Discussion forums

Liferay as SAML SL and WSO2 IDP

Martijn Jongen, modified 7 years ago.

Liferay as SAML SL and WSO2 IDP

New Member Posts: 9 Join date: 1/06/16 Recent posts
Hi All,

I'm trying to configure Liferay as a SAML SP connected to a WSO2 IDP in a test environment. The issue I'm facing is that the SAML response signature validation fails; however, when I validate the response using an online tool (https://www.samltool.com/validate_response.php) the signature validates fine. (There are two other errors, "Invalid issuer in the Assertion/Response" and "Reference validation failed", but I plan to worry about those later.)

The log says this:
06:33:14,422 ERROR [http-bio-8080-exec-3][BaseSamlStrutsAction:45] com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
at com.liferay.saml.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:167)
at com.liferay.saml.profile.WebSsoProfileUtil.processResponse(WebSsoProfileUtil.java:50)

Any clue what I'm missing here?

Oops: wrong category... can I move posts?

thanks,

martijn
Mika Koivisto, modified 7 years ago.

RE: Liferay as SAML SL and WSO2 IDP

Liferay Legend Posts: 1519 Join date: 7/08/06 Recent posts
The whole response has to be signed, not just the assertion. The error message is saying it wasn't able to verify the sender of the message, and that verification is done via the Response signature.
Martijn Jongen, modified 7 years ago.

RE: Liferay as SAML SL and WSO2 IDP

New Member Posts: 9 Join date: 1/06/16 Recent posts
Hi,

Response signing is enabled at the IDP, what I now did is import the root certificate of the IDP in the keystore of the SP, that worked. In that way, I am now facing the next error:

09:40:32,259 INFO [http-bio-8080-exec-9][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:134] Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
09:40:32,274 ERROR [http-bio-8080-exec-9][BaseSamlStrutsAction:45] com.liferay.saml.SamlException: Unable to resolve metadata for issuer localhost
com.liferay.saml.SamlException: Unable to resolve metadata for issuer localhost

Is this the same metadata as what is stored in the db? Because there the id is wso2idp and not localhost...

Thanks
Mika Koivisto, modified 7 years ago.

RE: Liferay as SAML SL and WSO2 IDP

Liferay Legend Posts: 1519 Join date: 7/08/06 Recent posts
Your IdP is sending the issuer as localhost, not as wso2idp:

<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer>

That is why it's not able to resolve the metadata.
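The two checks discussed in this thread (is the Response element itself signed, and does the Issuer match the entityID in the SP's stored metadata) can be pre-flighted on a captured Response before it is posted to the SP. The script below is an added example, not Liferay or WSO2 code; the XML samples and the "wso2idp" entityID are constructed to mirror the thread, and it inspects structure only without verifying the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_response(xml_text, expected_entity_id):
    """Return a list of findings an SP would reject this Response for;
    an empty list means the structural checks passed."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    findings = []
    # The sender is proven by a ds:Signature directly under the Response;
    # a signature only inside the Assertion does not satisfy the SP.
    if root.find("ds:Signature", NS) is None:
        findings.append("Response element is not signed")
    # Every Issuer must equal the IdP entityID the SP resolves metadata by.
    elems = [(root, "Response")]
    elems += [(a, "Assertion") for a in root.findall("saml:Assertion", NS)]
    for elem, label in elems:
        issuer = elem.find("saml:Issuer", NS)
        value = (issuer.text or "").strip() if issuer is not None else ""
        if value != expected_entity_id:
            findings.append(f"{label} Issuer {value!r} != metadata entityID {expected_entity_id!r}")
    return findings

# Constructed sample resembling the failing case: only the Assertion is
# signed, and both Issuers say "localhost". SignatureValue is a placeholder.
UNSIGNED_LOCALHOST = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>localhost</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>localhost</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample of what the SP wants: Response signed, Issuer = entityID.
SIGNED_WSO2IDP = UNSIGNED_LOCALHOST.replace("localhost", "wso2idp").replace(
    "<saml:Assertion", "<ds:Signature><ds:SignatureValue>placeholder"
    "</ds:SignatureValue></ds:Signature>\n  <saml:Assertion")

if __name__ == "__main__":
    for finding in check_response(UNSIGNED_LOCALHOST, "wso2idp"):
        print("FAIL:", finding)
    print("ok" if not check_response(SIGNED_WSO2IDP, "wso2idp") else "not ok")
```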