By: Johan Kotze user 02 Mar 2017 at 3:20 a.m. CST

4 Responses
Hi

I am evaluating GLUU as a possible SAML IDP for our environment and the first app I am trying to get to work is NetIQ Access Review. I have GLUU set up with authentication against Active Directory and it is all working - I can log in with my Active Directory user. I then set up a SAML trust relationship with NetIQ AR and the trust relationship validated successfully. When I connect to NetIQ AR it redirects to the GLUU IDP with a SAML POST, but the POST returns "Error 400: Bad Request". I have not imported any certs into either GLUU or NetIQ AR as I could not find any documentation on how to import certs into GLUU - AFAIK it is also not required for SAML to act as IDP. I did import the metadata from NetIQ AR into GLUU as part of the SAML config. I used the SAML Tracer plugin for Firefox to capture the SAML POST.

**HTTP**

```
POST https://idp.artest.sanlam.co.za/idp/profile/SAML2/POST/SSO HTTP/1.1
Host: idp.artest.sanlam.co.za
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ig.artest.sanlam.co.za:8443/osp/a/idm/auth/oauth2/grant?response_type=token&redirect_uri=https://ig.artest.sanlam.co.za:8443/oauth.html&client_id=iac&state=gromitstate0.1341846710930047
Cookie: JSESSIONID=2knrpt2pz100rbrnhsrvlrlk
Content-Type: application/x-www-form-urlencoded
Content-Length: 1162

HTTP/?.? 400 Bad Request
Date: Thu, 02 Mar 2017 08:14:32 GMT
Server: Jetty(9.3.15.v20161220)
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-store
Content-Type: text/html;charset=utf-8
Content-Length: 811
Connection: close
```

**SAML**

```
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
                    Destination="https://idp.artest.sanlam.co.za/idp/profile/SAML2/POST/SSO"
                    ForceAuthn="false"
                    ID="idcfKdvzXib-SaWRkwM9jypww_pWc"
                    IsPassive="false"
                    IssueInstant="2017-03-02T08:17:12Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0"
                    intro="false"
                    refresh="false">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
               SPProvidedID="https://ig.artest.sanlam.co.za:8443/osp/a/idm/auth/saml2/metadata">https://ig.artest.sanlam.co.za:8443/osp/a/idm/auth/saml2/metadata</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
```

In the Shibboleth process log I see the following:

```
2017-03-02 10:14:32,680 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for https://ig.artest.sanlam.co.za:8443/osp/a/idm/auth/saml2/metadata in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2017-03-02 10:14:32,683 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for relying party configuration shibboleth.UnverifiedRelyingParty
2017-03-02 10:14:32,684 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidProfileConfiguration
```

Any help will be appreciated.

Johan
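The three log lines above are one chain: the IdP took the `Issuer` of the AuthnRequest, found no `EntityDescriptor` with that exact `entityID` carrying an `SPSSODescriptor` for the SAML 2.0 protocol, fell back to `shibboleth.UnverifiedRelyingParty`, and that fallback has no SAML2 SSO profile, hence `InvalidProfileConfiguration`. The script below is an added example (not Gluu or Shibboleth code) that reproduces that lookup offline against the AuthnRequest from the post: it extracts the Issuer and checks whether a piece of SP metadata would satisfy the IdP. The SP metadata is constructed here (the `sp_metadata` helper and its AssertionConsumerService `Location` are this example's own, not NetIQ's real metadata), and the "entityID with a trailing slash" case shows the most common reason the lookup comes back empty even though the metadata was imported.

```python
"""Reproduce the IdP-side SP metadata lookup behind the log line
"No metadata returned for <issuer> in role SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol".
Added example; not Gluu/Shibboleth code."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# The AuthnRequest captured with SAML Tracer in the post above.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
    Destination="https://idp.artest.sanlam.co.za/idp/profile/SAML2/POST/SSO"
    ForceAuthn="false" ID="idcfKdvzXib-SaWRkwM9jypww_pWc" IsPassive="false"
    IssueInstant="2017-03-02T08:17:12Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0" intro="false" refresh="false">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      SPProvidedID="https://ig.artest.sanlam.co.za:8443/osp/a/idm/auth/saml2/metadata">https://ig.artest.sanlam.co.za:8443/osp/a/idm/auth/saml2/metadata</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""


def sp_metadata(entity_id: str, protocols: str = SAML2_PROTOCOL) -> str:
    """Constructed SP metadata for this example (the ACS Location is made up)."""
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{entity_id}">
  <md:SPSSODescriptor protocolSupportEnumeration="{protocols}">
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://ig.artest.sanlam.co.za:8443/osp/a/idm/auth/saml2/spassertion_consumer" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def issuer_of(authn_request_xml: str) -> str:
    """The entityID the IdP will look up: the text of saml:Issuer."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest has no Issuer")
    return issuer.text.strip()


def lookup_sp(metadata_xml: str, entity_id: str) -> dict:
    """What the IdP finds for entity_id: exact entityID match, SAML2 SP role, HTTP-POST ACS."""
    root = ET.fromstring(metadata_xml)
    # Metadata may be one EntityDescriptor or an EntitiesDescriptor aggregate.
    if root.tag == f"{{{NS['md']}}}EntityDescriptor":
        descriptors = [root]
    else:
        descriptors = root.findall("md:EntityDescriptor", NS)
    result = {"entity_found": False, "saml2_sp_role": False, "post_acs": None}
    for ed in descriptors:
        if ed.get("entityID") != entity_id:  # exact string comparison, as the IdP does
            continue
        result["entity_found"] = True
        for sp in ed.findall("md:SPSSODescriptor", NS):
            if SAML2_PROTOCOL in (sp.get("protocolSupportEnumeration") or "").split():
                result["saml2_sp_role"] = True
                for acs in sp.findall("md:AssertionConsumerService", NS):
                    if acs.get("Binding") == HTTP_POST:
                        result["post_acs"] = acs.get("Location")
        break
    return result


def diagnose(authn_request_xml: str, metadata_xml: str) -> str:
    """One-line verdict in the same terms as the Shibboleth log line."""
    issuer = issuer_of(authn_request_xml)
    found = lookup_sp(metadata_xml, issuer)
    if not found["entity_found"]:
        return f"No metadata returned for {issuer}: no EntityDescriptor with exactly that entityID"
    if not found["saml2_sp_role"]:
        return f"Metadata for {issuer} has no SPSSODescriptor supporting {SAML2_PROTOCOL}"
    if found["post_acs"] is None:
        return f"Metadata for {issuer} has no HTTP-POST AssertionConsumerService"
    return f"OK: {issuer} -> ACS {found['post_acs']}"


if __name__ == "__main__":
    issuer = issuer_of(AUTHN_REQUEST)
    print(diagnose(AUTHN_REQUEST, sp_metadata(issuer)))
    # Typical failure: entityID in the imported metadata differs from the Issuer (trailing slash, http vs https).
    print(diagnose(AUTHN_REQUEST, sp_metadata(issuer + "/")))
    print(diagnose(AUTHN_REQUEST, sp_metadata(issuer, "urn:oasis:names:tc:SAML:1.1:protocol")))
```

The comparison on `entityID` is deliberately a plain string equality: the IdP does no normalisation, so a metadata file whose `entityID` differs from the SP's `Issuer` by one character produces exactly the "No metadata returned" line in the log, regardless of how successfully the trust relationship was saved in the admin UI.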

By Mohib Zico staff 02 Mar 2017 at 4:32 a.m. CST

> An error event occurred while processing the request: InvalidProfileConfiguration

Can you please try to configure the SAML2SSO profile for the relying party?

By Johan Kotze user 02 Mar 2017 at 5:28 a.m. CST

Hi

I configured the relying party, but now I have a different issue. It seems like the SAML POST now goes through, but I do not get a login prompt on the GLUU side. Using the SAML Tracer I get the following:

**SAML POST**

```
POST https://idp.artest.sanlam.co.za/idp/profile/SAML2/POST/SSO HTTP/1.1
Host: idp.artest.sanlam.co.za
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ig.artest.sanlam.co.za:8443/osp/a/idm/auth/oauth2/grant?response_type=token&redirect_uri=https://ig.artest.sanlam.co.za:8443/oauth.html&client_id=iac&state=gromitstate0.0006725695683482691
Cookie: JSESSIONID=1t22o97nvf2kmmnohnojiwja3; session_state=f3867448-3c47-4621-86c7-2e1537128720
Content-Type: application/x-www-form-urlencoded
Content-Length: 1162

HTTP/?.? 302 Found
Date: Thu, 02 Mar 2017 11:19:10 GMT
Server: Jetty(9.3.15.v20161220)
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store
Location: https://idp.artest.sanlam.co.za/idp/profile/SAML2/POST/SSO?execution=e1s1
Content-Length: 0
Set-Cookie: JSESSIONID=kh9cq43dp7m61nffw6pm2gn98;Path=/idp;Secure;HttpOnly
Connection: close
```

Then I get the following:

```
GET https://idp.artest.sanlam.co.za/idp/profile/SAML2/POST/SSO?execution=e1s1 HTTP/1.1
Host: idp.artest.sanlam.co.za
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ig.artest.sanlam.co.za:8443/osp/a/idm/auth/oauth2/grant?response_type=token&redirect_uri=https://ig.artest.sanlam.co.za:8443/oauth.html&client_id=iac&state=gromitstate0.0006725695683482691
Cookie: JSESSIONID=kh9cq43dp7m61nffw6pm2gn98; session_state=f3867448-3c47-4621-86c7-2e1537128720

HTTP/?.? 302 Found
Date: Thu, 02 Mar 2017 11:19:10 GMT
Server: Jetty(9.3.15.v20161220)
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-store
Location: https://idp.artest.sanlam.co.za/idp/Authn/RemoteUser?conversation=e1s1
Content-Length: 0
Connection: close
```

Followed by

```
GET https://idp.artest.sanlam.co.za/idp/Authn/RemoteUser?conversation=e1s1 HTTP/1.1
Host: idp.artest.sanlam.co.za
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ig.artest.sanlam.co.za:8443/osp/a/idm/auth/oauth2/grant?response_type=token&redirect_uri=https://ig.artest.sanlam.co.za:8443/oauth.html&client_id=iac&state=gromitstate0.0006725695683482691
Cookie: JSESSIONID=kh9cq43dp7m61nffw6pm2gn98; session_state=f3867448-3c47-4621-86c7-2e1537128720

HTTP/?.? 302 Found
Date: Thu, 02 Mar 2017 11:19:10 GMT
Server: Jetty(9.3.15.v20161220)
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://idp.artest.sanlam.co.za/oxauth/seam/resource/restv1/oxauth/authorize?scope=openid+profile+email+user_name&response_type=code+id_token&redirect_uri=https%3A%2F%2Fidp.artest.sanlam.co.za%2Fidp%2Fauth-code.jsp&nonce=nonce&client_id=%40%21CB94.D7B0.DB10.875F%210001%215341.9D26%210008%216031.3667
Content-Length: 0
Connection: close
```

Followed by

```
GET https://idp.artest.sanlam.co.za/oxauth/seam/resource/restv1/oxauth/authorize?scope=openid+profile+email+user_name&response_type=code+id_token&redirect_uri=https%3A%2F%2Fidp.artest.sanlam.co.za%2Fidp%2Fauth-code.jsp&nonce=nonce&client_id=%40%21CB94.D7B0.DB10.875F%210001%215341.9D26%210008%216031.3667 HTTP/1.1
Host: idp.artest.sanlam.co.za
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ig.artest.sanlam.co.za:8443/osp/a/idm/auth/oauth2/grant?response_type=token&redirect_uri=https://ig.artest.sanlam.co.za:8443/oauth.html&client_id=iac&state=gromitstate0.0006725695683482691
Cookie: JSESSIONID=16o50uyk530488efta8n3aaf5; javax.faces.ClientToken=zapDTxBpKPzdFaqhupfczAGH4BgMDHSXxbhImhrrYDiCyNx1rH; session_state=f3867448-3c47-4621-86c7-2e1537128720

HTTP/?.? 302 Found
Date: Thu, 02 Mar 2017 11:19:10 GMT
Server: Jetty(9.3.15.v20161220)
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://idp.artest.sanlam.co.za/idp/auth-code.jsp#code=c5d03fae-c3dc-4bd8-86d9-14a616348bb4&scope=openid+user_name+profile+email&id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2lkcC5hcnRlc3Quc2FubGFtLmNvLnphIiwiYXVkIjoiQCFDQjk0LkQ3QjAuREIxMC44NzVGITAwMDEhNTM0MS45RDI2ITAwMDghNjAzMS4zNjY3IiwiZXhwIjoxNDg4NDU3MTUwLCJpYXQiOjE0ODg0NTM1NTAsIm5vbmNlIjoibm9uY2UiLCJhdXRoX3RpbWUiOjE0ODg0NTIwODIsImNfaGFzaCI6Imo0UjJkZVIzVDZqb0Yzc3FzN0FIbGciLCJveFZhbGlkYXRpb25VUkkiOiJodHRwczovL2lkcC5hcnRlc3Quc2FubGFtLmNvLnphL294YXV0aC9vcGlmcmFtZSIsIm94T3BlbklEQ29ubmVjdFZlcnNpb24iOiJvcGVuaWRjb25uZWN0LTEuMCIsInN1YiI6IkAhQ0I5NC5EN0IwLkRCMTAuODc1RiEwMDAxITUzNDEuOUQyNiEwMDAwIUIyRDguNEE5NCJ9.JUQxLMnRVpH18sNrwpEEAJsmI7yCQnB_KpBiSkFqnvE&state&session_state=f3867448-3c47-4621-86c7-2e1537128720
Content-Length: 0
access-control-allow-origin: *
Connection: close
```

and finally

```
GET https://idp.artest.sanlam.co.za/idp/auth-code.jsp#code=c5d03fae-c3dc-4bd8-86d9-14a616348bb4&scope=openid+user_name+profile+email&id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.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.JUQxLMnRVpH18sNrwpEEAJsmI7yCQnB_KpBiSkFqnvE&state&session_state=f3867448-3c47-4621-86c7-2e1537128720 HTTP/1.1
Host: idp.artest.sanlam.co.za
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ig.artest.sanlam.co.za:8443/osp/a/idm/auth/oauth2/grant?response_type=token&redirect_uri=https://ig.artest.sanlam.co.za:8443/oauth.html&client_id=iac&state=gromitstate0.0006725695683482691
Cookie: JSESSIONID=kh9cq43dp7m61nffw6pm2gn98; session_state=f3867448-3c47-4621-86c7-2e1537128720

HTTP/?.? 200 OK
Date: Thu, 02 Mar 2017 11:19:10 GMT
Server: Jetty(9.3.15.v20161220)
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html;charset=utf-8
Content-Length: 1496
Connection: close
```

If I log into the GLUU server at https://idp.artest.sanlam.co.za/oxauth/login and then hit the NetIQ AR URL it works and I am logged into NetIQ AR. So it seems like GLUU is not showing me the login screen or something is misconfigured. I have tried both Firefox and Chrome.
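The trace above already contains the evidence a practitioner would look at: the very first SAML POST carries a `session_state` cookie for oxAuth, and the `id_token` in the final `Location` fragment is a plain base64url JWT whose claims can be read without any key. The script below is an added example (not Gluu or Shibboleth code) that takes the authorize URL and the redirect from the capture, decodes the token, and runs the checks a relying party performs on it: `aud` against the `client_id` in the authorize request, `nonce` against the one sent, `c_hash` against the `code` in the same fragment, and `auth_time` against `iat`. The signature is split off but not verified, because the header says `alg: HS256`: a symmetric MAC over the client secret of the oxAuth client shown as `client_id`, which the post does not contain. The decoded claims show `auth_time` about 24 minutes before `iat`, that is, oxAuth reused an authentication it already had for this browser rather than prompting again, which is consistent with no login page appearing.

```python
"""Decode and check the OpenID Connect id_token oxAuth returned to auth-code.jsp in the trace above.
Added example; not Gluu/Shibboleth code. Signature is split off, not verified (HS256 needs the client secret)."""
import base64
import hashlib
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# The GET to /oxauth/.../authorize from the capture; only its query string is used here.
AUTHORIZE_URL = (
    "https://idp.artest.sanlam.co.za/oxauth/seam/resource/restv1/oxauth/authorize"
    "?scope=openid+profile+email+user_name&response_type=code+id_token"
    "&redirect_uri=https%3A%2F%2Fidp.artest.sanlam.co.za%2Fidp%2Fauth-code.jsp&nonce=nonce"
    "&client_id=%40%21CB94.D7B0.DB10.875F%210001%215341.9D26%210008%216031.3667"
)

# The Location header of the 302 that followed it; code and id_token travel in the URL fragment.
LOCATION = (
    "https://idp.artest.sanlam.co.za/idp/auth-code.jsp#code=c5d03fae-c3dc-4bd8-86d9-14a616348bb4"
    "&scope=openid+user_name+profile+email&id_token="
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJodHRwczovL2lkcC5hcnRlc3Quc2FubGFtLmNvLnphIiwiYXVkIjoiQCFDQjk0LkQ3QjAuREIxMC44NzVGITAwMDEhNTM0MS45RDI2ITAwMDghNjAzMS4zNjY3IiwiZXhwIjoxNDg4NDU3MTUwLCJpYXQiOjE0ODg0NTM1NTAsIm5vbmNlIjoibm9uY2UiLCJhdXRoX3RpbWUiOjE0ODg0NTIwODIsImNfaGFzaCI6Imo0UjJkZVIzVDZqb0Yzc3FzN0FIbGciLCJveFZhbGlkYXRpb25VUkkiOiJodHRwczovL2lkcC5hcnRlc3Quc2FubGFtLmNvLnphL294YXV0aC9vcGlmcmFtZSIsIm94T3BlbklEQ29ubmVjdFZlcnNpb24iOiJvcGVuaWRjb25uZWN0LTEuMCIsInN1YiI6IkAhQ0I5NC5EN0IwLkRCMTAuODc1RiEwMDAxITUzNDEuOUQyNiEwMDAwIUIyRDguNEE5NCJ9"
    ".JUQxLMnRVpH18sNrwpEEAJsmI7yCQnB_KpBiSkFqnvE"
    "&state&session_state=f3867448-3c47-4621-86c7-2e1537128720"
)


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def fragment_params(url: str) -> dict:
    # keep_blank_values so the empty 'state' in the capture is kept rather than silently dropped.
    return {k: v[0] for k, v in parse_qs(urlsplit(url).fragment, keep_blank_values=True).items()}


def decode_jwt(token: str):
    """Return (header, claims, signature_b64). No verification is done here."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64)), sig_b64


def expected_c_hash(code: str, alg: str) -> str:
    # OIDC Core 3.3.2.11: hash the code with the hash function matching the id_token alg,
    # keep the left half, base64url-encode without padding.
    hash_name = {"256": "sha256", "384": "sha384", "512": "sha512"}[alg[-3:]]
    digest = hashlib.new(hash_name, code.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode("ascii")


def check_id_token(authorize_url: str, location: str) -> dict:
    """Cross-check the id_token in the redirect against the authorize request that produced it."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(authorize_url).query).items()}
    frag = fragment_params(location)
    header, claims, _sig = decode_jwt(frag["id_token"])
    return {
        "alg": header.get("alg"),
        "iss": claims.get("iss"),
        "aud_ok": claims.get("aud") == query["client_id"],
        "nonce_ok": claims.get("nonce") == query["nonce"],
        "c_hash_ok": claims.get("c_hash") == expected_c_hash(frag["code"], header["alg"]),
        "lifetime_s": claims["exp"] - claims["iat"],
        # iat is when this token was minted; auth_time is when the user last authenticated.
        # A positive gap means an existing oxAuth session was reused instead of a fresh login.
        "seconds_since_auth": claims["iat"] - claims["auth_time"],
        "auth_time_utc": datetime.fromtimestamp(claims["auth_time"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "state_present": bool(frag.get("state")),
    }


if __name__ == "__main__":
    for key, value in check_id_token(AUTHORIZE_URL, LOCATION).items():
        print(f"{key:>20}: {value}")
```

Two things the output makes visible that the raw trace hides: `nonce` is the literal string `nonce` and `state` is empty, which is tolerable only because this hop is the IdP talking to oxAuth on the same host, and the token's `aud` is the oxAuth client that the Shibboleth IdP itself registered, so this id_token is never meant to reach NetIQ AR; what NetIQ receives is the SAML assertion the IdP builds afterwards.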

By Mohib Zico staff 08 Mar 2017 at 5:06 a.m. CST

> If I log into the GLUU server at https://idp.artest.sanlam.co.za/oxauth/login and then hit the NetIQ AR url it works and I am logged into NetIQ AR. So it seems like GLUU is not showing me the login screen or something is misconfigured.

I am suspecting some misconfiguration there from the SP side. When you are redirected from the SP to the Gluu Server, which login page do you see (or no login page at all)? Please feel free to share a screenshot.

By Michael Schwartz Account Admin 10 Mar 2017 at 4:12 p.m. CST

Johan,

Sorry for the delayed response. I'd like to better understand your requirements. If you can find some overlap with US Central Time, my calendar is available on [http://gluu.org/booking](http://gluu.org/booking). If not, please email sales@gluu.org and suggest a convenient time.

Regarding your SAML issue, if you are acquiring the SP metadata via a URL, you will need to import the certificate (if it's self-signed) into the Jetty jks truststore. It may be easier to just use the File method to upload the metadata if the SP is not using https certificates signed by a well known CA. SAML itself doesn't require the import of certs because metadata is traditionally signed with self-signed certs, and the keys are included in the XML metadata.

In any case, I think we can help you, but we need to get a better understanding of your goals.

- Mike