By: Dan Seibert user 16 May 2016 at 7:46 p.m. CDT

10 Responses
Hello, I would like to provision new Gluu users from my application. I am attempting to use the SCIM-Client, but am having trouble, and hope you can help.

I'm attempting to test SCIM access as described in this article: https://gluu.org/docs/integrate/scimuma-howto/

And also following this support ticket: https://support.gluu.org/integrations/difficulty-to-understand-scim-uma-how-to-2589

I was having issues similar to those the user mentioned in the above ticket, and upgraded from Gluu version 2.4.1 to 2.4.3 (to avoid the issue described in that ticket).

From my output/oxtrust-config.json:

```
"umaIssuer":"https://iotdev05.bi.local",
"umaClientId":"@!0EEC.F661.FD8C.F399!0001!3F6F.B403!0008!B88C.EF9A",
"umaClientKeyId":"",
"umaResourceId":"1447184268430",
"umaScope":"https://iotdev05.bi.local/oxauth/seam/resource/restv1/uma/scopes/scim_access",
```

```
triton@iotdev05:/opt/gluu-server-2.4.3/install/community-edition-setup$ cat setup.properties.last | grep "scim_rs_client_id\|scim_rp_client_id"
scim_rp_client_id=@!0EEC.F661.FD8C.F399!0001!3F6F.B403!0008!C1E6.C16E
scim_rs_client_id=@!0EEC.F661.FD8C.F399!0001!3F6F.B403!0008!B88C.EF9A
```

I modified my local version of TestScimClient.java to use my server host and client ID with the value for scim_rp_client_id above, and set client key = "":

```java
final String domain = "https://iotdev05.bi.local/identity/seam/resource/restv1";
final String umaMetaDataUrl = "https://iotdev05.bi.local/.well-known/uma-configuration";
final String umaAatClientId = "@!0EEC.F661.FD8C.F399!0001!3F6F.B403!0008!C1E6.C16E";
final String umaAatClientJwks = FileUtils.readFileToString(new File("/Users/triton/Documents/workspaces/iot-services/rest/src/test/resources/scim-rp-openid-keys.json"));
final String umaAatClientKeyId = "";
testScim1Uma(domain, umaMetaDataUrl, umaAatClientId, umaAatClientJwks, umaAatClientKeyId);
testScim2Uma(domain, umaMetaDataUrl, umaAatClientId, umaAatClientJwks, umaAatClientKeyId);
}
```

The test fails with exception:

```
Exception in thread "main" gluu.scim.client.exception.ScimInitializationException: Could not get accessToken
    at gluu.scim.client.auth.UmaScimClientImpl.initUmaAuthentication(UmaScimClientImpl.java:95)
    at gluu.scim.client.auth.UmaScimClientImpl.init(UmaScimClientImpl.java:74)
    at gluu.scim.client.BaseScimClientImpl.personSearch(BaseScimClientImpl.java:783)
    at gluu.scim.client.auth.UmaScimClientImpl.personSearch(UmaScimClientImpl.java:385)
    at gluu.scim.client.ScimClient.personSearch(ScimClient.java:189)
    at TestScimClient.testScim1Uma(TestScimClient.java:22)
    at TestScimClient.main(TestScimClient.java:42)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
Caused by: gluu.scim.client.exception.ScimInitializationException: Failed to get RPT token. Error: {"error":"server_error","error_description":"The AM server encountered an unexpected condition which prevented it from fulfilling the request."}
    at gluu.scim.client.auth.UmaScimClientImpl.initUmaRpt(UmaScimClientImpl.java:164)
    at gluu.scim.client.auth.UmaScimClientImpl.initUmaAuthentication(UmaScimClientImpl.java:91)
    ... 11 more
Caused by: org.jboss.resteasy.client.ClientResponseFailure: Error status 500 Internal Server Error returned
    at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:523)
    at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:514)
    at org.jboss.resteasy.client.core.BaseClientResponse.checkFailureStatus(BaseClientResponse.java:508)
```

Checking the oxauth.log file on the Gluu server, I find:

```
2016-05-16 23:33:09,201 INFO [org.xdi.oxauth.auth.Authenticator] Authentication success for Client: '@!0EEC.F661.FD8C.F399!0001!3F6F.B403!0008!C1E6.C16E'
2016-05-16 23:33:09,544 ERROR [xdi.oxauth.uma.ws.rs.CreateRptWS] Exception happened
java.security.SignatureException: The shared secret is null
    at org.xdi.oxauth.model.jws.HMACSigner.generateSignature(HMACSigner.java:41)
    at org.xdi.oxauth.model.jws.AbstractJwsSigner.sign(AbstractJwsSigner.java:41)
    at org.xdi.oxauth.model.token.JwtSigner.sign(JwtSigner.java:80)
    at org.xdi.oxauth.uma.ws.rs.CreateRptWS.createJwr(CreateRptWS.java:127)
    at org.xdi.oxauth.uma.ws.rs.CreateRptWS.getRpt(CreateRptWS.java:97)
```

Have we missed some required setup in our configuration? Any advice or help is appreciated.

Regards,
Dan

By Dan Seibert user 16 May 2016 at 8:02 p.m. CDT

On a whim, I tried using the scim_rs_client_id as the value for umaAatClientId (instead of scim_rp_client_id), because it matches the "umaClientId" in /output/oxtrust-config.json.

Result on client:

```
Exception in thread "main" gluu.scim.client.exception.ScimInitializationException: Could not get accessToken
    at gluu.scim.client.auth.UmaScimClientImpl.initUmaAuthentication(UmaScimClientImpl.java:95)
    at gluu.scim.client.auth.UmaScimClientImpl.init(UmaScimClientImpl.java:74)
    at gluu.scim.client.BaseScimClientImpl.personSearch(BaseScimClientImpl.java:783)
    at gluu.scim.client.auth.UmaScimClientImpl.personSearch(UmaScimClientImpl.java:385)
    at gluu.scim.client.ScimClient.personSearch(ScimClient.java:189)
    at TestScimClient.testScim1Uma(TestScimClient.java:22)
    at TestScimClient.main(TestScimClient.java:42)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
Caused by: gluu.scim.client.exception.ScimInitializationException: Failed to get UMA AAT token
    at gluu.scim.client.auth.UmaScimClientImpl.initUmaRpt(UmaScimClientImpl.java:153)
    at gluu.scim.client.auth.UmaScimClientImpl.initUmaAuthentication(UmaScimClientImpl.java:91)
```

In server oxauth.log:

```
2016-05-17 00:49:56,740 INFO [org.xdi.oxauth.auth.AuthenticationFilter] JWT authentication failed: Invalid cryptographic segment
org.xdi.oxauth.model.exception.InvalidJwtException: Invalid cryptographic segment
    at org.xdi.oxauth.model.token.ClientAssertion.load(ClientAssertion.java:106)
    at org.xdi.oxauth.model.token.ClientAssertion.<init>(ClientAssertion.java:39)
    at org.xdi.oxauth.auth.AuthenticationFilter.processJwtAuth(AuthenticationFilter.java:324)
```

By Valentino Pecaoco user 17 May 2016 at 12:38 a.m. CDT

Hi Dan,

`scim-rp-openid-keys.json` must only be used with `scim_rp_client_id` (they are both for "`rp`" = Requesting Party). Right after installation you just need to get the value of `scim_rp_client_id` and the file `scim-rp-openid-keys.json` to use with SCIM-Client. Also, make sure you are using SCIM-Client v2.4.3.Final if you are using CE v2.4.3.

Other checks:

1. If you changed parameter values you may also need to clear/clean your client's `target` or `tmp` folder.
2. Enable "SCIM Support" in oxTrust ("Configuration" -> "Organization Configuration" -> "System Configuration").
3. Import the SSL cert of `https://iotdev05.bi.local` to your client's JVM `cacerts` certificate store.

Regards,
Val

By Dan Seibert user 25 May 2016 at 4:34 p.m. CDT

Hello again, we are still having problems trying to use the Gluu SCIM client. We have upgraded to CE v2.4.3 and are using SCIM-Client v2.4.3.Final. Also tried Val's suggestions above.

I have some more details on the problem:

- We are using the example TestScimClient (link to .zip of the project provided below).
- umaAatClientId is set to the value for scim_rp_client_id in setup.properties.last
- umaAatClientJwks reads scim-rp-openid-keys.json from the /output directory to a string.
- umaAatClientKeyId = "";

Running the client fails trying to get an umaAat token. In UmaScimClientImpl.initUmaRpt(), this call (line 120) returns null:

```java
this.umaAat = UmaClient.request(this.metadataConfiguration.getTokenEndpoint(), rptService);
```

So the client throws an exception at line 129:

```java
throw new ScimInitializationException("Failed to get UMA AAT token");
```

On the server side, in oxauth.log we see an InvalidJwtException:

```
2016-05-25 21:03:38,827 INFO [org.xdi.oxauth.auth.AuthenticationFilter] JWT authentication failed: Invalid cryptographic segment
org.xdi.oxauth.model.exception.InvalidJwtException: Invalid cryptographic segment
    at org.xdi.oxauth.model.token.ClientAssertion.load(ClientAssertion.java:106)
    at org.xdi.oxauth.model.token.ClientAssertion.<init>(ClientAssertion.java:39)
    at org.xdi.oxauth.auth.AuthenticationFilter.processJwtAuth(AuthenticationFilter.java:324)
    at org.xdi.oxauth.auth.AuthenticationFilter.access$100(AuthenticationFilter.java:62)
    at org.xdi.oxauth.auth.AuthenticationFilter$1.process(AuthenticationFilter.java:85)
    at org.jboss.seam.servlet.ContextualHttpServletRequest.run(ContextualHttpServletRequest.java:65)
    at org.xdi.oxauth.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:76)
    ...
```
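The "Invalid cryptographic segment" rejection in the server log above is raised while oxAuth loads the client assertion JWT that the SCIM-Client sends to the token endpoint, and Val's earlier reply stresses that the client id and the JWKS file must belong to the same (RP) client. As an added example, not Gluu's or SCIM-Client's own code, here is an offline preflight check in Python that inspects such an assertion before it is sent: three base64url segments, a non-empty signature segment, a `kid` that exists in the RP's JWKS, and sane `iss`/`sub`/`aud`/`exp` claims. The client id, JWKS, token endpoint and signature bytes below are constructed placeholders, not values from this thread.

```python
import base64, json

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
def b64url_decode(seg):  # strict: bad characters or an impossible length raise ValueError
    return base64.b64decode(seg + "=" * (-len(seg) % 4), altchars=b"-_", validate=True)

def check_client_assertion(assertion, jwks, client_id, token_endpoint, now):
    """Return a list of problems; an empty list means the assertion looks well-formed."""
    parts = assertion.split(".")
    if len(parts) != 3:
        return ["expected 3 dot-separated segments, got %d" % len(parts)]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # base64 and JSON errors are both ValueError
        return ["header or payload is not base64url-encoded JSON: %s" % exc]
    problems = []
    try:
        if not b64url_decode(parts[2]):  # the "cryptographic segment" of the JWS
            problems.append("signature segment is empty")
    except ValueError:
        problems.append("signature segment is not valid base64url")
    kid = header.get("kid")
    if kid not in {k.get("kid") for k in jwks.get("keys", [])}:
        problems.append("kid %r not found in the client's JWKS" % kid)
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        problems.append("iss and sub must both equal the client_id")
    if claims.get("aud") != token_endpoint:
        problems.append("aud must be the token endpoint")
    if claims.get("exp", 0) <= now:
        problems.append("assertion is expired")
    return problems

# Constructed placeholders (not the values on the page): RP client id, its JWKS, token endpoint, fixed clock.
CLIENT_ID = "@!EXAMPLE.0000!0001!EXAMPLE.0000!0008!RP00.0001"
TOKEN_ENDPOINT = "https://idp.example.test/oxauth/seam/resource/restv1/oxauth/token"
JWKS = {"keys": [{"kty": "RSA", "kid": "scim-rp-key-1", "alg": "RS256", "use": "sig",
                  "n": "placeholder-modulus", "e": "AQAB"}]}
NOW = 1464000000

def build_assertion(kid, sig_seg, now=NOW):
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT, "iat": now, "exp": now + 300}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), sig_seg])

GOOD = build_assertion("scim-rp-key-1", b64url_encode(b"\x00" * 32))       # placeholder signature bytes
NO_SIG = build_assertion("scim-rp-key-1", "")                               # empty cryptographic segment
WRONG_KEY = build_assertion("scim-rs-key-1", b64url_encode(b"\x00" * 32))  # kid from a different client
```

The check does not verify the RSA signature itself; it catches the structural mistakes (empty signature, key id from the wrong client, wrong audience) that a token endpoint rejects before any signature is checked.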

By Dan Seibert user 25 May 2016 at 4:39 p.m. CDT

Calling the UmaClient.request() method, the rptService TokenRequest object looks like this: (see screenshot link)

Any guess as to why we are unable to obtain the AAT token (or why the crypto exception is being thrown on the server)?

By Dan Seibert user 25 May 2016 at 4:45 p.m. CDT

Additional Info: here is a copy of our setup.properties.last if this helps:

By Valentino Pecaoco user 25 May 2016 at 10:21 p.m. CDT

Hi Dan,

Could you try re-installing your Gluu server? Use only the v2.4.3 FINAL version. Note that this will re-generate all the parameters.

As for the client, keep in mind that you only need `scim_rp_client_id` and `scim-rp-openid-keys.json`. Just get these two after the installation. And if you're only after SCIM, you only need to import SCIM-Client in Maven, nothing else.

Also, could you post your environment info (OS, etc.) and the oxTrust build info? Log in to the oxTrust GUI and go to "Configuration" -> "Organization Configuration" -> "OxTrust Settings".

By Michael Schwartz Account Admin 27 May 2016 at 2:55 p.m. CDT

Did this fix the problem?

By Christopher Robbins user 27 May 2016 at 5:18 p.m. CDT

Our re-install resulted in check_ssl issues, which I've documented in the following case (I didn't get a chance to check this ticket before I submitted the ticket):

https://support.gluu.org/installation/issues-post-reinstall-of-gluu-243-2797

By Dan Seibert user 01 Jun 2016 at 2:07 p.m. CDT

After our re-install, we are now able to successfully use the SCIM client. :D The problem may have been that our previous install did not include Asimba.

By Mohib Zico staff 01 Jun 2016 at 2:09 p.m. CDT

> The problem may have been that our previous install did not include Asimba.

Asimba??