By: Kevin Achilles user 15 Jan 2019 at 1:07 a.m. CST

8 Responses
Hello, I've got a problem using a Service Provider for SAML, which doesn't offer metadata to me. When I want to log in I get the issue "Unsupported request" and the idp-process.log says this:

```
2019-01-15 07:57:34,327 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for d2test in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2019-01-15 07:57:34,336 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID d2test)
2019-01-15 07:57:34,342 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
```

I created the metadata on my own, which looks like this:

```
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2019-01-12T07:27:46Z" cacheDuration="PT604800S" entityID="d2test">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://172.30.16.184:8443/D2" index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

The configuration in Gluu looks like this:

- Display Name: D2TEST
- Description: d2test
- Entity Type: Single SP
- Metadata Location: File
- Configure Relying Party: SAML2SSO with default settings
- Released: Display Name

The configuration in the Service Provider looks like this:

```
X3-SAML=com.emc.x3.portal.server.filters.authc.X3SAMLHttpAuthenticationFilter
X3-SAML.defaultRepository=<dmrepo1>
# URL of Identity Provider (IdP) which will generate the SAML Assertion
X3-SAML.idpUrl=https://idp.local/idp/profile/SAML2/Redirect/SSO
# This has to be configured in Endpoint tab of the relying trust party.
X3-SAML.assertionConsumerServiceUrl=https://172.30.16.184:8443/D2/
# Value of the issuer in the relying party identifier
X3-SAML.issuer=d2test
# The IdP signs the SAML response. Specify the absolute path of the IdP
# certificate used to verify if the SAML response is actually coming from the IdP.
#X3-SAML.idpTokenSigningCertificate=/home/tomcat/Downloads/IPTS.cer
```

The Firefox SAML extension shows this:

```
GET https://idp.local/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZFdT4Mw**************************1PhMEmgxZ4y%2FPkiaDReeNO06fl43%2Bddrt%2FryjujpdLoBLjPwEOdmbzUpwTu0%2BtJBOvVklRdiUZuWveq7%2FCtRXJe36hJjj8JtFZLo6gkqVWNJF0mj5v9TgqfycYaZzJTgb**************************fCH8kPl87vNoKqPpNAyuRADetbEZDhISKFRFCN72KoFnERc5Ttk8YjnLkSFb5GEkogKLF1TzuOjL6KCIyjP%2BNBK1uNXklHYJCMbjCeMTPkvZQrJQcubPZosn8A5f0i9KPSL5z%2BfLWETyJk0Pk8PtMQXv4Rut%2BEQ7MuvP0W1vtus6vwt9Y0%2FB434X8DiOgmFyozIcGuRwTaCx2MM7I4xxyMGC%2FRXD%2F%2BLUN3pY5cL1AS6DX2NW4%2BtPxqsP&RelayState=%2FD2%2F#d2 HTTP/1.1
Host: vm-dctm67-cs-win.fme.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: JSESSIONID=node01rl8u87i022uf1hie5gb3bxcx011.node0; org.gluu.i18n.Locale=en; session_id=73cba58c-857b-4e92-9750-78e0d66c63e4; session_state=fd0e91b9-1e46-45a3-8e72-5b31c70ff601
Upgrade-Insecure-Requests: 1

HTTP/1.1 400 Bad Request
Date: Tue, 15 Jan 2019 07:03:11 GMT
Server: Jetty(9.4.12.v20180830)
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-store
Content-Type: text/html;charset=utf-8
Content-Length: 901
Connection: close
```

Before this I tried a SAML implementation with Windows Server 2016 and ADFS. This worked really well. So where is my mistake here? Greetings, Kevin
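The idp-process.log above reports that no SPSSODescriptor was returned for d2test, and the posted metadata carries a validUntil of 2019-01-12, three days before the logged request. The following is an added example, not code from this thread or from Gluu: it checks an SP metadata file for the conditions that stop an IdP's metadata resolver from returning a usable SPSSODescriptor (expired validUntil, entityID mismatch, missing role, protocol or HTTP-POST endpoint). The sample metadata is constructed after the one posted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, modelled on the SP metadata posted in the thread.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2019-01-12T07:27:46Z" cacheDuration="PT604800S" entityID="d2test">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.30.16.184:8443/D2" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def _parse_utc(ts):
    # SAML metadata timestamps are UTC xsd:dateTime; this sample has no fractional seconds.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_sp_metadata(xml_text, entity_id, now_iso=None):
    """Return the problems that would stop an IdP from returning an SPSSODescriptor
    for entity_id (empty list = looks usable). now_iso lets the check be replayed
    at the time of a logged request instead of the wall clock."""
    now = _parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, not md:EntityDescriptor"]
    if root.get("entityID") != entity_id:
        problems.append(f"entityID {root.get('entityID')!r} != requested {entity_id!r}")
    valid_until = root.get("validUntil")
    if valid_until and _parse_utc(valid_until) <= now:
        problems.append(f"validUntil {valid_until} already passed; expired metadata is not returned")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        problems.append("no md:SPSSODescriptor role")
        return problems
    if SAML2P not in sp.get("protocolSupportEnumeration", "").split():
        problems.append("SPSSODescriptor does not list the SAML 2.0 protocol")
    if not any(a.get("Binding") == HTTP_POST
               for a in sp.findall(f"{{{MD}}}AssertionConsumerService")):
        problems.append("no HTTP-POST AssertionConsumerService endpoint")
    return problems
```

Calling `check_sp_metadata(SP_METADATA, "d2test", "2019-01-15T07:57:34Z")` replays the check at the timestamp of the first log line; with a later validUntil the same metadata passes.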

By Michael Schwartz Account Admin 20 Jan 2019 at 4:04 a.m. CST

Just a guess, but maybe set the NameID format to transientid, which is the default for the Gluu Server?

By Kevin Achilles user 21 Jan 2019 at 1:40 a.m. CST

Great, got a connection now. But the next problem appeared... My SP needs a reply like this:

```
<Subject>
  <NameID>dmadmin</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
...
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
  <AttributeValue>dmadmin</AttributeValue>
</Attribute>
...
<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
...
```

but Gluu sends a reply like that:

```
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="displayName" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>dmadmin</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>
```

How can I fix this?

By Michael Schwartz Account Admin 21 Jan 2019 at 1:59 a.m. CST

Have you read [my book](https://gluu.co/book) on SAML? Chapter 3? You can use discount code **FOSSIAM2019** for the next few weeks. You should maybe try to set up some of the examples in that chapter, and then compare / contrast the respective metadata.

By Aliaksandr Samuseu staff 21 Jan 2019 at 6:19 p.m. CST

Hi, Kevin. You should really consider Michael's suggestion, the book is very thorough :) Regarding your issue: not sure what you mean exactly by the "My SP needs a reply like this" part, as I see two potential issues in it: the type of nameid and the attributes' names. If you need a custom nameid created, it's recommended to follow the **manual** way of defining it described in [this doc](https://gluu.org/docs/ce/3.1.4/admin-guide/saml/#manual-configuration) (you shouldn't use the web UI approach, as it may have issues in version 3.1.4). When it comes to attribute names in assertions, it gets more tricky. I would try to add a new custom attribute as described [here](https://gluu.org/docs/ce/3.1.4/admin-guide/attribute/#opendj) just for the sake of storing a copy of the username value, and use that `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname` string as the "SAML2 URI" property when you register your new attribute in the web UI. You also could opt to change this property for the existing default "Username" attribute, but this will have a global effect on all SPs which may use it. It's either one of these ways, or manual editing of the templates used to generate config files, which isn't covered by Community support, unfortunately.

By Kevin Achilles user 22 Jan 2019 at 1:37 a.m. CST

Hey, I already created a NameID called "NameID" in SAML2 URI.

```
<saml2:Attribute FriendlyName="NameID" Name="urn:oid:1.3.6.1.4.1.48710.1.3.1400" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>maxmuster</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
2019-01-22 08:25:58 [DEBUG] [https-jsse-nio-8443-exec-46] - c.e.x.p.s.f.a.X3SAMLHttpAuthenticationFilter[ ] : Response status: urn:oasis:names:tc:SAML:2.0:status:Success
2019-01-22 08:25:58 [DEBUG] [https-jsse-nio-8443-exec-46] - c.e.x.p.s.f.a.X3SAMLHttpAuthenticationFilter[ ] : Validating signature with certificate: /home/tomcat/Downloads/idp-signing.crt
2019-01-22 08:25:58 [DEBUG] [https-jsse-nio-8443-exec-46] - c.e.x.p.s.f.a.X3SAMLHttpAuthenticationFilter[ ] : Signature verification: Success
2019-01-22 08:25:58 [ERROR] [https-jsse-nio-8443-exec-46] - c.e.x.p.s.f.a.X3SAMLHttpAuthenticationFilter[ ] : Problem retrieving NameID from Assertion's subject
```

That's the log from my SP. So it really needs the NameID to look like `<NameID>nameid</NameID>`. This isn't possible without much editing, I think.

By Aliaksandr Samuseu staff 22 Jan 2019 at 2:12 p.m. CST

Please note we don't provide support for SP configuration/issues. First of all, you need to figure out what type of attributes and nameid your SP requires. Without this data we won't be able to provide any further support.

That XML element you shared in your last post is a regular attribute statement, not a nameid element - just FYI. That's how regular attributes are passed. Nameid is passed via a separate element, like this:

```
<saml:Subject>
  <saml:NameID SPNameQualifier="http://sp.example.com/demo1/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z" Recipient="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"></saml:SubjectConfirmationData>
  </saml:SubjectConfirmation>
</saml:Subject>
```

nameid is a different element entirely. You need to manually add certain structures to template files to support anything except the "transient" format (the process is described in the docs, please check my previous post for the link).

Also, it doesn't seem like the correct way to define a regular attribute:

> I already created a NameID called "NameID" in SAML2 URI.

This field must normally carry a URI string of some sort. In your case, for username it seems it may look like this (you need to check with the SP's docs/support): `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname`

Gluu doesn't support setting any other attribute name formats from the web UI. Though they are rarely needed, if you really must use a format like "Basic", or have a custom "FriendlyName", it will require manual edits to template files (not covered by Community Support normally, but those are under `opt/gluu/jetty/identity/conf/shibboleth3/idp/`, so you could experiment on your own; they are Apache Velocity templates and are used to generate the real files under `/opt/shibboleth-idp/conf/`).
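The Subject NameID versus AttributeStatement distinction made above, as an added example that is not code from this thread or from Gluu: it parses a SAML 2.0 assertion, reports the NameID and the attributes separately, and checks whether the NameID would satisfy an SP that expects the username in it (the case in the SP log, where a username carried only as an attribute still fails the NameID lookup). The assertion, its transient value and the d2test qualifier are constructed.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
WIN_ACCOUNT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Constructed assertion: transient NameID in the Subject, username only as an attribute,
# which is the shape the thread describes the IdP sending by default.
ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_c0ffee" Version="2.0"
    IssueInstant="2019-01-22T08:25:58Z">
  <saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="{TRANSIENT}" SPNameQualifier="d2test">_7c9e4d1f0b2a</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="displayName" Name="{WIN_ACCOUNT}"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>dmadmin</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

def q(local):
    return f"{{{SAML2}}}{local}"

def inspect_assertion(xml_text):
    """Return {'nameid': (value, Format) or None, 'attributes': {Name: [values]}}."""
    root = ET.fromstring(xml_text)
    nameid = root.find(f"./{q('Subject')}/{q('NameID')}")
    attrs = {}
    for a in root.iter(q("Attribute")):
        attrs[a.get("Name")] = [v.text for v in a.findall(q("AttributeValue"))]
    return {"nameid": None if nameid is None else (nameid.text, nameid.get("Format")),
            "attributes": attrs}

def nameid_satisfies(xml_text, wanted_format, must_match_attr=None):
    """True when the Subject NameID is in wanted_format and, if must_match_attr is
    given, carries the same value as that attribute (an SP that keys the Windows
    account on the NameID needs both; an attribute alone cannot substitute for it)."""
    info = inspect_assertion(xml_text)
    if info["nameid"] is None or info["nameid"][1] != wanted_format:
        return False
    if must_match_attr is None:
        return True
    values = info["attributes"].get(must_match_attr, [])
    return bool(values) and values[0] == info["nameid"][0]
```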

By Aliaksandr Samuseu staff 29 Jan 2019 at 8:26 a.m. CST

Hi, Kevin. Was it helpful? Do you still need this ticket to stay open?

By Kevin Achilles user 29 Jan 2019 at 5:07 p.m. CST

Was helpful, thanks for the support! :-) I know what to do and will realize it the next time. You can close this ticket now.