I am facing an issue with SSO implementation between Liferay and ADFS using SAML 2.0. When the request goes from Liferay to ADFS, it asks for authentication. Once authenticated, the ADFS generats the SAML response and sends it back to Liferay. But, here in our case, when the SAML response is getting generated, the status is showing Invalid NameiD policy.
Please help finding out the root cause of the issue as it is very urgent.
SAML Request:
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://XXXXXportal-dev.XXXXXXXXX.com/c/portal/saml/acs"
Destination="https://qfrwflt2.eur.gad.XXXXXXXXX.com/adfs/ls/"
ForceAuthn="false"
ID="_a9dfae2f46957ca98052fe69ae5fae7bd3aa245b"
IsPassive="false"
IssueInstant="2013-09-18T14:53:26.387Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://XXXXXportal-dev.XXXXXXXXX.com</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SPNameQualifier="https://XXXXXportal-dev.XXXXXXXXX.com"
/>
</saml2p:AuthnRequest>
SAML Response:
<samlp:Response ID="_cce4e935-a258-42c2-b1d8-98f012dd37d2"
Version="2.0"
IssueInstant="2013-09-19T09:36:52.556Z"
Destination="https://XXXXXportal-dev.XXXXXXXXX.com/c/portal/saml/acs"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="_91f09e8f9ca820a904a06e6d573bc9daf18d1163"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://QFRWFLT2.eur.gad.XXXXXXXXX.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_cce4e935-a258-42c2-b1d8-98f012dd37d2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds
igestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsigestValue>DWQF//rxdoIkD5F7ZeQWDIS8G9I=</dsigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Jwd/gBVHa1Ka9oYMvK4LFLZybaWz+kGwxMtRpg/zTq5V+uJN7MTT0DFjpxOuilG/AYzFfcdtavCsmAh4Uk2hHqum2e8kbeiqFj3C3D5O+biIa7ZhxQRA9usuKZsu1sIGGRRzuhgg8lSkpsqnJIpJjs2vJUhaILFs2rZ3J1oMM1owIMfkcRdjR
2D+D2VXC/X7xWGKHVnlBI+RRBo3uODNWj1GayR4qJXlPEnFBDv9YnihxRlT/6tQMkUXyidMvWeWIVGzmeG+ve1fAY+HB61e4WWTZXuLGXQJAi+diBVjXjhITlrNU5R3SNdlv36ggmBz3dInmIpv6tz/UeeNJnXg==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDCjCCAfKgAwIBAgIQGMfNCIjn9ZxNCkc0FnK7djANBgkqhkiG9w0BAQsFADBBMT8wPQYDVQQDEzZBREZTIFNpZ25pbmcgLSBRRlJXRkxUMi5ldXIuZ2FkLnNjaG5laWRlci1lbGVjdHJpYy5jb20wHhcNMTMwNTMwMTIwMzU3WhcNMTQwNTMwMTIwMzU3WjBBMT8wPQYDVQQDEzZBREZTIFNpZ25pbmcgLSBRRlJXRkxUMi5ldXIuZ2FkLnNjaG5laWRlci1lbGVjdHJpYy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9XqxFgWns8jDM3FsRt3rIKDWGG+59CnPRIxe0Bkaw7b1EmYc4LQpTzKKFy/Ll8jAeHviObUM1rhAtvbH0/iN+e0b9Jqy3vTqT0B4Bf0SiKKebLNgicnRHZO8ZyZKxLPDxkkThHRMtjOP23pl02TI+MPUhMJMlwwYZ76Mjj9QdUvzyH9RqnzWxPM3FpisPjxPVix/vTNOMVLr3oTP3eEJ1XYdFBWiyjbJomFsJwP367BVLohv3hSCN7BVviEPccRL4ChY0j3lZU02FqWx6v1uFH+u+vTSdhWW9jwstpuCv8cIFZxt3z5EG0yiXq/F+jd+e7i2L0GLCsCCVvpKWasDlAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIfgCpxehPaPJQr+2bsEWA2g/XOykxkYHicFdj9NHDOsNLsQhYEAVApUhHEIXiPDl4klNDMkYvs8fTXgAaTlWapt89wRJhztWYp9Cs5pggRoH0tsh9k138Phi/NuV89Q3MEFLnTr8Xbd7Lib/jeqQt80ZIeSiz01y1LnMmFPgDW6YES0/OLV6wAY0FTDvjLJyeFzHShFd7tMoCeWvMn5Uu9rnaREBsc55DU9wSUO3Nq3dG/iVB+onmmGBhOHfbazSSXzDz2akyu40RF2JP5tqlfyuu0K2ttiw8aaETAzuZYHVDnH66AySpgUXX/DOqF0LwVeHWBoUPN7FK4Vb5Y47k0=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
</samlp:StatusCode>
</samlp:Status>
</samlp:Response>
Please help finding out the root cause of the issue as it is very urgent.
SAML Request:
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://XXXXXportal-dev.XXXXXXXXX.com/c/portal/saml/acs"
Destination="https://qfrwflt2.eur.gad.XXXXXXXXX.com/adfs/ls/"
ForceAuthn="false"
ID="_a9dfae2f46957ca98052fe69ae5fae7bd3aa245b"
IsPassive="false"
IssueInstant="2013-09-18T14:53:26.387Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://XXXXXportal-dev.XXXXXXXXX.com</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SPNameQualifier="https://XXXXXportal-dev.XXXXXXXXX.com"
/>
</saml2p:AuthnRequest>
SAML Response:
<samlp:Response ID="_cce4e935-a258-42c2-b1d8-98f012dd37d2"
Version="2.0"
IssueInstant="2013-09-19T09:36:52.556Z"
Destination="https://XXXXXportal-dev.XXXXXXXXX.com/c/portal/saml/acs"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="_91f09e8f9ca820a904a06e6d573bc9daf18d1163"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://QFRWFLT2.eur.gad.XXXXXXXXX.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_cce4e935-a258-42c2-b1d8-98f012dd37d2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds
igestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><ds
igestValue>DWQF//rxdoIkD5F7ZeQWDIS8G9I=</dsigestValue></ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Jwd/gBVHa1Ka9oYMvK4LFLZybaWz+kGwxMtRpg/zTq5V+uJN7MTT0DFjpxOuilG/AYzFfcdtavCsmAh4Uk2hHqum2e8kbeiqFj3C3D5O+biIa7ZhxQRA9usuKZsu1sIGGRRzuhgg8lSkpsqnJIpJjs2vJUhaILFs2rZ3J1oMM1owIMfkcRdjR
2D+D2VXC/X7xWGKHVnlBI+RRBo3uODNWj1GayR4qJXlPEnFBDv9YnihxRlT/6tQMkUXyidMvWeWIVGzmeG+ve1fAY+HB61e4WWTZXuLGXQJAi+diBVjXjhITlrNU5R3SNdlv36ggmBz3dInmIpv6tz/UeeNJnXg==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDCjCCAfKgAwIBAgIQGMfNCIjn9ZxNCkc0FnK7djANBgkqhkiG9w0BAQsFADBBMT8wPQYDVQQDEzZBREZTIFNpZ25pbmcgLSBRRlJXRkxUMi5ldXIuZ2FkLnNjaG5laWRlci1lbGVjdHJpYy5jb20wHhcNMTMwNTMwMTIwMzU3WhcNMTQwNTMwMTIwMzU3WjBBMT8wPQYDVQQDEzZBREZTIFNpZ25pbmcgLSBRRlJXRkxUMi5ldXIuZ2FkLnNjaG5laWRlci1lbGVjdHJpYy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9XqxFgWns8jDM3FsRt3rIKDWGG+59CnPRIxe0Bkaw7b1EmYc4LQpTzKKFy/Ll8jAeHviObUM1rhAtvbH0/iN+e0b9Jqy3vTqT0B4Bf0SiKKebLNgicnRHZO8ZyZKxLPDxkkThHRMtjOP23pl02TI+MPUhMJMlwwYZ76Mjj9QdUvzyH9RqnzWxPM3FpisPjxPVix/vTNOMVLr3oTP3eEJ1XYdFBWiyjbJomFsJwP367BVLohv3hSCN7BVviEPccRL4ChY0j3lZU02FqWx6v1uFH+u+vTSdhWW9jwstpuCv8cIFZxt3z5EG0yiXq/F+jd+e7i2L0GLCsCCVvpKWasDlAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIfgCpxehPaPJQr+2bsEWA2g/XOykxkYHicFdj9NHDOsNLsQhYEAVApUhHEIXiPDl4klNDMkYvs8fTXgAaTlWapt89wRJhztWYp9Cs5pggRoH0tsh9k138Phi/NuV89Q3MEFLnTr8Xbd7Lib/jeqQt80ZIeSiz01y1LnMmFPgDW6YES0/OLV6wAY0FTDvjLJyeFzHShFd7tMoCeWvMn5Uu9rnaREBsc55DU9wSUO3Nq3dG/iVB+onmmGBhOHfbazSSXzDz2akyu40RF2JP5tqlfyuu0K2ttiw8aaETAzuZYHVDnH66AySpgUXX/DOqF0LwVeHWBoUPN7FK4Vb5Y47k0=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
</samlp:StatusCode>
</samlp:Status>
</samlp:Response>
Hi Mika,
we are using Liferay as Idp and when we issue the SAML and try to login on salesforce its successful.
but in the SAML response we are getting SAML2 as a prefix
for eg<saml2:Attribute>
Ideally it should not create any issue but our vendors don't want prefix with attributes
Is there a way to remove the prefix from SAML response generated by SAML 2.0 Plugin.
Thanks in advance.....
we are using Liferay as Idp and when we issue the SAML and try to login on salesforce its successful.
but in the SAML response we are getting SAML2 as a prefix
for eg<saml2:Attribute>
Ideally it should not create any issue but our vendors don't want prefix with attributes
Is there a way to remove the prefix from SAML response generated by SAML 2.0 Plugin.
Thanks in advance.....
Hi guys,
I'm using Liferay Portal Enterprise Edition 6.2.10 EE GA1 (Newton / Build 6210 / November 1, 2013). with the SAML plugin. My liferay instance acts as a SP and the ADFS as IP. The issue I have is that my metadata file generated does not have any name id policy information. Below is the metadata file generated and the portal-ext.properties. Any ideas?
portal-ext.properties
saml.enabled=true
saml.role=sp
saml.entity.id=liferaysamlspdemo
saml.metadata.paths=${liferay.home}/data/FederationMetadata.xml
saml.sp.user.attribute.mappings=screenName=screenName\nemailAddress=emailAddress\nfirstName=firstName\nlastName=myCustomAttribute
saml.sp.metadata.name.id.format[https\://XXXXXXXX:8443]=urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.credential.password[liferaysamlspdemo]=liferay
saml.sp.default.idp.entity.id='http://XXXXXX/adfs/services/trust'
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.sp.session.keepalive.url=http://localhost:8080/c/portal/saml/idp/keepalive
metadata.xml
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="liferaysamlspdemo"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<dsigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsigestValue>9emGvqy5NWUuYWETTmQRHk5uwVc=</dsigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>coxd3VRofeO8y/gDqvoqEaJAXWcZ8WRTi1Hnd7d52eUkeI9gDAi/lQ8zJVMFrcF1EaobDrpoT5fhwgGcZFhSE/CpkTlJQd0ApLfNUzUrQVvRySwZXRM3TH2evp72BUYIiKGnXNQBJGmc2Oh0z4778EG0BEUBb376crbaMcPuj6Dxc50keJCJypQ/zeHrkAKGy1iOQbKU6yJx+x0SOF2/6KbR4JCFK5agJsDKU29509sFYZEkRtyFe8XLDR2VGHcpL8CGv74JFpJxGdhEA2uWyYs2Dzb9lZqzjCnZhmh9cpuMP6scwP4HtRi+jHo9qqaX0iy9gCWWEkr6TFv7ayjh3Q==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>....
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<md:SPSSODescriptor AuthnRequestsSigned="false"
ID="liferaysamlspdemo" WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>....
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://XXXXXXXXXXXXXX:8443/c/portal/saml/slo_soap" />
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://XXXXXXXXXXXXXX:8443/c/portal/saml/acs"
index="1" isDefault="true" />
</md:SPSSODescriptor>
</md:EntityDescriptor>
I'm using Liferay Portal Enterprise Edition 6.2.10 EE GA1 (Newton / Build 6210 / November 1, 2013). with the SAML plugin. My liferay instance acts as a SP and the ADFS as IP. The issue I have is that my metadata file generated does not have any name id policy information. Below is the metadata file generated and the portal-ext.properties. Any ideas?
portal-ext.properties
saml.enabled=true
saml.role=sp
saml.entity.id=liferaysamlspdemo
saml.metadata.paths=${liferay.home}/data/FederationMetadata.xml
saml.sp.user.attribute.mappings=screenName=screenName\nemailAddress=emailAddress\nfirstName=firstName\nlastName=myCustomAttribute
saml.sp.metadata.name.id.format[https\://XXXXXXXX:8443]=urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.credential.password[liferaysamlspdemo]=liferay
saml.sp.default.idp.entity.id='http://XXXXXX/adfs/services/trust'
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.sp.session.keepalive.url=http://localhost:8080/c/portal/saml/idp/keepalive
metadata.xml
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="liferaysamlspdemo"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds
igestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><ds
igestValue>9emGvqy5NWUuYWETTmQRHk5uwVc=</dsigestValue></ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>coxd3VRofeO8y/gDqvoqEaJAXWcZ8WRTi1Hnd7d52eUkeI9gDAi/lQ8zJVMFrcF1EaobDrpoT5fhwgGcZFhSE/CpkTlJQd0ApLfNUzUrQVvRySwZXRM3TH2evp72BUYIiKGnXNQBJGmc2Oh0z4778EG0BEUBb376crbaMcPuj6Dxc50keJCJypQ/zeHrkAKGy1iOQbKU6yJx+x0SOF2/6KbR4JCFK5agJsDKU29509sFYZEkRtyFe8XLDR2VGHcpL8CGv74JFpJxGdhEA2uWyYs2Dzb9lZqzjCnZhmh9cpuMP6scwP4HtRi+jHo9qqaX0iy9gCWWEkr6TFv7ayjh3Q==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>....
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<md:SPSSODescriptor AuthnRequestsSigned="false"
ID="liferaysamlspdemo" WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>....
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://XXXXXXXXXXXXXX:8443/c/portal/saml/slo_soap" />
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://XXXXXXXXXXXXXX:8443/c/portal/saml/acs"
index="1" isDefault="true" />
</md:SPSSODescriptor>
</md:EntityDescriptor>
