Graham Matthews
Liferay IDP SAML plugin - missing 'InResponseTo'
4 December 2012 13:34
Hi,

I've set up the SAML IDP in Liferay 6.1 EE and have it partially working. My SAML Service Provider is Jive SBS, which uses the Spring Security Framework. I'm initiating the Sign On from the SP.

The SP complains of the following when it tries to decode the assertion:

- Processing Bearer subject confirmation
- Bearer SubjectConfirmation invalidated by missing inResponseTo field
- Assertion invalidated by subject confirmation - can't be confirmed by the bearer method


From looking at JOSSO, it seems they had the same issue with this field being missing. http://www.josso.org/jira/browse/JOSSO-332

Attached is what my SP receives from Liferay. This doesn't have the 'InResponseTo' field within 'SubjectConfirmationData'

Here is what I have configured for the IDP portal-ext.properties.

saml.enabled=true
saml.role=idp
saml.entity.id=liferaysamlidpdemo
saml.require.ssl=false
saml.sign.metadata=true
saml.idp.authn.request.signature.required=true

saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.type=jks
saml.keystore.credential.password[liferaysamlidpdemo]=liferay

saml.metadata.paths=${liferay.home}/data/saml/jive-metadata.xml
saml.idp.metadata.nameid.resolver=com.liferay.saml.DefaultNameIDResolver
saml.idp.metadata.name.id.format[http://dev102.refpod.net]=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

saml.idp.metadata.attributes.enabled=true
saml.idp.metadata.attributes.enabled[http://dev102.refpod.net]=true
saml.idp.metadata.attribute.names[http://dev102.refpod.net]=screenName,firstName,lastName,emailAddress,uuid


Also, I have managed to get the same SP to work fine with OpenAM. OpenAM does pass the following, which includes the 'InResponseTo' field.

<saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="http://id.example.org:8080/openam">TGDK0eN42EnAGM/ADfyiZH19MZ0X</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="a8ij5dii5ceagd4c6bae0ed8db656" NotOnOrAfter="2012-12-04T19:42:56Z" Recipient="http://jive.example.org/saml/sso"/>
    </saml:SubjectConfirmation>
</saml:Subject>


Any help on identifying if this is a bug or if I have configured something wrong would be much appreciated.

Thanks
Graham
Attachments: SAML Response.xml (4.4k)

Mika Koivisto (Liferay staff)
RE: Liferay IDP SAML plugin - missing 'InResponseTo'
6 December 2012 17:54

That's a bug. Even though we are already adding the InResponseTo message ID to the Response, it's missing from the SubjectConfirmationData. The fix itself is very simple. Can you request a patch for it through your support account and reference this message? The issue will be fixed in LPS-31488.

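The SP-side check behind the three log lines in the first post, and behind Mika's point that InResponseTo on the Response element is not enough, as an added example (this is not Liferay, Jive, Spring Security SAML or OpenAM code). In an SP-initiated flow the SP only accepts a bearer assertion whose SubjectConfirmationData/@InResponseTo names an AuthnRequest it actually has outstanding; otherwise an unsolicited or replayed assertion could be accepted as the answer to an in-flight login. The request ID and ACS URL are taken from the OpenAM snippet above; both SAML responses are constructed samples, not the attached SAML Response.xml, and signature verification is assumed to have already succeeded before this check runs.

```python
"""Bearer subject confirmation for an SP-initiated SAML 2.0 login.

Added example, not code from Liferay, Jive, Spring Security SAML or OpenAM.
The SP must bind the bearer assertion to the AuthnRequest ID it issued via
SubjectConfirmationData/@InResponseTo; InResponseTo on the Response element
alone does not do this. Signature verification is assumed to have succeeded.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def confirm_bearer_subject(response_xml, request_id, acs_url, now):
    """Return (ok, reason) for the first Assertion in a SAML Response.

    request_id is the ID of the AuthnRequest this SP sent and still has
    outstanding; acs_url is the endpoint the Response arrived at.
    """
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != request_id:
        return False, "Response InResponseTo does not match an outstanding request"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion in Response"
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # holder-of-key etc. are confirmed differently
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            return False, "bearer SubjectConfirmation has no SubjectConfirmationData"
        if data.get("InResponseTo") is None:
            # The exact failure the thread reports for the Liferay IdP.
            return False, "bearer SubjectConfirmation invalidated by missing InResponseTo"
        if data.get("InResponseTo") != request_id:
            return False, "bearer InResponseTo does not match an outstanding request"
        if data.get("Recipient") != acs_url:
            return False, "Recipient is not this ACS URL"
        expiry = data.get("NotOnOrAfter")
        if expiry is None:
            return False, "bearer SubjectConfirmationData has no NotOnOrAfter"
        expires_at = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if now >= expires_at:
            return False, "bearer SubjectConfirmationData has expired"
        return True, "bearer subject confirmed"
    return False, "assertion cannot be confirmed by the bearer method"


# --- constructed samples (not the attached SAML Response.xml) ---------------
REQUEST_ID = "a8ij5dii5ceagd4c6bae0ed8db656"  # from the OpenAM snippet in the thread
ACS_URL = "http://jive.example.org/saml/sso"
NOW = datetime(2012, 12, 4, 19, 40, 0, tzinfo=timezone.utc)    # before NotOnOrAfter
LATER = datetime(2012, 12, 4, 19, 45, 0, tzinfo=timezone.utc)  # after NotOnOrAfter


def _response(subject_confirmation_data):
    """Wrap one SubjectConfirmationData element in a minimal, unsigned Response."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" InResponseTo="{REQUEST_ID}">
  <saml:Assertion ID="_assert1">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">subj</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        {subject_confirmation_data}
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


# Shape the thread describes for the Liferay IdP: InResponseTo present on the
# Response but absent from SubjectConfirmationData.
MISSING_IN_RESPONSE_TO = _response(
    f'<saml:SubjectConfirmationData NotOnOrAfter="2012-12-04T19:42:56Z" Recipient="{ACS_URL}"/>'
)
# Shape the OpenAM snippet shows.
WITH_IN_RESPONSE_TO = _response(
    f'<saml:SubjectConfirmationData InResponseTo="{REQUEST_ID}" '
    f'NotOnOrAfter="2012-12-04T19:42:56Z" Recipient="{ACS_URL}"/>'
)

if __name__ == "__main__":
    for label, xml in (("liferay-style", MISSING_IN_RESPONSE_TO),
                       ("openam-style", WITH_IN_RESPONSE_TO)):
        print(label, confirm_bearer_subject(xml, REQUEST_ID, ACS_URL, NOW))
```

The Recipient and NotOnOrAfter checks are kept alongside InResponseTo because the three together are what make a bearer assertion single-use for one SP endpoint within one login: InResponseTo ties it to the request, Recipient stops it being relayed to another ACS, and NotOnOrAfter bounds the replay window. An SP that has no outstanding request ID (IdP-initiated login) has to treat a missing InResponseTo differently, which is why the check above is written for the SP-initiated case the thread describes.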
Graham Matthews
RE: Liferay IDP SAML plugin - missing 'InResponseTo'
11 December 2012 02:47

Thanks Mika for confirming this is a bug, and I see also that a fix has been committed. Fast work!

I'm actually on a 30 day trial of Liferay so I don't have a support account setup yet. I'll make my account manager aware of this issue though.

Thanks
Graham