
In WSO2 IS v5.11.0 I have "Local & Outbound Authentication Configuration" with two steps in the Authentication Step Configuration. Step 1 uses the basic authenticator. Step 2 uses the X509Certificate authenticator. But when I try to log in I get the following error message: "Couldn't find any certificate belongs to this user!"

On the other hand, when I use one-step authentication with the X509Certificate authenticator, I can log in without any errors.

So the question is: how can I attach a certificate to the user so that there are no errors with the X509Certificate authenticator configured as the second step of multi-factor authentication when the first step is basic authentication?

In both cases I use the same certificate.

Environment information:
Product Version: IS 5.11.0
OS: Windows
Database: MsSQL
Userstore: JDBC

stapter

3 Answers

1

You need to make sure that the CN in the certificate and the username are equal. When you pass the username in the first step, IS will search for the relevant certificate in the trust store by CN; if it cannot find a CN that is the same as the username from the first step, you will get the above error. You can follow the blog post [1] to try out the two-step authentication properly.

[1] https://piraveenaparalogarajah.medium.com/configuring-x509-certificate-authenticator-in-wso2-identity-server-9b6e30428e78

Inthirakumaaran
  • I read this article and tried to repeat some steps from it. But I think it's a bit deprecated, because in step 3.2 of this article **"application-authentication.xml"** is always rewritten on server restart and I can't be sure that **WSO2 IS** would take this XML configuration without a restart. As I understood it, configuration changes should be made in deployment.toml instead. – stapter Apr 23 '21 at 06:47
  • To be sure that the CN in the certificate and the username are equal, I used one-step authentication using the **X509Certificate** authenticator. I could successfully log in as a user with the correct username, and the user certificate was automatically added to the user claim with URI "http://wso2.org/claims/identity/userCertificate". But I couldn't log in with the same username using multi-factor authentication. **Why?** If I made a mistake in adding the new CA of the user certificate to the server trust store or in other settings, why does one-step authentication work? – stapter Apr 23 '21 at 07:10
1

In step 3.2 of this article [1], "application-authentication.xml" is rewritten when the IS is restarted, since the file is templated from an application-authentication.xml.j2 file. Hence the config has to be added as follows to the deployment.toml file in IS_HOME/repository/conf.

    [authentication.authenticator.x509_certificate.parameters]
    name ="x509CertificateAuthenticator"
    enable=true
    AuthenticationEndpoint="https://localhost:9443/x509-certificate-servlet"

Likewise, step 3.1 can also be configured from the deployment.toml file as follows.

    [custom_transport.x509.properties]
    protocols="HTTP/1.1"
    port="9443"
    maxThreads="200"
    scheme="https"
    secure=true
    SSLEnabled=true
    keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
    keystorePass="wso2carbon"
    truststoreFile="${carbon.home}/repository/resources/security/client-truststore.jks"
    truststorePass="wso2carbon"
    bindOnInit=false
    clientAuth="want"
    ssl_protocol = "TLS"

[1] https://piraveenaparalogarajah.medium.com/configuring-x509-certificate-authenticator-in-wso2-identity-server-9b6e30428e78

0

This issue occurs because the CN in the certificate and the authenticated user's username from the first step do not match. It seems '@carbon.super' gets appended from the first step to the authenticated user's name, and the names fail to match. This issue has been identified [1] and fixed with [2].

[1] https://github.com/wso2/product-is/issues/13381

[2] https://github.com/wso2-extensions/identity-outbound-auth-x509/pull/60
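The two answers above describe the same check from different angles: the authenticator looks up the certificate by subject CN and compares it with the username produced by step 1, and in the two-step flow that username arrives tenant-qualified ("alice@carbon.super"), so plain string equality fails. The following is an added example, not WSO2 code: it models that comparison so you can reproduce the mismatch from a subject DN and a step-1 username before touching the server. The DN parser, the assumption that the match is exact string equality, and the `strip_tenant_domain` normalisation (modelled on the fix described in [2], whose actual logic is not shown on this page) are all assumptions of the example.

```python
# Added example (not WSO2 Identity Server code). Models the CN-vs-username
# check described in the answers above, including the tenant-domain
# suffix mismatch that breaks the two-step flow. Exact-equality matching
# and the normalisation step are assumptions of this example.


def parse_dn(dn: str) -> dict:
    """Parse an RFC 4514-style subject string such as
    "CN=alice,OU=Dev,O=Example" into a dict keyed by attribute type.
    Backslash-escaped separators ("Smith\\, John") are kept as part of
    the value. Multi-valued RDNs ("CN=a+OU=b") are not handled."""
    attrs = {}
    part, key, escaped = [], None, False
    for ch in dn:
        if escaped:                     # previous char was a backslash
            part.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None: # first "=" ends the attribute type
            key = "".join(part).strip().upper()
            part = []
        elif ch == ",":                 # unescaped comma ends the RDN
            attrs[key] = "".join(part).strip()
            part, key = [], None
        else:
            part.append(ch)
    if key is not None:                 # flush the last RDN
        attrs[key] = "".join(part).strip()
    return attrs


def strip_tenant_domain(username: str, tenant_domain: str = "carbon.super") -> str:
    """Drop a trailing "@<tenant_domain>" as step 1 appends it (assumption:
    the super tenant name is "carbon.super", as quoted in the answer)."""
    suffix = "@" + tenant_domain
    return username[:-len(suffix)] if username.endswith(suffix) else username


def certificate_matches_user(subject_dn: str, step1_username: str,
                             normalise: bool = False):
    """Return (matched, reason). With normalise=False this reproduces the
    failing behaviour from the question; with normalise=True the tenant
    suffix is removed before comparing, as the referenced fix is assumed to do."""
    cn = parse_dn(subject_dn).get("CN")
    if cn is None:
        return False, "certificate subject has no CN"
    user = strip_tenant_domain(step1_username) if normalise else step1_username
    if cn == user:
        return True, "CN matches username"
    return False, f"CN {cn!r} != username {user!r}"


if __name__ == "__main__":
    # Constructed sample: a certificate issued to "alice" and the two
    # usernames the authenticator would see in the one-step and two-step flows.
    subject = "CN=alice,OU=Dev,O=Example"
    for username in ("alice", "alice@carbon.super"):
        print(username, "->", certificate_matches_user(subject, username))
        print(username, "(normalised) ->",
              certificate_matches_user(subject, username, normalise=True))
```

Running it prints a successful match for the bare username, a failure for the tenant-qualified one, and a success once the suffix is stripped, which is exactly the symptom in the question: one-step authentication works because no "@carbon.super" is appended, and the two-step flow fails until the authenticator normalises the step-1 username.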