From: Gerben V. <ger...@su...> - 2015-06-12 10:18:29

Running the latest version of Unity, 1.6.0, I tried to configure it with the metadataSource; however, this gives me the following warning:

2015-06-12 11:44:30,376 [pool-1-thread-1] DEBUG unity.server.saml.MetaDownloadManager - Downloading metadata from https://engine.surfconext.nl/authentication/idp/metadata to /var/lib/unity-idm/workspace/downloadedMetadata/75681424e34ca7710fa9a3bf0b398bd2_part
2015-06-12 11:44:31,454 [pool-1-thread-1] DEBUG unity.server.saml.MetaDownloadManager - Downloaded metadata from https://engine.surfconext.nl/authentication/idp/metadata to final file /var/lib/unity-idm/workspace/downloadedMetadata/75681424e34ca7710fa9a3bf0b398bd2
2015-06-12 11:44:31,495 [pool-1-thread-1] WARN unity.server.saml.RemoteMetaManager - Metadata from https://engine.surfconext.nl/authentication/idp/metadata was downloaded, but can not be parsed
org.apache.xmlbeans.XmlException: Element EntityDescriptor@urn:oasis:names:tc:SAML:2.0:metadata is not a valid EntitiesDescriptor@urn:oasis:names:tc:SAML:2.0:metadata document or a valid substitution.

I have encountered it in version 1.5.0 as well and decided to use manual configuration instead:

unity.saml.requester.remoteIdp.1.name=SURFconext IdP
unity.saml.requester.remoteIdp.1.address=https://engine.surfconext.nl/authentication/idp/single-sign-on
unity.saml.requester.remoteIdp.1.samlId=https://engine.surfconext.nl/authentication/idp/single-sign-on
unity.saml.requester.remoteIdp.1.certificate=SURFconext
unity.saml.requester.remoteIdp.1.groupMembershipAttribute=urn:oid:1.3.6.1.4.1.5923.1.1.1.1
unity.saml.requester.remoteIdp.1.requestedNameFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
unity.saml.requester.remoteIdp.1.translationProfile=SURFconext

Regards,
Gerben

> On 11 Jun 2015, at 16:22, Shiraz Memon <a....@fz...> wrote:
>
> Hi Gerben,
>
> I would like to know which Unity version you are running and what the SURFConext remote IdP configuration inside the remoteSamlAuth.properties is.
>
> A tip: use the metadataSource style of configuration:
>
> unity.saml.requester.metadataSource.surfconext.url=https://url_to_your_idp_metadata_file
> unity.saml.requester.metadataSource.surfconext.perMetadataTranslationProfile=some_InputAttributeTranslationProfile (optional)
> unity.saml.requester.metadataSource.surfconext.perMetadataRegistrationForm=some_RegistrationForm (optional)
>
> Set the following property in the log4j.properties file to see more detailed SAML-specific exchanges:
> log4j.logger.unity.server.saml=DEBUG
>
> Furthermore, you may enable signature verification by:
>
> unity.saml.requester.metadataSource.surfconext.signatureVerification=require
> unity.saml.requester.metadataSource.surfconext.signatureVerificationCertificate=SURFCONEXT_IDP_CERTIFICATE (should be defined in the conf/pki.properties file)
>
> Finally, refresh the authenticators and endpoints.
>
> Cheers,
> Shiraz
>
>
> On Thu, Jun 11, 2015 at 11:50 AM, Gerben Venekamp <ger...@su...> wrote:
> Dear all,
>
> I am having difficulties in setting up Unity for federated access. What I have done thus far is make use of an external SAML IdP, which provides federated authentication. The external IdP is SURFconext. My configuration seems to be working in so far that I am able to see and use the WAYF page. This is still within a test environment. After having selected an IdP from the WAYF page, I am asked for credentials. This also works as expected. When I return, however, Unity logs the below lines:
>
> 2015-06-11 11:20:00,838 [qtp406265225-43] DEBUG unity.server.saml.RedirectRequestHandler - Starting SAML HTTP Redirect binding exchange with IdPhttps://engine.surfconext.nl/authentication/idp/single-sign-on
> 2015-06-11 11:20:16,973 [qtp406265225-44] DEBUG unity.server.saml.SamlHttpServlet - Got SAML response using the HTTP POST binding
> 2015-06-11 11:20:17,233 [qtp406265225-44] WARN unity.server.saml.SAMLRetrievalUI - SAML response verification or processing failed
> pl.edu.icm.unity.server.authn.AuthenticationException: The SAML response is either invalid or is issued by an untrusted identity provider.
>
> Looking at the HTTP response, I received the following:
>
> POST https://unity.sara.cloudlet.sara.nl:2443/unitygw/spSAMLResponseConsumer HTTP/1.1
> Host: unity.sara.cloudlet.sara.nl:2443
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: https://engine.surfconext.nl/authentication/sp/consume-assertion
> Cookie: lastAuthenticationUsed=samlWeb_remoteIdp.1.
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 7755
>
> HTTP/?.? 302 Found
> X-Frame-Options: DENY
> Location: https://unity.sara.cloudlet.sara.nl:2443/home/home/
> Content-Length: 0
>
> What I am trying to do is to have a user log in in a federated manner as a test to see if my configuration works. The SAML response lists the requested attributes, so that seems fine.
>
> What I can make of the debug info is that the certificate is not trusted. I am not sure which certificate that is. The federated IdP should work with self-signed certificates; this I checked with the service itself. It puzzles me why I also see the DENY for the redirect. Is that based on the fact of the untrusted certificate? This seems likely, and what do I need to do to get a trusted certificate, i.e. what part of the configuration did I not get right?
>
> Many thanks,
> Gerben Venekamp
>
> --
> Ahmed Shiraz Memon
> Federated Systems and Data
> Jülich Supercomputing Centre (JSC)
>
> Phone: +49 2461 61 6899
> Fax: +49 2461 61 6656
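The two problems in the thread, a metadata document whose root is a single EntityDescriptor where the consumer expects an EntitiesDescriptor, and not knowing which IdP signing certificate to trust, can both be checked before touching the Unity configuration. The script below is an added example for this page, not code from the thread or from Unity: it classifies the root element, wraps a lone EntityDescriptor in an EntitiesDescriptor for consumers that insist on the aggregate form, and lists each IdP's entityID, SingleSignOnService endpoints and the SHA-256 fingerprints of its signing certificates, so the certificate placed in pki.properties can be matched against the metadata. The embedded metadata, the entityID and the certificate bytes are constructed placeholders, not SURFconext's real metadata.

```python
"""Inspect SAML 2.0 IdP metadata the way an SP's metadata loader would.

Added editorial example (not Unity or SURFconext code); standard library only.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed stand-in for DER certificate bytes; real metadata carries a real X.509 cert.
SAMPLE_CERT_BYTES = b"constructed: not a real certificate"

# Constructed metadata with a lone EntityDescriptor at the root, the shape that
# triggers "EntityDescriptor ... is not a valid EntitiesDescriptor document".
# Entity ID and endpoint URL are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
                     entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_BYTES).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def root_kind(xml_text):
    """Return the root element's local name: 'EntityDescriptor' or 'EntitiesDescriptor'."""
    return local_name(ET.fromstring(xml_text).tag)


def wrap_in_entities_descriptor(xml_text):
    """Wrap a lone EntityDescriptor in an EntitiesDescriptor; aggregates pass through unchanged."""
    root = ET.fromstring(xml_text)
    if local_name(root.tag) == "EntitiesDescriptor":
        return xml_text
    aggregate = ET.Element(f"{{{MD}}}EntitiesDescriptor")
    aggregate.append(root)
    return ET.tostring(aggregate, encoding="unicode")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def list_idps(xml_text):
    """Summarise every IdP in the document (root or aggregate) for a trust review."""
    root = ET.fromstring(xml_text)
    idps = []
    # iter() visits the root itself, so a lone EntityDescriptor is found too.
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # an SP-only entity; nothing to trust for authentication
        fingerprints = []
        for kd in idp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without 'use' serves both signing and encryption.
            if kd.get("use") == "encryption":
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                fingerprints.append(sha256_hex(der))
        sso = {s.get("Binding"): s.get("Location")
               for s in idp.findall("md:SingleSignOnService", NS)}
        nameid_formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
        idps.append({"entityID": ed.get("entityID"), "sso": sso,
                     "nameid_formats": nameid_formats,
                     "signing_cert_sha256": fingerprints})
    return idps


if __name__ == "__main__":
    print("root element:", root_kind(SAMPLE_METADATA))
    wrapped = wrap_in_entities_descriptor(SAMPLE_METADATA)
    print("after wrapping:", root_kind(wrapped))
    for idp in list_idps(wrapped):
        print(idp["entityID"], idp["sso"], idp["signing_cert_sha256"])
```

Wrapping re-serialises the document, so if the consumer is configured with `signatureVerification=require` it should verify the signature on the bytes it downloaded, not on the wrapped copy; the wrapping is only a workaround for a loader that rejects the single-entity form outright. The fingerprints printed for the `use="signing"` certificates are the ones to compare with the certificate configured under the `certificate` or `signatureVerificationCertificate` key, which is the check that resolves "which certificate is not trusted".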