soumyajit sarkar (Rank: New Member, Posts: 8, Join Date: November 3, 2011)
Facing an issue with SSO implementation between Liferay and ADFS using SAML
September 20, 2013 10:10 AM

I am facing an issue with SSO implementation between Liferay and ADFS using SAML 2.0. When the request goes from Liferay to ADFS, it asks for authentication. Once authenticated, ADFS generates the SAML response and sends it back to Liferay. But here, in our case, when the SAML response is generated, the status shows Invalid NameID policy.

Please help finding out the root cause of the issue as it is very urgent.

SAML Request:

<saml2p:AuthnRequest AssertionConsumerServiceURL="https://XXXXXportal-dev.XXXXXXXXX.com/c/portal/saml/acs"
Destination="https://qfrwflt2.eur.gad.XXXXXXXXX.com/adfs/ls/"
ForceAuthn="false"
ID="_a9dfae2f46957ca98052fe69ae5fae7bd3aa245b"
IsPassive="false"
IssueInstant="2013-09-18T14:53:26.387Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://XXXXXportal-dev.XXXXXXXXX.com</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SPNameQualifier="https://XXXXXportal-dev.XXXXXXXXX.com"
/>
</saml2p:AuthnRequest>


SAML Response:

<samlp:Response ID="_cce4e935-a258-42c2-b1d8-98f012dd37d2"
Version="2.0"
IssueInstant="2013-09-19T09:36:52.556Z"
Destination="https://XXXXXportal-dev.XXXXXXXXX.com/c/portal/saml/acs"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="_91f09e8f9ca820a904a06e6d573bc9daf18d1163"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://QFRWFLT2.eur.gad.XXXXXXXXX.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_cce4e935-a258-42c2-b1d8-98f012dd37d2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>DWQF//rxdoIkD5F7ZeQWDIS8G9I=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Jwd/gBVHa1Ka9oYMvK4LFLZybaWz+kGwxMtRpg/zTq5V+uJN7MTT0DFjpxOuilG/AYzFfcdtavCsmAh4Uk2hHqum2e8kbeiqFj3C3D5O+biIa7ZhxQRA9usuKZsu1sIGGRRzuhgg8lSkpsqnJIpJjs2vJUhaILFs2rZ3J1oMM1owIMfkcRdjRemoticon2D+D2VXC/X7xWGKHVnlBI+RRBo3uODNWj1GayR4qJXlPEnFBDv9YnihxRlT/6tQMkUXyidMvWeWIVGzmeG+ve1fAY+HB61e4WWTZXuLGXQJAi+diBVjXjhITlrNU5R3SNdlv36ggmBz3dInmIpv6tz/UeeNJnXg==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDCjCCAfKgAwIBAgIQGMfNCIjn9ZxNCkc0FnK7djANBgkqhkiG9w0BAQsFADBBMT8wPQYDVQQDEzZBREZTIFNpZ25pbmcgLSBRRlJXRkxUMi5ldXIuZ2FkLnNjaG5laWRlci1lbGVjdHJpYy5jb20wHhcNMTMwNTMwMTIwMzU3WhcNMTQwNTMwMTIwMzU3WjBBMT8wPQYDVQQDEzZBREZTIFNpZ25pbmcgLSBRRlJXRkxUMi5ldXIuZ2FkLnNjaG5laWRlci1lbGVjdHJpYy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9XqxFgWns8jDM3FsRt3rIKDWGG+59CnPRIxe0Bkaw7b1EmYc4LQpTzKKFy/Ll8jAeHviObUM1rhAtvbH0/iN+e0b9Jqy3vTqT0B4Bf0SiKKebLNgicnRHZO8ZyZKxLPDxkkThHRMtjOP23pl02TI+MPUhMJMlwwYZ76Mjj9QdUvzyH9RqnzWxPM3FpisPjxPVix/vTNOMVLr3oTP3eEJ1XYdFBWiyjbJomFsJwP367BVLohv3hSCN7BVviEPccRL4ChY0j3lZU02FqWx6v1uFH+u+vTSdhWW9jwstpuCv8cIFZxt3z5EG0yiXq/F+jd+e7i2L0GLCsCCVvpKWasDlAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIfgCpxehPaPJQr+2bsEWA2g/XOykxkYHicFdj9NHDOsNLsQhYEAVApUhHEIXiPDl4klNDMkYvs8fTXgAaTlWapt89wRJhztWYp9Cs5pggRoH0tsh9k138Phi/NuV89Q3MEFLnTr8Xbd7Lib/jeqQt80ZIeSiz01y1LnMmFPgDW6YES0/OLV6wAY0FTDvjLJyeFzHShFd7tMoCeWvMn5Uu9rnaREBsc55DU9wSUO3Nq3dG/iVB+onmmGBhOHfbazSSXzDz2akyu40RF2JP5tqlfyuu0K2ttiw8aaETAzuZYHVDnH66AySpgUXX/DOqF0LwVeHWBoUPN7FK4Vb5Y47k0=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
</samlp:StatusCode>
</samlp:Status>
</samlp:Response>
Attachments: IDP_Metadata.txt (32.6k), SP_Metadata.txt (2.4k), portal-ext.properties (1.1k)
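The Response above carries its reason in a nested StatusCode: the outer code (Requester) says which side the IdP blames, the inner one (InvalidNameIDPolicy) says why. The following is an added example, not code from the thread or from the Liferay SAML plugin, that reads a request/response pair the way an SP operator would when triaging such a failure: it walks the StatusCode chain, pulls out the NameIDPolicy attributes the SP asked for (Format, SPNameQualifier, AllowCreate), and confirms that InResponseTo points back at the request's ID. The two messages are constructed samples with the same shape as the thread's, using placeholder hosts and IDs.

```python
"""Added example (not from the thread): summarise a SAML AuthnRequest/Response
pair so a Requester/InvalidNameIDPolicy answer can be read at a glance."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: the shape of the thread's AuthnRequest, placeholder hosts/IDs.
AUTHN_REQUEST = """<saml2p:AuthnRequest ID="_req1" Version="2.0"
    Destination="https://idp.example/adfs/ls/"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      SPNameQualifier="https://sp.example"/>
</saml2p:AuthnRequest>"""

# Constructed sample: the shape of the thread's error Response (signature omitted).
ERROR_RESPONSE = """<samlp:Response ID="_resp1" Version="2.0" InResponseTo="_req1"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.example/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


def status_codes(response_xml):
    """Return the StatusCode chain, outermost first. SAML nests the specific
    reason (e.g. InvalidNameIDPolicy) under the top-level Requester/Responder code."""
    root = ET.fromstring(response_xml)
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes


def name_id_policy(request_xml):
    """Return the NameIDPolicy attributes the SP asked for (empty dict if absent)."""
    root = ET.fromstring(request_xml)
    node = root.find("samlp:NameIDPolicy", NS)
    return dict(node.attrib) if node is not None else {}


def diagnose(request_xml, response_xml):
    """Does the response answer this request, did it succeed, and if not,
    which policy attributes was the IdP asked to honour?"""
    req = ET.fromstring(request_xml)
    resp = ET.fromstring(response_xml)
    codes = status_codes(response_xml)
    return {
        "in_response_to_matches": resp.get("InResponseTo") == req.get("ID"),
        "success": codes[:1] == [STATUS_SUCCESS],
        "status_codes": codes,
        "requested_policy": name_id_policy(request_xml),
    }


if __name__ == "__main__":
    for key, value in diagnose(AUTHN_REQUEST, ERROR_RESPONSE).items():
        print(f"{key}: {value}")
```

Reading the inner code together with the requested policy is usually enough to know what to ask the IdP administrator about (here: the emailAddress format and the SPNameQualifier); the IdP's own logs, as the reply below notes, carry the rest.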
Mika Koivisto (LIFERAY STAFF, Rank: Liferay Legend, Posts: 1513, Join Date: August 7, 2006)
RE: Facing an issue with SSO implementation between Liferay and ADFS using
September 20, 2013 11:57 AM

Your ADFS doesn't like the NameIDPolicy the SP is sending. You'll probably find more details about what it doesn't like about it in the ADFS logs, and you'll need to ask your ADFS administrator to configure it so that it allows the policy. Also, if you are using an unpatched saml-portlet for 6.1.20, you'll need to contact support to get a patch for it so that SLO works with ADFS. The patch you are asking for is so that it doesn't send SPNameQualifier in the NameIDPolicy.
soumyajit sarkar (Rank: New Member, Posts: 8, Join Date: November 3, 2011)
RE: Facing an issue with SSO implementation between Liferay and ADFS using
September 20, 2013 1:12 PM

Thanks a lot Mika for your quick reply. Appreciate it.
I will contact Liferay support team and apply the patch.
soumyajit sarkar (Rank: New Member, Posts: 8, Join Date: November 3, 2011)
RE: Facing an issue with SSO implementation between Liferay and ADFS using
September 23, 2013 8:28 AM

The Invalid NameID policy exception is resolved now. The Response is also being generated properly on the ADFS side. But when the response comes back to Liferay, it throws the following exception. I have attached the error log.

com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
Attachments: SAML_Exception.txt (10.4k)
Mika Koivisto (LIFERAY STAFF, Rank: Liferay Legend, Posts: 1513, Join Date: August 7, 2006)
RE: Facing an issue with SSO implementation between Liferay and ADFS using
September 23, 2013 12:04 PM

The messages need to be signed and the metadata must contain the certificate that can be used to verify that signature.
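A quick way to check the second half of that statement is to compare the certificate the IdP put in the Response's ds:KeyInfo with the signing KeyDescriptors in the IdP metadata the SP was configured with: if the SP has never seen that certificate, "Validation of protocol message signature failed" is the expected outcome. The following is an added example, not the plugin's code or OpenSAML's, that does exactly that comparison by SHA-256 fingerprint of the DER bytes; the metadata, Response and certificate values are constructed placeholders (the "certificates" are just base64 blobs, since only the matching logic matters here).

```python
"""Added example (not from the thread): is the certificate an IdP used to sign a
Response one the SP trusts, i.e. listed as a signing key in the IdP metadata?"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder "certificates" (not real DER); only the comparison matters.
CERT_A = base64.b64encode(b"placeholder-signing-cert-A" * 4).decode()
CERT_B = base64.b64encode(b"placeholder-signing-cert-B" * 4).decode()

# Constructed IdP metadata: one signing KeyDescriptor holding CERT_A, PEM-style line breaks.
IDP_METADATA = f"""<md:EntityDescriptor entityID="http://idp.example/adfs/services/trust"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {CERT_A}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Response whose signature names CERT_B, which the metadata does not list.
RESPONSE_WITH_CERT = f"""<samlp:Response ID="_r1" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


def fingerprint(b64text):
    """SHA-256 over the DER bytes, after stripping the line breaks metadata tools add."""
    return hashlib.sha256(base64.b64decode("".join(b64text.split()))).hexdigest()


def trusted_signing_certs(metadata_xml):
    """Fingerprints of every certificate usable for signing. A KeyDescriptor with no
    'use' attribute is valid for both signing and encryption, so it counts too."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fps.add(fingerprint(cert.text))
    return fps


def response_signing_certs(response_xml):
    """Fingerprints of the certificates the Response's own Signature advertises."""
    root = ET.fromstring(response_xml)
    return {fingerprint(c.text)
            for c in root.findall("ds:Signature//ds:X509Certificate", NS)}


def signer_is_trusted(response_xml, metadata_xml):
    """True only if the Response names at least one cert and every cert it names
    is a signing cert from the metadata."""
    present = response_signing_certs(response_xml)
    return bool(present) and present <= trusted_signing_certs(metadata_xml)


if __name__ == "__main__":
    print("signer trusted:", signer_is_trusted(RESPONSE_WITH_CERT, IDP_METADATA))
```

This is a diagnostic, not a verification: the KeyInfo inside a message is attacker-controlled input, so a real SP must check the signature against the key from the metadata it trusts (OpenSAML does this on the Liferay side; in Python, libraries such as signxml or python-xmlsec can) and must never accept a certificate merely because it appears in the message. The check here tells you whether the metadata you loaded is even capable of verifying what the IdP sent, which is the first thing to establish when ADFS has rotated its signing certificate since the metadata was exported.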
Abhi R (Rank: New Member, Posts: 20, Join Date: December 18, 2013)
RE: Facing an issue with SSO implementation between Liferay and ADFS using
August 20, 2014 8:15 PM

Hi guys,

I'm using Liferay Portal Enterprise Edition 6.2.10 EE GA1 (Newton / Build 6210 / November 1, 2013) with the SAML plugin. My Liferay instance acts as an SP and ADFS as the IdP. The issue I have is that the metadata file generated does not have any NameID policy information. Below are the generated metadata file and the portal-ext.properties. Any ideas?

portal-ext.properties
saml.enabled=true
saml.role=sp
saml.entity.id=liferaysamlspdemo
saml.metadata.paths=${liferay.home}/data/FederationMetadata.xml
saml.sp.user.attribute.mappings=screenName=screenName\nemailAddress=emailAddress\nfirstName=firstName\nlastName=myCustomAttribute
saml.sp.metadata.name.id.format[https\://XXXXXXXX:8443]=urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.credential.password[liferaysamlspdemo]=liferay
saml.sp.default.idp.entity.id='http://XXXXXX/adfs/services/trust'
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.sp.session.keepalive.url=http://localhost:8080/c/portal/saml/idp/keepalive

metadata.xml
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="liferaysamlspdemo"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>9emGvqy5NWUuYWETTmQRHk5uwVc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>coxd3VRofeO8y/gDqvoqEaJAXWcZ8WRTi1Hnd7d52eUkeI9gDAi/lQ8zJVMFrcF1EaobDrpoT5fhwgGcZFhSE/CpkTlJQd0ApLfNUzUrQVvRySwZXRM3TH2evp72BUYIiKGnXNQBJGmc2Oh0z4778EG0BEUBb376crbaMcPuj6Dxc50keJCJypQ/zeHrkAKGy1iOQbKU6yJx+x0SOF2/6KbR4JCFK5agJsDKU29509sFYZEkRtyFe8XLDR2VGHcpL8CGv74JFpJxGdhEA2uWyYs2Dzb9lZqzjCnZhmh9cpuMP6scwP4HtRi+jHo9qqaX0iy9gCWWEkr6TFv7ayjh3Q==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>....
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<md:SPSSODescriptor AuthnRequestsSigned="false"
ID="liferaysamlspdemo" WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>....
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://XXXXXXXXXXXXXX:8443/c/portal/saml/slo_soap" />
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://XXXXXXXXXXXXXX:8443/c/portal/saml/acs"
index="1" isDefault="true" />
</md:SPSSODescriptor>
</md:EntityDescriptor>
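When generated SP metadata does not look like the properties it came from, the fastest triage is a mechanical cross-check of the two files. The following is an added example, not Liferay's code, that reads a portal-ext.properties fragment with the same shape as the one above (including the `\:` escape inside the bracketed key) and the generated metadata, and reports what a reviewer would want flagged: whether any md:NameIDFormat was emitted, which entity the name.id.format property is keyed on versus saml.entity.id, and whether the AuthnRequestsSigned / WantAssertionsSigned attributes agree with saml.sp.sign.authn.request / saml.sp.assertion.signature.required. That last mapping from property to metadata attribute is an assumption made for this example, as is the idea that the bracketed key is worth comparing with the entity ID; both files here are constructed samples with placeholder hosts.

```python
"""Added example (not from the thread): cross-check a generated SP metadata file
against the portal-ext.properties it was generated from."""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample with the same shape as the thread's properties (placeholder host).
PORTAL_EXT = r"""
saml.enabled=true
saml.role=sp
saml.entity.id=liferaysamlspdemo
saml.sp.metadata.name.id.format[https\://sp.example:8443]=urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
"""

# Constructed sample with the same shape as the thread's generated metadata (no NameIDFormat).
SP_METADATA = """<md:EntityDescriptor entityID="liferaysamlspdemo"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example:8443/c/portal/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_properties(text):
    """Minimal Java .properties reader: the first unescaped '=' splits key and
    value, backslash escapes in the key (e.g. '\\:') are removed, '#'/'!' lines
    are comments. Enough for portal-ext.properties, not a full implementation."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^((?:\\.|[^\\=])+)=(.*)$", line)
        if not m:
            continue
        key = re.sub(r"\\(.)", r"\1", m.group(1).strip())
        props[key] = m.group(2).strip()
    return props


# Assumption for this example: these property flags are what the plugin reflects
# into the corresponding SPSSODescriptor attributes.
FLAG_TO_ATTR = [
    ("saml.sp.sign.authn.request", "AuthnRequestsSigned"),
    ("saml.sp.assertion.signature.required", "WantAssertionsSigned"),
]


def lint_sp_metadata(properties_text, metadata_xml):
    """Return a list of human-readable findings (empty list means nothing to flag)."""
    props = parse_properties(properties_text)
    sp = ET.fromstring(metadata_xml).find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no md:SPSSODescriptor in metadata"]
    findings = []
    formats = [n.text.strip() for n in sp.findall("md:NameIDFormat", NS) if n.text]
    if not formats:
        findings.append("metadata has no md:NameIDFormat under SPSSODescriptor")
    entity_id = props.get("saml.entity.id")
    for key in props:
        m = re.match(r"saml\.sp\.metadata\.name\.id\.format\[(.+)\]$", key)
        if m and m.group(1) != entity_id:
            findings.append(f"name.id.format property is keyed on '{m.group(1)}' "
                            f"while saml.entity.id is '{entity_id}' (confirm the expected key)")
    for prop, attr in FLAG_TO_ATTR:
        want = props.get(prop, "false").lower()
        have = sp.get(attr, "false").lower()
        if want != have:
            findings.append(f"{prop}={want} but metadata {attr}={have}")
    return findings


if __name__ == "__main__":
    for finding in lint_sp_metadata(PORTAL_EXT, SP_METADATA):
        print("-", finding)
```

Run against the constructed pair it reports four findings: the missing NameIDFormat, the key/entity-ID difference, and both signing flags disagreeing with the metadata. Which of those is the actual cause in a given deployment is something the plugin's documentation for that version has to settle; the value of the check is that a regenerated metadata file can be diffed against intent in seconds rather than read by eye.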
Kapil Burange (Rank: New Member, Posts: 4, Join Date: September 4, 2014)
RE: Facing an issue with SSO implementation between Liferay and ADFS using
October 7, 2014 12:38 AM

Hi Mika,

We are using Liferay as IdP, and when we issue the SAML and try to log in on Salesforce it is successful.
But in the SAML response we are getting SAML2 as a prefix,
for example <saml2:Attribute>.
Ideally it should not create any issue, but our vendors don't want a prefix with attributes.
Is there a way to remove the prefix from the SAML response generated by the SAML 2.0 Plugin?

Thanks in advance.....
Parth N Vachhani (Rank: New Member, Posts: 6, Join Date: May 13, 2010)
RE: Facing an issue with SSO implementation between Liferay and ADFS using
October 7, 2014 11:52 PM

Hi Soumyajit,

I have a similar requirement to use Liferay as a Service Provider and ADFS as an IdP. Can you please help me if you were able to resolve the issue you have mentioned here?

Thanks in Advance.
- Parth