1 Reply Latest reply on Feb 27, 2014 3:50 PM by qaiser.malik

    SAML SSO - JBWEB000065: HTTP Status 403 - JBWEB000015: Access to the requested resource has been denied

    qaiser.malik

I am trying to configure SAML SSO on JBoss Portal. I am using Dell Identity Provider as the IDM and JBoss Portal 6.1 as the SP. After logging in on the IDM, when the request comes back to JBoss Portal, I am getting this error:

      JBWEB000065: HTTP Status 403 - JBWEB000015: Access to the requested resource has been denied

      And from looking at the log, my understanding is that I am getting this error because useSAMLRoles=false on the JBoss side.

      Is there a way to change this, or to start using the roles coming from my IDP instead of local roles in JBoss Portal?

      I can see this in the log on JBoss Portal:

       

      org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler@1d09ad6]

      16:58:21,122 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Finished Processing handler: org.gatein.sso.agent.saml.PortalSAML2LogOutHandler

      16:58:21,139 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler

      16:58:21,139 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) ID of authentication request ID_da9b0022-ddaa-4c1b-bedd-b22ebcb1094d saved into HTTP session.

      16:58:21,139 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2InResponseToVerificationHandler

      16:58:21,139 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler

      16:58:21,139 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler

      16:58:21,139 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler

      16:58:21,145 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) <HTML><HEAD><TITLE>HTTP Post Binding (Request)</TITLE></HEAD><BODY Onload="document.forms[0].submit()"><FORM METHOD="POST" ACTION="https://abc.com/CloudAccessManager/RPSTS/Saml2/Default.aspx"><INPUT TYPE="HIDDEN" NAME="SAMLRequest" VALUE="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"/></FORM></BODY></HTML>

      16:58:21,146 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000354: Setting security roles ThreadLocal: null

      16:58:29,794 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) SAML Response Document: <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Destination="http://localhost:8080/portal/dologin" ID="_9a31219b-97b8-437b-8bdb-758993119199" InResponseTo="ID_da9b0022-ddaa-4c1b-bedd-b22ebcb1094d" IssueInstant="2014-02-26T22:58:40Z" Version="2.0"><Issuer>urn:camproxy.dmpdev1.com/CloudAccessManager/RPSTS</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#_9a31219b-97b8-437b-8bdb-758993119199"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi"/></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>vjgxFCGMTvoEwnP7OeXotSdpW2E=</DigestValue></Reference></SignedInfo><SignatureValue>sLp8Tvi30+6+Yg+/v5N8e/APHE9GJG1GcHCuClly2zCDv0EiTcC8Q/zn26A+MfRJqK541AopyKPbe+Q05CJf1+iSja+sHYOMWdY4bg8ZpHNC+MpvNXANqF4Sv+hm6IutIafNKzABqry/q1voVKQ7MD0VV6vXSD+hOX7xIDMK+WOBG08Kqkf4z1PUinO2A4XJrABeVWJRzeNObcE2X6lD3xuVogB+fP731TSbiRZcAfP/e4PWOAd68/UBDfYIN8SnNvq1Xi4SzSmyvdAMhnN8a5p0ek19WHxy97myYqMxesNSYUcQU5EasadasdrcUOkiqA/CTAo//bFw+0R70U7Q==</SignatureValue><KeyInfo><X509Data><X509Certificate>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</X509Certificate></X509Data></KeyInfo></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><Assertion ID="_dc245cd2-2e4a-480d-8ae1-046ae937ed6a" IssueInstant="2014-02-26T22:58:40.909Z" Version="2.0" 
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>urn:camproxy.dmpdev1.com/CloudAccessManager/RPSTS</Issuer><Subject><NameID>testuser@abc.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="ID_da9b0022-ddaa-4c1b-bedd-b22ebcb1094d" NotOnOrAfter="2014-02-27T22:58:40.909Z" Recipient="http://localhost:8080/portal/dologin"/></SubjectConfirmation></Subject><Conditions NotBefore="2014-02-25T22:58:40.909Z" NotOnOrAfter="2014-02-27T22:58:40.909Z"><AudienceRestriction><Audience>http://localhost:8080/portal/dologin</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="2014-02-26T22:58:40.909Z" SessionIndex="cc5ef710-34e6-4666-b1aa-9fd30055a020"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>

      16:58:29,800 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Set Attribute Namespace=http://www.w3.org/2000/xmlns/::Qual=:Signature::Value=http://www.w3.org/2000/09/xmldsig#

      16:58:29,801 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Creating an Attribute Namespace=:Algorithm

      16:58:29,801 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Creating an Attribute Namespace=:Algorithm

      16:58:29,801 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Creating an Attribute Namespace=:URI

      16:58:29,801 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Creating an Attribute Namespace=:Algorithm

      16:58:29,801 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Creating an Attribute Namespace=:Algorithm

      16:58:29,801 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Creating an Attribute Namespace=:PrefixList

      16:58:29,801 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Set Attribute Namespace=http://www.w3.org/2000/xmlns/::Qual=:PrefixList::Value=http://www.w3.org/2001/10/xml-exc-c14n#

      16:58:29,801 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Creating an Attribute Namespace=:Algorithm

      16:58:29,813 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Now=2014-02-26T22:58:29.813Z ::notBefore=2014-02-25T22:58:40.909Z ::notOnOrAfter=2014-02-27T22:58:40.909Z

      16:58:29,813 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Successful verification of InResponseTo for request ID_da9b0022-ddaa-4c1b-bedd-b22ebcb1094d

      16:58:29,813 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) No response document found

      16:58:29,813 TRACE [org.picketlink.identity.federation] (http-/127.0.0.1:8080-1) Roles determined for username=testuser@abc.com=[]

      16:58:29,814 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000200: Begin isValid, principal: testuser@abc.com, cache entry: null

      16:58:29,815 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000209: defaultLogin, principal: testuser@abc.com

      16:58:29,816 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000221: Begin getAppConfigurationEntry(gatein-domain), size: 4

      16:58:29,819 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000224: End getAppConfigurationEntry(gatein-domain), AuthInfo: AppConfigurationEntry[]:

      [0]

      LoginModule Class: org.gatein.security.oauth.jaas.OAuthLoginModule

      ControlFlag: LoginModuleControlFlag: required

      Options:

      name=realmName, value=gatein-domain

      name=portalContainerName, value=portal

      [1]

      LoginModule Class: org.gatein.sso.integration.SSODelegateLoginModule

      ControlFlag: LoginModuleControlFlag: required

      Options:

      name=enabled, value=#{gatein.sso.login.module.enabled}

      name=realmName, value=gatein-domain

      name=delegateClassName, value=#{gatein.sso.login.module.class}

      name=portalContainerName, value=portal

      name=password-stacking, value=useFirstPass

      [2]

      LoginModule Class: org.exoplatform.services.security.j2ee.JBossAS7LoginModule

      ControlFlag: LoginModuleControlFlag: required

      Options:

      name=realmName, value=gatein-domain

      name=portalContainerName, value=portal


      16:58:29,822 TRACE [org.gatein.sso.integration.SSOUtils] (http-/127.0.0.1:8080-1) Substituting value from configuration with System properties - input=${gatein.sso.login.module.enabled}, output=true

      16:58:29,822 TRACE [org.gatein.sso.integration.SSOUtils] (http-/127.0.0.1:8080-1) Substituting value from configuration with System properties - input=${gatein.sso.login.module.class}, output=org.gatein.sso.agent.login.SAML2IntegrationLoginModule

      16:58:29,822 DEBUG [org.gatein.sso.integration.SSODelegateLoginModule] (http-/127.0.0.1:8080-1) Class org.gatein.sso.agent.login.SAML2IntegrationLoginModule loaded successfully

      16:58:29,824 TRACE [org.gatein.sso.integration.SSODelegateLoginModule] (http-/127.0.0.1:8080-1) Delegating login module created successfully: org.gatein.sso.agent.login.SAML2IntegrationLoginModule@e89518

      16:58:29,824 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000236: Begin initialize method

      16:58:29,824 TRACE [org.jboss.security.auth.spi.AbstractServerLoginModule] (http-/127.0.0.1:8080-1) Using options: portalContainerName=portal, useSAMLRoles=false

      16:58:29,824 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000240: Begin login method

      16:58:29,829 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000241: End login method, isValid: true

      16:58:29,829 TRACE [org.jboss.security.auth.spi.AbstractServerLoginModule] (http-/127.0.0.1:8080-1) Found user testuser@abc.com in shared state.

      16:58:29,847 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000242: Begin commit method, overall result: true

      16:58:29,849 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000210: defaultLogin, login context: javax.security.auth.login.LoginContext@1fdf3b4, subject: Subject(26931397).principals=org.jboss.security.SimplePrincipal@20272098(testuser@abc.com)org.jboss.security.SimpleGroup@1454231(CallerPrincipal(members:testuser@abc.com))org.exoplatform.services.security.jaas.JAASGroup@13641548(Roles)org.exoplatform.services.security.jaas.UserPrincipal@29618706(testuser@abc.com)

      16:58:29,850 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000207: updateCache, input subject: Subject(26931397).principals=org.jboss.security.SimplePrincipal@20272098(testuser@abc.com)org.jboss.security.SimpleGroup@1454231(CallerPrincipal(members:testuser@abc.com))org.exoplatform.services.security.jaas.JAASGroup@13641548(Roles)org.exoplatform.services.security.jaas.UserPrincipal@29618706(testuser@abc.com, cached subject: Subject(25474237).principals=org.jboss.security.SimplePrincipal@20272098(testuser@abc.com)org.jboss.security.SimpleGroup@1454231(CallerPrincipal(members:testuser@abc.com))org.exoplatform.services.security.jaas.JAASGroup@13641548(Roles)org.exoplatform.services.security.jaas.UserPrincipal@29618706(testuser@abc.com)

      16:58:29,850 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000208: Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@474151

      16:58:29,850 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000201: End isValid, result = true

      16:58:29,862 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000354: Setting security roles ThreadLocal: null

      17:42:50,469 TRACE [org.gatein.sso.saml.plugin.listener.IDPHttpSessionListener] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Portal is not acting as SAML2 IDP. Ignore this listener

      17:42:50,473 TRACE [org.jboss.security] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) PBOX000203: Flushing testuser@abc.com from security cache

      17:42:50,474 TRACE [org.jboss.security] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) PBOX000243: Begin logout method

      I did create a user in JBoss Portal by registering the user with username: testuser, and this user has privileges to see the portal's content.

      Thanks
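A worked example added by the editor; it is not code from the original post, from GateIn or from PicketLink. It reproduces, in plain Python, the SP-side checks the TRACE lines above show PicketLink performing on the Response (InResponseTo against the saved request ID, the NotBefore/NotOnOrAfter window, Recipient and Audience) and the role extraction that ended in "Roles determined for username=testuser@abc.com=[]". One fact worth noticing in the log is that the Response carries no AttributeStatement at all, so any SP that derives roles from assertion attributes will end up with an empty role list regardless of how the login module is configured. The Response embedded below is the one from the log with the Signature element removed, because XML-Signature verification is out of scope here and must succeed before any of these checks may be trusted; the second variant adds a constructed AttributeStatement, and the attribute name "Role" is an assumption for the example (check which attribute key your IdP emits and your SP handler is configured to read).

```python
"""Hypothetical SP-side validation of a SAML 2.0 Response (stdlib only).

Added example: shows the checks an SP performs before trusting an assertion
and how roles are read from an AttributeStatement.  It does NOT verify the
XML signature; do that first, on the raw bytes, before calling this.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id, acs_url, sp_entity_id, now,
                      role_attr="Role"):
    """Return (ok, problems, name_id, roles) for one Response document."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, ["not a samlp:Response"], None, []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status not Success")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("Response InResponseTo mismatch")          # replay / unsolicited
    if root.get("Destination") not in (None, acs_url):
        problems.append("Destination mismatch")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append("expected exactly one Assertion, found %d" % len(assertions))
        return False, problems, None, []
    assertion = assertions[0]
    name_id = assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("InResponseTo") != expected_request_id:
            problems.append("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient mismatch")
        if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and sp_entity_id not in audiences:
            problems.append("audience mismatch")
    # Roles come only from an AttributeStatement; no statement means no roles.
    roles = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == role_attr:
            roles.extend(v.text for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return not problems, problems, name_id, roles


# The Response from the log above, Signature element removed; %s marks where an
# AttributeStatement would sit inside the Assertion.
RESPONSE_TEMPLATE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Destination="http://localhost:8080/portal/dologin" ID="_9a31219b-97b8-437b-8bdb-758993119199" '
    'InResponseTo="ID_da9b0022-ddaa-4c1b-bedd-b22ebcb1094d" IssueInstant="2014-02-26T22:58:40Z" Version="2.0">'
    '<Issuer>urn:camproxy.dmpdev1.com/CloudAccessManager/RPSTS</Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<Assertion ID="_dc245cd2-2e4a-480d-8ae1-046ae937ed6a" IssueInstant="2014-02-26T22:58:40.909Z" Version="2.0">'
    '<Issuer>urn:camproxy.dmpdev1.com/CloudAccessManager/RPSTS</Issuer>'
    '<Subject><NameID>testuser@abc.com</NameID>'
    '<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<SubjectConfirmationData InResponseTo="ID_da9b0022-ddaa-4c1b-bedd-b22ebcb1094d" '
    'NotOnOrAfter="2014-02-27T22:58:40.909Z" Recipient="http://localhost:8080/portal/dologin"/>'
    '</SubjectConfirmation></Subject>'
    '<Conditions NotBefore="2014-02-25T22:58:40.909Z" NotOnOrAfter="2014-02-27T22:58:40.909Z">'
    '<AudienceRestriction><Audience>http://localhost:8080/portal/dologin</Audience></AudienceRestriction>'
    '</Conditions>'
    '<AuthnStatement AuthnInstant="2014-02-26T22:58:40.909Z" SessionIndex="cc5ef710-34e6-4666-b1aa-9fd30055a020">'
    '<AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext>'
    '</AuthnStatement>%s</Assertion></samlp:Response>'
)
# Constructed: what the IdP would have to add for role-based access to work.
ROLE_STATEMENT = ('<AttributeStatement><Attribute Name="Role">'
                  '<AttributeValue>users</AttributeValue><AttributeValue>members</AttributeValue>'
                  '</Attribute></AttributeStatement>')

REQUEST_ID = "ID_da9b0022-ddaa-4c1b-bedd-b22ebcb1094d"   # the request ID saved in the session
ACS_URL = "http://localhost:8080/portal/dologin"          # also used as Audience in this deployment
LOGGED_NOW = _ts("2014-02-26T22:58:29.813Z")             # the "Now=" value the SP logged


def demo():
    """Validate the logged Response as-is and with a constructed Role attribute."""
    as_logged = validate_response(RESPONSE_TEMPLATE % "", REQUEST_ID, ACS_URL, ACS_URL, LOGGED_NOW)
    with_roles = validate_response(RESPONSE_TEMPLATE % ROLE_STATEMENT, REQUEST_ID, ACS_URL, ACS_URL, LOGGED_NOW)
    return as_logged, with_roles


if __name__ == "__main__":
    for label, result in zip(("as logged", "with Role attribute"), demo()):
        print(label, "->", result)
```

The first result reproduces the log: every check passes and the role list is empty. The second shows that roles only appear once the IdP actually asserts them, which is the half of the problem that no SP-side option can fix on its own.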