Message Boards

Integrating DXP 7 with WSO2 Identity Server for SAML authentication

Raihaan Cassim, modified 7 years ago.

Integrating DXP 7 with WSO2 Identity Server for SAML authentication

New Member, Posts: 14, Join Date: 16-8-31
Hi all,

I'm trying to integrate Liferay DXP7 (7.0 ga1) with WSO2's Identity Server 5.2.0 using the Liferay SAML 2.0 Provider.

Obviously since I'm posting here I've not had any joy in getting this to work. I've referenced a number of blogs in trying to set this up without any success. The main ones being:-
Yenlo blog
WSO2 IS Tutorial

I've set up the Identity Provider and the Service Provider within IS as described on the referenced sites. I've then created the keystore and copied over the certificate as well. I've updated the portal-ext.properties file to contain the new config lines.

Both apps start up without incident. What happens is that when I click the 'Sign In' link in Liferay I'm presented with a blank page and an error in Liferay. The stack trace is as follows:-

2016-10-18 11:18:02 ERROR SamlSpSsoFilter:61 - com.liferay.saml.SamlException: org.opensaml.saml2.metadata.provider.MetadataProviderException: java.lang.NullPointerException
com.liferay.saml.SamlException: org.opensaml.saml2.metadata.provider.MetadataProviderException: java.lang.NullPointerException
	at com.liferay.saml.profile.WebSsoProfileImpl.sendAuthnRequest(WebSsoProfileImpl.java:188)
	at com.liferay.saml.profile.WebSsoProfileUtil.sendAuthnRequest(WebSsoProfileUtil.java:55)
	at com.liferay.saml.hook.filter.SamlSpSsoFilter.login(SamlSpSsoFilter.java:124)
	at com.liferay.saml.hook.filter.SamlSpSsoFilter.processFilter(SamlSpSsoFilter.java:146)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.liferay.portal.kernel.bean.ClassLoaderBeanHandler.invoke(ClassLoaderBeanHandler.java:67)
	at com.sun.proxy.$Proxy660.doFilter(Unknown Source)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
	at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
	at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
	at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
	at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394)
	at com.liferay.portal.servlet.filters.urlrewrite.UrlRewriteFilter.processFilter(UrlRewriteFilter.java:65)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:115)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: java.lang.NullPointerException
	at com.liferay.saml.metadata.MetadataManagerImpl.getEntityDescriptor(MetadataManagerImpl.java:180)
	at com.liferay.saml.metadata.MetadataManagerUtil.getEntityDescriptor(MetadataManagerUtil.java:52)
	at com.liferay.saml.profile.BaseProfile.getSamlMessageContext(BaseProfile.java:167)
	at com.liferay.saml.profile.BaseProfile.getSamlMessageContext(BaseProfile.java:221)
	at com.liferay.saml.profile.WebSsoProfileImpl.doSendAuthnRequest(WebSsoProfileImpl.java:624)
	at com.liferay.saml.profile.WebSsoProfileImpl.sendAuthnRequest(WebSsoProfileImpl.java:178)
	... 47 more
Caused by: java.lang.NullPointerException
	at org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager.getFactory(KeyInfoGeneratorManager.java:77)
	at com.liferay.saml.util.OpenSamlUtil.buildKeyInfo(OpenSamlUtil.java:591)
	at com.liferay.saml.metadata.MetadataGeneratorUtil.buildSpSsoDescriptor(MetadataGeneratorUtil.java:197)
	at com.liferay.saml.metadata.MetadataGeneratorUtil.buildSpEntityDescriptor(MetadataGeneratorUtil.java:153)
	at com.liferay.saml.metadata.MetadataManagerImpl.getEntityDescriptor(MetadataManagerImpl.java:171)
	... 52 more
2016-10-18 11:18:03 DEBUG PoolingHttpClientConnectionManager:133 - Closing expired connections


Clearly something is missing - but the question is what? Anyone have any ideas as to what's amiss? I've been plugging away at this for quite some time and I'm not making any headway.

Would greatly appreciate any assistance in debugging and resolving this.

Thanks
Raihaan Cassim, modified 7 years ago.

RE: Integrating DXP 7 with WSO2 Identity Server for SAML authentication

New Member, Posts: 14, Join Date: 16-8-31
To answer my own question :-) ...

I was able to get this working eventually. I can't say for sure what the exact cause of my troubles was but I managed to solve my problems by configuring the SAML plugin via the UI rather than using portal-ext.properties. It appears to me that the two main problems were
1) plugin didn't like the idea of the metadata URL being HTTP as opposed to HTTPS.
2) metadata.xml was not being read from the location as set in the portal-ext.properties file.

Once I corrected these two points I was able to make progress and have now managed to successfully authenticate and log in.
Albin M., modified 7 years ago.

RE: Integrating DXP 7 with WSO2 Identity Server for SAML authentication

New Member, Posts: 2, Join Date: 16-2-10
Hi Cassim,

I have a problem with the Attribute Mapping added through the SAML Admin UI. This is my current mapping:

screenName=http://wso2.org/claims/givenname
emailAddress=http://wso2.org/claims/emailaddress
firstName=http://wso2.org/claims/givenname
lastName=http://wso2.org/claims/lastname

but it doesn't work. I got an error: com.liferay.portal.kernel.exception.UserScreenNameException$MustNotBeNull: Screen name must not be null for user 34527

Can you please post your working Attribute Mapping?

Thanks!
Albin
Raihaan Cassim, modified 7 years ago.

RE: Integrating DXP 7 with WSO2 Identity Server for SAML authentication

New Member, Posts: 14, Join Date: 16-8-31
Hi,

My mapping looks like this:-

im=http://wso2.org/claims/im
emailAddress=http://wso2.org/claims/emailaddress
firstName=http://wso2.org/claims/givenname
lastName=http://wso2.org/claims/lastname


I think your problem is that there's no value for givenName for that user in Identity Server. You can verify this by viewing the user's profile inside IS.

Fill in all fields for the user in IS and then try logging in again.
Raihaan Cassim, modified 7 years ago.

RE: Integrating DXP 7 with WSO2 Identity Server for SAML authentication

New Member, Posts: 14, Join Date: 16-8-31
Sorry, looks like I spoke too soon. I get the below error for any user other than the test user that's created at start up time.

11:17:48,173 ERROR [http-nio-8080-exec-9][BaseSamlStrutsAction:46] com.liferay.portal.kernel.exception.UserScreenNameException$MustNotBeNull: Screen name must not be null for user 40600
com.liferay.portal.kernel.exception.UserScreenNameException$MustNotBeNull: Screen name must not be null for user 40600


Still looking into it and will update this thread if I figure out more.
Jan Rodan, modified 6 years ago.

RE: Integrating DXP 7 with WSO2 Identity Server for SAML authentication

New Member, Posts: 7, Join Date: 12-6-1
Raihaan Cassim:
Sorry, looks like I spoke too soon. I get the below error for any user other than the test user that's created at start up time.

11:17:48,173 ERROR [http-nio-8080-exec-9][BaseSamlStrutsAction:46] com.liferay.portal.kernel.exception.UserScreenNameException$MustNotBeNull: Screen name must not be null for user 40600
com.liferay.portal.kernel.exception.UserScreenNameException$MustNotBeNull: Screen name must not be null for user 40600


Still looking into it and will update this thread if I figure out more.



Hi,

Have you figured out the reason? I'm currently getting the same error. I think we have an issue with some SAML settings.

Thanks

Jan
Naresh Reddy Kallamadi, modified 6 years ago.

RE: Integrating DXP 7 with WSO2 Identity Server for SAML authentication

Regular Member, Posts: 120, Join Date: 14-7-9
Hi Jan,

Map the first attribute like below:


screenName=http://wso2.org/claims/im
emailAddress=http://wso2.org/claims/emailaddress
firstName=http://wso2.org/claims/givenname
lastName=http://wso2.org/claims/lastname


or try the reverse:

http://wso2.org/claims/im=screenName
http://wso2.org/claims/emailaddress=emailAddress
http://wso2.org/claims/givenname=firstName
http://wso2.org/claims/lastname=lastName

Thanks,
Naresh kallamadi.
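The attribute mappings traded in this thread (Cassim's `im=...` version, the `screenName=http://wso2.org/claims/im` version and the reversed form) all have the same failure mode: if the local field Liferay needs to create the user is either not mapped at all, or mapped to a claim the IdP does not send for that user, the resolved value is null and user creation fails with the `UserScreenNameException$MustNotBeNull` seen above. Failing closed there is the right behaviour for an SP, since the alternative is a half-populated account, but it is painful to debug from the exception alone. The script below is an added example, not code from Liferay or WSO2: it parses a mapping in the `local=remote` form the posts use, applies it to the `AttributeStatement` of a SAML assertion, and reports which required fields would come out null. Assumptions, all mine: the required field list (`screenName`, `emailAddress`, `firstName`, `lastName`), the constructed sample user profiles, and the choice to accept either orientation of a mapping line by treating the side containing `://` as the remote claim name (that is a convenience of this tool, not a claim about what the Liferay UI accepts).

```python
"""Check a Liferay-style SAML attribute mapping against an assertion.

Added example (not Liferay or WSO2 code).  Given the mapping text from the
SAML Admin UI and an assertion, it resolves each local user field and lists
the required fields that would be null, which is the condition behind
"Screen name must not be null" in the thread above.
"""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# Assumption: the user fields Liferay insists on when creating a SAML user.
REQUIRED_FIELDS = ("screenName", "emailAddress", "firstName", "lastName")

# The three mappings discussed in the thread, verbatim.
MAPPING_IM = """
im=http://wso2.org/claims/im
emailAddress=http://wso2.org/claims/emailaddress
firstName=http://wso2.org/claims/givenname
lastName=http://wso2.org/claims/lastname
"""
MAPPING_SCREENNAME = """
screenName=http://wso2.org/claims/im
emailAddress=http://wso2.org/claims/emailaddress
firstName=http://wso2.org/claims/givenname
lastName=http://wso2.org/claims/lastname
"""
MAPPING_REVERSED = """
http://wso2.org/claims/im=screenName
http://wso2.org/claims/emailaddress=emailAddress
http://wso2.org/claims/givenname=firstName
http://wso2.org/claims/lastname=lastName
"""

# Constructed sample profiles (not captured data).  The first has no "im" value,
# which is the situation the thread's error reports describe.
PROFILE_NO_IM = {
    "http://wso2.org/claims/emailaddress": "jane.doe@example.com",
    "http://wso2.org/claims/givenname": "Jane",
    "http://wso2.org/claims/lastname": "Doe",
}
PROFILE_WITH_IM = dict(PROFILE_NO_IM, **{"http://wso2.org/claims/im": "jdoe"})


def parse_mapping(text):
    """Parse 'local=remote' lines into {local_field: remote_attribute_name}.

    A line written the other way round (remote=local) is normalised by taking
    the side that contains '://' as the remote claim name.  Accepting both
    orientations is a convenience of this tool, not Liferay behaviour.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("mapping line without '=': %r" % line)
        left, right = (part.strip() for part in line.split("=", 1))
        if "://" in left and "://" not in right:
            left, right = right, left
        if left in mapping:
            raise ValueError("local field mapped twice: %r" % left)
        mapping[left] = right
    return mapping


def build_assertion(claims):
    """Build a minimal constructed saml2:Assertion with one Attribute per claim."""
    root = ET.Element("{%s}Assertion" % SAML2, {"ID": "_constructed", "Version": "2.0"})
    stmt = ET.SubElement(root, "{%s}AttributeStatement" % SAML2)
    for name, value in claims.items():
        attr = ET.SubElement(stmt, "{%s}Attribute" % SAML2, {"Name": name})
        ET.SubElement(attr, "{%s}AttributeValue" % SAML2).text = value
    return ET.tostring(root, encoding="unicode")


def assertion_attributes(assertion_xml):
    """Return {AttributeName: [non-empty values]} from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs


def resolve_user_fields(mapping_text, assertion_xml):
    """Apply the mapping to the assertion.

    Returns (fields, missing): fields maps each mapped local field to its first
    non-empty value or None; missing lists required fields that would be null,
    whether never mapped, mapped to an absent claim, or mapped to an empty one.
    """
    mapping = parse_mapping(mapping_text)
    attrs = assertion_attributes(assertion_xml)
    fields = {local: (attrs.get(remote) or [None])[0] for local, remote in mapping.items()}
    missing = [f for f in REQUIRED_FIELDS if fields.get(f) is None]
    return fields, missing


if __name__ == "__main__":
    for label, text in (("im", MAPPING_IM), ("screenName", MAPPING_SCREENNAME),
                        ("reversed", MAPPING_REVERSED)):
        for profile_name, profile in (("no im", PROFILE_NO_IM), ("with im", PROFILE_WITH_IM)):
            fields, missing = resolve_user_fields(text, build_assertion(profile))
            print("%-10s %-8s missing=%s" % (label, profile_name, missing))
```

Run against the constructed profiles, the `im=...` mapping leaves `screenName` unmapped and the `screenName=http://wso2.org/claims/im` mapping resolves it to nothing when the IS profile has no `im` value; both therefore report `screenName` missing, which matches the advice in the thread to fill in every field for the user in IS and to map `screenName` to a claim that is actually emitted. A real SP-side check would also verify the assertion's signature, `Conditions` and `Audience` before trusting any attribute; that is out of scope here.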