Graham Matthews
Liferay IDP SAML plugin - missing 'InResponseTo'
December 4, 2012 1:34 PM
Hi,

I've set up the SAML IDP in Liferay 6.1 EE and have it partially working. My SAML Service Provider is Jive SBS, which uses the Spring Security Framework. I'm initiating the Sign On from the SP.

The SP complains of the following when it tries to decode the assertion:

- Processing Bearer subject confirmation
- Bearer SubjectConfirmation invalidated by missing inResponseTo field
- Assertion invalidated by subject confirmation - can't be confirmed by the bearer method


From looking at JOSSO, it seems they had the same issue with this field being missing. http://www.josso.org/jira/browse/JOSSO-332

Attached is what my SP receives from Liferay. This doesn't have the 'InResponseTo' field within 'SubjectConfirmationData'.

Here is what I have configured for the IDP in portal-ext.properties.

saml.enabled=true
saml.role=idp
saml.entity.id=liferaysamlidpdemo
saml.require.ssl=false
saml.sign.metadata=true
saml.idp.authn.request.signature.required=true

saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.type=jks
saml.keystore.credential.password[liferaysamlidpdemo]=liferay

saml.metadata.paths=${liferay.home}/data/saml/jive-metadata.xml
saml.idp.metadata.nameid.resolver=com.liferay.saml.DefaultNameIDResolver
saml.idp.metadata.name.id.format[http://dev102.refpod.net]=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

saml.idp.metadata.attributes.enabled=true
saml.idp.metadata.attributes.enabled[http://dev102.refpod.net]=true
saml.idp.metadata.attribute.names[http://dev102.refpod.net]=screenName,firstName,lastName,emailAddress,uuid


Also, I have managed to get the same SP to work fine with OpenAM. OpenAM does pass the following, which includes the 'InResponseTo' field.

<saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="http://id.example.org:8080/openam">TGDK0eN42EnAGM/ADfyiZH19MZ0X</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="a8ij5dii5ceagd4c6bae0ed8db656" NotOnOrAfter="2012-12-04T19:42:56Z" Recipient="http://jive.example.org/saml/sso"/>
    </saml:SubjectConfirmation>
</saml:Subject>


Any help on identifying if this is a bug or if I have configured something wrong would be much appreciated.

Thanks
Graham
Attachments: SAML Response.xml (4.4k)
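The three Spring Security SAML log lines quoted above are the output of the SP's bearer subject-confirmation check. The following is an added example, not code from this thread, from Jive, or from Liferay's SAML plugin: a minimal SP-side version of that check in Python, run over two constructed Subject fragments, one shaped like the OpenAM snippet (InResponseTo present) and one shaped like what the poster describes receiving from Liferay (InResponseTo absent). The ACS URL, request ID and NotOnOrAfter value are taken from the OpenAM snippet; the fixed clock is an assumption so the run is reproducible.

```python
# Added example (not from the thread, Jive, or Liferay): SP-side validation of a
# bearer SubjectConfirmation, the check that produced the log lines in the post.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample matching the OpenAM snippet: all three attributes present.
SUBJECT_WITH_IN_RESPONSE_TO = """\
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">TGDK0eN42EnAGM/ADfyiZH19MZ0X</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="a8ij5dii5ceagd4c6bae0ed8db656"
        NotOnOrAfter="2012-12-04T19:42:56Z" Recipient="http://jive.example.org/saml/sso"/>
  </saml:SubjectConfirmation>
</saml:Subject>
"""

# Constructed sample of the shape the poster describes: no InResponseTo.
SUBJECT_MISSING_IN_RESPONSE_TO = """\
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">TGDK0eN42EnAGM/ADfyiZH19MZ0X</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2012-12-04T19:42:56Z" Recipient="http://jive.example.org/saml/sso"/>
  </saml:SubjectConfirmation>
</saml:Subject>
"""

ACS_URL = "http://jive.example.org/saml/sso"
OUTSTANDING_REQUEST_ID = "a8ij5dii5ceagd4c6bae0ed8db656"
# Fixed clocks (assumed) so the run is reproducible; a real SP uses the current time.
SAMPLE_NOW = datetime(2012, 12, 4, 19, 0, 0, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2012, 12, 4, 20, 0, 0, tzinfo=timezone.utc)


def check_bearer_confirmation(subject_xml, expected_request_id, acs_url, now):
    """Return (ok, reason) for the bearer SubjectConfirmation in subject_xml.

    expected_request_id is the ID of the AuthnRequest this SP issued (SP-initiated
    SSO, the poster's case), or None for an unsolicited, IdP-initiated response,
    in which case the data must not carry an InResponseTo at all.
    """
    root = ET.fromstring(subject_xml)
    for conf in root.iterfind(".//saml:SubjectConfirmation", NS):
        if conf.get("Method") != BEARER_METHOD:
            continue  # only the bearer method is checked here
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            return False, "bearer SubjectConfirmation has no SubjectConfirmationData"
        in_response_to = data.get("InResponseTo")
        if expected_request_id is None:
            if in_response_to is not None:
                return False, "unsolicited response must not carry InResponseTo"
        elif in_response_to is None:
            return False, "missing InResponseTo"  # the poster's failure
        elif in_response_to != expected_request_id:
            return False, "InResponseTo does not match the outstanding AuthnRequest ID"
        if data.get("Recipient") != acs_url:
            return False, "Recipient does not match this SP's ACS URL"
        not_on_or_after = data.get("NotOnOrAfter")
        if not_on_or_after is None:
            return False, "missing NotOnOrAfter"
        # Whole-second UTC timestamps, as in the sample; no fractional seconds handled.
        expiry = datetime.strptime(not_on_or_after, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if now >= expiry:
            return False, "SubjectConfirmationData has expired"
        return True, "bearer subject confirmed"
    return False, "no bearer SubjectConfirmation present"


if __name__ == "__main__":
    for label, xml in (("openam-style", SUBJECT_WITH_IN_RESPONSE_TO),
                       ("liferay-style", SUBJECT_MISSING_IN_RESPONSE_TO)):
        print(label, check_bearer_confirmation(xml, OUTSTANDING_REQUEST_ID, ACS_URL, SAMPLE_NOW))
```

The InResponseTo check is what ties the assertion to a request this SP actually made; together with Recipient and NotOnOrAfter it is what stops a bearer assertion captured elsewhere from being replayed here, which is why the SP refuses the assertion outright rather than logging a warning. The None branch matters for IdP-initiated SSO, where the absence of InResponseTo is expected; in the SP-initiated flow of this thread the SP is right to reject.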
Mika Koivisto (Liferay staff)
RE: Liferay IDP SAML plugin - missing 'InResponseTo'
December 6, 2012 5:54 PM

That's a bug. It's missing the InResponseTo message ID from the SubjectConfirmationData: even though we are already adding it in the Response, it's missing from SubjectConfirmationData. The fix itself is very simple. Can you request a patch for it through your support account and reference this message? The issue will be fixed in LPS-31488.
Graham Matthews
RE: Liferay IDP SAML plugin - missing 'InResponseTo'
December 11, 2012 2:47 AM
Thanks Mika for confirming this is a bug, and I see also that a fix has been committed. Fast work!

I'm actually on a 30 day trial of Liferay, so I don't have a support account set up yet. I'll make my account manager aware of this issue though.

Thanks
Graham