[gatein-dev] problem when configuring SAML2 with Google and Salesforce

Marek Posolda mposolda at redhat.com
Thu Oct 10 09:01:38 EDT 2013


Hi,

you can try to declare in
GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
a ValidatingDomain directive like:

<ValidatingAlias  Key="127.0.0.1"  Value="secure-key"/>

Even though Google SAML requests are not signed, PicketLink requires 
that there is a validating key corresponding to each SAMLRequest. When a 
key is not found for a specific domain (in this case google.com), 
PicketLink will search for keys with the alias 127.0.0.1. You can use 
an alias for any key you have declared in your keystore. It will be used 
just as a placeholder, as SAML requests from Google are not signed, so 
validation won't be checked anyway.

Marek

On 10.10.2013 11:55, Tuyen The Nguyen wrote:
> Hi all,
>
> I'm configuring SSO for GateIn 3.5 with Google and Salesforce using the SAML2 
> protocol.
> I followed these three docs:
> https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP
> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP
>
> When I try to log in to Google, it redirects to the IDP (using GateIn) and 
> login succeeds, but when it redirects back to Google, I get the error "google 
> could not parse the login request" and I can't log in.
> I see this exception on the GateIn console:
>
> 16:26:01,844 ERROR [org.picketlink.identity.federation] (http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception in processing request: java.lang.IllegalStateException: PLFED000058: KeyStoreKeyManager : Domain Alias missing for : 127.0.0.1
> at org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
> at org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
> at org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
> at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
> at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
> at org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255) [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
> at org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155) [sso-integration-1.3.1.Final.jar:1.3.1.Final]
> at org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88) [exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
> at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
> *Does anyone know how to fix this problem?*
>
> Tuyen Nguyen The.
>
>
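An added example, not from this thread, PicketLink or GateIn: a small audit of the ValidatingAlias entries in a picketlink-idp.xml, following the lookup order Marek describes (match the SAMLRequest issuer's domain to a ValidatingAlias Key, otherwise fall back to the alias keyed 127.0.0.1). It separates the three states a trusted domain can end up in: its own validating key, the shared placeholder (the request's signature is not really tied to that SP's key), or no key at all (the state behind PLFED000058 in Tuyen's log). The XML is a constructed sample whose element layout is assumed; the keystore aliases and passwords in it are made up.

```python
"""Audit ValidatingAlias coverage in a PicketLink IDP config (added example)."""
import xml.etree.ElementTree as ET

# Alias key PicketLink falls back to when no domain-specific alias exists,
# per the explanation in the thread.
FALLBACK_ALIAS_KEY = "127.0.0.1"

# Constructed sample resembling picketlink-idp.xml. Element layout is an
# assumption; KeyStoreURL, passwords and aliases are invented values.
SAMPLE_CONFIG = """<PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:1.0">
  <IdentityURL>http://www.idp.com:8080/portal/dologin</IdentityURL>
  <Trust>
    <Domains>localhost,google.com,salesforce.com</Domains>
  </Trust>
  <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
    <Auth Key="KeyStoreURL" Value="/path/to/example_keystore.jks"/>
    <Auth Key="KeyStorePass" Value="example-store-pass"/>
    <Auth Key="SigningKeyPass" Value="example-key-pass"/>
    <Auth Key="SigningKeyAlias" Value="servercert"/>
    <ValidatingAlias Key="localhost" Value="servercert"/>
    <ValidatingAlias Key="salesforce.com" Value="salesforce-cert"/>
    <ValidatingAlias Key="127.0.0.1" Value="secure-key"/>
  </KeyProvider>
</PicketLinkIDP>
"""


def _local(tag):
    """Strip the XML namespace so the scan works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_idp_config(xml_text):
    """Return (trusted_domains, {alias_key: keystore_alias})."""
    root = ET.fromstring(xml_text)
    domains, aliases = [], {}
    for el in root.iter():
        name = _local(el.tag)
        if name == "Domains" and el.text:
            domains = [d.strip() for d in el.text.split(",") if d.strip()]
        elif name == "ValidatingAlias":
            aliases[el.get("Key")] = el.get("Value")
    return domains, aliases


def resolve_validating_key(domain, aliases):
    """Mimic the lookup order described in the thread.

    Returns (keystore_alias, how), where how is:
      'domain'      - the domain has its own validating key
      'placeholder' - only the 127.0.0.1 fallback alias matched
      'missing'     - no alias at all (the PLFED000058 condition)
    """
    if domain in aliases:
        return aliases[domain], "domain"
    if FALLBACK_ALIAS_KEY in aliases:
        return aliases[FALLBACK_ALIAS_KEY], "placeholder"
    return None, "missing"


def audit(xml_text):
    """Map every trusted domain to how its validating key would resolve."""
    domains, aliases = parse_idp_config(xml_text)
    return {d: resolve_validating_key(d, aliases) for d in domains}


if __name__ == "__main__":
    for domain, (alias, how) in audit(SAMPLE_CONFIG).items():
        print(f"{domain:15} -> {str(alias):15} ({how})")
```

Run against a real picketlink-idp.xml, a domain reported as "missing" reproduces the failing configuration from the original post, and a domain reported as "placeholder" is one whose requests are accepted without a key of its own, which is exactly the trade-off Marek points out for unsigned Google requests.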
