I just installed OpenAM 13.0.0, created an hosted IDP, and registered a remote SP.
Within the remote SP (a product called Questetra), I configured the entityID, login URL, logout URL, and certificate using values found in the XML at http://idp:8080/openam/saml2/jsp/exportmetadata.jsp?entityid=http://idp:8080/openam&realm=/
Problem: OpenAM says 500 Internal Server Error at the step where the browser loads the successURL.
Any idea what is happening?
Any tips on how to debug? There is nothing special in the Tomcat and OpenAM logs.
Shortened Wireshark trace
HTTP/1.1 200 OK
[...]
{"successURL":"/SSORedirect/metaAlias/idp?ReqID=a41de50e29c99ff3422f82b7g660ch6&index=null&acsURL=http%3A%2F%2Fthesp%3A8080%2Fuserweb%2Fsaml%2FSSO%2Falias%2Fbpm&spEntityID=http%3A%2F%2Fthesp%3A8080%2Fuserweb%2F&binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST"}
GET /openam/SSORedirect/metaAlias/idp?ReqID=a41de50e29c99ff3422f82b7g660ch6&index=null&acsURL=http%3A%2F%2Fthesp%3A8080%2Fuserweb%2Fsaml%2FSSO%2Falias%2Fbpm&spEntityID=http%3A%2F%2Fthesp%3A8080%2Fuserweb%2F&binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST HTTP/1.1
[...]
HTTP/1.1 500 Internal Server Error
[...]
<html>[...]HTTP Status 500 - Unable to do Single Sign On or Federation[...]</html>
Full trace at https://gist.github.com/nicolas-raoul/5ff26f37a95bc8088c6af7fe6ea5e468
Tomcat 7.0.72, Ubuntu 2016.04.1 LTS, Firefox 50.1.0
I solved this same error by taking the Certificate value directly from the metadata file exported from OpenAM and entering that directly again, to ensure that it was the exact same.
Related
When user clicks login, redirected to Keycloak login page & then after successful login, user comes back to application with 400 error page.
Server log shows following:
[Server:node-00] 13:40:00,709 WARN
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-30)
state parameter invalid
My application conf is:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="appWEB.war">
<realm>demo</realm>
<resource>app</resource>
<public-client>true</public-client>
<auth-server-url>http://localhost:8180/auth</auth-server-url>
<ssl-required>EXTERNAL</ssl-required>
</secure-deployment>
</subsystem>
Application URL is https://localhost:8443/app & redirect_url is https://localhost:8443/app/private.jsf.
When I use http, it works. But the error comes when I use same with https.
Any thoughts?
Here it can be many scenario which may failing with https
Keycloak running in https
Create self sign certification for keycloak.
Import this certificate to your local Java environment.SO handshake can be possible.
I hope you generate the certificates in keycloak you can find the the certificate inside keycloak/security/ssl.
We are currently trying to deploy CAS 4.0.1 on a JBoss EAP 6.3.0 server.
The login webflow was customised in order to redirect to a specific login form depending on the service calling CAS for authentication. Depending on these forms, we use specific authentication handlers, and a specific Credential model. Besides that, the configuration is rather standard.
At the moment, we are experiencing the following issue: when a user attempts to access a service secured by CAS, he is correctly redirected to the portal, and the expected login view is rendered ; upon successful login, the Service Ticket is delivered to the authentication filter on the service side (standard j_spring_cas_security_check), which then validates it successfully against CAS' ticket registry. We see in the logs that CAS is rendering the cas2ServiceSuccessView ; however, instead of delivering the expected XML response, the user is redirected to the login form.
We then confirmed that we were in fact getting a 404 error after the cas2ServiceSuccessView... Any idea what could trigger such behaviour/what we could have done wrong ?
Note that we are getting the same error regardless of how we call CAS for the ST validation: whether it is manually through /serviceValidate?ticket=ST-YYY&service=XXX, or via the /j_spring_cas_security_check on the service side...
Edit: we have the same behaviour running CAS on Tomcat 7.
Thanks in advance.
Below the debug logs that we are getting:
08:54:10,806 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) Last-Modified value for [/cas/serviceValidate] is: -1
08:54:10,809 INFO [org.perf4j.TimingLogger] (http-/0.0.0.0:8080-7) start[1433314450807] time[2] tag[VALIDATE_SERVICE_TICKET]
08:54:10,810 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] (http-/0.0.0.0:8080-7) Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-3-uecoOwdbdIn4bc2WvXfe-cas-test
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Wed Jun 03 08:54:10 CEST 2015
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
08:54:10,810 DEBUG [org.springframework.validation.DataBinder] (http-/0.0.0.0:8080-7) DataBinder requires binding of required fields [renew]
08:54:10,811 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) Rendering view [org.springframework.web.servlet.view.InternalResourceView: name 'cas2ServiceSuccessView'; URL [/WEB-INF/view/jsp/cas2ServiceSuccessView.jsp]] in DispatcherServlet with name 'cas'
08:54:10,811 DEBUG [org.springframework.web.servlet.view.InternalResourceView] (http-/0.0.0.0:8080-7) Added model object 'assertion' of type [org.jasig.cas.validation.ImmutableAssertion] to request in view with name 'cas2ServiceSuccessView'
08:54:10,811 DEBUG [org.springframework.web.servlet.view.InternalResourceView] (http-/0.0.0.0:8080-7) Removed model object 'pgtIou' from request in view with name 'cas2ServiceSuccessView'
08:54:10,811 DEBUG [org.springframework.web.servlet.view.InternalResourceView] (http-/0.0.0.0:8080-7) Forwarding to resource [/WEB-INF/view/jsp/cas2ServiceSuccessView.jsp] in InternalResourceView 'cas2ServiceSuccessView'
08:54:10,812 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) Successfully completed request
08:54:10,814 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) DispatcherServlet with name 'cas' processing GET request for [/cas/login]
08:54:10,814 DEBUG [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] (http-/0.0.0.0:8080-7) Mapping request with URI '/cas/login' to flow with id 'login'
In SpringSecurity 4.x, CasAuthenticationFilter's defaultFilterProcessesUrl path is changed.
So Change '/j_spring_cas_security_check' to '/login/cas' in Configuration.
... and of course, the cause was rather silly: somehow (I have to look at our merge/git history), the viewResolver bean defined in cas-servlet.xml did not have a basenames property set.
I have a Flash website. When I want to use Paypal Express Checkout with Digital Goods, I call this javascript code :
dg = new PAYPAL.apps.DGFlow();
dg.startFlow("http://mydomain.com/setup.php");
setup.php calls SetExpressCheckoutPayment function and redirect to https://www.sandbox.paypal.com/incontext?token=...&useraction=commit
With Firebug I can see this address returns a 302, and redirects to https://www.sandbox.paypal.com/webapps/checkout/webflow/sparta/expresscheckoutvalidatedataflow?exp_type=&cookiesBlocked=&token=...&useraction=commit
This adress returns also a 302 and redirects to https://www.sandbox.paypal.com/webapps/checkout/webflow/sparta/expresscheckoutvalidatedataflow?execution=e1s1
Here it hangs for several minutes and ends with this error message :
Proxy Error
The proxy server could not handle the request GET /webapps/checkout/webflow/sparta/expresscheckoutvalidatedataflow.
Reason: Error during SSL Handshake with remote server
I started to get this error sometimes last week, and I have it every time today.
It happens on my MAMP environment and on my website.
I don't have SSL certificate but I didn't last week and it was not a problem.
Do you know anything about this error message ?
Edit
I tried with Opera, proxyError comes at a different step : https://www.sandbox.paypal.com/webapps/checkout/webflow/sparta/expresscheckoutvalidatedataflow?execution=e1s4
And once this morning on Firefox I had another Proxy Error after the first redirection :
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /webapps/checkout/webflow/sparta/expresscheckoutvalidatedataflow.
Reason: Error reading from remote server
I don't have the Proxy Error anymore since yesterday. I didn't change anything so it seems PayPal servers are unstable...
I'm having the same issue since Sunday evening (sorry that I can't post this as a comment, don't have enough reputation yet).
I'm on LiquidWeb shared hosting, using the Merchant SDK ( https://github.com/paypal/merchant-sdk-php ). I was on merchant-sdk-php-2.1.96 when the errors began, and tried upgrading to merchant-sdk-php-2.2.98 but now it is worse (won't even do the first redirect, which is confusing). My code is server side, but getting the timeout and proxy error at the same urls:
$setECResponse = $PayPal_service->SetExpressCheckout($setECReq);
if($setECResponse->Ack == 'Success') {
$token = $setECResponse->Token;
$payPalURL = 'https://www.sandbox.paypal.com/incontext?token=' . $token;
$this->Redirect($payPalURL);
}
After I invoke single-log-out (SLO), by calling 'GET' on https://[PingFederate Server Instance]:[Port]/sp/startSLO.ping, my PingFederate server begins making requests to my SP logout services. [I know this because I can see it happening in Fiddler.]
But when one my SPs invokes “https://<PingFederate DNS>:XXXX” + request.getParameter(“resume”); (per #Scott T.'s answer here), I get an error message:
Error - Single Logout Nonsuccess Response status:
urn:oasis:names:tc:SAML:2.0:status:Requester Status Message: Invalid
signature Your Single Logout request did not complete successfully. To
logout out of your Identity Provider and each Service Provider, close
all your browser windows. Partner: XXXX:IDP Target Resource:
http://<domain>/<default SLO endpoint>
My Questions:
What is this error message referring to?
How can I resolve this error condition?
This error is likely due to a mismatch in configuration between IdP and SP. The signing keys/certificate for SAML messages used at one end, must match the verification certificate at the other end. Check your Credentials configuration on your connection for both IdP and SP. See this section in the PingFederate Administration Guide for some details.
I'm trying to update Eclipse 3.5.1 (on Gentoo Linux) from the Galileo Discovery Site and I get this error message:
Network connection problems encountered during search.
Unable to access "http://download.eclipse.org/releases/galileo".
Error accessing site stream. [Server returned HTTP response code: 503 for URL: http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd]
Server returned HTTP response code: 503 for URL: http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd
Error accessing site stream. [Server returned HTTP response code: 503 for URL: http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd]
Server returned HTTP response code: 503 for URL: http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd
It seems the 503 error code is intended to stop software from constantly downloading this file from w3.org. But how do I persuade Eclipse to stop requesting it?
After several updates of Eclipse, the supporting software and libraries this now works.
The correct way to update from the Galileo site is via "Help/Install New Software" or "Help/Update".
The route via "Help/Software Updates/Find and Install/Search for new..." fails because the update-site format has changed.