Anton Herber
SAML: Response does not contain any acceptable assertions
January 5, 2013 2:46 PM

Good evening,

I'm currently testing Liferay 6.1 with SAML using a NetIQ IdP. Metadata can be exchanged, but I have trouble establishing a connection between the IdP and Liferay. When just signing the Assertion, I'm getting the following error message in the logfile:

No encryption for assertions, just signing:

22:03:17,412 INFO  [http-bio-8080-exec-9][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:114] SAML protocol message was not signed, skipping XML signature processing
22:03:17,413 ERROR [http-bio-8080-exec-9][MandatoryAuthenticatedMessageRule:76] Inbound message issuer was not authenticated.
22:03:17,438 ERROR [http-bio-8080-exec-9][status_jsp:665] com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.


After turning on the encryption for assertions at the IdP I get:

21:59:50,103 INFO  [http-bio-8080-exec-3][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:122] Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
21:59:50,137 ERROR [http-bio-8080-exec-3][status_jsp:665] com.liferay.saml.SamlException: Response does not contain any acceptable assertions
com.liferay.saml.SamlException: Response does not contain any acceptable assertions


The Responses from the server are:

SAML Response without encryption: http://pastebin.com/Wi8rMK5D
SAML Response with encryption: http://pastebin.com/KEtJR6SF

(I'm sorry, I wasn't able to include the responses in this posting. There was always an error message like "illegal message".)

Am I missing something? Using this IdP with SimpleSAMLPHP is working without problems.

Thanks
Anton
Alex Belt
RE: SAML: Response does not contain any acceptable assertions
January 7, 2013 6:46 AM

It looks like the very first error message on the unencrypted response is telling you what you need to know:

SAML protocol message was not signed, skipping XML signature processing


Instead of signing just the assertion, try signing the entire request and attaching the signature block to the Response block instead of the Assertion block. That seems to work OK for me.
Mika Koivisto (LIFERAY STAFF)
RE: SAML: Response does not contain any acceptable assertions
January 7, 2013 4:40 PM

Like Alex already said, the whole message has to be signed. That's just a security measure to ensure that the message is unaltered and came from a trusted source. Signing the individual assertions is optional (configured with the property saml.sp.assertion.signature.required).
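A structural check for the distinction Alex and Mika describe, so you can see at a glance whether a captured Response is signed at the message level or only inside the Assertion. This is an added example, not code from Liferay, NetIQ or the posters; the sample Response and its IDs are constructed, and the findings are a local approximation of the SP rule stated above, not Liferay's own messages.

```python
# Added diagnostic (not Liferay or NetIQ code): report which elements of a
# SAML 2.0 Response carry an XML signature. It applies the rule the thread
# states: the <samlp:Response> itself must be signed; a signature on the
# <saml:Assertion> alone is optional (saml.sp.assertion.signature.required).
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"


def _has_direct_signature(el):
    # Only a direct child counts: a descendant search ('.//') would report an
    # assertion-level signature as if it covered the whole Response.
    return el.find(f"{{{NS_DS}}}Signature") is not None


def signature_report(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_P}}}Response":
        raise ValueError("not a samlp:Response")
    assertions = root.findall(f"{{{NS_A}}}Assertion")
    encrypted = root.findall(f"{{{NS_A}}}EncryptedAssertion")
    return {
        "response_signed": _has_direct_signature(root),
        "assertions": len(assertions),
        "assertions_signed": sum(_has_direct_signature(a) for a in assertions),
        # An encrypted assertion's own signature cannot be seen before decryption.
        "encrypted_assertions": len(encrypted),
    }


def sp_findings(xml_text, assertion_signature_required=False):
    r = signature_report(xml_text)
    findings = []
    if not r["response_signed"]:
        findings.append("Response not signed: issuer cannot be authenticated")
    if assertion_signature_required and r["assertions_signed"] < r["assertions"]:
        findings.append("unsigned Assertion while assertion signatures are required")
    return findings


# Constructed sample: only the Assertion is signed, the Response is not
# (the shape the original poster's IdP produced at first).
ASSERTION_ONLY_SIGNED = f"""<samlp:Response xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" xmlns:ds="{NS_DS}" ID="_constructed_r1">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Assertion ID="_constructed_a1"><saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue/></ds:Signature></saml:Assertion>
</samlp:Response>"""
```

Run `sp_findings(ASSERTION_ONLY_SIGNED)` on the sample to reproduce the first situation in the thread; feed it the decoded Response from your own IdP to see which element carries the signature.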
Anton Herber
RE: SAML: Response does not contain any acceptable assertions
January 8, 2013 7:07 AM

Thanks Alex and Mika. Unfortunately it's not possible to sign the whole message within the used implementation of the IdP (you can choose between "Message signing", "Mutual SSL" or "Basic Auth", but the whole message is obviously not signed). It's only possible to encrypt the message and/or sign the assertion itself. I have to dig a little bit deeper to find the right switch for it, I guess.

There's no possibility to turn off the need for signing the whole message within the Liferay SAML plugin, is there?

--- Edit ---

Got my IdP to sign the SAML message. When I click on login, I get redirected to my IdP. After logging in for the first time I'm returned to the initial Liferay login. That's the message:

15:35:51,889 INFO  [http-bio-8080-exec-2][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:122] Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
15:35:51,927 ERROR [http-bio-8080-exec-4][AutoLoginFilter:245] Current URL / generates exception: java.lang.NullPointerException


After I hit refresh I get:

15:38:57,824 INFO  [http-bio-8080-exec-6][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:122] Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
15:38:57,849 ERROR [http-bio-8080-exec-6][status_jsp:665] com.liferay.saml.SamlException: Response does not contain any acceptable assertions
com.liferay.saml.SamlException: Response does not contain any acceptable assertions


I think I should take a look at the mappings...

--- Edit 2 ---

16:13:19,173 INFO  [http-bio-8080-exec-4][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:122] Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
16:13:19,358 ERROR [http-bio-8080-exec-7][AutoLoginFilter:245] Current URL /web/guest/home generates exception: com.liferay.portal.UserScreenNameException


I'm getting closer... digging through the forums right now ;)

--- Edit 3 ---

After removing the spaces, with displayName mapped to screenName, I now get:

18:13:14,024 DEBUG [Reference:?] Verification successful for URI "#idrHR924FGxUNnKYZPnCU6h6O7vQk"
18:13:14,024 DEBUG [Manifest:?] The Reference has Type
18:13:14,156 ERROR [http-bio-8080-exec-3][AutoLoginFilter:245] Current URL / generates exception: com.liferay.portal.DuplicateUserScreenNameException


--- Edit 4 ---

New fun: using a non-existing user gets me logged in. But I'm asked for a new password and a new secret question. Why? I've been searching the forums and found a posting with the same problem as mine, but after I closed the window I couldn't find it again...

I'm also not able to log out; my IdP is telling me: "No binding set for LogoutResponse" (something is misconfigured, I guess).

After manually logging out through the IdP and trying to log in with the user again I get:

18:45:23,443 DEBUG [Reference:?] Verification successful for URI "#idUta0RqUgdDOxdqgTUOLdPtO9pMk"
18:45:23,443 DEBUG [Manifest:?] The Reference has Type
18:45:23,450 ERROR [http-bio-8080-exec-8][AutoLoginFilter:245] Current URL / generates exception: com.liferay.portal.DuplicateUserScreenNameException


Strange...
Alex Belt
RE: SAML: Response does not contain any acceptable assertions
January 8, 2013 8:39 AM

If you look at the SAML code inside Liferay, it's set up so that if it doesn't locate the user contained in the SAML assertion, it adds the user entry as a new user. So the first time you log in with a non-existent user, it lets you in because you just registered a new user. The second time, it's trying to add the same user, so you get the DuplicateUserScreenNameException error. What is your installation configured to use for the username? I disabled the add-user code inside the SAML code to avoid something like that. I also found that the method being used to retrieve user data didn't match the data it was being passed (User ID vs. Email Address), so I had to switch that call to a different method, and I noticed that the patch I used didn't populate certain pieces of information correctly, so I had to fix that as well. For me, that code resides in portal-impl/com/liferay/portal/security/auth/SAMLAutoLogin.java.

I'm patching our 5.2.3 installation to add SAML support, so under 6.x that class may be in a different package. The messages indicate that you're validating the signature just fine, now you need to tweak how you're retrieving the user data so that it finds it.

HTH,
Alex
Anton Herber
RE: SAML: Response does not contain any acceptable assertions
January 9, 2013 2:50 AM

Thanks Alex. I think it was your post I was reading yesterday and can't find anymore. I'll take a look at where to make those changes in Liferay 6. Where do I find the sources of the SAML plugin? I'm just using the WAR version within a demo EE environment at the moment.

--- Edit ---

Okay, I'll have to open a ticket. I see.
Avinash Seetharamu
RE: SAML: Response does not contain any acceptable assertions
April 30, 2014 10:03 PM

Could you please share the ticket number if you have already opened one?

Thanks,