhKkxl0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>QheQIxioLpDwMg5yQtjHT38eATc7ldte4vHCduNxw3fXNarRiaSAktZpRflPLbFYjaGt7wWu5LTypT54AsiKfGilbc25bkB6BKIBbxbfucpSIHKW1qYbUPmw4QYFccv4DCwj+PffbSR5MgqO94n/0LoF3ExqHa4+tb+kIO0sQb4=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="dnhgclfhfjjlllnmjfboklkkeeeijcdomhacjgfc" NotOnOrAfter="2015-05-03T04:13:24.643Z" Recipient="https://am.wso2.com:9443/store/jagg/jaggery_acs.jag"/></saml2:SubjectConfirmation><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="dnhgclfhfjjlllnmjfboklkkeeeijcdomhacjgfc" NotOnOrAfter="2015-05-03T04:13:24.643Z" Recipient="https://am.wso2.com:9443/oauth2/token"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2015-05-03T04:08:24.643Z" 
NotOnOrAfter="2015-05-03T04:13:24.643Z"><saml2:AudienceRestriction><saml2:Audience>API_STORE</saml2:Audience><saml2:Audience>https://am.wso2.com:9443/oauth2/token</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2015-05-03T04:08:24.644Z" SessionIndex="79e867d8-0aee-488e-b3e1-6c2db01a256d"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>


 

Create Application and Generate Consumer Key/Secret


1. Create a new application (e.g. TestApp) and subscribe the API to that application.



 

Generate OAuth Token - Type 1



1. Now you can generate an OAuth token using the command below (the Authorization and Content-Type headers are passed as two separate -H flags).

curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Base 64 URL encoded SAML assertion>&scope=PRODUCTION" -H "Authorization: Basic <base64Encode(consumer Key:consumer Secret)>" -H "Content-Type: application/x-www-form-urlencoded" https://am.wso2.com:9443/oauth2/token

<Base 64 URL encoded SAML assertion>

You can get the SAML response as mentioned in the steps above. Then capture only the SAML assertion (the <saml2:Assertion> element) and base64 URL-encode it, for example with http://kjur.github.io/jsjws/tool_b64uenc.html

<base64encode(consumer Key:consumer Secret)>

You can use this site (https://www.base64encode.org/) to base64-encode consumer Key:consumer Secret.

e.g. (the assertion value, a long base64url string, is elided here):

curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Base 64 URL encoded SAML assertion>&scope=PRODUCTION" -H "Authorization: Basic RmdwUktWTnVMVmpRR2twWDNmZnNwazhNVllzYTo5ZUg0VmtiWXd4RkVqcjhKX25ra0k5dTR6TWNh" -H "Content-Type: application/x-www-form-urlencoded" https://am.wso2.com:9443/oauth2/token


The output would be:

{"scope":"PRODUCTION","token_type":"Bearer","expires_in":3299,"refresh_token":"9b1354db82ce8a2eaf2b66ff965a3da","access_token":"74cac5b8259d15f39c4be9352655a969"}
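As an added example (not code from the post), this Python script performs the Type 1 steps on the client side: it cuts the <saml2:Assertion> element out of a SAML response, pre-checks the Audience, Recipient and NotOnOrAfter conditions that the token endpoint enforces before issuing a token, base64url-encodes the assertion and assembles the saml2-bearer token request. The sample response, consumer key and secret are constructed, and it assumes the unpadded base64url output of the encoder tool linked above.

```python
import base64
import re
from datetime import datetime, timezone
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://am.wso2.com:9443/oauth2/token"
# Constructed, unsigned sample shaped like the response above (no ds:Signature, so a real
# token endpoint would reject it); it only exercises the client-side steps.
SAMPLE_RESPONSE = (
    '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Assertion '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1"><saml2:Issuer>WSO2_IDP</saml2:Issuer>'
    '<saml2:Subject><saml2:NameID>admin</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    f'<saml2:SubjectConfirmationData NotOnOrAfter="2015-05-03T04:13:24.643Z" Recipient="{TOKEN_ENDPOINT}"/>'
    '</saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2015-05-03T04:08:24.643Z" '
    f'NotOnOrAfter="2015-05-03T04:13:24.643Z"><saml2:AudienceRestriction><saml2:Audience>{TOKEN_ENDPOINT}</saml2:Audience>'
    '</saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></saml2p:Response>'
)

def _saml_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def extract_assertion(response_xml):
    # Cut the element out as raw text: re-serialising it through an XML parser can
    # change whitespace or namespace declarations and invalidate the enveloped signature.
    m = re.search(r"<saml2:Assertion\b.*?</saml2:Assertion>", response_xml, re.S)
    if not m:
        raise ValueError("no saml2:Assertion element in response")
    return m.group(0)

def assertion_problems(assertion_xml, token_endpoint, now_iso):
    # Pre-flight the conditions the token endpoint enforces on a saml2-bearer assertion:
    # Audience and bearer Recipient must name the endpoint, and no NotOnOrAfter may have passed.
    now, problems = _saml_time(now_iso), []
    if f"<saml2:Audience>{token_endpoint}</saml2:Audience>" not in assertion_xml:
        problems.append("audience does not include the token endpoint")
    if f'Recipient="{token_endpoint}"' not in assertion_xml:
        problems.append("no bearer SubjectConfirmation addressed to the token endpoint")
    expired = [ts for ts in re.findall(r'NotOnOrAfter="([^"]+)"', assertion_xml) if now >= _saml_time(ts)]
    if expired:
        problems.append(f"assertion expired at {expired[0]}")
    return problems

def b64url(data):
    # base64url without padding, as the encoder tool referenced above produces
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_token_request(assertion_xml, consumer_key, consumer_secret, scope="PRODUCTION"):
    # Authorization and Content-Type are separate headers (two -H flags in curl).
    creds = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds, "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
                      "assertion": b64url(assertion_xml.encode("utf-8")), "scope": scope})
    return headers, body
```

Run the assertion through `assertion_problems` with the current UTC time before posting; an empty list means the conditions the gateway checks are satisfied and any remaining 401 points at the signature, issuer or client credentials instead.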




Generate OAuth Token - Type 2

 

1. You can use the SAML2AssertionCreator tool (developed by the WSO2 IS team) to get the base64 URL-encoded SAML assertion and generate the OAuth token.

2. Unzip the SAML2AssertionCreator.zip file and execute the following command inside the SAML2AssertionCreator directory.

java -jar SAML2AssertionCreator.jar <Identity_Provider_Entity_Id> <user_name> <recipient> <requested_audience> <Identity_Provider_JKS_file> <Identity_Provider_JKS_password> <Identity_Provider_certificate_alias> <private_key_password>

eg:

java -jar SAML2AssertionCreator.jar WSO2_IDP admin https://am.wso2.com:9443/oauth2/token https://am.wso2.com:9443/oauth2/token /home/ajith/wso2/blog/wso2is-5.0.0/repository/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon

3. Now you will get the base64 URL-encoded SAML2 assertion.

4. Execute the following command to get the OAuth token.

curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Base 64 URL encoded SAML assertion>&scope=PRODUCTION" -H "Authorization: Basic <base64Encode(ConsumerKey:ConsumerSecret)>" -H "Content-Type: application/x-www-form-urlencoded" https://am.wso2.com:9443/oauth2/token