
docs-is's Introduction

WSO2 Identity Server and Asgardeo Documentation

This is the WSO2 Identity Server and Asgardeo documentation repository. This repository is open and we welcome your contributions!

To see the documentation site, go to: WSO2 Identity Server: https://is.docs.wso2.com/ Asgardeo: https://wso2.com/asgardeo/docs/

Contribute to documentation

Before you contribute, read the following guidelines to understand how you can start contributing:

  1. Accept the contributor license agreement (CLA)

    You need to accept the contributor license agreement (CLA) when you are prompted via a GitHub email notification on sending your first pull request (PR). Subsequent PRs will not require CLA acceptance.

    If the CLA changes for some (unlikely) reason, you'll have to accept the new CLA text when you send your first PR after the change.

  2. Fork this repository, make your changes, and send in a pull request.

We look forward to your contributions.

Run the project locally with Devcontainers

This repository supports the VS Code dev containers feature, which lets you create a consistent and isolated development environment inside a Docker container. To use it you need Docker installed and running, plus the VS Code dev containers extension.

Once you have these installed, you can open the repository in VS Code and follow these steps:

  • Press F1 and select the Remote-Containers: Open Folder in Container... command.
  • Select the repository folder and wait for the container to build and start.
  • You can now edit, run, debug, and test your code inside the container.

For more information on how to use VS Code dev containers, please refer to the official documentation: https://code.visualstudio.com/docs/remote/containers

Prerequisites

Running the project locally requires Python and pip.

Install Python

Check if you already have Python installed by running the following command.

$ python3 --version
Python 3.8.0

If you receive a response similar to the one shown above, Python 3.8.0 is your default Python version.

If you don't seem to have Python installed, grab the latest release from the official downloads page.

Install pip

pip is already installed if you are using Python 3 >=3.4 downloaded from python.org or if you are working in a Virtual Environment created by virtualenv or pyvenv. Just make sure to upgrade pip.

Installing with get-pip.py

To fetch the pip installer with curl, execute the following command. Alternatively, download get-pip.py directly from https://bootstrap.pypa.io/get-pip.py in a browser.

curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py

Then run the following command in the folder where you have downloaded get-pip.py

python3 get-pip.py

Run project locally (Dev Mode)

Clone the repo

git clone https://github.com/wso2/docs-is.git

Install the dependencies

  • WSO2 Identity Server

    cd en/identity-server/{version} && pip3 install -r requirements.txt
  • Asgardeo

    cd en/asgardeo && pip3 install -r requirements.txt

Run mkdocs

Execute the following command from inside the language folder where you installed the dependencies (en/identity-server/{version} or en/asgardeo).

mkdocs serve

Note: If you are getting an error that says mkdocs command is not found, try the following command.

python3 -m mkdocs serve

Survey On Open Source Community Communication

WSO2 wants to learn more about our open source software (OSS) community and your communication preferences to serve you better.

In addition, we may reach out to a small number of respondents to ask additional questions and offer a small gift.

Link to survey: https://forms.gle/h5q4M3K7vyXba3bK6

License

This source is licensed under the Apache License, Version 2.0 (LICENSE). You may not use this file except in compliance with the License.

docs-is's People

Contributors

anuradhask, asha15, ashendes, ashensw, ayshsandu, buddhimah, deshankoswatte, dewnimw, dinikasen, divyaamunugama, dmhp, donomalvindula, gangani, gomathyk, himeshsiriwardana, hwupathum, imalshag, janakamarasena, jeradrutnam, madurangasiriwardena, nashaath, nilminiwso2, piraveena, rashmini, somindatommy, thumimku, wijith7, wso2-iam-cloud-bot, yoshani, yvonnew


docs-is's Issues

[Doc] Needs to explain the expected behaviour difference in Front channel logout and back channel logout in SSO

Suggested Labels
Affected : 5.8.0- alpha2
Severity: Major
Priority: High
Component: SAML SSO
Type-Doc

[1] needs to explain the difference in behavior (what the expected behavior is) when a user uses the following logout methods.

Front-Channel Logout (HTTP Redirect Binding)
Front-Channel Logout (HTTP POST Binding)
Back-Channel Logout

[1]. https://docs.wso2.com/display/IS580/Configuring+Single+Sign-On

Explain the reason and include the exact resource for setting the secured as false when using Scim/Me create endpoint

Suggested Labels
Affected : 5.8.0- alpha3
Severity: Major
Priority: High
Component: SCIM2
Type-Doc

Environment
Linux, JDBC UserStore and Linux, Embedded LDAP

When creating a user with scim2/Me endpoint please include the exact property line that we need to make as false in the identity.xml as below. Please include it under the Create Me section in the doc.

<Resource context="(.*)/scim2/Me" secured="false" http-method="POST">
    <Permissions>/permission/admin/manage/identity/usermgt/create</Permissions>
</Resource>

Also explain the reason for setting the secured property to false only in the Create Me section. We are not setting the secured property to false under other sections like Delete, Get, Update. If someone mistakenly sets this property to false under Delete, Update, Get then the server will give a null pointer exception. Therefore it is better to explain this by mentioning that we need to set this property to false only under the /create endpoint.

Further, after user creation that user needs to be assigned a role with login permission to carry out an update or a delete request. In an Update operation using PUT it is mandatory to pass the username parameter of the created user. Otherwise it will give a 500 server error. Better to include this information.

[1]. https://docs.wso2.com/display/IS570/apidocs/SCIM2-endpoints/#!/operations#MeEndpoint#updateUserMe

[Doc] No consistency in the sample commands user credentials included in Scim2/ Me User provisioning

Suggested Labels
Affected : 5.8.0- alpha3
Severity: Major
Priority: High
Component: SCIM2
Type-Doc

Environment
Linux, JDBC UserStore and Linux, Embedded LDAP

In [1] under the Me endpoint section there is no consistency in the username:password used for the sample commands. Under the create section the user is created as alex:alexwso2, but in other sections like Delete, Get, Update those commands use kim:kimwso2. It is better to have consistency in the sample commands without changing the credentials for different commands.

[1]. https://docs.wso2.com/display/IS570/apidocs/SCIM2-endpoints/#!/operations#MeEndpoint#createUserMe

[DOC] Configuring Just-In-Time Provisioning for an Identity Provider page Issues

Affected: Affected/5.8.0-Alpha2
Severity: Minor
Priority: Normal
Component: Outbound Prov
Type: Docs/improvement

Issue 01: On the Configuring Just-In-Time Provisioning for an Identity Provider [1] page, the 'configure a user store' href link is an invalid one.

Issue 02: It's better if the document explains the 5th point, 3rd bullet (provisioning options) in more detail, so the reader can clearly understand the differences and usage of each.

[1] https://docs.wso2.com/display/IS580/Configuring+Just-In-Time+Provisioning+for+an+Identity+Provider

[Doc] An end to end sample is not available to demonstrate the purpose of Outbound Provisioning Connectors

A sample with actual usage should be provided for Outbound Provisioning Connectors. The documentation describes how to configure IS but doesn't show the usage, therefore, the document has less value. If we provide a sample with what's the purpose of this configuration then it will be more useful.

https://docs.wso2.com/display/IS530/Configuring+Outbound+Provisioning+Connectors+for+an+Identity+Provider

[Doc] TOTP configuration guide needs to match IS v5.8.0 defaults

Purpose

The doc says to skip steps 1-3 for new product versions, but step 4 won't match IS v5.8.0, as the TOTP authenticator config section is already there in v5.8.0, but with different values.

<AuthenticatorConfig name="totp" enabled="true">
    <Parameter name="encodingMethod">Base32</Parameter>
    <Parameter name="timeStepSize">30</Parameter>
    <Parameter name="windowSize">3</Parameter>
    <Parameter name="authenticationMandatory">true</Parameter>
    <Parameter name="enrolUserInAuthenticationFlow">true</Parameter>
    <Parameter name="usecase">local</Parameter>
    <Parameter name="secondaryUserstore">primary</Parameter>
    <Parameter name="TOTPAuthenticationEndpointURL">totpauthenticationendpoint/totp.jsp</Parameter>
    <Parameter name="TOTPAuthenticationEndpointErrorPage">totpauthenticationendpoint/totpError.jsp</Parameter>
    <Parameter name="TOTPAuthenticationEndpointEnableTOTPPage">totpauthenticationendpoint/enableTOTP.jsp</Parameter>
    <Parameter name="redirectToMultiOptionPageOnFailure">false</Parameter>
</AuthenticatorConfig>

Field explanation table content should be sorted to match the configuration code block.
image

Should explain why we need to comment out the <module ref="addressing"/> line.
image

Should elaborate more about the sample app path.
image
E.g. After following the sample app build guide you can find the .war file at the path product-is\modules\samples\sso\sso-agent-sample\target\travelocity.com.war, and it can be deployed to the Tomcat server as instructed in the previous step.

Cannot find the option to enable/disable SaaS Application as the guide describes. That option only appears after you click Register.
image

image

Travelocity screenshot needs to be updated.

What's in the doc:
image

What's in v5.8.0:
image

Environment

Windows 10

Steps to reproduce

  1. Follow the guide: https://docs.wso2.com/display/ISCONNECTORS/Configuring+TOTP+Authenticator

Provide sample SOAP requests for the services in WorkflowImplAdminService

Currently there are no sample requests for the services in the admin service https://localhost:9443/services/WorkflowImplAdminService?wsdl.
E.g for addBPSProfile, the admin service is expecting the 'password' field as a char array. We need to properly document these requirements.

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsd="http://impl.workflow.identity.carbon.wso2.org/xsd" xmlns:xsd1="http://bean.impl.workflow.identity.carbon.wso2.org/xsd">
   <soap:Header/>
   <soap:Body>
      <xsd:addBPSProfile>
         <!--Optional:-->
         <xsd:bpsProfileDTO>
            <!--Optional:-->
            <xsd1:managerHostURL>https://localhost:9443/services</xsd1:managerHostURL>
            <!--Zero or more repetitions:-->
            <xsd1:password>a</xsd1:password>
            <xsd1:password>d</xsd1:password>
            <xsd1:password>m</xsd1:password>
            <xsd1:password>i</xsd1:password>
            <xsd1:password>n</xsd1:password>
            <!--Optional:-->
            <xsd1:profileName>embededbps28</xsd1:profileName>
            <!--Optional:-->
            <xsd1:username>admin</xsd1:username>
            <!--Optional:-->
            <xsd1:workerHostURL>https://localhost:9443/services</xsd1:workerHostURL>
         </xsd:bpsProfileDTO>
      </xsd:addBPSProfile>
   </soap:Body>
</soap:Envelope>

[Doc] Fully qualified user name should be used as the Common Name when accessing tenant/secondary user store resources

https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator This documentation should include the fact that when authenticating a user using X509 certificate the certificates CN should be the fully qualified name of the user.

In tenant mode:
wso2is@abc.com
(abc.com is the tenant domain)

In secondary user store
TEST/wso2is
(TEST is the secondary user store name)

SAML assertion Claims are by default copied to the ID token retrieved with the access token in SAML bearer grant

When an ID token is requested with the SAML bearer grant access token, the claims included in the SAML assertion are copied directly, in their original claim dialect, by default.

If the SAML assertion contained a claim in the local dialect, it will not be converted to the OIDC dialect by default. This is because the configuration option <ConvertOriginalClaimsFromAssertionsToOIDCDialect> is disabled by default.

Above config is introduced with Handling Custom Claims with the JWT Bearer Grant Type and explained in the doc, which needs to be linked/explained in https://docs.wso2.com/display/IS580/Setting+up+a+SAML2+Bearer+Assertion+Profile+for+OAuth+2.0

[Doc] Move all connector docs which we ship with IS to IS Doc space from connector doc space

We need to move following docs to IS doc space.

org.wso2.carbon.extension.identity.authenticator.emailotp.connector-2.0.16.jar
org.wso2.carbon.extension.identity.authenticator.office365.connector-1.0.5
org.wso2.carbon.extension.identity.authenticator.smsotp.connector-2.0.18
org.wso2.carbon.extension.identity.authenticator.totp.connector-2.0.14
org.wso2.carbon.extension.identity.authenticator.twitter.connector-1.0.10
org.wso2.carbon.extension.identity.authenticator.x509Certificate.connector-2.0.8
org.wso2.carbon.identity.application.authentication.handler.identifier-6.0.7
org.wso2.carbon.identity.application.authenticator.basicauth-6.0.7
org.wso2.carbon.identity.application.authenticator.basicauth.jwt-6.0.7
org.wso2.carbon.identity.application.authenticator.facebook-5.1.14
org.wso2.carbon.identity.application.authenticator.fido-5.1.14
org.wso2.carbon.identity.application.authenticator.google-5.1.6
org.wso2.carbon.identity.application.authenticator.live-5.1.4
org.wso2.carbon.identity.application.authenticator.iwa-5.3.11
org.wso2.carbon.identity.application.authenticator.oidc-5.1.19
org.wso2.carbon.identity.application.authenticator.passive.sts-5.2.2
org.wso2.carbon.identity.application.authenticator.samlsso-5.1.21
org.wso2.carbon.identity.application.authenticator.yahoo-5.1.4
org.wso2.carbon.identity.local.auth.api.core-2.1.2

[Doc] required_claims optional parameter for introspect request.

Page [1] should be updated with following details.

You can pass required_claims as an additional parameter in the token validation request. When AuthorizationContextTokenGeneration is enabled as described in [2], the token validation response will contain a JWT, with the required_claims sent in the request. Also sending empty value in required_claims, would return a JWT with no custom claims within the introspection response.

Sample Request
curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=bd89fc8d-dc08-3409-937b-69a28a4d5851&required_claims=http://wso2.org/claims/givenname' https://localhost:9443/oauth2/introspect

Sample Response

{
  "token_string": "eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJodHRwOlwvXC93c28yLm9yZ1wvZ2F0ZXdheVwvYXBwbGljYXRpb25uYW1lIjoiYXBwbGljYXRpb25fMSIsImlzcyI6Imh0dHA6XC9cL3dzbzIub3JnXC9nYXRld2F5IiwiZXhwIjoxNTMyNzk1NjQyLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC9naXZlbm5hbWUiOiJOdXdhbmRpIiwiaWF0IjoxNTMyNzk0NDUzLCJqdGkiOiJjNzI4Yzg1OC04NjczLTQ0YmItYjQyZS0xNzI4YjU4NzAzYjkiLCJodHRwOlwvXC93c28yLm9yZ1wvZ2F0ZXdheVwvc3Vic2NyaWJlciI6ImFkbWluQGNhcmJvbi5zdXBlciIsImh0dHA6XC9cL3dzbzIub3JnXC9nYXRld2F5XC9lbmR1c2VyIjoiYWRtaW5AY2FyYm9uLnN1cGVyIn0.BCQHmb-ulFUr2F2kxWtGQ-m4nyMC5mZsd1WYsS87mqTGQRxtx2Zy5NWNXvIyleZuzt31wge4f0ZLMaxXsoQr-Fa0Hei7TC8LCF4_gSYuNRvXxS3j72K_oEGYmZkn7d5kWsxJ_6sppFgrO1OSWdkPOiDD-hTHp5rBW6gXwCiuWTvftlvcgawLeQaLP7ycaeLgd2NODHIjE3WK0aP8LxyBlgE09I0GGhoAthGRynDZgIDZHEtce4XHkdeDYF8xyxqsSGUCmjQ8inDhYPOIRDCIBfuvO1YLqlYBzpY8lxrJIJeOzzfqEMfbwFzUX4RgszyQ8QfxMtHR0FI6NknnarCHCg",
  "active": true,
  "token_type": "Bearer",
  "exp": 1532798053,
  "iat": 1532794453,
  "client_id": "testconsumerkey1",
  "username": "admin@carbon.super"
}

[1] https://docs.wso2.com/display/IS560/Invoke+the+OAuth+Introspection+Endpoint
[2] https://docs.wso2.com/display/IS560/JWT+Token+Generation
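As an added illustration of how a relying party would consume the response described in that issue (this is example code written for this page, not code from the docs or from WSO2 Identity Server), the Python below decodes the embedded JWT from the sample response above, confirms the claim named in required_claims is present, and checks the two expiry times. Note that the JWT carries its own exp (1532795642 in the sample), earlier than the introspection exp (1532798053), so a client that caches the JWT must check both. The sample response and the "now" timestamps are taken from the issue text and constructed for the offline run; the helper deliberately does not verify the JWT signature, so nothing it returns may be trusted until the signature has been checked against the server's public key.

```python
import base64
import json

# Introspection response reproduced from the issue above; the JWT is the one shown
# there. Values are constructed test input for this example.
SAMPLE_RESPONSE = {
    "token_string": "eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJodHRwOlwvXC93c28yLm9yZ1wvZ2F0ZXdheVwvYXBwbGljYXRpb25uYW1lIjoiYXBwbGljYXRpb25fMSIsImlzcyI6Imh0dHA6XC9cL3dzbzIub3JnXC9nYXRld2F5IiwiZXhwIjoxNTMyNzk1NjQyLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC9naXZlbm5hbWUiOiJOdXdhbmRpIiwiaWF0IjoxNTMyNzk0NDUzLCJqdGkiOiJjNzI4Yzg1OC04NjczLTQ0YmItYjQyZS0xNzI4YjU4NzAzYjkiLCJodHRwOlwvXC93c28yLm9yZ1wvZ2F0ZXdheVwvc3Vic2NyaWJlciI6ImFkbWluQGNhcmJvbi5zdXBlciIsImh0dHA6XC9cL3dzbzIub3JnXC9nYXRld2F5XC9lbmR1c2VyIjoiYWRtaW5AY2FyYm9uLnN1cGVyIn0.BCQHmb-ulFUr2F2kxWtGQ-m4nyMC5mZsd1WYsS87mqTGQRxtx2Zy5NWNXvIyleZuzt31wge4f0ZLMaxXsoQr-Fa0Hei7TC8LCF4_gSYuNRvXxS3j72K_oEGYmZkn7d5kWsxJ_6sppFgrO1OSWdkPOiDD-hTHp5rBW6gXwCiuWTvftlvcgawLeQaLP7ycaeLgd2NODHIjE3WK0aP8LxyBlgE09I0GGhoAthGRynDZgIDZHEtce4XHkdeDYF8xyxqsSGUCmjQ8inDhYPOIRDCIBfuvO1YLqlYBzpY8lxrJIJeOzzfqEMfbwFzUX4RgszyQ8QfxMtHR0FI6NknnarCHCg",
    "active": True,
    "token_type": "Bearer",
    "exp": 1532798053,
    "iat": 1532794453,
    "client_id": "testconsumerkey1",
    "username": "admin@carbon.super",
}
REQUIRED_CLAIMS = ["http://wso2.org/claims/givenname"]


def b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str):
    """Return (header, payload) of a compact JWS.

    The signature is NOT verified here. Before any claim is trusted, the caller
    must verify it with the Identity Server's public key (the header's kid/x5t
    identify the certificate); this helper only inspects structure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def check_introspection(response, required_claims, now):
    """Validate an introspection response carrying a JWT, as described in the issue.

    Returns {"ok": bool, "claims": {claim: value}, "problems": [str]}.
    """
    problems = []
    if response.get("active") is not True:
        problems.append("token is not active")
    if response.get("exp", 0) <= now:
        problems.append("access token expired")
    claims = {}
    token = response.get("token_string")
    if not token:
        problems.append("no token_string: AuthorizationContextTokenGeneration may be disabled")
    else:
        header, payload = decode_jwt_unverified(token)
        if str(header.get("alg", "none")).lower() == "none":
            problems.append("JWT is unsigned")
        # The embedded JWT has its own lifetime, independent of the access token's.
        if payload.get("exp", 0) <= now:
            problems.append("embedded JWT expired")
        for claim in required_claims:
            if claim in payload:
                claims[claim] = payload[claim]
            else:
                problems.append("required claim missing: " + claim)
        if payload.get("sub") != response.get("username"):
            problems.append("JWT sub does not match introspection username")
    return {"ok": not problems, "claims": claims, "problems": problems}
```

Run against the sample at a time between iat and the JWT's exp, the check passes and returns the givenname claim; at a time after 1532795642 the access token is still valid by the introspection exp but the embedded JWT is reported expired, which is the case a caching client most easily gets wrong.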

[Doc] ext_param_client_id and ext_param_client_secret in DCR request

Ability is provided to register OAuth application with provided client ID and secret value.

[1] should contain following parameter details
ext_param_client_id (optional) schema - string
ext_param_client_secret (optional) schema - string

[2] should contain following.
Sample Request
curl -k -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{"client_name": "application_test","grant_types": ["password"], "ext_param_client_id":"provided_client_id0001", "ext_param_client_secret":"provided_client_secret0001" }' "https://localhost:9443/api/identity/oauth2/dcr/v1.0/register"

Sample Response
{"client_name":"application_test","client_id":"provided_client_id0001","client_secret":"provided_client_secret0001","redirect_uris":[""]}

[1] https://docs.wso2.com/display/IS560/apidocs/OAuth2-dynamic-client-registration/index.html#!/models#RegistrationRequest
[2] https://docs.wso2.com/display/IS560/apidocs/OAuth2-dynamic-client-registration/index.html#!/operations#OAuthDCR#registerApplication

[Doc] Couldn't find TOTP focused configuration guide

Purpose

Couldn't find a way to configure "TOTP" by doing a documentation search. Though it's technically a connector, for users it's a feature supported by default. So this content should be within the product documentation instead of the IS connector documentation: https://docs.wso2.com/display/ISCONNECTORS/Configuring+TOTP+Authenticator

Steps to reproduce

  1. Navigate to https://docs.wso2.com/dosearchsite.action?cql=siteSearch+~+%22totp%22+and+space+%3D+%22IS580%22&queryString=totp
    OR go to WSO2 IS 5.8.0 Documentation and do search for "TOTP"

[Doc] Sample app build guide is missing

Purpose

Wrong version number (a hard-coded version number is shown; it should be shown as an example instead of a direct command instruction).
image
And can't complete this step. [Was able to pass this step by using the git clone command instead.]

Also the file access path is wrong: is-samples/modules/samples should be product-is/modules/samples.

Should explain how to compile the sample apps.
image
Because this is what you see when you navigate to that path:
image

Also it would be better to add a little information on starting the Tomcat server, as we have the rest of the steps explained. E.g. Start the Tomcat server by running catalina.bat start

Environment

Windows 10

Steps to reproduce

  1. Navigate to https://docs.wso2.com/display/ISCONNECTORS/Deploying+the+Sample+App
  2. Follow the instructions

No proper documentation for creating a secondary userstore end to end

Creating a secondary user store is one of the important tasks in WSO2 IS. But for a beginner, there is no proper documentation covering the end-to-end flow of configuring a secondary user store.
Eg: If it's MySQL, install it, create the DB, run the scripts, then add the user store in the management console.
It would be good to have a sample or training material for this as well.

The documentation [1] which is already there, is not leading properly to achieve the task.

[1] https://docs.wso2.com/display/IS530/Configuring+Secondary+User+Stores

Instructions on deploying IS on PostgreSQL are inaccurate & confusing

Starting from the base doc space [1], one has to navigate
Installation Guide -> Installing the Product -> Installation Prerequisites
to find the "Working with Databases" [2] base doc, which is common to all WSO2 products.

Then, one would set up a PostgreSQL database & look for the necessary configurations that need to be done in IS. This is described in [3] and that is the place where the main improvements need to be made.

"Setting up data source configurations" Section

#Issue1
Not clear on the recommended datasource configurations for IS-5.8.0. It should provide directly recommended configurations for datasource.

"Creating database tables" Section

#Issue2
That doc mentions only running

  • dbscripts/postgresql.sql

No mention on running,

  • dbscripts/identity/postgresql.sql
  • dbscripts/identity/uma/postgresql.sql
  • dbscripts/consent/postgresql.sql

No mention of what to do with the following scripts:

  • dbscripts/identity/stored-procedures/postgre/postgresql-tokencleanup.sql
  • dbscripts/identity/stored-procedures/postgre/postgresql-tokencleanup-restore.sql
  • dbscripts/metrics/postgresql.sql
  • dbscripts/bps/bpel/create/postgresql.sql
  • dbscripts/bps/bpel/drop/postgresql-drop.sql
  • dbscripts/bps/bpel/truncate/postgresql-truncate.sql

#Issue3
The document first mentions using the "-Dsetup" option and later, in a note, mentions that it is deprecated. It should not mention using "-Dsetup" initially. Rather it should only have it in the deprecated note section.

[1] https://docs.wso2.com/display/IS580
[2] https://docs.wso2.com/display/ADMIN44x/Working+with+Databases
[3] https://docs.wso2.com/display/ADMIN44x/Changing+to+PostgreSQL

Configuring IDP with SAML 2.0 Web SSO config details given on some fields are not clear

Suggested Labels
Affected : 5.8.0- alpha2
Severity: Major
Priority: Normal
Component: SAML SSO
Type-Doc

In configuring an IDP with SAML 2.0 Web SSO [1], the directions given in the doc for the following fields are not clear for a first-time user. Better if we can explain the use case as a scenario including screenshots for the configurations, as in [2].

eg :-
Service Provider Entity ID
Identity Provider Entity Id
SSO URL

Further the hyperlink given for Managing Keystores with the UI in the UI section does not point to any details.

[1]. https://docs.wso2.com/display/IS580/Configuring+SAML+2.0+Web+SSO#
[2]. https://medium.com/@nshani/federated-idp-initiated-sso-in-wso2-identity-provider-a715fedb8b17

[doc] Require information on URLs to be white-listed when running behind a proxy

When configuring a proxy server for the WSO2 identity server, some may need to allow certain URLs only. For that, a list of different URLs and their usage will be required.

For example, it is hard for users to identify service endpoints like below which are being used for internal calls. It will break some features if we allow certain URLs only without knowing these.

User recovery: https://[hostname]:[port]/api/identity/recovery/*

Lock specific account: Cannot lock an account using the operation lockUserAccount

Followed [1] and tried to lock an account with the following request. But unable to do so due to the below given error

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.mgt.identity.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:lockUserAccount>
         <!--Optional:-->
         <ser:userName>davefields</ser:userName>
      </ser:lockUserAccount>
   </soapenv:Body>
</soapenv:Envelope>
[2017-12-20 18:26:02,336] ERROR {org.wso2.carbon.identity.mgt.services.UserIdentityManagementAdminService} -  Error occurred while trying to lock the account erandi
org.wso2.carbon.identity.base.IdentityException: Cannot lock account, IdentityMgtEventListener is not enabled.
	at org.wso2.carbon.identity.base.IdentityException.error(IdentityException.java:52)
	at org.wso2.carbon.identity.mgt.util.UserIdentityManagementUtil.lockUserAccount(UserIdentityManagementUtil.java:111)
	at org.wso2.carbon.identity.mgt.services.UserIdentityManagementAdminService.lockUserAccount(UserIdentityManagementAdminService.java:105)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212)
	at org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:117)
	at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
	at org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:110)
	at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
	at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:173)
	at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
	at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:232)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
	at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
	at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
	at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
	at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:72)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
	at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
	at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
	at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
	at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
	at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
	at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
	at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

[1] https://docs.wso2.com/display/IS540/Locking+a+Specific+User+Account

[Doc] Force password reset option from the management console not mentioned

Affected: 5.8.0-Alpha2
Severity: Major
Priority: High
Component: User Mgt
Type:Docs

The force password reset option can be used from the management console as well, but only the admin services option is documented. [1]

Steps to send a force password reset request from the management console:

  1. Admin user logs in to the Carbon console
  2. Admin user navigates to Claims -> List -> http://wso2.org/claims/identity/adminForcedPasswordReset and clicks edit
  3. Admin user enables the Supported by Default option
  4. Admin user creates a user
  5. Admin user navigates to the created user's default user profile to update the user profile
  6. Admin user updates the user profile fields:
  7. First Name, Last Name, Email (with a valid email), Force password reset (with the string true)
  8. Admin user clicks update

image

[1] https://docs.wso2.com/display/IS580/Forced+Password+Reset

[DOC] Incorrect property descriptions in Configuring a Read-write Active Directory User Store

Affected: Affected/5.8.0-Alpha2
Severity: Major
Priority: Normal
Component: Identity mgt
Type: Docs

The Configuring a Read-write Active Directory User Store [1] document has incorrect descriptions for the Read-write Active Directory User Store properties. It contains LDAP details rather than AD details.

[1] https://docs.wso2.com/display/IS580/Configuring+a+Read-only+LDAP+User+Store#ConfiguringaRead-onlyLDAPUserStore-PropertiesusedinRead-onlyLDAPuserstoremanager

[Doc] Content organizing issue in MFA guide

Purpose

Change "Local and Outbound Authentication Configuration" to "Local & Outbound Authentication Configuration" to match the product UI

The screenshot below should come before explaining the types of options (bullet points) users get.

It would also be better to add this screenshot and explain the options screen.

It says there is an option to "Add Authenticator", but I couldn't find it there. I can only see the "Add Authentication Step" option.

Or maybe it needs to explain that you need at least one step to add multiple authentication options.

Steps to reproduce

Navigate to https://docs.wso2.com/display/IS580/Multi-factor+Authentication+for+WSO2+IS and scroll down to step 5

[Doc] Add solutions for the connection failure issues in the User store configuration document

Affected: 5.8.0-Alpha2
Severity: Major
Priority: High
Component: User Store Mgt
Type: Docs/Improvement

Connecting IS to a user store on a different server requires one of the solutions below to avoid security exceptions and start the server successfully. This information is missing from the document [1], and it would be better to add it as well.

Solution 01:
* Add an /etc/hosts entry mapping the IP of the server to its host name
ex: 192.168.104.6 windows-2012-ad.wso2.test
* Use the host name instead of the IP in user-mgt.xml

Solution 02:
Get the trusted cert for the IP and import it into the client truststore.
* openssl s_client -showcerts -connect 192.168.104.6:636 < /dev/null | openssl x509 -outform PEM > adcert.pem
* The above command gives the public cert corresponding to the IP. Import it into the client truststore.

[1] https://docs.wso2.com/display/IS530/Configuring+a+Read-Write+Active+Directory+User+Store
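The two solutions above are related: the TLS failure usually happens because the AD certificate names the host (CN or SAN), not the IP used in the ConnectionURL. The script below is an added example, not code from this issue or from the WSO2 project. It wraps the issue's openssl one-liner in a function, checks whether the certificate actually matches the name you plan to use in user-mgt.xml, prints a fingerprint to confirm out of band with the AD admin, and imports the certificate with keytool. The host name, port, alias, truststore path and password are assumptions.

```sh
#!/bin/sh
# Added example (not from the docs-is issue or the WSO2 project): fetch the
# certificate an LDAPS/AD server presents, check it against the name that
# will go into user-mgt.xml, and import it into the IS client truststore.
# The host name, port, truststore path and password used here are assumptions.
set -eu

# fetch_server_cert HOST PORT OUTFILE
# Same idea as the issue's one-liner; -servername sends SNI so a server that
# hosts several names returns the right certificate. Only the leaf (first)
# certificate is kept.
fetch_server_cert() {
  host=$1; port=$2; out=$3
  openssl s_client -showcerts -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# cert_fingerprint CERTFILE -> SHA-256 fingerprint. Compare it with the value the
# AD administrator gives you before trusting a certificate fetched over the network,
# otherwise you may be pinning whatever answered on that IP.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_matches_host CERTFILE NAME -> exit 0 when NAME matches the certificate's
# CN/SAN DNS entries. AD certificates normally carry the host name, not the IP,
# which is why Solution 01 (hosts entry + host name in user-mgt.xml) fixes the
# failure: the name in the ConnectionURL must match what the certificate says.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# import_to_truststore CERTFILE ALIAS TRUSTSTORE PASSWORD
# Solution 02: trust the certificate explicitly in the client truststore IS uses.
# -noprompt skips the interactive "Trust this certificate?" question, so only
# call this after the fingerprint has been confirmed.
import_to_truststore() {
  keytool -importcert -noprompt -trustcacerts \
    -alias "$2" -file "$1" -keystore "$3" -storepass "$4"
}

# Usage with assumed values (IS_HOME, truststore path and password are
# placeholders; adjust them to your installation):
#   fetch_server_cert windows-2012-ad.wso2.test 636 adcert.pem
#   echo "SHA-256: $(cert_fingerprint adcert.pem)"
#   cert_matches_host adcert.pem windows-2012-ad.wso2.test \
#     || echo "name mismatch: use the name from the certificate in user-mgt.xml"
#   import_to_truststore adcert.pem ad-server \
#     "$IS_HOME/repository/resources/security/client-truststore.jks" changeit
```

Running cert_matches_host against the IP as well as the host name shows directly which ConnectionURL value the certificate will accept; if only the host name matches, Solution 01 is required regardless of whether the certificate is imported.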

[Doc] Force to reset password document missing the details on configuring the request expired time,request reach time period and recovery mail option

Affected: 5.8.0-Alpha2
Severity: Critical
Priority: High
Component: User Mgt
Type: Docs

The document has to include the information below as well. [1]

  1. Configuring the request expiry time
  2. How to configure the email reach time period (ex: email reach from 30 days or a week)
  3. How to configure a user to reset the password using the recovery mail when a correct email address is not defined for the user

[1] https://docs.wso2.com/display/IS580/Forced+Password+Reset

[Doc] Address password provisioning constraints

Scenario: Role/rule-based provisioning has been enabled for the roleX and password provisioning is enabled.

  • A user is created without assigning any role - In this case, the user along with his password will be persisted to the local user store (if dumb mode is disabled) and the user will not be outbound provisioned, as the user doesn't have roleX.
  • RoleX is assigned to the user. Then outbound provisioning will be triggered. But the outbound provisioning data doesn't contain the user password as, from IS's perspective, this is a user role list update operation (even though password provisioning is enabled, there will be no password to be outbound provisioned).

wso2/product-is#4755 will handle the above scenario as follows:

  1. If a default password is configured, then it will be provisioned with the user entity
  2. Otherwise, an empty password will be sent with the outbound provisioning request (the inbound provisioning handler should deal with this scenario)
