Re: [gatein-dev] problem when config SAML2 with google and saleforce

Hi, I tried to reconfigure as you recommended, But i still meet the same problems, when i try to access, it still don't redirect to idp site. I'm sure that i can access http://www.idp.com:8080/portal from my browser and i can login. Do you have any other suggestion? Thanks! Nguyen The Tuyen. On Fri, Oct 18, 2013 at 2:33 PM, Marek Posolda <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote: Hi, there are some differences between recommended setup and your setup. See here https://docs.jboss.org/author/display/GTNPORTAL36/SAML2#SAML2-Integration... . You will need to choose "Assertion contains the Federation ID from the User object", otherwise integration won't work. I would recommend to configure EntityId to be "https://saml.salesforce.com" <https://saml.salesforce.com> and Issuer to be "http://www.idp.com:8080/portal/dologin" <http://www.idp.com:8080/portal/dologin> without slash in the end. Also make sure that you have GateIn running and bind to correct address and you can access "http://www.idp.com:8080/portal" <http://www.idp.com:8080/portal> from your browser. Hope this helps, Marek On 18.10.2013 04:34, Tuyen The Nguyen wrote: > Hi, > > Do you have experience about config sso in saleforce. I'm trying > to configure sso on saleforce, but it doesn't work. > > I registered a developer account and register domain > tuyennt-dev-ed.my.salesforce.com > <http://tuyennt-dev-ed.my.salesforce.com> in "my domain" menu > > I configure as attached image, but when i access to > https://tuyennt-dev-ed.my.salesforce.com/, i see saleforce > login-form, not gatein login-form as expected. > > > Thanks! > > > > On Mon, Oct 14, 2013 at 11:31 PM, Marek Posolda > <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote: > > This error is caused by the fact that Picketlink (GateIn) is > trying to validate signature from the SAMLRequest from > Google, but SAML requests from Google are not signed. To > disable validation, you need to correctly configure > sp-metadata as described in the docs > https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App... > . You should have something like this in metadata file: > > <md:EntityDescriptor > xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" > *entityID="google.com/a/yourdomain1.mygbiz.com > <http://google.com/a/yourdomain1.mygbiz.com>"* > validUntil="2022-06-13T21:46:02.496Z"> > <md:SPSSODescriptor *AuthnRequestsSigned="false"* > WantAssertionsSigned="true" > protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" > /> > </md:EntityDescriptor> > > Note that entityId must be either > "google.com/a/yourdomain1.mygbiz.com > <http://google.com/a/yourdomain1.mygbiz.com>" (replace > yourdomain1 with the name of your Google apps domain) or just > "google.com <http://google.com>" . It depends on settings of > option "Use a domain specific issuer" which can be specified > on Google Apps page (If true, Google will use SAMLRequest > with entity "google.com/a/yourdomain1.mygbiz.com > <http://google.com/a/yourdomain1.mygbiz.com>";, If false, > Google will use SAMLRequest with entity "google.com > <http://google.com>"). > > I would recomment to use Firefox plugin "SAML tracer", which > will show you decoded SAMLRequest in the browser, so that you > will see what is the domain name used by Google for > SAMLRequest and same value must be used as entityId in metadata. > > Cheers, > Marek > > > On 14.10.2013 06:11, Tuyen The Nguyen wrote: >> Hi, >> >> Follow by docs, i generate certificate file by command: >> */keytool -export -keystore jbid_test_keystore.jks -alias >> servercert -file test-certificate.crt/* >> And then upload file test-certificate.crt to google. >> >> Then i try to declare in the >> GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml >> a ValidatingDomain >> */<ValidatingAlias Key="127.0.0.1" Value="servercert"/>/* >> >> I see other exception on gatein site. >> And when i change the value of gatein.sso.sp.host in >> configuration.properties file as: >> gatein.sso.sp.host=google.com <http://google.com> >> I also see the same exception. >> >> *Exception:* >> >> 10:21:20,112 ERROR [org.picketlink.identity.federation] >> (http-www.idp.com-127.0.0.1-8080-1) PLFED000253: Exception >> in processing request: >> org.picketlink.identity.federation.core.exceptions.ProcessingException: >> PLFED000145: Signature Validation failed >> at >> org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106) >> at >> org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152) >> at >> org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94) >> at >> org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56) >> at >> org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579) >> at >> org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255) >> [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final] >> at >> org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155) >> [sso-integration-1.3.1.Final.jar:1.3.1.Final] >> at >> org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88) >> [exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT] >> at >> org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) >> [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] >> at >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) >> [jbossweb-7.0.13.Final.jar:] >> at >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) >> [jbossweb-7.0.13.Final.jar:] >> at >> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) >> [jbossweb-7.0.13.Final.jar:] >> at >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) >> [jbossweb-7.0.13.Final.jar:] >> at >> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) >> [jbossweb-7.0.13.Final.jar:] >> at >> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) >> [jbossweb-7.0.13.Final.jar:] >> at >> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) >> [jbossweb-7.0.13.Final.jar:] >> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45] >> Caused by: java.lang.IllegalArgumentException: PLFED000078: >> Null Parameter: queryString >> at >> org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64) >> at >> org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309) >> at >> org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203) >> at >> org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188) >> at >> org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144) >> ... 15 more >> >> >> On Thu, Oct 10, 2013 at 8:01 PM, Marek Posolda >> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote: >> >> Hi, >> >> you can try to declare in the >> |GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml| >> a ValidatingDomain directive like: >> >> <ValidatingAlias Key="127.0.0.1" Value="secure-key"/> >> >> Even though Google SAML requests are not signed, >> PicketLink requires that there is validating key >> corresponding to each SAMLRequest. When a key is not >> found for a specific domain (in this case google.com >> <http://google.com>), PicketLink will search for keys >> with the alias |127.0.0.1| . You can use alias for any >> key you have declared in your keystore. It will be used >> just as placeholder as SAML requests from Google are not >> signed, so validation won't be checked anyway. >> >> Marek >> >> >> On 10.10.2013 11:55, Tuyen The Nguyen wrote: >>> Hi all, >>> >>> I'm configuring SSO for gatein 3.5 with google and >>> salefore use SAML2 protocol. >>> I follow by three docs: >>> https://docs.jboss.org/author/display/GTNPORTAL35/SAML2 >>> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce... >>> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App... >>> >>> When i try to login to google, it redirect to IDP (use >>> gatein) and login success, but when redirect back to >>> google, i meet error "google could not parse the login >>> request" and i can't login. >>> I see an exception on console of gatein: >>> >>> 16:26:01,844 ERROR [org.picketlink.identity.federation] >>> (http-www.idp.com-127.0.0.1-8080-7) PLFED000253: >>> Exception in processing request: >>> java.lang.IllegalStateException: PLFED000058: >>> KeyStoreKeyManager : Domain Alias missing for : 127.0.0.1 >>> at >>> org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183) >>> at >>> org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196) >>> at >>> org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140) >>> at >>> org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683) >>> at >>> org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545) >>> at >>> org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)[sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final] >>> at >>> org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)[sso-integration-1.3.1.Final.jar:1.3.1.Final] >>> at >>> org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88) >>> [exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT] >>> at >>> org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)[jboss-as-web-7.1.1.Final.jar:7.1.1.Final] >>> at >>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) >>> [jbossweb-7.0.13.Final.jar:] >>> at >>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) >>> [jbossweb-7.0.13.Final.jar:] >>> at >>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) >>> [jbossweb-7.0.13.Final.jar:] >>> at >>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) >>> [jbossweb-7.0.13.Final.jar:] >>> at >>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) >>> [jbossweb-7.0.13.Final.jar:] >>> at >>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) >>> [jbossweb-7.0.13.Final.jar:] >>> at >>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) >>> [jbossweb-7.0.13.Final.jar:] >>> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45] >>> *Is there any one know how to fix this problem?* >>> >>> Tuyen Nguyen The. >>> >>> >>> _______________________________________________ >>> gatein-dev mailing list >>> gatein-dev(a)lists.jboss.org <mailto:gatein-dev@lists.jboss.org> >>> https://lists.jboss.org/mailman/listinfo/gatein-dev >> >> > >