Discussion forums

SAML: Response does not contain any acceptable assertions

Anton Herber, modified 11 years ago.

SAML: Response does not contain any acceptable assertions

New Member Posts: 3 Join date: 3/01/13
Good evening,

I'm currently testing Liferay 6.1 with SAML using a NetIQ IdP. Metadata can be exchanged, but I have trouble establishing a connection between the IdP and Liferay. When just signing the Assertion, I get the following error message in the logfile:

No Encryption for assertions, just signing:


22:03:17,412 INFO  [http-bio-8080-exec-9][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:114] SAML protocol message was not signed, skipping XML signature processing
22:03:17,413 ERROR [http-bio-8080-exec-9][MandatoryAuthenticatedMessageRule:76] Inbound message issuer was not authenticated.
22:03:17,438 ERROR [http-bio-8080-exec-9][status_jsp:665] com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.


After turning on the encryption for assertions at the IdP I get:

21:59:50,103 INFO  [http-bio-8080-exec-3][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:122] Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
21:59:50,137 ERROR [http-bio-8080-exec-3][status_jsp:665] com.liferay.saml.SamlException: Response does not contain any acceptable assertions
com.liferay.saml.SamlException: Response does not contain any acceptable assertions


The Responses from the server are:

SAML Response without encryption: http://pastebin.com/Wi8rMK5D
SAML Response with encryption: http://pastebin.com/KEtJR6SF

(I'm sorry, I wasn't able to include the responses in this posting. There was always an error message like "illegal message".)

Am I missing something? Using this IdP with SimpleSAMLPHP is working without problems.

Thanks
Anton
Alex Belt, modified 11 years ago.

RE: SAML: Response does not contain any acceptable assertions

Junior Member Posts: 49 Join date: 9/10/12
It looks like the very first error message on the unencrypted response is telling you what you need to know:

SAML protocol message was not signed, skipping XML signature processing


Instead of signing just the assertion, try signing the entire request and attach the signature block to the Response block instead of the Assertion block. That seems to work ok for me.
Mika Koivisto, modified 11 years ago.

RE: SAML: Response does not contain any acceptable assertions

Liferay Legend Posts: 1519 Join date: 7/08/06
Like Alex already said the whole message has to be signed. That's just a security measure to ensure that the message is unaltered and came from a trusted source. Signing the individual assertions is optional (configured with property saml.sp.assertion.signature.required)
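The two replies above describe the SP-side policy that produced both log excerpts: a Response whose only `ds:Signature` sits inside the Assertion is treated as an unsigned protocol message, and a Response whose assertions cannot be used yields "does not contain any acceptable assertions". The following Python script is an added example, not Liferay's or OpenSAML's code; it inspects where the signatures sit in a SAML Response and applies that policy. The sample documents are constructed (the real ones are only linked from the post), `assertion_signature_required` stands in for the `saml.sp.assertion.signature.required` property mentioned above, and `can_decrypt` is an assumption standing in for "the SP holds the key for EncryptedAssertion". Only signature placement is checked, not cryptographic validity.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# SAML 2.0 and XML-DSig namespaces that appear in the Response documents.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


@dataclass
class SignatureReport:
    response_signed: bool          # ds:Signature is a direct child of samlp:Response
    assertions_total: int          # plain saml:Assertion elements
    assertions_signed: int         # of those, how many carry their own ds:Signature
    encrypted_assertions: int      # saml:EncryptedAssertion elements
    problems: list = field(default_factory=list)

    @property
    def acceptable(self) -> bool:
        return not self.problems


def inspect_response(xml_text, assertion_signature_required=False, can_decrypt=False):
    """Apply the SP policy from the thread: the whole Response must be signed,
    assertion signatures are optional, and only assertions the SP can read count."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)

    # A one-step path in find() matches direct children only, so a Signature
    # nested inside an Assertion does not count as a signature over the Response.
    response_signed = root.find("ds:Signature", NS) is not None
    assertions = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    signed = sum(1 for a in assertions if a.find("ds:Signature", NS) is not None)

    report = SignatureReport(response_signed, len(assertions), signed, len(encrypted))
    if not response_signed:
        # Matches the first log excerpt: "SAML protocol message was not signed"
        # followed by "Inbound message issuer was not authenticated".
        report.problems.append("Response is not signed; issuer cannot be authenticated")
    if assertion_signature_required and signed < len(assertions):
        report.problems.append("%d of %d assertions lack a signature"
                               % (len(assertions) - signed, len(assertions)))
    usable = len(assertions) + (len(encrypted) if can_decrypt else 0)
    if usable == 0:
        report.problems.append("Response does not contain any acceptable assertions")
    return report


# Constructed sample signature block (placeholder value, not a real signature).
_SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:SignedInfo/><ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue></ds:Signature>')


def build_response(sign_response, sign_assertion, encrypt_assertion):
    """Assemble a minimal constructed Response in schema order (Issuer, Signature, Status, Assertion)."""
    if encrypt_assertion:
        assertion = ('<saml:EncryptedAssertion><xenc:EncryptedData '
                     'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>')
    else:
        assertion = ('<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-01-03T22:03:17Z">'
                     '<saml:Issuer>https://idp.example.invalid</saml:Issuer>'
                     + (_SIG if sign_assertion else "")
                     + '<saml:Subject><saml:NameID>anton</saml:NameID></saml:Subject>'
                     '</saml:Assertion>')
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
            'IssueInstant="2013-01-03T22:03:17Z">'
            '<saml:Issuer>https://idp.example.invalid</saml:Issuer>'
            + (_SIG if sign_response else "")
            + '<samlp:Status><samlp:StatusCode '
            'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            + assertion + '</samlp:Response>')


if __name__ == "__main__":
    # The three situations from the thread: assertion-only signature, encrypted
    # assertion behind a signed Response, and a signed Response with a plain assertion.
    for flags in [(False, True, False), (True, False, True), (True, False, False)]:
        print(flags, inspect_response(build_response(*flags)).problems)
```

Running the script prints one line per scenario; only the last (Response signed, plain assertion) comes back with an empty problem list, which is the shape of message the plugin accepted once the IdP was switched to signing the whole message.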
Anton Herber, modified 11 years ago.

RE: SAML: Response does not contain any acceptable assertions

New Member Posts: 3 Join date: 3/01/13
Thanks Alex and Mike. Unfortunately it's not possible to sign the whole message (you can choose between "Message signing", "Mutual SSL" or "Basic Auth", but the whole message is obviously not signed) within the used implementation of the IdP. It's just possible to encrypt the message and/or sign the assertion itself. I'll have to dig a little bit deeper to find the right switch for it, I guess.

There's no possibility to turn off the need for signing the whole message within the Liferay SAML plugin, is there?

---- Edit ---

Got my IdP to sign the SAML Message. When I click on login, I get redirected to my IdP. After login for the first time I'm returned to the initial Liferay Login. That's the message:

15:35:51,889 INFO  [http-bio-8080-exec-2][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:122] Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
15:35:51,927 ERROR [http-bio-8080-exec-4][AutoLoginFilter:245] Current URL / generates exception: java.lang.NullPointerException


After I hit refresh I get:

15:38:57,824 INFO  [http-bio-8080-exec-6][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:122] Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
15:38:57,849 ERROR [http-bio-8080-exec-6][status_jsp:665] com.liferay.saml.SamlException: Response does not contain any acceptable assertions
com.liferay.saml.SamlException: Response does not contain any acceptable assertions


I think I should take a look at the mappings...

--- Edit 2 ---

16:13:19,173 INFO  [http-bio-8080-exec-4][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:122] Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
16:13:19,358 ERROR [http-bio-8080-exec-7][AutoLoginFilter:245] Current URL /web/guest/home generates exception: com.liferay.portal.UserScreenNameException


I'm getting closer... digging through the forums right now ;)

---- Edit 3 ---

After removing spaces with displayName mapped to screenName now I get:

18:13:14,024 DEBUG [Reference:?] Verification successful for URI "#idrHR924FGxUNnKYZPnCU6h6O7vQk"
18:13:14,024 DEBUG [Manifest:?] The Reference has Type
18:13:14,156 ERROR [http-bio-8080-exec-3][AutoLoginFilter:245] Current URL / generates exception: com.liferay.portal.DuplicateUserScreenNameException


--- Edit 4 ---

New fun: using a non-existing user gets me logged in. But I'm asked for a new password and new secret question. Why? I've been searching the forums and found a posting with the same problem as mine, but after I closed the window I can't find it again...

I'm also not able to log out; my IdP is telling me: "No binding set for LogoutResponse" (there's something misconfigured, I guess).

After manually logging out through the IdP and trying to log in with the user again I get:

18:45:23,443 DEBUG [Reference:?] Verification successful for URI "#idUta0RqUgdDOxdqgTUOLdPtO9pMk"
18:45:23,443 DEBUG [Manifest:?] The Reference has Type
18:45:23,450 ERROR [http-bio-8080-exec-8][AutoLoginFilter:245] Current URL / generates exception: com.liferay.portal.DuplicateUserScreenNameException


Strange...
Alex Belt, modified 11 years ago.

RE: SAML: Response does not contain any acceptable assertions

Junior Member Posts: 49 Join date: 9/10/12
If you look at the SAML code inside Liferay, it's set up so that if it doesn't locate the user contained in the SAML assertion, it adds the user entry as a new user. So the first time you log in with a non-existent user, it lets you in because you just registered a new user. The second time, it's trying to add the same user, so you get the DuplicateUserScreenNameException error. What is your installation configured to use for the username? I disabled the add-user code inside the SAML code to avoid something like that, and I also found that the method being used to retrieve user data didn't match the data it was being passed (User ID vs. Email Address), so I had to switch that call to a different method, and I noticed that the patch I used didn't populate certain pieces of information correctly, so I had to fix that as well. For me, that code resides in portal-impl/com/liferay/portal/security/auth/SAMLAutoLogin.java.

I'm patching our 5.2.3 installation to add SAML support, so under 6.x that class may be in a different package. The messages indicate that you're validating the signature just fine, now you need to tweak how you're retrieving the user data so that it finds it.

HTH,
Alex
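The reply above explains the three exceptions Anton hit in his edits as one lookup-or-create flow: an invalid derived screen name (UserScreenNameException), auto-creation on first login, and a duplicate on the second login when the lookup is done against a field that does not match the value the assertion carries. The Python model below is an added example written for this thread, not code from Liferay's SAMLAutoLogin or the SAML plugin; the in-memory `UserStore`, the screen-name rule, and the assumption that the assertion's NameID is the subject's e-mail address are all constructed for illustration.

```python
import re


class UserScreenNameError(Exception):
    """Stand-in for UserScreenNameException: the derived screen name is not valid."""


class DuplicateUserScreenNameError(Exception):
    """Stand-in for DuplicateUserScreenNameException: that screen name already exists."""


# Hypothetical screen-name rule for the example: lower-case letters, digits, dot,
# underscore and hyphen; spaces (as in a raw displayName) are rejected.
SCREEN_NAME_RE = re.compile(r"^[a-z0-9._-]+$")


class UserStore:
    """Minimal in-memory portal user table (constructed for the example)."""

    def __init__(self):
        self._users = []

    def find(self, field, value):
        """Look a user up by one column; returns None when nothing matches."""
        for user in self._users:
            if user.get(field) == value:
                return user
        return None

    def add_user(self, screen_name, email):
        if not SCREEN_NAME_RE.match(screen_name):
            raise UserScreenNameError("invalid screen name %r" % screen_name)
        if self.find("screenName", screen_name) is not None:
            raise DuplicateUserScreenNameError(screen_name)
        user = {"userId": len(self._users) + 1,
                "screenName": screen_name, "emailAddress": email}
        self._users.append(user)
        return user


def derive_screen_name(display_name, strip_spaces=True):
    """Map the IdP's displayName onto a screen name; dropping spaces is the Edit 3 workaround."""
    name = display_name.lower()
    return name.replace(" ", "") if strip_spaces else name


def saml_auto_login(store, attrs, lookup_field="emailAddress", auto_create=True):
    """Resolve an already-validated assertion's subject to a portal user.

    lookup_field names the store column the NameID is compared against. Passing an
    e-mail NameID to a lookup keyed on userId never matches, so every login falls
    through to add_user and the second one raises DuplicateUserScreenNameError.
    auto_create=False is the 'disable the add-user code' option from the reply.
    """
    name_id = attrs["NameID"]  # assumed to be the subject's e-mail address
    user = store.find(lookup_field, name_id)
    if user is not None:
        return user
    if not auto_create:
        raise LookupError("no user for %r and auto-creation is disabled" % name_id)
    return store.add_user(derive_screen_name(attrs["displayName"]), name_id)


if __name__ == "__main__":
    attrs = {"NameID": "anton@example.invalid", "displayName": "Anton Herber"}  # constructed
    store = UserStore()
    print(saml_auto_login(store, attrs)["screenName"])            # created on first login
    print(saml_auto_login(store, attrs) is store.find("userId", 1))  # found, not re-created
```

The check that matters in practice is the second call: with the lookup field matching what was stored, repeated logins return the same record, and the duplicate exception only appears when the lookup compares the NameID against the wrong column.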
Anton Herber, modified 11 years ago.

RE: SAML: Response does not contain any acceptable assertions

New Member Posts: 3 Join date: 3/01/13
Thanks Alex. I think it was your post I've been reading yesterday and can't find anymore. I'll take a look at where to make those changes in Liferay 6. Where do I find the sources of the SAML plugin? I'm just using the WAR version within the demo EE environment at the moment.

-- Edit --

Okay, I'll have to open a ticket. I see.
Avinash Seetharamu, modified 9 years ago.

RE: SAML: Response does not contain any acceptable assertions

New Member Posts: 1 Join date: 23/10/09
Could you please share the ticket number if you have already opened one?

Thanks,