By: khilo jammal user 15 May 2024 at 5:17 p.m. CDT

2 Responses
I am getting the Web Login Service - Message Security Error when trying to authenticate with Gluu IDP. The logs are not clear; how can I see relevant logs, or maybe debug logs? I see in the network trace that a SAML assertion request was called: `Idp/profile/SAML2/POST/SSO`, with a bad request response.

URL: `<SP url>/authorize/saml2/login?idp_id=https://sso-test.philips-ispm.com/idp/shibboleth&client_id=sp&api-version=1&redirect_uri=https%3A%2F%2F<my_app_url>%2Fauth%2Fsaml%2Finit%3FpatientId%3D1001%26redirect_method%3Dpost%26appname%3Dop`

I have attached the XML for idp/shibboleth and a screenshot of the trusted relation (maybe I need to add a new one?).

Please note: it was working all the time; since the last two weeks it has stopped, with no configuration change.

XML conf: https://sso-test.philips-ispm.com/idp/shibboleth

By Mohib Zico Account Admin 15 May 2024 at 10:37 p.m. CDT

Hi,

> Web Login Service - Message Security Error , once trying to authentication with Gluu IDP.

Most probably someone's (either Gluu Server or SP) signing or encryption certificate/s changed / updated. You can check more specific logs inside `/opt/shibboleth-idp/logs/idp-process.log` with DEBUG logging level.

BTW, Gluu CE is now behind a paywall. If you're interested, you can follow [these](https://github.com/GluuFederation/docs-gluu-server-prod/wiki/Getting-Access-to-Gluu-4-Binaries) instructions. Alternatively, we have Jans, a community edition. Please visit [here](https://docs.jans.io/v1.1.1/) to learn more.

By khilo jammal user 16 May 2024 at 4:34 a.m. CDT

Thanks for your fast response, the logs were helpful. I got the following signature failure:

```
ERROR [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:301] - Credential failed name check: [subject name]
2024-05-16 12:23:35,454 - DEBUG [org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler:142] - Message Handler: Validation of protocol message signature failed for context issuer my issuer', message type: {urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest
2024-05-16 12:23:35,455 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:202] - Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
org.opensaml.messaging.handler.MessageHandlerException: Validation of protocol message signature failed
	at org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityHandler.java:145)
2024-05-16 12:23:35,457 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: MessageAuthenticationError
2024-05-16 12:23:35,457 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:154] - No SAMLBindingContext or binding URI available, error must be handled locally
```

Shall I create a new Trust Relation? Or maybe create metadata.xml (is it applicable from Gluu admin?)
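
One way to test the changed-certificate explanation given in this thread is to compare the signing certificate declared in the SP metadata held by the trust relationship with the certificate embedded in the signed `AuthnRequest`. The following is an added example, not part of the original thread or of Gluu's code; it assumes the HTTP-POST binding with `ds:KeyInfo` present in the request, uses constructed placeholder data, and compares certificates only (it does not validate the signature).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # diagnostic use on files you collected yourself

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(b64_cert):
    """SHA-256 over the decoded certificate bytes (whitespace in the base64 is ignored)."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def metadata_signing_fingerprints(metadata_xml):
    """Certificates the SP metadata declares as usable for signing."""
    fps = set()
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute: key serves both purposes
            fps.update(fingerprint(c.text) for c in kd.iterfind(".//ds:X509Certificate", NS))
    return fps

def request_signing_fingerprint(authn_request_xml):
    """Certificate embedded in the AuthnRequest signature, or None if KeyInfo is absent."""
    cert = ET.fromstring(authn_request_xml).find(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return fingerprint(cert.text) if cert is not None else None

def signer_matches_metadata(metadata_xml, authn_request_xml):
    fp = request_signing_fingerprint(authn_request_xml)
    return fp is not None and fp in metadata_signing_fingerprints(metadata_xml)

# Constructed sample data: placeholder bytes stand in for real DER certificates.
OLD_CERT = base64.b64encode(b"constructed placeholder: previous SP signing cert").decode()
NEW_CERT = base64.b64encode(b"constructed placeholder: rotated SP signing cert").decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.test/constructed">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def sample_request(cert_b64):
    """Constructed, stripped-down AuthnRequest carrying only the KeyInfo certificate."""
    return (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:ds="{NS["ds"]}"><ds:Signature><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:AuthnRequest>')

if __name__ == "__main__":
    print("old cert:", signer_matches_metadata(SAMPLE_METADATA, sample_request(OLD_CERT)))
    print("new cert:", signer_matches_metadata(SAMPLE_METADATA, sample_request(NEW_CERT)))
```

A mismatch means the metadata held by the IdP no longer describes the key the SP signs with, so the metadata needs refreshing rather than the request being malformed.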