By: Alex Mayanov user 06 May 2016 at 6:33 a.m. CDT

21 Responses
Hello! It seems I have the same problem as described in [this ticket](https://support.gluu.org/integrations/saml-sso-with-salesforce-is-not-working-2480). I use Gluu 2.4.3 and am trying to set up Salesforce as described [here](https://www.gluu.org/docs/integrate/salesforce-sso/). But I can't log in to Salesforce. Here is part of my log:

```
10:56:26.417 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:927] - Could not resolve a key encryption credential for peer entity: https://mydomain.my.salesforce.com
10:56:26.419 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:289] - Unable to construct encrypter
org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.getEncrypter(AbstractSAML2ProfileHandler.java:928) ~[shibboleth-identityprovider-2.4.5.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.buildResponse(AbstractSAML2ProfileHandler.java:286) ~[shibboleth-identityprovider-2.4.5.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.completeAuthenticationRequest(SSOProfileHandler.java:319) [shibboleth-identityprovider-2.4.5.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:173) [shibboleth-identityprovider-2.4.5.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:90) [shibboleth-identityprovider-2.4.5.jar:na]
    at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) [shibboleth-common-1.4.5.jar:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) [servlet-api.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) [catalina.jar:7.0.65]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.65]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat7-websocket.jar:7.0.65]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.65]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.65]
    at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.4.5.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.65]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.65]
    at unimr.shib2.UniMrMemcachedServletFilter.doFilter(UniMrMemcachedServletFilter.java:53) [unimr-memcached-idp2.4-rev218.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.65]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.65]
    at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87) [shibboleth-identityprovider-2.4.5.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.65]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.65]
    at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.4.5.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.65]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.65]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:203) [catalina.jar:7.0.65]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) [catalina.jar:7.0.65]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505) [catalina.jar:7.0.65]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) [catalina.jar:7.0.65]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) [catalina.jar:7.0.65]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) [catalina.jar:7.0.65]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423) [catalina.jar:7.0.65]
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190) [tomcat-coyote.jar:7.0.65]
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) [tomcat-coyote.jar:7.0.65]
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) [tomcat-coyote.jar:7.0.65]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_95]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_95]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-coyote.jar:7.0.65]
    at java.lang.Thread.run(Thread.java:745) [na:1.7.0_95]
```

Encryption is disabled in the Relying Party configuration. I also tried to disable signing, but the result is the same. Any help will be appreciated!

By Aliaksandr Samuseu staff 06 May 2016 at 7:23 a.m. CDT

Hi, Alex.

> There is part of my Log.

Which log is it? Do you have any other problems with this Gluu instance? Are you able to set up SAML TRs with SPs other than Salesforce?

By Alex Mayanov user 06 May 2016 at 8:01 a.m. CDT

Hi, Aliaksandr! It is `/opt/idp/logs/idp-process.log`. No, I have no other problems. I also tested my Gluu instance on [http://www.testshib.org/](http://www.testshib.org/) and it works. As I mentioned before, Gauri Shirsath had the same problem in ticket #2480, but I don't know how he resolved it.

By Alex Mayanov user 06 May 2016 at 8:12 a.m. CDT

I made some experiments and changed two files: `/opt/apache-tomcat-7.0.65/conf/shibboleth2/idp/ProfileConfiguration/SAML2SSOProfileConfiguration.xml.vm` and `/opt/idp/conf/relying-party.xml`. In the `xsi:type="saml:SAML2SSOProfile"` element I changed the `encryptAssertions` property from `"conditional"` to `"never"`. After this I can log in to Salesforce, but I'm not sure that it is the correct decision. And it is interesting why my RP setting wasn't applied to this RP, because I disabled encryption through the oxTrust interface during RP creation.

By Aliaksandr Samuseu staff 06 May 2016 at 8:17 a.m. CDT

It seems that the guide recommends some edits to Salesforce's metadata. I think it hasn't been tried for a while; something could have changed on their side. May I ask you to do the following?

1. Install a SAML tracing browser plugin like [this](https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/) or [this](https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en), or any other tool of your liking capable of displaying SAML requests/responses in clear text. Another option could be raising the idp-process.log verbosity level.
2. Retry your SSO attempt once again, save the whole exchange in clear text (it should be in clear text if you disabled encryption) somewhere and provide it to us (better use something like [pastebin.com](pastebin.com)).

Please also share the edited Salesforce metadata you used to create the TR.

By Aliaksandr Samuseu staff 06 May 2016 at 8:30 a.m. CDT

> And it is interesting why my RP setting didn't apply for this RP? Because I disabled encryption through oxTrust interface during RP creation.

Maybe you just tried once, and it was too soon after the change had been made? There is a delay (maybe even several minutes) before changes made in the web UI are taken up by the Shibboleth component of Gluu. First, the template is modified. Then a configuration file must be re-generated from it in Shib's conf directory. Then Shibboleth must reload it. May I ask you to reset the settings you changed directly in templates/conf files, and try to disable encryption from the web UI again? You can make sure the change has made it to Shib's configuration by monitoring the state of the `/opt/idp/conf/relying-party.xml` file. When you create a custom configuration for some SP, a `RelyingParty` element with the corresponding `provider` property (usually set to this SP's entityID) should appear there. It will contain the custom profile configurations you made, such as disabled encryption. Once it's there, it should be taken up by Shib very soon. Please let us know if even after that encryption still isn't disabled for this SP. You can use the different monitoring plugins I mentioned to check it in the wild.

By Alex Mayanov user 06 May 2016 at 8:50 a.m. CDT

This is for the modified templates. Here is my [Salesforce metadata](http://pastebin.com/6LcZWutU). Here are my [SAML requests/responses](http://pastebin.com/MvPedRie). I'm not sure that all of this is needed, but all of it was captured during authentication.

By Aliaksandr Samuseu staff 06 May 2016 at 8:58 a.m. CDT

Thanks. Still, as the cause of the issue is known now, it would be better to try the web UI approach again, as direct editing of the templates is recommended against, aside from very special cases. Custom profile settings must work from the web UI; otherwise it's a bug.

By Alex Mayanov user 06 May 2016 at 9:40 a.m. CDT

> May be you just tried once

No, I tried it many times before asking for your help.

> May I ask you to reset what settings you changed directly in templates/conf files, and try to disable encryption from web UI again?

I reverted the changes in the templates and updated the RP configuration in the TR. In **/opt/idp/conf/relying-party.xml** I found the **RelyingParty** corresponding to my RP. But I'm not sure about one thing: the **provider** field had the value of my Gluu IdP entityID (https://<my Gluu server>/idp/shibboleth), not the SP entityID. I tried to log in and it failed. Then I tried to change **provider** to the entityID of the SP (as in the Salesforce metadata file), waited a few minutes (I saw lines in **/opt/idp/logs/idp-process.log** saying that the config was reloaded) and tried to log in again. But it still fails, and the log reports the same problem with encryption.

By Alex Mayanov user 06 May 2016 at 9:49 a.m. CDT

Also in **/opt/idp/logs/idp-process.log** I see the line

```
No metadata for relying party https://mydomain.my.salesforce.com, treating party as anonymous for security policy
```

But I loaded the metadata in the TR configuration.

By Aliaksandr Samuseu staff 06 May 2016 at 10:08 a.m. CDT

> I return changes in templates and update RP configuration in TR . In /opt/idp/conf/relying-party.xml I found RelyingParty corresponding to my RP. But I'm not sure in one thing. provider field had value of my Gluu IDP entityID (https://<my Gluu server>/idp/shibboleth), not SP entityID

No, that's not it. This entry is always there; it's Gluu's own internal feature, needed for Shib's integration in the framework. You shouldn't ever modify it. Under normal conditions an entry of the same type must also appear for your Salesforce SP. The fact that it didn't, and that the "anonymous party" workflow is used, is an issue. Please try the following:

1. Open your TR's settings in the web UI again, add some attribute to the list, click the "Update" button, then remove it again, and click the "Update" button again. That should ensure changes to the template are applied.
2. Restart the tomcat service from within the container: `# service tomcat restart`

Please also let us know the full version of the Gluu CE package, and your Linux distro's version. I've just tested it in my 2.4.3 instance and the entry appears in the file.

By Alex Mayanov user 06 May 2016 at 10:39 a.m. CDT

> Please try the following

I've done it, but in **/opt/idp/conf/relying-party.xml** I still see only this for my Salesforce TR:

```
<rp:RelyingParty id="$trustRelationship.entityId" provider="https://<my Gluu domain>/idp/shibboleth"
    defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
    defaultSigningCredentialRef="IdPCredential">
  <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
      includeAttributeStatement="true" assertionLifetime="300000" assertionProxyCount="0"
      signResponses="conditional" signAssertions="never" signRequests="conditional"
      encryptAssertions="never" encryptNameIds="never"></rp:ProfileConfiguration>
</rp:RelyingParty>
```

> Please also let us know the full version of the Gluu CE package, and your Linux distro's version.

I use Ubuntu 14.04.4 LTS (GNU/Linux 2.6.32-042stab113.11 x86_64), gluu-server-2.4.3 1-3 amd64.

By Aliaksandr Samuseu staff 06 May 2016 at 10:47 a.m. CDT

What status is shown for this TR in the list of TRs you can see in web UI?

By Alex Mayanov user 06 May 2016 at 10:49 a.m. CDT

Status is Active.

By Aliaksandr Samuseu staff 06 May 2016 at 11:03 a.m. CDT

Do you see any recent errors in `/opt/tomcat/logs/velocity.log`? Maybe you broke some template while editing it? The best thing would be to reinstall from scratch (I suppose it's just a clean test instance anyway) and retry the whole process from the web UI alone. As I said, my test TR in 2.4.3 works just fine.

By Alex Mayanov user 06 May 2016 at 11:13 a.m. CDT

> Do you see any recent errors in /opt/tomcat/logs/velocity.log?

I see this 4 times:

```
2016-05-05 11:26:14,263 - Left side ($trustParams.trustEntityIds.get($trustRelationship.inum).size()) of '>' operation has null value at attribute-filter.xml.vm[line 11, column 93]
```

> Mb you broke some template while editing it?

The first time I didn't edit any templates and all the work was done through the web UI. I reinstalled the TR twice through the web. I only edited **/opt/idp/conf/relying-party.xml** and **/opt/apache-tomcat-7.0.65/conf/shibboleth2/idp/relying-party.xml.vm** trying to find the source of the problem, but I'm sure I put them back.

> The best thing would be to reinstall from scratch

Do you mean reinstall the Gluu server?

By Aliaksandr Samuseu staff 06 May 2016 at noon CDT

> Do you mean reinstall Gluu server?

Yes, if it's possible. If you are able to reproduce it, feel free to file a bug report on GitHub. I can't reproduce it for the SP I have at my disposal atm.

By Aliaksandr Samuseu staff 06 May 2016 at 1:20 p.m. CDT

I must correct myself. The `id` property must contain the entityID of your SP, and `provider` is your IdP's entityID. The fact that you are seeing something like `"$trustRelationship.entityId"` in any file in `/opt/idp/conf/` usually means that the template wasn't processed correctly. If you are able to reproduce all the steps that lead to that, please report it as a bug. I tried to create a TR with your metadata and it worked fine for me again.
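A check for the two failure points in this thread, added here as an example and not code from Gluu or Shibboleth: a `RelyingParty` whose `id` is still the literal Velocity variable `$trustRelationship.entityId` (so the per-SP override, including its `encryptAssertions="never"`, never matches the real entityID and the `DefaultRelyingParty` setting applies instead), and an SP the IdP may try to encrypt for that publishes no encryption key in its metadata, which is what produces the "Could not resolve a key encryption credential for peer entity" error from the first post. Both XML inputs are constructed samples: the IdP entityID `https://idp.example.org/idp/shibboleth` and the second SP `https://sp.example.org/shibboleth` are assumptions, and the certificate values are placeholders. It also flags the global template change tried earlier in the thread, since `encryptAssertions="never"` on `DefaultRelyingParty` sends every SP's assertions in clear text.

```python
"""Cross-check a Shibboleth IdP 2.x relying-party.xml against SP metadata.

Added example for this support thread, not Gluu's or Shibboleth's own code.
Flags (1) RelyingParty ids that are still Velocity placeholders, meaning the
template was never rendered, and (2) SPs with no encryption key in metadata
while the IdP is configured to encrypt assertions for them.
All XML below is constructed sample input, not the poster's real files.
"""
import re
import xml.etree.ElementTree as ET

RP_NS = "urn:mace:shibboleth:2.0:relying-party"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
VELOCITY_REF = re.compile(r"\$\{?[A-Za-z_][\w.]*\}?")  # $foo, $foo.bar, ${foo}

# Constructed: the shape the poster saw, with an assumed IdP entityID.
SAMPLE_RELYING_PARTY_XML = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="conditional"/>
  </rp:DefaultRelyingParty>
  <rp:RelyingParty id="$trustRelationship.entityId" provider="https://idp.example.org/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never"/>
  </rp:RelyingParty>
</rp:RelyingPartyGroup>"""

# Constructed SP metadata: the thread's Salesforce placeholder entityID with a
# signing-only key, and an assumed second SP whose key has no "use" (both uses).
SAMPLE_SP_METADATA_XML = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://mydomain.my.salesforce.com">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def find_unrendered(rp_xml):
    """RelyingParty ids that still contain a Velocity reference."""
    root = ET.fromstring(rp_xml)
    return [rp.get("id", "") for rp in root.iter(f"{{{RP_NS}}}RelyingParty")
            if VELOCITY_REF.search(rp.get("id", ""))]


def encrypt_assertions_settings(rp_xml):
    """Map 'DEFAULT' and each RelyingParty id to its SAML2SSOProfile
    encryptAssertions value (IdP 2.x default when absent: conditional)."""
    root = ET.fromstring(rp_xml)
    out = {}
    for rp in root.iter():
        if rp.tag == f"{{{RP_NS}}}DefaultRelyingParty":
            key = "DEFAULT"
        elif rp.tag == f"{{{RP_NS}}}RelyingParty":
            key = rp.get("id", "")
        else:
            continue
        for prof in rp.findall(f"{{{RP_NS}}}ProfileConfiguration"):
            if prof.get(XSI_TYPE, "").endswith("SAML2SSOProfile"):
                out[key] = prof.get("encryptAssertions", "conditional")
    return out


def encryption_keys(metadata_xml):
    """entityID -> True if the SP publishes a KeyDescriptor usable for
    encryption: use="encryption", or no use attribute (valid for both)."""
    root = ET.fromstring(metadata_xml)
    out = {}
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        usable = [kd for kd in ed.iter(f"{{{MD_NS}}}KeyDescriptor")
                  if kd.get("use", "encryption") == "encryption"
                  and kd.find(f".//{{{DS_NS}}}X509Certificate") is not None]
        out[ed.get("entityID")] = bool(usable)
    return out


def audit(rp_xml, metadata_xml):
    """Findings an IdP admin should act on before the next SSO attempt."""
    findings = []
    for bad in find_unrendered(rp_xml):
        findings.append(f"unrendered Velocity reference in RelyingParty id={bad!r}: "
                        "this override matches no real SP, so DefaultRelyingParty applies")
    settings = encrypt_assertions_settings(rp_xml)
    default = settings.get("DEFAULT", "conditional")
    for entity_id, has_enc in encryption_keys(metadata_xml).items():
        # The per-SP override only applies when its id equals the SP entityID.
        eff = settings.get(entity_id, default)
        if eff == "never":
            findings.append(f"{entity_id}: assertions sent unencrypted (encryptAssertions=never)")
        elif not has_enc:
            findings.append(f"{entity_id}: encryptAssertions={eff} but metadata has no "
                            "encryption key; expect 'Could not resolve a key encryption credential'")
    if default == "never":
        findings.append("DefaultRelyingParty encryptAssertions=never: every SP without "
                        "an override gets unencrypted assertions")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_RELYING_PARTY_XML, SAMPLE_SP_METADATA_XML):
        print("FINDING:", line)
```

Run it against the real `/opt/idp/conf/relying-party.xml` and the SP metadata loaded into the TR by passing their contents to `audit()`; an empty list means neither condition is present. Switching `encryptAssertions` to `never` is a per-SP decision for an SP that cannot decrypt, and the finding for it is kept so the weakened setting stays visible in a review rather than disappearing into the template.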

By Alex Mayanov user 06 May 2016 at 3:53 p.m. CDT

Aliaksandr, I changed the **id** property from **$trustRelationship.entityId** to the entityID of the SP and successfully logged in to Salesforce. I will try to reinstall the Gluu server and reproduce this again. Thanks for your help and time!

By Michael Schwartz Account Admin 13 May 2016 at 1:05 p.m. CDT

Closed this [issue on github](https://github.com/GluuFederation/oxAuth/issues/214) because we can't reproduce it. It must be something with his config. Please post `setup.properties.last` so we can see if anything looks out of place. Also I don't see anything about the operating system version or system resources in this ticket. If we still can't figure out what's going on, maybe Shekhar can get access to the system and check it out.

By Aliaksandr Samuseu staff 13 May 2016 at 1:15 p.m. CDT

Hi, Alex. Thanks for the info:

```
dn: inum=@!5302.FE40.EA53.038F!0002!F1A2.32D7!0006!3B37.FDDE,ou=trustRelationships,inum=@!5302.FE40.EA53.038F!0002!F1A2.32D7,ou=appliances,o=gluu
displayName: Salesforce
```

That's what I wanted to confirm. The TR entry in Gluu has an empty `gluuEntityId` attribute. It was the same for the case I observed myself, and after the issue resolved by itself, this attribute finally got a value. The cause is still unknown.

By Michael Schwartz Account Admin 13 May 2016 at 1:32 p.m. CDT

1. What OS are you using?
2. How much RAM? How many CPUs?
3. If you can duplicate it, please attach the relevant logs from /opt/tomcat/logs. There is probably a stacktrace in there.