SAML SSO - JBP is not loading the keystore and cert given by the IDP (imported in the keystore)
qaiser.malik Feb 20, 2014 3:33 PM
I am trying to configure JBoss portal 6.1 (which includes GateIn) to implement SAML 2.0 SSO using our own IDP. I am planning to use JBP as SP. After doing all the configuration as mentioned here (SAML2 - GateIn Portal 3.7 - Project Documentation Editor), the JBoss portal is not loading my custom keystore. As a result, the IDP is throwing an error that the portal is not trusted. I am using Dell One Identity Cloud Access Manager as IDP.
I did create my own keystore and imported the cert given by the IDP with alias "emmportal". The content of /jboss-jpp-6.1.0/jboss-jpp-6.1/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-sp.xml is below:
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0"
                ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true" LogOutPage="/">
    <IdentityURL>https://abc.com/CloudAccessManager/RPSTS/Saml2/Default.aspx</IdentityURL>
    <ServiceURL>${gatein.sso.sp.url}</ServiceURL>
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/sso/saml/secure-keystore.jks"/>
      <Auth Key="KeyStorePass" Value="Abc1234"/>
      <Auth Key="SigningKeyPass" Value="Abc1234"/>
      <Auth Key="SigningKeyAlias" Value="secure-key"/>
      <ValidatingAlias Key="*.abc.com" Value="emmportal"/>
    </KeyProvider>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.gatein.sso.agent.saml.PortalSAML2LogOutHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2InResponseToVerificationHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler"/>
  </Handlers>
</PicketLink>
The SSO setting in /jboss-jpp-6.1.0/jboss-jpp-6.1/standalone/configuration/gatein/configuration.properties file is:
# SSO
gatein.sso.enabled=true
gatein.sso.callback.enabled=${gatein.sso.enabled}
gatein.sso.login.module.enabled=${gatein.sso.enabled}
gatein.sso.login.module.class=org.gatein.sso.agent.login.SAML2IntegrationLoginModule
gatein.sso.filter.login.sso.url=/@@portal.container.name@@/dologin
gatein.sso.filter.logout.enabled=true
gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.SAML2LogoutFilter
gatein.sso.filter.initiatelogin.enabled=false
gatein.sso.valve.enabled=true
gatein.sso.valve.class=org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator
gatein.sso.saml.config.file=/WEB-INF/conf/sso/saml/picketlink-sp.xml
gatein.sso.idp.host=abc.com
gatein.sso.idp.url=https://abc.com/CloudAccessManager/RPSTS/Saml2/Default.aspx
gatein.sso.sp.url=http://localhost:8080/portal/dologin
# WARNING: This bundled keystore is only for testing purposes. You should generate and use your own keystore!
gatein.sso.picketlink.keystore=/sso/saml/secure-keystore.jks
The error I am getting from IDP is "The application (http://localhost:8080/portal/dologin) is not trusted by Cloud Access Manager".
I used SAML tracer to see the SAML request, and it looks like there is no cert going in the SAML request, as you can see in the SAML request below:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                    AssertionConsumerServiceURL="http://localhost:8080/portal/dologin"
                    Destination="https://abc.com/CloudAccessManager/RPSTS/Saml2/Default.aspx"
                    ID="ID_c0fb8ab6-5e61-48a1-b035-f785f0863946"
                    IssueInstant="2014-02-19T17:00:58.393Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/portal/dologin</saml:Issuer>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <dsig:Reference URI="#ID_c0fb8ab6-5e61-48a1-b035-f785f0863946">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <dsig:DigestValue>DMnc7UdOFkTMiBokTS6toGaAKFc=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>c2PlJjfnG82B1TGx2Ar6zj8pOc/baPEMQB5Tq7Hm4k2DKMbMzn6Ns90/VueHQC3Qrjv3NF2EDeNKlwerrQA4cU4RS5/c8oK8nm2fM1uEkqHNP68fvWKl9/Cy1bfsW4ZEHs4fr0r7U=</dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:KeyValue>
        <dsig:RSAKeyValue>
          <dsig:Modulus>laYRz9BnOnUTuDNCbKJbHtPJGIjMoedyrXIUWymvmMxgsdmNu715LchGvqffaWRRkOn4pgNEOvVKXAzbdKQtS2IHe9Ex8mvmMasddqqQjMkeadhHVOOd14tSkNx3ztrves+7DjHs95WKHv0poqmD/m6mCMvnzuzJumUtR8=</dsig:Modulus>
          <dsig:Exponent>AQAB</dsig:Exponent>
        </dsig:RSAKeyValue>
      </dsig:KeyValue>
    </dsig:KeyInfo>
  </dsig:Signature>
  <samlp:NameIDPolicy AllowCreate="true"
                      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</samlp:AuthnRequest>
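A small diagnostic for an AuthnRequest like the one captured above, added here as an example and not code from the original post, GateIn or PicketLink: it parses the request with the standard library and reports whether the SP signed it, whether KeyInfo carries an X509Certificate or only a bare RSAKeyValue (the case in the capture, which is why the IdP cannot match the request to the certificate it was given), the signing key size, the signature algorithm, and whether the Issuer matches the entity ID the IdP is assumed to have registered. The sample request, the IdP URL and the expected issuer are constructed values.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample shaped like the request in the post: the modulus is a dummy 2048-bit
# value and SignatureValue is a placeholder, not a real signature.
DUMMY_MODULUS = base64.b64encode(b"\x80" + b"\x00" * 255).decode()
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  AssertionConsumerServiceURL="http://localhost:8080/portal/dologin"
  Destination="https://idp.example.test/Saml2/Default.aspx" ID="ID_constructed_0001"
  IssueInstant="2014-02-19T17:00:58Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/portal/dologin</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
      <ds:Modulus>{DUMMY_MODULUS}</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
    </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>"""


def inspect_authn_request(xml_text, expected_issuer):
    """Return what the SP put on the wire plus a list of points to check against the IdP."""
    root = ET.fromstring(xml_text)
    sig = root.find("ds:Signature", NS)
    report = {"issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
              "acs_url": root.get("AssertionConsumerServiceURL", ""),
              "signed": sig is not None, "signature_method": None,
              "x509_cert_present": False, "rsa_key_bits": None, "findings": []}
    if report["issuer"] != expected_issuer:
        report["findings"].append(f"Issuer {report['issuer']!r} is not the entity ID registered at the IdP")
    if sig is None:
        report["findings"].append("request is unsigned: check SupportsSignatures and the signature handler")
        return report
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    report["signature_method"] = method.get("Algorithm") if method is not None else None
    if report["signature_method"] and report["signature_method"].endswith("rsa-sha1"):
        report["findings"].append("rsa-sha1 signature: prefer rsa-sha256 where the IdP supports it")
    # An X509Certificate lets the IdP match the request to the SP certificate it imported; a bare
    # RSAKeyValue carries only the modulus, so the IdP has to trust the SP by Issuer alone.
    report["x509_cert_present"] = sig.find("ds:KeyInfo//ds:X509Certificate", NS) is not None
    modulus = sig.findtext("ds:KeyInfo//ds:RSAKeyValue/ds:Modulus", default=None, namespaces=NS)
    if modulus:
        report["rsa_key_bits"] = int.from_bytes(base64.b64decode(modulus), "big").bit_length()
    if not report["x509_cert_present"]:
        report["findings"].append("KeyInfo has no X509Certificate, only a raw key value: "
                                  "the IdP cannot recognise the SP by certificate")
    return report
```

Run it against a request pasted from SAML tracer with the entity ID the IdP has on file; the findings list is what to compare with the IdP's SP registration (trusted issuer, certificate, ACS URL).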