Carlos Andonaegui
Saml plugin exception Unknown peer entity id
9 January 2013 13:23

Ranking: New Member
Posts: 6
Joined: 11 December 2012

Hello

I'm trying to set up a Liferay SP to work with an existing IdP (simplesamlphp).

This is the exception I'm getting when I click "sign in":

18:06:31,529 ERROR [http-bio-8080-exec-5][SamlSpSsoFilter:81] com.liferay.saml.SamlException: Unknown peer entity ID idpentityid
com.liferay.saml.SamlException: Unknown peer entity ID idpentityid

I already read this post and set log4j to debug mode, but it doesn't give me any information before or after the exception, no SAML response.

I'm sure the entity ID is the right one. This is my portal-ext.properties; I don't know if I'm missing something.

## SAML
saml.enabled=true
saml.role=sp
saml.entity.id=liferaysamlspdemo
saml.metadata.path="url to idp metadata using https"
saml.require.ssl=true
saml.sign.metadata=true

## KEYSTORE
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.credential.password[liferaysamlspdemo]=liferay

## Service Provider
saml.sp.default.idp.entity.id=idpentityid
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.sp.user.attribute.mappings=screenName=screenName
Mika Koivisto
RE: Saml plugin exception Unknown peer entity id
9 January 2013 14:23

LIFERAY STAFF
Ranking: Liferay Legend
Posts: 1505
Joined: 7 August 2006

The exception says it all. It doesn't seem to have metadata for idpentityid, so either your IdP entity ID is different or it has failed to retrieve metadata for it. Can you post the metadata for your IdP?
Carlos Andonaegui
RE: Saml plugin exception Unknown peer entity id
9 January 2013 14:41

I don't think so, the IdP is the production one in the company that I work for. Maybe I can explain what I'm doing.

When I open the metadata in the browser at https://hostname/simplesaml/saml2/idp/metadata.php it asks me for a password and then shows me the metadata, and the entityID that comes in the metadata is the one I'm using.

I think the password is the part I'm missing, but I don't know what the name of that property is in portal-ext.properties.
Mika Koivisto
RE: Saml plugin exception Unknown peer entity id
10 January 2013 09:30

There is no property for that. If the metadata is not accessible without a password, then you need to download it and place it in ${liferay.home}/data/saml/ for instance, and refer to it in your saml.metadata.path property.
Carlos Andonaegui
RE: Saml plugin exception Unknown peer entity id
10 January 2013 10:53

OK, I did what you said:
downloaded the metadata, put it in ${liferay.home}/data/saml/simplesaml-metadata.xml
and modified my portal-ext.properties:
saml.enabled=true
saml.role=sp
saml.entity.id=liferaysamlspdemo
saml.metadata.path=${liferay.home}/data/saml/simplesaml-metadata.xml
saml.require.ssl=true
saml.sign.metadata=true

I copied and pasted the entityID that comes in simplesaml-metadata.xml into my properties file and still get the same exception.

I redeployed the plugin and restarted Liferay and still get the same.
Mika Koivisto
RE: Saml plugin exception Unknown peer entity id
10 January 2013 12:26

Ah, I see the problem. The property name is saml.metadata.paths, not saml.metadata.path; see the missing S.
Carlos Andonaegui
RE: Saml plugin exception Unknown peer entity id
10 January 2013 15:38

Thank you Mika that was the problem.
Carlos Andonaegui
RE: Saml plugin exception Unknown peer entity id
14 January 2013 15:46

Hi Mika, I'm finally not getting errors on the login call and response, but the portal is not authenticating the user; on the redirect it goes back to the Liferay welcome page.

This is the final log I get.

I hope you can give me any idea.

23:34:12,013 DEBUG [DigesterOutputStream:?] <xml response>
23:34:12,013 DEBUG [Reference:?] Verification successful for URI "#_51c1fd6028546c87d63b816c6b990ee82c2027e2d3"
23:34:12,013 DEBUG [Manifest:?] The Reference has Type

Here is the response if you need it:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_51c1fd6028546c87d63b816c6b990ee82c2027e2d3" IssueInstant="2013-01-14T23:34:56Z" Version="2.0"><saml:Issuer>https://googlesso.xxxxx.com/simplesaml/saml2/idp/metadata.php</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent" SPNameQualifier="liferaysamlspdemo">user.name@xxxxx.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_1b13ec635586acee99b34eda437027633df28faf" NotOnOrAfter="2013-01-14T23:39:56Z" Recipient="http://172.24.91.117:8080/c/portal/saml/acs">
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2013-01-14T23:34:26Z" NotOnOrAfter="2013-01-14T23:39:56Z">
<saml:AudienceRestriction><saml:Audience>liferaysamlspdemo</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2013-01-14T19:01:47Z" SessionIndex="_5291d785a4533fd608eb01d78de8374d3126396e7d" SessionNotOnOrAfter="2013-01-15T07:34:56Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">name</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="extensionAttribute5" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.name@xxxxx.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="sAMAccountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user_name</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Mika Koivisto
RE: Saml plugin exception Unknown peer entity id
14 January 2013 22:54

The problem is the NameID: it's an email address, but it says the format is urn:oasis:names:tc:SAML:1.1:nameid-format:persistent, which means the SP interprets it as screenName. You can either change the format to emailAddress or change the NameID value to the screenName. Those are the only options currently without modifying code. I've planned to add more flexibility to the SP configuration in future versions.
Carlos Andonaegui
RE: Saml plugin exception Unknown peer entity id
15 January 2013 09:12

I checked the two cases but still no login, and also adding the user; I'm not getting any error in the logs.

Perhaps it could be the attribute names and how I'm mapping them.

SAML response

<saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">name</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="extensionAttribute5" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.name@xxxxx.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sAMAccountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user_name</saml:AttributeValue></saml:Attribute>

portal-ext.properties

saml.sp.user.attribute.mappings=screenName=sAMAccountName\nemailAddress=extensionAttribute5\nfirstName=givenName\nlastName=sn

I keep reading about attribute mapping and simplesamlphp configuration.
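As an added example (not code from the thread, nor from Liferay's SAML plugin), here are the two things discussed above written as a checker: Mika's NameID point (an email address sent with the persistent format, which the SP treats as a screenName) plus an Audience check against the SP entity ID, and the application of the saml.sp.user.attribute.mappings value to the attributes the IdP sent. The assertion is a constructed, trimmed copy of the one posted in the thread, and the function names are my own.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: the assertion posted in the thread, trimmed to the parts checked here.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_51c1" Version="2.0">
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent">user.name@xxxxx.com</saml:NameID></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>liferaysamlspdemo</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="sn"><saml:AttributeValue>name</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="givenName"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="extensionAttribute5"><saml:AttributeValue>user.name@xxxxx.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="sAMAccountName"><saml:AttributeValue>user_name</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

# The mapping value exactly as it appears in portal-ext.properties (literal backslash-n separators).
MAPPINGS = r"screenName=sAMAccountName\nemailAddress=extensionAttribute5\nfirstName=givenName\nlastName=sn"

def parse_mappings(raw):
    """Split saml.sp.user.attribute.mappings into {portalField: samlAttributeName}."""
    pairs = {}
    # the properties loader turns the literal \n into a real line break, so mimic that first
    for line in raw.replace("\\n", "\n").splitlines():
        if "=" in line:
            portal_field, saml_attr = line.split("=", 1)
            pairs[portal_field.strip()] = saml_attr.strip()
    return pairs

def map_attributes(xml_text, mappings):
    """Apply the mappings to the AttributeStatement; attributes the IdP did not send come back as None."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in root.iter("{%s}Attribute" % NS["saml"])}
    return {field: attrs.get(saml_name) for field, saml_name in mappings.items()}

def check_assertion(xml_text, sp_entity_id):
    """Return the reasons the SP would reject or mis-handle the assertion (empty list = fine)."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        problems.append("Subject has no usable NameID")
    elif "@" in name_id.text and name_id.get("Format") != FMT_EMAIL:
        # the thread's case: an email address sent as persistent, which the SP reads as a screenName
        problems.append("NameID is an email address but Format is %s" % name_id.get("Format"))
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience %s does not include the SP entity ID %s" % (audiences, sp_entity_id))
    return problems
```

Running check_assertion on the posted assertion reports only the NameID format mismatch; swapping the Format for emailAddress clears it, which is the first of the two fixes Mika suggests.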
Kapil Burange
RE: Saml plugin exception Unknown peer entity id
22 October 2014 00:22

Ranking: New Member
Posts: 4
Joined: 4 September 2014

Hi Mika

I want to add the service provider in my Liferay IdP.
On the Service Provider end they are not generating the metadata.xml.
In that case, how can we generate the metadata.xml of the service provider on Liferay and then configure it for SSO?

We are stuck on this and waiting for a response...
Please reply...

Thanks
Kapil