By: ved singh user 10 Aug 2017 at 11:05 p.m. CDT

2 Responses
Hi, I'm trying to establish TR which is failing. Log file (/opt/gluu/jetty/identity/logs/oxtrust.log) has an entry:

```
2017-08-11 03:36:32,332 INFO [qtp274064559-15] [org.gluu.oxtrust.action.UpdateTrustRelationshipAction] (UpdateTrustRelationshipAction.java:304) - There is no resource found Uri : https://ec2-52-3-227-235.compute-1.amazonaws.com/webcm/rest/metadata
```

Not sure as to why Gluu is not able to find the resource. Just to ensure that there is no environment/connection related issue between SP and Gluu, I was able to telnet to the SP host/port from within the Gluu container. I was also able to verify SSL connectivity between SP and Gluu using the command

```
openssl s_client -connect <SERVICE_PROVIDER_HOST>:<PORT> -debug
```

Here's the SP SAML metadata:

```
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2017-08-12T15:04:34Z" cacheDuration="PT604800S" entityID="www.ew.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDczCCAzGgAwIBAgIEXYDk9DALBgcqhkjOOAQDBQAwgYoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTELMAkGA1UEBxMCTlkxGTAXBgNVBAoTEFNhcGllbnRSYXpvcmZpc2gxEzARBgNVBAsTClRlY2hub2xvZ3kxMTAvBgNVBAMTKGVjMi01Mi0zLTIyNy0yMzUuY29tcHV0ZS0xLmFtYXpvbmF3cy5jb20wHhcNMTcwNzE4MjIxMzEwWhcNMTcxMDE2MjIxMzEwWjCBijELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5ZMQswCQYDVQQHEwJOWTEZMBcGA1UEChMQU2FwaWVudFJhem9yZmlzaDETMBEGA1UECxMKVGVjaG5vbG9neTExMC8GA1UEAxMoZWMyLTUyLTMtMjI3LTIzNS5jb21wdXRlLTEuYW1hem9uYXdzLmNvbTCCAbgwggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQBTDv+z0kqA4GFAAKBgQDnYcdITDJ51nWJQkQmxwy/V7uuE1ZQoooKHYfCuk9P5iHq7vYMbX1jNmE+97K6egHVhE64V/NUw+I2OgO9BE4wwUL2Ple/eAybuwr9X59eY8lpOQHzA9mpinNA6D1flWzpzep0ZfKqRQZ4WG/drjv9xm3b3dQc8gwYE2oTxM9TMKMhMB8wHQYDVR0OBBYEFMCeDWej4fL6WYGyLYMH4YnTSNG4MAsGByqGSM44BAMFAAMvADAsAhRlo8XGwK7u340gduPNzQa2TQ9ZUAIUVrMxHu8s8HpAtOucyUD3zO8AKz4=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8090/webcm/logout.do"></md:SingleLogoutService>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8090/webcm/login.do" index="1"></md:AssertionConsumerService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

By Mohib Zico staff 11 Aug 2017 at 1:18 a.m. CDT

Somehow it's related to network for sure. SP's self-signed cert is another point. Use 'File' method instead of URI to create trust relationship.

By ved singh user 11 Aug 2017 at 12:55 p.m. CDT

Hi Mohib - Thanks for the response. Using 'File' method worked but 'URI' approach is still failing with same error message. On digging further into the code "UpdateTrustRelationshipAction.java" and simulating it outside Gluu container (by calling the URL from a standalone class using the same approach)

```
import java.net.HttpURLConnection;
import java.net.URL;

public boolean existsResourceUri(String URLName) {
    try {
        HttpURLConnection.setFollowRedirects(false);
        // note : you may also need
        // HttpURLConnection.setInstanceFollowRedirects(false)
        HttpURLConnection con = (HttpURLConnection) new URL(URLName).openConnection();
        // HEAD request: only the status line and headers are fetched
        con.setRequestMethod("HEAD");
        return (con.getResponseCode() == HttpURLConnection.HTTP_OK);
    } catch (Exception e) {
        e.printStackTrace();
        return false;
    }
}
```

I see that it returns response code as 500. That's the reason why it should be failing for Gluu as well. Now the question here is why the URL is working fine through browser (returns response code 200) and failing for Java (returns response code 500)? I'm debugging at my end but any guidance you can provide will be very great and highly appreciated.
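The check quoted in the post above sends a HEAD request, while a browser loading the same address sends GET. The following is an added example, not code from the thread or from oxTrust, that probes one URL with both methods so the two status codes can be compared. The class name `MetadataProbe`, the `probe` helper and the local stand-in server are assumptions made for the demonstration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.nio.charset.StandardCharsets;

public class MetadataProbe {

    // Send one request with the given method and return the HTTP status code.
    // Redirects are not followed, matching the check quoted in the thread.
    static int probe(String url, String method) throws Exception {
        HttpURLConnection con = (HttpURLConnection) URI.create(url).toURL().openConnection();
        con.setInstanceFollowRedirects(false);
        con.setRequestMethod(method);
        con.setConnectTimeout(5000);
        con.setReadTimeout(5000);
        try {
            return con.getResponseCode();
        } finally {
            con.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for an SP metadata endpoint: it serves GET but
        // fails every other method, HEAD included (an assumption for the demo).
        HttpServer sp = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        sp.createContext("/webcm/rest/metadata", ex -> {
            if ("GET".equals(ex.getRequestMethod())) {
                byte[] body = "<md:EntityDescriptor/>".getBytes(StandardCharsets.UTF_8);
                ex.sendResponseHeaders(200, body.length);
                try (OutputStream os = ex.getResponseBody()) { os.write(body); }
            } else {
                ex.sendResponseHeaders(500, -1); // -1: no response body
                ex.close();
            }
        });
        sp.start();
        // Use the URL given on the command line, else the local stand-in.
        String url = args.length > 0 ? args[0]
                : "http://127.0.0.1:" + sp.getAddress().getPort() + "/webcm/rest/metadata";
        try {
            System.out.println("HEAD -> " + probe(url, "HEAD"));
            System.out.println("GET  -> " + probe(url, "GET"));
        } finally {
            sp.stop(0);
        }
    }
}
```

Pass the real metadata URL as the first argument to probe the SP instead of the stand-in. A TLS trust failure against an `https` endpoint surfaces as an exception rather than a status code.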