Can't login WSO2 API manager via wso2 identity server and Facebook credential

ぐ巨炮叔叔 submitted on 2019-12-25 01:15:38

Question


What I want to do is:

1. SSO with WSO2 Identity Server 5.1.0 and WSO2 API Manager 1.10.0 (done)

reference: https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2

2. Log in to WSO2 API Manager 1.10.0 via Facebook credentials (fails)

reference: https://docs.wso2.com/display/IS510/How+To%3A+Login+to+the+Identity+Server+using+Facebook+Credentials

The situation is:

1. When I go to the login page of APIM, it redirects to the Facebook login page via the Identity Server.

2. I log in to Facebook and it then redirects to APIM via the Identity Server.

3. APIM shows Error 401: Authorization Required. The server couldn't verify that you are authorized to access the requested resource.


Identity server logs

==> audit.log <==
[2016-05-03 01:34:56,770]  INFO {AUDIT_LOG}-  Initiator : sbyangtw@yahoo.com.tw | Action : Login | Target : ApplicationAuthenticationFramework | Data : { "ContextIdentifier" : "c2474e20-3b83-4007-b34e-a6c461f7b9fa","AuthenticatedUser" : "sbyangtw@yahoo.com.tw","AuthenticatedUserTenantDomain" : "null","ServiceProviderName" : "APIM_PUBLISHER","RequestType" : "samlsso","RelyingParty" : "API_PUBLISHER_ISSUER","AuthenticatedIdPs" : "eyJ0eXAiOiJKV1QiLCAiYWxnIjoibm9uZSJ9.eyJpc3MiOiJ3c28yIiwiZXhwIjoxNDYyMjM5Mjk2NzY1MzAwMCwiaWF0IjoxNDYyMjM5Mjk2NzY1LCJpZHBzIjpbeyJpZHAiOiJmYWNlYm9vayIsImF1dGhlbnRpY2F0b3IiOiJGYWNlYm9va0F1dGhlbnRpY2F0b3IifV19." } | Result : Success

==> http_access_2016-05-03.log <==
122.147.238.98 - - [03/May/2016:01:34:56 +0000] "GET /commonauth?code=AQBs01GQq0m76-z1ilUNzgIF-8qgBq7ES9MxIE_as5-EwoUg9kROlrKNQynM0xdZ7ZkdAMAxDq5wa8WRAZHoU8AHNTEHj_eEDzix5KKKyNTFkzqE0bRd4DXMaDwQg2r1WW9BTqVwAJYeJGuySE7aabNYfBaSyasqSOH0_kaow6-68MbDt6oAxCNBYUocn-JIDmS3-TUS6bYJsLMwYo8mcib22ZOl7pJWIhCPtx6mbIvcJmzIopdNqQwQkDMK741PN4jfNGfqkwkyRi1AQikgzomYSvqHt1slVV8KnHVDj-OTM2EwkDdVzWGiiyfKbT9P9MPZ7vxLYlkS6JgWdntzXDM7&state=c2474e20-3b83-4007-b34e-a6c461f7b9fa%2Cfacebook HTTP/1.1" 302 - "https://www.facebook.com/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
122.147.238.98 - - [03/May/2016:01:34:58 +0000] "GET /samlsso?sessionDataKey=a492a7af-202f-4370-af83-f96d8240f526 HTTP/1.1" 200 3632 "https://www.facebook.com/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"

APIM logs

==> wso2carbon.log <==
TID: [-1234] [] [2016-05-03 01:34:43,373] ERROR {org.wso2.carbon.registry.core.jdbc.realm.RegistryRealm} -  Realm service is not available. Make sure that the required version of the User Manager component is properly installed. {org.wso2.carbon.registry.core.jdbc.realm.RegistryRealm}

==> wso2-apigw-errors.log <==
2016-05-03 01:34:43,373 [-] [http-nio-9443-exec-28] ERROR RegistryRealm Realm service is not available. Make sure that the required version of the User Manager component is properly installed.

==> wso2carbon.log <==
TID: [-1234] [] [2016-05-03 01:34:43,374] ERROR {org.wso2.carbon.core.internal.permission.update.PermissionUpdater} -  Error when updating the permission cache for tenant : -1 {org.wso2.carbon.core.internal.permission.update.PermissionUpdater}
org.wso2.carbon.user.core.UserStoreException: Realm service is not available. Make sure that the required version of the User Manager component is properly installed.
        at org.wso2.carbon.registry.core.jdbc.realm.RegistryRealm.getRealm(RegistryRealm.java:149)
        at org.wso2.carbon.core.internal.permission.update.PermissionUpdater.getAuthzManager(PermissionUpdater.java:90)
        at org.wso2.carbon.core.internal.permission.update.PermissionUpdater.update(PermissionUpdater.java:60)
        at org.wso2.carbon.core.util.PermissionUpdateUtil.updatePermissionTree(PermissionUpdateUtil.java:46)
        at org.wso2.carbon.apimgt.impl.utils.APIUtil.updatePermissionCache(APIUtil.java:4554)
        at org.wso2.carbon.apimgt.hostobjects.APIProviderHostObject.jsFunction_updatePermissionCache(APIProviderHostObject.java:284)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
        at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
        at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)
        at org.jaggeryjs.rhino.publisher.modules.api.c1._c_anonymous_7(/publisher/modules/api/check-permissions.jag:169)
        at org.jaggeryjs.rhino.publisher.modules.api.c1.call(/publisher/modules/api/check-permissions.jag)
        at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430)
        at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269)
        at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:97)
        at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
        at org.jaggeryjs.rhino.publisher.modules.api.c0._c_anonymous_25(/publisher/modules/api/module.jag:83)
        at org.jaggeryjs.rhino.publisher.modules.api.c0.call(/publisher/modules/api/module.jag)
        at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)
        at org.jaggeryjs.rhino.publisher.jagg.c1._c_anonymous_1(/publisher/jagg/jaggery_acs.jag:59)
        at org.jaggeryjs.rhino.publisher.jagg.c1.call(/publisher/jagg/jaggery_acs.jag)
        at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
        at org.jaggeryjs.rhino.publisher.jagg.c1._c_script_0(/publisher/jagg/jaggery_acs.jag:5)
        at org.jaggeryjs.rhino.publisher.jagg.c1.call(/publisher/jagg/jaggery_acs.jag)
        at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
        at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
        at org.jaggeryjs.rhino.publisher.jagg.c1.call(/publisher/jagg/jaggery_acs.jag)
        at org.jaggeryjs.rhino.publisher.jagg.c1.exec(/publisher/jagg/jaggery_acs.jag)
        at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
        at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
        at org.jaggeryjs.jaggery.core.manager.WebAppManager.exec(WebAppManager.java:587)
        at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:507)
        at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
        at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:378)
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
        at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
        at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
        at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
        at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
        at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

==> wso2-apigw-errors.log <==
2016-05-03 01:34:43,374 [-] [http-nio-9443-exec-28] ERROR PermissionUpdater Error when updating the permission cache for tenant : -1
org.wso2.carbon.user.core.UserStoreException: Realm service is not available. Make sure that the required version of the User Manager component is properly installed.
        at org.wso2.carbon.registry.core.jdbc.realm.RegistryRealm.getRealm(RegistryRealm.java:149)
        at org.wso2.carbon.core.internal.permission.update.PermissionUpdater.getAuthzManager(PermissionUpdater.java:90)
        at org.wso2.carbon.core.internal.permission.update.PermissionUpdater.update(PermissionUpdater.java:60)
        at org.wso2.carbon.core.util.PermissionUpdateUtil.updatePermissionTree(PermissionUpdateUtil.java:46)
        at org.wso2.carbon.apimgt.impl.utils.APIUtil.updatePermissionCache(APIUtil.java:4554)
        at org.wso2.carbon.apimgt.hostobjects.APIProviderHostObject.jsFunction_updatePermissionCache(APIProviderHostObject.java:284)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
        at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
        at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)
        at org.jaggeryjs.rhino.publisher.modules.api.c1._c_anonymous_7(/publisher/modules/api/check-permissions.jag:169)
        at org.jaggeryjs.rhino.publisher.modules.api.c1.call(/publisher/modules/api/check-permissions.jag)
        at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430)
        at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269)
        at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:97)
        at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
        at org.jaggeryjs.rhino.publisher.modules.api.c0._c_anonymous_25(/publisher/modules/api/module.jag:83)
        at org.jaggeryjs.rhino.publisher.modules.api.c0.call(/publisher/modules/api/module.jag)
        at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)
        at org.jaggeryjs.rhino.publisher.jagg.c1._c_anonymous_1(/publisher/jagg/jaggery_acs.jag:59)
        at org.jaggeryjs.rhino.publisher.jagg.c1.call(/publisher/jagg/jaggery_acs.jag)
        at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
        at org.jaggeryjs.rhino.publisher.jagg.c1._c_script_0(/publisher/jagg/jaggery_acs.jag:5)
        at org.jaggeryjs.rhino.publisher.jagg.c1.call(/publisher/jagg/jaggery_acs.jag)
        at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
        at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
        at org.jaggeryjs.rhino.publisher.jagg.c1.call(/publisher/jagg/jaggery_acs.jag)
        at org.jaggeryjs.rhino.publisher.jagg.c1.exec(/publisher/jagg/jaggery_acs.jag)
        at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
        at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
        at org.jaggeryjs.jaggery.core.manager.WebAppManager.exec(WebAppManager.java:587)
        at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:507)
        at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
        at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:378)
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
        at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
        at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
        at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
        at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
        at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

Identity.xml

  <JDBCPersistenceManager>
        <DataSource>
            <!-- Include a data source name (jndiConfigName) from the set of data
                sources defined in master-datasources.xml -->
            <Name>jdbc/WSO2CarbonDB</Name>
        </DataSource>
        <!-- If the identity database is created from another place and if it is
            required to skip schema initialization during the server start up, set the
            following property to "true". -->
        <!-- <SkipDBSchemaCreation>false</SkipDBSchemaCreation> -->
        <!--SessionDataPersist>
            <Enable>true</Enable>
            <Temporary>false</Temporary>
            <SessionDataCleanUp>
                <Enable>true</Enable>
                <CleanUpTimeout>20160</CleanUpTimeout>
                <CleanUpPeriod>1140</CleanUpPeriod>
            </SessionDataCleanUp>
            <OperationDataCleanUp>
                <Enable>true</Enable>
                <CleanUpPeriod>720</CleanUpPeriod>
            </OperationDataCleanUp>
        </SessionDataPersist-->
    </JDBCPersistenceManager>

SAML response from Facebook

    <saml2p:Response Destination="https://52.38.21.105:9443/publisher/jagg/jaggery_acs.jag"
                 ID="nfbjmnijblahmijdkcjolekcjnodibpjicoebece"
                 InResponseTo="ahnmgghndidhnoefdghpcdjiipifggdddnhiblej"
                 IssueInstant="2016-05-03T12:18:05.854Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 >
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  >localhost</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#nfbjmnijblahmijdkcjolekcjnodibpjicoebece">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="xs"
                                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>ggxLiK1EmD+McPcZeg1N83Fv9gg=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>CP2lIDldQ982Ipdr2L+lbX/heU170cY6mhmhxGNbPs80gn0dxLq/GjFSXiF8jPHjGgPVgnRR0YcpTtCLK9R0ApSyND+P4PgR7/diylqWJMx7t+U5317WYQF3eHabH2NgFvnSzKthjv1Pj3hjyBsobX3Y9gV76mH1yt5n5XZFaY0=</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion ID="eadlilbmecplfedkihojbidmefiekgpihihgngbd"
                     IssueInstant="2016-05-03T12:18:05.854Z"
                     Version="2.0"
                     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:xs="http://www.w3.org/2001/XMLSchema"
                     >
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#eadlilbmecplfedkihojbidmefiekgpihihgngbd">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="xs"
                                                    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                    />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>ooEBywjtlX+KP3skLWU+Ug66gjQ=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>G5KWqTchrtk4XSsAhDfhocIAguNVJdT25btnD4/OtFMBJ0jYYL/MnQO14eAdniPQ163ijPmgbh6GZWhI8FzpkXi73zPxVkiOLCO9LP7VJK4fjwEH+hrs5ukjKRfu1t5/aE08HwGjZXOJg6sKs00oXrWdm+a5UluyMndbuappbT8=</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">sbyangtw@yahoo.com.tw</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="ahnmgghndidhnoefdghpcdjiipifggdddnhiblej"
                                               NotOnOrAfter="2016-05-03T12:23:05.854Z"
                                               Recipient="https://52.38.21.105:9443/publisher/jagg/jaggery_acs.jag"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2016-05-03T12:18:05.854Z"
                          NotOnOrAfter="2016-05-03T12:23:05.854Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>API_PUBLISHER_ISSUER</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2016-05-03T12:18:05.858Z"
                              SessionIndex="f6348dd6-0c44-48c9-8d23-becbb07f61de"
                              >
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="http://wso2.org/claims/emailaddress"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >sbyangtw@yahoo.com.tw</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

I guess the error is related to the tenant id, and I found that the Identity Server log shows "AuthenticatedUserTenantDomain" : "null", but I don't know how to fix it.

Thanks

Tom
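The SAML response posted above can be checked mechanically against what the publisher's ACS endpoint expects (issuer, Recipient, InResponseTo, audience, validity window, subject). The following is an added example written for this page, not WSO2 code; it embeds a trimmed copy of the response from the question with the signatures and certificates removed, so it does not verify the XML signature, which a real service provider must do before trusting any of these fields. Running the same checks on a captured response narrows down whether a 401 comes from the SAML conditions themselves or from something after the assertion is accepted (such as the user store or tenant lookup).

```python
"""Check a SAML2 Response against what the service provider expects.
Added example, not WSO2 code. Expected values (issuer, ACS URL, audience,
request id) are taken from the response posted in the question. The XML
signature is NOT verified here because the certificate was not in the post."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Trimmed copy of the response from the question: signatures and certificates removed.
SAML_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://52.38.21.105:9443/publisher/jagg/jaggery_acs.jag"
    ID="nfbjmnijblahmijdkcjolekcjnodibpjicoebece"
    InResponseTo="ahnmgghndidhnoefdghpcdjiipifggdddnhiblej"
    IssueInstant="2016-05-03T12:18:05.854Z" Version="2.0">
  <saml2:Issuer>localhost</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="eadlilbmecplfedkihojbidmefiekgpihihgngbd" IssueInstant="2016-05-03T12:18:05.854Z" Version="2.0">
    <saml2:Issuer>localhost</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">sbyangtw@yahoo.com.tw</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="ahnmgghndidhnoefdghpcdjiipifggdddnhiblej"
            NotOnOrAfter="2016-05-03T12:23:05.854Z"
            Recipient="https://52.38.21.105:9443/publisher/jagg/jaggery_acs.jag"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2016-05-03T12:18:05.854Z" NotOnOrAfter="2016-05-03T12:23:05.854Z">
      <saml2:AudienceRestriction><saml2:Audience>API_PUBLISHER_ISSUER</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""

# What the APIM publisher (the SP) expects, read off the response in the question.
EXPECTED = dict(
    expected_issuer="localhost",
    expected_acs="https://52.38.21.105:9443/publisher/jagg/jaggery_acs.jag",
    expected_audience="API_PUBLISHER_ISSUER",
    request_id="ahnmgghndidhnoefdghpcdjiipifggdddnhiblej",
)
# Two clock values chosen around the assertion's validity window (constructed).
IN_WINDOW = datetime(2016, 5, 3, 12, 20, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2016, 5, 3, 12, 30, tzinfo=timezone.utc)


def _ts(value):
    """Parse a SAML UTC timestamp such as 2016-05-03T12:18:05.854Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected_issuer, expected_acs, expected_audience, request_id, now):
    """Return {"subject": NameID or None, "failures": [reasons]}.
    An empty failures list means every condition an SP must enforce held at time `now`."""
    root = ET.fromstring(xml_text)
    failures = []
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        failures.append("status is not Success")
    if root.findtext("saml2:Issuer", namespaces=NS) != expected_issuer:
        failures.append("response issuer mismatch")
    if root.get("InResponseTo") != request_id:
        failures.append("response InResponseTo does not match our AuthnRequest")
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        failures.append("no assertion")
        return {"subject": None, "failures": failures}
    if assertion.findtext("saml2:Issuer", namespaces=NS) != expected_issuer:
        failures.append("assertion issuer mismatch")
    subject = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None:
        failures.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != expected_acs:
            failures.append("Recipient is not our ACS URL")
        if scd.get("InResponseTo") != request_id:
            failures.append("SubjectConfirmationData InResponseTo mismatch")
        if now >= _ts(scd.get("NotOnOrAfter")):
            failures.append("subject confirmation expired")
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None:
        failures.append("no Conditions")
    else:
        if now < _ts(cond.get("NotBefore")):
            failures.append("assertion not yet valid")
        if now >= _ts(cond.get("NotOnOrAfter")):
            failures.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if expected_audience not in audiences:
            failures.append("audience restriction excludes %s" % expected_audience)
    return {"subject": subject, "failures": failures}


if __name__ == "__main__":
    print(check_response(SAML_RESPONSE, now=IN_WINDOW, **EXPECTED))
    print(check_response(SAML_RESPONSE, now=AFTER_WINDOW, **EXPECTED))
```

The audience value API_PUBLISHER_ISSUER is the same string the Identity Server audit log reports as RelyingParty, and the Recipient matches the publisher's ACS URL, so for the posted response all of these checks pass inside the five-minute window; the assertion is accepted on its own terms and the "AuthenticatedUserTenantDomain" : "null" value in the audit log points at the user lookup that follows rather than at the SAML exchange.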


Answer 1:


This would work once you enable email username in your IS and APIM as mentioned here.




Answer 2:


It seems like the reason for the issue is that the identity.xml of your Identity Server is pointing to a different database than the AM_DB defined in the master-datasources.xml of your API Manager. So your API-M is pointing to one set of tables and IS is pointing to another.

To fix this, you need to add the AM_DB as a data source in the master-datasources.xml of your Identity Server and, in your identity.xml, set AM_DB as the data source it points to.

Refer to "Configuring Identity Server" for more details on how to do this.
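The mismatch this answer describes can be checked from the configuration files alone: resolve the JNDI name in the Identity Server's identity.xml through its master-datasources.xml and compare the resulting JDBC URL with the URL the API Manager's AM_DB entry uses. The script below is an added example for this page, not WSO2 tooling. The identity.xml fragment is the one from the question; the master-datasources.xml fragments, the MySQL URL and credentials are constructed, and jdbc/WSO2AM_DB is assumed to be the JNDI name of the API Manager's AM_DB (the conventional name, not something the question states).

```python
"""Cross-check the data source the Identity Server persists its identity data in
against the API Manager's AM_DB. Added example, not WSO2 tooling. The
master-datasources.xml fragments and the MySQL URL are constructed, and the
jdbc/WSO2AM_DB JNDI name is an assumption (the conventional name for AM_DB)."""
import xml.etree.ElementTree as ET

# identity.xml of the Identity Server as posted in the question (trimmed).
IS_IDENTITY_XML_BEFORE = """<Server>
  <JDBCPersistenceManager>
    <DataSource><Name>jdbc/WSO2CarbonDB</Name></DataSource>
  </JDBCPersistenceManager>
</Server>"""

# Same file after the fix from the answer: persistence now points at AM_DB.
IS_IDENTITY_XML_AFTER = IS_IDENTITY_XML_BEFORE.replace("jdbc/WSO2CarbonDB", "jdbc/WSO2AM_DB")

# Constructed IS master-datasources.xml before the fix: only the local H2 Carbon DB.
IS_MASTER_DS_BEFORE = """<datasources-configuration xmlns:svns="http://org.wso2.securevault/configuration">
  <datasources>
    <datasource>
      <name>WSO2_CARBON_DB</name>
      <jndiConfig><name>jdbc/WSO2CarbonDB</name></jndiConfig>
      <definition type="RDBMS"><configuration>
        <url>jdbc:h2:repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE</url>
      </configuration></definition>
    </datasource>
  </datasources>
</datasources-configuration>"""

# Constructed shared AM_DB entry: the same definition must exist on both servers.
AM_DB_DATASOURCE = """
    <datasource>
      <name>WSO2AM_DB</name>
      <jndiConfig><name>jdbc/WSO2AM_DB</name></jndiConfig>
      <definition type="RDBMS"><configuration>
        <url>jdbc:mysql://db.example.internal:3306/WSO2AM_DB</url>
        <username>apim</username>
        <password>REPLACE_ME</password>
        <driverClassName>com.mysql.jdbc.Driver</driverClassName>
      </configuration></definition>
    </datasource>"""

IS_MASTER_DS_AFTER = IS_MASTER_DS_BEFORE.replace("</datasources>", AM_DB_DATASOURCE + "\n  </datasources>")
# The API Manager side already carries the AM_DB entry (constructed to match).
APIM_MASTER_DS = IS_MASTER_DS_AFTER


def identity_persistence_jndi(identity_xml):
    """JNDI name that identity.xml's JDBCPersistenceManager resolves its data source through."""
    return ET.fromstring(identity_xml).findtext("JDBCPersistenceManager/DataSource/Name")


def jndi_to_url(master_ds_xml):
    """Map each JNDI name declared in master-datasources.xml to its JDBC URL."""
    mapping = {}
    for ds in ET.fromstring(master_ds_xml).iter("datasource"):
        jndi = ds.findtext("jndiConfig/name")
        url = ds.findtext("definition/configuration/url")
        if jndi and url:
            mapping[jndi] = url
    return mapping


def shares_am_db(is_identity_xml, is_master_ds_xml, apim_master_ds_xml, apim_jndi="jdbc/WSO2AM_DB"):
    """Report whether the IS persistence data source and APIM's AM_DB use the same JDBC URL."""
    jndi = identity_persistence_jndi(is_identity_xml)
    is_url = jndi_to_url(is_master_ds_xml).get(jndi)
    apim_url = jndi_to_url(apim_master_ds_xml).get(apim_jndi)
    return {
        "is_jndi": jndi,
        "is_url": is_url,
        "apim_url": apim_url,
        "shared": is_url is not None and is_url == apim_url,
    }


if __name__ == "__main__":
    print(shares_am_db(IS_IDENTITY_XML_BEFORE, IS_MASTER_DS_BEFORE, APIM_MASTER_DS))
    print(shares_am_db(IS_IDENTITY_XML_AFTER, IS_MASTER_DS_AFTER, APIM_MASTER_DS))
```

Before the fix the Identity Server resolves jdbc/WSO2CarbonDB to its own local H2 file while the API Manager's AM_DB lives elsewhere, so the two servers never see the same tables; after both edits the JNDI name in identity.xml resolves to the same URL on both sides. Comparing URLs rather than JNDI names matters because the same JNDI name can be defined with different backends on each server.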




Answer 3:


I was able to reproduce the error "Error 401 : Authorization Required. The server couldn't verify that you are authorized to access the requested resource." by following the instructions provided in the documents. I have raised the ticket [1] to address / get feedback regarding this issue.

[1] https://wso2.org/jira/browse/IDENTITY-4566

Regards, Pubudu.



Source: https://stackoverflow.com/questions/36994534/cant-login-wso2-api-manager-via-wso2-identity-server-and-facebook-credential
