<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
The settings of your Salesforce domain are quite the same as mine, but
according to your screenshot, there seems to be one difference. It
seems that for SSO you enabled the option "Enable Multiple configs",
am I right? TBH, I don't want to try it for my domain, as in
Salesforce it's mentioned that "Once you enable this feature, you
can't disable it." <span class="moz-smiley-s1"><span> :-) </span></span><br>
<br>
So it's possible that the Salesforce URL for initiating the SAML SSO flow is
different for your domain because of this. I see two
possibilities:<br>
- Do some investigation in Salesforce and find out what should
be done to initiate the SAML flow when the option "Enable Multiple
configs" is enabled. Especially what the correct URL on Salesforce is,
which will redirect you to <a class="moz-txt-link-rfc2396E" href="http://www.idp.com:8080/portal">"http://www.idp.com:8080/portal"</a> with
the SAMLRequest attached. It's possible that these settings don't
support SP-initiated login, which means that it's not possible to
set it up...<br>
- You can create another domain and configure SSO and all other
settings again, but keep "Enable Multiple configs" disabled.<br>
<br>
Hope this helps,<br>
Marek<br>
<br>
On 21.10.2013 03:51, Tuyen The Nguyen wrote:<br>
</div>
<blockquote
cite="mid:CADdLygi9tHGd9DKa63Zg6SjzabRyrm-uYR=yEU5MGX9unYPyhA@mail.gmail.com"
type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>I tried to reconfigure as you recommended, but I still have
the same problem: when I try to access it, it still doesn't
redirect to the IdP site.</div>
<div><br>
</div>
<div>I'm sure that I can access <a moz-do-not-send="true"
href="http://www.idp.com:8080/portal">http://www.idp.com:8080/portal</a>
from my browser and I can log in.</div>
<div><br>
</div>
<div>Do you have any other suggestion?</div>
<div><br>
</div>
<div>Thanks!</div>
<div><br>
</div>
<div>Nguyen The Tuyen.</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Oct 18, 2013 at 2:33 PM, Marek
Posolda <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi,<br>
<br>
there are some differences between the recommended setup and
your setup. See here: <a moz-do-not-send="true"
href="https://docs.jboss.org/author/display/GTNPORTAL36/SAML2#SAML2-IntegrationwithSalesforceandGoogleApps"
target="_blank">https://docs.jboss.org/author/display/GTNPORTAL36/SAML2#SAML2-IntegrationwithSalesforceandGoogleApps</a>.
You will need to choose "Assertion contains the
Federation ID from the User object", otherwise the
integration won't work. I would recommend configuring
EntityId to be <a moz-do-not-send="true"
href="https://saml.salesforce.com" target="_blank">"https://saml.salesforce.com"</a>
and Issuer to be <a moz-do-not-send="true"
href="http://www.idp.com:8080/portal/dologin"
target="_blank">"http://www.idp.com:8080/portal/dologin"</a>
without a slash at the end. Also make sure that you have
GateIn running and bound to the correct address, and that you can
access <a moz-do-not-send="true"
href="http://www.idp.com:8080/portal" target="_blank">"http://www.idp.com:8080/portal"</a>
from your browser.<br>
<br>
Hope this helps,<br>
Marek
<div>
<div class="h5"><br>
<br>
<br>
On 18.10.2013 04:34, Tuyen The Nguyen wrote:<br>
</div>
</div>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>Do you have experience configuring SSO in
Salesforce? I'm trying to configure SSO on
Salesforce, but it doesn't work.</div>
<div><br>
</div>
<div>I registered a developer account and registered the
domain <a moz-do-not-send="true"
href="http://tuyennt-dev-ed.my.salesforce.com"
target="_blank">tuyennt-dev-ed.my.salesforce.com</a>
in the "my domain" menu.<br>
</div>
<div><br>
</div>
<div>I configured it as in the attached image, but when I
access <a moz-do-not-send="true"
href="https://tuyennt-dev-ed.my.salesforce.com/"
target="_blank">https://tuyennt-dev-ed.my.salesforce.com/</a>,
I see the Salesforce login form, not the GateIn
login form as expected.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks!</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Oct 14, 2013 at
11:31 PM, Marek Posolda <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>This error is caused by the fact that
PicketLink (GateIn) is trying to validate the
signature of the SAMLRequest from
Google, but SAML requests from Google are
not signed. To disable validation, you
need to correctly configure sp-metadata as
described in the docs <a
moz-do-not-send="true"
href="https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP"
target="_blank">https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP</a>.
You should have something like this in the
metadata file:<br>
<br>
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
<b>entityID="<a moz-do-not-send="true"
href="http://google.com/a/yourdomain1.mygbiz.com"
target="_blank">google.com/a/yourdomain1.mygbiz.com</a>"</b>
validUntil="2022-06-13T21:46:02.496Z"><br>
<md:SPSSODescriptor <b>AuthnRequestsSigned="false"</b>
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
/><br>
</md:EntityDescriptor><br>
<br>
Note that entityId must be either "<a
moz-do-not-send="true"
href="http://google.com/a/yourdomain1.mygbiz.com"
target="_blank">google.com/a/yourdomain1.mygbiz.com</a>"
(replace yourdomain1 with the name of your
Google Apps domain) or just "<a
moz-do-not-send="true"
href="http://google.com" target="_blank">google.com</a>".
It depends on the setting of the option "<span>Use
a domain specific issuer", which can be
specified on the Google Apps page (if true,
Google will use a SAMLRequest with entity
"<a moz-do-not-send="true"
href="http://google.com/a/yourdomain1.mygbiz.com"
target="_blank">google.com/a/yourdomain1.mygbiz.com</a>";
if false, Google will use a SAMLRequest
with entity "<a moz-do-not-send="true"
href="http://google.com"
target="_blank">google.com</a>"). <br>
<br>
I would recommend using the Firefox plugin
"SAML tracer", which will show you the
decoded SAMLRequest in the browser, so
that you will see which domain
name is used by Google for the SAMLRequest; the
same value must be used as entityId in the
metadata.<br>
<br>
Cheers,<br>
Marek<br>
</span>
<div>
<div><br>
<br>
On 14.10.2013 06:11, Tuyen The Nguyen
wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>Following the docs, I generated the
certificate file with the command: </div>
<div><span
style="white-space:pre-wrap"> </span><b><i>keytool
-export -keystore
jbid_test_keystore.jks -alias
servercert -file
test-certificate.crt</i></b></div>
<div>And then uploaded the file
test-certificate.crt to Google.</div>
<div><br>
</div>
<div>Then I tried to declare in
GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
a ValidatingDomain </div>
<div> <b><i><ValidatingAlias
Key="127.0.0.1"
Value="servercert"/></i></b></div>
<div><br>
</div>
<div>I see another exception on the GateIn
side.</div>
<div>And when I change the value of
gatein.sso.sp.host in the
configuration.properties file to:</div>
<div><span
style="white-space:pre-wrap"> </span>gatein.sso.sp.host=<a
moz-do-not-send="true"
href="http://google.com"
target="_blank">google.com</a></div>
<div>I also see the same exception.</div>
<div><br>
</div>
<div><b>Exception:</b></div>
<div><br>
</div>
<div> 10:21:20,112 ERROR
[org.picketlink.identity.federation]
(http-www.idp.com-127.0.0.1-8080-1)
PLFED000253: Exception in
processing request:
org.picketlink.identity.federation.core.exceptions.ProcessingException:
PLFED000145: Signature Validation
failed</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
[sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
[sso-integration-1.3.1.Final.jar:1.3.1.Final]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
[jboss-as-web-7.1.1.Final.jar:7.1.1.Final]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap"> </span>at
java.lang.Thread.run(Thread.java:662)
[rt.jar:1.6.0_45]</div>
<div>Caused by:
java.lang.IllegalArgumentException:
PLFED000078: Null Parameter:
queryString</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)</div>
<div><span
style="white-space:pre-wrap"> </span>at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)</div>
<div><span
style="white-space:pre-wrap"> </span>...
15 more</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, Oct
10, 2013 at 8:01 PM, Marek Posolda
<span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF">
<div>Hi,<br>
<br>
you can try to declare in
the <code>GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml</code>
a ValidatingDomain directive
like:<br>
<pre><span><ValidatingAlias</span><span> Key=</span><span>"127.0.0.1"</span><span> Value=</span><span>"secure-key"</span><span>/></span>
</pre>
Even though Google SAML
requests are not signed,
PicketLink requires that
there is a validating key
corresponding to each
SAMLRequest. When a key is
not found for a specific
domain (in this case <a
moz-do-not-send="true"
href="http://google.com"
target="_blank">google.com</a>),
PicketLink will search for
keys with the alias <code>127.0.0.1</code>.
You can use the alias of any
key you have declared in
your keystore. It will be
used just as a placeholder, as
SAML requests from Google
are not signed, so the
signature won't be checked
anyway.<br>
<br>
Marek
<div>
<div><br>
<br>
On 10.10.2013 11:55,
Tuyen The Nguyen wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>Hi all,</div>
<div><br>
</div>
<div>I'm configuring
SSO for GateIn 3.5
with Google and
Salesforce using the SAML2
protocol.</div>
<div>I followed these three
docs: </div>
<div><a
moz-do-not-send="true"
href="https://docs.jboss.org/author/display/GTNPORTAL35/SAML2"
target="_blank">https://docs.jboss.org/author/display/GTNPORTAL35/SAML2</a></div>
<div><a
moz-do-not-send="true"
href="https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP"
target="_blank">https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP</a></div>
<div><a
moz-do-not-send="true"
href="https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP"
target="_blank">https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP</a></div>
<div><br>
</div>
<div>When I try to
log in to Google, it
redirects to the IdP (using
GateIn) and login
succeeds, but when it
redirects back to
Google, I get the error
"google could not
parse the login
request" and I can't
log in.</div>
<div>I see an
exception on the console
of GateIn:</div>
<div><br>
</div>
<div>16:26:01,844
ERROR
[org.picketlink.identity.federation]
(http-www.idp.com-127.0.0.1-8080-7)
PLFED000253:
Exception in
processing request:
java.lang.IllegalStateException:
PLFED000058:
KeyStoreKeyManager :
Domain Alias missing
for : 127.0.0.1</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)[sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)[sso-integration-1.3.1.Final.jar:1.3.1.Final]</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)[jboss-as-web-7.1.1.Final.jar:7.1.1.Final]</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap">
</span>at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
[jbossweb-7.0.13.Final.jar:]</div>
<div><span
style="white-space:pre-wrap">
</span>at
java.lang.Thread.run(Thread.java:662)
[rt.jar:1.6.0_45]</div>
<div><span
style="white-space:pre-wrap">
</span></div>
<div><span
style="white-space:pre-wrap">
</span></div>
<div><b>Does anyone
know how to
fix this problem?</b></div>
<div><br>
</div>
<div>Tuyen Nguyen The.</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
gatein-dev mailing list
<a moz-do-not-send="true" href="mailto:gatein-dev@lists.jboss.org" target="_blank">gatein-dev@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/gatein-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/gatein-dev</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
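<p>Marek's 14.10 reply says to decode the SAMLRequest (e.g. with SAML tracer) and make sure the Issuer Google sends is the entityID in sp-metadata, with AuthnRequestsSigned="false" so PicketLink does not look for a signature. The following Python is an added example written for this page, not code from the thread or from PicketLink/GateIn: it encodes and decodes an HTTP-Redirect-binding SAMLRequest the way an SP would, reads the policy from a constructed sp-metadata modelled on the snippet Marek quoted, and reports the two mismatches an IdP would reject on (Issuer vs. entityID, and a signature required by metadata but absent from the query). The AuthnRequest IDs and the "google.com" issuer variants are constructed sample values.</p>

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sp-metadata modelled on the thread's snippet: domain-specific issuer, unsigned requests.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS_MD}"
    entityID="google.com/a/yourdomain1.mygbiz.com" validUntil="2022-06-13T21:46:02.496Z">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
    protocolSupportEnumeration="{NS_SAMLP}"/>
</md:EntityDescriptor>"""

def make_authn_request(issuer):
    """Constructed minimal AuthnRequest carrying the given Issuer (hypothetical ID/timestamp)."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
            f'ID="_req1" Version="2.0" IssueInstant="2013-10-14T09:00:00Z">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')

def encode_redirect_request(xml_text):
    """HTTP-Redirect binding as the SP sends it: raw DEFLATE, then base64."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw deflate, no zlib header
    return base64.b64encode(co.compress(xml_text.encode()) + co.flush()).decode()

def decode_redirect_request(saml_request_param):
    """Inverse of the above: the decoded request a SAML tracer would show you."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode()

def build_redirect_query(issuer):
    """Constructed query string of an unsigned redirect-binding request (no Signature param)."""
    return urlencode({"SAMLRequest": encode_redirect_request(make_authn_request(issuer))})

def sp_policy(metadata_xml):
    """entityID and AuthnRequestsSigned as declared in an sp-metadata document."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{NS_MD}}}SPSSODescriptor")
    signed = sp is not None and sp.get("AuthnRequestsSigned", "false").lower() == "true"
    return {"entity_id": root.get("entityID"), "requests_signed": signed}

def check_redirect_request(query_string, metadata_xml):
    """List the mismatches that would make the IdP reject this SAMLRequest."""
    params = parse_qs(query_string)
    request_xml = decode_redirect_request(params["SAMLRequest"][0])
    issuer = ET.fromstring(request_xml).findtext(f"{{{NS_SAML}}}Issuer")
    policy = sp_policy(metadata_xml)
    problems = []
    if issuer != policy["entity_id"]:
        problems.append(f"issuer {issuer!r} does not match metadata entityID {policy['entity_id']!r}")
    if policy["requests_signed"] and "Signature" not in params:
        problems.append("metadata says AuthnRequestsSigned=true but no Signature parameter was sent")
    return {"issuer": issuer, "problems": problems}

if __name__ == "__main__":
    for issuer in ("google.com/a/yourdomain1.mygbiz.com", "google.com"):
        print(issuer, "->", check_redirect_request(build_redirect_query(issuer), SP_METADATA))
```

Paste the real SAMLRequest value from the tracer into decode_redirect_request to get the Issuer your own SP sends, and compare it with the entityID of your metadata the same way.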
<br>
</body>
</html>