Forums

SAML protocol signature issue in Liferay SP

Rahul Jaiswal, modified 9 years ago

SAML protocol signature issue in Liferay SP

New Member Posts: 10 Join date: 2011.07.06.
Hello,

I am configuring Liferay 6.1 EE sp3 as a service provider (SP) and TFIM as the identity provider (IdP).

I have used Liferay's SAML plugin for EE.

When I click on sign-in page, it is taking me to TFIM login page.

After authentication it is redirecting me back to Liferay but not signing me in.

I am getting the following error message in the log:

18:20:24,951 INFO [http-bio-8080-exec-16][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:125] SAML protocol message was not signed, skipping XML signature processing
18:20:24,952 ERROR [http-bio-8080-exec-16][MandatoryAuthenticatedMessageRule:82] Inbound message issuer was not authenticated.
18:20:24,953 ERROR [http-bio-8080-exec-16][BaseSamlStrutsAction:45] com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
at com.liferay.saml.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:165)
at com.liferay.saml.profile.WebSsoProfileUtil.processResponse(WebSsoProfileUtil.java:50)


This is expecting signature on SAML protocol message.

Is this signature mandatory? Can we not configure the SAML plugin to ignore the signature?

What will be the best way to fix this issue?
Rahul Jaiswal, modified 9 years ago

RE: SAML protocol signature issue in Liferay SP

New Member Posts: 10 Join date: 2011.07.06.
My TFIM IdP is generating a signature at the assertion level but not at the SAML response level.

But Liferay's SAML plugin is always expecting a signature on the SAML response.

Setting saml.sp.sign.authn.request=false has no effect.

If I use Liferay as the IdP, then Liferay always generates a signature on the SAML response, no matter whether saml.sp.sign.authn.request is set to true or false.

It would be a great help if anyone can share any idea or resolution.
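The situation described in this post (a ds:Signature on the Assertion but none on the Response element) is easy to confirm on a captured response before touching IdP configuration. The following Python snippet is an added diagnostic, not code from this thread or from Liferay's SAML plugin. It only reports which elements carry a signature; it does not verify any signature cryptographically, which is what the plugin (via OpenSAML) does against the IdP metadata certificate. The sample responses it builds are constructed, with a placeholder issuer and signature value, and the rule in matches_thread_requirement encodes the thread's finding that a Response-level signature is required.

```python
"""Report which parts of a SAML 2.0 Response carry an XML signature (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder signature element: structure only, no real SignedInfo or value.
PLACEHOLDER_SIG = (
    '<ds:Signature><ds:SignedInfo/>'
    '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>'
)


def build_response(sign_response: bool, sign_assertion: bool) -> str:
    """Build a constructed (non-real) samlp:Response for testing the report.

    Element order follows the SAML 2.0 schema: Issuer, then Signature, then
    Status (for the Response) or Subject (for the Assertion).
    """
    resp_sig = PLACEHOLDER_SIG if sign_response else ''
    asrt_sig = PLACEHOLDER_SIG if sign_assertion else ''
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2014-06-11T09:05:30Z">
  <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
  {resp_sig}
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-06-11T09:05:30Z">
    <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
    {asrt_sig}
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def signature_report(xml_text: str) -> dict:
    """Structural check: where do ds:Signature elements sit in this Response?

    Only direct children are inspected, because an XML signature covers the
    element it is a child of; a signature nested inside an Assertion says
    nothing about the enclosing Response.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError(f"not a samlp:Response element: {root.tag}")
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_count": len(assertions),
        "assertions_signed": sum(
            a.find("ds:Signature", NS) is not None for a in assertions
        ),
        # Encrypted assertions cannot be inspected for a signature here at all.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }


def matches_thread_requirement(report: dict) -> bool:
    """True when the Response element itself is signed.

    Per the thread, the Liferay 6.1 SAML plugin as SP rejected responses that
    were signed only at the assertion level ("SAML protocol message was not
    signed" followed by "Inbound message issuer was not authenticated").
    """
    return report["response_signed"]


if __name__ == "__main__":
    for label, xml_text in (
        ("assertion signed, response unsigned", build_response(False, True)),
        ("response signed, assertion unsigned", build_response(True, False)),
    ):
        rep = signature_report(xml_text)
        verdict = "accepted" if matches_thread_requirement(rep) else "rejected"
        print(f"{label}: {rep} -> SP would have {verdict} it")
```

Run it against a response captured from your own test login (for example, decoded from the SAMLResponse form field) in place of the constructed samples. If response_signed is False while assertions_signed is 1, you are in exactly the state this post describes, and the fix is on the IdP side, not in the SP's saml.sp.* properties. Treat the report as a hint only: a present Signature element can still fail verification at the SP if it was made with a key that is not in the IdP metadata.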
Tomas Dusek, modified 9 years ago

RE: SAML protocol signature issue in Liferay SP

New Member Posts: 2 Join date: 2014.06.11.
Hello,
did anyone find a solution to this issue? We are facing the same problem.

Thanks in advance
Corné Aussems, modified 9 years ago

RE: SAML protocol signature issue in Liferay SP

Liferay Legend Posts: 1313 Join date: 2006.10.03.
I suffer from the same; it suddenly popped up, apparently after changing the "Name Identifier Format" to "Persistent".


09:05:30,058 INFO  [http-bio-8080-exec-5][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:125] SAML protocol message was not signed, skipping XML signature processing
09:05:30,058 ERROR [http-bio-8080-exec-5][MandatoryAuthenticatedMessageRule:82] Inbound message issuer was not authenticated.
09:05:30,058 ERROR [http-bio-8080-exec-5][BaseSamlStrutsAction:45] com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
	at com.liferay.saml.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:166)
	at com.liferay.saml.profile.WebSsoProfileUtil.processResponse(WebSsoProfileUtil.java:50)
	at com.liferay.saml.hook.action.AssertionConsumerServiceAction.doExecute(AssertionConsumerServiceAction.java:38)


Hmm, quite strange behaviour, because I can't set anything straight anymore.
Tomas Polesovsky, modified 9 years ago

RE: SAML protocol signature issue in Liferay SP

Liferay Master Posts: 676 Join date: 2009.02.13.
Hi guys, try to configure the IdP to sign the whole SAML message. I think the Liferay SAML plugin doesn't take assertion signatures into account.
Rahul Jaiswal, modified 9 years ago

RE: SAML protocol signature issue in Liferay SP

New Member Posts: 10 Join date: 2011.07.06.
I was able to fix this by turning on all signatures on the SAML message at the IdP side.

The Liferay SAML plugin always expects signatures on all messages. I could not find a way to turn off this signature check in any configuration.
Corné Aussems, modified 9 years ago

RE: SAML protocol signature issue in Liferay SP

Liferay Legend Posts: 1313 Join date: 2006.10.03.
Thanks Tomas and Rahul,

Due to holiday and work I was not able to continue on this and respond properly.

So I will now try to find out how I can force my IdP Shibboleth to sign all messages.
There are a lot of config files, so one should be it.

Keep you posted.

Regards
Corné
Corné Aussems, modified 9 years ago

RE: SAML protocol signature issue in Liferay SP

Liferay Legend Posts: 1313 Join date: 2006.10.03.
Hi guys,
Just want to let you know that after several hours of trial and error I finally succeeded in setting up Shibboleth as a SAML2 IdP.

Indeed, as Tomas suggested, the first step was to sign all responses.
Secondly, encryptAssertions should be set to never.

<rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true" assertionLifetime="PT5M" assertionProxyCount="0" signResponses="always" signAssertions="never" encryptAssertions="never" encryptNameIds="never" />


Once I have time I will type a blog about the whole endeavour.

Once again thanks for the very useful push in the right direction.

Cheers
Rahul Jaiswal, modified 9 years ago

RE: SAML protocol signature issue in Liferay SP

New Member Posts: 10 Join date: 2011.07.06.
Thanks Corné, for sharing your workaround on Shibboleth.