[gatein-dev] problem when configuring SAML2 with Google and Salesforce

Marek Posolda mposolda at redhat.com
Fri Oct 18 03:33:23 EDT 2013


Hi,

there are some differences between the recommended setup and your setup. See 
here 
https://docs.jboss.org/author/display/GTNPORTAL36/SAML2#SAML2-IntegrationwithSalesforceandGoogleApps 
. You will need to choose "Assertion contains the Federation ID from the 
User object", otherwise the integration won't work. I would recommend 
configuring EntityId to be "https://saml.salesforce.com" and Issuer to be 
"http://www.idp.com:8080/portal/dologin" without a slash at the end. Also 
make sure that GateIn is running and bound to the correct address, and that 
you can access "http://www.idp.com:8080/portal" from your browser.

Hope this helps,
Marek


On 18.10.2013 04:34, Tuyen The Nguyen wrote:
> Hi,
>
> Do you have experience configuring SSO in Salesforce? I'm trying to 
> configure SSO on Salesforce, but it doesn't work.
>
> I registered a developer account and registered the domain 
> tuyennt-dev-ed.my.salesforce.com in the "My Domain" menu.
>
> I configured it as in the attached image, but when I access 
> https://tuyennt-dev-ed.my.salesforce.com/, I see the Salesforce login form, 
> not the GateIn login form as expected.
>
>
> Thanks!
>
>
>
> On Mon, Oct 14, 2013 at 11:31 PM, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     This error is caused by the fact that PicketLink (GateIn) is
>     trying to validate the signature of the SAMLRequest from Google, but
>     SAML requests from Google are not signed. To disable validation,
>     you need to configure sp-metadata correctly as described in the
>     docs
>     https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP
>     . You should have something like this in the metadata file:
>
>        <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>            entityID="google.com/a/yourdomain1.mygbiz.com"
>            validUntil="2022-06-13T21:46:02.496Z">
>          <md:SPSSODescriptor AuthnRequestsSigned="false"
>              WantAssertionsSigned="true"
>              protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" />
>        </md:EntityDescriptor>
>
>     Note that entityId must be either
>     "google.com/a/yourdomain1.mygbiz.com" (replace yourdomain1
>     with the name of your Google Apps domain) or just "google.com".
>     It depends on the setting of the option "Use a
>     domain specific issuer" which can be specified on the Google Apps page
>     (if true, Google will send the SAMLRequest with entity
>     "google.com/a/yourdomain1.mygbiz.com"; if false, Google
>     will send the SAMLRequest with entity "google.com").
>
>     I would recommend using the Firefox plugin "SAML tracer", which will
>     show you the decoded SAMLRequest in the browser, so that you can see
>     which domain name Google uses in the SAMLRequest; the same
>     value must be used as entityId in the metadata.
>
>     Cheers,
>     Marek
>
>
>     On 14.10.2013 06:11, Tuyen The Nguyen wrote:
>>     Hi,
>>
>>     Following the docs, I generate the certificate file with the command:
>>     keytool -export -keystore jbid_test_keystore.jks -alias
>>     servercert -file test-certificate.crt
>>     And then upload the file test-certificate.crt to Google.
>>
>>     Then I try to declare in
>>     GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
>>     a ValidatingDomain
>>     <ValidatingAlias Key="127.0.0.1" Value="servercert"/>
>>
>>     I see another exception on the GateIn side.
>>     And when I change the value of gatein.sso.sp.host in the
>>     configuration.properties file to:
>>     gatein.sso.sp.host=google.com
>>     I also see the same exception.
>>
>>     Exception:
>>
>>     10:21:20,112 ERROR [org.picketlink.identity.federation] (http-www.idp.com-127.0.0.1-8080-1) PLFED000253: Exception in processing request: org.picketlink.identity.federation.core.exceptions.ProcessingException: PLFED000145: Signature Validation failed
>>     at org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)
>>     at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)
>>     at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)
>>     at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)
>>     at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)
>>     at org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255) [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
>>     at org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155) [sso-integration-1.3.1.Final.jar:1.3.1.Final]
>>     at org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88) [exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
>>     at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
>>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
>>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
>>     at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
>>     Caused by: java.lang.IllegalArgumentException: PLFED000078: Null Parameter: queryString
>>     at org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)
>>     at org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)
>>     at org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)
>>     at org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)
>>     at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)
>>     ... 15 more
>>
>>
>>     On Thu, Oct 10, 2013 at 8:01 PM, Marek Posolda
>>     <mposolda at redhat.com <mailto:mposolda at redhat.com>> wrote:
>>
>>         Hi,
>>
>>         you can try to declare in
>>         GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
>>         a ValidatingDomain directive like:
>>
>>         <ValidatingAlias Key="127.0.0.1" Value="secure-key"/>
>>
>>         Even though Google SAML requests are not signed, PicketLink
>>         requires that there is a validating key corresponding to each
>>         SAMLRequest. When a key is not found for a specific domain
>>         (in this case google.com), PicketLink
>>         will search for keys with the alias 127.0.0.1. You can use
>>         the alias of any key you have declared in your keystore. It will
>>         be used just as a placeholder, as SAML requests from Google are
>>         not signed, so validation won't be checked anyway.
>>
>>         Marek
>>
>>
>>         On 10.10.2013 11:55, Tuyen The Nguyen wrote:
>>>         Hi all,
>>>
>>>         I'm configuring SSO for GateIn 3.5 with Google and Salesforce
>>>         using the SAML2 protocol.
>>>         I followed these three docs:
>>>         https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
>>>         https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP
>>>         https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP
>>>
>>>         When I try to log in to Google, it redirects to the IDP (using
>>>         GateIn) and the login succeeds, but when it redirects back to Google,
>>>         I get the error "google could not parse the login request" and
>>>         I can't log in.
>>>         I see an exception on the GateIn console:
>>>
>>>         16:26:01,844 ERROR [org.picketlink.identity.federation] (http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception in processing request: java.lang.IllegalStateException: PLFED000058: KeyStoreKeyManager : Domain Alias missing for : 127.0.0.1
>>>         at org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
>>>         at org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
>>>         at org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
>>>         at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
>>>         at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
>>>         at org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255) [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
>>>         at org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155) [sso-integration-1.3.1.Final.jar:1.3.1.Final]
>>>         at org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88) [exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
>>>         at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
>>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
>>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
>>>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
>>>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
>>>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
>>>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
>>>         at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
>>>
>>>         Does anyone know how to fix this problem?
>>>
>>>         Tuyen Nguyen The.
>>>
>>>
>>>         _______________________________________________
>>>         gatein-dev mailing list
>>>         gatein-dev at lists.jboss.org  <mailto:gatein-dev at lists.jboss.org>
>>>         https://lists.jboss.org/mailman/listinfo/gatein-dev
>>
>>
>
>
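As an added illustration of the two checks this thread turns on (not code from the thread, GateIn or PicketLink): a small Python script that decodes an HTTP-Redirect-binding SAMLRequest the way the SAML tracer plugin would, compares its Issuer with the entityID in the SP metadata, and reports whether an unsigned request is acceptable under that metadata's AuthnRequestsSigned flag. The SP metadata and the AuthnRequest are constructed sample values modelled on the snippet quoted above.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SP metadata modelled on the snippet quoted in the thread.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS_MD}"
    entityID="google.com/a/yourdomain1.mygbiz.com" validUntil="2022-06-13T21:46:02.496Z">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="{NS_SAMLP}"/>
</md:EntityDescriptor>"""

def encode_redirect_request(issuer):
    """Build an unsigned AuthnRequest as the HTTP-Redirect binding carries it:
    raw DEFLATE, then base64, then URL-encoded as the SAMLRequest parameter."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
           f'ID="_constructed1" Version="2.0" IssueInstant="2013-10-10T09:26:01Z">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    return urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def decode_redirect_request(query):
    """Inverse of the binding: returns (issuer, has_signature_param)."""
    params = parse_qs(query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode()
    issuer = ET.fromstring(xml).findtext(f"{{{NS_SAML}}}Issuer")
    return issuer, "Signature" in params

def check_request_against_metadata(query, metadata_xml):
    """The two mismatches the thread turns on: the request Issuer must equal the
    metadata entityID (otherwise the IdP cannot look up a validating key for it),
    and an unsigned request is only acceptable when AuthnRequestsSigned="false"."""
    issuer, signed = decode_redirect_request(query)
    md = ET.fromstring(metadata_xml)
    entity_id = md.get("entityID")
    sp = md.find(f"{{{NS_MD}}}SPSSODescriptor")
    requires_sig = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    problems = []
    if issuer != entity_id:
        problems.append(f"issuer {issuer!r} does not match metadata entityID {entity_id!r}")
    if requires_sig and not signed:
        problems.append("metadata requires signed requests but no Signature parameter was sent")
    return problems
```

Run `check_request_against_metadata(encode_redirect_request("google.com"), SP_METADATA)` to see the entityID mismatch that "Use a domain specific issuer" produces when it disagrees with the metadata.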
