Liferay IDP SAML plugin - missing 'InResponseTo'

Graham Matthews, modified 11 years ago.

New Member. Posts: 2. Join date: 26/11/12
Hi,

I've set up the SAML IDP in Liferay 6.1 EE and have it partially working. My SAML Service Provider is Jive SBS, which uses the Spring Security Framework. I'm initiating the Sign On from the SP.

The SP complains of the following when it tries to decode the assertion:

- Processing Bearer subject confirmation
- Bearer SubjectConfirmation invalidated by missing inResponseTo field
- Assertion invalidated by subject confirmation - can't be confirmed by the bearer method


From looking at JOSSO, it seems they had the same issue with this field being missing. http://www.josso.org/jira/browse/JOSSO-332

Attached is what my SP receives from Liferay. This doesn't have the 'InResponseTo' field within 'SubjectConfirmationData'

Here is what I have configured for the IDP portal-ext.properties.

saml.enabled=true
saml.role=idp
saml.entity.id=liferaysamlidpdemo
saml.require.ssl=false
saml.sign.metadata=true
saml.idp.authn.request.signature.required=true

saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.type=jks
saml.keystore.credential.password[liferaysamlidpdemo]=liferay

saml.metadata.paths=${liferay.home}/data/saml/jive-metadata.xml
saml.idp.metadata.nameid.resolver=com.liferay.saml.DefaultNameIDResolver
saml.idp.metadata.name.id.format[http://dev102.refpod.net]=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

saml.idp.metadata.attributes.enabled=true
saml.idp.metadata.attributes.enabled[http://dev102.refpod.net]=true
saml.idp.metadata.attribute.names[http://dev102.refpod.net]=screenName,firstName,lastName,emailAddress,uuid


Also, I have managed to get the same SP to work fine with OpenAM. OpenAM does pass the following, which includes the 'InResponseTo' field.

<saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="http://id.example.org:8080/openam">TGDK0eN42EnAGM/ADfyiZH19MZ0X</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="a8ij5dii5ceagd4c6bae0ed8db656" NotOnOrAfter="2012-12-04T19:42:56Z" Recipient="http://jive.example.org/saml/sso"/>
    </saml:SubjectConfirmation>
</saml:Subject>


Any help on identifying if this is a bug or if I have configured something wrong would be much appreciated.

Thanks
Graham
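The check the SP is applying when it logs those three lines, written out as an added example (Python, not Liferay, Jive or Spring Security code): a bearer SubjectConfirmation is only confirmed if its SubjectConfirmationData names a pending AuthnRequest in InResponseTo, is addressed to this SP's ACS URL in Recipient, and has not reached NotOnOrAfter. The two Response documents are constructed here, one shaped like the OpenAM assertion above (request ID and Recipient URL taken from it) and one shaped like the poster's description of Liferay's output, with InResponseTo on the Response but not on the SubjectConfirmationData. Signature, Issuer and Audience checks are assumed to have already passed before this function runs; the consume-once handling of the request ID is my assumption about how an SP should store its outstanding requests, not something the thread states.

```python
"""SP-side bearer SubjectConfirmation check for a SAML 2.0 Response (added example)."""
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted XML
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Values from the OpenAM snippet in the thread: the AuthnRequest ID and Jive's ACS URL.
REQUEST_ID = "a8ij5dii5ceagd4c6bae0ed8db656"
RECIPIENT = "http://jive.example.org/saml/sso"


def parse_saml_instant(value):
    """Parse an xs:dateTime such as 2012-12-04T19:42:56Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_response(with_in_response_to):
    """Constructed, unsigned Response for the example.

    True mirrors the OpenAM assertion; False mirrors what the poster got from
    Liferay: InResponseTo on the Response, missing from SubjectConfirmationData.
    """
    irt = f'InResponseTo="{REQUEST_ID}" ' if with_in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2012-12-04T19:37:56Z"
    InResponseTo="{REQUEST_ID}" Destination="{RECIPIENT}">
  <saml:Issuer>liferaysamlidpdemo</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assn1" Version="2.0" IssueInstant="2012-12-04T19:37:56Z">
    <saml:Issuer>liferaysamlidpdemo</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">TGDK0eN42EnAGM/ADfyiZH19MZ0X</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData {irt}NotOnOrAfter="2012-12-04T19:42:56Z" Recipient="{RECIPIENT}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def confirm_bearer_subject(response_xml, pending_request_ids, expected_recipient, now):
    """Return (ok, reason) for the SP-initiated flow.

    pending_request_ids is the SP's store of AuthnRequest IDs it issued and has
    not yet seen answered (a set). A confirmed ID is removed, so the same bearer
    assertion cannot be replayed against this SP.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a samlp:Response"
    # The Response itself must answer one of our requests (Liferay already gets this right).
    if root.get("InResponseTo") not in pending_request_ids:
        return False, "Response InResponseTo does not match a pending AuthnRequest"
    assertion = root.find("saml:Assertion", NS)
    subject = assertion.find("saml:Subject", NS) if assertion is not None else None
    if subject is None:
        return False, "no Assertion/Subject to confirm"

    problems = []
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # only the bearer method is accepted for Web Browser SSO here
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            problems.append("bearer SubjectConfirmation has no SubjectConfirmationData")
            continue
        irt = data.get("InResponseTo")
        if irt is None:
            # The failure in the poster's log: the confirmation cannot be tied to our request.
            problems.append("bearer SubjectConfirmation invalidated by missing InResponseTo")
            continue
        if irt not in pending_request_ids:
            problems.append(f"InResponseTo {irt} is not a pending AuthnRequest")
            continue
        if data.get("Recipient") != expected_recipient:
            problems.append(f"Recipient {data.get('Recipient')} is not this SP's ACS URL")
            continue
        not_on_or_after = data.get("NotOnOrAfter")
        if not_on_or_after is None or now >= parse_saml_instant(not_on_or_after):
            problems.append("SubjectConfirmationData is missing NotOnOrAfter or has expired")
            continue
        pending_request_ids.discard(irt)  # consume the request ID: one assertion per request
        return True, f"bearer subject confirmed for AuthnRequest {irt}"

    problems.append("assertion cannot be confirmed by the bearer method")
    return False, "; ".join(problems)


if __name__ == "__main__":
    now = parse_saml_instant("2012-12-04T19:40:00Z")
    for shape in (True, False):
        print(shape, confirm_bearer_subject(build_response(shape), {REQUEST_ID}, RECIPIENT, now))
```

Run as-is, the OpenAM-shaped Response is confirmed and the Liferay-shaped one is rejected with the missing-InResponseTo reason, which is the behaviour the poster's SP log shows. An SP that also accepts IdP-initiated SSO has to relax the InResponseTo requirement for responses that answer no request of its own; the example enforces only the SP-initiated case the poster is running, since in that case an assertion without a matching InResponseTo could have been minted for any other login attempt.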
Mika Koivisto, modified 11 years ago.

RE: Liferay IDP SAML plugin - missing 'InResponseTo'

Liferay Legend. Posts: 1519. Join date: 07/08/06
That's a bug. It's missing the InResponseTo message ID from the SubjectConfirmationData: even though we are already adding it in the Response, it's missing from SubjectConfirmationData. The fix itself is very simple. Can you request a patch for it through your support account and reference this message? The issue will be fixed in LPS-31488.
Graham Matthews, modified 11 years ago.

RE: Liferay IDP SAML plugin - missing 'InResponseTo'

New Member. Posts: 2. Join date: 26/11/12
Thanks Mike for confirming this is a bug, and I see also that a fix has been committed. Fast work!

I'm actually on a 30 day trial of Liferay so I don't have a support account setup yet. I'll make my account manager aware of this issue though.

Thanks
Graham