By: Xuejiao Zhang user 28 Aug 2019 at 6:33 a.m. CDT

6 Responses
I am referring to this now: https://gluu.org/docs/ce/integration/saas/aws/

At the last step, "SSO Testing", it didn't behave as in the video.

The first try complained:

```
Web login service – Unsupported Request
The application you have accessed is not registered for use with this service.
```

The second try complained:

```
https://signin.aws.amazon.com/saml
Amazon Web Services Sign In
Your request included an invalid SAML response.
To logout, click here
```

And I checked the "SAML response" via Chrome Developer Tools; it was:

```xml
<saml2p:Response Destination="https://signin.aws.amazon.com/saml" ID="_cc40a10e656732a4d0bf7a8ccfd161c5" IssueInstant="2019-08-28T11:03:16.603Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://ec2-52-81-7-177.cn-north-1.compute.amazonaws.com.cn/idp/shibboleth</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_cc40a10e656732a4d0bf7a8ccfd161c5">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>t1RGUqgkodytKWfLIL6DL7MTAh62RNc6QJReSpkHK8A=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
      E1OOsEQaNOgKqZP9MiZiUzzXgLeGQDigOy5aOuJ00akQunXRQDrseYhQNHZz/izyX7djJfJm/hYr
      Ic4M/ZK5AKIhagCDcDvQia2B2pEEVYKYUEOrqExDy7KA3ypKr7iLc/Lf3krR77pLmev3kx7lHawX
      iyG96vga6sihNFYyZlzFk2E7NRYDvd7CgW04t5Y48G3RwyI+GnUW6Rv7NDbbyt7YbE+3XH/bcO8Y
      bXMIT+KXgVYxt/2qZGKS4k5JcoZfDROiwFC4ECzK6iUfrkEIT3WfewU+f1pP8oE8cKUsknqhxEwI
      zmRulP260W5WeEp4kCKPW6M/8k1PSzxaFtKtgQ==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate> ... </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_ef637d4db3dce69e99b529582002fc6f" IssueInstant="2019-08-28T11:03:16.603Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://test/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_ef637d4db3dce69e99b529582002fc6f">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>QEfyz4kPgH2HGfDRFhqMPEGJhAD+Z8x7Y1Mw8+3Qrbg=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue> ... </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate> ...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://ec2-52-81-7-177.cn-north-1.compute.amazonaws.com.cn/idp/shibboleth" SPNameQualifier="urn:amazon:webservices" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">...</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="..." NotOnOrAfter="2019-08-28T11:08:16.626Z" Recipient="https://signin.aws.amazon.com/saml"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-08-28T11:03:16.603Z" NotOnOrAfter="2019-08-28T11:08:16.603Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>urn:amazon:webservices</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2019-08-28T11:03:16.515Z" SessionIndex="_768aaba7d1aa246555ceaf1cb434e4e3">
      <saml2:SubjectLocality Address="54.222.61.40"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>admin</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>admin@test.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
```

Does anyone have a clue about the issue? Thanks in advance.
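
As an added example (not part of the original post, and not Gluu or AWS code): a small Python checker that reads a SAML Response like the one posted above and reports the plaintext fields AWS's SAML sign-in endpoint requires before it will accept a federated login: Destination and SubjectConfirmationData Recipient equal to the sign-in URL, an Audience of `urn:amazon:webservices`, a Conditions window that contains the current time, the same Issuer on the Response and the Assertion (the posted response carries two different Issuer values, and the Assertion Issuer must equal the entityID of the IdP metadata uploaded to IAM), and the `https://aws.amazon.com/SAML/Attributes/Role` and `RoleSessionName` attributes. It does not verify the XML signatures. The embedded sample is a constructed, abbreviated copy of the posted response with the signatures, certificates and NameID value removed; the `now_iso` and `expected_issuer` parameters are this example's own.

```python
"""Added example: check a SAML Response for the fields AWS's SAML sign-in
endpoint requires. Not Gluu or AWS code. XML signatures are NOT verified."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ACS = "https://signin.aws.amazon.com/saml"
AWS_AUDIENCES = {"urn:amazon:webservices", AWS_ACS}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed, abbreviated copy of the response posted in the thread: signatures,
# certificates and the NameID value are removed, everything else is as posted.
SAMPLE = """<saml2p:Response Destination="https://signin.aws.amazon.com/saml"
    ID="_cc40a10e656732a4d0bf7a8ccfd161c5" IssueInstant="2019-08-28T11:03:16.603Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>https://ec2-52-81-7-177.cn-north-1.compute.amazonaws.com.cn/idp/shibboleth</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_ef637d4db3dce69e99b529582002fc6f" IssueInstant="2019-08-28T11:03:16.603Z" Version="2.0">
    <saml2:Issuer>https://test/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
          SPNameQualifier="urn:amazon:webservices">REDACTED</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2019-08-28T11:08:16.626Z"
            Recipient="https://signin.aws.amazon.com/saml"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-08-28T11:03:16.603Z" NotOnOrAfter="2019-08-28T11:08:16.603Z">
      <saml2:AudienceRestriction><saml2:Audience>urn:amazon:webservices</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1"><saml2:AttributeValue>admin</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml2:AttributeValue>admin@test.com</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_aws_saml_response(xml_text, now_iso, expected_issuer=None):
    """Return a list of findings; an empty list means every check passed.
    now_iso: wall-clock time to test the validity window against.
    expected_issuer: entityID of the IdP metadata uploaded to IAM, if known."""
    now, findings = _ts(now_iso), []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != AWS_ACS:
        findings.append(f"Response Destination {resp.get('Destination')!r} != {AWS_ACS!r}")
    status = resp.find("p:Status/p:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":status:Success"):
        findings.append("StatusCode is not Success")
    assertion = resp.find("a:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext Assertion found in the Response"]
    resp_issuer = resp.findtext("a:Issuer", default="", namespaces=NS)
    asrt_issuer = assertion.findtext("a:Issuer", default="", namespaces=NS)
    if resp_issuer != asrt_issuer:
        findings.append(f"Response Issuer {resp_issuer!r} differs from Assertion Issuer {asrt_issuer!r}")
    if expected_issuer and asrt_issuer != expected_issuer:
        findings.append(f"Assertion Issuer {asrt_issuer!r} != IdP metadata entityID {expected_issuer!r}")
    scd = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != AWS_ACS:
        findings.append("SubjectConfirmationData Recipient is missing or not the AWS sign-in URL")
    cond = assertion.find("a:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            findings.append("assertion not yet valid (NotBefore is in the future)")
        if na and now >= _ts(na):
            findings.append("assertion expired (NotOnOrAfter has passed)")
        audiences = {e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)}
        if not audiences & AWS_AUDIENCES:
            findings.append(f"Audience {sorted(audiences)} does not name AWS")
    attrs = {}
    for attr in assertion.findall("a:AttributeStatement/a:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("a:AttributeValue", NS)]
    for name in (AWS_ROLE_ATTR, AWS_SESSION_ATTR):
        if name not in attrs:
            findings.append(f"required attribute {name} is missing")
    for value in attrs.get(AWS_ROLE_ATTR, []):
        # Each Role value is "role ARN,saml-provider ARN"; the China partition uses arn:aws-cn:
        parts = value.split(",")
        if len(parts) != 2 or not all(p.strip().startswith("arn:") for p in parts):
            findings.append(f"Role value {value!r} is not 'role-arn,saml-provider-arn'")
    return findings


if __name__ == "__main__":
    for line in check_aws_saml_response(SAMPLE, "2019-08-28T11:04:00Z") or ["all checks passed"]:
        print(line)
```

Run against the sample at a time inside its five-minute validity window, the checker reports the Issuer mismatch and the two missing AWS attributes and nothing else; run a few minutes later it also reports the assertion as expired. Pasting the base64-decoded SAMLResponse captured from the browser into `xml_text` gives the same report for a live response.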

By Mohib Zico Account Admin 28 Aug 2019 at 9:48 a.m. CDT

Is your Gluu Server's hostname/FQDN accessible from the Internet? Can AWS reach it at the proper IP address?

By Xuejiao Zhang user 28 Aug 2019 at 8 p.m. CDT

@Mohib.Zico Thanks for your reply. Yes, the Gluu Server is accessible from the Internet, though I am using the default public DNS of the EC2 server where the Gluu Server was installed.

By Mohib Zico Account Admin 31 Aug 2019 at 3:31 a.m. CDT

> though I am using the default public DNS of the EC2 server where the Gluu server was installed.

What is the hostname of your Gluu Server?

By Xuejiao Zhang user 31 Aug 2019 at 5:27 a.m. CDT

Hi @Mohib.Zico it's https://ec2-52-81-7-177.cn-north-1.compute.amazonaws.com.cn

By Mohib Zico Account Admin 31 Aug 2019 at 5:43 a.m. CDT

Hello Zhang, thanks. I prefer to use a properly registered hostname (e.g. test.company.com) which has a signed Apache cert as well. From experience, names like `ec2-52-81-7-177.cn-north-1` without an SSL cert have created issues in public cloud services like AWS. Also, the `ec2-52-81-7-177.cn-north-1.compute.amazonaws.com.cn` name might create issues while creating the SAML cert inside the Gluu Server. Please try with a registered hostname and SSL cert; if even that doesn't work, I'll re-test the doc with 3.1.6 and share a screencast.

By Xuejiao Zhang user 31 Aug 2019 at 9:07 a.m. CDT

@Mohib.Zico Thank you for the suggestions.