Liferay as SAML SL and WSO2 IDP

Updated 7 years ago by Martijn Jongen.

Liferay as SAML SL and WSO2 IDP

New Member, Posts: 9, Join Date: 16/06/01
Hi All,

I'm trying to configure Liferay as a SAML SP connected to a WSO2 IDP in a test environment. The issue I'm facing is that the SAML response signature validation fails, however when I validate the response using an online tool (https://www.samltool.com/validate_response.php) the signature validates fine. (There are two other errors, Invalid issuer in the Assertion/Response and Reference validation failed, but I plan to worry about those later.)

The log says this:
06:33:14,422 ERROR [http-bio-8080-exec-3][BaseSamlStrutsAction:45] com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
com.liferay.saml.SamlException: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
at com.liferay.saml.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:167)
at com.liferay.saml.profile.WebSsoProfileUtil.processResponse(WebSsoProfileUtil.java:50)

Any clue what I'm missing here?

oops: wrong category.. can I move posts?

thanks,

martijn
Updated 7 years ago by Mika Koivisto.

RE: Liferay as SAML SL and WSO2 IDP

Liferay Legend, Posts: 1519, Join Date: 06/08/07
The whole response has to be signed not just the assertion. The error message is saying it wasn't able to verify the sender of the message and that verification is done via Response signature.
Updated 7 years ago by Martijn Jongen.

RE: Liferay as SAML SL and WSO2 IDP

New Member, Posts: 9, Join Date: 16/06/01
Hi,

Response signing is enabled at the IDP, what I now did is import the root certificate of the IDP in the keystore of the SP, that worked. In that way, I am now facing the next error:

09:40:32,259 INFO [http-bio-8080-exec-9][SAMLProtocolMessageXMLSignatureSecurityPolicyRule:134] Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
09:40:32,274 ERROR [http-bio-8080-exec-9][BaseSamlStrutsAction:45] com.liferay.saml.SamlException: Unable to resolve metadata for issuer localhost
com.liferay.saml.SamlException: Unable to resolve metadata for issuer localhost

Is this the same metadata as what is stored in the db? Because there the id is wso2idp and not localhost...

Thanks
Updated 7 years ago by Mika Koivisto.

RE: Liferay as SAML SL and WSO2 IDP

Liferay Legend, Posts: 1519, Join Date: 06/08/07
Your IdP is sending the issuer as localhost, not as wso2idp:
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer>

That is why it's not able to resolve the metadata.
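The two failures in this thread (Response not signed as a whole, and a Response Issuer that does not match the entity ID the SP has the IdP registered under) can be spotted on the raw XML before it ever reaches Liferay. The following is an added example, not code from the thread or from Liferay; the sample Response and the entity IDs "localhost" and "wso2idp" are constructed to mirror the posts above, and the script only checks structure, it does not verify the signature cryptographically.

```python
# Structural pre-check of a SAML 2.0 Response for the two SP-side rejections
# discussed in the thread. Standard library only; no signature verification.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_response(xml_text, expected_idp_entity_id):
    """Return the list of reasons an SP would reject this Response (empty if none)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not a samlp:Response"]
    # The protocol-message signature check looks for a ds:Signature that is a
    # direct child of the Response; a signature inside the Assertion only
    # does not satisfy it (this is the first error in the thread).
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed (only the Assertion may be)")
    # The Response Issuer must equal the IdP entity ID held in SP metadata,
    # otherwise metadata resolution fails (the second error in the thread).
    issuer = root.find("saml:Issuer", NS)
    issuer_text = issuer.text.strip() if issuer is not None and issuer.text else ""
    if issuer_text != expected_idp_entity_id:
        problems.append("issuer %r does not match configured IdP entity ID %r"
                        % (issuer_text, expected_idp_entity_id))
    return problems

# Constructed sample: only the Assertion carries a signature, and the Issuer
# says "localhost" while the SP knows the IdP as "wso2idp".
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>localhost</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for p in check_response(SAMPLE, "wso2idp"):
        print("PROBLEM:", p)
```

Running it against the constructed sample reports both problems; fixing the IdP so that the Response itself is signed and its Issuer equals the registered entity ID makes the list empty.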