Discussion forums

Saml plugin exception Unknown peer entity id

Carlos Andonaegui, modified 11 years ago.

Saml plugin exception Unknown peer entity id

New Member, Posts: 6, Join date: 11/12/12
Hello

I'm trying to set up a Liferay SP to work with an existing IdP (simplesamlphp).

This is the exception I'm getting when I click on "sign in":

18:06:31,529 ERROR [http-bio-8080-exec-5][SamlSpSsoFilter:81] com.liferay.saml.SamlException: Unknown peer entity ID idpentityid
com.liferay.saml.SamlException: Unknown peer entity ID idpentityid

I already read this post and set log4j to debug mode, but it doesn't give me any information before or after the exception, no SAML response.

I'm sure the entity ID is the right one. This is my portal-ext.properties; I don't know if I'm missing something:

## SAML
saml.enabled=true
saml.role=sp
saml.entity.id=liferaysamlspdemo
saml.metadata.path="url to idp metadata using https"
saml.require.ssl=true
saml.sign.metadata=true

## KEYSTORE
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.credential.password[liferaysamlspdemo]=liferay

## Service Provider
saml.sp.default.idp.entity.id=idpentityid
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.sp.user.attribute.mappings=screenName=screenName
Mika Koivisto, modified 11 years ago.

RE: Saml plugin exception Unknown peer entity id

Liferay Legend, Posts: 1519, Join date: 7/08/06
The exception says it all. It doesn't seem to have metadata for idpentityid, so either your IdP entity ID is different or it has failed to retrieve metadata for it. Can you post the metadata for your IdP?
Carlos Andonaegui, modified 11 years ago.

RE: Saml plugin exception Unknown peer entity id

New Member, Posts: 6, Join date: 11/12/12
I don't think so; the IdP is the production one at the company I work for. Maybe I can explain what I'm doing.

When I look up the metadata in the browser at https://hostname/simplesaml/saml2/idp/metadata.php it asks me for a password and then shows me the metadata, and the entityID that comes in the metadata is the one I'm using.

I think the password is the part I'm missing, but I don't know what the name of that property is in portal-ext.properties.
Mika Koivisto, modified 11 years ago.

RE: Saml plugin exception Unknown peer entity id

Liferay Legend, Posts: 1519, Join date: 7/08/06
There is no property for that. If the metadata is not accessible without a password, then you need to download it and place it in ${liferay.home}/data/saml/ for instance, and refer to it in your saml.metadata.path property.
Carlos Andonaegui, modified 11 years ago.

RE: Saml plugin exception Unknown peer entity id

New Member, Posts: 6, Join date: 11/12/12
OK, I did what you said:
downloaded the metadata, put it in ${liferay.home}/data/saml/simplesaml-metadata.xml
and modified my portal-ext.properties:
saml.enabled=true
saml.role=sp
saml.entity.id=liferaysamlspdemo
saml.metadata.path=${liferay.home}/data/saml/simplesaml-metadata.xml
saml.require.ssl=true
saml.sign.metadata=true

I copied and pasted the entityID from simplesaml-metadata.xml into my properties file and still get the same exception.

I redeployed the plugin and restarted Liferay and still get the same.
Mika Koivisto, modified 11 years ago.

RE: Saml plugin exception Unknown peer entity id

Liferay Legend, Posts: 1519, Join date: 7/08/06
Ah, I see the problem. The property name is saml.metadata.paths, not saml.metadata.path; note the missing S.
Carlos Andonaegui, modified 11 years ago.

RE: Saml plugin exception Unknown peer entity id

New Member, Posts: 6, Join date: 11/12/12
Thank you Mika, that was the problem.
Carlos Andonaegui, modified 11 years ago.

RE: Saml plugin exception Unknown peer entity id

New Member, Posts: 6, Join date: 11/12/12
Hi Mika, I'm finally not getting errors on the login call and response, but the portal is not authenticating the user; on the redirect it goes back to the Liferay welcome page.

This is the final log I get.

I hope you can give me some idea.

23:34:12,013 DEBUG [DigesterOutputStream:?] <xml response>
23:34:12,013 DEBUG [Reference:?] Verification successful for URI "#_51c1fd6028546c87d63b816c6b990ee82c2027e2d3"
23:34:12,013 DEBUG [Manifest:?] The Reference has Type

Here is the response if you need it:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_51c1fd6028546c87d63b816c6b990ee82c2027e2d3" IssueInstant="2013-01-14T23:34:56Z" Version="2.0"><saml:Issuer>https://googlesso.xxxxx.com/simplesaml/saml2/idp/metadata.php</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent" SPNameQualifier="liferaysamlspdemo">user.name@xxxxx.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_1b13ec635586acee99b34eda437027633df28faf" NotOnOrAfter="2013-01-14T23:39:56Z" Recipient="http://172.24.91.117:8080/c/portal/saml/acs">
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2013-01-14T23:34:26Z" NotOnOrAfter="2013-01-14T23:39:56Z">
<saml:AudienceRestriction><saml:Audience>liferaysamlspdemo</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2013-01-14T19:01:47Z" SessionIndex="_5291d785a4533fd608eb01d78de8374d3126396e7d" SessionNotOnOrAfter="2013-01-15T07:34:56Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">name</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="extensionAttribute5" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.name@xxxxx.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="sAMAccountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user_name</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Mika Koivisto, modified 11 years ago.

RE: Saml plugin exception Unknown peer entity id

Liferay Legend, Posts: 1519, Join date: 7/08/06
The problem is the NameID: it's an email address, but it says the format is urn:oasis:names:tc:SAML:1.1:nameid-format:persistent, which means the SP interprets it as screenName. You can either change the format to emailAddress or you can change the NameID value to the screenName. Those are the only options currently without modifying code. I've planned to add more flexibility to the SP configuration in future versions.
Carlos Andonaegui, modified 11 years ago.

RE: Saml plugin exception Unknown peer entity id

New Member, Posts: 6, Join date: 11/12/12
I checked both cases, but still no login and no user is added; also I'm not getting any error in the logs.

Perhaps it could be the attribute names and how I'm mapping them.

saml-response:

<saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">name</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="extensionAttribute5" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.name@xxxxx.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sAMAccountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user_name</saml:AttributeValue></saml:Attribute>

portal-ext.properties:

saml.sp.user.attribute.mappings=screenName=sAMAccountName\nemailAddress=extensionAttribute5\nfirstName=givenName\nlastName=sn

I keep reading about attribute mapping and simplesamlphp configuration.
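Added example, not code from the thread or from the Liferay SAML plugin (Python rather than the plugin's Java): it parses the assertion posted above, applies the checks an SP has to make before trusting a bearer assertion (validity window with the thread's 3000 ms clock skew, Audience, Recipient, InResponseTo), then resolves the Liferay user fields the way Mika describes, with a persistent NameID read as screenName, and applies the saml.sp.user.attribute.mappings value from the post above. The trimmed assertion, ACS URL, entity ID and timestamps are copied from the thread; the `validate`, `resolve_user` and `load` names and the keys of the returned dict are this example's own.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "liferaysamlspdemo"                          # saml.entity.id in the thread
ACS_URL = "http://172.24.91.117:8080/c/portal/saml/acs"    # Recipient in the posted assertion
CLOCK_SKEW = timedelta(milliseconds=3000)                   # saml.sp.clock.skew=3000

# Trimmed copy of the assertion posted above (xsi attributes and the signature omitted).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_51c1fd6028546c87d63b816c6b990ee82c2027e2d3" IssueInstant="2013-01-14T23:34:56Z" Version="2.0">
<saml:Issuer>https://googlesso.xxxxx.com/simplesaml/saml2/idp/metadata.php</saml:Issuer>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent" SPNameQualifier="liferaysamlspdemo">user.name@xxxxx.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_1b13ec635586acee99b34eda437027633df28faf" NotOnOrAfter="2013-01-14T23:39:56Z" Recipient="http://172.24.91.117:8080/c/portal/saml/acs"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2013-01-14T23:34:26Z" NotOnOrAfter="2013-01-14T23:39:56Z"><saml:AudienceRestriction><saml:Audience>liferaysamlspdemo</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="sn"><saml:AttributeValue>name</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="givenName"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="extensionAttribute5"><saml:AttributeValue>user.name@xxxxx.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="sAMAccountName"><saml:AttributeValue>user_name</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

# saml.sp.user.attribute.mappings exactly as written in portal-ext.properties; the
# literal \n is the .properties escape for a newline between field=attribute pairs.
MAPPINGS = r"screenName=sAMAccountName\nemailAddress=extensionAttribute5\nfirstName=givenName\nlastName=sn"

def ts(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")
def load(xml_text=ASSERTION): return ET.fromstring(xml_text)
def validate(root, now, in_response_to):
    """Return the reasons a bearer assertion must be rejected (empty list means accept)."""
    errs, now = [], ts(now)
    cond = root.find("saml:Conditions", NS)
    if now + CLOCK_SKEW < ts(cond.get("NotBefore")): errs.append("not yet valid")
    if now - CLOCK_SKEW >= ts(cond.get("NotOnOrAfter")): errs.append("expired")
    if SP_ENTITY_ID not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        errs.append("audience mismatch")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != ACS_URL: errs.append("recipient mismatch")
    if scd.get("InResponseTo") != in_response_to: errs.append("InResponseTo is not our AuthnRequest ID")
    return errs

def resolve_user(root, mappings=MAPPINGS):
    """Apply the rules from the thread: a persistent NameID is read as screenName, an
    emailAddress NameID as emailAddress; attributes are then mapped onto Liferay fields."""
    nameid = root.find(".//saml:NameID", NS)
    fmt = nameid.get("Format").rsplit(":", 1)[1]   # trailing token, so 1.1 and 2.0 URNs both match
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    fields = dict(line.split("=", 1) for line in mappings.replace("\\n", "\n").splitlines())
    return {"nameid_field": {"persistent": "screenName", "emailAddress": "emailAddress"}[fmt],
            "nameid_value": nameid.text,
            "attributes": {field: attrs.get(attr) for field, attr in fields.items()}}
```

On the posted assertion the checks pass, but `resolve_user` reports the NameID as a screenName of `user.name@xxxxx.com` while the attribute mapping yields a screenName of `user_name`, which is exactly the mismatch Mika points out.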
Kapil Burange, modified 9 years ago.

RE: Saml plugin exception Unknown peer entity id

New Member, Posts: 4, Join date: 4/09/14
Hi Mika,

I want to add a service provider to my Liferay IdP.
On the Service Provider end they are not generating the metadata.xml;
in that case, how can we generate the service provider's metadata.xml on Liferay and then configure it for SSO?

We are stuck on this and waiting for a response.
Please reply.

Thanks,
Kapil