Carlos Andonaegui
Saml plugin exception Unknown peer entity id
9 January 2013 13:23

Rank: New Member
Posts: 6
Joined: 11 December 2012

Hello

I'm trying to set up a Liferay SP to work with an existing IdP (simplesamlphp).

This is the exception I'm getting when I click on "sign in":

18:06:31,529 ERROR [http-bio-8080-exec-5][SamlSpSsoFilter:81] com.liferay.saml.SamlException: Unknown peer entity ID idpentityid
com.liferay.saml.SamlException: Unknown peer entity ID idpentityid

I already read this post and set log4j to debug mode, but it doesn't give me any information before or after the exception, and no SAML response.

I'm sure the entity ID is the right one. This is my portal-ext.properties; I don't know if I'm missing something.

## SAML
saml.enabled=true
saml.role=sp
saml.entity.id=liferaysamlspdemo
saml.metadata.path="url to idp metadata using https"
saml.require.ssl=true
saml.sign.metadata=true

## KEYSTORE
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.credential.password[liferaysamlspdemo]=liferay

## Service Provider
saml.sp.default.idp.entity.id=idpentityid
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.sp.user.attribute.mappings=screenName=screenName

Mika Koivisto
RE: Saml plugin exception Unknown peer entity id
9 January 2013 14:23

LIFERAY STAFF
Rank: Liferay Legend
Posts: 1513
Joined: 7 August 2006

The exception says it all. It doesn't seem to have metadata for idpentityid, so either your IdP entity ID is different or it has failed to retrieve metadata for it. Can you post the metadata for your IdP?

Carlos Andonaegui
RE: Saml plugin exception Unknown peer entity id
9 January 2013 14:41

I don't think so; the IdP is the production one in the company that I work for. Maybe I can explain what I'm doing.

When I look at the metadata in the browser at https://hostname/simplesaml/saml2/idp/metadata.php
it asks me for a password and then shows me the metadata, and the entityID that comes in the metadata is the one I'm using.

I think the password is the part I'm missing, but I don't know what the name of that property is in portal-ext.properties.

Mika Koivisto
RE: Saml plugin exception Unknown peer entity id
10 January 2013 9:30

There is no property for that. If the metadata is not accessible without a password, then you need to download it, place it in ${liferay.home}/data/saml/ for instance, and refer to it in your saml.metadata.path property.

Carlos Andonaegui
RE: Saml plugin exception Unknown peer entity id
10 January 2013 10:53

OK, I did what you said:
downloaded the metadata, put it in ${liferay.home}/data/saml/simplesaml-metadata.xml
and modified my portal-ext.properties
saml.enabled=true
saml.role=sp
saml.entity.id=liferaysamlspdemo
saml.metadata.path=${liferay.home}/data/saml/simplesaml-metadata.xml
saml.require.ssl=true
saml.sign.metadata=true

I copied and pasted the entityID that comes in simplesaml-metadata.xml into my properties file and still get the same exception.

I redeployed the plugin and restarted Liferay and still get the same.

Mika Koivisto
RE: Saml plugin exception Unknown peer entity id
10 January 2013 12:26

Ah, I see the problem. The property name is saml.metadata.paths, not saml.metadata.path; note the missing S.
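The two faults in this thread so far, a misspelled property name that a properties file silently ignores and an IdP entity ID that does not match anything in the loaded metadata, can both be caught before starting the portal. The script below is an added example and is not Liferay's code: it knows only the property names quoted in this thread (with saml.metadata.paths as the correct, plural key), and the IdP metadata document, the two portal-ext.properties excerpts and the host name idp.example.test are all constructed samples.

```python
"""Sanity-check the SP side of a Liferay SAML plugin configuration.

Added example, not Liferay code. It only knows the property names quoted in
this thread; the metadata and properties text below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Property names exactly as they appear in the thread (note the plural "paths").
KNOWN_SAML_KEYS = {
    "saml.enabled", "saml.role", "saml.entity.id", "saml.metadata.paths",
    "saml.require.ssl", "saml.sign.metadata", "saml.keystore.type",
    "saml.keystore.path", "saml.keystore.password",
    "saml.sp.default.idp.entity.id", "saml.sp.sign.authn.request",
    "saml.sp.assertion.signature.required", "saml.sp.clock.skew",
    "saml.sp.user.attribute.mappings",
}
# saml.keystore.credential.password[<alias>] carries the SP entity id in brackets.
CREDENTIAL_KEY_RE = re.compile(r"^saml\.keystore\.credential\.password\[([^\]]+)\]$")


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def idp_entity_ids(metadata_xml):
    """entityID of every EntityDescriptor that carries an IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    return [ed.get("entityID") for ed in root.iter("{%s}EntityDescriptor" % MD_NS)
            if ed.find("{%s}IDPSSODescriptor" % MD_NS) is not None]


def check_sp_config(props, metadata_xml):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    credential_aliases = []
    for key in props:
        m = CREDENTIAL_KEY_RE.match(key)
        if m:
            credential_aliases.append(m.group(1))
        elif key.startswith("saml.") and key not in KNOWN_SAML_KEYS:
            # A misspelled key is simply ignored, which is how the singular
            # saml.metadata.path went unnoticed in the thread.
            findings.append("unknown property name: %s" % key)
    if props.get("saml.role") != "sp":
        findings.append("saml.role is not 'sp'")
    sp_id = props.get("saml.entity.id")
    if sp_id and sp_id not in credential_aliases:
        findings.append("no saml.keystore.credential.password[%s] entry for the SP key" % sp_id)
    if "saml.metadata.paths" not in props:
        findings.append("saml.metadata.paths is not set, so no IdP metadata is loaded")
        return findings
    wanted = props.get("saml.sp.default.idp.entity.id")
    known = idp_entity_ids(metadata_xml)
    if wanted not in known:
        # This is the condition behind the "Unknown peer entity ID" exception.
        findings.append("saml.sp.default.idp.entity.id=%r is not an IdP in the "
                        "loaded metadata (found %s)" % (wanted, known))
    return findings


# Constructed IdP metadata in the shape simplesamlphp's metadata.php returns
# (signing certificate omitted); idp.example.test is a placeholder host.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed to mirror the thread's first attempt: singular "path" and a
# placeholder IdP entity id that the metadata does not contain.
BROKEN_PROPERTIES = """\
saml.enabled=true
saml.role=sp
saml.entity.id=liferaysamlspdemo
saml.metadata.path=${liferay.home}/data/saml/simplesaml-metadata.xml
saml.keystore.credential.password[liferaysamlspdemo]=liferay
saml.sp.default.idp.entity.id=idpentityid
"""
FIXED_PROPERTIES = BROKEN_PROPERTIES.replace("saml.metadata.path=", "saml.metadata.paths=").replace(
    "=idpentityid", "=https://idp.example.test/simplesaml/saml2/idp/metadata.php")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(label, check_sp_config(parse_properties(text), SAMPLE_IDP_METADATA))
```

Run it against the real portal-ext.properties and the downloaded metadata file by reading both into strings; the "unknown property name" finding is the one that would have shortened this thread.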

Carlos Andonaegui
RE: Saml plugin exception Unknown peer entity id
10 January 2013 15:38

Thank you Mika that was the problem.

Carlos Andonaegui
RE: Saml plugin exception Unknown peer entity id
14 January 2013 15:46

Hi Mika, I'm finally not getting errors on the call and the response of the login, but the portal is not authenticating the user; on the redirect it goes back to the welcome page in Liferay.

This is the final log I get.

I hope you can give me any idea.

23:34:12,013 DEBUG [DigesterOutputStream:?] <xml response>
23:34:12,013 DEBUG [Reference:?] Verification successful for URI "#_51c1fd6028546c87d63b816c6b990ee82c2027e2d3"
23:34:12,013 DEBUG [Manifest:?] The Reference has Type

Here is the response if you need it:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_51c1fd6028546c87d63b816c6b990ee82c2027e2d3" IssueInstant="2013-01-14T23:34:56Z" Version="2.0"><saml:Issuer>https://googlesso.xxxxx.com/simplesaml/saml2/idp/metadata.php</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent" SPNameQualifier="liferaysamlspdemo">user.name@xxxxx.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_1b13ec635586acee99b34eda437027633df28faf" NotOnOrAfter="2013-01-14T23:39:56Z" Recipient="http://172.24.91.117:8080/c/portal/saml/acs">
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2013-01-14T23:34:26Z" NotOnOrAfter="2013-01-14T23:39:56Z">
<saml:AudienceRestriction><saml:Audience>liferaysamlspdemo</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2013-01-14T19:01:47Z" SessionIndex="_5291d785a4533fd608eb01d78de8374d3126396e7d" SessionNotOnOrAfter="2013-01-15T07:34:56Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">name</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="extensionAttribute5" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.name@xxxxx.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="sAMAccountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user_name</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>

Mika Koivisto
RE: Saml plugin exception Unknown peer entity id
14 January 2013 22:54

The problem is the NameID: it's an email address, but it says the format is urn:oasis:names:tc:SAML:1.1:nameid-format:persistent, which means the SP interprets it as screenName. You can either change the format to emailAddress or change the NameID value to the screenName. Those are the only options currently without modifying code. I've planned to add more flexibility to the SP configuration in future versions.

Carlos Andonaegui
RE: Saml plugin exception Unknown peer entity id
15 January 2013 9:12

I checked the two cases but still no login, and adding the user too; I'm not getting any error in the logs.

Perhaps it can be the attribute names and how I'm mapping them.

SAML response

<saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">name</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="extensionAttribute5" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.name@xxxxx.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sAMAccountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user_name</saml:AttributeValue></saml:Attribute>

portal-ext.properties

saml.sp.user.attribute.mappings=screenName=sAMAccountName\nemailAddress=extensionAttribute5\nfirstName=givenName\nlastName=sn

I keep reading about attribute mapping and simplesamlphp configuration.
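Mika's point about the NameID and the attribute-mapping question in this post are two halves of the same step: the SP first decides whether the assertion may be trusted, then decides which portal user it names. The script below is an added example, not the Liferay SAML plugin's code. The NameID rule follows Mika's description in this thread (emailAddress format gives the email address, persistent format is taken as the screen name; treating any other format like persistent is an assumption of this example), the Audience, Recipient, InResponseTo and time-window checks are the standard SAML 2.0 bearer checks rather than the plugin's own logic, and signature verification is left out because the posted log already shows it succeeding. The assertion is constructed from the one posted above, with the AuthnRequest ID, ACS URL and attribute mapping taken from this thread.

```python
"""Bearer checks and user resolution for a SAML assertion (added example,
not Liferay's code; the NameID rule follows the thread, the rest is the
standard SAML 2.0 bearer profile as assumed here)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:persistent"

# Constructed from the assertion posted in the thread (signature, xsi types omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_51c1fd6028546c87d63b816c6b990ee82c2027e2d3" IssueInstant="2013-01-14T23:34:56Z" Version="2.0">
  <saml:Issuer>https://googlesso.xxxxx.com/simplesaml/saml2/idp/metadata.php</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="%s" SPNameQualifier="liferaysamlspdemo">user.name@xxxxx.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_1b13ec635586acee99b34eda437027633df28faf"
          NotOnOrAfter="2013-01-14T23:39:56Z" Recipient="http://172.24.91.117:8080/c/portal/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-01-14T23:34:26Z" NotOnOrAfter="2013-01-14T23:39:56Z">
    <saml:AudienceRestriction><saml:Audience>liferaysamlspdemo</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="sn"><saml:AttributeValue>name</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="extensionAttribute5"><saml:AttributeValue>user.name@xxxxx.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>user_name</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
AS_POSTED = SAMPLE_ASSERTION % PERSISTENT_FMT   # what the IdP sent in the thread
AS_EMAIL = SAMPLE_ASSERTION % EMAIL_FMT         # Mika's first suggested change
# The mapping value from the thread's portal-ext.properties; the separators are literal \n.
MAPPINGS_PROPERTY = r"screenName=sAMAccountName\nemailAddress=extensionAttribute5\nfirstName=givenName\nlastName=sn"


def parse_mappings(spec):
    """portalField=samlAttribute pairs; java.util.Properties turns literal \\n into newlines."""
    mappings = {}
    for pair in spec.replace("\\n", "\n").splitlines():
        portal_field, sep, saml_attr = pair.partition("=")
        if sep:
            mappings[portal_field.strip()] = saml_attr.strip()
    return mappings


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, sp_entity_id, acs_url, request_id, now, clock_skew_ms=3000):
    """Return the list of problems; empty means the bearer checks passed.
    now may be a datetime or an ISO 8601 'Z' string; skew default is the thread's 3000 ms."""
    now = _ts(now) if isinstance(now, str) else now
    skew = timedelta(milliseconds=clock_skew_ms)
    a = ET.fromstring(xml_text)
    problems = []
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("audience %s does not name this SP" % audiences)
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("bearer confirmation data missing")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient %r is not our ACS URL" % scd.get("Recipient"))
        if scd.get("InResponseTo") != request_id:
            problems.append("InResponseTo does not match an AuthnRequest we sent")
        if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")
    return problems


def resolve_user(xml_text, mappings):
    """Fill portal fields from the attribute mappings, then let NameID set the login key."""
    a = ET.fromstring(xml_text)
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    user = {field: (attrs.get(name) or [None])[0] for field, name in mappings.items()}
    name_id = a.find("saml:Subject/saml:NameID", NS)
    fmt, value = name_id.get("Format"), (name_id.text or "").strip()
    if fmt == EMAIL_FMT:
        user["emailAddress"] = value
    else:  # persistent (and, as assumed here, any other format) is taken as the screen name
        user["screenName"] = value
    warnings = []
    if "@" in (user.get("screenName") or ""):
        warnings.append("NameID format %s but value %r is an email address; "
                        "no screen name will match it" % (fmt, value))
    return user, warnings


if __name__ == "__main__":
    for label, xml in (("as posted", AS_POSTED), ("emailAddress format", AS_EMAIL)):
        print(label, resolve_user(xml, parse_mappings(MAPPINGS_PROPERTY)))
```

With the assertion as posted, the bearer checks pass at 23:35:00Z, so the silent redirect back to the welcome page is not a validity problem; resolve_user shows why instead: the persistent NameID overrides the mapped sAMAccountName with the email address, so the screen-name lookup has nothing to match, which is exactly the warning the function emits. Switching the format to emailAddress makes the same assertion resolve cleanly.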

Kapil Burange
RE: Saml plugin exception Unknown peer entity id
22 October 2014 0:22

Rank: New Member
Posts: 4
Joined: 4 September 2014

Hi Mika

I want to add the service provider in my Liferay IdP.
But on the Service Provider end they are not generating the metadata.xml.
In that case, how can we generate the metadata.xml of the service provider on Liferay and then configure it for SSO?

We are stuck in this and waiting for a response.
Please reply.

Thanks
Kapil