[gatein-dev] problem when config SAML2 with google and saleforce
Tuyen The Nguyen
tuyennt at exoplatform.com
Sun Oct 20 21:51:15 EDT 2013
Hi,
I tried to reconfigure as you recommended, but I still meet the same
problems: when I try to access, it still doesn't redirect to the IdP site.
I'm sure that I can access http://www.idp.com:8080/portal from my browser
and I can log in.
Do you have any other suggestion?
Thanks!
Nguyen The Tuyen.
On Fri, Oct 18, 2013 at 2:33 PM, Marek Posolda <mposolda at redhat.com> wrote:
> Hi,
>
> there are some differences between the recommended setup and your setup. See
> here:
> https://docs.jboss.org/author/display/GTNPORTAL36/SAML2#SAML2-IntegrationwithSalesforceandGoogleApps
> You will need to choose "Assertion contains the Federation ID from the
> User object", otherwise the integration won't work. I would recommend
> configuring EntityId to be "https://saml.salesforce.com" and Issuer to be
> "http://www.idp.com:8080/portal/dologin" without a slash at the end. Also
> make sure that you have GateIn running and bound to the correct address, and
> that you can access "http://www.idp.com:8080/portal" from your browser.
>
> Hope this helps,
> Marek
>
>
>
> On 18.10.2013 04:34, Tuyen The Nguyen wrote:
>
> Hi,
>
> Do you have experience configuring SSO in Salesforce? I'm trying to
> configure SSO on Salesforce, but it doesn't work.
>
> I registered a developer account and registered the domain
> tuyennt-dev-ed.my.salesforce.com in the "My Domain" menu.
>
> I configured it as in the attached image, but when I access
> https://tuyennt-dev-ed.my.salesforce.com/, I see the Salesforce login form,
> not the GateIn login form as expected.
>
>
> Thanks!
>
>
>
> On Mon, Oct 14, 2013 at 11:31 PM, Marek Posolda <mposolda at redhat.com> wrote:
>
>> This error is caused by the fact that PicketLink (GateIn) is trying to
>> validate the signature of the SAMLRequest from Google, but SAML requests from
>> Google are not signed. To disable validation, you need to correctly
>> configure sp-metadata as described in the docs:
>> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP
>> You should have something like this in the metadata file:
>>
>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>>     entityID="google.com/a/yourdomain1.mygbiz.com" validUntil="2022-06-13T21:46:02.496Z">
>>   <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
>>     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" />
>> </md:EntityDescriptor>
>>
>> Note that entityId must be either "google.com/a/yourdomain1.mygbiz.com"
>> (replace yourdomain1 with the name of your Google Apps domain) or just
>> "google.com". It depends on the setting of the option "Use a domain specific
>> issuer", which can be specified on the Google Apps page (if true, Google will
>> send the SAMLRequest with entity "google.com/a/yourdomain1.mygbiz.com"; if
>> false, Google will send the SAMLRequest with entity "google.com").
>>
>> I would recommend using the Firefox plugin "SAML tracer", which will show
>> you the decoded SAMLRequest in the browser, so that you can see which
>> domain name Google uses in the SAMLRequest; the same value must be used as
>> entityId in the metadata.
>>
>> Cheers,
>> Marek
>>
>>
>> On 14.10.2013 06:11, Tuyen The Nguyen wrote:
>>
>> Hi,
>>
>> Following the docs, I generated the certificate file with the command:
>> keytool -export -keystore jbid_test_keystore.jks -alias servercert
>> -file test-certificate.crt
>> And then uploaded the file test-certificate.crt to Google.
>>
>> Then I tried to declare in
>> GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
>> a ValidatingDomain:
>> <ValidatingAlias Key="127.0.0.1" Value="servercert"/>
>>
>> I see another exception on the GateIn site.
>> And when I change the value of gatein.sso.sp.host in the
>> configuration.properties file to:
>> gatein.sso.sp.host=google.com
>> I also see the same exception.
>>
>> Exception:
>>
>> 10:21:20,112 ERROR [org.picketlink.identity.federation]
>> (http-www.idp.com-127.0.0.1-8080-1) PLFED000253: Exception in processing
>> request:
>> org.picketlink.identity.federation.core.exceptions.ProcessingException:
>> PLFED000145: Signature Validation failed
>> at
>> org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerSignatureValidationError(PicketLinkLoggerImpl.java:1106)
>> at
>> org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:152)
>> at
>> org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:94)
>> at
>> org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56)
>> at
>> org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:579)
>> at
>> org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
>> [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
>> at
>> org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
>> [sso-integration-1.3.1.Final.jar:1.3.1.Final]
>> at
>> org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
>> [exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
>> at
>> org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
>> [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
>> [jbossweb-7.0.13.Final.jar:]
>> at
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
>> [jbossweb-7.0.13.Final.jar:]
>> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
>> Caused by: java.lang.IllegalArgumentException: PLFED000078: Null
>> Parameter: queryString
>> at
>> org.picketlink.identity.federation.PicketLinkLoggerImpl.nullArgumentError(PicketLinkLoggerImpl.java:64)
>> at
>> org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getToken(RedirectBindingSignatureUtil.java:309)
>> at
>> org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getTokenValue(RedirectBindingSignatureUtil.java:203)
>> at
>> org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(RedirectBindingSignatureUtil.java:188)
>> at
>> org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyRedirectBindingSignature(SAML2SignatureValidationHandler.java:144)
>> ... 15 more
>>
>>
>> On Thu, Oct 10, 2013 at 8:01 PM, Marek Posolda <mposolda at redhat.com> wrote:
>>
>>> Hi,
>>>
>>> you can try to declare in
>>> GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml
>>> a ValidatingDomain directive like:
>>>
>>> <ValidatingAlias Key="127.0.0.1" Value="secure-key"/>
>>>
>>> Even though Google SAML requests are not signed, PicketLink requires
>>> that there is a validating key corresponding to each SAMLRequest. When a key
>>> is not found for a specific domain (in this case google.com),
>>> PicketLink will search for keys with the alias 127.0.0.1. You can use the
>>> alias of any key you have declared in your keystore. It will be used just
>>> as a placeholder, as SAML requests from Google are not signed, so validation
>>> won't be performed anyway.
>>>
>>> Marek
>>>
>>>
>>> On 10.10.2013 11:55, Tuyen The Nguyen wrote:
>>>
>>> Hi all,
>>>
>>> I'm configuring SSO for GateIn 3.5 with Google and Salesforce using the SAML2
>>> protocol.
>>> I followed these three docs:
>>> https://docs.jboss.org/author/display/GTNPORTAL35/SAML2
>>>
>>> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP
>>>
>>> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP
>>>
>>> When I try to log in to Google, it redirects to the IdP (using GateIn) and
>>> login succeeds, but when it redirects back to Google, I get the error "Google could
>>> not parse the login request" and I can't log in.
>>> I see an exception on the GateIn console:
>>>
>>> 16:26:01,844 ERROR [org.picketlink.identity.federation]
>>> (http-www.idp.com-127.0.0.1-8080-7) PLFED000253: Exception in processing
>>> request: java.lang.IllegalStateException: PLFED000058: KeyStoreKeyManager :
>>> Domain Alias missing for : 127.0.0.1
>>> at
>>> org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183)
>>> at
>>> org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196)
>>> at
>>> org.picketlink.identity.federation.core.util.CoreConfigUtil.getValidatingKey(CoreConfigUtil.java:140)
>>> at
>>> org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.getIssuerPublicKey(AbstractIDPValve.java:683)
>>> at
>>> org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:545)
>>> at
>>> org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve.invoke(PortalIDPWebBrowserSSOValve.java:255)
>>> [sso-saml-plugin-1.3.1.Final.jar:1.3.1.Final]
>>> at
>>> org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155)
>>> [sso-integration-1.3.1.Final.jar:1.3.1.Final]
>>> at
>>> org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:88)
>>> [exo.portal.component.web.security-jboss-3.5.7.Final-SNAPSHOT.jar:3.5.7.Final-SNAPSHOT]
>>> at
>>> org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
>>> [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>>> at
>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at
>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
>>> [jbossweb-7.0.13.Final.jar:]
>>> at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
>>> Is there anyone who knows how to fix this problem?
>>>
>>> Tuyen Nguyen The.
>>>
>>>
>>>
>>>
>>>
>>
>>
>
>
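The check Marek describes above (the Issuer that Google puts in its SAMLRequest must equal the entityID in the SP metadata, and AuthnRequestsSigned="false" is what tells the IdP not to demand a Redirect-binding signature), as an added Python example that is not code from the thread or from PicketLink. The SP metadata and the AuthnRequest are constructed here after the shapes quoted in the thread; the Redirect-binding encoding (raw DEFLATE, base64, URL-encode) is the standard one, which is also what a SAML tracer decodes for you.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata in the shape the thread shows (not Google's real metadata).
SP_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD}" entityID="google.com/a/yourdomain1.mygbiz.com">'
    f'<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" '
    f'protocolSupportEnumeration="{SAMLP}"/></md:EntityDescriptor>'
)


def build_authn_request(issuer: str) -> str:
    """Constructed minimal AuthnRequest; only the Issuer matters for this check."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_c1" '
            f'Version="2.0" IssueInstant="2013-10-14T04:11:00Z">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')


def encode_redirect_request(authn_request_xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    raw = comp.compress(authn_request_xml.encode()) + comp.flush()
    return urlencode({"SAMLRequest": base64.b64encode(raw).decode()})


def decode_redirect_request(query_string: str) -> ET.Element:
    """Reverse of the above: what a SAML tracer shows you as the decoded request."""
    data = base64.b64decode(parse_qs(query_string)["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(data, -15))


def check_request_against_metadata(query_string: str, metadata_xml: str) -> dict:
    """Decide whether the IdP should accept this SAMLRequest for the configured SP."""
    issuer = decode_redirect_request(query_string).findtext(f"{{{SAML}}}Issuer")
    md = ET.fromstring(metadata_xml)
    sp = md.find(f"{{{MD}}}SPSSODescriptor")
    signature_required = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    signature_present = "Signature" in parse_qs(query_string)
    issuer_ok = issuer == md.get("entityID")
    return {
        "issuer": issuer,
        "issuer_matches_entity_id": issuer_ok,
        "signature_required": signature_required,
        "signature_present": signature_present,
        # Reject an unknown issuer; demand a signature only when the metadata says so.
        "accept": issuer_ok and (signature_present or not signature_required),
    }
```

Matching the Issuer and the AuthnRequestsSigned flag is only the configuration check; when a signature is required the IdP must still verify the Signature value against the SP's key (the ValidatingAlias lookup in the thread), which this example does not do.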