From: Krzysztof B. <go...@ic...> - 2015-06-12 09:00:02
Dear Gerben,

On 11.06.2015 at 11:50, Gerben Venekamp wrote:
> Dear all,
>
> I am having difficulties in setting up Unity for federated access. What I have done thus far is make use of an external SAML IdP, which provides federated authentication. The external IdP is SURFconext. My configuration seems to be working in so far that I am able to see and use the WAYF page. This is still within a test environment. After having selected an IdP from the WAYF page, I am asked for credentials. This also works as expected. When I return, however, Unity logs the below lines:
>
> 2015-06-11 11:20:00,838 [qtp406265225-43] DEBUG unity.server.saml.RedirectRequestHandler - Starting SAML HTTP Redirect binding exchange with IdP https://engine.surfconext.nl/authentication/idp/single-sign-on
> 2015-06-11 11:20:16,973 [qtp406265225-44] DEBUG unity.server.saml.SamlHttpServlet - Got SAML response using the HTTP POST binding
> 2015-06-11 11:20:17,233 [qtp406265225-44] WARN unity.server.saml.SAMLRetrievalUI - SAML response verification or processing failed
> pl.edu.icm.unity.server.authn.AuthenticationException: The SAML response is either invalid or is issued by an untrusted identity provider.
>
> Looking at the HTTP response, I received the following:
>
> POST https://unity.sara.cloudlet.sara.nl:2443/unitygw/spSAMLResponseConsumer HTTP/1.1
> Host: unity.sara.cloudlet.sara.nl:2443
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: https://engine.surfconext.nl/authentication/sp/consume-assertion
> Cookie: lastAuthenticationUsed=samlWeb_remoteIdp.1.
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 7755
>
> HTTP/?.? 302 Found
> X-Frame-Options: DENY
> Location: https://unity.sara.cloudlet.sara.nl:2443/home/home/
> Content-Length: 0
>
> What I am trying to do is to have a user log in in a federated manner as a test to see if my configuration works. The SAML response lists the requested attributes, so that seems fine.
>
> What I can make of the debug info is that the certificate is not trusted. I am not sure which certificate that is. The federated IdP should work with self-signed certificates; this I checked with the service itself. It puzzles me why I also see the DENY for the redirect. Is that based on the fact of the untrusted certificate? This seems likely, and what do I need to do to get a trusted certificate, i.e. what part of the configuration did I not get right?

To debug in more detail, the Shiraz suggestion, log4j.logger.unity.server.saml=DEBUG, is what you need to do. Or even set it to TRACE; then you will see everything that goes on the wire.

Furthermore, with the lines of the stack trace, which should be in your log file just below what you have pasted, it should be possible to give some hints even now.

In general there are tons of possibilities why verification fails; most probably it is a configuration problem. So your *remote saml authenticator settings* are relevant. Maybe it is the certificate of the surfconext service that is not trusted, as you guess.

Regarding the 'DENY' in *X-Frame-Options*: DENY, it is a security measure to prevent clickjacking attacks, nothing related.

Best,
Krzysztof
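Since the three log lines are all there is to go on until the stack trace is posted, here is an added triage script (an illustration written for this thread, not code from the thread or from Unity) that parses Unity log lines in the format quoted above and ties each "verification or processing failed" warning to the IdP the preceding redirect went to and to how long after the POSTed response it was raised. The sample lines are constructed from the ones in the mail, and the log layout and the logger/message strings are assumed from them.

```python
import re
from datetime import datetime

# Constructed sample in the format of the Unity log lines quoted in the thread
# (the IdP URL that the mail client wrapped is joined back onto one line).
SAMPLE_LOG = """\
2015-06-11 11:20:00,838 [qtp406265225-43] DEBUG unity.server.saml.RedirectRequestHandler - Starting SAML HTTP Redirect binding exchange with IdP https://engine.surfconext.nl/authentication/idp/single-sign-on
2015-06-11 11:20:16,973 [qtp406265225-44] DEBUG unity.server.saml.SamlHttpServlet - Got SAML response using the HTTP POST binding
2015-06-11 11:20:17,233 [qtp406265225-44] WARN unity.server.saml.SAMLRetrievalUI - SAML response verification or processing failed
"""

# "timestamp [thread] LEVEL logger - message": the layout assumed for Unity's log4j pattern
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)
IDP_RE = re.compile(r"exchange with IdP (?P<idp>\S+)")

def parse_line(line):
    """Split one log line into fields; None for non-record lines such as
    stack-trace continuations (e.g. the AuthenticationException line)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return rec

def find_failed_logins(log_text):
    """One record per 'verification or processing failed' warning, joined to
    the IdP of the most recent outgoing redirect and to the arrival time of
    the POSTed response.  The outgoing and incoming legs run on different
    threads (qtp...-43 vs -44 above), so the join is by order, not thread."""
    last_idp, last_response_ts, failures = None, None, []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        idp = IDP_RE.search(rec["msg"])
        if idp:
            last_idp = idp.group("idp")
        elif rec["msg"].startswith("Got SAML response"):
            last_response_ts = rec["ts"]
        elif "verification or processing failed" in rec["msg"]:
            delay = (rec["ts"] - last_response_ts).total_seconds() if last_response_ts else None
            failures.append({"when": rec["ts"], "thread": rec["thread"],
                             "idp": last_idp, "seconds_after_response": delay})
    return failures
```

Run it over the full log once TRACE is on and the same join will show whether the rejected responses all come from the one IdP URL, which is the first thing to compare against the remote SAML authenticator settings.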