Discussion forums

Facing an issue with SSO with Liferay as SP

vaibhav kachare, modified 10 years ago.

Facing an issue with SSO with Liferay as SP

New Member, Posts: 19, Join date: 14/10/13
Hi All,
In my current use case Liferay is acting as the SP and needs to be configured appropriately, but I am having a hard time figuring out the properties defined in portal-ext.properties.

##
## SAML
##

# Enable SAML Plugin
saml.enabled=true

# Set the role to sp on the Service Provider side
saml.role=sp

# Set the SAML entity id, it matches the alias we used to setup the keystore
saml.entity.id=sample_sp_saml

# The metadata location for Identity Provider
saml.metadata.paths=https://idp-Ip:8080/Metadata.xml



#
# Keystore
#

# keystore type
saml.keystore.type=jks

# location of the keystore
saml.keystore.path=${liferay.home}/data/keystoresp.jks

# pwd for accessing the keystore
saml.keystore.password=liferay

# password for the SP private-key entry in the keystore (the alias is the entity id)
saml.keystore.credential.password[sample_sp_saml]=liferay



#
# Service Provider
#

# Entity id of the default Identity Provider this SP talks to
saml.sp.default.idp.entity.id=sample_idp_saml

# Sign outgoing AuthnRequests with the SP key
saml.sp.sign.authn.request=true

# disable signatures for the demo
saml.sp.assertion.signature.required=false

# timeout setting for IdP clock deviation in ms
saml.sp.clock.skew=3000

# Session keep alive url (idp url for keeping session alive)
saml.sp.session.keepalive.url=

# Service Provider user attribute mappings
saml.sp.user.attribute.mappings=screenName=screenName\nemailAddress=emailAddress\nfirstName=firstName\nlastName=lastName

I have received the IDP entity id, metadata and public key to talk with Liferay (SP) from the IDP system team. As shown, I can configure the metadata and entity ID, but I am not sure where to configure the public key in portal-ext.properties. With the current configuration I am getting the error "org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.xml.security.SecurityException: java.security.UnrecoverableKeyException: requested entry requires a password", where the keystore password is already set correctly as shown. Any help is appreciated, or directing me to the right resource would be great. Thanks in advance.

Full log trace:
14:51:21,412 ERROR [portal-web.docroot.html.portal.status_jsp] org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.xml.security.SecurityException: java.security.UnrecoverableKeyException: requested entry requires a password
org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.xml.security.SecurityException: java.security.UnrecoverableKeyException: requested entry requires a password
at com.liferay.saml.metadata.MetadataManagerImpl.getEntityDescriptor(MetadataManagerImpl.java:121)
at com.liferay.saml.metadata.MetadataManagerUtil.getEntityDescriptor(MetadataManagerUtil.java:48)
at com.liferay.saml.hook.action.MetadataAction.doExecute(MetadataAction.java:64)
at com.liferay.saml.hook.action.MetadataAction.execute(MetadataAction.java:46)
at com.liferay.portal.kernel.struts.BaseStrutsAction.execute(BaseStrutsAction.java:37)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.liferay.portal.kernel.bean.ClassLoaderBeanHandler.invoke(ClassLoaderBeanHandler.java:67)
at $Proxy548.execute(Unknown Source)
at com.liferay.portal.struts.ActionAdapter.execute(ActionAdapter.java:50)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at com.liferay.portal.struts.PortalRequestProcessor.process(PortalRequestProcessor.java:176)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at com.liferay.portal.servlet.MainServlet.callParentService(MainServlet.java:560)
at com.liferay.portal.servlet.MainServlet.service(MainServlet.java:537)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:72)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
at com.liferay.portal.servlet.filters.strip.StripFilter.processFilter(StripFilter.java:335)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
at com.liferay.portal.servlet.filters.gzip.GZipFilter.processFilter(GZipFilter.java:123)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
at com.liferay.portal.servlet.filters.secure.SecureFilter.processFilter(SecureFilter.java:294)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
at com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter.processFilter(NtlmPostFilter.java:83)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.saml.hook.filter.SamlSpSsoFilter.processFilter(SamlSpSsoFilter.java:168)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.liferay.portal.kernel.bean.ClassLoaderBeanHandler.invoke(ClassLoaderBeanHandler.java:67)
at $Proxy547.doFilter(Unknown Source)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:80)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:216)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:187)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:738)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:167)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:167)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:187)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:73)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: org.opensaml.xml.security.SecurityException: java.security.UnrecoverableKeyException: requested entry requires a password
at com.liferay.saml.credential.KeyStoreCredentialResolver.resolveFromSource(KeyStoreCredentialResolver.java:180)
at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
at org.opensaml.xml.security.credential.AbstractCredentialResolver.resolveSingle(AbstractCredentialResolver.java:30)
at org.opensaml.xml.security.credential.AbstractCredentialResolver.resolveSingle(AbstractCredentialResolver.java:26)
at com.liferay.saml.metadata.MetadataManagerImpl.getSigningCredential(MetadataManagerImpl.java:338)
at com.liferay.saml.metadata.MetadataManagerImpl.getEntityDescriptor(MetadataManagerImpl.java:115)
... 100 more
Caused by: java.security.UnrecoverableKeyException: requested entry requires a password
at java.security.KeyStoreSpi.engineGetEntry(Unknown Source)
at java.security.KeyStore.getEntry(Unknown Source)
at com.liferay.saml.credential.KeyStoreCredentialResolver.resolveFromSource(KeyStoreCredentialResolver.java:160)
... 105 more

Regards
Vaibhav
Mika Koivisto, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

Liferay Legend, Posts: 1519, Join date: 07/08/06
Make sure your password for the credential in the keystore is correct. You can test it with the keytool that comes with your JDK. As for the IdP public key, that needs to be included in the metadata as a certificate.
vaibhav kachare, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

New Member, Posts: 19, Join date: 14/10/13
Thanks Mika for the response. I thought about that and verified the password by listing the entity ID in the keystore using the keytool command, and it did return the SP entity ID. The values in the property file I have posted are changed for confidentiality purposes; the basic idea is the same. I was able to generate the metadata file by setting up two instances of Liferay internally, one as SP and the other as IDP, as per the blog, but in this case it is throwing the mentioned error.
vaibhav kachare, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

New Member, Posts: 19, Join date: 14/10/13
I found why it is causing that error, but not sure why it is doing that. The entity ID I used for the Liferay SP was a URL, e.g. http://sso.xxx.xxxxx.com. When I generate a keypair using this entity ID and configure the Liferay ext properties for the SAML plugin, it throws the error mentioned in my earlier post. But when I try to generate it using the entity ID sso.xx.xxxx.com, a simple string, and configure the ext properties, it works perfectly. Is it so that the Liferay SAML plugin doesn't support an entity ID with a URL? I appreciate any help, and thanks in advance.
Jack Bakker, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

Liferay Master, Posts: 978, Join date: 03/01/10
Sounds like you resolved your own issue; I haven't tried a URL for an id, so I wouldn't know. Glad it is working for you now, and thanks for sharing.
vaibhav kachare, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

New Member, Posts: 19, Join date: 14/10/13
No problem Peter, it's working for me, but I would like to know why it doesn't take the URL format as entity ID. I hope to see if someone has come across such a situation and has a definite answer for it.
Mika Koivisto, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

Liferay Legend, Posts: 1519, Join date: 07/08/06
You probably didn't escape the URL correctly. The config you provided above didn't have a URL-format entityID, but had it had that, I probably could have instantly told you what the problem is.
vaibhav kachare, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

New Member, Posts: 19, Join date: 14/10/13
Thanks Mike for the response. Below is the ext properties file which was configured before I changed the entity ID to a simple single-word string. In the case below, it was throwing the error. Since we don't have the plugin source code, I am not sure where we can escape the URL correctly. Before configuring the ext properties I generated a key pair based on the entity id 'http://sso.acp.xxxxxx.com' using keytool. The path for the keystore and the password were set correctly. I am not sure why it didn't take the entity id as http://sso.acp.xxxxxx.com.

##
## SAML
##

# Enable SAML Plugin
saml.enabled=true

# Set the role to sp on the Service Provider side
saml.role=sp

# Set the SAML entity id, it matches the alias we used to setup the keystore
saml.entity.id=http://sso.acp.xxxxxx.com

# The metadata location for Identity Provider
saml.metadata.paths=https://xxxx-xx-xxxxx.xxxxxx.com/FederationMetadata/2007-06/FederationMetadata.xml



#
# Keystore
#

# keystore type
saml.keystore.type=jks

# location of the keystore
saml.keystore.path=${liferay.home}/data/keystoresp.jks

# pwd for accessing the keystore
saml.keystore.password=xxxxxx

# password for the SP private-key entry in the keystore (the alias is the entity id)
saml.keystore.credential.password[http://sso.acp.xxxxxxx.com]=xxxxxx



#
# Service Provider
#

# Entity id of the default Identity Provider this SP talks to
saml.sp.default.idp.entity.id=urn:federation:xxxxxxx

# Sign outgoing AuthnRequests with the SP key
saml.sp.sign.authn.request=true

# disable signatures for the demo
saml.sp.assertion.signature.required=false

# timeout setting for IdP clock deviation in ms
saml.sp.clock.skew=3000

# Session keep alive url (idp url for keeping session alive)
saml.sp.session.keepalive.url=https://xxxxxxx-xxxx.xxxxxx.com/adfs/ls/

# Service Provider user attribute mappings
saml.sp.user.attribute.mappings=screenName=screenName\nemailAddress=emailAddress\nfirstName=firstName\nlastName=lastName

Thanks
Vaibhav
Mika Koivisto, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

Liferay Legend, Posts: 1519, Join date: 07/08/06
saml.keystore.credential.password[http://sso.acp.xxxxxxx.com]=xxxxxx


This is where you got it wrong. It's a properties file, so you need to escape : if it comes before =. Like this:
saml.keystore.credential.password[http\://sso.acp.xxxxxxx.com]=xxxxxx
Jack Bakker, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

Liferay Master, Posts: 978, Join date: 03/01/10
Mika Koivisto:

It's a properties file so you need to escape : if it's before =. Like this:
saml.keystore.credential.password[http\://sso.acp.xxxxxxx.com]=xxxxxx

Good to know. Is that for SAML, or just in general for properties files?
Mika Koivisto, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

Liferay Legend, Posts: 1519, Join date: 07/08/06
That is in general for properties files. You can use either : or = as the separator between key and value.
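The key-splitting rule Mika describes in the two replies above (escape a ":" that comes before "=", because a properties file accepts either ":" or "=" as the separator) can be checked without a Liferay instance. What follows is an added example, not code from this thread or from the Liferay SAML plugin: a small Python re-implementation of the java.util.Properties key/value splitting rules, run over the unescaped line as originally posted and over Mika's escaped version. The host names and the password are placeholders, not the values from the thread, and the lookup helper only mimics the property name the plugin reads; it is not the plugin's own code.

```python
"""Added example (not Liferay code): how java.util.Properties splits a line into
key and value, and why an unescaped ':' inside a key silently truncates it.

Rules implemented from the java.util.Properties.load() contract:
  * a line whose first non-blank character is '#' or '!' is a comment;
  * the key ends at the first unescaped '=', ':', space or tab;
  * a backslash escapes the next character, so '\\:' and '\\=' stay in the key;
  * '\\n', '\\t', '\\r', '\\f' become the control character, '\\X' otherwise X.
Not implemented: \\uXXXX escapes and backslash line continuations.
Host names and passwords below are placeholders, not the values from the thread.
"""

_CONTROL = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def _unescape(s):
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(_CONTROL.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_line(line):
    """Split one non-blank, non-comment properties line into (key, value)."""
    line = line.lstrip(" \t")
    i = 0
    while i < len(line):
        if line[i] == "\\":        # escaped character: stays in the key, skip both
            i += 2
        elif line[i] in "=: \t":   # first unescaped terminator ends the key
            break
        else:
            i += 1
    raw_key, rest = line[:i], line[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):     # at most one separator, then optional blanks
        rest = rest[1:].lstrip(" \t")
    return _unescape(raw_key), _unescape(rest)


def load_properties(text):
    props = {}
    for line in text.splitlines():
        s = line.strip()
        if s and s[0] not in "#!":
            k, v = parse_line(s)
            props[k] = v
    return props


def credential_password(props, entity_id):
    """Mimics the lookup of saml.keystore.credential.password[<entity id>]."""
    return props.get("saml.keystore.credential.password[%s]" % entity_id)


ENTITY_ID = "http://sso.acp.example.com"
# As posted: the ':' after 'http' is taken as the key/value separator, so the
# key becomes 'saml.keystore.credential.password[http' and the lookup fails.
BROKEN = "saml.keystore.credential.password[http://sso.acp.example.com]=secret"
# As corrected: the ':' is escaped, so the whole bracketed entity id is the key.
FIXED = "saml.keystore.credential.password[http\\://sso.acp.example.com]=secret"
# The attribute-mapping line relies on the same escaping: '\n' becomes a newline.
MAPPING = "saml.sp.user.attribute.mappings=screenName=screenName\\nemailAddress=emailAddress"

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        props = load_properties(text)
        print(label, "->", props, "| lookup:", credential_password(props, ENTITY_ID))
    print(load_properties(MAPPING)["saml.sp.user.attribute.mappings"].splitlines())
```

With the unescaped line the plugin never finds a password for the alias, which is consistent with the "requested entry requires a password" exception in the first post: KeyStore.getEntry is called with no password for a private-key entry. Run the file to see the truncated key, or feed it any other portal-ext.properties line whose key contains a URL or URN.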
vaibhav kachare, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

New Member, Posts: 19, Join date: 14/10/13
Hi Mika,

I am facing another issue here, unrelated to the entity ID. We happen to have turned on SSL, so that being said I added the parameter saml.require.ssl=true in the portal-ext.properties file. When I run the plugin with that, I can see the metadata, but I don't see the URLs with https. I have posted the part of the metadata file which mentions the redirect URLs. Do I need to make any other changes besides adding the SSL parameter?

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://54.xxx.xxx.xx/c/portal/saml/slo_redirect"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://54.xxx.xxx.xx/c/portal/saml/slo_soap"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://54.xxx.xxx.xx/c/portal/saml/acs" index="1" isDefault="true"/>
</md:SPSSODescriptor>

Thanks in advance

Vaibhav
Mika Koivisto, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

Liferay Legend, Posts: 1519, Join date: 07/08/06
You need to access the metadata through https for the URLs to have https. The SSL-required setting will only cause message processing to reject any messages that aren't transported over https.
vaibhav kachare, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

New Member, Posts: 19, Join date: 14/10/13
I actually accessed the metadata file through https, since we have turned on SSL, by accessing the URL https://54.xxx.xxx.xx/c/portal/saml/metadata, but the metadata file shows the URLs in http as mentioned in the previous post. Also, the team which configures the IDP registered the app with that metadata by manually changing it to https in the metadata, but the redirect was not successful. An IDP team member mentioned that the SAML request is sending the endpoint as http and we are posting the token to https, so there is a mismatch. Is there anything else I need to configure? We are kind of stuck; any help is appreciated.
vaibhav kachare, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

New Member, Posts: 19, Join date: 14/10/13
The SAML request that our portal is sending to the IDP has AssertionConsumerServiceURL as http and not https, because of which it is unreachable.

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="http://54.20x.xxx.xx/c/portal/saml/acs" Destination="https://federation-sts-stage.accenture.com/adfs/ls/" ForceAuthn="false" ID="_4868050581ab86f69739efdebcc71584fc9c467d" IsPassive="false" IssueInstant="2013-11-14T19:54:47.664Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">sso.acp.accenture.com</saml2:Issuer>
    <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" SPNameQualifier="sso.acp.accenture.com"/>
</saml2p:AuthnRequest>
Mika Koivisto, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

Liferay Legend, Posts: 1519, Join date: 07/08/06
I'm guessing request.isSecure() returns false on the server, which means your app server doesn't see the request as secure, and thus the http.
vaibhav kachare, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

New Member, Posts: 19, Join date: 14/10/13
Thanks Mika for the response.
How can I check whether request.isSecure() returns false? I have already enabled port 8443 on Tomcat for SSL; what else do I need to configure so it can pick up the request as secure?
vaibhav kachare, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP (Answer)

New Member, Posts: 19, Join date: 14/10/13
I found why it was not taking the request as https: when I configured SSL, one parameter needed to be added in portal-ext.properties, which is
web.server.protocol=https
After adding the above parameter, when I run the plugin, it gives me URLs with https in the metadata files.
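Before handing generated SP metadata to an IdP team, it is worth checking it the way the IdP team checked it in this thread: every endpoint Location must be https, and the AssertionConsumerServiceURL in a live AuthnRequest must be exactly one of the AssertionConsumerService Locations the IdP was registered with. The following is an added example, not code from the thread or from Liferay: a Python pre-flight check using only the standard library. The metadata and AuthnRequest are constructed to mirror the fragments posted above, with placeholder hosts and a placeholder request ID rather than the poster's real values.

```python
"""Added example (not Liferay code): lint SP metadata and a captured AuthnRequest
for the http/https mismatch discussed in the thread. Sample documents below are
constructed with placeholder hosts; they are not the poster's real metadata."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Shaped like the metadata fragment in the thread: all three endpoints are http.
SP_METADATA_HTTP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="sso.acp.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://sp.example.com/c/portal/saml/slo_redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://sp.example.com/c/portal/saml/slo_soap"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://sp.example.com/c/portal/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# What the IdP team registered after hand-editing the scheme to https.
SP_METADATA_HTTPS = SP_METADATA_HTTP.replace("http://sp.example.com", "https://sp.example.com")

# Shaped like the captured AuthnRequest: ACS URL still http, placeholder ID.
AUTHN_REQUEST_HTTP = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  AssertionConsumerServiceURL="http://sp.example.com/c/portal/saml/acs"
  Destination="https://idp.example.com/adfs/ls/" ForceAuthn="false" ID="_placeholder"
  IsPassive="false" IssueInstant="2013-11-14T19:54:47Z" Version="2.0"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>"""


def endpoint_locations(metadata_xml):
    """All (local element name, Location) pairs under the SPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    return [(el.tag.split("}")[1], el.get("Location"))
            for el in sp if el.get("Location")]


def non_https_endpoints(metadata_xml):
    """Endpoints an IdP would reject when saml.require.ssl=true style rules apply."""
    return [(tag, loc) for tag, loc in endpoint_locations(metadata_xml)
            if urlsplit(loc).scheme != "https"]


def acs_url_registered(authn_request_xml, metadata_xml):
    """True iff the AuthnRequest's ACS URL matches an advertised ACS Location exactly.

    The comparison is string-exact on purpose: IdPs such as ADFS compare the
    requested ACS URL against the registered endpoints, so http vs https is a
    mismatch even when host and path agree."""
    req = ET.fromstring(authn_request_xml)
    acs = req.get("AssertionConsumerServiceURL")
    advertised = {loc for tag, loc in endpoint_locations(metadata_xml)
                  if tag == "AssertionConsumerService"}
    return acs in advertised


def report(metadata_xml, authn_request_xml):
    """Human-readable findings; empty list means the pair is consistent."""
    findings = ["%s is not https: %s" % (tag, loc)
                for tag, loc in non_https_endpoints(metadata_xml)]
    if not acs_url_registered(authn_request_xml, metadata_xml):
        findings.append("AuthnRequest ACS URL is not one of the registered ACS endpoints")
    return findings


if __name__ == "__main__":
    print("generated (http) metadata vs. request:", report(SP_METADATA_HTTP, AUTHN_REQUEST_HTTP))
    print("hand-edited (https) metadata vs. request:", report(SP_METADATA_HTTPS, AUTHN_REQUEST_HTTP))
```

Run against the two constructed documents, the first report shows only the three non-https endpoints (the http request does match the http metadata), while the second shows the exact situation the IdP team reported: the hand-edited https metadata no longer contains the ACS URL the portal actually sends. The fix belongs on the SP side, as the post above found, so that Liferay itself emits https URLs in both the metadata and the AuthnRequest.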
vaibhav kachare, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

New Member, Posts: 19, Join date: 14/10/13
Hi Mika,

I am getting this issue, please take a look. I found a blog which had the same issue but couldn't follow it. I have attached both metadata files, IDP and SP; I have also imported the public key cert given by the IDP into my keystore. Please help me with this issue.
https://www.liferay.com/community/forums/-/message_boards/message/31675284

portal-ext.properties saml configuration


##
## SAML
##

# Enable SAML Plugin
saml.enabled=true

# Set the role to sp on the Service Provider side
saml.role=sp

#set SSL required
saml.require.ssl=true

# Set the SAML entity id, it matches the alias we used to setup the keystore
saml.entity.id=sso.acp.xxxxxx.com

# The metadata location for Identity Provider
#saml.metadata.paths=${liferay.home}/data/saml/FederationMetadata.xml
saml.metadata.paths=https://federation-sts-stage.xxxxxxx.com/FederationMetadata/2007-06/FederationMetadata.xml
saml.sign.metadata=true

#
# Keystore
#

# keystore type
saml.keystore.type=jks

# location of the keystore
saml.keystore.path=${liferay.home}/data/keystoresp.jks

# pwd for accessing the keystore
saml.keystore.password=asgard

# password for the SP private-key entry in the keystore (the alias is the entity id)
saml.keystore.credential.password[sso.acp.xxxxxxx.com]=asgard

#
# Service Provider
#

# Entity id of the default Identity Provider this SP talks to
saml.sp.default.idp.entity.id=urn:federation:xxxxxxx:stage

# Sign outgoing AuthnRequests with the SP key
saml.sp.sign.authn.request=true

# require assertions from the IdP to be signed
saml.sp.assertion.signature.required=true

# timeout setting for IdP clock deviation in ms
saml.sp.clock.skew=3000

# Session keep alive url (idp url for keeping session alive)
saml.sp.session.keepalive.url=https://federation-sts-stage.xxxxxxx.com/adfs/ls/

# Service Provider user attribute mappings
saml.sp.user.attribute.mappings=screenName=screenName\nemailAddress=emailAddress\nfirstName=firstName\nlastName=lastName

Regards
Vaibhav Kachare
vaibhav kachare, modified 10 years ago.

RE: Facing an issue with SSO with Liferay as SP

New Member, Posts: 19, Join date: 14/10/13
Got it, Thanks a lot Mika for pointing that out and clarifying, I really appreciate your help!
Regards
Vaibhav
Willem Vermeer, modified 9 years ago.

RE: Facing an issue with SSO with Liferay as SP

Junior Member, Posts: 32, Join date: 30/03/12
Thanks for pointing this out - this tripped me up too. Our entityID contains several colons which need to be escaped in portal-ext.properties