4:55 a.m.
Hi all,
I'm configuring SSO for gatein 3.5 with google and salefore use SAML2
protocol.
I follow by three docs:
https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce...
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
When i try to login to google, it redirect to IDP (use gatein) and login
success, but when redirect back to google, i meet error "google could not
parse the login request" and i can't login.
I see an exception on console of gatein:
16:26:01,844 ERROR [org.picketlink.identity.federation]
(http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception in processing
request: java.lang.IllegalStateException: PLFED000058: KeyStoreKeyManager :
Domain Alias missing for : 127.0.0.1
at
org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
at
org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
at
org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
at
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
[sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
at
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
[sso-integration-1.3.1.Final.jar:1.3.1.Final]
at
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
[jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
[jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
[jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
*Is there any one know how to fix this problem?*
Tuyen Nguyen The.
8:01 a.m.
Hi,
you can try to declare in the
|GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml|
a ValidatingDomain directive like:
<ValidatingAlias Key="127.0.0.1" Value="secure-key"/>
Even though Google SAML requests are not signed, PicketLink requires
that there is validating key corresponding to each SAMLRequest. When a
key is not found for a specific domain (in this case google.com),
PicketLink will search for keys with the alias |127.0.0.1| . You can use
alias for any key you have declared in your keystore. It will be used
just as placeholder as SAML requests from Google are not signed, so
validation won't be checked anyway.
Marek
On 10.10.2013 11:55, Tuyen The Nguyen wrote:
Hi all,
I'm configuring SSO for gatein 3.5 with google and salefore use SAML2
protocol.
I follow by three docs:
https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce...
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
When i try to login to google, it redirect to IDP (use gatein) and
login success, but when redirect back to google, i meet error "google
could not parse the login request" and i can't login.
I see an exception on console of gatein:
16:26:01,844 ERROR [org.picketlink.identity.federation]
(http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception in
processing request: java.lang.IllegalStateException: PLFED000058:
KeyStoreKeyManager : Domain Alias missing for : 127.0.0.1
at
org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
at
org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
at
org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
at
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
[sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
at
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
[sso-integration-1.3.1.Final.jar:1.3.1.Final]
at
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
[jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
[jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
*Is there any one know how to fix this problem?*
Tuyen Nguyen The.
_______________________________________________
gatein-dev mailing list
gatein-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/gatein-dev
11:11 p.m.
Hi,
Follow by docs, i generate certificate file by command:
*keytool -export -keystore jbid_test_keystore.jks -alias servercert -file
test-certificate.crt*
And then upload file test-certificate.crt to google.
Then i try to declare in the
GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
a ValidatingDomain
*<ValidatingAlias Key="127.0.0.1" Value="servercert"/>*
I see other exception on gatein site.
And when i change the value of gatein.sso.sp.host in
configuration.properties file as:
gatein.sso.sp.host=google.com
I also see the same exception.
*Exception:*
10:21:20,112 ERROR [org.picketlink.identity.federation]
(http-www.idp.com-127.0.0.1-8080-1) PLFED000253: Exception in processing
request:
org.picketlink.identity.federation.core.exceptions.ProcessingException:
PLFED000145: Signature Validation failed
at
org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)
at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)
at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)
at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)
at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)
at
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
[sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
at
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
[sso-integration-1.3.1.Final.jar:1.3.1.Final]
at
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
[jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
[jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
[jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
Caused by: java.lang.IllegalArgumentException: PLFED000078: Null Parameter:
queryString
at
org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)
at
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)
at
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)
at
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)
at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)
... 15 more
On Thu, Oct 10, 2013 at 8:01 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
Hi,
you can try to declare in the
GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xmla
ValidatingDomain directive like:
<ValidatingAlias Key="127.0.0.1" Value="secure-key"/>
Even though Google SAML requests are not signed, PicketLink requires that
there is validating key corresponding to each SAMLRequest. When a key is
not found for a specific domain (in this case google.com), PicketLink
will search for keys with the alias 127.0.0.1 . You can use alias for any
key you have declared in your keystore. It will be used just as placeholder
as SAML requests from Google are not signed, so validation won't be checked
anyway.
Marek
On 10.10.2013 11:55, Tuyen The Nguyen wrote:
Hi all,
I'm configuring SSO for gatein 3.5 with google and salefore use SAML2
protocol.
I follow by three docs:
https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce...
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
When i try to login to google, it redirect to IDP (use gatein) and login
success, but when redirect back to google, i meet error "google could not
parse the login request" and i can't login.
I see an exception on console of gatein:
16:26:01,844 ERROR [org.picketlink.identity.federation]
(http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception in processing
request: java.lang.IllegalStateException: PLFED000058: KeyStoreKeyManager :
Domain Alias missing for : 127.0.0.1
at
org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
at
org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
at
org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
at
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
[sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
at
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
[sso-integration-1.3.1.Final.jar:1.3.1.Final]
at
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
[jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
[jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
*Is there any one know how to fix this problem?*
Tuyen Nguyen The.
_______________________________________________
gatein-dev mailing
listgatein-dev@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/gatein-dev
11:31 a.m.
This error is caused by the fact that Picketlink (GateIn) is trying to
validate signature from the SAMLRequest from Google, but SAML requests
from Google are not signed. To disable validation, you need to correctly
configure sp-metadata as described in the docs
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
. You should have something like this in metadata file:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
*entityID="google.com/a/yourdomain1.mygbiz.com"*
validUntil="2022-06-13T21:46:02.496Z">
<md:SPSSODescriptor *AuthnRequestsSigned="false"*
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" />
</md:EntityDescriptor>
Note that entityId must be either "google.com/a/yourdomain1.mygbiz.com"
(replace yourdomain1 with the name of your Google apps domain) or just
"google.com" . It depends on settings of option "Use a domain specific
issuer" which can be specified on Google Apps page (If true, Google will
use SAMLRequest with entity "google.com/a/yourdomain1.mygbiz.com", If
false, Google will use SAMLRequest with entity "google.com").
I would recomment to use Firefox plugin "SAML tracer", which will show
you decoded SAMLRequest in the browser, so that you will see what is the
domain name used by Google for SAMLRequest and same value must be used
as entityId in metadata.
Cheers,
Marek
On 14.10.2013 06:11, Tuyen The Nguyen wrote:
Hi,
Follow by docs, i generate certificate file by command:
*/keytool -export -keystore jbid_test_keystore.jks -alias servercert
-file test-certificate.crt/*
And then upload file test-certificate.crt to google.
Then i try to declare in the
GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
a ValidatingDomain
*/<ValidatingAlias Key="127.0.0.1" Value="servercert"/>/*
I see other exception on gatein site.
And when i change the value of gatein.sso.sp.host in
configuration.properties file as:
gatein.sso.sp.host=google.com <http://google.com>
I also see the same exception.
*Exception:*
10:21:20,112 ERROR [org.picketlink.identity.federation]
(http-www.idp.com-127.0.0.1-8080-1) PLFED000253: Exception in
processing request:
org.picketlink.identity.federation.core.exceptions.ProcessingException: PLFED000145:
Signature Validation failed
at
org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)
at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)
at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)
at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)
at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)
at
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
[sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
at
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
[sso-integration-1.3.1.Final.jar:1.3.1.Final]
at
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
[jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
[jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
Caused by: java.lang.IllegalArgumentException: PLFED000078: Null
Parameter: queryString
at
org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)
at
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)
at
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)
at
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)
at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)
... 15 more
On Thu, Oct 10, 2013 at 8:01 PM, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
Hi,
you can try to declare in the
|GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml|
a ValidatingDomain directive like:
<ValidatingAlias Key="127.0.0.1" Value="secure-key"/>
Even though Google SAML requests are not signed, PicketLink
requires that there is validating key corresponding to each
SAMLRequest. When a key is not found for a specific domain (in
this case google.com <http://google.com>), PicketLink will search
for keys with the alias |127.0.0.1| . You can use alias for any
key you have declared in your keystore. It will be used just as
placeholder as SAML requests from Google are not signed, so
validation won't be checked anyway.
Marek
On 10.10.2013 11:55, Tuyen The Nguyen wrote:
> Hi all,
>
> I'm configuring SSO for gatein 3.5 with google and salefore use
> SAML2 protocol.
> I follow by three docs:
> https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce...
> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
>
> When i try to login to google, it redirect to IDP (use gatein)
> and login success, but when redirect back to google, i meet error
> "google could not parse the login request" and i can't login.
> I see an exception on console of gatein:
>
> 16:26:01,844 ERROR [org.picketlink.identity.federation]
> (http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception in
> processing request: java.lang.IllegalStateException: PLFED000058:
> KeyStoreKeyManager : Domain Alias missing for : 127.0.0.1
> at
>
org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
> at
>
org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
> at
>
org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
> at
>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
> at
>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
> at
>
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
> [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
> at
> org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
> [sso-integration-1.3.1.Final.jar:1.3.1.Final]
> at
>
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
>
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
> at
>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
> [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> [jbossweb-7.0.13.Final.jar:]
> at
>
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
> [jbossweb-7.0.13.Final.jar:]
> at
>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
> [jbossweb-7.0.13.Final.jar:]
> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
> *Is there any one know how to fix this problem?*
>
> Tuyen Nguyen The.
>
>
> _______________________________________________
> gatein-dev mailing list
> gatein-dev(a)lists.jboss.org <mailto:gatein-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/gatein-dev
9:34 p.m.
Hi,
Do you have experience about config sso in saleforce. I'm trying to
configure sso on saleforce, but it doesn't work.
I registered a developer account and register domain
tuyennt-dev-ed.my.salesforce.com in "my domain" menu
I configure as attached image, but when i access to
https://tuyennt-dev-ed.my.salesforce.com/, i see saleforce login-form, not
gatein login-form as expected.
Thanks!
On Mon, Oct 14, 2013 at 11:31 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
This error is caused by the fact that Picketlink (GateIn) is trying
to
validate signature from the SAMLRequest from Google, but SAML requests from
Google are not signed. To disable validation, you need to correctly
configure sp-metadata as described in the docs
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App.... You
should have something like this in metadata file:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" *
entityID="google.com/a/yourdomain1.mygbiz.com"*validUntil="...
<md:SPSSODescriptor
*AuthnRequestsSigned="false"*WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" />
</md:EntityDescriptor>
Note that entityId must be either "google.com/a/yourdomain1.mygbiz.com"
(replace yourdomain1 with the name of your Google apps domain) or just "
google.com" . It depends on settings of option "Use a domain specific
issuer" which can be specified on Google Apps page (If true, Google will
use SAMLRequest with entity "google.com/a/yourdomain1.mygbiz.com", If
false, Google will use SAMLRequest with entity "google.com").
I would recomment to use Firefox plugin "SAML tracer", which will show you
decoded SAMLRequest in the browser, so that you will see what is the domain
name used by Google for SAMLRequest and same value must be used as entityId
in metadata.
Cheers,
Marek
On 14.10.2013 06:11, Tuyen The Nguyen wrote:
Hi,
Follow by docs, i generate certificate file by command:
*keytool -export -keystore jbid_test_keystore.jks -alias servercert
-file test-certificate.crt*
And then upload file test-certificate.crt to google.
Then i try to declare in the
GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
a ValidatingDomain
*<ValidatingAlias Key="127.0.0.1" Value="servercert"/>*
I see other exception on gatein site.
And when i change the value of gatein.sso.sp.host in
configuration.properties file as:
gatein.sso.sp.host=google.com
I also see the same exception.
*Exception:*
10:21:20,112 ERROR [org.picketlink.identity.federation]
(http-www.idp.com-127.0.0.1-8080-1) PLFED000253: Exception in processing
request:
org.picketlink.identity.federation.core.exceptions.ProcessingException:
PLFED000145: Signature Validation failed
at
org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)
at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)
at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)
at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)
at
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)
at
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
[sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
at
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
[sso-integration-1.3.1.Final.jar:1.3.1.Final]
at
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
[jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
[jbossweb-7.0.13.Final.jar:]
at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
[jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
Caused by: java.lang.IllegalArgumentException: PLFED000078: Null
Parameter: queryString
at
org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)
at
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)
at
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)
at
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)
at
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)
... 15 more
On Thu, Oct 10, 2013 at 8:01 PM, Marek Posolda <mposolda(a)redhat.com>wrote:
> Hi,
>
> you can try to declare in the
> GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xmla
ValidatingDomain directive like:
>
> <ValidatingAlias Key="127.0.0.1" Value="secure-key"/>
>
> Even though Google SAML requests are not signed, PicketLink requires that
> there is validating key corresponding to each SAMLRequest. When a key is
> not found for a specific domain (in this case google.com), PicketLink
> will search for keys with the alias 127.0.0.1 . You can use alias for
> any key you have declared in your keystore. It will be used just as
> placeholder as SAML requests from Google are not signed, so validation
> won't be checked anyway.
>
> Marek
>
>
> On 10.10.2013 11:55, Tuyen The Nguyen wrote:
>
> Hi all,
>
> I'm configuring SSO for gatein 3.5 with google and salefore use SAML2
> protocol.
> I follow by three docs:
> https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
>
> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce...
>
> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
>
> When i try to login to google, it redirect to IDP (use gatein) and
> login success, but when redirect back to google, i meet error "google could
> not parse the login request" and i can't login.
> I see an exception on console of gatein:
>
> 16:26:01,844 ERROR [org.picketlink.identity.federation]
> (http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception in processing
> request: java.lang.IllegalStateException: PLFED000058: KeyStoreKeyManager :
> Domain Alias missing for : 127.0.0.1
> at
>
org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
> at
>
org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
> at
>
org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
> at
>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
> at
>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
> at
>
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
> [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
> at
> org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
> [sso-integration-1.3.1.Final.jar:1.3.1.Final]
> at
>
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
>
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
> at
>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
> [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
> [jbossweb-7.0.13.Final.jar:]
> at
>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
> [jbossweb-7.0.13.Final.jar:]
> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
> *Is there any one know how to fix this problem?*
>
> Tuyen Nguyen The.
>
>
> _______________________________________________
> gatein-dev mailing
listgatein-dev@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/gatein-dev
>
>
>
2:33 a.m.
Hi,
there are some differences between recommended setup and your setup. See
here
https://docs.jboss.org/author/display/GTNPORTAL36/SAML2#SAML2-Integration...
. You will need to choose "Assertion contains the Federation ID from the
User object", otherwise integration won't work. I would recommend to
configure EntityId to be "https://saml.salesforce.com" and Issuer to be
"http://www.idp.com:8080/portal/dologin" without slash in the end. Also
make sure that you have GateIn running and bind to correct address and
you can access "http://www.idp.com:8080/portal" from your browser.
Hope this helps,
Marek
On 18.10.2013 04:34, Tuyen The Nguyen wrote:
Hi,
Do you have experience about config sso in saleforce. I'm trying to
configure sso on saleforce, but it doesn't work.
I registered a developer account and register domain
tuyennt-dev-ed.my.salesforce.com
<http://tuyennt-dev-ed.my.salesforce.com> in "my domain" menu
I configure as attached image, but when i access to
https://tuyennt-dev-ed.my.salesforce.com/, i see saleforce login-form,
not gatein login-form as expected.
Thanks!
On Mon, Oct 14, 2013 at 11:31 PM, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
This error is caused by the fact that Picketlink (GateIn) is
trying to validate signature from the SAMLRequest from Google, but
SAML requests from Google are not signed. To disable validation,
you need to correctly configure sp-metadata as described in the
docs
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
. You should have something like this in metadata file:
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
*entityID="google.com/a/yourdomain1.mygbiz.com
<http://google.com/a/yourdomain1.mygbiz.com>"*
validUntil="2022-06-13T21:46:02.496Z">
<md:SPSSODescriptor *AuthnRequestsSigned="false"*
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" />
</md:EntityDescriptor>
Note that entityId must be either
"google.com/a/yourdomain1.mygbiz.com
<http://google.com/a/yourdomain1.mygbiz.com>" (replace yourdomain1
with the name of your Google apps domain) or just "google.com
<http://google.com>" . It depends on settings of option "Use a
domain specific issuer" which can be specified on Google Apps page
(If true, Google will use SAMLRequest with entity
"google.com/a/yourdomain1.mygbiz.com
<http://google.com/a/yourdomain1.mygbiz.com>";, If false, Google
will use SAMLRequest with entity "google.com <http://google.com>").
I would recomment to use Firefox plugin "SAML tracer", which will
show you decoded SAMLRequest in the browser, so that you will see
what is the domain name used by Google for SAMLRequest and same
value must be used as entityId in metadata.
Cheers,
Marek
On 14.10.2013 06:11, Tuyen The Nguyen wrote:
> Hi,
>
> Follow by docs, i generate certificate file by command:
> */keytool -export -keystore jbid_test_keystore.jks -alias
> servercert -file test-certificate.crt/*
> And then upload file test-certificate.crt to google.
>
> Then i try to declare in the
>
GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
> a ValidatingDomain
> */<ValidatingAlias Key="127.0.0.1"
Value="servercert"/>/*
>
> I see other exception on gatein site.
> And when i change the value of gatein.sso.sp.host in
> configuration.properties file as:
> gatein.sso.sp.host=google.com <http://google.com>
> I also see the same exception.
>
> *Exception:*
>
> 10:21:20,112 ERROR [org.picketlink.identity.federation]
> (http-www.idp.com-127.0.0.1-8080-1) PLFED000253: Exception in
> processing request:
> org.picketlink.identity.federation.core.exceptions.ProcessingException:
> PLFED000145: Signature Validation failed
> at
>
org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)
> at
>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)
> at
>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)
> at
>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)
> at
>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)
> at
>
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
> [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
> at
> org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
> [sso-integration-1.3.1.Final.jar:1.3.1.Final]
> at
>
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
>
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
> at
>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
> [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> [jbossweb-7.0.13.Final.jar:]
> at
>
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
> [jbossweb-7.0.13.Final.jar:]
> at
>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
> [jbossweb-7.0.13.Final.jar:]
> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
> Caused by: java.lang.IllegalArgumentException: PLFED000078: Null
> Parameter: queryString
> at
>
org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)
> at
>
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)
> at
>
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)
> at
>
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)
> at
>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)
> ... 15 more
>
>
> On Thu, Oct 10, 2013 at 8:01 PM, Marek Posolda
> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
>
> Hi,
>
> you can try to declare in the
>
|GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml|
> a ValidatingDomain directive like:
>
> <ValidatingAlias Key="127.0.0.1"
Value="secure-key"/>
>
> Even though Google SAML requests are not signed, PicketLink
> requires that there is validating key corresponding to each
> SAMLRequest. When a key is not found for a specific domain
> (in this case google.com <http://google.com>), PicketLink
> will search for keys with the alias |127.0.0.1| . You can use
> alias for any key you have declared in your keystore. It will
> be used just as placeholder as SAML requests from Google are
> not signed, so validation won't be checked anyway.
>
> Marek
>
>
> On 10.10.2013 11:55, Tuyen The Nguyen wrote:
>> Hi all,
>>
>> I'm configuring SSO for gatein 3.5 with google and salefore
>> use SAML2 protocol.
>> I follow by three docs:
>> https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
>>
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce...
>>
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
>>
>> When i try to login to google, it redirect to IDP (use
>> gatein) and login success, but when redirect back to google,
>> i meet error "google could not parse the login request" and
>> i can't login.
>> I see an exception on console of gatein:
>>
>> 16:26:01,844 ERROR [org.picketlink.identity.federation]
>> (http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception
>> in processing request: java.lang.IllegalStateException:
>> PLFED000058: KeyStoreKeyManager : Domain Alias missing for :
>> 127.0.0.1
>> at
>>
org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
>> at
>>
org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
>> at
>>
org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
>> at
>>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
>> at
>>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
>> at
>>
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
>> [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
>> at
>>
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
>> [sso-integration-1.3.1.Final.jar:1.3.1.Final]
>> at
>>
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
>>
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
>> at
>>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
>> [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>> at
>>
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>>
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>>
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>>
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>>
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
>> [jbossweb-7.0.13.Final.jar:]
>> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
>> *Is there any one know how to fix this problem?*
>>
>> Tuyen Nguyen The.
>>
>>
>> _______________________________________________
>> gatein-dev mailing list
>> gatein-dev(a)lists.jboss.org <mailto:gatein-dev@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>
>
8:51 p.m.
Hi,
I tried to reconfigure as you recommended, But i still meet the same
problems, when i try to access, it still don't redirect to idp site.
I'm sure that i can access http://www.idp.com:8080/portal from my browser
and i can login.
Do you have any other suggestion?
Thanks!
Nguyen The Tuyen.
On Fri, Oct 18, 2013 at 2:33 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
Hi,
there are some differences between recommended setup and your setup. See
here
https://docs.jboss.org/author/display/GTNPORTAL36/SAML2#SAML2-Integration....
You will need to choose "Assertion contains the Federation ID from the
User object", otherwise integration won't work. I would recommend to
configure EntityId to be
"https://saml.salesforce.com"<https://saml.salesforce.com>and Issuer to
be
"http://www.idp.com:8080/portal/dologin"<http://www.idp.com:8080/portal/dologin>without
slash in the end. Also make sure that you have GateIn running and
bind to correct address and you can access
"http://www.idp.com:8080/portal" <http://www.idp.com:8080/portal> from
your browser.
Hope this helps,
Marek
On 18.10.2013 04:34, Tuyen The Nguyen wrote:
Hi,
Do you have experience about config sso in saleforce. I'm trying to
configure sso on saleforce, but it doesn't work.
I registered a developer account and register domain
tuyennt-dev-ed.my.salesforce.com in "my domain" menu
I configure as attached image, but when i access to
https://tuyennt-dev-ed.my.salesforce.com/, i see saleforce login-form,
not gatein login-form as expected.
Thanks!
On Mon, Oct 14, 2013 at 11:31 PM, Marek Posolda <mposolda(a)redhat.com>wrote:
> This error is caused by the fact that Picketlink (GateIn) is trying to
> validate signature from the SAMLRequest from Google, but SAML requests from
> Google are not signed. To disable validation, you need to correctly
> configure sp-metadata as described in the docs
> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App.... You
should have something like this in metadata file:
>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
*
>
entityID="google.com/a/yourdomain1.mygbiz.com"*validUntil="...
> <md:SPSSODescriptor
*AuthnRequestsSigned="false"*WantAssertionsSigned="true"
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" />
> </md:EntityDescriptor>
>
> Note that entityId must be either "google.com/a/yourdomain1.mygbiz.com"
> (replace yourdomain1 with the name of your Google apps domain) or just "
> google.com" . It depends on settings of option "Use a domain specific
> issuer" which can be specified on Google Apps page (If true, Google will
> use SAMLRequest with entity "google.com/a/yourdomain1.mygbiz.com", If
> false, Google will use SAMLRequest with entity "google.com").
>
> I would recomment to use Firefox plugin "SAML tracer", which will show
> you decoded SAMLRequest in the browser, so that you will see what is the
> domain name used by Google for SAMLRequest and same value must be used as
> entityId in metadata.
>
> Cheers,
> Marek
>
>
> On 14.10.2013 06:11, Tuyen The Nguyen wrote:
>
> Hi,
>
> Follow by docs, i generate certificate file by command:
> *keytool -export -keystore jbid_test_keystore.jks -alias servercert
> -file test-certificate.crt*
> And then upload file test-certificate.crt to google.
>
> Then i try to declare in the
> GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
> a ValidatingDomain
> *<ValidatingAlias Key="127.0.0.1" Value="servercert"/>*
>
> I see other exception on gatein site.
> And when i change the value of gatein.sso.sp.host in
> configuration.properties file as:
> gatein.sso.sp.host=google.com
> I also see the same exception.
>
> *Exception:*
>
> 10:21:20,112 ERROR [org.picketlink.identity.federation]
> (http-www.idp.com-127.0.0.1-8080-1) PLFED000253: Exception in processing
> request:
> org.picketlink.identity.federation.core.exceptions.ProcessingException:
> PLFED000145: Signature Validation failed
> at
>
org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)
> at
>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)
> at
>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)
> at
>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)
> at
>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)
> at
>
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
> [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
> at
> org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
> [sso-integration-1.3.1.Final.jar:1.3.1.Final]
> at
>
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
>
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
> at
>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
> [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
> [jbossweb-7.0.13.Final.jar:]
> at
>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
> [jbossweb-7.0.13.Final.jar:]
> at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
> [jbossweb-7.0.13.Final.jar:]
> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
> Caused by: java.lang.IllegalArgumentException: PLFED000078: Null
> Parameter: queryString
> at
>
org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)
> at
>
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)
> at
>
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)
> at
>
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)
> at
>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)
> ... 15 more
>
>
> On Thu, Oct 10, 2013 at 8:01 PM, Marek Posolda <mposolda(a)redhat.com>wrote:
>
>> Hi,
>>
>> you can try to declare in the
>>
GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xmla
ValidatingDomain directive like:
>>
>> <ValidatingAlias Key="127.0.0.1" Value="secure-key"/>
>>
>> Even though Google SAML requests are not signed, PicketLink requires
>> that there is validating key corresponding to each SAMLRequest. When a key
>> is not found for a specific domain (in this case google.com),
>> PicketLink will search for keys with the alias 127.0.0.1 . You can use
>> alias for any key you have declared in your keystore. It will be used just
>> as placeholder as SAML requests from Google are not signed, so validation
>> won't be checked anyway.
>>
>> Marek
>>
>>
>> On 10.10.2013 11:55, Tuyen The Nguyen wrote:
>>
>> Hi all,
>>
>> I'm configuring SSO for gatein 3.5 with google and salefore use SAML2
>> protocol.
>> I follow by three docs:
>> https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
>>
>> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce...
>>
>> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
>>
>> When i try to login to google, it redirect to IDP (use gatein) and
>> login success, but when redirect back to google, i meet error "google could
>> not parse the login request" and i can't login.
>> I see an exception on console of gatein:
>>
>> 16:26:01,844 ERROR [org.picketlink.identity.federation]
>> (http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception in processing
>> request: java.lang.IllegalStateException: PLFED000058: KeyStoreKeyManager :
>> Domain Alias missing for : 127.0.0.1
>> at
>>
org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
>> at
>>
org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
>> at
>>
org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
>> at
>>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
>> at
>>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
>> at
>>
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
>> [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
>> at
>> org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
>> [sso-integration-1.3.1.Final.jar:1.3.1.Final]
>> at
>>
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
>>
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
>> at
>>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
>> [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>>
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
>> [jbossweb-7.0.13.Final.jar:]
>> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
>> *Is there any one know how to fix this problem?*
>>
>> Tuyen Nguyen The.
>>
>>
>> _______________________________________________
>> gatein-dev mailing
listgatein-dev@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/gatein-dev
>>
>>
>>
>
>
2:50 a.m.
Hi,
settings of your Salesforce domain are quite same like mine, but
according to your screenshot, there seems to be one difference. It seems
that for SSO, you enabled option "Enable Multiple configs", am I right?
TBH, I don't want to try it for my domain as in Salesforce it's
mentioned that "Once you enable this feature, you can't disable it." :-)
So it's possible that Salesforce URL for init SAML SSO flow is different
for your domain because of this. I am seeing two possibilities:
- Do some investigation in Salesforce and investigate what should be
done to initiate SAML flow when the option "Enable Multiple configs" is
enabled. Especially what is correct URL on Salesforce, which will
redirect you to "http://www.idp.com:8080/portal" with SAMLRequest
attached. It's possible that this settings don't support SP-initiated
login, which means that it's not possible to setup it...
- You can create another domain and configure SSO and all other settings
again, but keep "Enable Multiple configs" disabled.
Hope this helps,
Marek
On 21.10.2013 03:51, Tuyen The Nguyen wrote:
Hi,
I tried to reconfigure as you recommended, But i still meet the same
problems, when i try to access, it still don't redirect to idp site.
I'm sure that i can access http://www.idp.com:8080/portal from my
browser and i can login.
Do you have any other suggestion?
Thanks!
Nguyen The Tuyen.
On Fri, Oct 18, 2013 at 2:33 PM, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
Hi,
there are some differences between recommended setup and your
setup. See here
https://docs.jboss.org/author/display/GTNPORTAL36/SAML2#SAML2-Integration...
. You will need to choose "Assertion contains the Federation ID
from the User object", otherwise integration won't work. I would
recommend to configure EntityId to be
"https://saml.salesforce.com" <https://saml.salesforce.com> and
Issuer to be "http://www.idp.com:8080/portal/dologin"
<http://www.idp.com:8080/portal/dologin> without slash in the end.
Also make sure that you have GateIn running and bind to correct
address and you can access "http://www.idp.com:8080/portal"
<http://www.idp.com:8080/portal> from your browser.
Hope this helps,
Marek
On 18.10.2013 04:34, Tuyen The Nguyen wrote:
> Hi,
>
> Do you have experience about config sso in saleforce. I'm trying
> to configure sso on saleforce, but it doesn't work.
>
> I registered a developer account and register domain
> tuyennt-dev-ed.my.salesforce.com
> <http://tuyennt-dev-ed.my.salesforce.com> in "my domain" menu
>
> I configure as attached image, but when i access to
> https://tuyennt-dev-ed.my.salesforce.com/, i see saleforce
> login-form, not gatein login-form as expected.
>
>
> Thanks!
>
>
>
> On Mon, Oct 14, 2013 at 11:31 PM, Marek Posolda
> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
>
> This error is caused by the fact that Picketlink (GateIn) is
> trying to validate signature from the SAMLRequest from
> Google, but SAML requests from Google are not signed. To
> disable validation, you need to correctly configure
> sp-metadata as described in the docs
>
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
> . You should have something like this in metadata file:
>
> <md:EntityDescriptor
> xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
> *entityID="google.com/a/yourdomain1.mygbiz.com
> <http://google.com/a/yourdomain1.mygbiz.com>"*
> validUntil="2022-06-13T21:46:02.496Z">
> <md:SPSSODescriptor *AuthnRequestsSigned="false"*
> WantAssertionsSigned="true"
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
> />
> </md:EntityDescriptor>
>
> Note that entityId must be either
> "google.com/a/yourdomain1.mygbiz.com
> <http://google.com/a/yourdomain1.mygbiz.com>" (replace
> yourdomain1 with the name of your Google apps domain) or just
> "google.com <http://google.com>" . It depends on settings of
> option "Use a domain specific issuer" which can be specified
> on Google Apps page (If true, Google will use SAMLRequest
> with entity "google.com/a/yourdomain1.mygbiz.com
> <http://google.com/a/yourdomain1.mygbiz.com>";, If false,
> Google will use SAMLRequest with entity "google.com
> <http://google.com>").
>
> I would recomment to use Firefox plugin "SAML tracer", which
> will show you decoded SAMLRequest in the browser, so that you
> will see what is the domain name used by Google for
> SAMLRequest and same value must be used as entityId in metadata.
>
> Cheers,
> Marek
>
>
> On 14.10.2013 06:11, Tuyen The Nguyen wrote:
>> Hi,
>>
>> Follow by docs, i generate certificate file by command:
>> */keytool -export -keystore jbid_test_keystore.jks -alias
>> servercert -file test-certificate.crt/*
>> And then upload file test-certificate.crt to google.
>>
>> Then i try to declare in the
>>
GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
>> a ValidatingDomain
>> */<ValidatingAlias Key="127.0.0.1"
Value="servercert"/>/*
>>
>> I see other exception on gatein site.
>> And when i change the value of gatein.sso.sp.host in
>> configuration.properties file as:
>> gatein.sso.sp.host=google.com <http://google.com>
>> I also see the same exception.
>>
>> *Exception:*
>>
>> 10:21:20,112 ERROR [org.picketlink.identity.federation]
>> (http-www.idp.com-127.0.0.1-8080-1) PLFED000253: Exception
>> in processing request:
>> org.picketlink.identity.federation.core.exceptions.ProcessingException:
>> PLFED000145: Signature Validation failed
>> at
>>
org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)
>> at
>>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)
>> at
>>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)
>> at
>>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)
>> at
>>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)
>> at
>>
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
>> [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
>> at
>>
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
>> [sso-integration-1.3.1.Final.jar:1.3.1.Final]
>> at
>>
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
>>
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
>> at
>>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
>> [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>> at
>>
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>>
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>>
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>>
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>>
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
>> [jbossweb-7.0.13.Final.jar:]
>> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
>> Caused by: java.lang.IllegalArgumentException: PLFED000078:
>> Null Parameter: queryString
>> at
>>
org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)
>> at
>>
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)
>> at
>>
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)
>> at
>>
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)
>> at
>>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)
>> ... 15 more
>>
>>
>> On Thu, Oct 10, 2013 at 8:01 PM, Marek Posolda
>> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
>>
>> Hi,
>>
>> you can try to declare in the
>>
|GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml|
>> a ValidatingDomain directive like:
>>
>> <ValidatingAlias Key="127.0.0.1"
Value="secure-key"/>
>>
>> Even though Google SAML requests are not signed,
>> PicketLink requires that there is validating key
>> corresponding to each SAMLRequest. When a key is not
>> found for a specific domain (in this case google.com
>> <http://google.com>), PicketLink will search for keys
>> with the alias |127.0.0.1| . You can use alias for any
>> key you have declared in your keystore. It will be used
>> just as placeholder as SAML requests from Google are not
>> signed, so validation won't be checked anyway.
>>
>> Marek
>>
>>
>> On 10.10.2013 11:55, Tuyen The Nguyen wrote:
>>> Hi all,
>>>
>>> I'm configuring SSO for gatein 3.5 with google and
>>> salefore use SAML2 protocol.
>>> I follow by three docs:
>>> https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
>>>
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce...
>>>
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
>>>
>>> When i try to login to google, it redirect to IDP (use
>>> gatein) and login success, but when redirect back to
>>> google, i meet error "google could not parse the login
>>> request" and i can't login.
>>> I see an exception on console of gatein:
>>>
>>> 16:26:01,844 ERROR [org.picketlink.identity.federation]
>>> (http-www.idp.com-127.0.0.1-8080-7) PLFED000253:
>>> Exception in processing request:
>>> java.lang.IllegalStateException: PLFED000058:
>>> KeyStoreKeyManager : Domain Alias missing for : 127.0.0.1
>>> at
>>>
org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
>>> at
>>>
org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
>>> at
>>>
org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
>>> at
>>>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
>>> at
>>>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
>>> at
>>>
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)[sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
>>> at
>>>
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)[sso-integration-1.3.1.Final.jar:1.3.1.Final]
>>> at
>>>
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
>>>
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
>>> at
>>>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)[jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>>> at
>>>
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>>
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>>
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>>
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>>
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>>
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
>>> *Is there any one know how to fix this problem?*
>>>
>>> Tuyen Nguyen The.
>>>
>>>
>>> _______________________________________________
>>> gatein-dev mailing list
>>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>>
>>
>
>
3:02 a.m.
BTW. aren't you seeing on Salesforce login page something like normal
Salesforce login form on left part on the page and on right part of the
page something like "Or log in with" and button "tuyennt-dev-ed" (name
of your SSO provider)? Something like screenshot on this page
http://blog.force365.com/2013/07/30/multi-provider-single-sign-on/ ?
Cheers,
Marek
On 21.10.2013 09:50, Marek Posolda wrote:
Hi,
settings of your Salesforce domain are quite same like mine, but
according to your screenshot, there seems to be one difference. It
seems that for SSO, you enabled option "Enable Multiple configs", am I
right? TBH, I don't want to try it for my domain as in Salesforce it's
mentioned that "Once you enable this feature, you can't disable it." :-)
So it's possible that Salesforce URL for init SAML SSO flow is
different for your domain because of this. I am seeing two possibilities:
- Do some investigation in Salesforce and investigate what should be
done to initiate SAML flow when the option "Enable Multiple configs"
is enabled. Especially what is correct URL on Salesforce, which will
redirect you to "http://www.idp.com:8080/portal" with SAMLRequest
attached. It's possible that this settings don't support SP-initiated
login, which means that it's not possible to setup it...
- You can create another domain and configure SSO and all other
settings again, but keep "Enable Multiple configs" disabled.
Hope this helps,
Marek
On 21.10.2013 03:51, Tuyen The Nguyen wrote:
> Hi,
>
> I tried to reconfigure as you recommended, But i still meet the same
> problems, when i try to access, it still don't redirect to idp site.
>
> I'm sure that i can access http://www.idp.com:8080/portal from my
> browser and i can login.
>
> Do you have any other suggestion?
>
> Thanks!
>
> Nguyen The Tuyen.
>
>
>
> On Fri, Oct 18, 2013 at 2:33 PM, Marek Posolda <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com>> wrote:
>
> Hi,
>
> there are some differences between recommended setup and your
> setup. See here
>
https://docs.jboss.org/author/display/GTNPORTAL36/SAML2#SAML2-Integration...
> . You will need to choose "Assertion contains the Federation ID
> from the User object", otherwise integration won't work. I would
> recommend to configure EntityId to be
> "https://saml.salesforce.com" <https://saml.salesforce.com> and
> Issuer to be "http://www.idp.com:8080/portal/dologin"
> <http://www.idp.com:8080/portal/dologin> without slash in the
> end. Also make sure that you have GateIn running and bind to
> correct address and you can access
> "http://www.idp.com:8080/portal"
<http://www.idp.com:8080/portal>
> from your browser.
>
> Hope this helps,
> Marek
>
>
>
> On 18.10.2013 04:34, Tuyen The Nguyen wrote:
>> Hi,
>>
>> Do you have experience about config sso in saleforce. I'm trying
>> to configure sso on saleforce, but it doesn't work.
>>
>> I registered a developer account and register domain
>> tuyennt-dev-ed.my.salesforce.com
>> <http://tuyennt-dev-ed.my.salesforce.com> in "my domain"
menu
>>
>> I configure as attached image, but when i access to
>> https://tuyennt-dev-ed.my.salesforce.com/, i see saleforce
>> login-form, not gatein login-form as expected.
>>
>>
>> Thanks!
>>
>>
>>
>> On Mon, Oct 14, 2013 at 11:31 PM, Marek Posolda
>> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
>>
>> This error is caused by the fact that Picketlink (GateIn) is
>> trying to validate signature from the SAMLRequest from
>> Google, but SAML requests from Google are not signed. To
>> disable validation, you need to correctly configure
>> sp-metadata as described in the docs
>>
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
>> . You should have something like this in metadata file:
>>
>> <md:EntityDescriptor
>> xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>> *entityID="google.com/a/yourdomain1.mygbiz.com
>> <http://google.com/a/yourdomain1.mygbiz.com>"*
>> validUntil="2022-06-13T21:46:02.496Z">
>> <md:SPSSODescriptor *AuthnRequestsSigned="false"*
>> WantAssertionsSigned="true"
>>
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
>> />
>> </md:EntityDescriptor>
>>
>> Note that entityId must be either
>> "google.com/a/yourdomain1.mygbiz.com
>> <http://google.com/a/yourdomain1.mygbiz.com>" (replace
>> yourdomain1 with the name of your Google apps domain) or
>> just "google.com <http://google.com>" . It depends on
>> settings of option "Use a domain specific issuer" which can
>> be specified on Google Apps page (If true, Google will use
>> SAMLRequest with entity "google.com/a/yourdomain1.mygbiz.com
>> <http://google.com/a/yourdomain1.mygbiz.com>";, If false,
>> Google will use SAMLRequest with entity "google.com
>> <http://google.com>").
>>
>> I would recomment to use Firefox plugin "SAML tracer", which
>> will show you decoded SAMLRequest in the browser, so that
>> you will see what is the domain name used by Google for
>> SAMLRequest and same value must be used as entityId in metadata.
>>
>> Cheers,
>> Marek
>>
>>
>> On 14.10.2013 06:11, Tuyen The Nguyen wrote:
>>> Hi,
>>>
>>> Follow by docs, i generate certificate file by command:
>>> */keytool -export -keystore jbid_test_keystore.jks -alias
>>> servercert -file test-certificate.crt/*
>>> And then upload file test-certificate.crt to google.
>>>
>>> Then i try to declare in the
>>>
GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
>>> a ValidatingDomain
>>> */<ValidatingAlias Key="127.0.0.1"
Value="servercert"/>/*
>>>
>>> I see other exception on gatein site.
>>> And when i change the value of gatein.sso.sp.host in
>>> configuration.properties file as:
>>> gatein.sso.sp.host=google.com <http://google.com>
>>> I also see the same exception.
>>>
>>> *Exception:*
>>>
>>> 10:21:20,112 ERROR [org.picketlink.identity.federation]
>>> (http-www.idp.com-127.0.0.1-8080-1) PLFED000253: Exception
>>> in processing request:
>>>
org.picketlink.identity.federation.core.exceptions.ProcessingException:
>>> PLFED000145: Signature Validation failed
>>> at
>>>
org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)
>>> at
>>>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)
>>> at
>>>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)
>>> at
>>>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)
>>> at
>>>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)
>>> at
>>>
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)[sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
>>> at
>>>
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)[sso-integration-1.3.1.Final.jar:1.3.1.Final]
>>> at
>>>
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
>>>
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
>>> at
>>>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)[jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>>> at
>>>
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>>
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>>
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>>
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>>
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>>
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
>>> Caused by: java.lang.IllegalArgumentException: PLFED000078:
>>> Null Parameter: queryString
>>> at
>>>
org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)
>>> at
>>>
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)
>>> at
>>>
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)
>>> at
>>>
org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)
>>> at
>>>
org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)
>>> ... 15 more
>>>
>>>
>>> On Thu, Oct 10, 2013 at 8:01 PM, Marek Posolda
>>> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>>
wrote:
>>>
>>> Hi,
>>>
>>> you can try to declare in the
>>>
|GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml|
>>> a ValidatingDomain directive like:
>>>
>>> <ValidatingAlias Key="127.0.0.1"
Value="secure-key"/>
>>>
>>> Even though Google SAML requests are not signed,
>>> PicketLink requires that there is validating key
>>> corresponding to each SAMLRequest. When a key is not
>>> found for a specific domain (in this case google.com
>>> <http://google.com>), PicketLink will search for keys
>>> with the alias |127.0.0.1| . You can use alias for any
>>> key you have declared in your keystore. It will be used
>>> just as placeholder as SAML requests from Google are
>>> not signed, so validation won't be checked anyway.
>>>
>>> Marek
>>>
>>>
>>> On 10.10.2013 11:55, Tuyen The Nguyen wrote:
>>>> Hi all,
>>>>
>>>> I'm configuring SSO for gatein 3.5 with google and
>>>> salefore use SAML2 protocol.
>>>> I follow by three docs:
>>>> https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
>>>>
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce...
>>>>
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+App...
>>>>
>>>> When i try to login to google, it redirect to IDP (use
>>>> gatein) and login success, but when redirect back to
>>>> google, i meet error "google could not parse the login
>>>> request" and i can't login.
>>>> I see an exception on console of gatein:
>>>>
>>>> 16:26:01,844 ERROR
>>>> [org.picketlink.identity.federation]
>>>> (http-www.idp.com-127.0.0.1-8080-7) PLFED000253:
>>>> Exception in processing request:
>>>> java.lang.IllegalStateException: PLFED000058:
>>>> KeyStoreKeyManager : Domain Alias missing for : 127.0.0.1
>>>> at
>>>>
org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
>>>> at
>>>>
org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
>>>> at
>>>>
org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
>>>> at
>>>>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
>>>> at
>>>>
org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
>>>> at
>>>>
org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)[sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
>>>> at
>>>>
org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)[sso-integration-1.3.1.Final.jar:1.3.1.Final]
>>>> at
>>>>
org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
>>>>
[exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
>>>> at
>>>>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)[jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>>>> at
>>>>
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)[jbossweb-7.0.13.Final.jar:]
>>>> at
>>>>
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)[jbossweb-7.0.13.Final.jar:]
>>>> at
>>>>
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)[jbossweb-7.0.13.Final.jar:]
>>>> at
>>>>
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)[jbossweb-7.0.13.Final.jar:]
>>>> at
>>>>
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)[jbossweb-7.0.13.Final.jar:]
>>>> at
>>>>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)[jbossweb-7.0.13.Final.jar:]
>>>> at
>>>>
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
>>>> [jbossweb-7.0.13.Final.jar:]
>>>> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
>>>> *Is there any one know how to fix this problem?*
>>>>
>>>> Tuyen Nguyen The.
>>>>
>>>>
>>>> _______________________________________________
>>>> gatein-dev mailing list
>>>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
>>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>>>
>>>
>>
>>
>
>
_______________________________________________
gatein-dev mailing list
gatein-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/gatein-dev
4060
days inactive
4071
days old
8 comments
2 participants
participants (2)
-
Marek Posolda -
Tuyen The Nguyen