This error is caused by the fact that Picketlink (GateIn) is trying to
validate the signature of the SAMLRequest from Google, but SAML requests
from Google are not signed. To disable validation, you need to correctly
configure sp-metadata as described in the docs
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
You should have something like this in the metadata file:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="google.com/a/yourdomain1.mygbiz.com"
    validUntil="2022-06-13T21:46:02.496Z">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" />
</md:EntityDescriptor>
Note that entityId must be either "google.com/a/yourdomain1.mygbiz.com"
(replace yourdomain1 with the name of your Google Apps domain) or just
"google.com". It depends on the setting of the option "Use a domain specific
issuer", which can be specified on the Google Apps page (if true, Google will
use a SAMLRequest with entity "google.com/a/yourdomain1.mygbiz.com"; if
false, Google will use a SAMLRequest with entity "google.com").
I would recommend using the Firefox plugin "SAML tracer", which will show
you the decoded SAMLRequest in the browser, so that you can see which
domain name Google uses in the SAMLRequest; the same value must be used
as entityId in the metadata.
Cheers,
Marek
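The check Marek describes (decode the SAMLRequest carried in the redirect URL, read its Issuer, and compare it with the entityID and the AuthnRequestsSigned flag in the SP metadata) done as a small script, added here as an example; it is not part of this thread and not PicketLink or GateIn code. The AuthnRequest, the metadata and the request ID in it are constructed for the illustration; against a real IDP you would feed it the query string of the URL on which the PLFED000145 error is raised.

```python
"""Decode a SAML 2.0 HTTP-Redirect binding AuthnRequest and compare it with
SP metadata. Added example, not PicketLink/GateIn code; all sample data is
constructed for the illustration."""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed SP metadata in the shape the thread describes: the Issuer of the
# request must equal entityID, and AuthnRequestsSigned="false" tells the IDP
# not to expect a signature on the request.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="google.com/a/yourdomain1.mygbiz.com"
    validUntil="2022-06-13T21:46:02.496Z">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed AuthnRequest as an SP using a domain-specific issuer would send it
# (the ID and URLs are placeholders, not values from the thread).
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example123" Version="2.0" IssueInstant="2013-10-14T06:11:00Z"
    ProviderName="google.com" IsPassive="false"
    AssertionConsumerServiceURL="https://www.google.com/a/yourdomain1.mygbiz.com/acs">
  <saml:Issuer>google.com/a/yourdomain1.mygbiz.com</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect_request(xml_text: str) -> str:
    """Build the redirect-binding query string: raw DEFLATE, then base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})


def decode_redirect_request(query_string: str) -> dict:
    """Reverse the binding; report issuer, request ID and whether a Signature parameter was sent."""
    params = urllib.parse.parse_qs(query_string)
    raw = base64.b64decode(params["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    issuer_el = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None,
        "request_id": root.get("ID"),
        "signed": "Signature" in params,
    }


def check_against_metadata(request_info: dict, metadata_xml: str) -> list:
    """Return the mismatches between the decoded request and the SP metadata (empty list = consistent)."""
    md_root = ET.fromstring(metadata_xml)
    sp = md_root.find("md:SPSSODescriptor", NS)
    problems = []
    if request_info["issuer"] != md_root.get("entityID"):
        problems.append("issuer %r does not match metadata entityID %r"
                        % (request_info["issuer"], md_root.get("entityID")))
    expects_signature = sp is not None and sp.get("AuthnRequestsSigned", "false").lower() == "true"
    if expects_signature and not request_info["signed"]:
        problems.append('metadata has AuthnRequestsSigned="true" but the request carries no Signature parameter')
    return problems


if __name__ == "__main__":
    qs = encode_redirect_request(SAMPLE_AUTHN_REQUEST)
    info = decode_redirect_request(qs)
    print("decoded:", info)
    print("problems:", check_against_metadata(info, SP_METADATA) or "none")
```

Flipping the issuer in the request to the plain "google.com" form (what Google sends when "Use a domain specific issuer" is off) makes the entityID check fail, and setting AuthnRequestsSigned="true" in the metadata makes the missing-Signature check fail, which are the two mismatches behind the errors in this thread.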
On 14.10.2013 06:11, Tuyen The Nguyen wrote:
Hi,
Following the docs, I generate the certificate file with the command:
keytool -export -keystore jbid_test_keystore.jks -alias servercert -file test-certificate.crt
And then I upload the file test-certificate.crt to Google.
Then I try to declare in
GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
a ValidatingDomain:
<ValidatingAlias Key="127.0.0.1" Value="servercert"/>
I see another exception on the GateIn site.
And when I change the value of gatein.sso.sp.host in the
configuration.properties file to:
gatein.sso.sp.host=google.com
I also see the same exception.
Exception:
10:21:20,112 ERROR [org.picketlink.identity.federation] (http-www.idp.com-127.0.0.1-8080-1) PLFED000253: Exception in processing request: org.picketlink.identity.federation.core.exceptions.ProcessingException: PLFED000145: Signature Validation failed
    at org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)
    at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)
    at org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255) [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
    at org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155) [sso-integration-1.3.1.Final.jar:1.3.1.Final]
    at org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88) [exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
    at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
Caused by: java.lang.IllegalArgumentException: PLFED000078: Null Parameter: queryString
    at org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)
    at org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)
    at org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)
    at org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)
    ... 15 more
On Thu, Oct 10, 2013 at 8:01 PM, Marek Posolda <mposolda@redhat.com> wrote:
Hi,
you can try to declare in
GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
a ValidatingDomain directive like:
<ValidatingAlias Key="127.0.0.1" Value="secure-key"/>
Even though Google SAML requests are not signed, PicketLink
requires that there is a validating key corresponding to each
SAMLRequest. When a key is not found for a specific domain (in
this case google.com), PicketLink will search for keys with the
alias 127.0.0.1. You can use the alias of any key you have declared
in your keystore. It will be used just as a placeholder, as SAML
requests from Google are not signed, so the validation won't be
checked anyway.
Marek
On 10.10.2013 11:55, Tuyen The Nguyen wrote:
> Hi all,
>
> I'm configuring SSO for GateIn 3.5 with Google and Salesforce using the
> SAML2 protocol.
> I follow three docs:
> https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce...
> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
>
> When I try to log in to Google, it redirects to the IDP (using GateIn)
> and the login succeeds, but when I am redirected back to Google I get the
> error "google could not parse the login request" and I can't log in.
> I see an exception on the GateIn console:
>
> 16:26:01,844 ERROR [org.picketlink.identity.federation] (http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception in processing request: java.lang.IllegalStateException: PLFED000058: KeyStoreKeyManager : Domain Alias missing for : 127.0.0.1
>     at org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
>     at org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
>     at org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
>     at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
>     at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
>     at org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255) [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
>     at org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155) [sso-integration-1.3.1.Final.jar:1.3.1.Final]
>     at org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88) [exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
>     at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
>     at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
> Does anyone know how to fix this problem?
>
> Tuyen Nguyen The.
>
>
> _______________________________________________
> gatein-dev mailing list
> gatein-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/gatein-dev