<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
there are some differences between the recommended setup and your
setup. See here
<a class="moz-txt-link-freetext" href="https://docs.jboss.org/author/display/GTNPORTAL36/SAML2#SAML2-IntegrationwithSalesforceandGoogleApps">https://docs.jboss.org/author/display/GTNPORTAL36/SAML2#SAML2-IntegrationwithSalesforceandGoogleApps</a>
. You will need to choose "Assertion contains the Federation ID
from the User object", otherwise the integration won't work. I would
recommend configuring EntityId to be
<a class="moz-txt-link-rfc2396E" href="https://saml.salesforce.com">"https://saml.salesforce.com"</a> and Issuer to be
<a class="moz-txt-link-rfc2396E" href="http://www.idp.com:8080/portal/dologin">"http://www.idp.com:8080/portal/dologin"</a> without a slash at the end.
Also make sure that you have GateIn running and bound to the correct
address and that you can access <a class="moz-txt-link-rfc2396E" href="http://www.idp.com:8080/portal">"http://www.idp.com:8080/portal"</a> from
your browser.<br>
<br>
Hope this helps,<br>
Marek<br>
<br>
<br>
On 18.10.2013 04:34, Tuyen The Nguyen wrote:<br>
</div>
<blockquote
cite="mid:CADdLyggPWo-8i7XE531jXTsLwxpOgXuRbxJ2pWEcUPN3ohhbig@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>Do you have experience configuring SSO in Salesforce? I'm
trying to configure SSO on Salesforce, but it doesn't work.</div>
<div><br>
</div>
<div>I registered a developer account and registered the domain <a
moz-do-not-send="true"
href="http://tuyennt-dev-ed.my.salesforce.com">tuyennt-dev-ed.my.salesforce.com</a>
in the "My Domain" menu<br>
</div>
<div><br>
</div>
<div>I configured it as in the attached image, but when I access <a
moz-do-not-send="true"
href="https://tuyennt-dev-ed.my.salesforce.com/">https://tuyennt-dev-ed.my.salesforce.com/</a>,
I see the Salesforce login form, not the GateIn login form as expected.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks!</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Oct 14, 2013 at 11:31 PM, Marek
Posolda <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>This error is caused by the fact that Picketlink
(GateIn) is trying to validate the signature of the
SAMLRequest from Google, but SAML requests from Google
are not signed. To disable validation, you need to
correctly configure sp-metadata as described in the docs
<a moz-do-not-send="true"
href="https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP"
target="_blank">https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP</a>
. You should have something like this in the metadata file:<br>
<br>
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" <b>entityID="<a
moz-do-not-send="true"
href="http://google.com/a/yourdomain1.mygbiz.com"
target="_blank">google.com/a/yourdomain1.mygbiz.com</a>"</b>
validUntil="2022-06-13T21:46:02.496Z"><br>
<md:SPSSODescriptor <b>AuthnRequestsSigned="false"</b>
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
/><br>
</md:EntityDescriptor><br>
<br>
Note that entityId must be either "<a
moz-do-not-send="true"
href="http://google.com/a/yourdomain1.mygbiz.com"
target="_blank">google.com/a/yourdomain1.mygbiz.com</a>"
(replace yourdomain1 with the name of your Google Apps
domain) or just "<a moz-do-not-send="true"
href="http://google.com" target="_blank">google.com</a>"
. It depends on the setting of the option "<span>Use a domain
specific issuer", which can be specified on the Google Apps
page (if true, Google will send a SAMLRequest with entity
"<a moz-do-not-send="true"
href="http://google.com/a/yourdomain1.mygbiz.com"
target="_blank">google.com/a/yourdomain1.mygbiz.com</a>";
if false, Google will send a SAMLRequest with entity "<a
moz-do-not-send="true" href="http://google.com"
target="_blank">google.com</a>"). <br>
<br>
I would recommend using the Firefox plugin "SAML tracer",
which will show you the decoded SAMLRequest in the
browser, so that you can see which domain name Google
uses in the SAMLRequest; the same value must be used
as entityId in the metadata.<br>
<br>
Cheers,<br>
Marek<br>
</span>
<div>
<div class="h5"><br>
<br>
On 14.10.2013 06:11, Tuyen The Nguyen wrote:<br>
</div>
</div>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>Following the docs, I generated the certificate file
with the command: </div>
<div><span style="white-space:pre-wrap"> </span><b><i>keytool
-export -keystore jbid_test_keystore.jks
-alias servercert -file test-certificate.crt</i></b></div>
<div>And then uploaded the file test-certificate.crt to
Google.</div>
<div><br>
</div>
<div>Then I tried to declare in
GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
a ValidatingDomain </div>
<div> <b><i><ValidatingAlias Key="127.0.0.1"
Value="servercert"/></i></b></div>
<div><br>
</div>
<div>I see another exception on the GateIn side.</div>
<div>And when I change the value of
gatein.sso.sp.host in the configuration.properties
file to:</div>
<div><span style="white-space:pre-wrap"> </span>gatein.sso.sp.host=<a
moz-do-not-send="true"
href="http://google.com" target="_blank">google.com</a></div>
<div>I also see the same exception.</div>
<div><br>
</div>
<div><b>Exception:</b></div>
<div><br>
</div>
<div> 10:21:20,112 ERROR
[org.picketlink.identity.federation]
(http-www.idp.com-127.0.0.1-8080-1) PLFED000253:
Exception in processing request:
org.picketlink.identity.federation.core.exceptions.ProcessingException:
PLFED000145: Signature Validation failed</div>
<div><span style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
[sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
[sso-integration-1.3.1.Final.jar:1.3.1.Final]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
[jboss-as-web-7.1.1.Final.jar:7.1.1.Final]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span style="white-space:pre-wrap"> </span>at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span style="white-space:pre-wrap"> </span>at
java.lang.Thread.run(Thread.java:662)
[rt.jar:1.6.0_45]</div>
<div>Caused by:
java.lang.IllegalArgumentException: PLFED000078:
Null Parameter: queryString</div>
<div><span style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)</div>
<div><span style="white-space:pre-wrap"> </span>...
15 more</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, Oct 10, 2013 at
8:01 PM, Marek Posolda <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi,<br>
<br>
you can try to declare in the <code>GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml</code>
a ValidatingDomain directive like:<br>
<pre><span><ValidatingAlias</span><span> Key=</span><span>"127.0.0.1"</span><span> Value=</span><span>"secure-key"</span><span>/></span>
</pre>
Even though Google SAML requests are not
signed, PicketLink requires that there is a
validating key corresponding to each
SAMLRequest. When a key is not found for a
specific domain (in this case <a
moz-do-not-send="true"
href="http://google.com" target="_blank">google.com</a>),
PicketLink will search for keys with the
alias <code>127.0.0.1</code>. You can
use the alias of any key you have declared in
your keystore. It will be used just as a
placeholder, as SAML requests from Google
are not signed, so validation won't be
performed anyway.<br>
<br>
Marek
<div>
<div><br>
<br>
On 10.10.2013 11:55, Tuyen The Nguyen
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>Hi all,</div>
<div><br>
</div>
<div>I'm configuring SSO for GateIn
3.5 with Google and Salesforce using the
SAML2 protocol.</div>
<div>I followed these three docs: </div>
<div><a moz-do-not-send="true"
href="https://docs.jboss.org/author/display/GTNPORTAL35/SAML2"
target="_blank">https://docs.jboss.org/author/display/GTNPORTAL35/SAML2</a></div>
<div><a moz-do-not-send="true"
href="https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP"
target="_blank">https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP</a></div>
<div><a moz-do-not-send="true"
href="https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP"
target="_blank">https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP</a></div>
<div><br>
</div>
<div>When I try to log in to Google,
it redirects to the IDP (using GateIn)
and the login succeeds, but when it
redirects back to Google, I get the
error "google could not parse the
login request" and I can't log in.</div>
<div>I see an exception on the GateIn
console:</div>
<div><br>
</div>
<div>16:26:01,844 ERROR
[org.picketlink.identity.federation]
(http-www.idp.com-127.0.0.1-8080-7)
PLFED000253: Exception in
processing request:
java.lang.IllegalStateException:
PLFED000058: KeyStoreKeyManager :
Domain Alias missing for :
127.0.0.1</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
[sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
[sso-integration-1.3.1.Final.jar:1.3.1.Final]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
[jboss-as-web-7.1.1.Final.jar:7.1.1.Final]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap"> </span>at
java.lang.Thread.run(Thread.java:662)
[rt.jar:1.6.0_45]</div>
<div><span
style="white-space:pre-wrap"> </span></div>
<div><span
style="white-space:pre-wrap"> </span></div>
<div><b>Does anyone know how to
fix this problem?</b></div>
<div><br>
</div>
<div>Tuyen Nguyen The.</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
gatein-dev mailing list
<a moz-do-not-send="true" href="mailto:gatein-dev@lists.jboss.org" target="_blank">gatein-dev@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/gatein-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/gatein-dev</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
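<p>Added example, not code from the thread or from the PicketLink/GateIn projects: a small Python script that does offline what Marek's reply of 14 October suggests doing with the "SAML tracer" plugin. It decodes an HTTP-Redirect-binding SAMLRequest (base64 over raw DEFLATE), reads its &lt;saml:Issuer&gt;, and compares that with the entityID and the AuthnRequestsSigned flag declared in the IdP's sp-metadata, so the two mismatches Marek points at can be caught before the IdP is involved: an Issuer that differs from the metadata entityID (the "Use a domain specific issuer" question), and metadata that still says AuthnRequestsSigned="true" for an SP that never signs its requests (the PLFED000145 "Signature Validation failed" case). The AuthnRequest, the query string and both metadata documents below are constructed samples, not captures from Google; the function names are the example's own.</p>

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}


def encode_redirect_request(authn_request_xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_request(saml_request_param):
    """Inverse of encode_redirect_request: the XML a SAML tracer plugin would show."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def request_issuer(authn_request_xml):
    """The <saml:Issuer> of an AuthnRequest, or None if the SP sent none."""
    issuer = ET.fromstring(authn_request_xml).find("saml:Issuer", NS)
    return issuer.text.strip() if issuer is not None and issuer.text else None


def sp_policy(sp_metadata_xml):
    """(entityID, AuthnRequestsSigned) declared by an SP EntityDescriptor."""
    root = ET.fromstring(sp_metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    wants_signed = sp is not None and sp.get("AuthnRequestsSigned", "false").lower() == "true"
    return root.get("entityID"), wants_signed


def check_redirect_against_metadata(redirect_url, sp_metadata_xml):
    """Mismatches between what the SP actually sent and what the IdP's sp-metadata
    says about that SP. An empty list means the two agree."""
    params = parse_qs(urlparse(redirect_url).query)
    if "SAMLRequest" not in params:
        return ["no SAMLRequest parameter in the query string"]
    issuer = request_issuer(decode_redirect_request(params["SAMLRequest"][0]))
    entity_id, wants_signed = sp_policy(sp_metadata_xml)
    problems = []
    if issuer != entity_id:
        problems.append("Issuer %r does not match metadata entityID %r" % (issuer, entity_id))
    # A redirect-binding signature travels in the SigAlg and Signature query parameters.
    is_signed = "Signature" in params and "SigAlg" in params
    if wants_signed and not is_signed:
        problems.append("metadata declares AuthnRequestsSigned=true but the request carries no Signature/SigAlg")
    if is_signed and not wants_signed:
        problems.append("request carries Signature/SigAlg but metadata declares AuthnRequestsSigned=false")
    return problems


# Constructed sample data (not captured from Google or from the thread's deployment).
IDP_ENDPOINT = "http://www.idp.com:8080/portal/dologin"
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_c0ffee0001" Version="2.0" IssueInstant="2013-10-14T09:00:00Z">'
    '<saml:Issuer>google.com/a/yourdomain1.mygbiz.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
# Same shape as the metadata in the thread: unsigned requests, domain-specific issuer.
GOOD_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="google.com/a/yourdomain1.mygbiz.com" validUntil="2022-06-13T21:46:02.496Z">'
    '<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
    '</md:EntityDescriptor>'
)
# Wrong on both counts: generic entityID while the SP uses a domain-specific
# issuer, and AuthnRequestsSigned="true" for an SP that never signs.
BAD_METADATA = GOOD_METADATA.replace(
    'entityID="google.com/a/yourdomain1.mygbiz.com"', 'entityID="google.com"'
).replace('AuthnRequestsSigned="false"', 'AuthnRequestsSigned="true"')


def sample_redirect_url():
    """The URL the browser would carry to the IdP (unsigned, as Google's requests are)."""
    return IDP_ENDPOINT + "?" + urlencode({"SAMLRequest": encode_redirect_request(SAMPLE_AUTHN_REQUEST)})


if __name__ == "__main__":
    url = sample_redirect_url()
    print(decode_redirect_request(parse_qs(urlparse(url).query)["SAMLRequest"][0]))
    print("good metadata:", check_redirect_against_metadata(url, GOOD_METADATA))
    print("bad metadata:", check_redirect_against_metadata(url, BAD_METADATA))
```

<p>To use it on a real deployment, paste the full redirect URL the browser was sent to (the one containing SAMLRequest=...) and the sp-metadata file the IdP is configured with in place of the constructed samples; the decoded XML printed first is the same view the SAML tracer plugin gives, and the Issuer it shows is the value that has to appear as entityID in the metadata.</p>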
<br>
</body>
</html>