[gatein-dev] problem when config SAML2 with google and saleforce
Tuyen The Nguyen
tuyennt at exoplatform.com
Mon Oct 14 00:11:00 EDT 2013
Hi,
Following the docs, I generated the certificate file with the command:
keytool -export -keystore jbid_test_keystore.jks -alias servercert -file test-certificate.crt
and then uploaded the file test-certificate.crt to Google.
Then I tried to declare a ValidatingDomain in
GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml:
<ValidatingAlias Key="127.0.0.1" Value="servercert"/>
I see another exception on the GateIn site.
And when I change the value of gatein.sso.sp.host in the
configuration.properties file to:
gatein.sso.sp.host=google.com
I also see the same exception.
Exception:
10:21:20,112 ERROR [org.picketlink.identity.federation] (http-www.idp.com-127.0.0.1-8080-1) PLFED000253: Exception in processing request: org.picketlink.identity.federation.core.exceptions.ProcessingException: PLFED000145: Signature Validation failed
    at org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)
    at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)
    at org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255) [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
    at org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155) [sso-integration-1.3.1.Final.jar:1.3.1.Final]
    at org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88) [exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
    at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
Caused by: java.lang.IllegalArgumentException: PLFED000078: Null Parameter: queryString
    at org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)
    at org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)
    at org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)
    at org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)
    ... 15 more
On Thu, Oct 10, 2013 at 8:01 PM, Marek Posolda <mposolda at redhat.com> wrote:
> Hi,
>
> you can try to declare in the
> GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml a ValidatingDomain directive like:
>
> <ValidatingAlias Key="127.0.0.1" Value="secure-key"/>
>
> Even though Google SAML requests are not signed, PicketLink requires that
> there is a validating key corresponding to each SAMLRequest. When a key is
> not found for a specific domain (in this case google.com), PicketLink
> will search for keys with the alias 127.0.0.1. You can use the alias of any
> key you have declared in your keystore. It will be used just as a placeholder,
> as SAML requests from Google are not signed, so validation won't be checked
> anyway.
>
> Marek
>
>
> On 10.10.2013 11:55, Tuyen The Nguyen wrote:
>
> Hi all,
>
> I'm configuring SSO for GateIn 3.5 with Google and Salesforce using the SAML2
> protocol.
> I followed three docs:
> https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
>
> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP
>
> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP
>
> When I try to log in to Google, it redirects to the IDP (using GateIn) and the
> login succeeds, but when it redirects back to Google I get the error "google
> could not parse the login request" and I can't log in.
> I see an exception on the GateIn console:
>
> 16:26:01,844 ERROR [org.picketlink.identity.federation] (http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception in processing request: java.lang.IllegalStateException: PLFED000058: KeyStoreKeyManager : Domain Alias missing for : 127.0.0.1
>     at org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
>     at org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
>     at org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
>     at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
>     at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
>     at org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255) [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
>     at org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155) [sso-integration-1.3.1.Final.jar:1.3.1.Final]
>     at org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88) [exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
>     at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
>     at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
> Does anyone know how to fix this problem?
>
> Tuyen Nguyen The.
>
>
> _______________________________________________
> gatein-dev mailing list
> gatein-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/gatein-dev
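The two traces in this thread fail at different points: the earlier one while looking up a validating key for the request's issuer (the alias lookup Marek describes), the later one inside Redirect-binding signature verification when the request carries no query string at all. The following is an added example, not GateIn or PicketLink code, showing how an IdP can implement the SAML 2.0 HTTP-Redirect binding so that those conditions (no query string, unsigned request, unknown issuer, bad signature) are reported as distinct errors instead of one generic signature failure. It assumes RSA-SHA256 as the only accepted SigAlg, looks keys up by the AuthnRequest's Issuer value, and uses a constructed minimal AuthnRequest as input; the function and error names are the example's own.

```go
package main

import (
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" // assumption: the only SigAlg accepted here

// Each condition has a different fix, so the IdP reports them separately.
var ErrNoQueryString = errors.New("no query string: not an HTTP-Redirect binding message")
var ErrUnknownIssuer = errors.New("no validating key registered for issuer")
var ErrUnsigned = errors.New("request carries no Signature parameter")
var ErrBadSignature = errors.New("signature validation failed")

// SampleAuthnRequest is a constructed minimal AuthnRequest, not a real SP message.
const SampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" IssueInstant="2013-10-14T04:11:00Z"><saml:Issuer>google.com</saml:Issuer></samlp:AuthnRequest>`

// rawParam returns key's value as it appears on the wire, still percent-encoded.
func rawParam(query, key string) (string, bool) {
	for _, kv := range strings.Split(query, "&") {
		if k, v, _ := strings.Cut(kv, "="); k == key {
			return v, true
		}
	}
	return "", false
}

// BuildRedirectQuery is the SP side: raw-deflate, base64 and URL-encode the request, add RelayState and, if key is non-nil, sign "SAMLRequest=...&RelayState=...&SigAlg=..." in exactly that order.
func BuildRedirectQuery(authnRequest, relayState string, key *rsa.PrivateKey) string {
	var buf strings.Builder
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // errors only on an invalid level
	w.Write([]byte(authnRequest))
	w.Close()
	q := "SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString([]byte(buf.String())))
	q += "&RelayState=" + url.QueryEscape(relayState)
	if key == nil {
		return q // unsigned request; the thread notes that Google's requests are unsigned
	}
	q += "&SigAlg=" + url.QueryEscape(SigAlgRSASHA256)
	digest := sha256.Sum256([]byte(q))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return q + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig))
}

// VerifyRedirectRequest is the IdP side; keys maps an Issuer value to its registered key, with no fallback alias, so each failure names its actual cause.
func VerifyRedirectRequest(query string, keys map[string]*rsa.PublicKey) error {
	if query == "" {
		return ErrNoQueryString
	}
	req, _ := rawParam(query, "SAMLRequest")
	// Reverse the encoding and read Issuer, the value the validating key is looked up by.
	var doc struct{ Issuer string `xml:"Issuer"` }
	b64, err1 := url.QueryUnescape(req)
	deflated, err2 := base64.StdEncoding.DecodeString(b64)
	err3 := xml.NewDecoder(flate.NewReader(strings.NewReader(string(deflated)))).Decode(&doc)
	if err := errors.Join(err1, err2, err3); err != nil {
		return err
	}
	pub, ok := keys[strings.TrimSpace(doc.Issuer)]
	if !ok {
		return ErrUnknownIssuer
	}
	sigRaw, ok := rawParam(query, "Signature")
	if !ok {
		return ErrUnsigned
	}
	// Rebuild the signed string from the raw, still-encoded parameters, in spec order.
	algRaw, _ := rawParam(query, "SigAlg")
	signed := "SAMLRequest=" + req
	if relay, ok := rawParam(query, "RelayState"); ok {
		signed += "&RelayState=" + relay
	}
	signed += "&SigAlg=" + algRaw
	sigB64, _ := url.QueryUnescape(sigRaw)
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	digest := sha256.Sum256([]byte(signed))
	// An unexpected or missing SigAlg is rejected before any key operation runs.
	if alg, _ := url.QueryUnescape(algRaw); alg != SigAlgRSASHA256 || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return ErrBadSignature
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := map[string]*rsa.PublicKey{"google.com": &key.PublicKey}
	fmt.Println("signed:", VerifyRedirectRequest(BuildRedirectQuery(SampleAuthnRequest, "state-1", key), keys))
	fmt.Println("unsigned:", VerifyRedirectRequest(BuildRedirectQuery(SampleAuthnRequest, "state-1", nil), keys))
}
```

Run with go run: the signed request verifies and the unsigned one comes back as ErrUnsigned rather than as a signature failure. The verifier deliberately reconstructs the signed string from the raw query parameters, because the Redirect binding signs the URL-encoded form, and decoding and re-encoding can change it. Whether an unsigned request from a given service provider should be accepted is left to the caller as an explicit decision.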