<div dir="ltr"><div>Hi,</div><div><br></div><div>Following the docs, I generated the certificate file with the command: </div><div><span class="" style="white-space:pre">        </span><b><i>keytool -export -keystore jbid_test_keystore.jks -alias servercert -file test-certificate.crt</i></b></div>
<div>And then uploaded the file test-certificate.crt to Google.</div><div><br></div><div>Then I tried to declare a ValidatingDomain in GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml: </div><div>
<b><i><ValidatingAlias Key="127.0.0.1" Value="servercert"/></i></b></div><div><br></div><div>I see another exception on the gatein site.</div><div>And when I change the value of gatein.sso.sp.host in the configuration.properties file to:</div>
<div><span class="" style="white-space:pre">        </span>gatein.sso.sp.host=<a href="http://google.com">google.com</a></div><div>I also see the same exception.</div><div><br></div><div><b>Exception:</b></div><div><br></div><div>
10:21:20,112 ERROR [org.picketlink.identity.federation] (http-www.idp.com-127.0.0.1-8080-1) PLFED000253: Exception in processing request: org.picketlink.identity.federation.core.exceptions.ProcessingException: PLFED000145: Signature Validation failed</div>
<div><span class="" style="white-space:pre">        </span>at org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)</div><div><span class="" style="white-space:pre">        </span>at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)</div>
<div><span class="" style="white-space:pre">        </span>at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)</div><div><span class="" style="white-space:pre">        </span>at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)</div>
<div><span class="" style="white-space:pre">        </span>at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)</div><div><span class="" style="white-space:pre">        </span>at org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255) [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]</div>
<div><span class="" style="white-space:pre">        </span>at org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155) [sso-integration-1.3.1.Final.jar:1.3.1.Final]</div><div><span class="" style="white-space:pre">        </span>at org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88) [exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]</div>
<div><span class="" style="white-space:pre">        </span>at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]</div><div><span class="" style="white-space:pre">        </span>at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]</div>
<div><span class="" style="white-space:pre">        </span>at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]</div><div><span class="" style="white-space:pre">        </span>at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]</div>
<div><span class="" style="white-space:pre">        </span>at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]</div><div><span class="" style="white-space:pre">        </span>at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]</div>
<div><span class="" style="white-space:pre">        </span>at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]</div><div><span class="" style="white-space:pre">        </span>at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]</div>
<div><span class="" style="white-space:pre">        </span>at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]</div><div>Caused by: java.lang.IllegalArgumentException: PLFED000078: Null Parameter: queryString</div><div><span class="" style="white-space:pre">        </span>at org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)</div>
<div><span class="" style="white-space:pre">        </span>at org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)</div><div><span class="" style="white-space:pre">        </span>at org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)</div>
<div><span class="" style="white-space:pre">        </span>at org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)</div><div><span class="" style="white-space:pre">        </span>at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)</div>
<div><span class="" style="white-space:pre">        </span>... 15 more</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Oct 10, 2013 at 8:01 PM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi,<br>
<br>
you can try to declare in the <code>GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml</code>
a ValidatingDomain directive like:<br>
<pre><span><ValidatingAlias</span><span> Key=</span><span>"127.0.0.1"</span><span> Value=</span><span>"secure-key"</span><span>/></span>
</pre>
Even though Google SAML requests are not signed, PicketLink
requires that there is a validating key corresponding to each
SAMLRequest. When a key is not found for a specific domain (in
this case <a href="http://google.com" target="_blank">google.com</a>), PicketLink will search for keys with the
alias <code>127.0.0.1</code>. You can use the alias of
any key you have declared in your keystore. It will be used just
as a placeholder, as SAML requests from Google are not signed, so
validation won't be checked anyway.<br>
<br>
Marek<div><div class="h5"><br>
<br>
On 10.10.2013 11:55, Tuyen The Nguyen wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<div>Hi all,</div>
<div><br>
</div>
<div>I'm configuring SSO for gatein 3.5 with Google and Salesforce
using the SAML2 protocol.</div>
<div>I followed these three docs: </div>
<div><a href="https://docs.jboss.org/author/display/GTNPORTAL35/SAML2" target="_blank">https://docs.jboss.org/author/display/GTNPORTAL35/SAML2</a></div>
<div><a href="https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP" target="_blank">https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP</a></div>
<div><a href="https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP" target="_blank">https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP</a></div>
<div><br>
</div>
<div>When I try to log in to Google, it redirects to the IDP (using
gatein) and the login succeeds, but when it redirects back to Google, I
get the error "google could not parse the login request" and I
can't log in.</div>
<div>I see an exception on the gatein console:</div>
<div><br>
</div>
<div>16:26:01,844 ERROR [org.picketlink.identity.federation]
(http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception in
processing request: java.lang.IllegalStateException:
PLFED000058: KeyStoreKeyManager : Domain Alias missing for :
127.0.0.1</div>
<div><span style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
[sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
[sso-integration-1.3.1.Final.jar:1.3.1.Final]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
[jboss-as-web-7.1.1.Final.jar:7.1.1.Final]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span style="white-space:pre-wrap"> </span>at
java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]</div>
<div><span style="white-space:pre-wrap"> </span></div>
<div><span style="white-space:pre-wrap"> </span></div>
<div><b>Does anyone know how to fix this problem?</b></div>
<div><br>
</div>
<div>Tuyen Nguyen The.</div>
</div>
<br>
<br>
</div></div><pre>_______________________________________________
gatein-dev mailing list
<a href="mailto:gatein-dev@lists.jboss.org" target="_blank">gatein-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/gatein-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/gatein-dev</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div>
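<p>An added example (not code from this thread, GateIn or PicketLink) of the two decisions Marek's reply describes: resolving the ValidatingAlias for an issuer with the 127.0.0.1 fallback, and working out from a SAML 2.0 HTTP-Redirect binding query string whether there is a signature to verify at all, so that an unsigned request (as Google's are described above) or a missing query string (the "Null Parameter: queryString" cause in the stack trace) is reported explicitly instead of failing inside signature validation. The function names, the <code>require_signature</code> policy flag and the sample query strings are assumptions of the example.</p>

```python
# Added example, not code from the thread, GateIn or PicketLink.
import base64
from urllib.parse import unquote

def parse_redirect_binding(query_string):
    """Parse a SAML 2.0 HTTP-Redirect query string. The signed octets are the
    still-URL-encoded values in binding order; 'signed' is False if unsigned."""
    if not query_string:  # what PicketLink logs as PLFED000078 'Null Parameter: queryString'
        raise ValueError("missing query string: not a usable Redirect binding request")
    raw = {}
    for part in query_string.split("&"):
        name, _, value = part.partition("=")
        raw[name] = value  # keep encoded: the signature covers these octets
    if "SAMLRequest" not in raw:
        raise ValueError("SAMLRequest parameter missing")
    signed = "SigAlg" in raw and "Signature" in raw
    req = {"signed": signed, "sig_alg": unquote(raw.get("SigAlg", "")),
           "signed_data": None, "signature": None}
    if signed:
        data = "SAMLRequest=" + raw["SAMLRequest"]
        if "RelayState" in raw:
            data += "&RelayState=" + raw["RelayState"]
        data += "&SigAlg=" + raw["SigAlg"]
        req["signed_data"] = data.encode("ascii")
        req["signature"] = base64.b64decode(unquote(raw["Signature"]))
    return req

def resolve_validating_alias(issuer_host, aliases, fallback_key="127.0.0.1"):
    """ValidatingAlias lookup (Key -> Value) with the 127.0.0.1 fallback the
    reply describes; no entry at all is the PLFED000058 'Domain Alias missing' case."""
    alias = aliases.get(issuer_host) or aliases.get(fallback_key)
    if alias is None:
        raise KeyError("Domain Alias missing for : " + issuer_host)
    return alias

def check_request(query_string, issuer_host, aliases, require_signature):
    """Return (alias, signed_data, signature); None for an unsigned request the
    policy permits. RSA verification against the alias's key is the caller's job."""
    req = parse_redirect_binding(query_string)
    alias = resolve_validating_alias(issuer_host, aliases)
    if not req["signed"]:
        if require_signature:
            raise PermissionError("unsigned SAMLRequest from " + issuer_host)
        return alias, None, None
    return alias, req["signed_data"], req["signature"]
# Constructed samples; the signed one's Signature is base64 of the bytes b"sig".
SAMPLE_UNSIGNED = "SAMLRequest=fZFBT8MwDIX%2FSpV7%3D&RelayState=abc"
SAMPLE_SIGNED = ("SAMLRequest=AAAA&RelayState=r%2Fs&SigAlg=http%3A%2F%2Fwww.w3.org"
                 "%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=c2ln")
SAMPLE_ALIASES = {"127.0.0.1": "servercert"}
```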