I'm trying to set up SAML2 authentication in a CAS 6.1.3 installation, but I'm having this error and I can't understand where to intervene to fix it:
Error: SAML object [org.opensaml.saml.saml2.core.impl.ResponseImpl type does not match interface org.opensaml.saml.saml2.core.AuthnRequest
Can anyone help me?
Regards
Related
I am using Spring SAML integration. I am getting below error when I tried to SAML logout without SingleLogout point.
I override the SAML method to check metadata has any SingleLogout point or not but it's not working.
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: IDP doesn't contain any SingleLogout endpoints
at org.springframework.security.saml.util.SAMLUtil.getLogoutBinding(SAMLUtil.java:108)
at org.springframework.security.saml.websso.SingleLogoutProfileImpl.sendLogoutRequest(SingleLogoutProfileImpl.java:66)
at org.springframework.security.saml.SAMLLogoutFilter.processLogout(SAMLLogoutFilter.java:140)
To properly override the lack of single logout endpoint in the metadata, you'd have to provide your own implementation of org.springframework.security.saml.websso.SingleLogoutProfile and inject it as a dependency in your application config. Certainly doable but quite a bit of effort for a problem that has a simpler solution: manually modify the metadata you received from the IdP and add the endpoint. (If the metadata is signed, you'll need to remove the signature).
I am getting this openid authernisation error when trying to log into an openid service from a mobile app, could anyone explain to me the possible causes?
Error Domain=org.openid.appauth.general Code=-4
In the documentation it says "general" error, wouldbe good to have more insight on what are the potential causes.
I had the same issue. It is authorisation error and in my case was caused by not setting clientSecret with the request.
I'm facing a problem with validating SAML response where in, its giving digest mismatch. Tried checking it with the certificate's digest value and its showed a different value. I think there is a problem with the certificate or the SAML response but, I'm also wondering whether not having an authentication at the SP level is also a cause for concern since, the client does not want a response back on the IDP, contrary to what the standard setup for SAML dictates. I realize there shouldn't be a setup of this sort due to obvious security concerns but, this was the setup they have requested...
If the SAML assertion is not signed properly, this is a security concern and you should not trust it. By trusting it without validating the digest, you would open your self up to anyone submitting SAML to your ACS URL and being authenticated.
When sending SAML LogoutRequest to ADFS IdP I am getting on ADFS side error :
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7054: The SAML logout did not complete properly.
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSamlLogoutResponse(HttpSamlMessage samlMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SamlLogout()
Message is according with SAML standards and it is signed.
What I have to look for ?
I have finally get more detail log from our partner. The problem was the missing certificate in signing tab of the our RelayParty on pratners ADFS server. Also the problem could be missing permissions for private key of the mentioned certificate for ADFS IIS running process (that is most probably NETWORK SERVICE). SLO is working now properly.
The Federation Service encountered an error while processing the SAML authentication request.
Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
)
'. Ensure that the SecurityTokenResolver is populated with the required key.
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadLogoutRequest(XmlReader reader)
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Logout(LogoutRequest logoutRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
I did SSO of OpenAM and SalesForce.com (SFDC)
I have installed OpenAM-Client SDK to retrieve SAML Assertion from OpenAM.
I used this assertion data to generate SAML response required for SalesForce. When I pass this data to SFDC. I got error message for SAML.
“Failed: Signature Invalid/Configured Certificate Mismatch”
I used same certificate and signature data which I got from OpenAM-client SDK public API assertion.
At time of SSO configuration with SDFC. I used default certificate (test cert) provided by OpenAM.
Is there any way to retrieve test certificate and its signature from OpenAM ?
Run one of the failing SAML assertions through the SAML Validation tool inside Single Sign-On Settings in SFDC; you should get a slightly more useful error. The most likely cause of this is that you have not uploaded the correct certificate to SFDC as part of your SSO setup. Make sure the "Identity Provider Certificate" section of "Single Sign-On Settings" matches the cert contained in the assertion.