0
votes

We are trying to configure WSO2 AM (3.1.0) to authenticate/authorize purely with SAML SSO. As the SAML IdP we use Azure AD.

While configuring the Publisher or Store (Dev Portal) to use SAML SSO works (https://apim.docs.wso2.com/en/latest/install-and-setup/setup/sso/okta-as-an-external-idp-using-saml/), the underlying primary user store for the admin console is still LDAP (with StartTLS). Our goal is to get rid of the LDAP connection.

When we configure the admin console to use SAML SSO (https://is.docs.wso2.com/en/5.9.0/learn/configuring-saml2-single-sign-on-across-different-wso2-products/), we can log in to the admin console.

Issue: when the admin console is configured to use SAML SSO and a user in the Dev Portal tries to create application credentials, we get the following error:

Caused by: org.apache.axis2.AxisFault: Access Denied. Please login first.
        at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531) ~[axis2_1.6.1.wso2v41.jar:?]
        at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v41.jar:?]
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:457) ~[axis2_1.6.1.wso2v41.jar:?]
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228) ~[axis2_1.6.1.wso2v41.jar:?]
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) ~[axis2_1.6.1.wso2v41.jar:?]
        at org.wso2.carbon.apimgt.keymgt.stub.subscriber.APIKeyMgtSubscriberServiceStub.createOAuthApplicationByApplicationInfo(APIKeyMgtSubscriberServiceStub.java:1348) ~[org.wso2.carbon.apimgt.keymgt.stub_6.6.163.jar:?]
        at org.wso2.carbon.apimgt.keymgt.client.SubscriberKeyMgtClient.createOAuthApplicationbyApplicationInfo(SubscriberKeyMgtClient.java:64) ~[org.wso2.carbon.apimgt.keymgt.client_6.6.163.jar:?]
        at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.createOAuthApplicationbyApplicationInfo_aroundBody42(AMDefaultKeyManagerImpl.java:720) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
        at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.createOAuthApplicationbyApplicationInfo(AMDefaultKeyManagerImpl.java:715) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
        at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.createApplication_aroundBody0(AMDefaultKeyManagerImpl.java:125) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
        at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.createApplication(AMDefaultKeyManagerImpl.java:91) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
        at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication_aroundBody8(AbstractApplicationRegistrationWorkflowExecutor.java:145) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
        at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication(AbstractApplicationRegistrationWorkflowExecutor.java:123) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
        at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.generateKeysForApplication_aroundBody6(AbstractApplicationRegistrationWorkflowExecutor.java:119) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
        at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.generateKeysForApplication(AbstractApplicationRegistrationWorkflowExecutor.java:116) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
        at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete_aroundBody2(ApplicationRegistrationSimpleWorkflowExecutor.java:78) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
        at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete(ApplicationRegistrationSimpleWorkflowExecutor.java:66) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
        at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.execute_aroundBody0(ApplicationRegistrationSimpleWorkflowExecutor.java:54) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
        at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.execute(ApplicationRegistrationSimpleWorkflowExecutor.java:47) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]
        at org.wso2.carbon.apimgt.impl.APIConsumerImpl.requestApprovalForApplicationRegistration_aroundBody144(APIConsumerImpl.java:3876) ~[org.wso2.carbon.apimgt.impl_6.6.163.jar:?]

At first I assumed that the issue was with the different authenticator for the admin services, but the user can create and publish APIs and create an application in the Dev Portal. The exception occurs when generating the application credentials.

Any ideas?


1 Answer

0
votes

Do you have multiple Key Managers? If yes, please make sure you have enabled stickiness at the LB level.
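One way to verify the LB stickiness the answer refers to, as an added example that is not part of the original thread or of WSO2's own tooling: send a series of requests to the load-balanced endpoint while reusing the cookies issued on the first response, and check whether every response comes from the same backend node. The script assumes the LB (or each node) adds a header naming the node that served the request; the header name X-Backend is an assumption chosen here, not a WSO2 default. If no such header is present, it falls back to checking that JSESSIONID is never re-issued after the first response, which is what a node that does not know the session would do. The URL, node names and sample responses in the test are constructed.

```python
"""Probe a load balancer in front of clustered WSO2 nodes for session stickiness.

Added example, not from the original post. Assumptions:
- NODE_HEADER names a response header that identifies the serving node
  (X-Backend is a name chosen here; add it in your LB config if absent).
- Without that header, a re-issued JSESSIONID on a later request is taken
  as evidence the request landed on a node that did not know the session.
"""
import http.cookiejar
import ssl
import urllib.request
from typing import Dict, List, Optional, Tuple

NODE_HEADER = "X-Backend"      # assumption: header naming the serving node
SESSION_COOKIE = "JSESSIONID"  # Tomcat/Carbon session cookie name


def probe(url: str, n: int = 10, cafile: Optional[str] = None,
          timeout: float = 5.0) -> List[Dict[str, str]]:
    """Send n requests to url, reusing cookies, and record per-response evidence.

    TLS is verified; pass cafile to trust the deployment's own CA instead of
    disabling verification.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPCookieProcessor(jar),
    )
    samples: List[Dict[str, str]] = []
    for _ in range(n):
        with opener.open(url, timeout=timeout) as resp:
            samples.append({
                "node": resp.headers.get(NODE_HEADER, ""),
                "set_cookie": resp.headers.get("Set-Cookie", ""),
            })
    return samples


def analyze(samples: List[Dict[str, str]]) -> Tuple[bool, str]:
    """Decide from recorded responses whether the session stayed on one node.

    Returns (sticky, reason). Prefers the node header; otherwise looks for a
    session cookie re-issued on any request after the first.
    """
    if not samples:
        return False, "no samples recorded"
    nodes = {s["node"] for s in samples if s["node"]}
    if nodes:
        if len(nodes) == 1:
            return True, f"all {len(samples)} responses served by {next(iter(nodes))}"
        return False, f"responses spread over nodes {sorted(nodes)}"
    # No node header: a new JSESSIONID after request 0 means the request hit
    # a node without that session (or the session was invalidated).
    reissues = [i for i, s in enumerate(samples[1:], start=1)
                if SESSION_COOKIE + "=" in s["set_cookie"]]
    if reissues:
        return False, f"{SESSION_COOKIE} re-issued on requests {reissues}"
    return True, "no session re-issue observed (no node header available)"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://localhost:9443/carbon/"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    sticky, reason = analyze(probe(target, cafile=ca))
    print(("STICKY" if sticky else "NOT STICKY") + ": " + reason)
```

Run it against the LB address the Store and Publisher use for the Key Manager (for example the /carbon/ login page) and, if the result is NOT STICKY, configure session affinity on the LB before retrying the key generation; a shared session store across nodes is the alternative if affinity is not an option.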