By: Darel Solon user 11 Nov 2018 at 1:52 p.m. CST

4 Responses
Background: I'm implementing SAML SSO for a client and they've requested specifically to use GLUU as their IDP. I've already tried implementing SAML SSO for their SP using SSOCircle as the IDP and it is working properly. However, when I try to integrate it with GLUU, I'm getting a weird error (see details below).

Issue: The SP is returning a 401 Unauthorized error after authentication succeeds on Gluu.

oxauth.log:

```
2018-11-11 19:27:32,011 INFO  [qtp804611486-18] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:365) - Authentication success for User: 'first2.last2@gmail.com'
2018-11-11 19:27:32,194 INFO  [qtp804611486-18] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:224) - Authentication success for Client: '@!DB7F.B8F9.6380.E983!0001!0216.40E4!0008!461A.DEE1'
```

SAML Response:

```
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://localhost:9002/samlsinglesignon/saml/SSO"
                 ID="_c6d62aa89835b8511bd3b5c4d3f9e75f"
                 InResponseTo="a289fe1c8762794j3g8884h0b0594e5"
                 IssueInstant="2018-11-11T19:28:05.496Z" Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://psidp.southeastasia.cloudapp.azure.com/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_9394055e17af6317d530996f59c2bb60" IssueInstant="2018-11-11T19:28:05.496Z" Version="2.0"
                   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://psidp.southeastasia.cloudapp.azure.com/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_9394055e17af6317d530996f59c2bb60">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>3EfMwHJXoVcoxobQo3ZV0uXAb8CLjyRosr3g9wp9i/k=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
By9YNEz6XpoDda6tUjnPwH251oKkhjBr7YSBXxUkq/upk0glxCC1zzeu63yPU2tCnBO6cjQg7ffi
Gp12S5OEYIfEVsrfi9aaC2gpy8IQhMD1hhqqyB5eTE8ORrcwkhV65x42t2D0xAgm83B0FMSeluJT
fqSQGN/NhbAMSzsX4qJgG4qZDR+Q4udlPmSnAaDf9+oEVHQ1Pytdu3hub3L0Gb/QJ0yBAiEJpa4l
6BPD0Kg7I/1W5Mn0a6uDqyoiAvrWoNgu8ZHIBUIkE9SFk/TdFnfCXJM3eqDqAc1wqmU5/iE9Mwh1
QlgBYgC6faWoQjlvGwsTztUa+XjSGoa7JAFesQ==
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIDwDCCAqgCCQCDDDxhp/JFGDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCUEgxCzAJBgNV
BAgMAk1NMRUwEwYDVQQHDAxNZXRybyBNYW5pbGExFzAVBgNVBAoMDkRYQy50ZWNobm9sb2d5MS8w
LQYDVQQDDCZwc2lkcC5zb3V0aGVhc3Rhc2lhLmNsb3VkYXBwLmF6dXJlLmNvbTEkMCIGCSqGSIb3
DQEJARYVZWxkYXJlbC5zb2xvbkBkeGMuY29tMB4XDTE4MTEwNjA0MDIwM1oXDTE5MTEwNjA0MDIw
M1owgaExCzAJBgNVBAYTAlBIMQswCQYDVQQIDAJNTTEVMBMGA1UEBwwMTWV0cm8gTWFuaWxhMRcw
FQYDVQQKDA5EWEMudGVjaG5vbG9neTEvMC0GA1UEAwwmcHNpZHAuc291dGhlYXN0YXNpYS5jbG91
ZGFwcC5henVyZS5jb20xJDAiBgkqhkiG9w0BCQEWFWVsZGFyZWwuc29sb25AZHhjLmNvbTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMzTGdhW3Qt9X0ficfWkesWU0Reqd0Dnvx6sxQiW
UKHoGE+yRPdN3PskxI+x/p/tnP+bF93nlLltbn+XlQ8Ykw2QzyllKXbLBEDH9U/+G6GnLH+1cjjI
c7HVji5AJQkaoQLvj77mGV3VqTM1GzxeJ9YAYQrAVm+lS9z0H08VzllgSklTINqHfGHUMm07S6tQ
UdTFAxD4gogZz4dgiTFgI5YB/jlPN97n/5aGHBmXY1VvQR3yC4oxs8umhdvAaZtbHDnWwLJMv1ZI
N6/U6EVjiDxinG6n5Q3wnbAPKuEMgJ8QqSwRXKVqTQ4wiV0PEQiB2kGQ6Fcxr2OAY2k0NkGtstcC
AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcRfMPn3StljsKnDfFulgal6NUZqR2ELM94UWiKWEgER6
uxT04y+llPXNP+6x8WyYT7rYGy5nNa1a4RzwlgAHKFTaPQrCFmeDlQzYBE5Fhf2ETryI7il2+Ffq
id28/IBjHgAYgr+HBTDiA44tmy8N/M4XnQtfx1/dpDjoWwrywMUF+8CW54fGXMISc5/yjVG6Ehtw
nZvBEHPlE96hpDFiH+rS/pytc7Oa23qA10OsHpMOcKfWO2RiQpzEWeaNPBqVc9I2X0I+KmTgSdou
gc4hCeHRgQBUPm6Ih/rgmUlvPUZi2JTR4ou9ui2zE+3DwCv4dBHmZM1a42dFncFgj5UhPg==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="120.29.112.104"
                                       InResponseTo="a289fe1c8762794j3g8884h0b0594e5"
                                       NotOnOrAfter="2018-11-11T19:33:05.508Z"
                                       Recipient="https://localhost:9002/samlsinglesignon/saml/SSO"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-11-11T19:28:05.496Z" NotOnOrAfter="2018-11-11T19:33:05.496Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>urn:ssoextension:publicsector:ph</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2018-11-11T19:27:32.325Z" SessionIndex="_b40860cad2dc21ea8bc2cd0786c849a8">
      <saml2:SubjectLocality Address="120.29.112.104"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>first2.last2@gmail.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>first2.last2@gmail.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>first2</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>last2</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
```

The SP is set to create a new user if the user from the SAML response does not exist in the database. This works properly using SSOCircle as the IDP. However, when using GLUU it is not happening. So I'm quite sure that the error is not about authentication of the user in the SP. My guess is that I'm using the wrong certificate as the signing key in my SP. I'm currently using the certificate from the signing attribute of my IDP metadata ("https://hostname/idp/shibboleth"), but it is not working. I've been working on this for at least 5 days already. Hope you can help me. Thanks in advance!

By Michael Schwartz Account Admin 11 Nov 2018 at 2:37 p.m. CST

A few questions:

1. Are you releasing the `transientID` attribute to this SP? That is normally necessary because `transientID` is the default nameID.
2. Can you include a screenshot of the modal window when you configure SAML2 SSO? (You'll need to post it somewhere and provide a link.)
3. Was the previous IDP also configured for `SignatureMethod Algorithm` = `rsa-sha256`?

```
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
```

By Darel Solon user 11 Nov 2018 at 4:05 p.m. CST

Hi Michael,

Thank you very much for the quick response. To answer your questions:

1. No, I'm not releasing the transientID attribute to the SP because I'm not putting any value on it when creating a user on the Gluu side. Do I need to? What should the value of the transientID be?
2. I'm not sure what screenshot you are looking for. Is it the login page of Gluu or of the SP?
3. The previous IDP was using the algorithm below:

```
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
```

What should I change in the SP to allow the rsa-sha256 algorithm? Or how do I change the algorithm of Gluu to rsa-sha1?

[UPDATE] I checked my certificate in the SP and it is using the SHA256WITHRSA algorithm as well.

Sorry for the many questions. I'm new to using GLUU and the SAML protocol. Thanks!

By Aliaksandr Samuseu staff 12 Nov 2018 at 1:33 p.m. CST

Hi, Darel.

> I'm not sure what screenshot are you looking for. Is it the login page of Gluu or in the SP?

I'm pretty sure Michael meant a screenshot (from Gluu Server's web UI) of the page of the Trust Relationship you configured for this SP.

> No, I'm not releasing the transientID attribute to SP because I'm not putting any value on it when creating a user in Gluu side. Do I need to? What should be the value of the transientID?

`transientID` is an autogenerated value. You just need to log in to the web UI, move to the "SAML -> Update Trust Relationship" page, find your TR, and add "transientid" to the list of released attributes. After a few minutes the IDP should pick up the changed configuration and start sending it (atm I don't see any nameid in your SAML response).

It may also be that the SP in question expects a specific type of nameid, like "emailAddress" or "unspecified", in which a user's id should be passed. In such a case you'll have to add it manually. As you mentioned that some other IDP works well with this SP, could you provide a SAML response this IDP sends to it? We could compare it to the one Gluu sends and figure out what differences cause this.

Regarding the certificate:

> My guess is that I'm using the wrong certificate as signinKey in my SP. I'm currently using the certificate from signing attribute of my IDP metadata ("https://hostname/idp/shibboleth"), but it is not working.

The certificate you see in Gluu's IDP's metadata is the correct one and is the one you should upload to the SP (unless the SP can parse it from the metadata automatically). It can also be found in the `/etc/certs/idp-signing.crt` file inside Gluu's container.

> I checked my certificate in SP and it is using SHA256WITHRSA algorithm also.

What Michael was talking about is the algorithm used to sign the assertion in the SAML response, not the one used to sign the certificate.

> What should I change in the SP to allow rsa-sha256 algorithm?

We can't provide support for SP configuration within the scope of Community Support. It's also hard to suggest anything without knowing which SP it is (I don't think you've mentioned it yet). Can you check the SP's logs for any error messages at the moment when it processes a response from Gluu? I would say an incorrect type of nameid is the most likely cause, then probably the difference in signing methods.
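The comparison suggested above (diffing the working IDP's response against Gluu's for the fields an SP checks: NameID, signature algorithm, audience, recipient, released attributes) can be scripted. This is an added example, not code from the thread or from Gluu; the two embedded responses are constructed stand-ins shaped like the one posted (the `sp.example` recipient and `_t1` NameID are invented), and it only reports what is present, it does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _opt(node, attr=None):
    """Text (or one attribute) of an optional element, None if it is absent."""
    if node is None:
        return None
    return node.get(attr) if attr else node.text

def summarize_response(xml_text):
    """Fields an SP checks when consuming an assertion. Presence only: the XML
    signature is not verified here, so this is a diff aid, not a validator."""
    root = ET.fromstring(xml_text)
    a = root.find("saml2:Assertion", NS)
    if a is None:
        raise ValueError("no <saml2:Assertion> in response")
    name_id = a.find("saml2:Subject/saml2:NameID", NS)
    scd = a.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    return {
        "status": _opt(root.find("saml2p:Status/saml2p:StatusCode", NS), "Value"),
        "name_id": _opt(name_id),
        "name_id_format": _opt(name_id, "Format"),
        "signature_method": _opt(a.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS), "Algorithm"),
        "audience": [x.text for x in a.findall("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)],
        "recipient": _opt(scd, "Recipient"),
        "attributes": {x.get("FriendlyName"): [v.text for v in x.findall("saml2:AttributeValue", NS)]
                       for x in a.findall("saml2:AttributeStatement/saml2:Attribute", NS)},
    }

def diff_responses(working, broken):
    """Fields where the two summaries disagree; a missing NameID shows up here."""
    return {k: (working[k], broken[k]) for k in working if working[k] != broken[k]}

def _sample(name_id_xml, sig_alg):
    # Constructed, minimal response shaped like the one in the thread; not a real capture.
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}" xmlns:ds="{NS['ds']}">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_a1"><ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/></ds:SignedInfo></ds:Signature>
    <saml2:Subject>{name_id_xml}<saml2:SubjectConfirmation><saml2:SubjectConfirmationData Recipient="https://sp.example/saml/SSO"/></saml2:SubjectConfirmation></saml2:Subject>
    <saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>urn:ssoextension:publicsector:ph</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
    <saml2:AttributeStatement><saml2:Attribute FriendlyName="mail"><saml2:AttributeValue>first2.last2@gmail.com</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>
  </saml2:Assertion></saml2p:Response>"""

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
TRANSIENT = '<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t1</saml2:NameID>'
WORKING_LIKE, GLUU_LIKE = _sample(TRANSIENT, RSA_SHA1), _sample("", RSA_SHA256)
```

Running `diff_responses(summarize_response(WORKING_LIKE), summarize_response(GLUU_LIKE))` on the constructed pair reports exactly the two differences Aliaksandr names: no NameID at all on the Gluu-like side, and rsa-sha1 versus rsa-sha256 as the signature method.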

By Aliaksandr Samuseu staff 12 Nov 2018 at 1:41 p.m. CST

Please also provide metadata of that SP, the one you used to create TR in Gluu Server.