From: Gerben V. <ger...@su...> - 2015-06-11 09:50:59
Dear all,

I am having difficulties in setting up Unity for federated access. What I have done thus far is make use of an external SAML IdP, which provides federated authentication. The external IdP is SURFconext. My configuration seems to be working in so far as I am able to see and use the WAYF page. This is still within a test environment. After having selected an IdP from the WAYF page, I am asked for credentials. This also works as expected. When I return, however, Unity logs the lines below:

2015-06-11 11:20:00,838 [qtp406265225-43] DEBUG unity.server.saml.RedirectRequestHandler - Starting SAML HTTP Redirect binding exchange with IdP https://engine.surfconext.nl/authentication/idp/single-sign-on
2015-06-11 11:20:16,973 [qtp406265225-44] DEBUG unity.server.saml.SamlHttpServlet - Got SAML response using the HTTP POST binding
2015-06-11 11:20:17,233 [qtp406265225-44] WARN unity.server.saml.SAMLRetrievalUI - SAML response verification or processing failed
pl.edu.icm.unity.server.authn.AuthenticationException: The SAML response is either invalid or is issued by an untrusted identity provider.

Looking at the HTTP response, I received the following:

POST https://unity.sara.cloudlet.sara.nl:2443/unitygw/spSAMLResponseConsumer HTTP/1.1
Host: unity.sara.cloudlet.sara.nl:2443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://engine.surfconext.nl/authentication/sp/consume-assertion
Cookie: lastAuthenticationUsed=samlWeb_remoteIdp.1.
Content-Type: application/x-www-form-urlencoded
Content-Length: 7755

HTTP/?.? 302 Found
X-Frame-Options: DENY
Location: https://unity.sara.cloudlet.sara.nl:2443/home/home/
Content-Length: 0

What I am trying to do is to have a user log in in a federated manner as a test to see if my configuration works.

The SAML response lists the requested attributes, so that seems fine. What I can make of the debug info is that the certificate is not trusted. I am not sure which certificate that is. The federated IdP should work with self-signed certificates; this I checked with the service itself. It puzzles me why I also see the DENY for the redirect. Is that based on the fact of the untrusted certificate? This seems likely, and what do I need to do to get a trusted certificate, i.e. what part of the configuration did I not get right?

Many thanks,
Gerben Venekamp
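As an added example (not part of the original message, and not Unity's own code), the following Python script pulls the Issuer values and the SHA-256 fingerprint of the certificate embedded in a SAML Response's signature, which is the first thing to compare against the SP's configured IdP certificate when verification fails with "untrusted identity provider". The sample response, the IdP entityID and the certificate bytes are constructed placeholders; the script identifies the certificate but does not validate the signature itself.

```python
"""List Issuer(s) and signing-certificate fingerprint(s) of a SAML Response so
an SP admin can see which IdP certificate has to be in the trust store."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder standing in for the DER bytes of the IdP signing cert.
PLACEHOLDER_DER = b"constructed-placeholder-certificate-der-bytes"

# Constructed minimal SAML Response; the IdP entityID is hypothetical.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {base64.b64encode(PLACEHOLDER_DER).decode()}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""
# What the browser actually POSTs in the SAMLResponse form field (base64 of the XML).
SAMPLE_POST_PARAM = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form most SP consoles display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_response(xml_text: str) -> dict:
    """Return every Issuer (Response and Assertion level) and every KeyInfo cert."""
    root = ET.fromstring(xml_text)
    issuers = [e.text.strip() for e in root.iter(f"{{{NS['saml']}}}Issuer") if e.text]
    certs = []
    for cert in root.iter(f"{{{NS['ds']}}}X509Certificate"):
        der = base64.b64decode("".join((cert.text or "").split()))  # drop PEM wrapping
        certs.append(fingerprint(der))
    return {"issuers": issuers, "certificates": certs,
            "signed": root.find("ds:Signature", NS) is not None}


def untrusted_certificates(info: dict, trusted: set) -> list:
    """Fingerprints seen in the response that the SP trust store does not contain."""
    return [fp for fp in info["certificates"] if fp not in trusted]


def inspect_post_binding(saml_response_param: str) -> dict:
    """HTTP-POST binding: decode the SAMLResponse form field, then inspect the XML."""
    return inspect_response(base64.b64decode(saml_response_param).decode())
```

Compare the reported fingerprint with the certificate configured for the IdP on the SP side; a mismatch (for example a rotated IdP key or a certificate copied from the wrong metadata) is the usual cause of the "untrusted identity provider" verdict.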