I am trying to configure my application (SP) to work with remote IDP. The IDP provided me with a certificate to configure with SP. For SAML request.
I get this exception :
org.springframework.security.saml.trust.UntrustedCertificateException: Peer SSL/TLS certificate XXX, issued by XXX is not trusted, add the certificate or it's CA to your trust store and optionally update tlsKey in >extended metadata with the certificate's alias.
Follow certificates (in PEM format) presented by the peer. Content between being/end certificate (including) can be stored in a file and imported using keytool, e.g. 'keytool -importcert -file cert.cer -alias certAlias -keystore keystore.jks'). Make sure the presented certificates are issued by your trusted CA before adding them to the keystore.
why i get this exception?
I am using gluu server and it's shibboleth component.in SP there is an apollo.cert and a samlkeystore.jks . apollo.crt is imported in samlkeystore.jks .
I run SP and get metadadata.xml (it contains ds:X509Certificate) and import this file into gluu server .
I am confused , where is the problem ? IDP or SP?what can i do to fix that?
I really need help.
EDIT :
#Bernahrd,#Guillermo thank you so much for your reply.
I still working but can't find out what happen here.
I add metadata xml file in idp and sp .
this is gluu idp metadata , to generate idp metadata on gluu server I use https://hostname/idp/shibboleth
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://ubuntu.gluu.info/idp/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<IDPSSODescriptor errorURL="https://ubuntu.gluu.info/identity/feedback.htm"
protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<shibmd:Scope regexp="false">ubuntu.gluu.info</shibmd:Scope>
</Extensions>
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDaDCCAlACCQD165zhtG0q6DANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJJ
UjELMAkGA1UECAwCVEgxDzANBgNVBAcMBnRlaHJhbjENMAsGA1UECgwER0xVVTEZ
MBcGA1UEAwwQdWJ1bnR1LmdsdXUuaW5mbzEfMB0GCSqGSIb3DQEJARYQc3VwcG9y
dEBnbHV1Lm9yZzAeFw0xNjA2MTcyMDMxMTlaFw0xNzA2MTcyMDMxMTlaMHYxCzAJ
BgNVBAYTAklSMQswCQYDVQQIDAJUSDEPMA0GA1UEBwwGdGVocmFuMQ0wCwYDVQQK
DARHTFVVMRkwFwYDVQQDDBB1YnVudHUuZ2x1dS5pbmZvMR8wHQYJKoZIhvcNAQkB
FhBzdXBwb3J0QGdsdXUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAuSkeEK+lK498Yc8OspdYoqoDQLDPs8cF0qE84hLRhdEHU1y++/dzaC6271sV
KtTXt/aG1PwBS7unPIMOEKFNJXdO0FHEgt4nkuhq7KUvcR4ckNvL+5Ys5r/3Egzh
8nm96Z0jtuUlu1e8b6iAsw+9tYq1olDZO9Hv6hR9V/ZlTolmuZqnXEy3p/47W25p
ROLVuR7jIH+cKDVJe8lW1702wWEQWDhxPBJ1fJsMuBA/RiB/J6SBAgkxs/9m513Y
+lYaobhqMfocwzt/GAqsq4Fnixf1PldJpi/ZJfnyJ0JOFcLj8YHY/CFRiRm8b3UE
1VUYZRTHK9Qc3ryd+KA14QTymwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBRS5aR
CSPS+3qoWI5wj3f97QEncv0Q80sb0tzumUJIWqDoYWW0ucyRWGiUSSVIBeVJmmmG
Yus9ML6Khb1WNCsXZW3GcBfoA8FImTtTBMyXWHpDtR6Ne156kSv2ymmdyipZo6OB
iItWjEgAOmRsynxkJASEPhH5RM8iqGAJVBCgU738so0X3e7N5pQSNMKLiCkf8afK
EsL9Q61f9RiLImlehkdw3m2B0wKQJZo1Q1D/L7sZzaOXiif3YkcVNO8t0CJpZSog
YSKS+2cM7LTDdiNS3YMpcRdcvZTixDMSAfO+7PDTfubio8ADAmjr7Gj7vwzG8sFi
PmIqbqM/Ii1e0kD7
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://ubuntu.gluu.info:9443/idp/profile/SAML1/SOAP/ArtifactResolution"
index="1"/>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://ubuntu.gluu.info:9443/idp/profile/SAML2/SOAP/ArtifactResolution"
index="2"/>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
Location="https://ubuntu.gluu.info/idp/profile/Shibboleth/SSO"/>
<SingleSignOnService Binding="urn:mace:shibboleth:2.0:profiles:AuthnRequest"
Location="https://ubuntu.gluu.info/idp/profile/SAML2/Unsolicited/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://ubuntu.gluu.info/idp/profile/SAML2/POST/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
Location="https://ubuntu.gluu.info/idp/profile/SAML2/POST-SimpleSign/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://ubuntu.gluu.info/idp/profile/SAML2/Redirect/SSO"/>
</IDPSSODescriptor>
<AttributeAuthorityDescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<shibmd:Scope regexp="false">ubuntu.gluu.info</shibmd:Scope>
</Extensions>
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDaDCCAlACCQD165zhtG0q6DANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJJ
UjELMAkGA1UECAwCVEgxDzANBgNVBAcMBnRlaHJhbjENMAsGA1UECgwER0xVVTEZ
MBcGA1UEAwwQdWJ1bnR1LmdsdXUuaW5mbzEfMB0GCSqGSIb3DQEJARYQc3VwcG9y
dEBnbHV1Lm9yZzAeFw0xNjA2MTcyMDMxMTlaFw0xNzA2MTcyMDMxMTlaMHYxCzAJ
BgNVBAYTAklSMQswCQYDVQQIDAJUSDEPMA0GA1UEBwwGdGVocmFuMQ0wCwYDVQQK
DARHTFVVMRkwFwYDVQQDDBB1YnVudHUuZ2x1dS5pbmZvMR8wHQYJKoZIhvcNAQkB
FhBzdXBwb3J0QGdsdXUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAuSkeEK+lK498Yc8OspdYoqoDQLDPs8cF0qE84hLRhdEHU1y++/dzaC6271sV
KtTXt/aG1PwBS7unPIMOEKFNJXdO0FHEgt4nkuhq7KUvcR4ckNvL+5Ys5r/3Egzh
8nm96Z0jtuUlu1e8b6iAsw+9tYq1olDZO9Hv6hR9V/ZlTolmuZqnXEy3p/47W25p
ROLVuR7jIH+cKDVJe8lW1702wWEQWDhxPBJ1fJsMuBA/RiB/J6SBAgkxs/9m513Y
+lYaobhqMfocwzt/GAqsq4Fnixf1PldJpi/ZJfnyJ0JOFcLj8YHY/CFRiRm8b3UE
1VUYZRTHK9Qc3ryd+KA14QTymwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBRS5aR
CSPS+3qoWI5wj3f97QEncv0Q80sb0tzumUJIWqDoYWW0ucyRWGiUSSVIBeVJmmmG
Yus9ML6Khb1WNCsXZW3GcBfoA8FImTtTBMyXWHpDtR6Ne156kSv2ymmdyipZo6OB
iItWjEgAOmRsynxkJASEPhH5RM8iqGAJVBCgU738so0X3e7N5pQSNMKLiCkf8afK
EsL9Q61f9RiLImlehkdw3m2B0wKQJZo1Q1D/L7sZzaOXiif3YkcVNO8t0CJpZSog
YSKS+2cM7LTDdiNS3YMpcRdcvZTixDMSAfO+7PDTfubio8ADAmjr7Gj7vwzG8sFi
PmIqbqM/Ii1e0kD7
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://ubuntu.gluu.info:9443/idp/profile/SAML1/SOAP/AttributeQuery"/>
<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://ubuntu.gluu.info:9443/idp/profile/SAML2/SOAP/AttributeQuery"/>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
</AttributeAuthorityDescriptor>
</EntityDescriptor>
Then I add it to SP in shibboleth-idb.xml
this is my SP metadata file that should be add to the gluu idp :
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor ID="http://ubuntu.gluu.info:9090/saml/metadata/alias/defaultAlias"
entityID="http://ubuntu.gluu.info:9090/saml/metadata/alias/defaultAlias"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://ubuntu.gluu.info:9090/saml/SingleLogout/alias/defaultAlias"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="http://ubuntu.gluu.info:9090/saml/SingleLogout/alias/defaultAlias"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="0"
isDefault="true"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
Location="http://ubuntu.gluu.info:9090/saml/HoKSSO/alias/defaultAlias"
hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
index="3"
xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
Location="http://ubuntu.gluu.info:9090/saml/HoKSSO/alias/defaultAlias"
hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="4"
xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
in gluu server I add new trust relationship and add SP metadata file to it.
but some thing strange happen here,In SP index page i select shibolleth idp,then login page of shibolleth idp appears,after enter username and password it redirect to my SP and then Exception happen, according to the exception,idp send me this certificate and want me to add this to my trust store :
-----BEGIN CERTIFICATE-----
MIIDaDCCAlACCQDTFXuxD0vSJTANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJJUjELMAkGA1UE
CAwCVEgxDzANBgNVBAcMBnRlaHJhbjENMAsGA1UECgwER0xVVTEZMBcGA1UEAwwQdWJ1bnR1Lmds
dXUuaW5mbzEfMB0GCSqGSIb3DQEJARYQc3VwcG9ydEBnbHV1Lm9yZzAeFw0xNjA2MTcyMDMxMTha
Fw0xNzA2MTcyMDMxMThaMHYxCzAJBgNVBAYTAklSMQswCQYDVQQIDAJUSDEPMA0GA1UEBwwGdGVo
cmFuMQ0wCwYDVQQKDARHTFVVMRkwFwYDVQQDDBB1YnVudHUuZ2x1dS5pbmZvMR8wHQYJKoZIhvcN
AQkBFhBzdXBwb3J0QGdsdXUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvt/V
JO3o7LCwmgUSJg1CyTfSwUL28d2FaMsiiSUZ5Qs6kPHKwJ22IltBpIaJBgFcqyNxOgve3z7agJtJ
dBmyWJRoz7yMbtXmHJdk+XRs4LqRCl0CFprlPtfg9Avyb8tBqWa+c3VBbbhJ0dKpWpvzVLoRm33J
u9+/TnlM6a5UUHGsQIynjndFJSFnittNfDLQglooKyjUuiv0OrN5E7qG9bGe+w+EytYrzfx+AI/t
9wGIjMKyY9MWO4/ai0Ei7tX5CHS1GxFg2xp6Q6705YjFxrfFTbB+5XIbUCLi62nzas51hYeVzWHZ
B2XODA8ClE+U31EtwvVHbNJP5DOoM9441QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBBYAvHpshQ
8SH7wrPKNhFpbdxJ49PYmMDlCtKyU10umiEYmCSg9m4vado9MLrqblQ5qUMX1YYiIQbR47RXtSdG
AAr16JcBbiktrGv+KeGuLp7K0Ye3WsUS/uSrCimvW+lilNqAHj0MvqjQuSKCgOrmpxT55C8e21/h
piFjQF7ReCAeD0DV5ZGiDZQP0wdjJvHAMVQbQGeIpizZnOmmozsCiUDpSN2gZgu59TPimTD7rcfi
WZdaOr9L3pevZFLOrCXweyS6eiD2pTV1hWnfX6Ck3c0pM+yuA7Ug3BSFoOCXigKiA1EO4aqnGHLG
dswo1zee5kgF8oJbyYjVcYhZgc5w
-----END CERTIFICATE-----
Thanks.
You SP-metadata has
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="0"
isDefault="true"/>
hence artifact binding will be used.
--> The SP tries to connect to the Artifact Resolution service of the IdP (Location="https://ubuntu.gluu.info:9443/idp/profile/SAML2/SOAP/ArtifactResolution").
As this has scheme 'https' a secure SOAP call has to be performed.
Either you configure a JSSE truststore for your deployment container running the app (JVM-option -Djavax.net.ssl.trustStore=PATH_TO_JKS_TRUSTORE) and add the provided cert to hat truststore or remove artifact binding from your SP's meta data and only use front-channel bindings (where all communication goes through the user-agent)
Related
I am trying to set the signing and encryption option on my SP metadata to have AuthnRequestsSigned="true" but my AM server keeps throwing the below Error in the /debug/Federation log
Authentication Requests Signed option is the only one giving me issues.
Im running
ForgeRock Access Management 6.5.2
Tomcat 8.0.35
openjdk version "1.8.0_212"
AM Settings
Error Message
libSAML2:08/02/2019 03:16:50:299 PM UTC: Thread[http-nio-80-exec-8,5,main]: TransactionId[f1638b0a-6687-4953-ae04-8ce8c9299079-62363]
ERROR: UtilProxySAMLAuthenticator.authenticate: authn request destination verification failed for
IdpEntity: http://x.canadacentral.cloudapp.azure.com:80/opensso
MetaAlias: /idp Destination: http://x.canadacentral.cloudapp.azure.com/opensso/SSORedirect/metaAlias/idp
Location: http://x.canadacentral.cloudapp.azure.com:80/opensso/SSORedirect/metaAlias/idp
SP Meta-data
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2019-08-02T12:04:36Z"
cacheDuration="PT604800S" entityID="nestjs-sp-signed-0070">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
</md:KeyDescriptor>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</md:NameIDFormat>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="http://localhost:3000/auth/logout/callback"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://localhost:3000/auth/login/callback" index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
Location="http://localhost:3000/auth/login/callback" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="http://localhost:3000/auth/login/callback" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
Location="http://localhost:3000/auth/login/callback" index="3"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
Location="http://localhost:3000/auth/login/callback" index="4"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
Passport Settings
export const samlPassportConf = {
issuer: 'nestjs-sp-signed-0070', // match metadata entityID
identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
callbackUrl: 'http://localhost:3000/auth/login/callback',
entryPoint: 'http://x.canadacentral.cloudapp.azure.com/opensso/SSORedirect/metaAlias/idp',
logoutUrl: 'http://x.canadacentral.cloudapp.azure.com/opensso/IDPSloRedirect/metaAlias/idp',
privateCert: fs.readFileSync('cert/privatekey.pem', 'utf-8'),
decryptionPvk: fs.readFileSync('cert/privatekey.pem', 'utf-8'),
};
Question:
I am trying to set the signing and encryption option on my SP metadata to have AuthnRequestsSigned="true" but my AM server keeps throwing the below Error in the /debug/Federation log
(1) Authentication Requests Signed option is the only one giving me issues.
(2) I unchecked authentication requests signed and it works.
Answer:
(1) You unchecked authentication requests signed, indicating that OpenAM SAML IdP would never verify the signature of authentication request sent by your SAML SP, thus it works as you expected.
(2) Your SAML SP signs Authentication Request using a signing key.
OpenAM SAML IdP uses the corresponding public cert (which it extracts from your SAML SP metadata) to verify the signed Authentication Request sent by your SAML SP.
If the Authentication Request is signed, OpenAM SAML IdP MUST verify Destination (i.e., SAML Login URL/Entrypoint of SAML IdP) and entityID of SAML SP.
Two issues have been identified:
(I) Destination "http://x.canadacentral.cloudapp.azure.com/opensso/SSORedirect/metaAlias/idp"
does NOT exactly matches the location/entryPoint
"http://idp5.canadacentral.cloudapp.azure.com/opensso/SSORedirect/metaAlias/idp"
Your SAML SP sends "idp5.canadacentral", but OpenAM SAML IdP receives "x.canadacentral"
(II) issuer: 'nestjs-sp-signed-0070' in the Authentication Request sent by your SAML SP
does NOT match
entityID="nestjs-sp-signed-0090"
in your SAMP SP metadata uploaded to OpenAM SAML IdP.
Resolution:
In your Passport Settings, Replace 'nestjs-sp-signed-0070' with 'nestjs-sp-signed-0090', because OpenAM SAML IdP MUST verify that entityID of your SAML SP 'nestjs-sp-signed-0070' carried by the Authentication Request should be exactly equal to entityID of your SAML SP 'nestjs-sp-signed-0090' in your SAML SP metadata.
(III) You need to ensure that private key and public cert should be a key pair. that is,
private key "privateCert: fs.readFileSync('cert/privatekey.pem', 'utf-8')" in your Passport Settings
should be corresponding to
public cert in your SAML SP metadata
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
Potential root cause of Authentication Requests Signed is that
OpenAM SAML IdP uses the public cert of encryption (carried by your SAML SP metadata) to verify the signed Authentication Request. That is, OpenAM SAML IdP uses the wrong public cert for signature verification.
Resolution:
Use the same key pair for both signing and encryption. In your SAML SP metadata, let both signing cert and encryption cert "" be the same, that is,
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
is the same as
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
</md:KeyDescriptor>
The PingFederate server responds with error Signature Required on SP initiated SSO, though we are sending Signature Value in the SAML auth request. Following is the request I am sending to Ping Federate:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:ds="http://www.w3.org/2000/09/xmldsig#" > > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" > AssertionConsumerServiceURL="https://mycompany.com/saml2/acs/" Destination="https://idp.com/idp/SSO.saml2" ID="id-1305fe524135c3980b2446c10dec5f08" IssueInstant="2017-11-21T18:27:17Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="My Service" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://mycompany.com/</saml:Issuer>
<ds:Signature Id="Signature1">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id-1305fe524135c3980b2446c10dec5f08">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>PgekvX9t5tSi2t……..KMSXBPFMlhjcpk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>m0/……………….J5bmNQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MII………………o6jkYDUjhprKdQ+m4=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>
I have shortened Signature Value and Certificate for better readability.
PingFederate is rejecting this request with SAML response
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
<samlp:StatusMessage>Signature required</samlp:StatusMessage></samlp:Status>
Following are logs of PingFederate:
2017-11-21 13:27:17,222 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.websso.servlet.ProtocolControllerServlet] [qtp2106609649-286] ---REQUEST (GET)/idp/SSO.saml2 from 123.123.123.3:
---PARAMETERS---
SAMLRequest:
3VZJl6LYEt7nr/BYi1p4U……<shortened request for readability>…….zdsjP10u10KWIGwjw6it3/9v4/+l78B
RelayState:
/myAppDashboard/index.html?sso_user=user1%40myidp.com&tenant_domain=xyz.com#/
2017-11-21 13:27:17,222 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.saml20.bindings.BindingFactory] [qtp2106609649-286] GET
with Params: [SAMLRequest, RelayState]
assume binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
from: 123.123.123.3
Referer: https://mycompany.com/saml2/login/?email=user1%40myidp.com&tenantIdentifier=undefined(https://mycompany.com/saml2/login/?email=user1%40myidp.com&tenantIdentifier=undefined)
AuthType: null
Content-Type: null
2017-11-21 13:27:17,225 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.saml20.bindings.LoggingInterceptor] [qtp2106609649-286] Received InMessageContext:
InMessageContext
XML: https://mycompany.com/saml2/acs/" Destination="https://idp.com/idp/SSO.saml2" ID="id-1305fe524135c3980b2446c10dec5f08" IssueInstant="2017-11-21T18:27:17Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="My Service" Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig# (http://www.w3.org/2000/09/xmldsig) " xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
https://mycompany.com/ (https://mycompany.com/%3c/saml:Issuer) >
http://www.w3.org/2001/10/xml-exc-c14n#"/>
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
http://www.w3.org/2001/10/xml-exc-c14n#"/>
http://www.w3.org/2001/04/xmlenc#sha256"/>
PgekvX9t5tSi2t/………………J5bmNQ==
MIIDpjCC……………………Q+m4=
entityId: https://mycompany.com/ (https://mycompany.com/) (SP)
virtualServerId: XYZSSO2.0
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
relayState: /myAppDashboard/index.html?sso_user=user1%40myidp.com&tenant_domain=xyz.com#/
SignatureStatus: NOT_PRESENT
Binding says to sign: true
2017-11-21 13:27:17,226 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.util.log.internal.TrackingIdSupport] [qtp2106609649-286] [cross-reference-message] entityid:null subject:null
2017-11-21 13:27:17,226 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 ERROR [org.sourceid.saml20.profiles.idp.HandleAuthnRequest] [qtp2106609649-286] Exception occurred during request processing
org.sourceid.saml20.profiles.StatusResponseException: Signature required
……..
…….
2017-11-21 13:27:17,251 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.servlet.HttpServletRespProxy] [qtp2106609649-286] flush cookies: adding Cookie{PF=hashedValue:pSs3mUSSSSSSSSSSSSSSSXLK4; path=/; maxAge=-1; domain=null}
2017-11-21 13:27:17,252 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.saml20.bindings.LoggingInterceptor] [qtp2106609649-286] Transported Response. OutMessageContext:
OutMessageContext
XML: https://mycompany.com/saml2/acs/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
XYZSSO2.0
http://www.w3.org/2000/09/xmldsig#">
http://www.w3.org/2001/10/xml-exc-c14n#"/>
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
http://www.w3.org/2001/10/xml-exc-c14n#"/>
http://www.w3.org/2001/04/xmlenc#sha256"/>
vRc7z0pcj5wzfn/………….UV3nYqUjgsnwHx9tziUqFwmAI=
Signature required
entityId: https://mycompany.com/ (https://mycompany.com/) (SP)
virtualServerId: XYZSSO2.0
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
relayState: /myAppDashboard/index.html?sso_user=user1%40myidp.com&tenant_domain=xyz.com#/
Endpoint: https://mycompany.com/saml2/acs/ (https://mycompany.com/saml2/acs/)
SignaturePolicy: BINDING_DEFAULT
2017-11-21 13:27:18,348 DEBUG [org.sourceid.servlet.HttpServletRespProxy] [qtp2106609649-101] adding lazy cookie Cookie{PF=hashedValue:E0oc11111111111111VkfIwa0I; path=/; maxAge=-1; domain=null} replacing null
2017-11-21 13:27:18,348 tid:E0oc11111111111111VkfIwa0I DEBUG [org.sourceid.websso.servlet.IntegrationControllerServlet] [qtp2106609649-101] GET: https://idp.com/idp/startSSO.ping
Need help how can we fix this problem, any knob/flag which could be set on Ping Federate to make it work.
It appears PingFed is expecting your message via Redirect Binding (you are making a GET request) but you are including the Signature in the Request like a Post binding.
PingFederate expects SigAlg and signature as URL parameters along with SAMLRequest in the redirect URL. You need to correct the way you generate the SAML authentication request.
The URL should look like this:
{IDP target URL}?SAMLRequest={url_encoded_SAML_auth_req}&Signature={signature}&RelayState={optional_landing_url}&SigAlg={signature_algorithm}
I am using PySaml2 library and in my case, I had to use the below call to get a working SAML Signed Authn request.
saml_client.prepare_for_authenticate(relay_state=landing_url, sign=True, sigalg=sig_dict[args.sigalg])
You should be able to find the similar flag (sign, sigalg) for your library too.
I have got the following SP's Request and IDP's reponse:
<samlp:LogoutRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Destination="https://dev-nnn.oktapreview.com/app/somename_hped800eportal_1/exk8dlkd0tCutHWlj0h7/slo/saml" ID="_af6eaa4a-9d5b-41ce-b265-d39dfdc5248e" Version="2.0" IssueInstant="2016-10-14T12:31:59Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="http://www.w3.org/2005/Atom">https://HPED800E:444/SynPortal/login.aspx</saml:Issuer><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">CDA_Main\hjami</saml:NameID><samlp:SessionIndex>_d9f07562-3a7f-4c03-a62d-8a985f34058f</samlp:SessionIndex><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>bBbMvzSjRc0zc1jtIxmqmkO4bYo=</DigestValue></Reference></SignedInfo><SignatureValue>...5g==</SignatureValue><KeyInfo><X509Data><X509Certificate>...Cw==</X509Certificate></X509Data></KeyInfo></Signature></samlp:LogoutRequest>
<?xml version="1.0" encoding="UTF-8"?><saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://hped800e:444/SynPortal/logout.aspx" ID="id50277036872307661186452042" InResponseTo="_1eef2809-b49e-412e-a0c5-3596e3c0b158" IssueInstant="2016-10-14T00:32:05.949Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk8dlkd0tCutHWlj0h7</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id50277036872307661186452042"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>3k7z8GF3kBemyYm+6+mEbZMSAYw=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>...MA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>...VNm</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/></saml2p:Status></saml2p:LogoutResponse>
the request is encoded base-64 and then sent via post binding.
I am getting the AuthnFailed response.
I have set up only one sp for the IDP for simplicity.
Does anyone know what I am doing wrong here?
This information is insufficient to determine as what has gone wrong in your implementation for single logout. Can you please provide following information
1) Your single logout settings in Okta that can be found under SAML Settings -> Advanced Settings under General tab of your app?
2) Based on above settings please make sure you have uploaded certificate to Okta?
3) Which SAML toolkit are you using? Can you provide toolkit settings for your toolkit?
See the working SLO request below.
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_d2be8c5de3aeeeac27c8xxxxyyyy"
Version="2.0"
IssueInstant="2016-04-27T16:15:06Z"
Destination="https://org-name.okta.com/app/simplesamlphpexample/exk4xxyyPcvdVq70x7/slo/saml"
>
<saml:Issuer>http://localhost:8888/simplesamlphp/www/module.php/saml/sp/metadata.php/example-okta-com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_d1be8c5dc2aeeeac27c8daf04b7xxxyyy6b36287bd6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>{{some_value}}</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>{{some_value}}</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>{{some_value}}</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{{email}}</saml:NameID>
<samlp:SessionIndex>{{some_value}}</samlp:SessionIndex>
Comparing the SLO settings for your request and mine few things stood out.
1) CanonicalizationMethod Algorithm in my case is set to http://www.w3.org/2001/10/xml-exc-c14n#. Yours is http://www.w3.org/TR/2001/REC-xml-c14n-20010315.
2) Name ID in your case is "CDA_Main\hjami". Can you please let me know which attribute in Okta is this? Also, have you overridden the userName of your app using the mappings from Okta to app (under profile editor -> your app mappings). For example, I am overriding the app userName from Okta login/email to be custom attribute.
If you are using another attribute (whose value is set to CDA_Main\hjami) from Okta as the username of the app, please make sure that you are overriding it like I am doing in the screenshot above.
I also had a hard time in making this Logout request successfully.
Here is the solution that worked for me:
You'll need the following keys:-
(a) Service provider's (your application's) private key, e.g. sp-pvt-key.pem
(b) Service provider's public key, e.g. sp-pub-key.pem
Note: You can generate these keys via openssl from your terminal.
Steps:
Provide SP's private key on SAML's configuration strategy in you application's code.
Upload SP's public key on okta's logout configuration.
Now you'll get successful logout response.
I am using PingFederate to act both as IdP server and SP server. After which i have OpenToken adapters for each components. And i have created IdP-to-SP Adapter Mapping under Server Configuration setting using the newly created Adapters.
And moving forward to SP CONNECTIONS > IdP Configuration section , i have created a new connection.
After which in Server Configuration > Administrative Functions > MetaData Export , i have exported the newly created SP Connections.
Now when i tried to use the metadata in SP Configuration > IDP Connections > Create New , the export functionality works fine but the data that was supposed to be loaded from the .xml file is not happening.
Here is what my metadata.xml file looks like :
<?xml version="1.0"?>
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="localhost:default:entityId" cacheDuration="PT1440M" ID="Kuvm5eRQl_BYQ27ZVtV4OCcHb.1">
-<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
-<ds:Reference URI="#Kuvm5eRQl_BYQ27ZVtV4OCcHb.1">
-<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>wn/+y44KVd1I0RfdGVnq7NGW9wc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue> pX78c96Eq//dZQIRIzEFquvcnzlnrOh4Nnfdfc5BNgdpokdnBEE91Cr20YatuQqHg61XssjVoyLi 4HfzhAqf85ni+p/NyEi8iQx86W3JptmawzkA1nFY8+JD6m/WIblipHh/1l63tF1N0akoNwhbDhky jmiBpPgPc8FxJAOPE7k= </ds:SignatureValue>
-<ds:KeyInfo>
-<ds:X509Data>
<ds:X509Certificate> MIICRzCCAbCgAwIBAgIGAUIOacSJMA0GCSqGSIb3DQEBBQUAMGYxCzAJBgNVBAYTAlVTMQswCQYD VQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMQwwCgYDVQQKEwNEZXYxDTALBgNVBAsTBFBpbmcxHDAa BgNVBAMTE0NvbmZpZyBTaWduaW5nIENlcnQwIBcNMTMxMDMxMTIwODAxWhgPMjExMzEwMDcxMjA4 MDFaMGYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMQwwCgYDVQQK EwNEZXYxDTALBgNVBAsTBFBpbmcxHDAaBgNVBAMTE0NvbmZpZyBTaWduaW5nIENlcnQwgZ8wDQYJ KoZIhvcNAQEBBQADgY0AMIGJAoGBALD4NA4uYzAxWBih6BXwyPSFlw94dolpigT1FrTeT/SGAlAg teWp2Fy2LB0mVm2tSmRyYOi85c8M9jRjaB8SB688C1Q6TqNUvhfhje46GqDuUPxguCXHZsNS9XwM trWwGzm7IenVL1WJ4LHPJI0OYt8qH7nZ6FFUDW0fbuIMMLo/AgMBAAEwDQYJKoZIhvcNAQEFBQAD gYEAkzykqYJasH8Tms2QlFa5HNWL1q8dpbp6ksEOi4E1mL1SZGs7iWM8ltYfMro1mGF/SWWxfStJ EEWiA01AigehJn2w5VPysYZxODBO1jYzRSyZo8hU8ioMcSZTpwgokzUZmMlwDhrbzDQmdh//sbri 1QB59uqG0CwU2/AJV3KU2KM= </ds:X509Certificate>
</ds:X509Data>
-<ds:KeyValue>
-<ds:RSAKeyValue>
<ds:Modulus> sPg0Di5jMDFYGKHoFfDI9IWXD3h2iWmKBPUWtN5P9IYCUCC15anYXLYsHSZWba1KZHJg6Lzlzwz2 NGNoHxIHrzwLVDpOo1S+F+GN7joaoO5Q/GC4Jcdmw1L1fAy2tbAbObsh6dUvVYngsc8kjQ5i3yof udnoUVQNbR9u4gwwuj8= </ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
-<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-<md:KeyDescriptor use="signing">
-<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-<ds:X509Data>
<ds:X509Certificate>MIICRzCCAbCgAwIBAgIGAUIOacSJMA0GCSqGSIb3DQEBBQUAMGYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMQwwCgYDVQQKEwNEZXYxDTALBgNVBAsTBFBpbmcxHDAaBgNVBAMTE0NvbmZpZyBTaWduaW5nIENlcnQwIBcNMTMxMDMxMTIwODAxWhgPMjExMzEwMDcxMjA4MDFaMGYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMQwwCgYDVQQKEwNEZXYxDTALBgNVBAsTBFBpbmcxHDAaBgNVBAMTE0NvbmZpZyBTaWduaW5nIENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALD4NA4uYzAxWBih6BXwyPSFlw94dolpigT1FrTeT/SGAlAgteWp2Fy2LB0mVm2tSmRyYOi85c8M9jRjaB8SB688C1Q6TqNUvhfhje46GqDuUPxguCXHZsNS9XwMtrWwGzm7IenVL1WJ4LHPJI0OYt8qH7nZ6FFUDW0fbuIMMLo/AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAkzykqYJasH8Tms2QlFa5HNWL1q8dpbp6ksEOi4E1mL1SZGs7iWM8ltYfMro1mGF/SWWxfStJEEWiA01AigehJn2w5VPysYZxODBO1jYzRSyZo8hU8ioMcSZTpwgokzUZmMlwDhrbzDQmdh//sbri1QB59uqG0CwU2/AJV3KU2KM=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:SingleSignOnService Location="https://localhost:9031/idp/SSO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="administrative"/>
</md:EntityDescriptor>
And the entityId attribute in .xml file points to localhost:default:entityId but ain't it suppose to be the Partner's Entity Id of SP Connection. It looks like it is extracting value from Server Setting > Federal Info of global server setting.
Question :
So is the entityId supposed to be extracted from Federal Info or SP
Connection ?
How to map SP Connection and IdP connection ?
What are the field that are populated by the metadata.xml file ?
Reference :
Training Video
By default, your entityId is set globally under Server Setting > Federation Info. So that is what you will see when you export generic or connection level meta-data to share with Partners. The value you enter into the actual IDP or SP Connection is your PARTNER'S entityId. In this case, since you are acting as the IDP and SP at the same time, the entityId values will be the same (localhost:default:entityId) in your IDP and SP Connection which can be confusing.
If needed, you can override the server-level default entityId by utilizing the Virtual Server ID which will override the Issuer value for a given connection.
You can find more information on these fields in the PingFedate Admin Guide
--Ian
I am implementing an SP initiated web browser SAML SSO profile.
My application is the SP.
The customers ask me to supply them a metadata file.
I have a Shibboleth metadata file I used for testing my application against a local Shibboleth IDP server.
Now, When I sent this file to a non-Shibboleth customer, he said that this file is a Shibboleth file and he needs a different one.
My question is:
Is there a standard SP metadata file I can use which will fit all customers, no matter what IDP they are using?
I found an example:
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
ID="_z7b6d339da96016iib0ed98ed476er3d7ae4dct5"
entityID="https://my.application.sp/login">
<md:SPSSODescriptor AuthnRequestsSigned="false"
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509SubjectName>CN=my.application.sp</ds:X509SubjectName>
<ds:X509Certificate>--my certificate--</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>--my certificate--</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://my.application.sp/handleLogin" index="0"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
Is this enough?
Can I use this as a general metadata for all the IDPs?
Thanks
The sp.xml is constrained by SAML which is an open protocol so there's no such thing as "Shibboleth metadata" - it is SAML metadata as used by Shibboleth.
The various details have to be negotiated between the two parties e.g. you have specified HTTP-POST.
What if the IDP prefers HTTP-Redirect?
What if they want the nameid-format to be persistent rather than transient and so on.
Or your certificate might be 1024 bit instead of 2048?
The metadata as it pertains to SAML can be used as a general example but it probably won't meet all the individual IDP requirements.