
SAML protocol signature issue in Liferay SP

Updated 9 years ago by Rahul Jaiswal.

SAML protocol signature issue in Liferay SP

New Member Posts: 10 Join Date: 11/07/06
Hello,

I am configuring Liferay 6.1 EE sp3 as a service provider (SP) and TFIM as identity provider (IDP).

I have used Liferay's SAML plugin for EE.

When I click on sign-in page, it is taking me to TFIM login page.

After authentication it is redirecting me back to Liferay but not signing me in.

I am getting following error message in log:

18:20:24,951 INFO [http-bio-8080-exec-16][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:125] SAML protocol message was not signed, skipping XML signature processing
18:20:24,952 ERROR [http-bio-8080-exec-16][MandatoryAuthenticatedMessageRule:82] Inbound message issuer was not authenticated.
18:20:24,953 ERROR [http-bio-8080-exec-16][BaseSamlStrutsAction:45] com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
at com.liferay.saml.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:165)
at com.liferay.saml.profile.WebSsoProfileUtil.processResponse(WebSsoProfileUtil.java:50)


This is expecting signature on SAML protocol message.

Is this signature mandatory? Can we not configure the SAML plugin to ignore the signature?

What will be the best way to fix this issue?
Updated 9 years ago by Rahul Jaiswal.

RE: SAML protocol signature issue in Liferay SP

New Member Posts: 10 Join Date: 11/07/06
My TFIM as IDP is generating signature at assertion level but not on SAML response level.

But Liferay's SAML plugin is always expecting signature on SAML response.

There is no effect of setting saml.sp.sign.authn.request=false

If I use Liferay as IDP then Liferay is always generating signature on SAML response, no matter whether saml.sp.sign.authn.request is set to true or false.

It will be great help, if anyone can share any idea or resolution.
Updated 9 years ago by Tomas Dusek.

RE: SAML protocol signature issue in Liferay SP

New Member Posts: 2 Join Date: 14/06/11
Hello,
did anyone find a solution to this issue? We are facing the same problem.

Thanks in advance
Updated 9 years ago by Corné Aussems.

RE: SAML protocol signature issue in Liferay SP

Liferay Legend Posts: 1313 Join Date: 06/10/03
I suffer from the same; it suddenly popped up, apparently after changing the "Name Identifier Format" to "Persistant".


09:05:30,058 INFO  [http-bio-8080-exec-5][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:125] SAML protocol message was not signed, skipping XML signature processing
09:05:30,058 ERROR [http-bio-8080-exec-5][MandatoryAuthenticatedMessageRule:82] Inbound message issuer was not authenticated.
09:05:30,058 ERROR [http-bio-8080-exec-5][BaseSamlStrutsAction:45] com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
	at com.liferay.saml.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:166)
	at com.liferay.saml.profile.WebSsoProfileUtil.processResponse(WebSsoProfileUtil.java:50)
	at com.liferay.saml.hook.action.AssertionConsumerServiceAction.doExecute(AssertionConsumerServiceAction.java:38)


Hmm, quite strange behaviour, because I can't set anything straight anymore.
Updated 9 years ago by Tomas Polesovsky.

RE: SAML protocol signature issue in Liferay SP

Liferay Master Posts: 676 Join Date: 09/02/13
Hi guys, try to configure the IdP to sign the whole SAML message. I think the Liferay SAML plugin doesn't take assertion signatures into account.
Updated 9 years ago by Rahul Jaiswal.

RE: SAML protocol signature issue in Liferay SP

New Member Posts: 10 Join Date: 11/07/06
I was able to fix this by turning ON all signatures on the SAML message at the IDP side.

The Liferay SAML plugin always expects a signature on all messages. I could not find a way to turn off this signature check from any configuration.
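The distinction the thread turns on is where the ds:Signature sits: the SP's protocol-message rule looks for a Signature that is a direct child of samlp:Response, and a signature that is only inside saml:Assertion does not satisfy it. The following is an added diagnostic example, not Liferay or OpenSAML code; the two Response documents are constructed skeletons with placeholder Signature elements, so it is a structural check only and performs no cryptographic verification.

```python
"""Report whether a SAML 2.0 Response is signed at protocol or assertion level."""
import xml.etree.ElementTree as ET

# Standard SAML 2.0 / XML-DSig namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS_SIG = "{%s}Signature" % NS["ds"]


def signature_scopes(xml_text):
    """Return the set of elements carrying a ds:Signature as a direct child.

    "protocol"  -> the <samlp:Response> itself is signed (what the SP rule wants)
    "assertion" -> an enclosed <saml:Assertion> is signed (TFIM's default here)
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    scopes = set()
    if any(child.tag == DS_SIG for child in root):
        scopes.add("protocol")
    for assertion in root.findall("saml:Assertion", NS):
        if any(child.tag == DS_SIG for child in assertion):
            scopes.add("assertion")
    return scopes


def sp_would_accept(xml_text):
    """Mirror the rule from the log: the protocol message itself must be signed."""
    return "protocol" in signature_scopes(xml_text)


# Constructed sample messages; the Signature bodies are placeholders, not real XML-DSig.
_SIG = '<ds:Signature xmlns:ds="%s"><ds:SignedInfo/></ds:Signature>' % NS["ds"]


def build_response(sign_response, sign_assertion):
    """Build a skeletal Response with signatures at the requested levels."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
        % (NS["samlp"], NS["saml"])
        + (_SIG if sign_response else "")
        + '<saml:Assertion ID="_a1" Version="2.0">'
        + "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        + (_SIG if sign_assertion else "")
        + "</saml:Assertion></samlp:Response>"
    )


ASSERTION_ONLY_SIGNED = build_response(sign_response=False, sign_assertion=True)
RESPONSE_SIGNED = build_response(sign_response=True, sign_assertion=False)
```

Running signature_scopes over a real Response captured from the IdP (for example via the browser's network tab, base64-decoded) tells you within seconds which side of this thread's problem you are on, before the SP validates the signature against the IdP metadata.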
Updated 9 years ago by Corné Aussems.

RE: SAML protocol signature issue in Liferay SP

Liferay Legend Posts: 1313 Join Date: 06/10/03
Thanks Tomas and Rahul,

Due to holiday and work I was not able to continue on this and respond properly.

So I will now try to find out how I can force my IdP Shibboleth to sign all messages.
There are a lot of config files, so one should be it.

Keep you posted.

Regards
Corné
Updated 9 years ago by Corné Aussems.

RE: SAML protocol signature issue in Liferay SP

Liferay Legend Posts: 1313 Join Date: 06/10/03
Hi guys,
Just want to let you know that after several hours of trial and error I finally succeeded in setting up Shibboleth as SAML2 IDP.

Indeed, as Tomas suggested, the first step was to sign all responses.
Secondly, encryptAssertions should be set to never.

<rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true" assertionLifetime="PT5M" assertionProxyCount="0" signResponses="always" signAssertions="never" encryptAssertions="never" encryptNameIds="never" />


Once I will type a blog about the whole endeavour.

Once again thanks for the very useful push in the right direction.

Cheers
Updated 9 years ago by Rahul Jaiswal.

RE: SAML protocol signature issue in Liferay SP

New Member Posts: 10 Join Date: 11/07/06
Thanks Corné, for sharing your workaround on Shibboleth.