Discussion Forums

SAML protocol signature issue in Liferay SP

Rahul Jaiswal, modified 9 years ago.

SAML protocol signature issue in Liferay SP

New Member Posts: 10 Join Date: 06/07/11 Recent Posts
Hello,

I am configuring Liferay 6.1 EE sp3 as a service provider (SP) and TFIM as Identity provider (IDP).

I have used Liferay's SAML plugin for EE.

When I click on the sign-in page, it takes me to the TFIM login page.

After authentication it redirects me back to Liferay but does not sign me in.

I am getting the following error message in the log:

18:20:24,951 INFO [http-bio-8080-exec-16][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:125] SAML protocol message was not signed, skipping XML signature processing
18:20:24,952 ERROR [http-bio-8080-exec-16][MandatoryAuthenticatedMessageRule:82] Inbound message issuer was not authenticated.
18:20:24,953 ERROR [http-bio-8080-exec-16][BaseSamlStrutsAction:45] com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
at com.liferay.saml.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:165)
at com.liferay.saml.profile.WebSsoProfileUtil.processResponse(WebSsoProfileUtil.java:50)


This is expecting a signature on the SAML protocol message.

Is this signature mandatory? Can we not configure the SAML plugin to ignore the signature?

What will be the best way to fix this issue?
Rahul Jaiswal, modified 9 years ago.

RE: SAML protocol signature issue in Liferay SP

New Member Posts: 10 Join Date: 06/07/11 Recent Posts
My TFIM as IDP is generating a signature at the assertion level but not at the SAML response level.

But Liferay's SAML plugin is always expecting a signature on the SAML response.

There is no effect of setting saml.sp.sign.authn.request=false

If I use Liferay as IDP then Liferay is always generating a signature on the SAML response, no matter whether saml.sp.sign.authn.request is set to true or false.

It will be a great help if anyone can share any idea or resolution.
Tomas Dusek, modified 9 years ago.

RE: SAML protocol signature issue in Liferay SP

New Member Posts: 2 Join Date: 11/06/14 Recent Posts
Hello,
did anyone find a solution to this issue? We are facing the same problem.

Thanks in advance
Corné Aussems, modified 9 years ago.

RE: SAML protocol signature issue in Liferay SP

Liferay Legend Posts: 1313 Join Date: 03/10/06 Recent Posts
I suffer from the same, it suddenly popped up apparently after changing the "Name Identifier Format" to "Persistent"


09:05:30,058 INFO  [http-bio-8080-exec-5][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:125] SAML protocol message was not signed, skipping XML signature processing
09:05:30,058 ERROR [http-bio-8080-exec-5][MandatoryAuthenticatedMessageRule:82] Inbound message issuer was not authenticated.
09:05:30,058 ERROR [http-bio-8080-exec-5][BaseSamlStrutsAction:45] com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
	at com.liferay.saml.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:166)
	at com.liferay.saml.profile.WebSsoProfileUtil.processResponse(WebSsoProfileUtil.java:50)
	at com.liferay.saml.hook.action.AssertionConsumerServiceAction.doExecute(AssertionConsumerServiceAction.java:38)


Hmm, quite strange behaviour because I can't set anything straight anymore.
Tomas Polesovsky, modified 9 years ago.

RE: SAML protocol signature issue in Liferay SP

Liferay Master Posts: 676 Join Date: 13/02/09 Recent Posts
Hi guys, try to configure the IdP to sign the whole SAML message. I think the Liferay SAML plugin doesn't take assertion signatures into account.
Rahul Jaiswal, modified 9 years ago.

RE: SAML protocol signature issue in Liferay SP

New Member Posts: 10 Join Date: 06/07/11 Recent Posts
I was able to fix this by turning ON all signatures on SAML messages at the IDP side.

The Liferay SAML plugin always expects a signature on all messages. I could not find a way to turn off this signature check from any configuration.
Corné Aussems, modified 9 years ago.

RE: SAML protocol signature issue in Liferay SP

Liferay Legend Posts: 1313 Join Date: 03/10/06 Recent Posts
Thanks Tomas and Rahul,

Due to holiday and work I was not able to continue on this and respond properly.

So I will now try to find out how I can force my IdP Shibboleth to sign all messages.
There are a lot of config files so one should be it

Keep you posted.

Regards
Corné
Corné Aussems, modified 9 years ago.

RE: SAML protocol signature issue in Liferay SP

Liferay Legend Posts: 1313 Join Date: 03/10/06 Recent Posts
Hi guys,
Just want to let you know that after several hours of trial and error I finally succeeded in setting up Shibboleth as Saml2 IDP.

Indeed as Tomas suggested the first was to sign all responses.
Secondly encryptAssertions should be put on never.

<rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true" assertionLifetime="PT5M" assertionProxyCount="0" signResponses="always" signAssertions="never" encryptAssertions="never" encryptNameIds="never" />


One day I will type a blog about the whole endeavour.

Once again thanks for the very useful push in the right direction.

C.heers
Rahul Jaiswal, modified 9 years ago.

RE: SAML protocol signature issue in Liferay SP

New Member Posts: 10 Join Date: 06/07/11 Recent Posts
Thanks Corné, for sharing your workaround on Shibboleth.
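
Added example (not part of the thread, and not Liferay, TFIM or Shibboleth code): a small Python check that decodes a captured HTTP-POST SAMLResponse and reports whether the signature sits on the Response itself or only on the Assertion, which is the distinction behind the "SAML protocol message was not signed" log line above. The sample messages, the issuer URL and the function names are constructed for illustration; the check reports placement only and does not verify any signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signature_placement(saml_response_b64):
    """Report where ds:Signature elements sit. Placement only: nothing is verified."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: " + root.tag)
    assertions = root.findall("saml:Assertion", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        # Direct children only: a signature nested inside an Assertion
        # does not sign the protocol message.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions": len(assertions),
        "assertions_signed": sum(a.find("ds:Signature", NS) is not None
                                 for a in assertions),
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }

def diagnose(p):
    """Map the placement onto the two IdP settings changed in the thread."""
    notes = []
    if not p["response_signed"]:
        notes.append("response-unsigned")  # the case the SP logged as 'not signed'
        if p["assertions_signed"]:
            notes.append("assertion-only-signature")
    if p["encrypted_assertions"]:
        notes.append("encrypted-assertion")
    return notes or ["ok"]

def sample(response_sig, assertion_sig):
    """Constructed sample; <ds:Signature/> is an empty placeholder, not a real signature."""
    sig = "<ds:Signature/>"
    xml = ('<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" xmlns:ds="%(ds)s">'
           '<saml:Issuer>https://idp.example.test</saml:Issuer>%%s'
           '<saml:Assertion><saml:Issuer>https://idp.example.test</saml:Issuer>%%s'
           '</saml:Assertion></samlp:Response>') % NS
    return base64.b64encode((xml % (sig if response_sig else "",
                                    sig if assertion_sig else "")).encode())

if __name__ == "__main__":
    for r, a in [(False, True), (True, False)]:
        print(diagnose(signature_placement(sample(r, a))))
```
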