Hi,
there are some differences between the recommended setup and your setup. See here. You will need to choose "Assertion contains the Federation ID from the User object", otherwise the integration won't work. I would recommend configuring EntityId to be "https://saml.salesforce.com" and Issuer to be "http://www.idp.com:8080/portal/dologin" without a slash at the end. Also make sure that you have GateIn running and bound to the correct address, and that you can access "http://www.idp.com:8080/portal" from your browser.
Hope this helps,
Marek
On 18.10.2013 04:34, Tuyen The Nguyen wrote:
Hi,
Do you have experience with configuring SSO in Salesforce? I'm trying to configure SSO on Salesforce, but it doesn't work.
I registered a developer account and registered the domain tuyennt-dev-ed.my.salesforce.com in the "my domain" menu.
I configured it as in the attached image, but when I access https://tuyennt-dev-ed.my.salesforce.com/, I see the Salesforce login form, not the GateIn login form as expected.
Thanks!
On Mon, Oct 14, 2013 at 11:31 PM, Marek Posolda <mposolda@redhat.com> wrote:
This error is caused by the fact that PicketLink (GateIn) is trying to validate the signature of the SAMLRequest from Google, but SAML requests from Google are not signed. To disable validation, you need to correctly configure sp-metadata as described in the docs:
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
You should have something like this in the metadata file:

<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="google.com/a/yourdomain1.mygbiz.com"
    validUntil="2022-06-13T21:46:02.496Z">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" />
</md:EntityDescriptor>

Note that entityId must be either "google.com/a/yourdomain1.mygbiz.com" (replace yourdomain1 with the name of your Google Apps domain) or just "google.com". It depends on the setting of the option "Use a domain specific issuer", which can be specified on the Google Apps page (if true, Google will send a SAMLRequest with entity "google.com/a/yourdomain1.mygbiz.com"; if false, Google will send a SAMLRequest with entity "google.com").
I would recommend using the Firefox plugin "SAML tracer", which will show you the decoded SAMLRequest in the browser, so that you can see which domain name Google uses in the SAMLRequest; the same value must be used as entityId in the metadata.
Cheers,
Marek
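The check Marek describes here (read the Issuer of the SP's SAMLRequest and make sure sp-metadata carries the same entityID, with AuthnRequestsSigned matching what the SP actually does) and the trailing-slash point from the Salesforce reply at the top of this thread, as an added example that is not part of this thread nor of PicketLink or GateIn; it uses only the Python standard library and assumes a constructed AuthnRequest and constructed metadata built inside the block.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"

def decode_redirect_request(param: str) -> ET.Element:
    """HTTP-Redirect binding: SAMLRequest is raw-DEFLATEd then base64 (wbits -15 = no zlib header)."""
    return ET.fromstring(zlib.decompress(base64.b64decode(param), -15))

def encode_redirect_request(xml_text: str) -> str:
    """Inverse of decode_redirect_request; used here only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def request_issuer(req: ET.Element) -> str:
    node = req.find(f"{{{NS_SAML}}}Issuer")  # this value must equal entityID in sp-metadata
    return (node.text or "").strip() if node is not None else ""

def sp_metadata_facts(metadata_xml: str):
    """Return (entityID, AuthnRequestsSigned) from an SP EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{NS_MD}}}SPSSODescriptor")
    return root.get("entityID", ""), sp is not None and sp.get("AuthnRequestsSigned", "false").lower() == "true"

def check_sp_config(query_string: str, metadata_xml: str) -> list:
    """Compare what the SP actually sent with what the IdP's sp-metadata expects of it."""
    qs = parse_qs(query_string)
    issuer = request_issuer(decode_redirect_request(qs["SAMLRequest"][0]))
    entity_id, wants_signed = sp_metadata_facts(metadata_xml)
    findings = []
    if issuer != entity_id:
        slash = " (only a trailing slash differs)" if issuer.rstrip("/") == entity_id.rstrip("/") else ""
        findings.append(f"entityID mismatch: request Issuer={issuer!r}, metadata entityID={entity_id!r}{slash}")
    if wants_signed and "Signature" not in qs:
        # The combination behind PLFED000145 / "Null Parameter: queryString" in this thread.
        findings.append("AuthnRequestsSigned=true but the redirect carries no Signature parameter")
    return findings

# Constructed sample: an unsigned AuthnRequest as a domain-specific Google issuer would send it.
SAMPLE_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                  f'xmlns:saml="{NS_SAML}" ID="_c1" Version="2.0"><saml:Issuer>'
                  "google.com/a/yourdomain1.mygbiz.com</saml:Issuer></samlp:AuthnRequest>")
QUERY = "SAMLRequest=" + quote(encode_redirect_request(SAMPLE_REQUEST), safe="")
METADATA_OK = (f'<md:EntityDescriptor xmlns:md="{NS_MD}" entityID="google.com/a/yourdomain1.mygbiz.com">'
               '<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"/></md:EntityDescriptor>')
METADATA_BAD = (f'<md:EntityDescriptor xmlns:md="{NS_MD}" entityID="google.com/a/yourdomain1.mygbiz.com/">'
                '<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"/></md:EntityDescriptor>')
```

Paste the SAMLRequest value shown by SAML tracer (URL-encoded, as it appears in the redirect) and your sp-metadata into check_sp_config to get the same two findings on a real setup.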
On 14.10.2013 06:11, Tuyen The Nguyen wrote:
> Hi,
>
> Following the docs, I generated the certificate file with the command:
> keytool -export -keystore jbid_test_keystore.jks -alias servercert -file test-certificate.crt
> and then uploaded the file test-certificate.crt to Google.
>
> Then I tried to declare a ValidatingDomain in
> GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml:
> <ValidatingAlias Key="127.0.0.1" Value="servercert"/>
>
> I see another exception on the GateIn site.
> And when I change the value of gatein.sso.sp.host in the configuration.properties file to:
> gatein.sso.sp.host=google.com
> I also see the same exception.
>
> Exception:
>
> 10:21:20,112 ERROR [org.picketlink.identity.federation] (http-www.idp.com-127.0.0.1-8080-1) PLFED000253: Exception in processing request: org.picketlink.identity.federation.core.exceptions.ProcessingException: PLFED000145: Signature Validation failed
>     at org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)
>     at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)
>     at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)
>     at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)
>     at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)
>     at org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255) [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
>     at org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155) [sso-integration-1.3.1.Final.jar:1.3.1.Final]
>     at org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88) [exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
>     at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
>     at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
> Caused by: java.lang.IllegalArgumentException: PLFED000078: Null Parameter: queryString
>     at org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)
>     at org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)
>     at org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)
>     at org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)
>     at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)
>     ... 15 more
>
>
> On Thu, Oct 10, 2013 at 8:01 PM, Marek Posolda <mposolda@redhat.com> wrote:
>
> Hi,
>
> you can try to declare in
> GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
> a ValidatingDomain directive like:
>
> <ValidatingAlias Key="127.0.0.1" Value="secure-key"/>
>
> Even though Google SAML requests are not signed, PicketLink requires that there is a validating key corresponding to each SAMLRequest. When a key is not found for a specific domain (in this case google.com), PicketLink will search for keys with the alias 127.0.0.1. You can use the alias of any key you have declared in your keystore. It will be used just as a placeholder, as SAML requests from Google are not signed, so validation won't be checked anyway.
>
> Marek
>
>
> On 10.10.2013 11:55, Tuyen The Nguyen wrote:
>> Hi all,
>>
>> I'm configuring SSO for GateIn 3.5 with Google and Salesforce using the SAML2 protocol.
>> I followed these three docs:
>> https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
>> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce...
>> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
>>
>> When I try to log in to Google, it redirects to the IDP (using GateIn) and login succeeds, but when it redirects back to Google, I get the error "google could not parse the login request" and I can't log in.
>> I see an exception on the GateIn console:
>>
>> 16:26:01,844 ERROR [org.picketlink.identity.federation] (http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception in processing request: java.lang.IllegalStateException: PLFED000058: KeyStoreKeyManager : Domain Alias missing for : 127.0.0.1
>>     at org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
>>     at org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
>>     at org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
>>     at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
>>     at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
>>     at org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255) [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
>>     at org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155) [sso-integration-1.3.1.Final.jar:1.3.1.Final]
>>     at org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88) [exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
>>     at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
>>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
>>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
>>     at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
>> Is there anyone who knows how to fix this problem?
>>
>> Tuyen Nguyen The.
>>
>>
>> _______________________________________________
>> gatein-dev mailing list
>> gatein-dev@lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/gatein-dev