From: Shiraz M. <a....@fz...> - 2015-06-11 14:23:15
Hi Gerben,

I would like to know which Unity version you are running and what SURFconext's remote IdP configuration looks like inside remoteSamlAuth.properties.

A tip: use the metadataSource style of configuration:

unity.saml.requester.metadataSource.surfconext.url=https://url_to_your_idp_metadata_file
unity.saml.requester.metadataSource.surfconext.perMetadataTranslationProfile=some_InputAttributeTranslationProfile (optional)
unity.saml.requester.metadataSource.surfconext.perMetadataRegistrationForm=some_RegistrationForm (optional)

Set the following property in the log4j.properties file to see more detailed SAML-specific exchanges:

log4j.logger.unity.server.saml=DEBUG

Furthermore, you may enable signature verification by:

unity.saml.requester.metadataSource.surfconext.signaturVerification=require
unity.saml.requester.metadataSource.surfconext.signatureVerificationCertificate=SURFCONEXT_IDP_CERTIFICATE (should be defined in the conf/pki.properties file)

Finally, refresh the authenticators and endpoints.

Cheers,
Shiraz

On Thu, Jun 11, 2015 at 11:50 AM, Gerben Venekamp <ger...@su...> wrote:

Dear all,

I am having difficulties in setting up Unity for federated access. What I have done thus far is make use of an external SAML IdP, which provides federated authentication. The external IdP is SURFconext. My configuration seems to be working in so far as I am able to see and use the WAYF page. This is still within a test environment. After having selected an IdP from the WAYF page, I am asked for credentials. This also works as expected.
When I return, however, Unity logs the lines below:

2015-06-11 11:20:00,838 [qtp406265225-43] DEBUG unity.server.saml.RedirectRequestHandler - Starting SAML HTTP Redirect binding exchange with IdP https://engine.surfconext.nl/authentication/idp/single-sign-on
2015-06-11 11:20:16,973 [qtp406265225-44] DEBUG unity.server.saml.SamlHttpServlet - Got SAML response using the HTTP POST binding
2015-06-11 11:20:17,233 [qtp406265225-44] WARN unity.server.saml.SAMLRetrievalUI - SAML response verification or processing failed
pl.edu.icm.unity.server.authn.AuthenticationException: The SAML response is either invalid or is issued by an untrusted identity provider.

Looking at the HTTP response, I received the following:

POST https://unity.sara.cloudlet.sara.nl:2443/unitygw/spSAMLResponseConsumer HTTP/1.1
Host: unity.sara.cloudlet.sara.nl:2443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://engine.surfconext.nl/authentication/sp/consume-assertion
Cookie: lastAuthenticationUsed=samlWeb_remoteIdp.1.
Content-Type: application/x-www-form-urlencoded
Content-Length: 7755

HTTP/?.? 302 Found
X-Frame-Options: DENY
Location: https://unity.sara.cloudlet.sara.nl:2443/home/home/
Content-Length: 0

What I am trying to do is to have a user log in in a federated manner, as a test to see if my configuration works. The SAML response lists the requested attributes, so that seems fine. What I can make of the debug info is that the certificate is not trusted. I am not sure which certificate that is. The federated IdP should work with self-signed certificates; this I checked with the service itself. It puzzles me why I also see the DENY for the redirect. Is that because of the untrusted certificate?
This seems likely, and what do I need to do to get a trusted certificate, i.e. which part of the configuration did I not get right?

Many thanks,
Gerben Venekamp

_______________________________________________
Unity-idm-discuss mailing list
Uni...@li...
https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

--
Ahmed Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656
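As an added diagnostic for the "untrusted identity provider" error discussed in this thread (example code written for this page, not Unity's own code): it checks a SAML Response's Issuer against the entityID in the IdP metadata and checks that the certificate carried in the response's signature is one of the signing certificates the metadata publishes, which is the trust relationship the metadataSource and signatureVerificationCertificate settings establish. The entityID and certificate values are constructed placeholders; the script does not verify the XML signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _norm(b64):
    # Strip whitespace so base64 certificate blobs compare byte-for-byte
    return "".join((b64 or "").split())

def trusted_signing_certs(metadata_xml):
    """Return (entityID, set of signing certificates) from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    certs = set()
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            certs.update(_norm(c.text) for c in kd.findall(".//ds:X509Certificate", NS))
    return root.get("entityID"), certs

def diagnose(response_xml, metadata_xml):
    """List the reasons an SP would treat this response as coming from an untrusted IdP."""
    entity_id, certs = trusted_signing_certs(metadata_xml)
    resp = ET.fromstring(response_xml)
    findings = []
    for iss in {e.text.strip() for e in resp.iter("{%s}Issuer" % NS["saml"]) if e.text}:
        if iss != entity_id:
            findings.append("Issuer %r does not match metadata entityID %r" % (iss, entity_id))
    sig_certs = {_norm(c.text) for c in resp.iter("{%s}X509Certificate" % NS["ds"])}
    if not sig_certs:
        findings.append("response carries no signing certificate")
    for c in sig_certs - certs:
        findings.append("signing certificate not published in metadata: %s..." % c[:12])
    return findings

# Constructed sample metadata and response; entityID and certificate are placeholders
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>MIIBplaceholderCERT==</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
  MIIBplaceholderCERT==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""
WRONG_ISSUER = GOOD_RESPONSE.replace("idp.example.org", "idp.other.example")
WRONG_CERT = GOOD_RESPONSE.replace("MIIBplaceholderCERT==", "MIIBunknownCERT==")

if __name__ == "__main__":
    for name, r in [("good", GOOD_RESPONSE), ("issuer", WRONG_ISSUER), ("cert", WRONG_CERT)]:
        print(name, diagnose(r, IDP_METADATA) or ["trusted"])
```

Run it against a real response (the base64-decoded SAMLResponse form field) and the metadata file referenced by metadataSource.surfconext.url to see which of the two trust conditions Unity's check is failing on.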