I am trying to connect and log in to the testShib IDP using this SP mock. The problem is that when I try to log in without the option to sign the authnRequest, I am able to log in, but I get an error upon redirect.
Caused by: java.security.InvalidKeyException: Unwrapping failed
at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:445)
at javax.crypto.Cipher.unwrap(Cipher.java:2549)
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1477)
... 70 common frames omitted
Caused by: javax.crypto.BadPaddingException: Decryption error
at sun.security.rsa.RSAPadding.unpadOAEP(RSAPadding.java:502)
at sun.security.rsa.RSAPadding.unpad(RSAPadding.java:296)
at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:363)
at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:440)
... 72 common frames omitted
DEBUG o.opensaml.xml.encryption.Decrypter - Attempt to decrypt EncryptedKey using credential from KEK KeyInfo resolver failed:
org.opensaml.xml.encryption.DecryptionException: Error decrypting encrypted key
ERROR o.o.saml2.encryption.Decrypter - SAML Decrypter encountered an error decrypting element content
org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData
If I try it with the option to sign the authnRequest, I get an error in the IdP:
WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:406] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
What am I doing wrong? I am new to SAML, so I am not very familiar with this.
Related
Has anybody already used the GCP CredentialsControllerService and the PublishGCPubSubLite processor from Apache NiFi?
I'm getting errors and have not found a concrete solution to publish messages on Pub/Sub Lite.
Note: GCP json keys are correct.
Caused by: com.google.api.gax.rpc.UnauthenticatedException: io.grpc.StatusRuntimeException: UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
@Yunnosch, yeah, the solution I got is: adding a user_authorized key, which contains the refresh token, makes the connection between NiFi and Pub/Sub Lite.
"type": "authorized_user"
I am trying to integrate a Shibboleth IDP V3.4.1 with my SP, which is a server called ClearPass. I am using the Linux platform of the Shibboleth IDP. I configured relyingparty.xml, attribute-filter.xml, attribute-resolver.xml and ldap.properties, and also uploaded the metadata to /metadata/sp-metadata.xml, also updating the metadata-providers.
I am trying to use the password authentication flow with LDAP; however, the issue is that I never get the login page when I initiate the SAML transaction from my SP. I get an error saying "Web Login Service - Stale Request". I have attached the screenshot of the error.
I attempt to do a resolver test using the
http://shib.nslab.com:8080/idp/profile/admin/resolvertest?requester=https://chandracppm.nslab.com/networkservices/saml2/sp&principal=chandu
{
  "requester": "https://chandracppm.nslab.com/networkservices/saml2/sp",
  "principal": "chandu",
  "attributes": [
    {
      "name": "sAMAccountName",
      "values": ["chandu"]
    }
  ]
}
and I get the attributes from AD in return, which shows the connection to AD is working.
However the authentication page does not appear from the IDP when I try to access the resource in my SP, I only get the Stale request Error.
The error that I see in the logs/idp-process.log is as follows
2018-12-10 19:26:08,222 - 10.23.20.81 - ERROR [org.opensaml.profile.action.impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request
org.opensaml.messaging.decoder.MessageDecodingException: Shibboleth Authentication Request message did not contain the providerId query parameter.
at net.shibboleth.idp.saml.profile.impl.BaseIdPInitiatedSSORequestMessageDecoder.getEntityId(BaseIdPInitiatedSSORequestMessageDecoder.java:128)
2018-12-10 19:26:08,223 - 10.23.20.81 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: UnableToDecode
2018-12-10 19:26:08,224 - 10.23.20.81 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:143] - No SAMLBindingContext or binding URI available, error must be handled locally
I am new to setting up Shibboleth IDP, not sure what I am missing.
Any inputs would be appreciated
Shibboleth fails to decode the message. This behavior is seen if the AuthnReq is sent to the POST endpoint instead of the Redirect endpoint, or vice versa, or if either endpoint is not configured properly. In the UI, the error you will notice for this is "StaleRequest". I got a similar error in the idp-process.log file: "org.opensaml.messaging.decoder.MessageDecodingException: This message decoder only supports the HTTP GET method". The issue pertains to incorrect or misconfigured endpoints.
I was able to get this working by installing an IDP docker image from here
https://docs.google.com/document/d/1qb5XTde1nulCdA_8QUei48CxDj0lQs7ShD622Ze_4II/edit
The authentication flow is working now
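An added example, not part of the original posts: a pre-flight check for the endpoint/binding mismatch described in the answer above, comparing the binding and destination URL an SP is configured to use against the SingleSignOnService entries in the IdP metadata. The host idp.example.org, the metadata fragment and the function names are constructed for illustration; the check also covers two cases beyond POST versus Redirect (a non-SAML2 endpoint and an unlisted URL).

```python
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SAML2_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed IdP metadata fragment; host and paths are illustrative.
IDP_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def sso_endpoints(metadata_xml):
    """Return {Location: Binding} for every SingleSignOnService in the metadata."""
    # For metadata fetched from an untrusted source, use a hardened XML parser.
    root = ET.fromstring(metadata_xml)
    return {e.get("Location"): e.get("Binding")
            for e in root.iter(MD_NS + "SingleSignOnService")}


def check_sp_request(metadata_xml, sp_binding, sp_destination):
    """Compare the binding/URL the SP is configured to use with the IdP metadata."""
    advertised = sso_endpoints(metadata_xml).get(sp_destination)
    if advertised is None:
        return "unknown-endpoint: destination is not a SingleSignOnService in the metadata"
    if advertised == sp_binding:
        return "ok"
    if not advertised.startswith(SAML2_PREFIX):
        # e.g. the legacy Shibboleth endpoint, which expects query parameters
        return ("wrong-protocol: destination is a non-SAML2 endpoint (%s); "
                "a SAML 2.0 AuthnRequest cannot be decoded there" % advertised)
    return "binding-mismatch: endpoint expects %s, SP sends %s" % (
        advertised.rsplit(":", 1)[1], sp_binding.rsplit(":", 1)[1])
```

Run it against the real IdP metadata and the SP's configured SSO URL before debugging the IdP itself; anything other than "ok" points at the SP-side endpoint configuration.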
I have configured the OAuth2 authorization server and resource server using spring-cloud-starter-oauth2. The authorization server uses JdbcTokenStore to persist the token (I still have the "Failed to find refresh token for token xxxx" message which seems to be a bug). However, the thing that I wish to resolve here is:
I am able to request for a new token and use it to fetch data from the resource server. However, once the token expires, I cannot refresh the token using the given refresh token.
Using curl:
curl -XPOST foo:secret@localhost:9009/myauthserver/oauth/token -d grant_type=refresh_token -d refresh_token=4187f090-a355-4613-bc17-2e4565ffdc0b
will return:
{"error":"server_error","error_description":"The given id must not be null!; nested exception is java.lang.IllegalArgumentException: The given id must not be null!"}
At the backend, the error is:
2017-02-20 15:47:31.058 WARN 11152 --- [nio-9009-exec-9]
.m.m.a.ExceptionHandlerExceptionResolver : Resolved exception caused
by Handler execution:
org.springframework.dao.InvalidDataAccessApiUsageException: The given
id must not be null!; nested exception is
java.lang.IllegalArgumentException: The given id must not be null!
The interesting thing is if I give an invalid token, it actually returns
{"error":"invalid_grant","error_description":"Invalid refresh token: 4187f090-a355-4613-bc17-2e4565ffdcee"}
I've downloaded the code from Spring's Get Started Guide - Accessing Twitter Data (https://spring.io/guides/gs/accessing-twitter/).
I set up my credentials in application.properties and made no other changes. I run the app, and when it attempts to connect to Twitter, it fails with an exception on ConnectController line 240:
ResourceAccessException:
org.springframework.web.client.ResourceAccessException: I/O error on
POST request for "https://api.twitter.com/oauth/request_token":cannot
retry due to server authentication, in streaming mode; nested
exception is java.net.HttpRetryException: cannot retry due to server
authentication, in streaming mode
I have checked that the credentials are being read by the app. They are valid - I use them to connect with another application I've written with twitter4j, although in that case I use a Token and Token Secret in addition to the Consumer Key and Consumer Secret.
Any ideas?
Thanks
I had exactly the same issue as you: it happened because I did not set my callback URL in the Twitter settings.
Just check in your Twitter app settings that the callback field is set (I used the same URL as the website field).
I am implementing a Shibboleth IDP and SP. I have installed them on my machine and tested them with testshib.org; both (IDP & SP) are working fine.
I am trying to use my own IDP with my SP.
Once I access the protected resource, the SP redirects to the IDP login page correctly. After authentication is successful, it is redirected to the SP with the SAML encrypted response (with the servlet status code 500), which shows the following error:
"opensaml::FatalProfileException at (https://myip.address/Shibboleth.sso/SAML2/POST)
A valid authentication statement was not found in the incoming message."
I checked the native log which shows the following message.
"2013-08-29 20:22:36 ERROR Shibboleth.Listener [28868] shib_handler: remoted message returned an error: A valid authentication statement was not found in the incoming message.
2013-08-29 20:22:36 ERROR Shibboleth.Apache [28868] shib_handler: A valid authentication statement was not found in the incoming message."
How can I rectify this problem?
What do the IdP logs show for the corresponding authentication attempt? You may need to elevate the log levels to DEBUG for IdP, OpenSAML and/or LDAP (conf/logging.xml) to get sufficiently descriptive results.