Forums

Using SAML authentication with existing IdP - user mapping issue?

Matthew Stevenson, modified 11 years ago.

Using SAML authentication with existing IdP - user mapping issue?

New Member, Posts: 12, Join date: 17.05.12
I am having some issues getting the SAML portlet provided with Liferay 6.1EE to work with our existing IdP.

First question: where is the official documentation for this portlet? I have only been able to find snippets of information in blog posts etc so far.

Specific issue:

I roughly followed the Service Provider part of this guide in order to get my Liferay development environment configured for SSO: http://blogs.xtivia.com/home/-/blogs/configuring-liferay-6-1-ee-as-saml-identity-provider-and-service-provider

I had to make a few tweaks to get it all working over SSL, but now the login process seems to be flowing properly - when I click “Sign In” I am redirected to the IdP login page, and when I authenticate correctly, I am returned to the Liferay site. The problem is that when I arrive back at the Liferay site, I am not logged in.

I assume this is because Liferay doesn't have enough information to know who I have authenticated as. How does Liferay work out which user I am logged in as? There is a line in the portal-ext.properties file like so:

saml.sp.user.attribute.mappings=

Do I need to pass something in here so that it can match my federated account up to an existing Liferay account, and if so, what?

Thanks,
Matt
Mika Koivisto, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Liferay Legend, Posts: 1519, Join date: 07.08.06
It's the name identifier that Liferay uses as the authenticated user. If it can't find the user in the Liferay database it will either try to import it from LDAP (if enabled) or use the attribute statements from the SAML assertion. If you use the email address for the NameID, the IdP needs to set the NameID format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress; anything else will be interpreted as screenName.

Here's a sample config for an SP with attribute mapping:

saml.enabled=true
saml.role=sp
saml.entity.id=liferaysamlspdemo
saml.require.ssl=false
saml.sign.metadata=true

saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.type=jks

saml.keystore.credential.password[liferaysamlspdemo]=liferay

saml.metadata.paths=http://alpha.test.com:8080/c/portal/saml/metadata
saml.sp.default.idp.entity.id=liferaysamlidpdemo

saml.sp.user.attribute.mappings=screenName=screenName\nemailAddress=emailAddress\nfirstName=firstName\nlastName=myCustomAttribute


Just out of curiosity what IdP are you using?

I would also like to hear what improvements you'd like to see in the next version of saml plugin.
Matthew Stevenson, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

New Member, Posts: 12, Join date: 17.05.12
Hi Mika,

My Liferay is set to use screenName, and my IdP (it's OpenAthens LA by the way) can send back an appropriate attribute called username, but if I put the following in portal-ext.properties, it still doesn't log me in:

saml.sp.user.attribute.mappings=screenName=username


I have checked the SAMLResponse, and the username attribute is definitely being passed through in there. How can I find out why it's not matching up the user?

Regarding future enhancements, I am sure that I will be able to come up with some, but because I'm not sure what the feature set of the current version is I can't do that just yet!
Matthew Stevenson, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

New Member, Posts: 12, Join date: 17.05.12
This is the only info in the console, I don't know if it helps:

12:27:08,367 ERROR [AutoLoginFilter:239] Current URL / generates exception: java.lang.NullPointerException
12:27:08,370 ERROR [AutoLoginFilter:239] Current URL / generates exception: java.lang.NullPointerException
12:27:17,989 INFO [SAMLProtocolMessageXMLSignatureSecurityPolicyRule:121] Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
12:27:18,160 ERROR [AutoLoginFilter:239] Current URL / generates exception: java.lang.NullPointerException
12:27:18,161 ERROR [AutoLoginFilter:239] Current URL / generates exception: java.lang.NullPointerException
Mika Koivisto, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Liferay Legend, Posts: 1519, Join date: 07.08.06
You should enable DEBUG level logging for org.opensaml; that way you can see what kind of SAML response it's actually sending.
Matthew Stevenson, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

New Member, Posts: 12, Join date: 17.05.12
Sorry Mika, I think I'm going to need a hand...

I've tried adding the line
org.opensaml = DEBUG

to the tomcat logging.properties, and have also tried the approach outlined here:
http://www.liferay.com/community/wiki/-/wiki/Main/How+to+configure+the+logs+in+Liferay

by deploying a jar containing META-INF/portal-log4j-ext.xml with the following contents:

<?xml version="1.0"?>

<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
	<category name="org.opensaml">
		<priority value="DEBUG" />
	</category>
</log4j:configuration>


Neither of these has resulted in anything extra coming through on the console though. Where do I need to enable this?
Mika Koivisto, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Liferay Legend, Posts: 1519, Join date: 07.08.06
Looks like the saml message is actually logged by org.apache.xml.security.utils.DigesterOutputStream. I usually just enable the logging from Control Panel -> Server Administration -> Log Levels or directly in the saml-portlet/WEB-INF/classes/log4j.properties and set the rootLogger to DEBUG.
Matthew Stevenson, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

New Member, Posts: 12, Join date: 17.05.12
I've made a bit more progress with this by attaching the source code and running in debug mode.

First problem was that Liferay was trying to trim an email address that it assumed would be present, and throwing a NullPointerException when it didn't find one (I wasn't passing the email address as an attribute, and in a SSO scenario I shouldn't need to but that's another topic!).

By passing email address as an attribute, it seems to be getting past this, but now I get a DuplicateUserScreenNameException. It appears that in the file SamlSpAutoLoginHook.java the attempt to set the user with:

user = UserLocalServiceUtil.getUserByScreenName(companyId, nameIdValue);


is failing, and it therefore attempts to create the user, at which point it finds out that the username already exists and throws the exception.

In the above call to getUserByScreenName, the nameIdValue is set to an unrecognizable string: IZLF_KzsEUIW_FXZsBzpCV6qyRBqFRDK which is different from the screenName taken from the attribute map. I don't know whether this is to be expected?
Matthew Stevenson, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

New Member, Posts: 12, Join date: 17.05.12
Mika,

A few issues I'm finding with the plugin:

In the SAMLResponse sent by my IDP, both of the following are present:


<saml:NameID NameQualifier="https://login.uea.ac.uk/entity" SPNameQualifier="samlspdemo" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">yDKHiOgNm_mKyAHAkz_TeIOlwdROFYfN</saml:NameID>

<saml:NameID NameQualifier="https://login.uea.ac.uk/entity" SPNameQualifier="samlspdemo" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">PpiUBF11Nak/b86AqJUQiAVs8xs=</saml:NameID>


The string that the SAML plugin is trying to search for existing users by (NameID) appears to be populated with the transient version, not the persistent one. The result is that if I try and log in as a new user (and pass all the required attributes), an account is generated on demand. However, because the transient NameID changes with each login, the next time I log in this ID has changed, and I don't get logged in to my newly created account. Instead, I get the DuplicateUserScreenNameException mentioned in the previous post.

Secondly, after an account has been auto-generated as mentioned, on login I am presented with the "change password" and "security question". For an SSO account, these don't really apply. Is there a way to make these screens not appear?

The main issue I think we are going to have though, is that our portal is already populated with users and we just want to switch on SAML authentication, matching up users by screenName. However, the plugin doesn't appear to be able to match up users like this, and instead assumes that they have been created via SAML and already have a matching NameID value stored against the user.

If you are able to help on these points I'd appreciate it.
Mika Koivisto, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Liferay Legend, Posts: 1519, Join date: 07.08.06
The SP implementation is currently very limited and only supports one NameID, which has to be either an emailAddress or a screenName, and it must not change between logins. It will use the assertion which has the subject confirmation method urn:oasis:names:tc:SAML:2.0:cm:bearer.

Can you post your full SAML response? Just X out any sensitive data. I'm interested to see if it's a bug or just a limitation that I can address in a future version.
Matthew Stevenson, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

New Member, Posts: 12, Join date: 17.05.12
Hi Mika,

I see. I think it's possibly a combination of bug and limitation in that case, but would like to hear your thoughts on it. I'm more than happy to work with you to fine-tune the SP's behaviour:

Bug because it's picking out a transient NameID rather than a persistent one.

Limitation in a couple of ways:
1. Because it is assuming that the NameID is populated with a screenName or email address, whereas most IdPs in the wild that I'm aware of (Shibboleth is used heavily in the education sector) populate these with "opaque" values that are non-identifiable as far as the user is concerned.

2. It would be better to be able to specify which attribute should be used as the persistent ID. E.g. with the way it's currently working, I would need to be able to specify the "username" attribute in the xml below as the screenName rather than it automatically picking out the persistent NameID value.

However, it would be preferable to use the persistent ID as the unique ID, and also have a way to match people up to existing accounts (if present) via a separately specified screenName/emailAddress attribute. The use case here is that if we have an existing Liferay DB (with people with screenNames), SAML sign-in can be enabled and their SAML persistentID is attached to their existing user account, and that is used to match them from then on. An attribute mapped to screenName would be used as a one-off to link the SAML ID to the existing Liferay user account. This way, if the screenName is not present as an attribute (e.g. if the SAML authentication has come from an IdP in a different organisation) we can create them a new guest account using only the SAML persistent ID. Internally I guess Liferay would have to set their screenName to be the persistentID (which is something that the user doesn't recognise as their username), but hopefully they won't need to see that.

Here's the full SAML Response (the "eduPerson" attributes are widely used in the education sector so that IdPs and SPs can interoperate with minimal configuration):

<?xml version="1.0" encoding="utf-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="tbs_ik0_nhHDXnN0NfEjNrwyGDg6Ur6l" IssueInstant="2012-05-24T08:18:21Z" Version="2.0" InResponseTo="_6582af87cd60059502faec6709055539f460e952" Destination="https://xxxxxxxxxxx:8443/c/portal/saml/acs">
	<saml:Issuer>https://login.uea.ac.uk/entity</saml:Issuer>
	<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
		<ds:SignedInfo>
			<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
			<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
			<ds:Reference URI="#tbs_ik0_nhHDXnN0NfEjNrwyGDg6Ur6l">
				<ds:Transforms>
					<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
					<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
				</ds:Transforms>
				<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
				<ds:DigestValue>Jmd7VJsgsshQA1tFBxoHiggVVMs=</ds:DigestValue>
			</ds:Reference>
		</ds:SignedInfo>
		<ds:SignatureValue>DvNcc2RjSL0hfh9mMJ5Cc04IjE7OGgvv0UuT+trd70AszYwgrVrRWttet6esWizj
xq5CbPc6DJ7Wie64mzeWreQuJ0uwAWWtS25ufhVsG0WqAcvSePiIx3s9GWWV+8z6
s0jn1rK4T6Q3iPj768sliwXIdsS+jQ95xhDXfBZ2LGs7+94uA2cz1SGNVFd1p+8/
DkopziHosmxc7/DC2hEjw/rpl6AZKVueWRqxjBuVjzh2qzNffrudAeH0d/ex5Vv0
E5haHllnVn/G7eEBA9iygHFDaMMbFpJv+bL8xUUFLii8Z5gE9Yi6C8JoaN7mc9dg
QiFp2Tlyv9Od8cr2wjQ6AQ==</ds:SignatureValue>
		<ds:KeyInfo>
			<ds:X509Data>
				<ds:X509Certificate>MIIDoDCCAoigAwIBAgIJAIuKNtoJUQjXMA0GCSqGSIb3DQEBBQUAMD4xIjAgBgNV...</ds:X509Certificate>
			</ds:X509Data>
		</ds:KeyInfo>
	</ds:Signature>
	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
	</samlp:Status>
	<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="SgNnSkV9Bfo4Q4SGgiKXRYELurf93e66" IssueInstant="2012-05-24T08:18:21Z" Version="2.0">
		<saml:Issuer>https://login.uea.ac.uk/entity</saml:Issuer>
		<saml:Subject>
			<saml:NameID NameQualifier="https://login.uea.ac.uk/entity" SPNameQualifier="samlspdemo" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">DwbzSlmx76O0Vu760_P0DDd4krmbKv4d</saml:NameID>
			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<saml:SubjectConfirmationData Recipient="https://xxxxxxxxxxxxx:8443/c/portal/saml/acs" NotOnOrAfter="2012-05-24T08:23:21Z" />
			</saml:SubjectConfirmation>
		</saml:Subject>
		<saml:Conditions NotBefore="2012-05-24T08:13:21Z" NotOnOrAfter="2012-05-24T08:23:21Z">
			<saml:AudienceRestriction>
				<saml:Audience>samlspdemo</saml:Audience>
			</saml:AudienceRestriction>
		</saml:Conditions>
		<saml:AuthnStatement AuthnInstant="2012-05-24T08:17:01Z" SessionIndex="8b0921a0ec8123efb059e1dae8d1b3e0adc32227">
			<saml:SubjectLocality Address="xxx.xxx.xxx.xxx" />
			<saml:AuthnContext>
				<saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextDeclRef>
			</saml:AuthnContext>
		</saml:AuthnStatement>
		<saml:AttributeStatement>
			<saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue>xxxxxxxxxxx</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue>xxxxxxxxxx</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="forename" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue>xxxxxxxxx</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonTargetedID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue>PpiUBF11Nak/b86AqJUQiAVs8xs=</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue>
					<saml:NameID NameQualifier="https://login.uea.ac.uk/entity" SPNameQualifier="samlspdemo" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">PpiUBF11Nak/b86AqJUQiAVs8xs=</saml:NameID>
				</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue>member</saml:AttributeValue>
				<saml:AttributeValue>employee</saml:AttributeValue>
				<saml:AttributeValue>staff</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="eduPersonScopedAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue>member@uea.ac.uk</saml:AttributeValue>
				<saml:AttributeValue>employee@uea.ac.uk</saml:AttributeValue>
				<saml:AttributeValue>staff@uea.ac.uk</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue>xxxxxxxxxxxx</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue>member@uea.ac.uk</saml:AttributeValue>
				<saml:AttributeValue>employee@uea.ac.uk</saml:AttributeValue>
				<saml:AttributeValue>staff@uea.ac.uk</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue>member@uea.ac.uk</saml:AttributeValue>
				<saml:AttributeValue>employee@uea.ac.uk</saml:AttributeValue>
				<saml:AttributeValue>staff@uea.ac.uk</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue>member</saml:AttributeValue>
				<saml:AttributeValue>employee</saml:AttributeValue>
				<saml:AttributeValue>staff</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="eduPersonTargetedID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue>PpiUBF11Nak/b86AqJUQiAVs8xs=</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue>member</saml:AttributeValue>
				<saml:AttributeValue>employee</saml:AttributeValue>
				<saml:AttributeValue>staff</saml:AttributeValue>
			</saml:Attribute>
		</saml:AttributeStatement>
	</saml:Assertion>
</samlp:Response>
Mika Koivisto, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Liferay Legend, Posts: 1519, Join date: 07.08.06
Ahaa. I see what the issue is. Your Subject contains the transient value and that's what we use. There's currently no support for picking up the principal name from SAML attributes. I'm planning on adding that feature for the next major version of SAML plugin but in the mean time you can modify SamlSpAutoLoginHook class to dig the NameID from the attributes instead of using the one that's taken from subject.
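Mika's diagnosis and his earlier NameID rule, worked through in code. This is an added example for the thread, not Liferay's SamlSpAutoLoginHook or any other code from the plugin: it parses a constructed Response modelled on the one Matthew posted (the X'd-out values are replaced with made-up ones; `jdoe`, `example.ac.uk`, the `samlspdemo` audience and the fixed clock `NOW` are assumptions), selects the assertion confirmed with the bearer method and checks its Conditions, applies the rule from Mika's first reply (emailAddress format means an email lookup, any other format means screenName), parses a `saml.sp.user.attribute.mappings` value in the `\n`-separated form shown in the sample config, and, when the Subject NameID is transient, falls back to a configured attribute such as `username` or the persistent NameID carried inside eduPersonTargetedID. Signature verification is assumed to have already happened; the code does no cryptography.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID, as in the posted response


def parse_mappings(prop):
    """saml.sp.user.attribute.mappings value (entries separated by a literal \\n
    in portal-ext.properties) -> {liferayField: samlAttributeName}."""
    out = {}
    for line in prop.replace("\\n", "\n").splitlines():
        if "=" in line:
            field, attr = line.split("=", 1)
            out[field.strip()] = attr.strip()
    return out


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00")) if s else None


def bearer_assertion(root, audience, now):
    """First assertion confirmed with the bearer method whose Conditions
    (validity window and AudienceRestriction) hold at `now`."""
    for a in root.findall("saml:Assertion", NS):
        methods = [sc.get("Method") for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS)]
        if CM_BEARER not in methods:
            continue
        cond = a.find("saml:Conditions", NS)
        if cond is not None:
            nb, noa = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
            if (nb and now < nb) or (noa and now >= noa):
                continue
            auds = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
            if auds and audience not in auds:
                continue
        return a
    return None


def attributes(assertion):
    """Attribute Name -> values; a NameID nested in an AttributeValue (the way
    eduPersonTargetedID is sent) yields the NameID text."""
    attrs = {}
    for att in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        vals = []
        for v in att.findall("saml:AttributeValue", NS):
            nid = v.find("saml:NameID", NS)
            vals.append((nid.text if nid is not None else v.text or "").strip())
        attrs[att.get("Name")] = vals
    return attrs


def resolve_principal(response_xml, audience, now, mappings, fallback_attr=None):
    """Which Liferay field to look the user up by, and with what value."""
    root = ET.fromstring(response_xml)
    a = bearer_assertion(root, audience, now)
    if a is None:
        return {"error": "no valid bearer assertion"}
    attrs = attributes(a)
    mapped = {field: (attrs.get(name) or [None])[0] for field, name in mappings.items()}
    nid = a.find("saml:Subject/saml:NameID", NS)
    fmt = nid.get("Format", "") if nid is not None else ""
    if nid is None or fmt == FMT_TRANSIENT:
        # A transient NameID changes on every login and can never match a stored user.
        if not fallback_attr or not attrs.get(fallback_attr):
            return {"error": "transient NameID and no fallback attribute", "attributes": mapped}
        return {"lookup": "screenName", "value": attrs[fallback_attr][0],
                "source": fallback_attr, "attributes": mapped}
    key = "emailAddress" if fmt == FMT_EMAIL else "screenName"  # the rule from Mika's first reply
    return {"lookup": key, "value": (nid.text or "").strip(), "source": "NameID", "attributes": mapped}


# Constructed fixture modelled on the posted Response; user, domain, audience and clock are made up.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Issuer>https://idp.example/entity</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-05-24T08:18:21Z">
  <saml:Issuer>https://idp.example/entity</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">DwbzSlmx76O0Vu760_P0DDd4krmbKv4d</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2012-05-24T08:23:21Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-05-24T08:13:21Z" NotOnOrAfter="2012-05-24T08:23:21Z">
   <saml:AudienceRestriction><saml:Audience>samlspdemo</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.ac.uk</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"><saml:AttributeValue>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">PpiUBF11Nak/b86AqJUQiAVs8xs=</saml:NameID>
   </saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
NOW = datetime(2012, 5, 24, 8, 18, 30, tzinfo=timezone.utc)
MAPPINGS = parse_mappings("screenName=username\\nemailAddress=mail")

if __name__ == "__main__":
    print(resolve_principal(SAMPLE, "samlspdemo", NOW, MAPPINGS))  # transient NameID, no fallback: error
    print(resolve_principal(SAMPLE, "samlspdemo", NOW, MAPPINGS, fallback_attr="username"))
    print(resolve_principal(SAMPLE, "samlspdemo", NOW, MAPPINGS, fallback_attr=EPTID_OID))
```

Without a fallback the transient NameID produces an error rather than a lookup, which is the behaviour that led to the DuplicateUserScreenNameException in the thread: a value that never matches triggers user creation. With `username` as the fallback the lookup is by screenName; with the eduPersonTargetedID OID the value is the stable opaque identifier, which is what Matthew proposes storing against the account.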
Chris Mount, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

New Member, Posts: 11, Join date: 06.04.12
Hey Mika and Matthew, thanks so much for this dialog. The timeliness could not be more perfect. I was having the same problem and was able to modify the SamlSpAutoLoginHook class to get the NameID to populate from the SAML attributes. If this makes sense, in my situation I believe it is a federal requirement that only persistent, transient, or unspecified are used, so when I specify unspecified as the format, in our case the NameID field was populated with an email address, but that gets interpreted as the screenName. Our login is set to screenName, which is mapped to an LDAP user id attribute. So in short the code change I made allowed me to specify via a property setting what attribute to authenticate by.
Matthew Stevenson, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

New Member, Posts: 12, Join date: 17.05.12
Hi, I've done something similar - making it pick out the nameIdValue from an attribute, which seems to be working.

I still haven't managed to work out the cause of the errors which occur on every page request:
09:26:01,785 ERROR [AutoLoginFilter:239] Current URL / generates exception: java.lang.NullPointerException
09:26:03,585 ERROR [AutoLoginFilter:239] Current URL /web/guest/home generates exception: java.lang.NullPointerException


Do you get these errors too?

Mika, does the SAML portlet insert itself into the Authentication Pipeline, or only the auto-login filter? The reason I ask is that I have also set up Facebook authentication, and when I click on the Facebook icon in the login portlet, I can authenticate at Facebook, but then Liferay redirects me to the SAML IdP. If I then press the back button in the browser, I find that I am logged into the portal ok (using my Facebook account).

I'm not sure why I'm ending up at the SAML IdP after clicking the Facebook login page - any ideas?
Matthew Stevenson, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

New Member, Posts: 12, Join date: 17.05.12
Don't worry about the error lines - I've found the cause (my fault), just happened to be the same error that I was getting at the beginning, but the cause was different then.

Query about the Auth Pipeline still applies though.
Mika Koivisto, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Liferay Legend, Posts: 1519, Join date: 07.08.06
SAML SP doesn't work with the other authentication mechanisms but that is something I have in the roadmap.
Matthew Stevenson, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

New Member, Posts: 12, Join date: 17.05.12
Ah ok, I think this should be quite high on the list of enhancement priorities.

Do you know what the timescales are for including some of these extra features?

In our scenario, we are looking for SAML authentication for our internal users, but to allow guests to log in via facebook, OpenID or other SAML IdP etc. I would like to know what you think is the best way of altering the sign-in process to allow this. In particular, if someone visits a private page (e.g. intranet), we would like to attempt to detect if someone is on an internal IP address and if so attempt a SAML autologin. If that fails, then we should present them with a screen where they can choose which authentication method to use. I was thinking of writing a replacement AutoLogin filter to achieve this, but because you would end up requiring user input (choose auth method) I'm not sure this is the best thing to do. Any thoughts?

Thanks,
Matt
Oleg Cohen, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

New Member, Posts: 3, Join date: 28.01.13
Matthew Stevenson:
Ah ok, I think this should be quite high on the list of enhancement priorities.

Do you know what the timescales are for including some of these extra features?

In our scenario, we are looking for SAML authentication for our internal users, but to allow guests to log in via facebook, OpenID or other SAML IdP etc. I would like to know what you think is the best way of altering the sign-in process to allow this. In particular, if someone visits a private page (e.g. intranet), we would like to attempt to detect if someone is on an internal IP address and if so attempt a SAML autologin. If that fails, then we should present them with a screen where they can choose which authentication method to use. I was thinking of writing a replacement AutoLogin filter to achieve this, but because you would end up requiring user input (choose auth method) I'm not sure this is the best thing to do. Any thoughts?

Thanks,
Matt
The AssureBridge Liferay connector works as a service with our Unified Authentication Gateway to allow guests to log in via Facebook, OpenID, SAML IdP, WS-Federation, LDAP, Active Directory or any combination. The gateway will present a screen allowing the user to automatically pick the authentication method they would like to use.

Thanks,

Oleg
Dave Pierovich, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member, Posts: 26, Join date: 30.06.09
I am configuring the SAML 2 plugin as an SP and attempting to use it with a Shibboleth IDP. So far, I've got a working config on the plugin where it is able to load and refer an AuthnRequest to Shibboleth, where the login actually happens. The Shibboleth IDP then generates a SAML response as follows after successful login:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="http://xxxxxxxxxxxxxxx.com:8080/c/portal/saml/acs"
ID="_50f9ae953638fbc3c970f3ad9585d35b"
InResponseTo="_80f0ebd4e2061df90ebe7e6d3a8298591042bb5e"
IssueInstant="2012-10-16T17:30:55.867Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>lrhddev.hdna.hunterdouglas.com</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_3018ef5505b30baa32dc64fb063d7783"
IssueInstant="2012-10-16T17:30:55.867Z"
Version="2.0"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">xxxxxxxxxxxxxxx.com</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_3018ef5505b30baa32dc64fb063d7783">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NameQualifier="xxxxxxxxxxxxxxx.com"
SPNameQualifier="xxxxxxxxxxxxxxx.com"
>MyUserName</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="172.31.6.23"
InResponseTo="_80f0ebd4e2061df90ebe7e6d3a8298591042bb5e"
NotOnOrAfter="2012-10-16T17:35:55.867Z"
Recipient="http://portal.xxxxxxxxxxxxxxx.com:8080/c/portal/saml/acs"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>

<saml2:Conditions NotBefore="2012-10-16T17:30:55.867Z"
NotOnOrAfter="2012-10-16T17:35:55.867Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>xxxxxxxxxxxxxxx.com</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2012-10-16T17:30:55.463Z"
SessionIndex="15e62d8afa22592858f7deb4a140773b1b322a04eebf05e9eede3f9df3d37bc6"
>
<saml2:SubjectLocality Address="172.31.6.23" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>

This looks to be a properly formatted SAML response, but instead of doing the auto-login as expected, the SAML 2 plugin throws the following errors:

12:29:44,360 INFO [http-bio-8080-exec-9][AbstractReloadingMetadataProvider:122] New metadata succesfully loaded for '/usr/local/liferay/data/saml/idp-metadata.xml'
12:29:44,360 INFO [http-bio-8080-exec-9][AbstractReloadingMetadataProvider:142] Next refresh cycle for metadata provider '/usr/local/liferay/data/saml/idp-metadata.xml' will occur on '2012-10-16T15:29:44.348Z' ('2012-10-16T15:29:44.348Z' local time)
12:29:51,492 INFO [http-bio-8080-exec-9][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:114] SAML protocol message was not signed, skipping XML signature processing
12:29:51,492 ERROR [http-bio-8080-exec-9][MandatoryAuthenticatedMessageRule:76] Inbound message issuer was not authenticated.
12:29:51,567 ERROR [http-bio-8080-exec-9][status_jsp:665] com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
at com.liferay.saml.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:149)
at com.liferay.saml.profile.WebSsoProfileUtil.processResponse(WebSsoProfileUtil.java:43)
at com.liferay.saml.hook.action.AssertionConsumerServiceAction.execute(AssertionConsumerServiceAction.java:40)
...
Caused by: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
at org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule.evaluate(MandatoryAuthenticatedMessageRule.java:38)
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:73)
at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:385)
at com.liferay.saml.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:139)
... 90 more

What is the plugin expecting to validate the AuthnRequest was successful, does it not use message status <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />? What am I missing?

Is there any way to correct this seemingly odd behavior?
Mika Koivisto, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Liferay Legend, Posts: 1519, Join date: 07.08.06
The following lines say it all. The SAML message wasn't signed by your IdP. Do you have signing keys in the SAML metadata on both sides?

12:29:51,492 INFO [http-bio-8080-exec-9][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:114] SAML protocol message was not signed, skipping XML signature processing
12:29:51,492 ERROR [http-bio-8080-exec-9][MandatoryAuthenticatedMessageRule:76] Inbound message issuer was not authenticated.
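The order of the two log lines Mika quotes is the whole point: the SP has to authenticate the issuer before it looks at anything else, and for a Response delivered over HTTP-POST that means a signature on the protocol message whose key appears in the IdP metadata. The Success StatusCode Dave asks about is only evaluated after that step. Note also that in the Response Dave posted the ds:Signature sits inside the Assertion, while the rule that logged ("SAML protocol message was not signed") is about the protocol message, i.e. the Response element itself. The following is an added example, not Liferay or OpenSAML code: on constructed fixtures it locates which elements carry an enveloped signature (a ds:Signature whose Reference URI is the element's own ID), checks the signing certificate against the metadata's signing KeyDescriptor, and only then reads the status. The certificate and signature values are placeholders and nothing is verified cryptographically; OpenSAML does that in the real plugin.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _b64(s):
    return "".join((s or "").split())  # ignore the line wrapping of base64 blobs


def signed_elements(response_xml):
    """ID -> signing certificate for the Response and each Assertion that carries
    an enveloped ds:Signature whose Reference URI is the element's own ID."""
    root = ET.fromstring(response_xml)
    signed = {}
    for el in [root] + root.findall("saml:Assertion", NS):
        sig = el.find("ds:Signature", NS)
        if sig is None:
            continue
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + (el.get("ID") or ""):
            continue  # signature present but it does not cover this element
        cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        signed[el.get("ID")] = _b64(cert.text if cert is not None else "")
    return signed


def idp_signing_certs(metadata_xml):
    """Certificates the IdP metadata publishes for signing (no 'use' means both)."""
    md = ET.fromstring(metadata_xml)
    return {_b64(c.text)
            for kd in md.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS)
            if kd.get("use") in (None, "signing")
            for c in kd.findall(".//ds:X509Certificate", NS)}


def issuer_authenticated(response_xml, metadata_xml):
    """Same order as the logged rules: protocol-message signature and issuer
    authentication first, status last. Returns (ok, reason)."""
    root = ET.fromstring(response_xml)
    signed = signed_elements(response_xml)
    if root.get("ID") not in signed:
        where = "assertion only" if signed else "nothing"
        return False, f"protocol message not signed ({where} signed); issuer not authenticated"
    if signed[root.get("ID")] not in idp_signing_certs(metadata_xml):
        return False, "protocol message signed, but not by a key in the IdP metadata"
    sc = root.find("samlp:Status/samlp:StatusCode", NS)
    if sc is None or sc.get("Value") != SUCCESS:
        return False, "issuer authenticated, but status is not Success"
    return True, "ok"


# Constructed fixtures. Certificate and signature values are placeholders, not real
# DER or RSA output; nothing here verifies them cryptographically.
TRUSTED_CERT = "MIIC-PLACEHOLDER-TRUSTED"
OTHER_CERT = "MIIC-PLACEHOLDER-OTHER"
METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example/entity">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{TRUSTED_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _sig(target_id, cert):
    return f"""<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:Reference URI="#{target_id}"/></ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature>"""


def make_response(sign_response=False, sign_assertion=False, cert=TRUSTED_CERT):
    """A Response shaped like the ones in the thread, with the signature on the
    Response, on the Assertion, on both, or on neither."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example/entity</saml:Issuer>
  {_sig("_r1", cert) if sign_response else ""}
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example/entity</saml:Issuer>
    {_sig("_a1", cert) if sign_assertion else ""}
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for kw in ({}, {"sign_assertion": True}, {"sign_response": True}, {"sign_response": True, "cert": OTHER_CERT}):
        print(kw, issuer_authenticated(make_response(**kw), METADATA))
```

The assertion-only case reproduces Dave's situation: a Success status and a signature are both present, yet the protocol message is unsigned, so the issuer is never authenticated and the status is never consulted. Turning on response signing at the IdP, as Dave did next, is what moves the check past this rule.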
Dave Pierovich, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member, Posts: 26, Join date: 30.06.09
Yes, signing keys are in the metadata on both sides. I have signing and encryption for assertions and responses configured off while I'm getting the wires connected. Is this a requirement for SAML 2?
Dave Pierovich, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Beiträge: 26 Beitrittsdatum: 30.06.09 Neueste Beiträge
Hi Mika - I reconfigured to turn on signing. There is a new exception as follows:

12:59:49,067 INFO [http-bio-8080-exec-8][AbstractReloadingMetadataProvider:122] New metadata succesfully loaded for '/usr/local/liferay/data/saml/idp-metadata.xml'
12:59:49,068 INFO [http-bio-8080-exec-8][AbstractReloadingMetadataProvider:142] Next refresh cycle for metadata provider '/usr/local/liferay/data/saml/idp-metadata.xml' will occur on '2012-10-17T15:59:49.053Z' ('2012-10-17T15:59:49.053Z' local time)
14:31:04,913 INFO [http-bio-8080-exec-4][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:122] Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
14:31:04,985 ERROR [http-bio-8080-exec-4][status_jsp:665] com.liferay.saml.SamlException: java.lang.NullPointerException
com.liferay.saml.SamlException: java.lang.NullPointerException
at com.liferay.saml.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:149)
at com.liferay.saml.profile.WebSsoProfileUtil.processResponse(WebSsoProfileUtil.java:43)
at com.liferay.saml.hook.action.AssertionConsumerServiceAction.execute(AssertionConsumerServiceAction.java:40)
at com.liferay.portal.kernel.struts.BaseStrutsAction.execute(BaseStrutsAction.java:37)
...
Caused by: java.lang.NullPointerException
at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:78)
at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:385)
at com.liferay.saml.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:139)
... 90 more


========================================================
The SAML response sent by the IDP is now ...
========================================================

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="http://xxxxxxxxxxxxxxx.com:8080/c/portal/saml/acs"
ID="_b5c69b6bedf58f73571e53f85439cbfa"
InResponseTo="_82d39866bf10d4e4d8c838414aacf49d28bd75df"
IssueInstant="2012-10-17T14:31:02.299Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>xxxxxxxxxxxxxxx.com</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_b5c69b6bedf58f73571e53f85439cbfa">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>6rrN2p0+UvtBnZ00mbSYYrnSs4g=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxxxxxxxxxxxxxx</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>xxxxxxxxxxxxxxx</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_0c3dd04927a71c506c62f6652cd46889"
IssueInstant="2012-10-17T14:31:02.299Z"
Version="2.0"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">lrhddev.hdna.hunterdouglas.com</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_0c3dd04927a71c506c62f6652cd46889">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>7xgYDDZgvDRZupVMURtBZM5iTa0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxxxxxxxxxxxxxx</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>xxxxxxxxxxxxxxx</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NameQualifier="xxxxxxxxxxxxxxx.com"
SPNameQualifier="xxxxxxxxxxxxxxx.com"
>DAPIEROV</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="172.31.6.23"
InResponseTo="_82d39866bf10d4e4d8c838414aacf49d28bd75df"
NotOnOrAfter="2012-10-17T14:36:02.299Z"
Recipient="http://lrhddev.hdna.hunterdouglas.com:8080/c/portal/saml/acs"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2012-10-17T14:31:02.299Z"
NotOnOrAfter="2012-10-17T14:36:02.299Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>xxxxxxxxxxxxxxx.com</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2012-10-17T14:31:02.142Z"
SessionIndex="f5c15dcd8e565c7497925fdd373e0cdc8e35b8412ea4c140385ae38935750ce2"
>
<saml2:SubjectLocality Address="172.31.6.23" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
Mika Koivisto, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Liferay Legend Posts: 1519 Joined: 07.08.06
The NullPointerException is coming because it can't resolve the peer metadata. I would assume that your SP doesn't have the metadata of your IDP or the entity id doesn't match the one that's on the SAML Response. You should enable debug logging for the opensaml library in the saml plugin and that'll probably help you figure out what's wrong with your configuration.
Dave Pierovich, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 26 Joined: 30.06.09
Hi Mika, Thanks for the info.

The SAML plugin is definitely configured to have access to the IDP's metadata (saml.metadata.paths=/usr/local/liferay/data/saml/idp-metadata.xml), so that should be OK.

On Entity ID ...
The Shibboleth IDP is configured for SP/Liferay with its own relying party, attribute filter, and attribute resolver setup. This allows me to tailor the response specifically to the needs of the SP/Liferay requests. I reference the SP's credentials for signing responses to the SP, so the Entity IDs for the issuer and signing are the same, and the SP definitely has the credentials to read it.

I've also tried using the IDP's credentials to sign the response, but it yields the same result.

Which party's credential is the SAML plugin expecting the response to be signed by, its own or the IDP's? Also, where can I access the source for the project? I looked on the Liferay SVN but couldn't find it. It may be necessary for me to "tweak" the code to make it work with Shibboleth, so I'd like to start looking into the code if possible.

The SAML response is below.
========================================================================================
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="http://svrName.xxxxxxxxxxxxxxx.com:8080/c/portal/saml/acs"
ID="_6650205f8809826a2fa499130c38cf30"
InResponseTo="_1bd4c307bb12e48f0429fe98300e6e7cd5ae72a7"
IssueInstant="2012-10-18T22:54:44.008Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>svrName.xxxxxxxxxxxxxxx.com.com</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_6650205f8809826a2fa499130c38cf30">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>212ycFy0YqX1N/Djw1kuFdKBEsc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxxxxxxxxxxxxxx</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>xxxxxxxxxxxxxxx</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_6d5ab9acdd8c44a1b4a38c662a368c66"
IssueInstant="2012-10-18T22:54:44.008Z"
Version="2.0"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">svrName.xxxxxxxxxxxxxxx.com</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NameQualifier="svrName.xxxxxxxxxxxxxxx.com"
SPNameQualifier="svrName.xxxxxxxxxxxxxxx.com"
>dave.pierovich@hd-assets.info</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="172.31.6.23"
InResponseTo="_1bd4c307bb12e48f0429fe98300e6e7cd5ae72a7"
NotOnOrAfter="2012-10-18T22:59:44.008Z"
Recipient="http://svrName.xxxxxxxxxxxxxxx.com:8080/c/portal/saml/acs"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2012-10-18T22:54:44.008Z"
NotOnOrAfter="2012-10-18T22:59:44.008Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>svrName.xxxxxxxxxxxxxxx.com</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2012-10-18T22:54:43.859Z"
SessionIndex="8320f72c6a653c5a8e42225dfb8d17a1b65375948fa540d2b19bc212ba94ba23"
>
<saml2:SubjectLocality Address="172.31.6.23" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
Dave Pierovich, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 26 Joined: 30.06.09
Hi Mika,
Thanks for your patience and help in working through this. I finally got the SP to function properly with the Shibboleth IDP and login is working well. It's definitely doable, but I gotta say it would have been a whole lot easier if there were documentation available. The forum posts helped to a point, but aren't really a replacement. While I've been working through getting this configured, I've roughed out some documentation that describes all the things on both sides that needed to be configured for the process to work. Is this something you'd be interested in?

Also, at the moment, the only way to kick off the Shibboleth IDP based login is to click the Sign In link typically found in the default theme in the upper right corner of the screen. Does the SAML plugin provide for an auto-redirect to the same URL if the user is not authenticated and has no SAML authn response or is this something I'd need do? I ask because we're not using the default theme and the link doesn't exist.

Best Regards,
Dave
Mika Koivisto, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Liferay Legend Posts: 1519 Joined: 07.08.06
I'm glad you've gotten it working. Yeah, documentation is a must and our documentation team is working on it.

The SP will kick off the SAML authentication whenever you access /c/portal/login. That's usually when you click the login link or try to access a document that's not viewable by guest or you try to access any private pages.
Hemant Kumar Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
Hi,

I am trying to connect to ADFS (IdP) with Liferay as SP. I have followed the steps as per the below URL,
http://blogs.xtivia.com/home/-/blogs/configuring-liferay-6-1-ee-as-saml-identity-provider-and-service-provider
but I am getting the below error,

Caused by: org.opensaml.ws.message.encoder.MessageEncodingException: The signing credential's algorithm URI could not be derived
at org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder.getSignatureAlgorithmURI(HTTPRedirectDeflateEncoder.java:223)
at org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder.buildRedirectURL(HTTPRedirectDeflateEncoder.java:188)
at org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder.doEncode(HTTPRedirectDeflateEncoder.java:104)
at org.opensaml.ws.message.encoder.BaseMessageEncoder.encode(BaseMessageEncoder.java:52)
at com.liferay.saml.profile.BaseProfile.sendSamlMessage(BaseProfile.java:232)
... 55 more
Can anyone help me on this?

Thanks
Hemant
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
Hi Mika,

Can you please help me on this?
Peter J Shields, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 26 Joined: 30.06.09
Did you share certificate info between the SP and IDP?
Mika Koivisto, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Liferay Legend Posts: 1519 Joined: 07.08.06
There's a problem with your configuration. Make sure your IdP metadata has the signing certificate.
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
I followed the below steps,

I created
keytool -genkey -alias samlsp -keystore keystoresp.jks -keyalg RSA -validity 360 -keysize 2048
I did not import the certificate from the IdP.

Now when I click on the Sign In button it goes to the ADFS login page, but after giving user/pwd it is NOT redirecting to the Portal?

Do I need to share certificate info while generating the keystore at the SP?

Thanks
Hemant
Peter J Shields, modified 10 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: Using SAML authentication wit

Junior Member Posts: 26 Joined: 30.06.09
It will depend on what you have configured on the IDP side. Usually, both sides of the AUTHN request (IDP and SP) must be configured for how they communicate, and both sides should have the public key shared with the servers they communicate with. By default, servers communicate using PKI. Without the keys being shared, Liferay cannot decrypt the response to get the user principal and auto-log them in. If you configured this to not use encryption (you shouldn't) then shared keys are not necessary.

-Pete
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
Thanks Peter for the info.

Now I am getting the below error after logging in through ADFS

An error occurred while accessing the requested resource.

https://dld04cappgeh:8443/c/portal/saml/acs

Thanks
Hemant
Peter J Shields, modified 10 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: Using SAML authentication wit

Junior Member Posts: 26 Joined: 30.06.09
Hemant,

Since I have no idea what you've set up and how it's configured it's impossible for me to help you further. What plugin are you using on the Liferay side to enable SAML interactions? How is it configured? What version of EE are you running, 6.0 or 6.1?

Regards,

Pete
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
I am using Liferay 6.1 GA2 and the plugin saml-portlet-6.1.20.1-ee-ga2-20120731110418084. I have configured it as per the below steps,
http://blogs.xtivia.com/home/-/blogs/configuring-liferay-6-1-ee-as-saml-identity-provider-and-service-provider

More Info:
When I click on sign in it redirects to the ADFS login, and when I give user name and password it redirects to /c/portal/saml/acs.
I am using the same user name and password for Liferay Portal as well as ADFS.

Thanks
Hemant
Peter J Shields, modified 10 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: Using SAML authentication wit

Junior Member Posts: 26 Joined: 30.06.09
You've given me little new information and you still haven't provided YOUR configuration. I don't see any value in reading what Xtivia posted, as it isn't the same as your configuration and that's where your problem is. Without your configuration I can't help you.

-pete
Hemant Behera, modified 10 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: Using SAML authentication wit

Junior Member Posts: 36 Joined: 01.12.09
Now I am getting the below error,
com.liferay.saml.SamlException: Assertion failed urn:oasis:names:tc:SAML:2.0:status:Requester

Can anyone help me out.

Thanks
Hemant
Peter J Shields, modified 10 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: [Liferay Forums][6. Portal Fr

Junior Member Posts: 26 Joined: 30.06.09
Without your settings how are we supposed to help? We have no idea what you've set so we can't help you fix it.

-pete
Mika Koivisto, modified 10 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: Using SAML authentication wit

Liferay Legend Posts: 1519 Joined: 07.08.06
That error tells me that ADFS rejected the AuthnRequest, so you need to dig through its logs to see why.
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
Thanks Mike for the response.

Here are the logs,

<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"></samlp:StatusCode></samlp:StatusCode></samlp:Status></samlp:Response>
13:52:43,060 DEBUG [Reference:?] Verification successful for URI "#_ed1bab1e-e1b6-47db-b26d-811282c74625"
13:52:43,061 DEBUG [Manifest:?] The Reference has Type
13:52:43,061 INFO [http-bio-8443-exec-3][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:122] Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
13:52:43,133 ERROR [http-bio-8443-exec-3][status_jsp:665] com.liferay.saml.SamlException: Assertion failed urn:oasis:names:tc:SAML:2.0:status:Requester
com.liferay.saml.SamlException: Assertion failed urn:oasis:names:tc:SAML:2.0:status:Requester
at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:398)

I am suspecting nameid-format is incorrect at Idp side.

Your quick help is highly appreciated.

Thanks
Hemant
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
Do we need to set the below property
saml.sp.name.id.format in the portal-ext.properties file? As I know, by default it sends emailAddress. Please correct me if I am wrong.

Thanks
Hemant
Mika Koivisto, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Liferay Legend Posts: 1519 Joined: 07.08.06
No need to set it unless you want something else than emailAddress.
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
Hi Mika,
Any idea, what would be root cause of this issue?
Please refer to the above error logs.

Thanks
Hemant
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
Hi Mika,

As I can see, the error is InvalidNameIDPolicy.
Does ADFS need to specify the exact NameID Policy?

Thanks
Hemant
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
Hi Mika,

I want to set the nameid-format to unspecified. I changed it to
saml.sp.name.id.format=urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified
Is this the right way to change the nameid-format?
Request to respond
Peter J Shields, modified 10 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: Using SAML authentication wit

Junior Member Posts: 26 Joined: 30.06.09
I was only able to get it to work with a urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress format. Everything else failed.

-pete
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
Thanks Peter.
Does it mean that the IdP has to set emailAddress to authenticate?

Thanks
Hemant
Peter J Shields, modified 10 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: Using SAML authentication wit

Junior Member Posts: 26 Joined: 30.06.09
Yes it does. I tried every other option, but only email format would work. I think the SAML plugin is only enabled for that.

-pete
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
Thanks Peter. I appreciated that.

Any idea why it shows InvalidNameIDPolicy?
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"></samlp:StatusCode></samlp:StatusCode></samlp:Status></samlp:Response>

Thanks
Hemant
Mika Koivisto, modified 10 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: Using SAML authentication wit

Liferay Legend Posts: 1519 Joined: 07.08.06
It means that your IdP doesn't accept the NameIDPolicy sent by the SP. The SP does send SPNameQualifier within the NameIDPolicy of AuthnRequest but that should be fine. The only time that will not work is when it tries to logout because then it fails to send the SPNameQualifier. There's a fix for it in LPS-32707.
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
Hi Mika,

Thanks for the response.
What are the NameIDPolicy , the Liferay SP does send by default? I know, it sends emailAddress for Authentication. What are the others?

Thanks
Hemant
Hemant Behera, modified 10 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: Using SAML authentication wit

Junior Member Posts: 36 Joined: 01.12.09
I have set the NameIDPolicy to emailAddress

saml.sp.user.attribute.mappings=nemailAddress=emailAddress
saml.sp.name.id.format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

But it's giving me the below error,

17:44:55,721 INFO [http-bio-8443-exec-14][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:114] SAML protocol message was not signed, skipping XML signature processing
17:44:55,721 ERROR [http-bio-8443-exec-14][MandatoryAuthenticatedMessageRule:76] Inbound message issuer was not authenticated.
17:44:55,747 ERROR [http-bio-8443-exec-14][status_jsp:665] com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.


Any idea why it's showing this error?

Any response on this is highly appreciated.

Thanks
Hemant
Mika Koivisto, modified 10 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: Using SAML authentication wit

Liferay Legend Posts: 1519 Joined: 07.08.06
The error message is self evident. The protocol message was not signed so no trust can be established.
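Mika's two diagnoses in this thread, "it can't resolve the peer metadata ... the entity id doesn't match the one that's on the SAML Response" and "the protocol message was not signed so no trust can be established", together with the Requester/InvalidNameIDPolicy status Hemant posted, are the checks an SP runs before it even looks at the assertion. What follows is an added example, not Liferay's or OpenSAML's code, that runs those structural checks in Python over constructed XML. The entityID, the certificate strings and the message IDs are placeholders, and it deliberately stops short of cryptographic signature verification.

```python
"""Added example, not Liferay's or OpenSAML's code: structural pre-flight
checks on a SAML 2.0 Response against the SP's copy of the IdP metadata.
It reproduces the decisions behind the thread's log lines (unresolvable
peer metadata, "SAML protocol message was not signed", a non-Success
status) but does NOT verify the XML signature cryptographically; an
XML-DSig library is needed for that. All XML and certificate strings
are constructed placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"
IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"  # assumed entityID
IDP_CERT = "MIIC...IDPSIGNINGCERT"                        # placeholder, not a real cert

# Constructed IdP metadata with a single signing KeyDescriptor.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['saml2p']}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def make_response(issuer, signed=True, cert=IDP_CERT, ref_id=None, status=("Success",)):
    """Build a constructed Response; the optional enveloped signature is a
    skeleton with a placeholder SignatureValue."""
    resp_id = "_response1"
    signature = ""
    if signed:
        signature = f"""<ds:Signature xmlns:ds="{NS['ds']}">
    <ds:SignedInfo><ds:Reference URI="#{ref_id or resp_id}"/></ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>"""
    # Nested StatusCode elements, e.g. Requester wrapping InvalidNameIDPolicy.
    codes = "".join(f'<saml2p:StatusCode Value="{STATUS_PREFIX}{c}">' for c in status)
    codes += "</saml2p:StatusCode>" * len(status)
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    ID="{resp_id}" Version="2.0">
  <saml2:Issuer>{issuer}</saml2:Issuer>
  {signature}
  <saml2p:Status>{codes}</saml2p:Status>
</saml2p:Response>"""


def load_idp_metadata(xml_text):
    """Return the entityID and the certificates usable for signing. A
    KeyDescriptor with no 'use' attribute is valid for signing too."""
    root = ET.fromstring(xml_text)
    certs = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                certs.add("".join((c.text or "").split()))
    return {"entityID": root.get("entityID"), "signing_certs": certs}


def check_response(response_xml, idp):
    """Return a list of findings; an empty list means the pre-flight passed."""
    findings = []
    root = ET.fromstring(response_xml)
    issuer = root.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer != idp["entityID"]:
        findings.append(f"issuer {issuer!r} does not match metadata entityID "
                        f"{idp['entityID']!r}: peer metadata cannot be resolved")
    if not idp["signing_certs"]:
        findings.append("IdP metadata carries no signing certificate")
    # Walk the nested StatusCode chain (Requester/InvalidNameIDPolicy etc.).
    chain, code = [], root.find("saml2p:Status/saml2p:StatusCode", NS)
    while code is not None:
        chain.append(code.get("Value", "").replace(STATUS_PREFIX, ""))
        code = code.find("saml2p:StatusCode", NS)
    if chain[:1] != ["Success"]:
        findings.append("status " + "/".join(chain) + ": the IdP rejected the request")
    # Only a direct child counts as the Response's own enveloped signature.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        findings.append("Response is not signed: issuer cannot be authenticated")
        return findings
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    if uri != "#" + root.get("ID", ""):
        findings.append(f"signature Reference {uri!r} does not cover Response ID {root.get('ID')!r}")
    cert = "".join(sig.findtext(".//ds:X509Certificate", default="", namespaces=NS).split())
    if cert and cert not in idp["signing_certs"]:
        findings.append("KeyInfo certificate is not a signing certificate from the IdP metadata")
    return findings


if __name__ == "__main__":
    idp = load_idp_metadata(IDP_METADATA)
    print(check_response(make_response(IDP_ENTITY_ID), idp) or "OK")
    print(check_response(make_response(IDP_ENTITY_ID, signed=False), idp))
    print(check_response(make_response(IDP_ENTITY_ID, status=("Requester", "InvalidNameIDPolicy")), idp))
```

Run as a script it prints the findings for a good, an unsigned and a rejected Response; pointed at a captured Response and your own idp-metadata.xml, `check_response` answers the same three questions the thread circles around before you turn on OpenSAML debug logging. It parses with the standard library only because the input is constructed; a Response taken off the wire belongs in a hardened parser (defusedxml, for instance) followed by real XML-DSig verification against the metadata certificate.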
Hemant Behera, modified 10 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: Using SAML authentication wit

Junior Member Posts: 36 Joined: 01.12.09
Thanks Mika for the quick reply

Do we need to change something in ADFS side?
What could be the root cause?

Thanks
Hemant
Peter J Shields, modified 10 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: [Liferay Forums][6. Portal Fr

Junior Member Posts: 26 Joined: 30.06.09
"SAML protocol message was not signed" means the ADFS server didn't encrypt (sign) the SAML assertion it returned, which is what the SAML plugin expected. Your ADFS server really should sign the assertions it returns, or you lose the ability to trust that the message actually came from your ADFS server and not somewhere else. If you allow this, your system becomes inherently unsafe and easily breached.

Check the configuration of ADFS to ensure you have shared public keys between the two systems and that ADFS is set to respond to requests from Liferay with assertions signed with its public key.

-pete
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
Thanks Peter for the clarification.
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
Hi Peter,

Can you confirm that Liferay is not expecting the SAML message to be encrypted (in addition to being signed)?

Thanks
Hemant
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Joined: 01.12.09
Peter/Mika,

Now I am getting this error,

11:24:42,867 INFO [http-bio-8443-exec-24][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:122] Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
11:24:42,919 ERROR [http-bio-8443-exec-25][AutoLoginFilter:245] Current URL / generates exception: java.lang.NullPointerException
Any idea what needs to be changed to get it working?

Thanks
Hemant
Mika Koivisto, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Liferay Legend Posts: 1519 Join Date: 07.08.06 Recent Posts
Please include your SAML Response XML.
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Join Date: 01.12.09 Recent Posts
Mike,

Can you please confirm if the below is the right configuration,

saml.sp.user.attribute.mappings=emailAddress=emailaddress\nfirstName=givenname\nlastName=surname

I mean do I need to put n, like

saml.sp.user.attribute.mappings=nemailAddress=emailaddress\nfirstName=givenname\nlastName=surname

Thanks
Hemant
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Join Date: 01.12.09 Recent Posts
Mika-
Sorry, I misspelled your name.

Thanks
Hemant
Mika Koivisto, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Liferay Legend Posts: 1519 Join Date: 07.08.06 Recent Posts
The attribute mapping is a newline-separated property list, so you could do it like this too:

saml.sp.user.attribute.mappings=\
emailAddress=emailaddress\
firstName=givenname\
lastName=surname

It also seems like it's missing screenName, which is required. You also need to make sure that the mapped attribute name is really the attribute name in the SAML response. Otherwise it will map it to null, which will cause a NullPointerException when it tries to add the user.
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Join Date: 01.12.09 Recent Posts
Mika,

I just mapped it as per the SAML Response to this:
saml.sp.user.attribute.mappings=screenName=employeeNumber\nemailAddress=emailaddress

Getting the same exception. But do we need to have the same email id for both Liferay and ADFS? In the SAML response I am getting a different email id, which is not there in Liferay.
<AttributeValue>XXX@abc.com</AttributeValue>

Thanks
Hemant
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Join Date: 01.12.09 Recent Posts
Mika/Peter

Does it need to match the emailaddress and employeeNumber of ADFS to Liferay,
i.e. ADFS emailaddress = Liferay emailAddress
ADFS employeeNumber = Liferay screenName

Liferay does not allow screenName to be a number. It should start with some character + number, like a12345.

Request you to clarify

Thanks
Hemant
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Join Date: 01.12.09 Recent Posts
Now I am not getting "Current URL / generates exception: java.lang.NullPointerException",
but it's not signing into Liferay.
Hemant Behera, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 36 Join Date: 01.12.09 Recent Posts
Hi Mika,

I am getting the similar exception as mentioned by Peter,
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="http://svrName.xxxxxxxxxxxxxxx.com:8080/c/portal/saml/acs"
ID="_6650205f8809826a2fa499130c38cf30"
InResponseTo="_1bd4c307bb12e48f0429fe98300e6e7cd5ae72a7"
IssueInstant="2012-10-18T22:54:44.008Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>svrName.xxxxxxxxxxxxxxx.com.com</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_6650205f8809826a2fa499130c38cf30">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>212ycFy0YqX1N/Djw1kuFdKBEsc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxxxxxxxxxxxxxx</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>xxxxxxxxxxxxxxx</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_6d5ab9acdd8c44a1b4a38c662a368c66"
IssueInstant="2012-10-18T22:54:44.008Z"
Version="2.0"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">svrName.xxxxxxxxxxxxxxx.com</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NameQualifier="svrName.xxxxxxxxxxxxxxx.com"
SPNameQualifier="svrName.xxxxxxxxxxxxxxx.com"
>dave.pierovich@hd-assets.info</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="172.31.6.23"
InResponseTo="_1bd4c307bb12e48f0429fe98300e6e7cd5ae72a7"
NotOnOrAfter="2012-10-18T22:59:44.008Z"
Recipient="http://svrName.xxxxxxxxxxxxxxx.com:8080/c/portal/saml/acs"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2012-10-18T22:54:44.008Z"
NotOnOrAfter="2012-10-18T22:59:44.008Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>svrName.xxxxxxxxxxxxxxx.com</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2012-10-18T22:54:43.859Z"
SessionIndex="8320f72c6a653c5a8e42225dfb8d17a1b65375948fa540d2b19bc212ba94ba23"
>
<saml2:SubjectLocality Address="172.31.6.23" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
Mika Koivisto, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Liferay Legend Posts: 1519 Join Date: 07.08.06 Recent Posts
Your Assertion doesn't contain any attributes, so if the user with the emailAddress in the NameID doesn't exist already, the authentication fails.
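Mika's two replies above (the attribute-mapping one, and this one about an assertion with no attributes) together describe how the SP resolves a user: the NameID names the user, its Format decides whether the lookup is by email address or by screenName, and a user who is not in Liferay yet can only be created if every attribute named in saml.sp.user.attribute.mappings is actually released in the AttributeStatement. The following is an added example, not the SAML portlet's code or code from anyone in this thread: a stand-alone Python check that encodes those rules and can be run offline against a captured Response. The user table, the Response it builds, and the names parse_mappings, analyze_response and build_sample_response are constructed for the example.

```python
"""Offline check of a SAML 2.0 Response against the user-resolution rules stated
in this thread (constructed example, not Liferay's code): the Subject NameID names
the user; Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress means
"look up by email", anything else means "look up by screenName"; the bearer
assertion is used; and for a new user every attribute named in
saml.sp.user.attribute.mappings must be released, with screenName required."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed stand-in for the Liferay user table: one user by email, one by screen name.
EXISTING_USERS = {"email": {"known.user@example.com"}, "screenName": {"a12345"}}


def parse_mappings(value):
    """Parse liferayField=samlAttribute entries separated by a literal \\n (as
    written in portal-ext.properties) or by real newlines."""
    mappings = {}
    for entry in value.replace("\\n", "\n").splitlines():
        if "=" in entry:
            field, attr = entry.split("=", 1)
            mappings[field.strip()] = attr.strip()
    return mappings


def analyze_response(xml_text, mappings, existing_users):
    """Return how Liferay would resolve the user, plus any blocking problems."""
    root = ET.fromstring(xml_text)
    result = {"problems": []}
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    result["status"] = status.get("Value") if status is not None else None
    if result["status"] != SUCCESS:
        result["problems"].append("non-success status %s" % result["status"])
        return result

    # Use the assertion whose SubjectConfirmation method is bearer.
    assertion = next((a for a in root.findall("saml:Assertion", NS)
                      if any(sc.get("Method") == BEARER for sc in
                             a.findall("saml:Subject/saml:SubjectConfirmation", NS))), None)
    if assertion is None:
        result["problems"].append("no assertion with a bearer SubjectConfirmation")
        return result

    # Structural check only: a ds:Reference must point at the Response or Assertion ID.
    # Cryptographic verification of the signature needs an XML-DSig library.
    refs = {r.get("URI") for r in root.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    if not refs & {"#" + root.get("ID", ""), "#" + assertion.get("ID", "")}:
        result["problems"].append("no signature reference covers the Response or the Assertion")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value:
        result["problems"].append("assertion has no NameID")
        return result
    result["nameid"] = value
    result["lookup"] = "email" if name_id.get("Format") == EMAIL_FORMAT else "screenName"
    result["user_exists"] = value in existing_users[result["lookup"]]
    if result["user_exists"]:
        return result

    # New user: each mapped SAML attribute must be released, or that field is null.
    released = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    result["attributes"] = released
    if "screenName" not in mappings:
        result["problems"].append("mapping lacks the required screenName field")
    for field, attr in mappings.items():
        if attr not in released:
            result["problems"].append("%s maps to attribute %r, which is not in the "
                                      "assertion (would be null)" % (field, attr))
    return result


def build_sample_response(name_id, name_id_format, attributes):
    """Construct a minimal Response shaped like the one posted in the thread
    (SignatureValue and certificate omitted; only the Reference URI is checked)."""
    attr_xml = "".join('<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
                       '</saml:Attribute>' % (n, v) for n, v in attributes.items())
    attr_stmt = "<saml:AttributeStatement>%s</saml:AttributeStatement>" % attr_xml if attributes else ""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">'
            '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>'
            '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
            '<saml:Assertion ID="_asrt1" Version="2.0"><saml:Subject>'
            '<saml:NameID Format="%s">%s</saml:NameID>'
            '<saml:SubjectConfirmation Method="%s"/></saml:Subject>%s</saml:Assertion>'
            '</samlp:Response>' % (SUCCESS, name_id_format, name_id, BEARER, attr_stmt))


if __name__ == "__main__":
    mappings = parse_mappings("screenName=employeeNumber\\nemailAddress=emailaddress")
    # Shape from the thread: email NameID, no AttributeStatement, user unknown to Liferay.
    print(analyze_response(build_sample_response("new.user@example.com", EMAIL_FORMAT, {}),
                           mappings, EXISTING_USERS)["problems"])
```

Run against the shape posted above (email-format NameID, no AttributeStatement, user not yet in Liferay) the check reports one problem per mapped attribute that the assertion does not carry, which is exactly the situation in which the SP ends up with null fields. One caveat on the properties file itself: a trailing backslash in a Java properties file continues the value onto the next line without inserting any separator, so each entry still needs its literal \n (as in the screenName=employeeNumber\nemailAddress=emailaddress form) to remain a separate entry when the value is read back.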
Mika Koivisto, modified 10 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: Using SAML authentication wit

Liferay Legend Posts: 1519 Join Date: 07.08.06 Recent Posts
If you are using any other nameId format than emailAddress the saml sp implementation will interpret it as screenName.
tarina e e, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

New Member Posts: 23 Join Date: 15.11.09 Recent Posts
Hi Dave,
Do you still have the documentation of the configuration / steps that need to be done on both sides to enable Liferay SAML SSO with an external IdP? If so, can you please share it?
Thanks a lot!
Tarina
Dave Pierovich, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Junior Member Posts: 26 Join Date: 30.06.09 Recent Posts
One more thing ...

The SAML assertion passed to the IDP specifies the following:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="http://xxxxxxxxxxxxxxx.com:8080/c/portal/saml/acs"
Destination="https://xxxxxxxxxxxxxxx.com/idp/profile/SAML2/Redirect/SSO"
ForceAuthn="false"
ID="_e35b665028c22e155a8a47186d972fa540ac5698"
IsPassive="false"
IssueInstant="2012-10-16T18:44:25.786Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">xxxxxxxxxxxxxxx.com</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SPNameQualifier="xxxxxxxxxxxxxxx.com"
/>

</saml2p:AuthnRequest>

In previous posts you stated "If you use email address for the nameid the idp needs to set the nameid format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress anything else will be interpreted as screenName."

I've tried configuring the IDP to return the screen name (cn) as NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", expecting that this will be correctly interpreted as a screen name. Unfortunately, if the format is anything but “emailAddress”, regardless of the kind of value returned, the IDP will return an error because the required NameID format is unavailable. The following was generated by attempting to return the screenName (cn) using the “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” NameID format.

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="http://xxxxxxxxxxxxxxx.com:8080/c/portal/saml/acs"
ID="_b1a139ed3b109a9e70c7938b229e3e69"
InResponseTo="_7c2d9c2133360df694a90fd5324ea1a1489d0bc3"
IssueInstant="2012-10-16T12:47:24.134Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>xxxxxxxxxxxxxxx.com</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
</saml2p:StatusCode>
<saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>
</saml2p:Status>
</saml2p:Response>

Is there something missing in my SAML 2 config that would allow for a non-emailAddress formatted response?
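The failed Response in the post above carries its real reason one level down: the top-level StatusCode (Responder) only says which side declined, the nested StatusCode (InvalidNameIDPolicy) says why, and the StatusMessage spells it out. A checker that reads only the first StatusCode misses that. The following is an added example, not code from Dave's post or from Liferay: a small Python function that walks the whole StatusCode chain and turns it into a deployer-facing diagnosis. The two Response documents are constructed for the example (modelled on the one above), and the hint table is limited to second-level codes defined in SAML 2.0 core.

```python
"""Walk the StatusCode chain of a SAML 2.0 Response (added example, not from the
thread or from Liferay). A failed Response carries a top-level code (Requester,
Responder or VersionMismatch), usually a nested second-level code, and
optionally a StatusMessage; the nested code is the one that says why."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"

# What the top-level code says about where the problem lies.
TOP_LEVEL = {
    STATUS + "Success": "ok",
    STATUS + "Requester": "the SP's request",
    STATUS + "Responder": "the IdP side",
    STATUS + "VersionMismatch": "protocol version",
}
# Second-level codes from SAML 2.0 core and what each means for the deployer.
SECOND_LEVEL = {
    STATUS + "InvalidNameIDPolicy": "the IdP cannot issue a NameID in the Format requested by "
        "the SP's NameIDPolicy; change the requested Format or configure the IdP to release it",
    STATUS + "AuthnFailed": "the user did not authenticate successfully at the IdP",
    STATUS + "RequestDenied": "the IdP chose not to respond to the request",
    STATUS + "NoPassive": "IsPassive was requested but the IdP needed user interaction",
    STATUS + "UnknownPrincipal": "the IdP does not recognise the principal",
}


def parse_status(xml_text):
    """Return the full code chain, the StatusMessage and a deployer-facing hint."""
    root = ET.fromstring(xml_text)
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:  # StatusCode elements may nest more than one level
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    top = codes[0] if codes else None
    return {
        "success": top == STATUS + "Success",
        "codes": codes,
        "blame": TOP_LEVEL.get(top, "unknown top-level code"),
        "hint": next((SECOND_LEVEL[c] for c in codes[1:] if c in SECOND_LEVEL), None),
        "message": msg.text.strip() if msg is not None and msg.text else None,
        "in_response_to": root.get("InResponseTo"),
    }


# Constructed Response modelled on the InvalidNameIDPolicy one posted in the thread.
FAILED_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_example1" InResponseTo="_req1" Version="2.0">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </saml2p:StatusCode>
    <saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>"""

# Constructed successful Response for comparison.
SUCCESS_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_example2" InResponseTo="_req2" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
</saml2p:Response>"""

if __name__ == "__main__":
    for xml in (FAILED_RESPONSE, SUCCESS_RESPONSE):
        print(parse_status(xml))
```

For the failed document the result names the IdP side, lists both codes in order and carries the StatusMessage, which matches the situation in the post: the SP asked for a NameID Format the IdP was not configured to release, so the fix is on the IdP's NameID configuration or on the Format the SP requests, not in the SP's user mapping. Matching in_response_to against the ID of the AuthnRequest you sent is also a cheap way to confirm you are looking at the reply to the right request.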
Matthew Stevenson, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

New Member Posts: 12 Join Date: 17.05.12 Recent Posts
Mika, has any more development gone into the portlet yet to make it work alongside other auth methods?
Mika Koivisto, modified 10 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: Using SAML authentication wit

Liferay Legend Posts: 1519 Join Date: 07.08.06 Recent Posts
Matthew, no progress on that front yet other than some backend changes that will eventually allow us to implement it. If that's an important feature for you, I'd recommend you get in touch with your Liferay account manager or sales rep.
Oleg Cohen, modified 11 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

New Member Posts: 3 Join Date: 28.01.13 Recent Posts
Mika Koivisto:
The SP implementation is currently very limited and only supports one NameID which has to be either a emailAddress or screenName and it has to not change between logins. It will use the assertion which has subject confirmation method urn:oasis:names:tc:SAML:2.0:cm:bearer.

Can you post your full saml response? Just X out any sensitive data. I'm interested to see if it's a bug or if it's just a limitation that I can address in a future version.

AssureBridge has an implementation of a Liferay SP that supports transient NameIDs and ids of any type. It can then map them to the Liferay email address. It can also support the email being passed as a SAML attribute.

Check here for more information
Kazim Merchant, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

New Member Post: 1 Join Date: 28.06.13 Recent Posts
Where do I find the source for SamlSpAutoLoginHook?
Mika Koivisto, modified 10 years ago.

RE: Using SAML authentication with existing IdP - user mapping issue?

Liferay Legend Posts: 1519 Join Date: 07.08.06 Recent Posts
Kazim, please don't resurrect an old topic with a new question. You'll get the source from the same place you got the plugin. Here's a link to the marketplace app. Please note that the plugin is only available to EE subscribers.
Peter J Shields, modified 8 years ago.

RE: [Liferay Forums][6. Portal Framework] RE: Using SAML authentication wit

Junior Member Posts: 26 Join Date: 30.06.09 Recent Posts
I used a decompiler. It wasn't perfect, but it was enough.

What I found was that there was nothing wrong with the SAML plugin or its
code, just in how I was trying to configure my Shibboleth IDP to work with
it. With Shibboleth, it's really important to RTFM. Once you think you
understand it... RTFM again, you don't.

Shibboleth is an amazingly powerful tool and when combined with Liferay
provides top of the line functionality. It is, however, not easy to do and
should not be taken on by the faint of heart or people who don't have the
time to work through the process of learning about SAML, SSO, Shibboleth,
and how its configuration works.

Check your configs. Once you have them right... it works.

Pete

From: Kazim Merchant from liferay.com [mailto:forums@liferay.com]
Sent: Monday, July 15, 2013 12:10 AM
To: forums@liferay.com
Subject: [Liferay Forums][6. Portal Framework] RE: Using SAML authentication with existing IdP - user mapping issue?

Where do I find the source for SamlSpAutoLoginHook?

To view the thread, follow the link below:
http://www.liferay.com/community/forums/-/message_boards/view_message/26447461