SAML MWS Issue

Hi Forum Members,

We are facing an issue in MWS in the prod region (WM 9.7) where users are able to log in to MWS but are not able to view services/transactions, nor resubmit a failed transaction, BUT with the user Administrator everything works fine.

I have checked that the SAML URL is configured and working, central user management is configured, and in the JDBC pool the MWS DB for central users is connected fine. I have also checked that the Directory Structure is enabled and configured properly, and that the system settings and task engine are connected and working.

I even disabled and re-enabled the Directory Structure and restarted IS + MWS, but still no luck.

Any quick help?

Please find the exception below for your reference:

2015-10-30 13:51:04 CDT [ISS.0053.0002C] Access denied for user cn=abc,ou=domain users,ou=security,dc=externaldirName,dc=companyname,dc=com on port portname → ‘soap/rpc’ from IP address.
2015-10-30 13:51:04 CDT [ISS.0012.0011W] Resolution of SAML artifact “AAFtd3MgICAgICAgICAgICAgICAgIDAxNjY0OTg5ODU3NDYxMzcyMDIz” failed with exception: org.opensaml.SAMLException: com.webmethods.portal.PortalException: [POP.012.0002.wm_xt_samlsecurityservice] The SAML artifact is invalid or has expired…
2015-10-30 13:51:04 CDT [ISS.0012.0012W] Authentication of user “SAMLart” failed with exception: Login Failure: all modules ignored.
2015-10-30 13:51:10 CDT [ISS.0053.0002C] Access denied for user SAMLart on port portname → ‘soap/rpc’ from IP address.
2015-10-30 13:51:11 CDT [ISS.0012.0022C] Access Denied. Authentication resolved to user “cn=userid,ou=domain users,ou=security,dc=externaldirName,dc=companyname,dc=com”. User is not defined in any of the available user stores

WM 9.7
OS: AIX

I reinstalled but still get the same issue.

If running Unix:
In a shell, go to the //MWS/server/default/deploy subdirectory.
Execute “touch wm_xt_samlsecurityservice.pdp”

That should trigger a re-install of the component and resolve your issue.

------- But the issue still exists:

(Framework:INFO) [WS:1] - WebService Request: http://www.oasis-open.org/committees/security completed in 3929
(directory:WARN) [WS:2] - Failed SAML authentication
com.webmethods.portal.PortalException: [POP.012.0002.wm_xt_samlsecurityservice] The SAML artifact is invalid or has expired.
at com.webmethods.portal.portlet.wm_xt_samlsecurityservice.service.SamlSecuritySvc.validateSamlAssertion(SamlSecuritySvc.java:299)
at com.webmethods.portal.portlet.wm_xt_samlsecurityservice.endpoint.SamlServiceEndpoint.samlAssertionHandler(SamlServiceEndpoint.java:35)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
(Framework:INFO) [WS:2] - WebService Request: http://www.oasis-open.org/committees/security completed in 39
(Framework:INFO) [WS:3] - WebService Request: http://www.oasis-open.org/committees/security completed in 27
(directory:WARN) [WS:4] - Failed SAML authentication
com.webmethods.portal.PortalException: [POP.012.0002.wm_xt_samlsecurityservice] The SAML artifact is invalid or has expired.
at com.webmethods.portal.portlet.wm_xt_samlsecurityservice.service.SamlSecuritySvc.validateSamlAssertion(SamlSecuritySvc.java:299)
at com.webmethods.portal.portlet.wm_xt_samlsecurityservice.endpoint.SamlServiceEndpoint.samlAssertionHandler(SamlServiceEndpoint.java:35)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
(Framework:INFO) [WS:4] - WebService Request: http://www.oasis-open.org/committees/security completed in 24
(wsclient:FATAL) [RID:198] - com.webmethods.caf.wsclient.proxy.impl.WSClientDynamicProxy: HTTP error response:

Access Denied

java.rmi.RemoteException: HTTP error response:

Access Denied

    at electric.soap.http.reference.SOAPToHTTP.invoke(SOAPToHTTP.java:209)
    at electric.soap.http.reference.SOAPToHTTP.handle(SOAPToHTTP.java:136)

The admin is working; that indicates that SAML is configured fine.

What’s missing is the permission configuration for that user.
Make sure your user is in the right group and role, and that the role has access to those pages and data.
Check these:
Admin>System-Wide>B2B permissions>Data Permissions
Admin>System-Wide>Permission Management
Admin>My webMethods>System Settings>TN Servers

Hi Wong,

We don’t have B2B transactions/integrations or data being transferred to the TN console; we have pure EAI pub-sub model integrations. Users and groups belong to LDAP (Active Directory), i.e. the developer/L2 team log into MWS to check service status, and they also use this console to resubmit transactions under Monitoring → Integration → Services in case any of them fail. The users Administrator and sysadmin are working fine.

We have checked our LDAP configuration and it looks good, and the SAML settings are okay.

Admin>System-Wide>B2B permissions>Data Permissions
Nothing is configured here (empty)
Admin>System-Wide>Permission Management
Nothing is configured here (empty)
Admin>My webMethods>System Settings>TN Servers
Roles Tn MWS users and TN Partners are configured here

I have checked that the permissions for My webMethods Administrators and My webMethods Users are okay, and the related ACLs are okay in the IS console as well.

The issue is in MWS; the web service call below is throwing an exception:

(Framework:INFO) [WS:1] - WebService Request: http://www.oasis-open.org/committees/security completed in 3929

(directory:WARN) [WS:2] - Failed SAML authentication
com.webmethods.portal.PortalException: [POP.012.0002.wm_xt_samlsecurityservice] The SAML artifact is invalid or has expired.
at com.webmethods.portal.portlet.wm_xt_samlsecurityservice.service.SamlSecuritySvc.validateSamlAssertion(SamlSecuritySvc.java:299)
at com.webmethods.portal.portlet.wm_xt_samlsecurityservice.endpoint.SamlServiceEndpoint.samlAssertionHandler(SamlServiceEndpoint.java:35)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

Rajiv:

Try this Empower recommendation:

https://empower.softwareag.com/sl24sec/SecuredServices/KCFullTextASP/viewing/view.asp?KEY=110410-15451324&DSN=PIVOTAL&DST=TCD&HL=1&QUERY=The|SAML|artifact|invalid|has|expired&SessionID=9848149

Regards.
Norberto

Thanks.

All the steps mentioned in the KB article have been performed, but the issue still exists.
So, again I tried bringing down the MWS server, executed the steps below, and then restarted MWS:

If running Unix:
In a shell, go to the //MWS/server/default/deploy subdirectory.
Execute “touch wm_xt_samlsecurityservice.pdp”

Hence the issue is resolved.

Hello Team,

I am facing the same issue, but without the SAML error.
We are using wM 9.8 and facing an issue with user access in MWS. Users are able to access MWS, but they are not able to see the process instances.

Logs:
Access Denied. Authentication resolved to user “uid=shxxxx,ou=people,o=system,o=mws”. User is not defined in any of the available user stores.
2018-09-06 09:49:43 CEST [ISS.0053.0002C] Access denied for user uid=shxxxx,ou=people,o=system,o=mws on port 5555 → ‘soap/rpc’ from 10.xx.xx.xx.

We get an HTTP error response when trying to access a process instance.

Please provide your valuable suggestions.

Thanks.
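Added example (not from this thread or from Software AG): a small Python parser for Integration Server log lines in the format quoted in the two reports above. It separates the pattern of the first report, where the MWS-issued SAML artifact fails to resolve (ISS.0012.0011W) before the access-denied lines, from the pattern of the second report, where only the "User is not defined in any of the available user stores" lines (ISS.0012.0022C / ISS.0053.0002C) appear. The sample lines are constructed to mirror the thread; DN, port, IP and artifact value are placeholders, and the message-code meanings are taken from the quoted logs.

```python
import re
from collections import Counter

# Constructed sample mirroring the server.log lines quoted in this thread
# (timestamp, zone, [message code], text). DN, port, IP and artifact are placeholders;
# the last line is in MWS _full_.log format and is deliberately not parsed.
SAMPLE_LOG = """\
2015-10-30 13:51:04 CDT [ISS.0012.0011W] Resolution of SAML artifact “AAFexampleartifact” failed with exception: org.opensaml.SAMLException: com.webmethods.portal.PortalException: [POP.012.0002.wm_xt_samlsecurityservice] The SAML artifact is invalid or has expired.
2015-10-30 13:51:04 CDT [ISS.0012.0012W] Authentication of user “SAMLart” failed with exception: Login Failure: all modules ignored.
2015-10-30 13:51:10 CDT [ISS.0053.0002C] Access denied for user SAMLart on port 5555 -> ‘soap/rpc’ from 10.0.0.1.
2015-10-30 13:51:11 CDT [ISS.0012.0022C] Access Denied. Authentication resolved to user “cn=userid,ou=domain users,dc=example,dc=com”. User is not defined in any of the available user stores
(Framework:INFO) [WS:1] - WebService Request: http://www.oasis-open.org/committees/security completed in 3929
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>\S+) "
    r"\[(?P<code>ISS\.\d{4}\.\d{4}[A-Z])\] (?P<msg>.*)$")
DENIED_RE = re.compile(r"Access denied for user (.+?) on port")
# Logs pasted from a browser carry curly quotes, so accept both quote styles.
RESOLVED_RE = re.compile(r"Authentication resolved to user [“\"]([^”\"]+)[”\"]")

SAML_ARTIFACT_FAILED = "ISS.0012.0011W"  # IS could not resolve the MWS-issued artifact
SAML_LOGIN_FAILED = "ISS.0012.0012W"     # no login module accepted user "SAMLart"
ACCESS_DENIED_PORT = "ISS.0053.0002C"    # request rejected on the soap/rpc port
USER_NOT_IN_STORE = "ISS.0012.0022C"     # DN resolved but not found in any user store

def parse_is_log(text):
    """Return one dict (ts, tz, code, msg) per line in IS format; skip other lines."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def denied_users(events):
    """Users or DNs named in access-denied events, in log order."""
    users = []
    for e in events:
        m = DENIED_RE.search(e["msg"]) or RESOLVED_RE.search(e["msg"])
        if m:
            users.append(m.group(1))
    return users

def diagnose(events):
    """Classify which of the thread's two failure patterns the events show."""
    codes = Counter(e["code"] for e in events)
    if codes[SAML_ARTIFACT_FAILED] or codes[SAML_LOGIN_FAILED]:
        # Artifact rejected by wm_xt_samlsecurityservice on MWS; the later
        # access-denied lines are a consequence, not the root cause.
        return "saml-artifact"
    if codes[USER_NOT_IN_STORE] or codes[ACCESS_DENIED_PORT]:
        # No SAML error: the resolved DN is not mapped into any IS user store.
        return "user-store-mapping"
    return "none"
```

Running `diagnose(parse_is_log(SAMPLE_LOG))` on the sample gives `"saml-artifact"`; feeding it only the ISS.0012.0022C line, as in the 9.8 report, gives `"user-store-mapping"`.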

Look at:

https://empower.softwareag.com/sl24sec/SecuredServices/KCFullTextASP/viewing/view.asp?KEY=133346-5335957&DSN=PIVOTAL&DST=TCD&HL=1&QUERY=ISS.0053.0002C&SessionID=253943429

Regards.