Hi,

you can try to declare in the GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml a ValidatingDomain directive like:

<ValidatingAlias Key="127.0.0.1" Value="secure-key"/>

Even though Google SAML requests are not signed, PicketLink requires that there is validating key corresponding to each SAMLRequest. When a key is not found for a specific domain (in this case google.com), PicketLink will search for keys with the alias 127.0.0.1 . You can use alias for any key you have declared in your keystore. It will be used just as placeholder as SAML requests from Google are not signed, so validation won't be checked anyway.

Marek

On 10.10.2013 11:55, Tuyen The Nguyen wrote:

Hi all,

I'm configuring SSO for gatein 3.5 with google and salefore use SAML2 protocol.

I follow by three docs: 

https://docs.jboss.org/author/display/GTNPORTAL35/SAML2

https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP

https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP

When i try to login to google, it redirect to IDP (use gatein) and login success, but when redirect back to google, i meet error "google could not parse the login request" and i can't login.

I see an exception on console of gatein:

16:26:01,844 ERROR [org.picketlink.identity.federation] (http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception in processing request: java.lang.IllegalStateException: PLFED000058: KeyStoreKeyManager : Domain Alias missing for : 127.0.0.1

at org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)

at org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)

at org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)

at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)

at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)

at org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255) [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]

at org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155) [sso-integration-1.3.1.Final.jar:1.3.1.Final]

at org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88) [exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]

at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]

at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]

at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]

at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]

at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]

Is there any one know how to fix this problem?

Tuyen Nguyen The.

_______________________________________________
gatein-dev mailing list
gatein-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/gatein-dev