Discussion Forums
Liferay IDP SAML plugin - missing 'InResponseTo'
Graham Matthews, modified 11 years ago.
Liferay IDP SAML plugin - missing 'InResponseTo'
New Member Posts: 2 Join date: 26/11/12
Hi,
I've setup the SAML IDP in Liferay 6.1 EE and have it partially working. My SAML Service Provider is Jive SBS, which uses the Spring Security Framework. I'm initiating the Sign On from the SP.
The SP complains of the following when it tries to decode the assertion:-
- Processing Bearer subject confirmation
- Bearer SubjectConfirmation invalidated by missing inResponseTo field
- Assertion invalidated by subject confirmation - can't be confirmed by the bearer method
From looking at JOSSO, it seems they had the same issue with this field being missing. http://www.josso.org/jira/browse/JOSSO-332
Attached is what my SP receives from Liferay. This doesn't have the 'InResponseTo' field within 'SubjectConfirmationData'
Here is what I have configured for the IDP portal-ext.properties.
saml.enabled=true
saml.role=idp
saml.entity.id=liferaysamlidpdemo
saml.require.ssl=false
saml.sign.metadata=true
saml.idp.authn.request.signature.required=true
saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.type=jks
saml.keystore.credential.password[liferaysamlidpdemo]=liferay
saml.metadata.paths=${liferay.home}/data/saml/jive-metadata.xml
saml.idp.metadata.nameid.resolver=com.liferay.saml.DefaultNameIDResolver
saml.idp.metadata.name.id.format[http://dev102.refpod.net]=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
saml.idp.metadata.attributes.enabled=true
saml.idp.metadata.attributes.enabled[http://dev102.refpod.net]=true
saml.idp.metadata.attribute.names[http://dev102.refpod.net]=screenName,firstName,lastName,emailAddress,uuid
Also I have managed to get the same SP to work fine with OpenAM. OpenAM does pass the following which includes the 'InResponseTo' field.
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="http://id.example.org:8080/openam">TGDK0eN42EnAGM/ADfyiZH19MZ0X</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="a8ij5dii5ceagd4c6bae0ed8db656" NotOnOrAfter="2012-12-04T19:42:56Z" Recipient="http://jive.example.org/saml/sso" />
</saml:SubjectConfirmation>
</saml:Subject>
Any help on identifying if this is a bug or if I have configured something wrong would be much appreciated.
Thanks
Graham
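The check the SP is applying here is the bearer subject-confirmation rule from the SAML 2.0 Web Browser SSO profile: for an SP-initiated login, the SubjectConfirmationData must carry an InResponseTo equal to the ID of the AuthnRequest the SP sent, a Recipient equal to the SP's assertion consumer URL, and a NotOnOrAfter still in the future. The InResponseTo on the outer Response alone is not enough, because the assertion is the signed object the SP relies on. The following is an added example, not code from the thread, from Liferay or from Spring Security SAML: a small SP-side validator written from scratch, run against two constructed assertions modelled on the thread (an OpenAM-style one with InResponseTo and a Liferay 6.1-style one without). The ACS URL, request ID and clock value are assumed for the demonstration.

```python
"""SP-side bearer SubjectConfirmation check, modelled on the SAML 2.0 Web SSO profile rules.

Added example; not code from Liferay, OpenAM or Spring Security SAML.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


@dataclass
class SpContext:
    acs_url: str                           # this SP's AssertionConsumerService URL (assumed value below)
    outstanding_request_id: Optional[str]  # ID of the AuthnRequest we sent; None for IdP-initiated SSO
    now: datetime                          # injected clock, so the check is deterministic


def _parse_instant(value: str) -> datetime:
    """Parse the UTC xs:dateTime form IdPs emit ('...Z'); fractional seconds are dropped."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def make_context(acs_url: str, request_id: Optional[str], now_iso: str) -> SpContext:
    return SpContext(acs_url, request_id, _parse_instant(now_iso))


def check_bearer_confirmation(assertion_xml: str, ctx: SpContext) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons). Accepted when at least one bearer confirmation passes every rule."""
    root = ET.fromstring(assertion_xml)
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return False, ["no saml:Assertion found"]
    subject = assertion.find("saml:Subject", NS)
    if subject is None:
        return False, ["assertion has no saml:Subject"]

    reasons: List[str] = []
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # holder-of-key / sender-vouches are out of scope for this check
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            reasons.append("bearer SubjectConfirmation has no SubjectConfirmationData")
            continue
        problems: List[str] = []
        in_response_to = data.get("InResponseTo")
        if ctx.outstanding_request_id is not None:
            # SP-initiated: the assertion must be bound to the request we actually sent
            if in_response_to is None:
                problems.append("Bearer SubjectConfirmation invalidated by missing inResponseTo field")
            elif in_response_to != ctx.outstanding_request_id:
                problems.append("InResponseTo %r does not match our AuthnRequest ID" % in_response_to)
        elif in_response_to is not None:
            problems.append("unsolicited (IdP-initiated) response must not carry InResponseTo")
        recipient = data.get("Recipient")
        if recipient != ctx.acs_url:
            problems.append("Recipient %r is not this SP's ACS URL" % recipient)
        not_on_or_after = data.get("NotOnOrAfter")
        if not_on_or_after is None:
            problems.append("NotOnOrAfter is required for bearer confirmation")
        elif ctx.now >= _parse_instant(not_on_or_after):  # NotOnOrAfter is exclusive
            problems.append("SubjectConfirmationData expired at %s" % not_on_or_after)
        if not problems:
            return True, []  # one valid bearer confirmation is enough
        reasons.extend(problems)
    reasons.append("Assertion invalidated by subject confirmation - can't be confirmed by the bearer method")
    return False, reasons


# Constructed samples modelled on the thread (IDs, issuer and ACS URL are assumed values).
OPENAM_STYLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2012-12-04T19:32:56Z">
  <saml:Issuer>http://id.example.org:8080/openam</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">TGDK0eN42EnAGM/ADfyiZH19MZ0X</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="a8ij5dii5ceagd4c6bae0ed8db656" NotOnOrAfter="2012-12-04T19:42:56Z" Recipient="http://jive.example.org/saml/sso"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""
# Same assertion with InResponseTo dropped, as Liferay 6.1 emitted it before the fix.
LIFERAY_STYLE = OPENAM_STYLE.replace(' InResponseTo="a8ij5dii5ceagd4c6bae0ed8db656"', "")

CTX = make_context("http://jive.example.org/saml/sso", "a8ij5dii5ceagd4c6bae0ed8db656", "2012-12-04T19:40:00Z")

if __name__ == "__main__":
    for name, xml in (("OpenAM-style", OPENAM_STYLE), ("Liferay-style", LIFERAY_STYLE)):
        ok, why = check_bearer_confirmation(xml, CTX)
        print(name, "accepted" if ok else "rejected", why)
```

Run stand-alone, the OpenAM-style assertion is accepted and the Liferay-style one is rejected with the same two messages the SP logged in the thread. The InResponseTo rule is what stops an assertion minted for one login from being replayed into a different browser session, and the NotOnOrAfter rule bounds how long a captured assertion stays usable, which is why a strict SP refuses rather than warns.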
Mika Koivisto, modified 11 years ago.
RE: Liferay IDP SAML plugin - missing 'InResponseTo'
Liferay Legend Posts: 1519 Join date: 7/08/06
That's a bug. It's missing the InResponseTo message ID from the SubjectConfirmationData: even though we are already adding it in the Response, it's missing from SubjectConfirmationData. The fix itself is very simple. Can you request a patch for it through your support account and reference this message? The issue will be fixed in LPS-31488.
Graham Matthews, modified 11 years ago.
RE: Liferay IDP SAML plugin - missing 'InResponseTo'
New Member Posts: 2 Join date: 26/11/12
Thanks Mike for confirming this is a bug, and I see also that a fix has been committed. Fast work!
I'm actually on a 30 day trial of Liferay so I don't have a support account setup yet. I'll make my account manager aware of this issue though.
Thanks
Graham