8:51 p.m.
Hi,
I tried to reconfigure as you recommended, But i still meet the same
problems, when i try to access, it still don't redirect to idp site.
I'm sure that i can access http://www.idp.com:8080/portal from my browser
and i can login.
Do you have any other suggestion?
Thanks!
Nguyen The Tuyen.
On Fri, Oct 18, 2013 at 2:33 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
Hi,
there are some differences between recommended setup and your setup. See
here
https://docs.jboss.org/author/display/GTNPORTAL36/SAML2#SAML2-Integration....
You will need to choose "Assertion contains the Federation ID from the
User object", otherwise integration won't work. I would recommend to
configure EntityId to be
"https://saml.salesforce.com"<https://saml.salesforce.com>and Issuer to
be
"http://www.idp.com:8080/portal/dologin"<http://www.idp.com:8080/portal/dologin>without
slash in the end. Also make sure that you have GateIn running and
bind to correct address and you can access
"http://www.idp.com:8080/portal" <http://www.idp.com:8080/portal> from
your browser.
Hope this helps,
Marek
On 18.10.2013 04:34, Tuyen The Nguyen wrote:
Hi,
Do you have experience about config sso in saleforce. I'm trying to
configure sso on saleforce, but it doesn't work.
I registered a developer account and register domain
tuyennt-dev-ed.my.salesforce.com in "my domain" menu
I configure as attached image, but when i access to
https://tuyennt-dev-ed.my.salesforce.com/, i see saleforce login-form,
not gatein login-form as expected.
Thanks!
On Mon, Oct 14, 2013 at 11:31 PM, Marek Posolda <mposolda(a)redhat.com>wrote:
> This error is caused by the fact that Picketlink (GateIn) is trying to
> validate signature from the SAMLRequest from Google, but SAML requests from
> Google are not signed. To disable validation, you need to correctly
> configure sp-metadata as described in the docs
> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App.... You
should have something like this in metadata file:
>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
*
>
entityID="google.com/a/yourdomain1.mygbiz.com"*validUntil="...
> <md:SPSSODescriptor
*AuthnRequestsSigned="false"*WantAssertionsSigned="true"
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" />
> </md:EntityDescriptor>
>
> Note that entityId must be either "google.com/a/yourdomain1.mygbiz.com"
> (replace yourdomain1 with the name of your Google apps domain) or just "
> google.com" . It depends on settings of option "Use a domain specific
> issuer" which can be specified on Google Apps page (If true, Google will
> use SAMLRequest with entity "google.com/a/yourdomain1.mygbiz.com", If
> false, Google will use SAMLRequest with entity "google.com").
>
> I would recomment to use Firefox plugin "SAML tracer", which will show
> you decoded SAMLRequest in the browser, so that you will see what is the
> domain name used by Google for SAMLRequest and same value must be used as
> entityId in metadata.
>
> Cheers,
> Marek
>
>
> On 14.10.2013 06:11, Tuyen The Nguyen wrote:
>
> Hi,
>
> Follow by docs, i generate certificate file by command:
> *keytool -export -keystore jbid_test_keystore.jks -alias servercert
> -file test-certificate.crt*
> And then upload file test-certificate.crt to google.
>
> Then i try to declare in the
> GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
> a ValidatingDomain
> *<ValidatingAlias Key="127.0.0.1" Value="servercert"/>*
>
> I see other exception on gatein site.
> And when i change the value of gatein.sso.sp.host in
> configuration.properties file as:
> gatein.sso.sp.host=google.com
> I also see the same exception.
>
> *Exception:*
>
> 10:21:20,112 ERROR [org.picketlink.identity.federation]
> (http-www.idp.com-127.0.0.1-8080-1) PLFED000253: Exception in processing
> request:
> org.picketlink.identity.federation.core.exceptions.ProcessingException:
> PLFED000145: Signature Validation failed
> at
>
org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)
> at
>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)
> at
>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)
> at
>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)
> at
>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)
> at
>
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
> [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
> at
> org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
> [sso-integration-1.3.1.Final.jar:1.3.1.Final]
> at
>
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
>
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
> at
>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
> [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
> [jbossweb-7.0.13.Final.jar:]
> at
>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
> [jbossweb-7.0.13.Final.jar:]
> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
> Caused by: java.lang.IllegalArgumentException: PLFED000078: Null
> Parameter: queryString
> at
>
org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)
> at
>
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)
> at
>
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)
> at
>
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)
> at
>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)
> ... 15 more
>
>
> On Thu, Oct 10, 2013 at 8:01 PM, Marek Posolda <mposolda(a)redhat.com>wrote:
>
>> Hi,
>>
>> you can try to declare in the
>>
GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xmla
ValidatingDomain directive like:
>>
>> <ValidatingAlias Key="127.0.0.1" Value="secure-key"/>
>>
>> Even though Google SAML requests are not signed, PicketLink requires
>> that there is validating key corresponding to each SAMLRequest. When a key
>> is not found for a specific domain (in this case google.com),
>> PicketLink will search for keys with the alias 127.0.0.1 . You can use
>> alias for any key you have declared in your keystore. It will be used just
>> as placeholder as SAML requests from Google are not signed, so validation
>> won't be checked anyway.
>>
>> Marek
>>
>>
>> On 10.10.2013 11:55, Tuyen The Nguyen wrote:
>>
>> Hi all,
>>
>> I'm configuring SSO for gatein 3.5 with google and salefore use SAML2
>> protocol.
>> I follow by three docs:
>> https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
>>
>> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce...
>>
>> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
>>
>> When i try to login to google, it redirect to IDP (use gatein) and
>> login success, but when redirect back to google, i meet error "google could
>> not parse the login request" and i can't login.
>> I see an exception on console of gatein:
>>
>> 16:26:01,844 ERROR [org.picketlink.identity.federation]
>> (http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception in processing
>> request: java.lang.IllegalStateException: PLFED000058: KeyStoreKeyManager :
>> Domain Alias missing for : 127.0.0.1
>> at
>>
org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
>> at
>>
org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
>> at
>>
org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
>> at
>>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
>> at
>>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
>> at
>>
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
>> [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
>> at
>> org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
>> [sso-integration-1.3.1.Final.jar:1.3.1.Final]
>> at
>>
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
>>
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
>> at
>>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
>> [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>>
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
>> [jbossweb-7.0.13.Final.jar:]
>> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
>> *Is there any one know how to fix this problem?*
>>
>> Tuyen Nguyen The.
>>
>>
>> _______________________________________________
>> gatein-dev mailing
listgatein-dev@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/gatein-dev
>>
>>
>>
>
>
