RightNow SSO using SAML 2.0 with OIM/OIF - saml-2.0

I'm currently stuck implementing SSO in RightNow using SAML 2.0. From what I have read in the RightNow documents, it supports SAML 2.0 but with a few caveats, like sending the signing certificate with the SAML response and not supporting importing metadata into RightNow.
I'm integrating RightNow with Oracle Identity Federation (11.1.1.6) and am a little stuck on the way forward. Ideally, while integrating an application for SSO, we have the metadata that helps in setting up the Service Provider (this is ideally the application that requires the SSO service). But I am unable to figure out how to set up the RightNow application as a Service Provider in the absence of Provider Metadata! Is there a way in RightNow to generate and download the metadata? If not, how do I go about configuring it? Are there any examples you can point me to that show how to do it?
Appreciate your time and effort guys. Thank you in advance.
@Andy - the metadata file
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://myorg--test.custhelp.com/fed/sp" validUntil="2023-05-07T16:44:40.193Z">
  <ds:Signature></ds:Signature>
  <md:SPSSODescriptor WantAssertionsSigned="false" AuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>X509_CERTIFICATE</ds:X509Certificate>
          <ds:X509IssuerSerial>
            <ds:X509IssuerName>X509_ISSUER_NAME</ds:X509IssuerName>
            <ds:X509SerialNumber>X509_SERIAL_NUMBER</ds:X509SerialNumber>
          </ds:X509IssuerSerial>
          <ds:X509SubjectName>X509_SUBJECT_NAME</ds:X509SubjectName>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myorg--test.custhelp.com/cgi-bin/myorg.cfg/php/admin/sso_launch.php?p_subject=Account.Login" index="0" isDefault="true"/>
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">https://myorg--test.custhelp.com/cgi-bin/myorg.cfg/php/admin/sso_launch.php</md:ServiceName>
      <md:RequestedAttribute Name="uid" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">My Organization RightNow Customer Experience Site</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">My Organization RightNow Customer Experience</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">http://www.my-org.com</md:OrganizationURL>
  </md:Organization>
</md:EntityDescriptor>
Upon hitting the SSO URL in Oracle RightNow, I do not get a response back. I verified this using the SAML tracer plug-in for Firefox, and there is also no error code returned. I have also configured SAML_ERROR_URL with the %error_code% and %session% variables.
The X509 certificate has been uploaded to RightNow and USE_KNOWN_ROOT_CAS has been set.
My hunch is that the end-point URL has something to do with it. Where to move forward from here?
Again, thanks for your help Andy.

RightNow + SAML is a pain, impossible to debug, but possible to do. After much trial and error I've been able to get it to work with OIF in the past.
There should be a manual way to create a service provider in OIF. RightNow doesn't have any way to generate the OIF metadata automatically, but here is a stub that you can use as a starting point. There are a few replacements you'll need to make for your specific site:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="RightNow-Site" validUntil="2023-05-07T16:44:40.193Z">
  <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>YOUR_PUBLIC_CERT_HERE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my-url.custhelp.com/cgi-bin/my-interface.cfg/php/admin/sso_launch.php?p_subject=Account.Login" index="0" isDefault="true"/>
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">MY_SERVICE_NAME</md:ServiceName>
      <md:RequestedAttribute Name="mail" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
Other notes from my previous attempts:
The cert usages on your signing cert seem to matter. I was never certain which usages were required by RN, but they did seem to play a factor.
The metadata above assumes you are using Login as your NameID. You can change this per the RN instructions.
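Before handing either the questioner's metadata or the stub above to OIF, it is worth linting it for the things a hand-written SP document gets wrong. The script below is an added example (Python, standard library only; not RightNow or OIF code): it checks that the NameIDFormat URNs are ones SAML Core 2.0 actually defines (note that "unspecified" keeps the SAML 1.1 prefix, so the 2.0-prefixed form in the question's file is not a defined value), that WantAssertionsSigned is true, that the X509Certificate is real base64 DER rather than a placeholder, that the ACS Location is https and uses a binding that can carry a Response, that validUntil is still in the future, and that no RSA PKCS#1 v1.5 or 3DES EncryptionMethod is advertised. The two embedded metadata documents are constructed samples modelled on the thread; the certificate in the hardened one is a stand-in DER SEQUENCE, not a real certificate.

```python
"""Lint a SAML 2.0 SP metadata document before registering it at an IdP."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List, Optional, Tuple

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# NameID formats defined by SAML Core 2.0 section 8.3 ("unspecified" keeps the 1.1 prefix).
VALID_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:" + s
    for s in ("unspecified", "emailAddress", "X509SubjectName", "WindowsDomainQualifiedName")
} | {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:" + s
    for s in ("kerberos", "entity", "persistent", "transient", "encrypted")
}
# Bindings over which an IdP may deliver a <Response> in Web Browser SSO.
RESPONSE_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                     "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"}
# RSA PKCS#1 v1.5 key transport (padding-oracle attacks) and 3DES: do not advertise.
WEAK_ENCRYPTION = {"http://www.w3.org/2001/04/xmlenc#rsa-1_5",
                   "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"}


def _looks_like_der_cert(text: str) -> bool:
    """True if the text is base64 whose first byte is a DER SEQUENCE tag (0x30)."""
    try:
        der = base64.b64decode("".join(text.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError; placeholders land here
        return False
    return len(der) > 0 and der[0] == 0x30


def lint_sp_metadata(xml_text: str, now: Optional[datetime] = None) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    findings: List[Tuple[str, str]] = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return [("ROOT", "document root is not md:EntityDescriptor")]
    if not root.get("entityID"):
        findings.append(("ENTITY_ID", "entityID is missing"))
    valid_until = root.get("validUntil")
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        findings.append(("EXPIRED", "validUntil %s is in the past" % valid_until))
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + [("NO_SP", "no md:SPSSODescriptor element")]
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append(("WANT_ASSERTIONS_SIGNED", "unsigned assertions cannot be trusted"))
    # A KeyDescriptor without a use attribute serves both signing and encryption.
    certs = [c for kd in sp.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        findings.append(("NO_SIGNING_CERT", "no signing X509Certificate"))
    for cert in certs:
        if not _looks_like_der_cert(cert.text or ""):
            findings.append(("CERT_PLACEHOLDER", "X509Certificate is not base64 DER"))
    for fmt in sp.findall("md:NameIDFormat", NS):
        value = (fmt.text or "").strip()
        if value not in VALID_NAMEID_FORMATS:
            findings.append(("NAMEID_FORMAT", "%s is not a defined NameID format" % value))
    for svc in sp.findall("md:AssertionConsumerService", NS):
        if not svc.get("Location", "").startswith("https://"):
            findings.append(("ACS_SCHEME", "ACS Location %s is not https" % svc.get("Location")))
        if svc.get("Binding") not in RESPONSE_BINDINGS:
            findings.append(("ACS_BINDING", "%s cannot carry a Response" % svc.get("Binding")))
    for enc in sp.iter("{%s}EncryptionMethod" % NS["md"]):
        if enc.get("Algorithm") in WEAK_ENCRYPTION:
            findings.append(("WEAK_ENCRYPTION", "%s is advertised" % enc.get("Algorithm")))
    return findings


# Constructed samples. STAND_IN_CERT is a tiny DER SEQUENCE, not a real certificate.
STAND_IN_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
ACS = 'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="0" isDefault="true"'
HEAD = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2023-05-07T16:44:40.193Z" ')
QUESTION_STYLE = HEAD + """entityID="https://myorg--test.custhelp.com/fed/sp">
<md:SPSSODescriptor WantAssertionsSigned="false">
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>X509_CERTIFICATE</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/></md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService %s Location="https://myorg--test.custhelp.com/cgi-bin/myorg.cfg/php/admin/sso_launch.php?p_subject=Account.Login"/>
</md:SPSSODescriptor></md:EntityDescriptor>""" % ACS
HARDENED = HEAD + """entityID="RightNow-Site">
<md:SPSSODescriptor WantAssertionsSigned="true">
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService %s Location="https://my-url.custhelp.com/cgi-bin/my-interface.cfg/php/admin/sso_launch.php?p_subject=Account.Login"/>
</md:SPSSODescriptor></md:EntityDescriptor>""" % (STAND_IN_CERT, ACS)
REFERENCE_TIME = datetime(2022, 1, 1, tzinfo=timezone.utc)  # a date before validUntil

if __name__ == "__main__":
    for name, doc in (("question", QUESTION_STYLE), ("hardened", HARDENED)):
        print(name, lint_sp_metadata(doc, now=REFERENCE_TIME))
```

Run against the question-style document it reports the unsigned-assertion setting, the placeholder certificate, the undefined NameID format and the rsa-1_5 method; the hardened stub passes until its validUntil lapses, at which point only EXPIRED is reported. The checks are deliberately conservative: they do not validate the ds:Signature, and they treat any non-DER certificate text as a placeholder.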

Related

TAI for MS Azure with Websphere Application Server setup for Idp initiated flow not working

I am trying to set up a SAML SSO configuration for my application, which is deployed in WebSphere.
IdP - Azure AD
SP - WebSphere Application Server, where my target application is deployed
Done the TAI configuration as per the IBM document. But when I hit the test button from the IdP I can see the SAML response in the network tab, but I couldn't log in to my application, and I also didn't get any trace related to SAML in the log files, although I have enabled logs for SAML in Troubleshoot. My doubt is that sometimes I am getting traces related to TAI during server stop. For each request should I be getting a TAI trace? And why is my SAML response not getting intercepted in TAI? How exactly does the interception happen with the SAML response, and how do we get to know that the SAML response got validated?
[15/4/21 16:18:42:855 IST] 00000096 TrustAssociat A SECJ0121I: Trust Association Init class com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor loaded successfully
ACS URL -> https://localhost:/browserTest (which is my actual target application URL)
Metadata and signing certificates were also imported correctly.
Thanks for your help.
The ACS URL has a format like this:
https://<hostname>:<sslport>/samlsps/<any URI pattern string>
If you want to use your application URL
https://localhost:/browserTest
as the ACS URL, this URL must be able to accept an HTTP POST.

(SalesForce SAML) Is it possible for SAML authNrequest to override Assertion Consumer Service url(ACS)

I'm trying to use the same Salesforce app with multiple SAML service providers. All of the service providers have the same identifiers; the only thing I need from Salesforce is to send the SAMLResponses to the Assertion Consumer Service (ACS) that I specify when I construct the AuthnRequest.
When I construct the SP-initiated authentication request to SF I include the ACS URL (as the AssertionConsumerServiceURL field) in the SAMLRequest token, but it doesn't seem to override the ACS URL that is mandatory in the connected app's SAML settings.
Maybe there is a way to override the ACS URL?
Not sure about Salesforce, but in general, yes, we can. Just add the AssertionConsumerServiceURL="xxx" tag to the AuthnRequest. I just tried this myself (with Optimal IdM). Unless Salesforce has restrictions in place that don't accept overriding, this is possible.
So a sample AuthnRequest would look like:
<samlp:AuthnRequest Version="2.0" IssueInstant="2018-06-29T14:46:11.33Z" ForceAuthn="false" IsPassive="false" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="xxxxxxx">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">xxxxxxx</saml:Issuer>
</samlp:AuthnRequest>
PS: I know it's an old thread, but answering anyway for the sake of others.
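The caveat a practitioner wants next to that answer is what the IdP has to do with a requested AssertionConsumerServiceURL: SAML Core 2.0 (section 3.4.1.4) requires the IdP to verify that the URL is associated with the requesting SP, typically by comparing it with the ACS locations in the SP's registered metadata or by only honouring it in a signed request. An IdP that skips that check will post assertions to any URL an attacker puts in a forged request. The following is an added example in Python (standard library only; not Salesforce or Optimal IdM code) showing both halves: the SP building the request and encoding it for the HTTP-Redirect binding, and the IdP decoding it and resolving the ACS URL against a constructed registration table. The entity IDs and URLs are invented.

```python
"""SP: build an AuthnRequest naming an ACS URL and encode it for HTTP-Redirect.
IdP: decode it and honour the requested ACS URL only if it is registered."""
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer: str, acs_url: str, request_id: Optional[str] = None,
                        issue_instant: Optional[str] = None) -> str:
    """Serialise an AuthnRequest. Attributes go through ElementTree so a
    caller-supplied URL cannot break out of the XML."""
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id or "_" + uuid.uuid4().hex,  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, "{%s}Issuer" % SAML).text = issuer
    return ET.tostring(req, encoding="unicode")


def redirect_binding_query(request_xml: str, relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, base64, then URL-encode."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: no zlib header
    data = deflater.compress(request_xml.encode()) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(data).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect_request(query: str) -> str:
    """Inverse of redirect_binding_query, as the IdP sees the request."""
    b64 = parse_qs(query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()


def resolve_acs(request_xml: str, registered: Dict[str, List[str]]) -> Optional[str]:
    """IdP-side check. registered maps SP entityID -> ACS Locations from its
    metadata (first entry is the default). Returns the URL to post the Response
    to, or None when the issuer is unknown or the requested URL is not one of
    the SP's registered locations (honouring it would let a forged request
    redirect assertions to an attacker)."""
    root = ET.fromstring(request_xml)
    allowed = registered.get(root.findtext("{%s}Issuer" % SAML) or "")
    if not allowed:
        return None
    requested = root.get("AssertionConsumerServiceURL")
    if requested is None:
        return allowed[0]
    return requested if requested in allowed else None


# Constructed registration, as an IdP would derive it from the SP's metadata.
SP_ENTITY_ID = "https://sp.example.test/metadata"
REGISTERED_ACS = {SP_ENTITY_ID: ["https://sp.example.test/acs", "https://sp.example.test/acs2"]}

if __name__ == "__main__":
    wire = redirect_binding_query(build_authn_request(SP_ENTITY_ID, "https://sp.example.test/acs2"))
    print("honoured:", resolve_acs(decode_redirect_request(wire), REGISTERED_ACS))
    forged = build_authn_request(SP_ENTITY_ID, "https://attacker.example.test/acs")
    print("forged request resolves to:", resolve_acs(forged, REGISTERED_ACS))
```

The comparison is an exact string match against the metadata Location values, which is the conservative choice; if an IdP accepts prefix or host-only matches, an open redirect or a path-controlled endpoint on the SP's host becomes an assertion sink.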

SP-initiated Single Logout not working with SalesForce

I am attempting to use SP-initiated SLO with SalesForce (trying Redirect and POST) with the following LogoutRequest:
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1583fa34b3e9426ba5885849204d6f8d" Version="2.0" IssueInstant="2017-11-14T18:42:25Z" Destination="https://myorg-dev-ed.my.salesforce.com/services/auth/idp/saml2/logout">
  <saml:Issuer>myorg</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">me@myorg</saml:NameID>
</samlp:LogoutRequest>
I am using my SP entity ID for Issuer. I also tried using it for NameID SPNameQualifier. My Redirect and POST logic work for AuthnRequest. This SLO is working with OneLogin.
The error I get back is:
We are unable to log you out. Please contact your administrator for
more information.
I cannot find any relevant log entries.
Which tool are you using to generate the XML?
Add the tag SessionIndex, which you can get from the login.
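The SessionIndex the answer refers to is the attribute on the AuthnStatement of the assertion the IdP returned at login; a LogoutRequest has to echo it, together with the NameID exactly as issued (same value, Format and any qualifiers). The following is an added example in Python (standard library only; not Salesforce or OneLogin code) that reads those fields out of a login Response and builds the LogoutRequest from them. The Response embedded below is a constructed sample with the signature omitted; in real use the Response's signature must have been verified before anything is read from it.

```python
"""Read NameID and SessionIndex from a login Response and build a LogoutRequest."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def session_from_response(response_xml: str) -> Dict[str, Optional[str]]:
    """Return the subject NameID (with Format and SPNameQualifier) and the
    SessionIndex from the first plaintext Assertion. Signature validation is
    assumed to have happened already; this only reads fields."""
    root = ET.fromstring(response_xml)
    assertion = root.find("{%s}Assertion" % SAML)
    if assertion is None:
        raise ValueError("Response carries no plaintext Assertion")
    name_id = assertion.find("{%s}Subject/{%s}NameID" % (SAML, SAML))
    authn = assertion.find("{%s}AuthnStatement" % SAML)
    if name_id is None or authn is None:
        raise ValueError("Assertion lacks NameID or AuthnStatement")
    return {
        "name_id": name_id.text,
        "format": name_id.get("Format"),
        "sp_name_qualifier": name_id.get("SPNameQualifier"),
        "session_index": authn.get("SessionIndex"),
    }


def build_logout_request(issuer: str, destination: str, session: Dict[str, Optional[str]],
                         request_id: Optional[str] = None,
                         issue_instant: Optional[str] = None) -> str:
    """LogoutRequest carrying the NameID exactly as issued plus the SessionIndex."""
    req = ET.Element("{%s}LogoutRequest" % SAMLP, {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(req, "{%s}Issuer" % SAML).text = issuer
    # Only copy the qualifiers that the IdP actually set on the NameID.
    attrs = {k: v for k, v in (("Format", session["format"]),
                               ("SPNameQualifier", session["sp_name_qualifier"])) if v}
    ET.SubElement(req, "{%s}NameID" % SAML, attrs).text = session["name_id"]
    if session["session_index"]:
        ET.SubElement(req, "{%s}SessionIndex" % SAMLP).text = session["session_index"]
    return ET.tostring(req, encoding="unicode")


# Constructed login Response (signature omitted) standing in for what an IdP returned.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" IssueInstant="2017-11-14T18:40:00Z">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-11-14T18:40:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">me@myorg</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2017-11-14T18:40:00Z" SessionIndex="_sess-constructed-1"/>
 </saml:Assertion>
</samlp:Response>"""
LOGOUT_ENDPOINT = "https://myorg-dev-ed.my.salesforce.com/services/auth/idp/saml2/logout"

if __name__ == "__main__":
    print(build_logout_request("myorg", LOGOUT_ENDPOINT, session_from_response(SAMPLE_RESPONSE)))
```

The SessionIndex should be stored with the local session at login so that logout does not depend on keeping the whole Response around; the request still needs to be signed and sent over the Redirect or POST binding the IdP's SLO endpoint accepts, which the thread's existing AuthnRequest logic already does.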

Setting up OpenSSO (OpenAM) for Identity Provider scenario

We have an OpenSSO (OpenAM) instance set up at our end to work as a Service Provider (SP). It's been working well so far in an SP Initiated SSO scenario, however, I recently had to set it up for an IDP initiated scenario and am unable to get it to work successfully. To explain, in this scenario, the IDP would like to send the SAMLResponse directly to the Assertion consumer service at my end and our OpenAM instance should be able successfully digest the response and send the user to our underlying application. My questions are:
Is there any other configuration required in this scenario except for exchanging/uploading the metadata between the IDP and us (SP)?
Can I upload the metadata of the IdP into the same COT as the other IdPs that are currently working in the SP-initiated scenario? Or should there be a new COT for each IdP provider?
What URL should I provide to the IDP to send the SAMLResponse to? Is it the AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" from our metadata? I tried this a few days back and OpenAM reported an error - "this is not the right consumer service for this request" or something.
I got an answer for this on an OpenAM forum -
http://lists.forgerock.org/pipermail/openam/2012-August/007872.html

Salesforce webservice call

I am trying to do the following;
From salesforce.com I call http get or post and post a json object using httpRequest system class. but I am getting following exception (it is https):
java.security.cert.CertificateException: No name matching issue mywebsite.com found
I have configured this website in the remote host already. Does anyone have some idea what could be wrong here?
Are you missing a call to req.setClientCertificateName?
I have Apex code where Salesforce calls out to a web service on my site. I protected it with client-side SSL. My website, the host, authorizes the client cert from Salesforce.com (vs. traditional web SSL where the browser client authorizes the server cert). You can create a self-signed certificate in Salesforce Admin under Certificate and Key Management and then reference it with a call to req.setClientCertificateName. Here is some code from my production org:
// Request payload; the original snippet did not show its declaration (value assumed here).
String body = '{"message":"hello"}';

HttpRequest req = new HttpRequest();
req.setMethod('POST');
req.setHeader('Host', 'www.mywebsite.com');
req.setEndpoint('https://www.mywebsite.com/post.asp');
try {
    // Name of the certificate created under Certificate and Key Management.
    req.setClientCertificateName('Cert_For_MyWebSite');
} catch (System.CalloutException e) {
    // The cert doesn't make it to the sandbox
}
req.setHeader('Connection', 'keep-alive');
req.setHeader('content-type', 'text/plain');
req.setHeader('Content-Length', body.length().format());
req.setBody(body);
Http http = new Http();
HttpResponse res = http.send(req);
System.debug(res.toString());
System.debug('STATUS:' + res.getStatus());
System.debug('STATUS_CODE:' + res.getStatusCode());
On the server (IIS 7.5) I enabled the self-signed cert with this web.config:
<configuration>
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      <authentication>
        <iisClientCertificateMappingAuthentication enabled="true" oneToOneCertificateMappingsEnabled="true">
          <oneToOneMappings>
            <!-- production salesforce -->
            <add enabled="true"
                 userName="salesforce"
                 password="[enc:AesProvider:aaa...aaa:enc]"
                 certificate="MIIEaaa...aaa=" />
          </oneToOneMappings>
        </iisClientCertificateMappingAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
In my other answer I was thinking about the Salesforce client cert because I remember having headaches sorting it out originally, but maybe the error is with your web server's cert. This might be a simple name matching issue. For example, the cert your server presented to Salesforce was issued to a.company.com but you're trying to use it at b.company.com. That produces a very similar java error message as talked about here and here. Does your browser give any errors when you try your service over SSL?
If you think Salesforce isn't verifying your web server's cert you can try some of the tricks suggested over here for a similar javax.net.ssl.SSLPeerUnverifiedException error. They even point to a list of CAs that are trusted by Salesforce.
