How to get error message from IDP(ADFS) when SAML response has status as Responder? - saml-2.0

If the SAML Response has the status "status:Responder", according to the SAML spec:
urn:oasis:names:tc:SAML:2.0:status:Responder - The request could not be performed due to an error on the part of the SAML responder or SAML authority.
We expect the IDP to send the error message along with the response.
In the ADFS event viewer we can find out why the SAML request failed; however, we don't have access to the ADFS server in the production environment.
Is it possible to get the error message inside the SAML response in case the authentication fails?
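The Status element is the only place in the Response where the IdP can say why it failed: a chain of nested StatusCode values (the top-level one, such as status:Responder, classifies the outcome and nested ones refine it) plus the optional StatusMessage and StatusDetail elements. The following is an added example, not code from the question or from ADFS, that decodes the base64 SAMLResponse form field and pulls out everything the IdP did include, treating the optional message and detail as absent unless present. The sample Response is constructed for this example.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 protocol namespace; the Status element lives here.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of a failed Response: top-level status:Responder with a
# second-level code and a StatusMessage. An IdP may legitimately omit the
# message and detail, which is why the parser returns None for them.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-sample" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>constructed sample message</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# The HTTP-POST binding delivers the document base64-encoded in the
# SAMLResponse form field; this is what an ACS endpoint actually receives.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")


def decode_saml_response(saml_response_param):
    """Decode the base64 SAMLResponse form field back to XML text."""
    return base64.b64decode(saml_response_param).decode("utf-8")


def parse_status(response_xml):
    """Return the StatusCode chain, StatusMessage and StatusDetail of a Response.

    The chain is ordered outermost first, e.g. [Responder, RequestDenied].
    Use defusedxml.ElementTree instead of the stdlib parser for untrusted input.
    """
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("Response carries no Status element")

    # StatusCode elements nest: walk from the top-level code inward.
    codes = []
    code = status.find("samlp:StatusCode", NS)
    while code is not None:
        codes.append(code.get("Value"))
        code = code.find("samlp:StatusCode", NS)

    message = status.find("samlp:StatusMessage", NS)
    detail = status.find("samlp:StatusDetail", NS)
    return {
        "success": codes[:1] == [STATUS_SUCCESS],
        "codes": codes,
        "message": message.text.strip() if message is not None and message.text else None,
        # StatusDetail content is IdP-defined; keep it as serialized XML.
        "detail": "".join(ET.tostring(c, encoding="unicode") for c in detail)
        if detail is not None and len(detail) else None,
    }


def describe_failure(status):
    """One log line an SP can emit when a Response is not Success."""
    if status["success"]:
        return "SAML authentication succeeded"
    line = "SAML authentication failed: " + " / ".join(status["codes"])
    if status["message"]:
        line += " (" + status["message"] + ")"
    return line


if __name__ == "__main__":
    print(describe_failure(parse_status(decode_saml_response(SAMPLE_RESPONSE_B64))))
```

Logging the full code chain on the SP side is the practical answer when the IdP's own logs are out of reach: the second-level code and any StatusMessage are the only detail the protocol lets the responder volunteer, and if the Response carries nothing beyond the top-level code, the cause has to come from whoever can read the IdP's event log.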

Related

IdentityServer4 override BadRequest for invalid_client

We have a basic IdentityServer implementation using ClientCredentials. When a token is requested with an invalid secret, we're receiving an invalid_client error with a 400 BadRequest status. What is the best way to override this response and return a 401 unauthorized? We have a remote device accessing our api which expects a 401 for authentication errors.
One option is to work with another project that works as a facade in the middle, connects to the /connect/token methods and then gives a different response having 401. Here are some links:
https://microservices.io/patterns/apigateway.html
How to setup a Web API Facade pattern

I am trying to integrate my Spinnaker application with Okta. I created the application in Okta.
Spinnaker Dashboard Application configuration:
I have configured my gate-local.yml file accordingly.
saml:
  enabled: true
  metadataUrl: file:/opt/spinnaker/config/metadata.xml
  keyStore: file:/opt/spinnaker/config/saml.jks
  keyStorePassword: <password>
  keyStoreAliasName: saml
  issuerId: <issuerId>
When I hit the URL http://localhost:8084 I get redirected to the Okta login page. Once I have successfully logged in, I get the error message:
{"error":"Unauthorized","message":"Authentication Failed: Incoming SAML message is invalid","status":401,"timestamp":1524402208502}
This is the SAML flow. You are likely hitting step 4 and not passing it.
You should use SAML Tracer to check.

ERROR: `InResponseTo` does not match any of the possible request IDs (expected [])

I'm configuring a PingFederate IdP with a Shibboleth Service Provider. When I click on the SSO Application Endpoint in the SP connection of Ping, after entering the username password I get this error message in my SP logs:
ERROR: InResponseTo does not match any of the possible request IDs (expected [])
The response does not have an InResponseTo attribute. What could be causing this error?
Using the link at the top of the SP connection will start an IdP-initiated SSO transaction. By spec, IdP-initiated responses are considered "unsolicited responses", and cannot contain InResponseTo. You will need to fix your SP so that it requires InResponseTo only when your SP initiates the transaction.
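The check the answer describes, as an added example that is not part of the original answer or of Shibboleth: an SP keeps the IDs of the AuthnRequests it has issued, requires a matching InResponseTo on a Response only when one of those is outstanding, and accepts a Response without InResponseTo only when policy allows IdP-initiated SSO. It also applies the same rule to the bearer SubjectConfirmationData inside the Assertion, which must agree with the Response. The two sample Responses are constructed (with a made-up Recipient URL), and the `accept_unsolicited` policy flag is an assumption of this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def _sample(in_response_to):
    """Constructed Response skeleton; pass None for an unsolicited one."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{attr}>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameID>user@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData{attr} Recipient="https://sp.example.invalid/Shibboleth.sso/SAML2/POST"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


SOLICITED_RESPONSE = _sample("_req-123")   # reply to our own AuthnRequest
UNSOLICITED_RESPONSE = _sample(None)       # IdP-initiated: no InResponseTo anywhere


def check_in_response_to(response_xml, outstanding_ids, accept_unsolicited=False):
    """Validate the InResponseTo attributes of a Response and its Assertion.

    outstanding_ids: set of AuthnRequest IDs this SP issued and has not yet
    consumed; a matching ID is removed so the same Response cannot be replayed.
    accept_unsolicited: SP policy for IdP-initiated SSO (assumed flag).
    Returns (accepted, reason).
    """
    root = ET.fromstring(response_xml)
    irt = root.get("InResponseTo")
    scd_ids = {
        scd.get("InResponseTo")
        for scd in root.iterfind(".//saml:SubjectConfirmationData", NS)
    }

    if irt is None:
        # Unsolicited response: allowed only by policy, and nothing inside
        # it may claim to answer a request either.
        if not accept_unsolicited:
            return False, "InResponseTo missing: unsolicited response rejected by SP policy"
        if scd_ids - {None}:
            return False, "unsolicited response carries InResponseTo in SubjectConfirmationData"
        return True, "unsolicited (IdP-initiated) response accepted"

    if irt not in outstanding_ids:
        return False, f"InResponseTo {irt} does not match any outstanding request ID"
    if scd_ids - {irt}:
        return False, "SubjectConfirmationData InResponseTo disagrees with Response"
    outstanding_ids.discard(irt)
    return True, f"solicited response to {irt}"


if __name__ == "__main__":
    pending = {"_req-123"}
    print(check_in_response_to(SOLICITED_RESPONSE, pending))
    print(check_in_response_to(UNSOLICITED_RESPONSE, set()))
    print(check_in_response_to(UNSOLICITED_RESPONSE, set(), accept_unsolicited=True))
```

The second call reproduces the situation in the question: no InResponseTo on an IdP-initiated Response while the SP insists on one. Whether to set the policy flag is a deliberate decision, since accepting unsolicited responses means the SP can no longer tie a login to a request it made itself.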

How to check if the SAML Assertion Response from the IdP reaches the SP in Ping Federate?

The SAML Response will be posted to the following url:
https://domain/sp/ACS.SAML2
But when I try to hit the url, I am not able to see the response.
Anything wrong in my approach?
Thanks & Regards,
Aswini J
A few things assuming you are setting up SAML 2.0 Web SSO Profile -
What do you mean you can't "see" the Response? Are you successfully logging into the IDP and having it redirect the Browser to the PF ACS URL?
With PingFederate, the application and protocol end-points are case sensitive. You should use http(s)://www.server.com:<PF runtime port>/sp/ACS.saml2. If you simply request this value from your browser with a GET request and no SAML data, PingFed will show you a generic error template page.
If you have successfully POST'd the SAMLResponse to the right endpoint, you will see the actual SAMLResponse logged in the /pingfederate/log/server.log.

How to retrieve SAML Response from OpenAM for SalesForce

I got a SAML assertion from the TrustAuthorityClient API with the public API code below:
securityToken = client.getSecurityToken("default", endpointURL, mexEndpointURL,
        (java.lang.Object) ssoToken, SecurityMechanism.STS_SECURITY_URI,
        (getServletConfig()).getServletContext());
But this is created with SunSTS.
When I test this Assertion to retrieve an access token from SalesForce, it gives me an invalid Assertion.
Is there any way to retrieve the SAML response from OpenAM for SalesForce?
When I test IDP-initiated SSO with SalesForce, in the debug log I can see the SAML Response is created for SSO.
How should I retrieve this SAML response from OpenAM?
You may need to grab the SAML Response via JavaScript at the front end. The full response will be in a SAMLResponse object after SSO, so your Assertion Consumer Service URL (SP SSO URL) that would receive this would need to check for that parameter, save it and somehow submit to SFDC for OAuth token exchange. Alternatively, take the Assertion from SunSTS and make your SAMLP Response wrapper yourself.
I believe this is due to SFDC implementing an earlier draft of the SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 (see: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-saml2-bearer-10).
The latest draft of that spec does not require the Response wrapper - likely just the Assertion itself from SunSTS will work, provided SFDC updates to support it.