steven zhao, 12 years ago:
Where can I download the SAML Portlet WAR? -- Thanks

Mika Koivisto (in reply to steven zhao), 12 years ago:
It's available in Customer Portal like all EE plugins.

Kapil Burange (in reply to Mika Koivisto), 9 years ago:
Hi Mika, thanks for your post. I am able to use the single sign-on functionality with Salesforce with the admin user test@liferay.com, but whenever I try to sign in with another user (imported from LDAP) this functionality is not working. I am getting the error "your login attempt with single sign on account have failed,please contact your salesforce administrator"

Kapil Burange (in reply to Mika Koivisto), 9 years ago:
Hi, one more question I want to ask: does the user who is authenticated using Liferay sign up have to be registered on salesforce.com? My use case is that we have a Liferay integrated with LDAP and we would like to SSO LDAP users in salesforce.com without registering those users in salesforce.com; we just want to create an authentication certificate for salesforce.com. How can we achieve the above functionality? Thanks, Kapil

Mika Koivisto (in reply to Kapil Burange), 9 years ago:
You'd need to provision the users from your LDAP to Salesforce or to configure Salesforce to automatically create users from attributes provided in SAML Assertion.

Kapil Burange (in reply to Mika Koivisto), 9 years ago:
Is this the only way to register LDAP users in Salesforce, or can we generate the keystore with an LDAP group which contains all the users and register that certificate in Salesforce....

Kapil Burange (in reply to Mika Koivisto), 9 years ago:
We cannot allow LDAP connectivity to Salesforce and would like to use SAML assertion for creating users. How to do that? And one thing: we want to add some custom fields from LDAP to be inserted in the SAML; how can we do that? Please suggest. Thanks, Kapil

Kapil Burange (in reply to Mika Koivisto), 9 years ago:
Hi Mika, can you please tell how to pass RelayState in the link? My relay state value will be (tc=E1001):

    /c/portal/saml/sso?entityId=https://saml.salesforce.com&RelayState=tc=E1001

Regards, Kapil

Kapil Burange (in reply to Mika Koivisto), 9 years ago:
Hi Mika, thanks for the reply. I just want to ask how, on the Salesforce end, we can check the fields firstname, lastname, email, uuid and screenname. On the Liferay end we have configured this property:

    saml.idp.metadata.attribute.names[https://saml.salesforce.com]=screenName,firstName,lastName,emailAddress,uuid

Please reply because I am kind of stuck on this.

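An added example, not part of the original thread and not Liferay or Salesforce code: a Python check that can be run over a captured SAML Response to see whether the attributes named in the saml.idp.metadata.attribute.names property quoted above actually arrive in the assertion. The sample response is constructed and the function names are hypothetical; the script only inspects the XML and does not verify the signature, so its output is for troubleshooting, not for trust decisions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names from the saml.idp.metadata.attribute.names property in the thread.
EXPECTED_ATTRIBUTES = ["screenName", "firstName", "lastName", "emailAddress", "uuid"]

# Constructed sample response (not captured from a real IdP). uuid is absent and
# lastName is empty on purpose, so the check below has something to report.
SAMPLE_RESPONSE_XML = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-response" Version="2.0"
                IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Assertion ID="_constructed-assertion" Version="2.0"
                  IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="screenName">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="firstName">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="lastName">
        <saml:AttributeValue></saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="emailAddress">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def decode_post_binding(saml_response_b64):
    """Decode the base64 SAMLResponse form field used by the HTTP-POST binding."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def extract_identity(response_xml):
    """Return NameID, audiences and attributes from an unencrypted assertion."""
    # Refuse DTDs before parsing; for untrusted input prefer a hardened
    # parser such as defusedxml over the standard library one.
    if "<!DOCTYPE" in response_xml or "<!ENTITY" in response_xml:
        raise ValueError("DTD or entity declaration in SAML response")
    root = ET.fromstring(response_xml.strip())
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no unencrypted saml:Assertion in response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    audiences = [
        (a.text or "").strip()
        for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "audiences": audiences,
        "attributes": attributes,
    }


def check_attributes(identity, expected=EXPECTED_ATTRIBUTES):
    """Compare the attributes that arrived with the names the IdP was configured to send."""
    attrs = identity["attributes"]
    return {
        "missing": [n for n in expected if n not in attrs],
        "empty": [n for n in expected if n in attrs and not any(attrs[n])],
        "unexpected": sorted(set(attrs) - set(expected)),
    }


if __name__ == "__main__":
    ident = extract_identity(SAMPLE_RESPONSE_XML)
    print(ident)
    print(check_attributes(ident))
```
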
Jonas Yuan, 12 years ago:
Cool! Thanks Mika!

Steven Zhao, 12 years ago:
Thanks Mika. I got the SAML WAR and it works like a charm! Just one more question. How do I use Liferay as IdP to connect to two SPs, say one is Salesforce and another is Google App? And I would use different Liferay user fields other than email address as SSO subject, or two different email addresses, one for Salesforce, one for Google App.

Jay Patel, 12 years ago:
Cool.. thanks Mika for sharing this..

Roger CARHUATOCTO (in reply to Jay Patel), 12 years ago:
great job!

Ankit Srivastava, 12 years ago:
Thanks Mika, very useful blog.....

Paul . (in reply to Ankit Srivastava), 12 years ago:
Works very well, however on logout from Salesforce, it's redirected to /c/portal/logout

Mika Koivisto (in reply to Paul .), 12 years ago:
Paul, that's because Salesforce does not support SAML Single Logout profile.

Anand Anandan (in reply to Mika Koivisto), 12 years ago:
Is Liferay SAML 2.0 IdP support only for the EE edition? Is it not available for CE? Can CE be part of SP? Please let us know. Thank you. -Anand

Mika Koivisto (in reply to Anand Anandan), 12 years ago:
The SAML plugin is for EE only.

divya goyal (in reply to Mika Koivisto), 7 years ago:
Hi Mika, we have a use case where we have to connect with one of the SharePoint applications which does not support SAML, so for that we have brought forward ADFS as the broker between Liferay and the SharePoint application. We have configured the ADFS metadata in Liferay and are sending the userPrincipalName as the name ID to ADFS, and we are able to send the SAML response successfully. In ADFS, Liferay has been configured as the claim provider and the SharePoint application has been configured as the relying party. When we are posting the SAML response to ADFS, it reaches ADFS successfully but the application is not able to redirect to the relying party; it stays on ADFS only. Can you please help if you have come across such a use case? Thanks in advance. It will be a great help.

Doug Storms, 12 years ago:
I cannot find the SAML portlet WAR. I looked for the Customer Portal, but could not find that either. Is this available with the 30 day free trial of 6.1 EE? I found the liferay-asb-sso-hook-1.0.1.war, is this what I need? Whenever I hit http://localhost:8080/c/portal/saml/metadata, it redirects me to http://localhost:8080. Thanks.

Doug Storms (in reply to Doug Storms), 12 years ago:
Sorry, I didn't realize the customer portal was for actual customers and not trial users. The sales office gave me access to the necessary jar. Thanks again.

Armaz Mellati (in reply to Doug Storms), 12 years ago:
We tried to use it. It worked nicely, but not for us. We need to have both SAML and plain authentication available for users. Users must get forwarded to the login page where they can choose. This was not possible (read: we didn't find out how) to set up with the SAML plugin. When activated, all logins are redirected right to the SAML (federated) login page only.

vipin bardia (in reply to Armaz Mellati), 11 years ago:
Can someone walk me through the steps if we want to use our AD as the identity provider and use Liferay as the service provider? This may help us to resolve our LDAP issue.

Mika Koivisto (in reply to vipin bardia), 11 years ago:
I don't think AD by itself can be SAML IdP but with Microsoft's Active Directory Federation Server (ADFS) 2.0 I think you could do that. The principles are the same but I can't help you with ADFS configuration as I've never used it.

Vipin Bardia (in reply to Mika Koivisto), 11 years ago:
Hi Mika, thanks for the prompt response. I will try your suggestion with my seniors and if we succeed, will also update you. Thanks, Vipin Bardia http://vkbardia.blogspot.in

Muru Annamalai (in reply to Vipin Bardia), 11 years ago:
Good information. Thank you Mika

Mika Koivisto (in reply to Muru Annamalai), 11 years ago:
Armaz Mellati, yeah the current version of the SP is very limited. I'll keep that in mind for the next version as I already had thought about adding support for multiple IdPs so that would fit right in with it. Thanks everyone for your feedback. I'm always interested in hearing how and with what other SAML IdP or SP you are using it. Also I'm very interested in hearing what features you think it's missing. Feel free to post here or email me firstname.lastname @ liferay.com

Petr Zalesky (in reply to Mika Koivisto), 11 years ago:
Mika, do you have a timeline for adding support for multiple IdPs?

Christopher Dawson (in reply to Petr Zalesky), 11 years ago:
To clarify what "multiple IDPs" means, Mika, are you referring to the ability of a single LR server in IDP mode to support using different certificates for signing assertions to different service providers? The SAML plugin in its current state allows me to configure multiple SPs for an IDP Initiated Web SSO scenario - but even if I configure 50 different SPs I would be signing all of those assertions with the same single certificate, right? I have a client that is requiring that I provide them with a unique certificate for each of their SP entityIDs.

What I believe I would need is a way to configure multiple IDP entity IDs - each with their own keystore certificate - and then a way to associate that specific entityID with a specific SP entityID. That way I could utilize a different certificate for each SSO "route". Example portal-ext.properties with proposed config changes:

    saml.enabled=true
    saml.role=idp
    saml.metadata.paths=\
        /first.service.provider.metadata.xml, \
        /second.service.provider.metadata.xml
    ?? saml.entity.id=https://generic.identity.provider.entity.id ??
    saml.idp.enabled=true
    # First IDP Entity ID Config
    saml.idp.entity.id[https\://first.service.provider.entity.id]=https\://first.identity.provider.entity.id
    saml.keystore.credential.password[https\://first.identity.provider.entity.id]=<key-password>
    # Second IDP Entity ID Config
    saml.idp.entity.id[https\://first.service.provider.entity.id]=https\://first.identity.provider.entity.id
    saml.keystore.credential.password[https\://first.identity.provider.entity.id]=<key-password>

Mika: Is this something that is in the works at all? Or should I accept the fact that I'll need to roll my own to get this kind of functionality? Will try contacting you via email also. Cheers!

sanjay datta (in reply to Christopher Dawson), 8 years ago:
Did you ever get to configure multiple IdP? Did you have to develop custom code to achieve this feature?
Doug Storms Doug Storms Vor 12 Jahren Sorry, I didn't realize the customer portal was for actual customers and not trial users. The sales office gave me access to the necessary jar. Thanks again. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Armaz Mellati Doug Storms Vor 12 Jahren We tried to use it. It worked nicely, but not for us We need to have both SAML and plain-authentication available for users. Users must get forwarded to the login-page where they can choose. This was not possible (read: we didn't find out how) to set-up with SAML-plugin. When activated, all logins, are redirected right to the SAML (federatedt) in-logging-page only. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen vipin bardia Armaz Mellati Vor 11 Jahren Can some one walk me thru the steps if we want to use our AD as the identity provider and use Liferay as the Service provider. This may help us to resolve our LDAP issue. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto vipin bardia Vor 11 Jahren I don't think AD by itself can be SAML IdP but with Microsoft's Active Directory Federation Server (ADFS) 2.0 I think you could do that. The principals are the same but I can't help you with ADFS configuration as I've never used it. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Vipin Bardia Mika Koivisto Vor 11 Jahren Hi Mika,Thanks for prompt response.I will try your suggestion with my seniors and if we succeed , will also update you.Thanks,Vipin Bardiahttp://vkbardia.blogspot.in Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Muru Annamalai Vipin Bardia Vor 11 Jahren Good Information.Thank you Mika Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Muru Annamalai Vor 11 Jahren Armaz Mellati, yeah the current version of the SP is very limited. 
I'll keep that in mind for the next version as I already had thought about adding support for multiple IdPs so that would fit right in with it.Thanks everyone for your feedback. I'm always interested in hearing how and with what other SAML IdP or SP you are using it with. Also I'm very interested in hearing what features you think it's missing. Feel free to post here or email me firstname.lastname @ liferay.com Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Petr Zalesky Mika Koivisto Vor 11 Jahren Mika, do you have a timeline for adding support for multiple IdPs? Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Christopher Dawson Petr Zalesky Vor 11 Jahren To clarify what "multiple IDPs" mean, Mika are you referring to the ability of a single LR server in IDP mode to support using different certificates for signing assertions to different service providers? The SAML plugin in its current state allows me to configure multiple SPs for an IDP Initiated Web SSO scenario - but even if I configure 50 different SPs I would be signing all of those assertions with the same single certificate, right? I have a client that is requiring that I provide them with a unique certificate for each of their SP entityIDs.What I believe I would need is a way to configure multiple IDP entity IDs - each with their own keystore certificate - and then a way to associate that specific entityID with a specific SP entityID. That way I could utilize a different certificate for each SSO "route". Example portal-ext.properties with proposed config changes:saml.enabled=truesaml.role=idpsaml.metadata.paths=\ /first.service.provider.metadata.xml, \ /second.service.provider.metadata.xml?? 
saml.entity.id=https://generic.identity.provider.entity.id ??saml.idp.enabled=true# First IDP Entity ID Configsaml.idp.entity.id[https\://first.service.provider.entity.id]=https\://first.identity.provider.entity.idsaml.keystore.credential.password[https\://first.identity.provider.entity.id]=<key-password># Second IDP Entity ID Configsaml.idp.entity.id[https\://first.service.provider.entity.id]=https\://first.identity.provider.entity.idsaml.keystore.credential.password[https\://first.identity.provider.entity.id]=<key-password>Mika: Is this something that is in the works at all? Or should I accept the fact that I'll need to roll my own to get this kind of functionality. Will try contacting you via email also.Cheers! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen sanjay datta Christopher Dawson Vor 8 Jahren Did you every got to configure Multiple Idp ?. Did you have to develop custom code to achieve this feature Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen
Armaz Mellati, in reply to Doug Storms, 12 years ago:
We tried to use it. It worked nicely, but not for us. We need to have both SAML and plain authentication available for users. Users must get forwarded to the login page where they can choose. This was not possible (read: we didn't find out how) to set up with the SAML plugin. When activated, all logins are redirected right to the SAML (federated) login page only.

vipin bardia, in reply to Armaz Mellati, 11 years ago:
Can someone walk me through the steps if we want to use our AD as the identity provider and use Liferay as the service provider? This may help us to resolve our LDAP issue.

Mika Koivisto, in reply to vipin bardia, 11 years ago:
I don't think AD by itself can be a SAML IdP, but with Microsoft's Active Directory Federation Server (ADFS) 2.0 I think you could do that. The principles are the same, but I can't help you with ADFS configuration as I've never used it.

Vipin Bardia, in reply to Mika Koivisto, 11 years ago:
Hi Mika,
Thanks for the prompt response. I will try your suggestion with my seniors and if we succeed, will also update you.
Thanks,
Vipin Bardia
http://vkbardia.blogspot.in

Muru Annamalai, in reply to Vipin Bardia, 11 years ago:
Good information. Thank you, Mika.

Mika Koivisto, in reply to Muru Annamalai, 11 years ago:
Armaz Mellati, yeah, the current version of the SP is very limited. I'll keep that in mind for the next version, as I already had thought about adding support for multiple IdPs, so that would fit right in with it.
Thanks everyone for your feedback. I'm always interested in hearing how, and with what other SAML IdP or SP, you are using it. Also, I'm very interested in hearing what features you think it's missing. Feel free to post here or email me at firstname.lastname @ liferay.com

Petr Zalesky, in reply to Mika Koivisto, 11 years ago:
Mika, do you have a timeline for adding support for multiple IdPs?

Christopher Dawson, in reply to Petr Zalesky, 11 years ago:
To clarify what "multiple IDPs" means: Mika, are you referring to the ability of a single LR server in IDP mode to support using different certificates for signing assertions to different service providers? The SAML plugin in its current state allows me to configure multiple SPs for an IDP-initiated Web SSO scenario, but even if I configure 50 different SPs I would be signing all of those assertions with the same single certificate, right? I have a client that is requiring that I provide them with a unique certificate for each of their SP entityIDs.
What I believe I would need is a way to configure multiple IDP entity IDs, each with their own keystore certificate, and then a way to associate that specific entityID with a specific SP entityID. That way I could utilize a different certificate for each SSO "route". Example portal-ext.properties with proposed config changes:

    saml.enabled=true
    saml.role=idp
    saml.metadata.paths=\
        /first.service.provider.metadata.xml, \
        /second.service.provider.metadata.xml

    saml.entity.id=https://generic.identity.provider.entity.id

    saml.idp.enabled=true

    # First IDP Entity ID Config
    saml.idp.entity.id[https\://first.service.provider.entity.id]=https\://first.identity.provider.entity.id
    saml.keystore.credential.password[https\://first.identity.provider.entity.id]=<key-password>

    # Second IDP Entity ID Config
    saml.idp.entity.id[https\://second.service.provider.entity.id]=https\://second.identity.provider.entity.id
    saml.keystore.credential.password[https\://second.identity.provider.entity.id]=<key-password>

Mika: Is this something that is in the works at all? Or should I accept the fact that I'll need to roll my own to get this kind of functionality? Will try contacting you via email also.
Cheers!

sanjay datta, in reply to Christopher Dawson, 8 years ago:
Did you ever get to configure multiple IdPs? Did you have to develop custom code to achieve this feature?
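
The per-SP signing setup proposed in the comment above depends on every SP entity ID being mapped to its own IdP entity ID and key entry. The following check is an added example, not part of the thread and not Liferay plugin code: it parses a portal-ext.properties in that shape and flags repeated keys (java.util.Properties keeps only the last value), SPs that share one signing identity, IdP entity IDs without a credential password entry, and expected SPs with no mapping. `saml.idp.entity.id[...]` is the key proposed in the comment, not a shipped plugin property; the sample input and the `expected_sps` parameter are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the "second" block repeats the first block's keys,
# a copy-paste slip that a properties loader accepts silently.
SAMPLE = r"""
saml.enabled=true
saml.role=idp
saml.metadata.paths=\
    /first.service.provider.metadata.xml,\
    /second.service.provider.metadata.xml
saml.entity.id=https://generic.identity.provider.entity.id
# First IDP Entity ID Config
saml.idp.entity.id[https\://first.service.provider.entity.id]=https\://first.identity.provider.entity.id
saml.keystore.credential.password[https\://first.identity.provider.entity.id]=<key-password>
# Second IDP Entity ID Config
saml.idp.entity.id[https\://first.service.provider.entity.id]=https\://first.identity.provider.entity.id
saml.keystore.credential.password[https\://first.identity.provider.entity.id]=<key-password>
"""

# Proposed key from the comment (hypothetical) and the credential password key it pairs with.
IDP_FOR_SP = re.compile(r"^saml\.idp\.entity\.id\[(.+)\]$")
CRED_PW = re.compile(r"^saml\.keystore\.credential\.password\[(.+)\]$")


def logical_lines(text):
    """Yield (first_line_no, joined_line), honouring comments and '\\' continuations."""
    buf, start = None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip(" \t\f")
        if buf is None:
            if not line or line[0] in "#!":
                continue
            buf, start = "", no
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2:            # odd count: the last backslash continues the line
            buf += line[:-1]
        else:
            yield start, buf + line
            buf = None
    if buf is not None:
        yield start, buf


def split_pair(line):
    """Split on the first unescaped '=', ':' or whitespace; unescape '\\x' to 'x'.
    Simplification: \\n, \\t and \\uXXXX escapes are not interpreted."""
    key, i = [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            key.append(line[i + 1])
            i += 2
            continue
        if c in "=: \t\f":
            break
        key.append(c)
        i += 1
    rest = line[i:].lstrip(" \t\f")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t\f")
    return "".join(key), re.sub(r"\\(.)", r"\1", rest)


def audit(text, expected_sps=()):
    """Return (kind, subject, detail) findings; password values are never reported."""
    findings, first_seen = [], {}
    idp_for_sp, creds = {}, set()
    for no, line in logical_lines(text):
        key, value = split_pair(line)
        if key in first_seen:
            findings.append(("duplicate-key", key,
                             f"line {no} overrides line {first_seen[key]}"))
        else:
            first_seen[key] = no
        m = IDP_FOR_SP.match(key)
        if m:
            idp_for_sp[m.group(1)] = value
        m = CRED_PW.match(key)
        if m:
            creds.add(m.group(1))
    sps_by_idp = defaultdict(list)
    for sp, idp in idp_for_sp.items():
        sps_by_idp[idp].append(sp)
    for idp, sps in sorted(sps_by_idp.items()):
        if len(sps) > 1:
            findings.append(("shared-signing-identity", idp, ", ".join(sorted(sps))))
        if idp not in creds:
            findings.append(("missing-credential", idp,
                             "no saml.keystore.credential.password entry"))
    for sp in expected_sps:
        if sp not in idp_for_sp:
            findings.append(("unmapped-sp", sp, "no saml.idp.entity.id mapping"))
    return findings


if __name__ == "__main__":
    sps = ["https://first.service.provider.entity.id",
           "https://second.service.provider.entity.id"]
    for kind, subject, detail in audit(SAMPLE, sps):
        print(f"{kind}: {subject} ({detail})")
```
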
ryan baldwin, 11 years ago (edited):
Is the download for the WAR in the "Official Plugins"? When I do a search for SAML I can't find it. I can find the AssureBridge SAML WAR in the community plugins, but can't find the official one... Point me in the right direction?

Mika Koivisto, in reply to ryan baldwin, 11 years ago:
Ryan, this is an EE-only plugin, so you need to be an EE subscriber to get it. For EE subscribers it's found in the customer portal where you download the EE version of the portal etc.

Harish Kumar, in reply to Mika Koivisto, 11 years ago:
I have followed the steps to set up Liferay as IdP, but when I try to access http://localhost:8080/c/portal/saml/metadata it's redirecting me to the home page instead of displaying metadata.

Steven Zhao, in reply to Harish Kumar, 11 years ago:
Did you log in to Liferay before accessing the page? The URL pointed to a private page, I believe.

Aaron Weikle, in reply to Steven Zhao, 11 years ago:
I followed these steps to a T and I keep getting:

    Error [KeyStoreManagerImpl:122] Unable to load Keystore
    java.io.IOException: Keystore was tampered with, or password was incorrect

I have checked numerous times to make sure all information in my portal-ext.properties file is correct, and it is. So not sure why I am getting this error.

Imad T., in reply to Harish Kumar, 10 years ago:
I have followed the steps, but when I try to access the URL "http://localhost:8080/c/portal/saml/metadata" I get "Internal Server Error". Any suggestions?

Anup Arya, in reply to Imad T., 9 years ago:
Has it worked for you? I am getting the following error, "Unable to process SAML request", when I try to access the URL http://localhost:8080/c/portal/saml/metadata. In the logs the error is "Credential is Required".
Venkatesh Prasad Vor 11 Jahren how do i access the source code for SAML portlet plugin? Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen
Al Faller, 11 years ago
Hi,
Thanks for the plugin. In Service Provider mode, is it capable of getting a user's groups from attributes? I am an EE user, and am potentially interested in using this plugin.
Thanks,
Al

haikel thamri, 10 years ago
I need it for WSRP (remote portlets). How to make it work? Does Liferay support that?

Mika Koivisto, in reply to haikel thamri, 10 years ago
Haikel, we don't currently support SAML with WSRP although it is on our future roadmap.

Clint Wilde, in reply to Mika Koivisto, 10 years ago
Mika,
I went through the setup steps you outlined, but I am getting a null pointer exception. The authnRequest is coming back null after this line in com.liferay.saml.profile.WebSsoProfileImpl:
AuthnRequest authnRequest = samlMessageContext.getInboundSAMLMessage();
I am trying to debug why and have this question: do I need to generate a keystore.js from the command line AS WELL AS in the SAML UI? They both seem to be doing exactly the same thing, so do I need to do both of them or just from the command line?
Thank you.

Mika Koivisto, in reply to Clint Wilde, 10 years ago
If you got UI then use it only because using both will just make a mess. Make sure your IdP knows about your SP and vice versa.

Clint Wilde, in reply to Mika Koivisto, 10 years ago
Mika,
Thanks for the quick response.
Just to be clear, I am talking about the form to generate a Certificate and Private Key in the General tab of the SAML portlet. I ask because you didn't mention that in your initial instructions, and it seems to require the same inputs as the command line you mentioned. I did submit the form, but will that cause a mess if I also specify the keystore.jks file in portal-ext.properties as you said?
Thanks again,
Clint
Thank you!

Mika Koivisto, in reply to Clint Wilde, 10 years ago
When this blog post was written there was no UI.
The UI writes to the same keystore specified in the portal-ext.properties if FileSystemKeyStoreManagerImpl is in use and it is the default one for backwards compatibility.

Clint Wilde, in reply to Mika Koivisto, 10 years ago
Thanks Mika, that helps.
After submitting the form, restarting Tomcat and refreshing the page:
com.liferay.saml.SamlException: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message
    at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:127)
    at com.liferay.saml.profile.WebSsoProfileUtil.processAuthnRequest(WebSsoProfileUtil.java:36)2
Am I missing a parameter somewhere?
Here's the saml props from my portal-ext.properties:
saml.enabled=true
saml.role=idp
saml.entity.id=liferaysamlidpdemo
saml.require.ssl=false
saml.sign.metadata=true
saml.idp.authn.request.signature.required=true
saml.keystore.path=${liferay.home}/SAML-DATA/keystore.jks
saml.keystore.password=liferay
saml.keystore.type=jks
saml.keystore.credential.password[liferaysamlidpdemo]=liferay
saml.metadata.paths=${liferay.home}/SAML-DATA/salesforce-metadata.xml
Thanks,
Clint

Ash Gupta, in reply to Mika Koivisto, 10 years ago
Hi Mika,
Do you know when the UI was introduced? I'm on 3.1.20 ee ga2 and I don't have UI. I have configured SAML SSO between 2 instances of LR (IdP and SP) and it seems to be working well to an extent (can't seem to get custom user fields working) but I can't even see the SAML portlet anywhere in the portal, except for in portal properties in system administration. Now wondering if my installation is OK or if I'm missing something.
Thanks
Ash

Mika Koivisto, in reply to Ash Gupta, 10 years ago
The UI should be included in the next release.
When it will be made generally available I don't know; the latest should be with 6.2 EE.

Ash Gupta, in reply to Mika Koivisto, 10 years ago
Hi Mika,
Thanks for the quick reply! Can I also draw your attention to another question I posted related to SAML here:
https://www.liferay.com/community/forums/-/message_boards/view_message/28886644
Apologies for crossposting!

Clint Wilde, in reply to Mika Koivisto, 10 years ago
Mika,
I apologize in advance for cross-posting, but I wanted to ask an urgent question about this.
Original link here:
https://www.liferay.com/web/armin.dahncke/blog/-/blogs/setting-up-liferay-portal-6-1-ee-as-a-sp
We have a client who needs to implement Liferay as an SP for BOTH user login and application login. We are already implementing the SAML plugin for user login. The application login will be Liferay (SP) logging in to the IDP as an application user, not as a specific user, so we need both. Does the SAML plugin have any support for this out of the box?
If not, would we need BOTH a SAML metadata IDP XML for the user login AND another SAML metadata IDP XML for the application login?
Is this completely out of the use case of SAML to do an application login? Please tell me we are not the first ones to be asked to use SAML to do this?
Thanks in advance.

Mika Koivisto, in reply to Clint Wilde, 10 years ago
Well, it depends what you mean by application login. We don't support the ECP profile yet, which is something you'd need for example to do SAML based authentication to WSRP. You could use JAAS with SAML but that depends on your use case whether that works or not.

Clint Wilde, in reply to Mika Koivisto, 10 years ago
Thanks Mika. I just received more clarification.
Does the SAML portlet support doing an AttributeQuery and getting a specific attribute from the IDP?
Thanks

Mika Koivisto, in reply to Clint Wilde, 10 years ago
AttributeQuery is not supported at this point. You can include attributes in the Response only.

Clint Wilde, in reply to Mika Koivisto, 10 years ago
ughh... Thanks. General question to gauge difficulty: can you give me a rough estimate on how long you would expect a good Java developer (with no knowledge of this plugin and limited knowledge of SAML) to get in and make those changes to support AttributeQuery, and are there any external roadblocks that would prevent us from adding that? Again, I appreciate your help.

Mika Koivisto, in reply to Clint Wilde, 10 years ago
I took a quick look at the spec to refresh my memory on AttributeQuery and it seems that implementing just that part shouldn't be all that difficult. I'd say that a week should be more than enough for someone that knows SAML. I don't see any roadblocks from adding it and the plugin is fairly extendable. If you don't mind sharing more details on your use case I'd be interested in hearing. You can do that privately by emailing me directly. My email is firstname.lastname at liferay.com

Clint Wilde, in reply to Mika Koivisto, 10 years ago
Thanks Mika.
I may take you up on that when we get closer to implementation.
We have another issue related to setting up an IDP:
18:25:44,140 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Intended message destination endpoint: https://idp.sample.org/c/portal/saml/sso
18:25:44,141 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Actual message receiver endpoint: http://idp.sample.org/c/portal/saml/sso
Both SP and IDP are Liferay. When both servers were only listening on HTTP, the connection worked fine, but we just enabled https on the servers and now we are getting this error. We did set saml.require.ssl=true, but we are still seeing the same error. What do we need to do to get past this error?
Thanks in advance.

Clint Wilde, in reply to Clint Wilde, 10 years ago
Hi Mika,
We are also getting this Exception in the logs of the IDP. They don't appear to be related:
Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message
    at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:98)
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79)
    at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
    at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:73)
    at com.liferay.saml.profile.WebSsoProfileImpl.decodeAuthnRequest(WebSsoProfileImpl.java:284)
    at com.liferay.saml.profile.WebSsoProfileImpl.doProcessAuthnRequest(WebSsoProfileImpl.java:309)
    at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:119)
Do you have any idea what is causing this? Any tips would be very appreciated!
Thank you!

Mika Koivisto, in reply to Clint Wilde, 10 years ago
This could be caused by someone accessing /c/portal/saml/sso or /c/portal/saml/acs without correct parameters.

Ajit Gauli, in reply to Mika Koivisto, 10 years ago
Hi Mika, I am following up your conversation with Clint Wilde. We work in the same team. Now we are getting the response back from the IDP, and I can see NameID in the SAML response:
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">YjY3ODliOGUtNGUwMy00MGIwLWEyYmYtZWE5MTk1OTUzYWE1JjNCRTk4MzIwLTA0RkEtNDQ1Ny04MTBFLTgwQkM0MTlGNUE4NA==</NameID>
But still getting this exception on our side (we are SP):
00:01:52,509 ERROR [http-bio-8080-exec-30][status_jsp:665] com.liferay.saml.SamlException: Name ID not present in subject
com.liferay.saml.SamlException: Name ID not present in subject
    at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:486)
Your insight would be much appreciated. Thanks in advance.

Mika Koivisto, in reply to Ajit Gauli, 10 years ago
First of all, Liferay doesn't support transient NameID. Secondly, the SubjectConfirmationMethod has to be urn:oasis:names:tc:SAML:2.0:cm:bearer in order for the subject to be accepted.

Salman Jan, in reply to Clint Wilde, 9 years ago
Did u get this error resolved? If so plz advise.

Mika Koivisto, in reply to Clint Wilde, 10 years ago
Make sure you are consuming the metadata from https url, otherwise it will generate the urls with http.

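The two conditions Mika Koivisto gives above for the "Name ID not present in subject" error, together with the http/https endpoint mismatch from Clint Wilde's log, written as an offline check over a decoded SAML message. This is an added example, not part of the thread and not the Liferay plugin's code; the host names, sample messages and function names are constructed for illustration.

```python
"""Offline preflight for a decoded SAML 2.0 message (added example).

It does not verify signatures, conditions or timestamps; it only reports
the configuration problems discussed in the replies above.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def check_destination(root, receiver_url):
    """Compare the message's Destination with the URL that received it."""
    intended = root.get("Destination")
    if intended is None or intended == receiver_url:
        return []
    a, b = urlsplit(intended), urlsplit(receiver_url)
    detail = f"intended {intended}, received on {receiver_url}"
    if (a.hostname, a.path) == (b.hostname, b.path) and a.scheme != b.scheme:
        # Same host and path, different scheme: the sender and the receiver
        # disagree on http vs https (for example metadata fetched over http).
        return [("destination-scheme", detail)]
    return [("destination-mismatch", detail)]


def check_subject(assertion):
    """Report a missing or transient NameID and a missing bearer method."""
    findings = []
    subject = assertion.find("saml:Subject", NS)
    name_id = subject.find("saml:NameID", NS) if subject is not None else None
    if name_id is None or not (name_id.text or "").strip():
        findings.append(("nameid-missing", "Subject carries no NameID"))
    elif name_id.get("Format") == TRANSIENT:
        findings.append(("nameid-transient", "NameID Format is transient"))
    methods = []
    if subject is not None:
        methods = [sc.get("Method")
                   for sc in subject.findall("saml:SubjectConfirmation", NS)]
    if BEARER not in methods:
        findings.append(("no-bearer-confirmation", f"methods seen: {methods}"))
    return findings


def preflight(xml_text, receiver_url):
    """Return (code, detail) findings for one decoded message."""
    root = ET.fromstring(xml_text.strip())
    findings = check_destination(root, receiver_url)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        findings.append(("no-assertion", "none found (may be encrypted)"))
    for assertion in assertions:
        findings.extend(check_subject(assertion))
    return findings


def sample_response(destination, nameid_format, method):
    """Build a constructed, unsigned Response for the demonstration."""
    return f"""
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                Destination="{destination}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="{nameid_format}">constructed-value</saml:NameID>
      <saml:SubjectConfirmation Method="{method}"/>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


# Constructed inputs: one message with all three problems, one clean.
BAD = sample_response("https://sp.example.test/c/portal/saml/acs",
                      TRANSIENT,
                      "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches")
GOOD = sample_response("https://sp.example.test/c/portal/saml/acs",
                       "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                       BEARER)

if __name__ == "__main__":
    for code, detail in preflight(BAD, "http://sp.example.test/c/portal/saml/acs"):
        print(code, "-", detail)
```
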
Kapil Burange, in reply to Mika Koivisto, 8 years ago
Hi Mika,
Please reply as I am stuck on this since a long time. Besides that, does Liferay support HTTP redirect binding? In my case the request is coming from the Service Provider in the query string with request method as GET. Can you please confirm?
Thanks & Regards
Kapil

divya goyal, in reply to Kapil Burange, 7 years ago
Hi Mika,
Quite an informative blog. I am able to set up the IdP SSO successfully. Just a quick query: in the SAML response the signature tag is not getting generated; besides that, all the other tags are generated correctly.
Please let me know if any other property needs to be added in the SAML configuration to add the signature in the SAML response.
Regards
Divya

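For the "No SAMLRequest or SAMLResponse query path parameter" exception and the HTTP-Redirect binding question raised in this thread: in that binding the message travels in the query string, raw-DEFLATE compressed, base64 encoded and URL encoded, so a bare hit on /c/portal/saml/sso carries nothing to decode. The sketch below is an added example, not the plugin's or OpenSAML's code; the host name, sample request and function names are constructed.

```python
"""Inspect a SAML 2.0 HTTP-Redirect binding URL offline (added example)."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_XML_BYTES = 256 * 1024  # refuse oversized payloads when inflating


def inflate(b64_value):
    """Base64-decode and inflate a redirect-binding parameter value."""
    raw = base64.b64decode(b64_value, validate=True)
    inflater = zlib.decompressobj(-15)  # raw DEFLATE, no zlib header
    xml_bytes = inflater.decompress(raw, MAX_XML_BYTES)
    if inflater.unconsumed_tail:
        raise ValueError("inflated message exceeds size limit")
    return xml_bytes


def inspect_redirect(url):
    """Summarise the SAML message carried in a redirect-binding URL."""
    query = parse_qs(urlsplit(url).query)
    name = next((n for n in ("SAMLRequest", "SAMLResponse") if n in query), None)
    if name is None:
        # The condition behind the exception quoted in the thread.
        raise ValueError("no SAMLRequest or SAMLResponse query parameter")
    root = ET.fromstring(inflate(query[name][0]))
    return {
        "parameter": name,
        "message": root.tag.rsplit("}", 1)[-1],
        "destination": root.get("Destination"),
        "relay_state": query.get("RelayState", [None])[0],
        # Redirect-binding signatures live in the query string, not the XML.
        "signed": "Signature" in query and "SigAlg" in query,
    }


def build_redirect_url(endpoint, xml_text, relay_state=None):
    """Encode a message the way a sender would, to create sample input."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = deflater.compress(xml_text.encode("utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return endpoint + "?" + urlencode(params)


# Constructed sample: an unsigned AuthnRequest for a made-up IdP host.
SSO_ENDPOINT = "https://idp.example.test/c/portal/saml/sso"
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    f'Destination="{SSO_ENDPOINT}"/>'
)

if __name__ == "__main__":
    url = build_redirect_url(SSO_ENDPOINT, SAMPLE_REQUEST, "constructed-state")
    print(inspect_redirect(url))
    try:
        inspect_redirect(SSO_ENDPOINT)  # bare endpoint, no parameters
    except ValueError as exc:
        print("rejected:", exc)
```
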
Mika Koivisto haikel thamri Vor 10 Jahren Haikel, we don't currently support SAML with WSRP although it is on our future roadmap. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Mika,I went through the setup steps you outlined, but I am getting a null pointer exception. The authnRequest is coming back null after this line in: com.liferay.saml.profile.WebSsoProfileImpl:AuthnRequest authnRequest = samlMessageContext.getInboundSAMLMessage();I am trying to debug why and have this question: do I need to generate a keystore.js from the command line AS WELL AS in the SAML UI? They both seem to be doing the same exactly thing so do I need to do both of them or just from the command line?Thank you. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren If you got UI then use it only because using both will just make a mess. Make sure your Idp knows about your SP and vise versa. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren MIka,Thanks for the quick response.Just to be clear, I am talking about the form to generate a Certificate and Private Key in the General tab of the SAML portlet. I ask because you didn't mention that in your initial instructions, and it seems to require the same inputs as the command line you mentioned. I did submitted the form, but will that cause a mess if I also specify the jeystore.jks file in portal-ext.properties as you said?Thanks again,ClintThank you! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren When this blog post was written there was no UI. The UI writes to the same keystore specified in the portal-ext.properties if FileSystemKeyStoreManagerImpl is in use and it is the default one for backwards compatibility. 
Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika, that helps.After submitting the form, restarting Tomcat and refreshing the page:com.liferay.saml.SamlException: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:127) at com.liferay.saml.profile.WebSsoProfileUtil.processAuthnRequest(WebSsoProfileUtil.java:36)2Am I missing a parameter somewhere?Here's the saml props from my portal-ext.properties:saml.enabled=truesaml.role=idpsaml.entity.id=liferaysamlidpdemosaml.require.ssl=falsesaml.sign.metadata=truesaml.idp.authn.request.signature.required=truesaml.keystore.path=${liferay.home}/SAML-DATA/keystore.jkssaml.keystore.password=liferaysaml.keystore.type=jkssaml.keystore.credential.password[liferaysamlidpdemo]=liferaysaml.metadata.paths=${liferay.home}/SAML-DATA/salesforce-metadata.xmlThanks,Clint Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Ash Gupta Mika Koivisto Vor 10 Jahren Hi Mika,Do you know when was the UI introduced? I'm on 3.1.20 ee ga2 and I don't have UI. I have configured SAML sso between 2 instances of LR (IdP and SP) and it seems to be working well to an extent (can't seem to get custom user fields working) but I can't even see SAML portlet anywhere in the portal, except for in portal properties in system administration. Now wondering if my installion is ok or If I'm missing something.Thanks Ash Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Ash Gupta Vor 10 Jahren The UI should be included in the next release. When it will be made generally available I don't know the latest should be with 6.2 EE. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... 
Abbrechen Ash Gupta Mika Koivisto Vor 10 Jahren Hi Mika,Thanks for the quick reply! Can I also draw your attention to another question I posted related to SAML here -https://www.liferay.com/community/forums/-/message_boards/view_message/28886644Apologies for crossposting! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Mika,I apologize in advance for cross-posting, but I wanted to ask an urgent question about this:Original link here:https://www.liferay.com/web/armin.dahncke/blog/-/blogs/setting-up-liferay-portal-6-1-ee-as-a-spWe have a client who needs to implement Liferay as an SP for BOTH user login *and application login. We are already implementing SAML plugin for user login. The Application login will be Liferay(SP) logging in to the IDP as an application user, not as a specific user so we need both. Does the SAML plugin have any support for this out of the box?If not, would we need a BOTH a SAML metadata IDP XML for the user login *AND another SAML metadata IDP XML for the application login?Is this completely out of the use case of SAML to do an application login? Please tell me we are not the first ones to be asked to use SAML to do this?Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren Well it depends what you mean by application login. We don't support ECP profile yet which is something you'd need for example to do SAML based authentication to WSRP. You could use JAAS with SAML but that depends on your use case whether that works or not. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika. I just received more clarification. Does the SAML portlet support doing an AttributeQuery and getting a specific attribute from the IDP?Thanks Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... 
Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren AttributeQuery is not supported at this point. You can include attributes in the Response only. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren ughh... Thanks. General question to gage difficulty: can you give me a rough estimate on how long you would expect a good java java developer (with no knowledge of this plugin and limited knowledge of SAML) to get in and make those changes to support AttributeQuery and are there any external roadblocks that would prevent us from adding that? Again, I appreciate your help. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren I took a quick look at the spec to refresh my memory on AttributeQuery and it seems that implementing just that part shouldn't be all that difficult. I'd say that a week should be more than enough for someone that knows SAML. I don't see any roadblocks from adding it and the plugin is fairly extendable. If you don't mind sharing more details on your use case I'd be interested in hearing. You can do that privately by emailing me directly. My email is firstname.lastname at liferay.com Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika. I may take you up on that when we get closer to implementation.We have another issue related to setting up an IDP:18:25:44,140 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Intended message destination endpoint: https://idp.sample.org/c/portal/saml/sso18:25:44,141 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Actual message receiver endpoint: http://idp.sample.org/c/portal/saml/ssoBoth SP and IDP are Liferay. When both servers were only listening on HTTP, the connection worked fine, but we just enabled https on the servers and now we are getting this error. 
We did set saml.require.ssl=true, but we are still seeing the same error. What do we need to do to get past this error?Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Clint Wilde Vor 10 Jahren Hi Mika,We are also getting this Exception in the logs of the IDP. They don't appear to be related:Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:98) at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:73) at com.liferay.saml.profile.WebSsoProfileImpl.decodeAuthnRequest(WebSsoProfileImpl.java:284) at com.liferay.saml.profile.WebSsoProfileImpl.doProcessAuthnRequest(WebSsoProfileImpl.java:309) at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:119)Do you have any idea what is causing this? Any tips would be very appreciated!Thank you! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren This could be caused by someone accessing /c/portal/saml/sso or /c/portal/saml/acs without correct parameters. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Ajit Gauli Mika Koivisto Vor 10 Jahren Hi Mika, I am following up your conversation with Clint Wilde. We work in the same team. 
Now we are getting the response back from IDP, I can see NameID in SAML reponse.<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">YjY3ODliOGUtNGUwMy00MGIwLWEyYmYtZWE5MTk1OTUzYWE1JjNCRTk4MzIwLTA0RkEtNDQ1Ny04MTBFLTgwQkM0MTlGNUE4NA==</NameID>But still getting this exception on our side (we are SP):00:01:52,509 ERROR [http-bio-8080-exec-30][status_jsp:665] com.liferay.saml.SamlException: Name ID not present in subjectcom.liferay.saml.SamlException: Name ID not present in subject at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:486)Your insight would be much appreciated. Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Ajit Gauli Vor 10 Jahren First of all Liferay doesn't support transient NameID. Secondly the SubjectConfirmationMethod has to be urn:oasis:names:tc:SAML:2.0:cm:bearer in order for the subject to be accepted. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Salman Jan Clint Wilde Vor 9 Jahren Did u get this error resolved? If so plz advise. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren Make sure you are consuming the metadata from https url otherwise it will generate the urls with http. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Kapil Burange Mika Koivisto Vor 8 Jahren HI Mika,Please reply as i am stuck on this since a long time.besides that does liferay support http redirect binding.in my case the request is coming from the Service provider in the query string with request method as GET. can you please confirm.Thanks & RegardsKapil Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... 
Abbrechen divya goyal Kapil Burange Vor 7 Jahren Hi Mika,Quite an informative blog, i am able to setup the idp sso successfully, just quick query in the saml response the signature tag is not getting generated, besides that all the other tags are generated correctly.Please let me know if any other property needs to be added in the saml configuration to add the signature in the saml response.RegardsDivya Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen
Clint Wilde Mika Koivisto Vor 10 Jahren Mika,I went through the setup steps you outlined, but I am getting a null pointer exception. The authnRequest is coming back null after this line in: com.liferay.saml.profile.WebSsoProfileImpl:AuthnRequest authnRequest = samlMessageContext.getInboundSAMLMessage();I am trying to debug why and have this question: do I need to generate a keystore.js from the command line AS WELL AS in the SAML UI? They both seem to be doing the same exactly thing so do I need to do both of them or just from the command line?Thank you. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren If you got UI then use it only because using both will just make a mess. Make sure your Idp knows about your SP and vise versa. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren MIka,Thanks for the quick response.Just to be clear, I am talking about the form to generate a Certificate and Private Key in the General tab of the SAML portlet. I ask because you didn't mention that in your initial instructions, and it seems to require the same inputs as the command line you mentioned. I did submitted the form, but will that cause a mess if I also specify the jeystore.jks file in portal-ext.properties as you said?Thanks again,ClintThank you! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren When this blog post was written there was no UI. The UI writes to the same keystore specified in the portal-ext.properties if FileSystemKeyStoreManagerImpl is in use and it is the default one for backwards compatibility. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... 
Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika, that helps.After submitting the form, restarting Tomcat and refreshing the page:com.liferay.saml.SamlException: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:127) at com.liferay.saml.profile.WebSsoProfileUtil.processAuthnRequest(WebSsoProfileUtil.java:36)2Am I missing a parameter somewhere?Here's the saml props from my portal-ext.properties:saml.enabled=truesaml.role=idpsaml.entity.id=liferaysamlidpdemosaml.require.ssl=falsesaml.sign.metadata=truesaml.idp.authn.request.signature.required=truesaml.keystore.path=${liferay.home}/SAML-DATA/keystore.jkssaml.keystore.password=liferaysaml.keystore.type=jkssaml.keystore.credential.password[liferaysamlidpdemo]=liferaysaml.metadata.paths=${liferay.home}/SAML-DATA/salesforce-metadata.xmlThanks,Clint Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Ash Gupta Mika Koivisto Vor 10 Jahren Hi Mika,Do you know when was the UI introduced? I'm on 3.1.20 ee ga2 and I don't have UI. I have configured SAML sso between 2 instances of LR (IdP and SP) and it seems to be working well to an extent (can't seem to get custom user fields working) but I can't even see SAML portlet anywhere in the portal, except for in portal properties in system administration. Now wondering if my installion is ok or If I'm missing something.Thanks Ash Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Ash Gupta Vor 10 Jahren The UI should be included in the next release. When it will be made generally available I don't know the latest should be with 6.2 EE. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Ash Gupta Mika Koivisto Vor 10 Jahren Hi Mika,Thanks for the quick reply! 
Can I also draw your attention to another question I posted related to SAML here - https://www.liferay.com/community/forums/-/message_boards/view_message/28886644
Apologies for crossposting!

Clint Wilde, replying to Mika Koivisto, 10 years ago

Mika,
I apologize in advance for cross-posting, but I wanted to ask an urgent question about this:
Original link here: https://www.liferay.com/web/armin.dahncke/blog/-/blogs/setting-up-liferay-portal-6-1-ee-as-a-sp
We have a client who needs to implement Liferay as an SP for BOTH user login *and* application login. We are already implementing the SAML plugin for user login. The application login will be Liferay (SP) logging in to the IDP as an application user, not as a specific user, so we need both. Does the SAML plugin have any support for this out of the box?
If not, would we need BOTH a SAML metadata IDP XML for the user login *AND* another SAML metadata IDP XML for the application login?
Is this completely out of the use case of SAML to do an application login? Please tell me we are not the first ones to be asked to use SAML to do this?
Thanks in advance.

Mika Koivisto, replying to Clint Wilde, 10 years ago

Well, it depends on what you mean by application login. We don't support the ECP profile yet, which is something you'd need, for example, to do SAML based authentication to WSRP. You could use JAAS with SAML, but whether that works or not depends on your use case.

Clint Wilde, replying to Mika Koivisto, 10 years ago

Thanks Mika. I just received more clarification. Does the SAML portlet support doing an AttributeQuery and getting a specific attribute from the IDP?
Thanks

Mika Koivisto, replying to Clint Wilde, 10 years ago

AttributeQuery is not supported at this point. You can include attributes in the Response only.

Clint Wilde, replying to Mika Koivisto, 10 years ago

ughh... Thanks. General question to gauge difficulty: can you give me a rough estimate of how long you would expect a good Java developer (with no knowledge of this plugin and limited knowledge of SAML) to get in and make those changes to support AttributeQuery, and are there any external roadblocks that would prevent us from adding that? Again, I appreciate your help.

Mika Koivisto, replying to Clint Wilde, 10 years ago

I took a quick look at the spec to refresh my memory on AttributeQuery and it seems that implementing just that part shouldn't be all that difficult. I'd say that a week should be more than enough for someone that knows SAML. I don't see any roadblocks from adding it and the plugin is fairly extendable. If you don't mind sharing more details on your use case I'd be interested in hearing. You can do that privately by emailing me directly. My email is firstname.lastname at liferay.com

Clint Wilde, replying to Mika Koivisto, 10 years ago

Thanks Mika. I may take you up on that when we get closer to implementation.
We have another issue related to setting up an IDP:

    18:25:44,140 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Intended message destination endpoint: https://idp.sample.org/c/portal/saml/sso
    18:25:44,141 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Actual message receiver endpoint: http://idp.sample.org/c/portal/saml/sso

Both SP and IDP are Liferay. When both servers were only listening on HTTP, the connection worked fine, but we just enabled https on the servers and now we are getting this error. We did set saml.require.ssl=true, but we are still seeing the same error. What do we need to do to get past this error?
Thanks in advance.

Clint Wilde, replying to Clint Wilde, 10 years ago

Hi Mika,
We are also getting this Exception in the logs of the IDP. They don't appear to be related:

    Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message
        at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:98)
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79)
        at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
        at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:73)
        at com.liferay.saml.profile.WebSsoProfileImpl.decodeAuthnRequest(WebSsoProfileImpl.java:284)
        at com.liferay.saml.profile.WebSsoProfileImpl.doProcessAuthnRequest(WebSsoProfileImpl.java:309)
        at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:119)

Do you have any idea what is causing this? Any tips would be very appreciated!
Thank you!

Mika Koivisto, replying to Clint Wilde, 10 years ago

This could be caused by someone accessing /c/portal/saml/sso or /c/portal/saml/acs without correct parameters.

Ajit Gauli, replying to Mika Koivisto, 10 years ago

Hi Mika, I am following up on your conversation with Clint Wilde. We work in the same team. Now we are getting the response back from the IDP, and I can see NameID in the SAML response.

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">YjY3ODliOGUtNGUwMy00MGIwLWEyYmYtZWE5MTk1OTUzYWE1JjNCRTk4MzIwLTA0RkEtNDQ1Ny04MTBFLTgwQkM0MTlGNUE4NA==</NameID>

But we are still getting this exception on our side (we are SP):

    00:01:52,509 ERROR [http-bio-8080-exec-30][status_jsp:665] com.liferay.saml.SamlException: Name ID not present in subject
    com.liferay.saml.SamlException: Name ID not present in subject
        at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:486)

Your insight would be much appreciated. Thanks in advance.

Mika Koivisto, replying to Ajit Gauli, 10 years ago

First of all, Liferay doesn't support transient NameID. Secondly, the SubjectConfirmationMethod has to be urn:oasis:names:tc:SAML:2.0:cm:bearer in order for the subject to be accepted.

Salman Jan, replying to Clint Wilde, 9 years ago

Did u get this error resolved? If so plz advise.

Mika Koivisto, replying to Clint Wilde, 10 years ago

Make sure you are consuming the metadata from an https URL, otherwise it will generate the URLs with http.
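The MessageDecodingException quoted earlier in this thread is raised when the HTTP-Redirect binding decoder finds no SAMLRequest or SAMLResponse query parameter. The Python below is an added example, not part of the original posts and not OpenSAML or Liferay code: it models that decode step (base64, then raw DEFLATE) with an output size bound. The sample AuthnRequest, sp.example.org and all function names are constructed for illustration.

```python
import base64
import binascii
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample AuthnRequest (not taken from the thread).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z" '
    'Destination="https://idp.sample.org/c/portal/saml/sso" '
    'AssertionConsumerServiceURL="https://sp.example.org/c/portal/saml/acs"/>'
)


class RedirectDecodeError(ValueError):
    """The query string does not carry a decodable SAML message."""


def build_redirect_url(endpoint, xml, relay_state=None):
    """Sender side: raw DEFLATE (no zlib header), base64, then URL-encode."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return endpoint + "?" + urlencode(params)


def decode_redirect(url, max_size=64 * 1024):
    """Receiver side: return (parameter name, XML text, RelayState or None)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    present = [p for p in ("SAMLRequest", "SAMLResponse")
               if query.get(p, [""])[0]]
    if not present:
        # A bookmark, page refresh or crawler hitting the bare endpoint
        # ends up here: there is simply no message to decode.
        raise RedirectDecodeError(
            "No SAMLRequest or SAMLResponse query parameter")
    if len(present) > 1:
        raise RedirectDecodeError("Both SAMLRequest and SAMLResponse present")
    name = present[0]
    try:
        raw = base64.b64decode(query[name][0], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise RedirectDecodeError("Parameter is not valid base64") from exc
    inflater = zlib.decompressobj(-15)
    try:
        # Bound the output so a tiny parameter cannot inflate without limit.
        data = inflater.decompress(raw, max_size)
    except zlib.error as exc:
        raise RedirectDecodeError("Parameter is not raw DEFLATE data") from exc
    if not inflater.eof:
        raise RedirectDecodeError("Message is truncated or exceeds size limit")
    try:
        xml = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise RedirectDecodeError("Message is not UTF-8 text") from exc
    return name, xml, query.get("RelayState", [None])[0]


if __name__ == "__main__":
    good = build_redirect_url("https://idp.sample.org/c/portal/saml/sso",
                              SAMPLE_AUTHN_REQUEST, relay_state="tc=E1001")
    print(decode_redirect(good))
    try:
        decode_redirect("https://idp.sample.org/c/portal/saml/sso")
    except RedirectDecodeError as err:
        print("rejected:", err)
```

In access logs, requests to the SSO endpoint with an empty query string are the ones that line up with this exception.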
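Three rejection causes come up in the replies above: a Destination that differs from the endpoint that actually received the message, a transient NameID, and a SubjectConfirmation Method other than bearer. The Python below is an added example, not part of the original posts and not the Liferay plugin's code, that checks a captured Response for all three. The sample Response, sp.example.org and the function names are constructed; it inspects structure only and verifies no signatures.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
DEFAULT_PORT = {"http": 80, "https": 443}

# Constructed sample Response (values are illustrative, not from the thread).
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed1" Version="2.0"
                IssueInstant="2014-01-01T00:00:00Z"
                Destination="https://sp.example.org/c/portal/saml/acs">
  <saml:Assertion ID="_constructed2" Version="2.0"
                  IssueInstant="2014-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">constructed-opaque-id</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""


def _port(parts):
    return parts.port or DEFAULT_PORT.get(parts.scheme.lower())


def endpoint_mismatch(intended, actual):
    """Return the URL components in which the two endpoints differ."""
    a, b = urlsplit(intended), urlsplit(actual)
    diffs = []
    if a.scheme.lower() != b.scheme.lower():
        diffs.append("scheme")
    elif _port(a) != _port(b):
        diffs.append("port")
    if (a.hostname or "").lower() != (b.hostname or "").lower():
        diffs.append("host")
    if a.path != b.path:
        diffs.append("path")
    return diffs


def diagnose(response_xml, receiver_url):
    """Return a list of (code, detail) findings; empty means none found."""
    findings = []
    root = ET.fromstring(response_xml)

    destination = root.get("Destination")
    if destination:
        diffs = endpoint_mismatch(destination, receiver_url)
        if diffs:
            findings.append(("destination-mismatch",
                             f"intended {destination}, received at "
                             f"{receiver_url} ({', '.join(diffs)} differ)"))

    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append(("assertion-encrypted",
                         "decrypt the assertion before inspecting the subject"))
        return findings

    subject = root.find("saml:Assertion/saml:Subject", NS)
    if subject is None:
        findings.append(("subject-missing", "assertion has no Subject"))
        return findings

    name_id = subject.find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append(("nameid-missing", "Subject carries no NameID value"))
    elif name_id.get("Format") == TRANSIENT:
        findings.append(("nameid-transient",
                         "NameID Format is transient, which the thread says "
                         "the SP does not accept"))

    methods = [sc.get("Method")
               for sc in subject.findall("saml:SubjectConfirmation", NS)]
    if BEARER not in methods:
        findings.append(("subject-confirmation-not-bearer",
                         f"methods found: {methods or 'none'}"))
    return findings


if __name__ == "__main__":
    for code, detail in diagnose(SAMPLE_RESPONSE,
                                 "http://sp.example.org/c/portal/saml/acs"):
        print(f"{code}: {detail}")
```

`endpoint_mismatch` applied to the two URLs from the DEBUG log lines in the thread reports only the scheme, which matches the advice to consume the metadata over https.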
Mika Koivisto, replying to Clint Wilde, 10 years ago

If you got UI then use it only because using both will just make a mess. Make sure your IdP knows about your SP and vice versa.

Clint Wilde, replying to Mika Koivisto, 10 years ago

Mika,
Thanks for the quick response.
Just to be clear, I am talking about the form to generate a Certificate and Private Key in the General tab of the SAML portlet. I ask because you didn't mention that in your initial instructions, and it seems to require the same inputs as the command line you mentioned. I did submit the form, but will that cause a mess if I also specify the keystore.jks file in portal-ext.properties as you said?
Thanks again,
Clint
Thank you!

Mika Koivisto, replying to Clint Wilde, 10 years ago

When this blog post was written there was no UI. The UI writes to the same keystore specified in the portal-ext.properties if FileSystemKeyStoreManagerImpl is in use, and it is the default one for backwards compatibility.

Clint Wilde, replying to Mika Koivisto, 10 years ago

Thanks Mika, that helps.
After submitting the form, restarting Tomcat and refreshing the page:

    com.liferay.saml.SamlException: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message
        at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:127)
        at com.liferay.saml.profile.WebSsoProfileUtil.processAuthnRequest(WebSsoProfileUtil.java:36)2

Am I missing a parameter somewhere?
Here's the saml props from my portal-ext.properties:

    saml.enabled=true
    saml.role=idp
    saml.entity.id=liferaysamlidpdemo
    saml.require.ssl=false
    saml.sign.metadata=true
    saml.idp.authn.request.signature.required=true
    saml.keystore.path=${liferay.home}/SAML-DATA/keystore.jks
    saml.keystore.password=liferay
    saml.keystore.type=jks
    saml.keystore.credential.password[liferaysamlidpdemo]=liferay
    saml.metadata.paths=${liferay.home}/SAML-DATA/salesforce-metadata.xml

Thanks,
Clint

Ash Gupta, replying to Mika Koivisto, 10 years ago

Hi Mika,
Do you know when the UI was introduced? I'm on 3.1.20 ee ga2 and I don't have UI. I have configured SAML SSO between 2 instances of LR (IdP and SP) and it seems to be working well to an extent (can't seem to get custom user fields working) but I can't even see the SAML portlet anywhere in the portal, except for in portal properties in system administration. Now wondering if my installation is ok or if I'm missing something.
Thanks
Ash

Mika Koivisto, replying to Ash Gupta, 10 years ago

The UI should be included in the next release. When it will be made generally available I don't know; the latest should be with 6.2 EE.

Ash Gupta, replying to Mika Koivisto, 10 years ago

Hi Mika,
Thanks for the quick reply!
Can I also draw your attention to another question I posted related to SAML here -https://www.liferay.com/community/forums/-/message_boards/view_message/28886644Apologies for crossposting! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Mika,I apologize in advance for cross-posting, but I wanted to ask an urgent question about this:Original link here:https://www.liferay.com/web/armin.dahncke/blog/-/blogs/setting-up-liferay-portal-6-1-ee-as-a-spWe have a client who needs to implement Liferay as an SP for BOTH user login *and application login. We are already implementing SAML plugin for user login. The Application login will be Liferay(SP) logging in to the IDP as an application user, not as a specific user so we need both. Does the SAML plugin have any support for this out of the box?If not, would we need a BOTH a SAML metadata IDP XML for the user login *AND another SAML metadata IDP XML for the application login?Is this completely out of the use case of SAML to do an application login? Please tell me we are not the first ones to be asked to use SAML to do this?Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren Well it depends what you mean by application login. We don't support ECP profile yet which is something you'd need for example to do SAML based authentication to WSRP. You could use JAAS with SAML but that depends on your use case whether that works or not. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika. I just received more clarification. Does the SAML portlet support doing an AttributeQuery and getting a specific attribute from the IDP?Thanks Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... 
Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren AttributeQuery is not supported at this point. You can include attributes in the Response only. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren ughh... Thanks. General question to gage difficulty: can you give me a rough estimate on how long you would expect a good java java developer (with no knowledge of this plugin and limited knowledge of SAML) to get in and make those changes to support AttributeQuery and are there any external roadblocks that would prevent us from adding that? Again, I appreciate your help. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren I took a quick look at the spec to refresh my memory on AttributeQuery and it seems that implementing just that part shouldn't be all that difficult. I'd say that a week should be more than enough for someone that knows SAML. I don't see any roadblocks from adding it and the plugin is fairly extendable. If you don't mind sharing more details on your use case I'd be interested in hearing. You can do that privately by emailing me directly. My email is firstname.lastname at liferay.com Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika. I may take you up on that when we get closer to implementation.We have another issue related to setting up an IDP:18:25:44,140 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Intended message destination endpoint: https://idp.sample.org/c/portal/saml/sso18:25:44,141 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Actual message receiver endpoint: http://idp.sample.org/c/portal/saml/ssoBoth SP and IDP are Liferay. When both servers were only listening on HTTP, the connection worked fine, but we just enabled https on the servers and now we are getting this error. 
We did set saml.require.ssl=true, but we are still seeing the same error. What do we need to do to get past this error?Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Clint Wilde Vor 10 Jahren Hi Mika,We are also getting this Exception in the logs of the IDP. They don't appear to be related:Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:98) at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:73) at com.liferay.saml.profile.WebSsoProfileImpl.decodeAuthnRequest(WebSsoProfileImpl.java:284) at com.liferay.saml.profile.WebSsoProfileImpl.doProcessAuthnRequest(WebSsoProfileImpl.java:309) at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:119)Do you have any idea what is causing this? Any tips would be very appreciated!Thank you! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren This could be caused by someone accessing /c/portal/saml/sso or /c/portal/saml/acs without correct parameters. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Ajit Gauli Mika Koivisto Vor 10 Jahren Hi Mika, I am following up your conversation with Clint Wilde. We work in the same team. 
Now we are getting the response back from IDP, I can see NameID in SAML reponse.<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">YjY3ODliOGUtNGUwMy00MGIwLWEyYmYtZWE5MTk1OTUzYWE1JjNCRTk4MzIwLTA0RkEtNDQ1Ny04MTBFLTgwQkM0MTlGNUE4NA==</NameID>But still getting this exception on our side (we are SP):00:01:52,509 ERROR [http-bio-8080-exec-30][status_jsp:665] com.liferay.saml.SamlException: Name ID not present in subjectcom.liferay.saml.SamlException: Name ID not present in subject at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:486)Your insight would be much appreciated. Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Ajit Gauli Vor 10 Jahren First of all Liferay doesn't support transient NameID. Secondly the SubjectConfirmationMethod has to be urn:oasis:names:tc:SAML:2.0:cm:bearer in order for the subject to be accepted. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Salman Jan Clint Wilde Vor 9 Jahren Did u get this error resolved? If so plz advise. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren Make sure you are consuming the metadata from https url otherwise it will generate the urls with http. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen
Clint Wilde Mika Koivisto Vor 10 Jahren MIka,Thanks for the quick response.Just to be clear, I am talking about the form to generate a Certificate and Private Key in the General tab of the SAML portlet. I ask because you didn't mention that in your initial instructions, and it seems to require the same inputs as the command line you mentioned. I did submitted the form, but will that cause a mess if I also specify the jeystore.jks file in portal-ext.properties as you said?Thanks again,ClintThank you! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren When this blog post was written there was no UI. The UI writes to the same keystore specified in the portal-ext.properties if FileSystemKeyStoreManagerImpl is in use and it is the default one for backwards compatibility. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika, that helps.After submitting the form, restarting Tomcat and refreshing the page:com.liferay.saml.SamlException: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:127) at com.liferay.saml.profile.WebSsoProfileUtil.processAuthnRequest(WebSsoProfileUtil.java:36)2Am I missing a parameter somewhere?Here's the saml props from my portal-ext.properties:saml.enabled=truesaml.role=idpsaml.entity.id=liferaysamlidpdemosaml.require.ssl=falsesaml.sign.metadata=truesaml.idp.authn.request.signature.required=truesaml.keystore.path=${liferay.home}/SAML-DATA/keystore.jkssaml.keystore.password=liferaysaml.keystore.type=jkssaml.keystore.credential.password[liferaysamlidpdemo]=liferaysaml.metadata.paths=${liferay.home}/SAML-DATA/salesforce-metadata.xmlThanks,Clint Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... 
Abbrechen Ash Gupta Mika Koivisto Vor 10 Jahren Hi Mika,Do you know when was the UI introduced? I'm on 3.1.20 ee ga2 and I don't have UI. I have configured SAML sso between 2 instances of LR (IdP and SP) and it seems to be working well to an extent (can't seem to get custom user fields working) but I can't even see SAML portlet anywhere in the portal, except for in portal properties in system administration. Now wondering if my installion is ok or If I'm missing something.Thanks Ash Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Ash Gupta Vor 10 Jahren The UI should be included in the next release. When it will be made generally available I don't know the latest should be with 6.2 EE. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Ash Gupta Mika Koivisto Vor 10 Jahren Hi Mika,Thanks for the quick reply! Can I also draw your attention to another question I posted related to SAML here -https://www.liferay.com/community/forums/-/message_boards/view_message/28886644Apologies for crossposting! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Mika,I apologize in advance for cross-posting, but I wanted to ask an urgent question about this:Original link here:https://www.liferay.com/web/armin.dahncke/blog/-/blogs/setting-up-liferay-portal-6-1-ee-as-a-spWe have a client who needs to implement Liferay as an SP for BOTH user login *and application login. We are already implementing SAML plugin for user login. The Application login will be Liferay(SP) logging in to the IDP as an application user, not as a specific user so we need both. Does the SAML plugin have any support for this out of the box?If not, would we need a BOTH a SAML metadata IDP XML for the user login *AND another SAML metadata IDP XML for the application login?Is this completely out of the use case of SAML to do an application login? 
Please tell me we are not the first ones to be asked to use SAML to do this?Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren Well it depends what you mean by application login. We don't support ECP profile yet which is something you'd need for example to do SAML based authentication to WSRP. You could use JAAS with SAML but that depends on your use case whether that works or not. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika. I just received more clarification. Does the SAML portlet support doing an AttributeQuery and getting a specific attribute from the IDP?Thanks Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren AttributeQuery is not supported at this point. You can include attributes in the Response only. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren ughh... Thanks. General question to gage difficulty: can you give me a rough estimate on how long you would expect a good java java developer (with no knowledge of this plugin and limited knowledge of SAML) to get in and make those changes to support AttributeQuery and are there any external roadblocks that would prevent us from adding that? Again, I appreciate your help. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren I took a quick look at the spec to refresh my memory on AttributeQuery and it seems that implementing just that part shouldn't be all that difficult. I'd say that a week should be more than enough for someone that knows SAML. I don't see any roadblocks from adding it and the plugin is fairly extendable. If you don't mind sharing more details on your use case I'd be interested in hearing. 
You can do that privately by emailing me directly. My email is firstname.lastname at liferay.com Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika. I may take you up on that when we get closer to implementation.We have another issue related to setting up an IDP:18:25:44,140 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Intended message destination endpoint: https://idp.sample.org/c/portal/saml/sso18:25:44,141 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Actual message receiver endpoint: http://idp.sample.org/c/portal/saml/ssoBoth SP and IDP are Liferay. When both servers were only listening on HTTP, the connection worked fine, but we just enabled https on the servers and now we are getting this error. We did set saml.require.ssl=true, but we are still seeing the same error. What do we need to do to get past this error?Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Clint Wilde Vor 10 Jahren Hi Mika,We are also getting this Exception in the logs of the IDP. 
They don't appear to be related:Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:98) at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:73) at com.liferay.saml.profile.WebSsoProfileImpl.decodeAuthnRequest(WebSsoProfileImpl.java:284) at com.liferay.saml.profile.WebSsoProfileImpl.doProcessAuthnRequest(WebSsoProfileImpl.java:309) at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:119)Do you have any idea what is causing this? Any tips would be very appreciated!Thank you! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren This could be caused by someone accessing /c/portal/saml/sso or /c/portal/saml/acs without correct parameters. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Ajit Gauli Mika Koivisto Vor 10 Jahren Hi Mika, I am following up your conversation with Clint Wilde. We work in the same team. 
Now we are getting the response back from IDP, I can see NameID in SAML reponse.<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">YjY3ODliOGUtNGUwMy00MGIwLWEyYmYtZWE5MTk1OTUzYWE1JjNCRTk4MzIwLTA0RkEtNDQ1Ny04MTBFLTgwQkM0MTlGNUE4NA==</NameID>But still getting this exception on our side (we are SP):00:01:52,509 ERROR [http-bio-8080-exec-30][status_jsp:665] com.liferay.saml.SamlException: Name ID not present in subjectcom.liferay.saml.SamlException: Name ID not present in subject at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:486)Your insight would be much appreciated. Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Ajit Gauli Vor 10 Jahren First of all Liferay doesn't support transient NameID. Secondly the SubjectConfirmationMethod has to be urn:oasis:names:tc:SAML:2.0:cm:bearer in order for the subject to be accepted. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Salman Jan Clint Wilde Vor 9 Jahren Did u get this error resolved? If so plz advise. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren Make sure you are consuming the metadata from https url otherwise it will generate the urls with http. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen
Mika Koivisto Clint Wilde Vor 10 Jahren When this blog post was written there was no UI. The UI writes to the same keystore specified in the portal-ext.properties if FileSystemKeyStoreManagerImpl is in use and it is the default one for backwards compatibility. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika, that helps.After submitting the form, restarting Tomcat and refreshing the page:com.liferay.saml.SamlException: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:127) at com.liferay.saml.profile.WebSsoProfileUtil.processAuthnRequest(WebSsoProfileUtil.java:36)2Am I missing a parameter somewhere?Here's the saml props from my portal-ext.properties:saml.enabled=truesaml.role=idpsaml.entity.id=liferaysamlidpdemosaml.require.ssl=falsesaml.sign.metadata=truesaml.idp.authn.request.signature.required=truesaml.keystore.path=${liferay.home}/SAML-DATA/keystore.jkssaml.keystore.password=liferaysaml.keystore.type=jkssaml.keystore.credential.password[liferaysamlidpdemo]=liferaysaml.metadata.paths=${liferay.home}/SAML-DATA/salesforce-metadata.xmlThanks,Clint Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Ash Gupta Mika Koivisto Vor 10 Jahren Hi Mika,Do you know when was the UI introduced? I'm on 3.1.20 ee ga2 and I don't have UI. I have configured SAML sso between 2 instances of LR (IdP and SP) and it seems to be working well to an extent (can't seem to get custom user fields working) but I can't even see SAML portlet anywhere in the portal, except for in portal properties in system administration. Now wondering if my installion is ok or If I'm missing something.Thanks Ash Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... 
Abbrechen Mika Koivisto Ash Gupta Vor 10 Jahren The UI should be included in the next release. When it will be made generally available I don't know the latest should be with 6.2 EE. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Ash Gupta Mika Koivisto Vor 10 Jahren Hi Mika,Thanks for the quick reply! Can I also draw your attention to another question I posted related to SAML here -https://www.liferay.com/community/forums/-/message_boards/view_message/28886644Apologies for crossposting! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Mika,I apologize in advance for cross-posting, but I wanted to ask an urgent question about this:Original link here:https://www.liferay.com/web/armin.dahncke/blog/-/blogs/setting-up-liferay-portal-6-1-ee-as-a-spWe have a client who needs to implement Liferay as an SP for BOTH user login *and application login. We are already implementing SAML plugin for user login. The Application login will be Liferay(SP) logging in to the IDP as an application user, not as a specific user so we need both. Does the SAML plugin have any support for this out of the box?If not, would we need a BOTH a SAML metadata IDP XML for the user login *AND another SAML metadata IDP XML for the application login?Is this completely out of the use case of SAML to do an application login? Please tell me we are not the first ones to be asked to use SAML to do this?Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren Well it depends what you mean by application login. We don't support ECP profile yet which is something you'd need for example to do SAML based authentication to WSRP. You could use JAAS with SAML but that depends on your use case whether that works or not. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... 
Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika. I just received more clarification. Does the SAML portlet support doing an AttributeQuery and getting a specific attribute from the IDP?Thanks Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren AttributeQuery is not supported at this point. You can include attributes in the Response only. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren ughh... Thanks. General question to gage difficulty: can you give me a rough estimate on how long you would expect a good java java developer (with no knowledge of this plugin and limited knowledge of SAML) to get in and make those changes to support AttributeQuery and are there any external roadblocks that would prevent us from adding that? Again, I appreciate your help. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren I took a quick look at the spec to refresh my memory on AttributeQuery and it seems that implementing just that part shouldn't be all that difficult. I'd say that a week should be more than enough for someone that knows SAML. I don't see any roadblocks from adding it and the plugin is fairly extendable. If you don't mind sharing more details on your use case I'd be interested in hearing. You can do that privately by emailing me directly. My email is firstname.lastname at liferay.com Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika. 
I may take you up on that when we get closer to implementation.We have another issue related to setting up an IDP:18:25:44,140 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Intended message destination endpoint: https://idp.sample.org/c/portal/saml/sso18:25:44,141 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Actual message receiver endpoint: http://idp.sample.org/c/portal/saml/ssoBoth SP and IDP are Liferay. When both servers were only listening on HTTP, the connection worked fine, but we just enabled https on the servers and now we are getting this error. We did set saml.require.ssl=true, but we are still seeing the same error. What do we need to do to get past this error?Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Clint Wilde Vor 10 Jahren Hi Mika,We are also getting this Exception in the logs of the IDP. They don't appear to be related:Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:98) at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:73) at com.liferay.saml.profile.WebSsoProfileImpl.decodeAuthnRequest(WebSsoProfileImpl.java:284) at com.liferay.saml.profile.WebSsoProfileImpl.doProcessAuthnRequest(WebSsoProfileImpl.java:309) at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:119)Do you have any idea what is causing this? Any tips would be very appreciated!Thank you! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... 
Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren This could be caused by someone accessing /c/portal/saml/sso or /c/portal/saml/acs without correct parameters. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Ajit Gauli Mika Koivisto Vor 10 Jahren Hi Mika, I am following up your conversation with Clint Wilde. We work in the same team. Now we are getting the response back from IDP, I can see NameID in SAML reponse.<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">YjY3ODliOGUtNGUwMy00MGIwLWEyYmYtZWE5MTk1OTUzYWE1JjNCRTk4MzIwLTA0RkEtNDQ1Ny04MTBFLTgwQkM0MTlGNUE4NA==</NameID>But still getting this exception on our side (we are SP):00:01:52,509 ERROR [http-bio-8080-exec-30][status_jsp:665] com.liferay.saml.SamlException: Name ID not present in subjectcom.liferay.saml.SamlException: Name ID not present in subject at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:486)Your insight would be much appreciated. Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Ajit Gauli Vor 10 Jahren First of all Liferay doesn't support transient NameID. Secondly the SubjectConfirmationMethod has to be urn:oasis:names:tc:SAML:2.0:cm:bearer in order for the subject to be accepted. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Salman Jan Clint Wilde Vor 9 Jahren Did u get this error resolved? If so plz advise. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren Make sure you are consuming the metadata from https url otherwise it will generate the urls with http. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen
Clint Wilde, replying to Mika Koivisto, 10 years ago:

Thanks Mika, that helps.

After submitting the form, restarting Tomcat and refreshing the page:

com.liferay.saml.SamlException: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message
    at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:127)
    at com.liferay.saml.profile.WebSsoProfileUtil.processAuthnRequest(WebSsoProfileUtil.java:36)2

Am I missing a parameter somewhere?

Here's the saml props from my portal-ext.properties:

saml.enabled=true
saml.role=idp
saml.entity.id=liferaysamlidpdemo
saml.require.ssl=false
saml.sign.metadata=true
saml.idp.authn.request.signature.required=true
saml.keystore.path=${liferay.home}/SAML-DATA/keystore.jks
saml.keystore.password=liferay
saml.keystore.type=jks
saml.keystore.credential.password[liferaysamlidpdemo]=liferay
saml.metadata.paths=${liferay.home}/SAML-DATA/salesforce-metadata.xml

Thanks,
Clint
Ash Gupta, replying to Mika Koivisto, 10 years ago:

Hi Mika,

Do you know when the UI was introduced? I'm on 3.1.20 ee ga2 and I don't have UI. I have configured SAML sso between 2 instances of LR (IdP and SP) and it seems to be working well to an extent (can't seem to get custom user fields working) but I can't even see SAML portlet anywhere in the portal, except for in portal properties in system administration. Now wondering if my installation is ok or if I'm missing something.

Thanks
Ash

Mika Koivisto, replying to Ash Gupta, 10 years ago:

The UI should be included in the next release. When it will be made generally available I don't know; the latest should be with 6.2 EE.

Ash Gupta, replying to Mika Koivisto, 10 years ago:

Hi Mika,

Thanks for the quick reply! Can I also draw your attention to another question I posted related to SAML here - https://www.liferay.com/community/forums/-/message_boards/view_message/28886644

Apologies for crossposting!
Clint Wilde, replying to Mika Koivisto, 10 years ago:

Mika,

I apologize in advance for cross-posting, but I wanted to ask an urgent question about this:

Original link here: https://www.liferay.com/web/armin.dahncke/blog/-/blogs/setting-up-liferay-portal-6-1-ee-as-a-sp

We have a client who needs to implement Liferay as an SP for BOTH user login and application login. We are already implementing SAML plugin for user login. The Application login will be Liferay (SP) logging in to the IDP as an application user, not as a specific user, so we need both. Does the SAML plugin have any support for this out of the box?

If not, would we need BOTH a SAML metadata IDP XML for the user login AND another SAML metadata IDP XML for the application login?

Is this completely out of the use case of SAML to do an application login? Please tell me we are not the first ones to be asked to use SAML to do this?

Thanks in advance.

Mika Koivisto, replying to Clint Wilde, 10 years ago:

Well, it depends what you mean by application login. We don't support ECP profile yet, which is something you'd need for example to do SAML based authentication to WSRP. You could use JAAS with SAML but that depends on your use case whether that works or not.

Clint Wilde, replying to Mika Koivisto, 10 years ago:

Thanks Mika. I just received more clarification. Does the SAML portlet support doing an AttributeQuery and getting a specific attribute from the IDP?

Thanks

Mika Koivisto, replying to Clint Wilde, 10 years ago:

AttributeQuery is not supported at this point. You can include attributes in the Response only.

Clint Wilde, replying to Mika Koivisto, 10 years ago:

ughh... Thanks. General question to gauge difficulty: can you give me a rough estimate on how long you would expect a good Java developer (with no knowledge of this plugin and limited knowledge of SAML) to get in and make those changes to support AttributeQuery, and are there any external roadblocks that would prevent us from adding that? Again, I appreciate your help.

Mika Koivisto, replying to Clint Wilde, 10 years ago:

I took a quick look at the spec to refresh my memory on AttributeQuery and it seems that implementing just that part shouldn't be all that difficult. I'd say that a week should be more than enough for someone that knows SAML. I don't see any roadblocks from adding it and the plugin is fairly extendable. If you don't mind sharing more details on your use case I'd be interested in hearing. You can do that privately by emailing me directly. My email is firstname.lastname at liferay.com
Abbrechen Clint Wilde Clint Wilde Vor 10 Jahren Hi Mika,We are also getting this Exception in the logs of the IDP. They don't appear to be related:Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:98) at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:73) at com.liferay.saml.profile.WebSsoProfileImpl.decodeAuthnRequest(WebSsoProfileImpl.java:284) at com.liferay.saml.profile.WebSsoProfileImpl.doProcessAuthnRequest(WebSsoProfileImpl.java:309) at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:119)Do you have any idea what is causing this? Any tips would be very appreciated!Thank you! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren This could be caused by someone accessing /c/portal/saml/sso or /c/portal/saml/acs without correct parameters. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Ajit Gauli Mika Koivisto Vor 10 Jahren Hi Mika, I am following up your conversation with Clint Wilde. We work in the same team. 
Now we are getting the response back from IDP, I can see NameID in SAML reponse.<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">YjY3ODliOGUtNGUwMy00MGIwLWEyYmYtZWE5MTk1OTUzYWE1JjNCRTk4MzIwLTA0RkEtNDQ1Ny04MTBFLTgwQkM0MTlGNUE4NA==</NameID>But still getting this exception on our side (we are SP):00:01:52,509 ERROR [http-bio-8080-exec-30][status_jsp:665] com.liferay.saml.SamlException: Name ID not present in subjectcom.liferay.saml.SamlException: Name ID not present in subject at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:486)Your insight would be much appreciated. Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Ajit Gauli Vor 10 Jahren First of all Liferay doesn't support transient NameID. Secondly the SubjectConfirmationMethod has to be urn:oasis:names:tc:SAML:2.0:cm:bearer in order for the subject to be accepted. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Salman Jan Clint Wilde Vor 9 Jahren Did u get this error resolved? If so plz advise. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren Make sure you are consuming the metadata from https url otherwise it will generate the urls with http. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen
Mika Koivisto Clint Wilde Vor 10 Jahren Well it depends what you mean by application login. We don't support ECP profile yet which is something you'd need for example to do SAML based authentication to WSRP. You could use JAAS with SAML but that depends on your use case whether that works or not. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika. I just received more clarification. Does the SAML portlet support doing an AttributeQuery and getting a specific attribute from the IDP?Thanks Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren AttributeQuery is not supported at this point. You can include attributes in the Response only. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren ughh... Thanks. General question to gage difficulty: can you give me a rough estimate on how long you would expect a good java java developer (with no knowledge of this plugin and limited knowledge of SAML) to get in and make those changes to support AttributeQuery and are there any external roadblocks that would prevent us from adding that? Again, I appreciate your help. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren I took a quick look at the spec to refresh my memory on AttributeQuery and it seems that implementing just that part shouldn't be all that difficult. I'd say that a week should be more than enough for someone that knows SAML. I don't see any roadblocks from adding it and the plugin is fairly extendable. If you don't mind sharing more details on your use case I'd be interested in hearing. You can do that privately by emailing me directly. My email is firstname.lastname at liferay.com Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... 
Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika. I may take you up on that when we get closer to implementation.We have another issue related to setting up an IDP:18:25:44,140 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Intended message destination endpoint: https://idp.sample.org/c/portal/saml/sso18:25:44,141 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Actual message receiver endpoint: http://idp.sample.org/c/portal/saml/ssoBoth SP and IDP are Liferay. When both servers were only listening on HTTP, the connection worked fine, but we just enabled https on the servers and now we are getting this error. We did set saml.require.ssl=true, but we are still seeing the same error. What do we need to do to get past this error?Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Clint Wilde Vor 10 Jahren Hi Mika,We are also getting this Exception in the logs of the IDP. They don't appear to be related:Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:98) at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:73) at com.liferay.saml.profile.WebSsoProfileImpl.decodeAuthnRequest(WebSsoProfileImpl.java:284) at com.liferay.saml.profile.WebSsoProfileImpl.doProcessAuthnRequest(WebSsoProfileImpl.java:309) at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:119)Do you have any idea what is causing this? Any tips would be very appreciated!Thank you! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... 
Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren This could be caused by someone accessing /c/portal/saml/sso or /c/portal/saml/acs without correct parameters. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Ajit Gauli Mika Koivisto Vor 10 Jahren Hi Mika, I am following up your conversation with Clint Wilde. We work in the same team. Now we are getting the response back from IDP, I can see NameID in SAML reponse.<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">YjY3ODliOGUtNGUwMy00MGIwLWEyYmYtZWE5MTk1OTUzYWE1JjNCRTk4MzIwLTA0RkEtNDQ1Ny04MTBFLTgwQkM0MTlGNUE4NA==</NameID>But still getting this exception on our side (we are SP):00:01:52,509 ERROR [http-bio-8080-exec-30][status_jsp:665] com.liferay.saml.SamlException: Name ID not present in subjectcom.liferay.saml.SamlException: Name ID not present in subject at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:486)Your insight would be much appreciated. Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Ajit Gauli Vor 10 Jahren First of all Liferay doesn't support transient NameID. Secondly the SubjectConfirmationMethod has to be urn:oasis:names:tc:SAML:2.0:cm:bearer in order for the subject to be accepted. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Salman Jan Clint Wilde Vor 9 Jahren Did u get this error resolved? If so plz advise. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren Make sure you are consuming the metadata from https url otherwise it will generate the urls with http. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen
Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika. I just received more clarification. Does the SAML portlet support doing an AttributeQuery and getting a specific attribute from the IDP?Thanks Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren AttributeQuery is not supported at this point. You can include attributes in the Response only. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren ughh... Thanks. General question to gage difficulty: can you give me a rough estimate on how long you would expect a good java java developer (with no knowledge of this plugin and limited knowledge of SAML) to get in and make those changes to support AttributeQuery and are there any external roadblocks that would prevent us from adding that? Again, I appreciate your help. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren I took a quick look at the spec to refresh my memory on AttributeQuery and it seems that implementing just that part shouldn't be all that difficult. I'd say that a week should be more than enough for someone that knows SAML. I don't see any roadblocks from adding it and the plugin is fairly extendable. If you don't mind sharing more details on your use case I'd be interested in hearing. You can do that privately by emailing me directly. My email is firstname.lastname at liferay.com Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika. 
I may take you up on that when we get closer to implementation.We have another issue related to setting up an IDP:18:25:44,140 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Intended message destination endpoint: https://idp.sample.org/c/portal/saml/sso18:25:44,141 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Actual message receiver endpoint: http://idp.sample.org/c/portal/saml/ssoBoth SP and IDP are Liferay. When both servers were only listening on HTTP, the connection worked fine, but we just enabled https on the servers and now we are getting this error. We did set saml.require.ssl=true, but we are still seeing the same error. What do we need to do to get past this error?Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Clint Wilde Vor 10 Jahren Hi Mika,We are also getting this Exception in the logs of the IDP. They don't appear to be related:Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:98) at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:73) at com.liferay.saml.profile.WebSsoProfileImpl.decodeAuthnRequest(WebSsoProfileImpl.java:284) at com.liferay.saml.profile.WebSsoProfileImpl.doProcessAuthnRequest(WebSsoProfileImpl.java:309) at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:119)Do you have any idea what is causing this? Any tips would be very appreciated!Thank you! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... 
Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren This could be caused by someone accessing /c/portal/saml/sso or /c/portal/saml/acs without correct parameters. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Ajit Gauli Mika Koivisto Vor 10 Jahren Hi Mika, I am following up your conversation with Clint Wilde. We work in the same team. Now we are getting the response back from IDP, I can see NameID in SAML reponse.<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">YjY3ODliOGUtNGUwMy00MGIwLWEyYmYtZWE5MTk1OTUzYWE1JjNCRTk4MzIwLTA0RkEtNDQ1Ny04MTBFLTgwQkM0MTlGNUE4NA==</NameID>But still getting this exception on our side (we are SP):00:01:52,509 ERROR [http-bio-8080-exec-30][status_jsp:665] com.liferay.saml.SamlException: Name ID not present in subjectcom.liferay.saml.SamlException: Name ID not present in subject at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:486)Your insight would be much appreciated. Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Ajit Gauli Vor 10 Jahren First of all Liferay doesn't support transient NameID. Secondly the SubjectConfirmationMethod has to be urn:oasis:names:tc:SAML:2.0:cm:bearer in order for the subject to be accepted. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Salman Jan Clint Wilde Vor 9 Jahren Did u get this error resolved? If so plz advise. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren Make sure you are consuming the metadata from https url otherwise it will generate the urls with http. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen
Mika Koivisto Clint Wilde Vor 10 Jahren AttributeQuery is not supported at this point. You can include attributes in the Response only. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren ughh... Thanks. General question to gage difficulty: can you give me a rough estimate on how long you would expect a good java java developer (with no knowledge of this plugin and limited knowledge of SAML) to get in and make those changes to support AttributeQuery and are there any external roadblocks that would prevent us from adding that? Again, I appreciate your help. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren I took a quick look at the spec to refresh my memory on AttributeQuery and it seems that implementing just that part shouldn't be all that difficult. I'd say that a week should be more than enough for someone that knows SAML. I don't see any roadblocks from adding it and the plugin is fairly extendable. If you don't mind sharing more details on your use case I'd be interested in hearing. You can do that privately by emailing me directly. My email is firstname.lastname at liferay.com Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika. I may take you up on that when we get closer to implementation.We have another issue related to setting up an IDP:18:25:44,140 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Intended message destination endpoint: https://idp.sample.org/c/portal/saml/sso18:25:44,141 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Actual message receiver endpoint: http://idp.sample.org/c/portal/saml/ssoBoth SP and IDP are Liferay. When both servers were only listening on HTTP, the connection worked fine, but we just enabled https on the servers and now we are getting this error. 
We did set saml.require.ssl=true, but we are still seeing the same error. What do we need to do to get past this error?Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Clint Wilde Vor 10 Jahren Hi Mika,We are also getting this Exception in the logs of the IDP. They don't appear to be related:Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:98) at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:73) at com.liferay.saml.profile.WebSsoProfileImpl.decodeAuthnRequest(WebSsoProfileImpl.java:284) at com.liferay.saml.profile.WebSsoProfileImpl.doProcessAuthnRequest(WebSsoProfileImpl.java:309) at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:119)Do you have any idea what is causing this? Any tips would be very appreciated!Thank you! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren This could be caused by someone accessing /c/portal/saml/sso or /c/portal/saml/acs without correct parameters. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Ajit Gauli Mika Koivisto Vor 10 Jahren Hi Mika, I am following up your conversation with Clint Wilde. We work in the same team. 
Now we are getting the response back from IDP, I can see NameID in SAML reponse.<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">YjY3ODliOGUtNGUwMy00MGIwLWEyYmYtZWE5MTk1OTUzYWE1JjNCRTk4MzIwLTA0RkEtNDQ1Ny04MTBFLTgwQkM0MTlGNUE4NA==</NameID>But still getting this exception on our side (we are SP):00:01:52,509 ERROR [http-bio-8080-exec-30][status_jsp:665] com.liferay.saml.SamlException: Name ID not present in subjectcom.liferay.saml.SamlException: Name ID not present in subject at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:486)Your insight would be much appreciated. Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Ajit Gauli Vor 10 Jahren First of all Liferay doesn't support transient NameID. Secondly the SubjectConfirmationMethod has to be urn:oasis:names:tc:SAML:2.0:cm:bearer in order for the subject to be accepted. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Salman Jan Clint Wilde Vor 9 Jahren Did u get this error resolved? If so plz advise. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren Make sure you are consuming the metadata from https url otherwise it will generate the urls with http. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen
Clint Wilde Mika Koivisto Vor 10 Jahren ughh... Thanks. General question to gage difficulty: can you give me a rough estimate on how long you would expect a good java java developer (with no knowledge of this plugin and limited knowledge of SAML) to get in and make those changes to support AttributeQuery and are there any external roadblocks that would prevent us from adding that? Again, I appreciate your help. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren I took a quick look at the spec to refresh my memory on AttributeQuery and it seems that implementing just that part shouldn't be all that difficult. I'd say that a week should be more than enough for someone that knows SAML. I don't see any roadblocks from adding it and the plugin is fairly extendable. If you don't mind sharing more details on your use case I'd be interested in hearing. You can do that privately by emailing me directly. My email is firstname.lastname at liferay.com Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Clint Wilde Mika Koivisto Vor 10 Jahren Thanks Mika. I may take you up on that when we get closer to implementation.We have another issue related to setting up an IDP:18:25:44,140 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Intended message destination endpoint: https://idp.sample.org/c/portal/saml/sso18:25:44,141 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Actual message receiver endpoint: http://idp.sample.org/c/portal/saml/ssoBoth SP and IDP are Liferay. When both servers were only listening on HTTP, the connection worked fine, but we just enabled https on the servers and now we are getting this error. We did set saml.require.ssl=true, but we are still seeing the same error. What do we need to do to get past this error?Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... 
Abbrechen Clint Wilde Clint Wilde Vor 10 Jahren Hi Mika,We are also getting this Exception in the logs of the IDP. They don't appear to be related:Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:98) at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:73) at com.liferay.saml.profile.WebSsoProfileImpl.decodeAuthnRequest(WebSsoProfileImpl.java:284) at com.liferay.saml.profile.WebSsoProfileImpl.doProcessAuthnRequest(WebSsoProfileImpl.java:309) at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:119)Do you have any idea what is causing this? Any tips would be very appreciated!Thank you! Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren This could be caused by someone accessing /c/portal/saml/sso or /c/portal/saml/acs without correct parameters. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Ajit Gauli Mika Koivisto Vor 10 Jahren Hi Mika, I am following up your conversation with Clint Wilde. We work in the same team. 
Now we are getting the response back from IDP, I can see NameID in SAML reponse.<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">YjY3ODliOGUtNGUwMy00MGIwLWEyYmYtZWE5MTk1OTUzYWE1JjNCRTk4MzIwLTA0RkEtNDQ1Ny04MTBFLTgwQkM0MTlGNUE4NA==</NameID>But still getting this exception on our side (we are SP):00:01:52,509 ERROR [http-bio-8080-exec-30][status_jsp:665] com.liferay.saml.SamlException: Name ID not present in subjectcom.liferay.saml.SamlException: Name ID not present in subject at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:486)Your insight would be much appreciated. Thanks in advance. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Ajit Gauli Vor 10 Jahren First of all Liferay doesn't support transient NameID. Secondly the SubjectConfirmationMethod has to be urn:oasis:names:tc:SAML:2.0:cm:bearer in order for the subject to be accepted. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Salman Jan Clint Wilde Vor 9 Jahren Did u get this error resolved? If so plz advise. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen Mika Koivisto Clint Wilde Vor 10 Jahren Make sure you are consuming the metadata from https url otherwise it will generate the urls with http. Melden Sie sich an, um auf diesen Beitrag zu antworten. Antworten als... Abbrechen
Mika Koivisto (in reply to Clint Wilde), 10 years ago
I took a quick look at the spec to refresh my memory on AttributeQuery and it seems that implementing just that part shouldn't be all that difficult. I'd say that a week should be more than enough for someone that knows SAML. I don't see any roadblocks from adding it and the plugin is fairly extendable. If you don't mind sharing more details on your use case I'd be interested in hearing. You can do that privately by emailing me directly. My email is firstname.lastname at liferay.com

Clint Wilde (in reply to Mika Koivisto), 10 years ago
Thanks Mika. I may take you up on that when we get closer to implementation.

We have another issue related to setting up an IDP:

18:25:44,140 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Intended message destination endpoint: https://idp.sample.org/c/portal/saml/sso
18:25:44,141 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Actual message receiver endpoint: http://idp.sample.org/c/portal/saml/sso

Both SP and IDP are Liferay. When both servers were only listening on HTTP, the connection worked fine, but we just enabled https on the servers and now we are getting this error. We did set saml.require.ssl=true, but we are still seeing the same error. What do we need to do to get past this error?

Thanks in advance.

Clint Wilde (in reply to Clint Wilde), 10 years ago
Hi Mika,

We are also getting this Exception in the logs of the IDP. They don't appear to be related:

Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message
    at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:98)
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79)
    at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
    at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:73)
    at com.liferay.saml.profile.WebSsoProfileImpl.decodeAuthnRequest(WebSsoProfileImpl.java:284)
    at com.liferay.saml.profile.WebSsoProfileImpl.doProcessAuthnRequest(WebSsoProfileImpl.java:309)
    at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:119)

Do you have any idea what is causing this? Any tips would be very appreciated!

Thank you!

Mika Koivisto (in reply to Clint Wilde), 10 years ago
This could be caused by someone accessing /c/portal/saml/sso or /c/portal/saml/acs without correct parameters.

Ajit Gauli (in reply to Mika Koivisto), 10 years ago
Hi Mika, I am following up your conversation with Clint Wilde. We work in the same team. Now we are getting the response back from IDP, I can see NameID in SAML response.

<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">YjY3ODliOGUtNGUwMy00MGIwLWEyYmYtZWE5MTk1OTUzYWE1JjNCRTk4MzIwLTA0RkEtNDQ1Ny04MTBFLTgwQkM0MTlGNUE4NA==</NameID>

But still getting this exception on our side (we are SP):

00:01:52,509 ERROR [http-bio-8080-exec-30][status_jsp:665] com.liferay.saml.SamlException: Name ID not present in subject
com.liferay.saml.SamlException: Name ID not present in subject
    at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:486)

Your insight would be much appreciated. Thanks in advance.

Mika Koivisto (in reply to Ajit Gauli), 10 years ago
First of all Liferay doesn't support transient NameID. Secondly the SubjectConfirmationMethod has to be urn:oasis:names:tc:SAML:2.0:cm:bearer in order for the subject to be accepted.

Salman Jan (in reply to Clint Wilde), 9 years ago
Did you get this error resolved? If so, please advise.

Mika Koivisto (in reply to Clint Wilde), 10 years ago
Make sure you are consuming the metadata from the https URL, otherwise it will generate the URLs with http.
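Added example (not part of the thread and not Liferay's code): a small diagnostic that inspects the Subject of a captured SAML response for the two conditions named in Mika Koivisto's reply to Ajit Gauli above, a transient NameID format and a missing bearer SubjectConfirmation. The function name, the messages and the constructed sample response are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample response (unsigned, trimmed to the Subject). The NameID
# format is the one quoted in the thread; the value is a placeholder.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">PLACEHOLDER</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"/>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_subject(xml_text):
    """Return findings that explain why the SP would not accept the subject."""
    # SAML messages never need a DTD; refuse them before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in SAML messages")
    root = ET.fromstring(xml_text)
    subjects = root.findall(".//saml:Assertion/saml:Subject", NS)
    if not subjects:
        return ["no Subject found in any Assertion (or the assertion is encrypted)"]
    findings = []
    for subject in subjects:
        name_id = subject.find("saml:NameID", NS)
        if name_id is None or not (name_id.text or "").strip():
            findings.append("NameID missing or empty")
        elif name_id.get("Format") == TRANSIENT:
            findings.append("NameID format is transient, which the SP does not support")
        methods = [sc.get("Method")
                   for sc in subject.findall("saml:SubjectConfirmation", NS)]
        if BEARER not in methods:
            findings.append("no bearer SubjectConfirmation (found: %s)" % (methods or "none"))
    return findings
```

Run it against the decoded response captured on the SP side; an empty list means neither of the two conditions applies and the cause lies elsewhere.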
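Added example (not part of the thread): a log check that pairs the "Intended message destination endpoint" and "Actual message receiver endpoint" DEBUG lines quoted above and reports which URL components differ, so a scheme-only mismatch like the one in Clint Wilde's post is easy to tell apart from a host or path problem. The function names, the per-thread pairing and the default-port normalization are assumptions of this example; the log excerpt is constructed from the two lines in the post.

```python
import re
from urllib.parse import urlsplit

# Constructed log excerpt modelled on the two DEBUG lines quoted in the thread.
SAMPLE_LOG = """\
18:25:44,140 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Intended message destination endpoint: https://idp.sample.org/c/portal/saml/sso
18:25:44,141 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Actual message receiver endpoint: http://idp.sample.org/c/portal/saml/sso
"""

LINE = re.compile(
    r"\[(?P<thread>[^\]]+)\]\[BaseSAMLMessageDecoder:\d+\] "
    r"(?P<kind>Intended message destination|Actual message receiver) "
    r"endpoint: (?P<url>\S+)"
)
DEFAULT_PORTS = {"http": 80, "https": 443}


def url_parts(url):
    """Split a URL into comparable parts; a scheme's default port counts as no port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = None if u.port == DEFAULT_PORTS.get(scheme) else u.port
    return {"scheme": scheme, "host": (u.hostname or "").lower(),
            "port": port, "path": u.path}


def endpoint_mismatches(log_text):
    """Pair intended/actual lines per thread; return (intended, actual, differing parts)."""
    pending, results = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        if m["kind"].startswith("Intended"):
            pending[m["thread"]] = m["url"]
        elif m["thread"] in pending:
            intended = pending.pop(m["thread"])
            a, b = url_parts(intended), url_parts(m["url"])
            diff = [key for key in a if a[key] != b[key]]
            if diff:
                results.append((intended, m["url"], diff))
    return results
```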
Kapil Burange (in reply to Mika Koivisto), 8 years ago
Hi Mika,

Please reply as I am stuck on this since a long time. Besides that, does Liferay support HTTP redirect binding? In my case the request is coming from the Service provider in the query string with request method as GET. Can you please confirm.

Thanks & Regards
Kapil

divya goyal (in reply to Kapil Burange), 7 years ago
Hi Mika,

Quite an informative blog. I am able to set up the IdP SSO successfully. Just a quick query: in the SAML response the signature tag is not getting generated, besides that all the other tags are generated correctly.

Please let me know if any other property needs to be added in the SAML configuration to add the signature in the SAML response.

Regards
Divya