By: Annouar LAIFA user 21 Mar 2017 at 4:25 p.m. CDT

4 Responses
Hello support! I am currently trying to implement the inbound SAML described here: https://gluu.org/docs/ce/2.4.4/admin-guide/saml/

For now, the Asimba Discovery page displays well, but when I choose the Nest IDP, I get redirected to https://nest.gluu.org/idp/profile/SAML2/POST/SSO (I guess it's well), but instead of displaying the Nest login page, it displays me the following error:

```
Error Message: Message did not meet security requirements
```

Any idea why? Thank you!

By Aliaksandr Samuseu staff 21 Mar 2017 at 4:31 p.m. CDT

Hi, Annouar. Please make sure clocks are synchronised on all your VMs. If that doesn't help, you'll need to proceed to checking the Gluu/Shibboleth IdP logs on the VM that returns this error page for additional clues.

By Mohib Zico staff 22 Mar 2017 at 12:49 a.m. CDT

> (I guess it's well) but instead of displaying the Nest login page, it displays me the following error: Error Message: Message did not meet security requirements

Please check idp-process.log of the Nest server; it should have an indication of this failure. Also, this is related to the Shibboleth of Nest, so if you google this error you will get a lot of responses on what to check and how to check.

By Annouar LAIFA user 22 Mar 2017 at 4:49 a.m. CDT

Hi! So, I have installed NTP on both of my VMs but it doesn't fix the problem. Here are my Nest Shibboleth logs:

```
09:42:33.963 - INFO [Shibboleth-Access:73] - 20170322T094233Z|192.168.1.53|nest.gluu.org:443|/profile/SAML2/POST/SSO|
09:42:34.131 - ERROR [org.opensaml.xml.security.x509.BasicX509CredentialNameEvaluator:273] - Credential failed name check: [subjectName='1.2.840.113549.1.9.1=#161b616e6e6f7561722e6c61696661406d6574726f6e6c61622e636f6d,CN=test.gluu.org,O=metron,L=Paris,ST=PA,C=FR']
09:42:34.137 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:406] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
    at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138) ~[opensaml-2.6.6.jar:na]
    at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107) ~[opensaml-2.6.6.jar:na]
    at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51) ~[openws-1.5.6.jar:na]
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132) ~[openws-1.5.6.jar:na]
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83) ~[openws-1.5.6.jar:na]
    at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) ~[opensaml-2.6.6.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:386) [shibboleth-identityprovider-2.4.5.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:211) [shibboleth-identityprovider-2.4.5.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:189) [shibboleth-identityprovider-2.4.5.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:90) [shibboleth-identityprovider-2.4.5.jar:na]
    at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) [shibboleth-common-1.4.5.jar:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) [servlet-api.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) [catalina.jar:7.0.65]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.65]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat7-websocket.jar:7.0.65]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.65]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.65]
    at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.4.5.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.65]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.65]
    at unimr.shib2.UniMrMemcachedServletFilter.doFilter(UniMrMemcachedServletFilter.java:53) [unimr-memcached-idp2.4-rev218.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.65]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.65]
    at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87) [shibboleth-identityprovider-2.4.5.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.65]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.65]
    at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.4.5.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.65]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.65]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:203) [catalina.jar:7.0.65]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) [catalina.jar:7.0.65]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505) [catalina.jar:7.0.65]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) [catalina.jar:7.0.65]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) [catalina.jar:7.0.65]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) [catalina.jar:7.0.65]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423) [catalina.jar:7.0.65]
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190) [tomcat-coyote.jar:7.0.65]
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) [tomcat-coyote.jar:7.0.65]
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) [tomcat-coyote.jar:7.0.65]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_03-Ubuntu]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_03-Ubuntu]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-coyote.jar:7.0.65]
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_03-Ubuntu]
```

Thank you!

By Annouar LAIFA user 22 Mar 2017 at 5:37 a.m. CDT

I've found my issue. Before installing NTP, I had an issue where the clocks were not synchronised on all the VMs. As for the issue itself, I had put a bad certificate in my test.gluu.org metadata! Thank you!
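A check for the cause reported in the last post (a wrong certificate in the SP's metadata), added here as an example and not part of the thread: it compares the SHA-256 fingerprint of the certificate the SP signs with against the signing certificates published for that entity in a metadata document. The entity ID, function names and sample metadata are constructed, and the certificate bodies are placeholder bytes rather than real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem: str) -> bytes:
    """Drop the PEM armour lines and decode the base64 body."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def signing_fingerprints(metadata_xml: str, entity_id: str) -> set:
    """Fingerprints of the certificates an entity publishes for signing.
    A KeyDescriptor without a 'use' attribute counts for signing too."""
    found = set()
    root = ET.fromstring(metadata_xml)
    # iter() includes the root, so a bare EntityDescriptor and an
    # EntitiesDescriptor aggregate are both handled.
    for ent in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ent.get("entityID") != entity_id:
            continue
        for kd in ent.iterfind(".//md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                found.add(fingerprint(der))
    return found

def cert_matches_metadata(metadata_xml, entity_id, signing_pem) -> bool:
    return fingerprint(pem_to_der(signing_pem)) in signing_fingerprints(
        metadata_xml, entity_id)

# Constructed sample data: placeholder bytes stand in for DER certificates.
ENTITY_ID = "https://sp.example.org/sp"
GOOD = base64.b64encode(b"constructed certificate A").decode()
STALE = base64.b64encode(b"constructed certificate B").decode()
SIGNING_PEM = f"-----BEGIN CERTIFICATE-----\n{GOOD}\n-----END CERTIFICATE-----\n"

def make_metadata(cert_b64: str) -> str:
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="{ENTITY_ID}"><md:SPSSODescriptor>'
            f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            f'</md:SPSSODescriptor></md:EntityDescriptor>')
```

Run it against the metadata copy the IdP actually loads, since that copy is what incoming signatures are checked against.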