2 Replies Latest reply on Feb 19, 2014 4:44 PM by Qaiser Malik

    SAML SSO - JBP is not loading the keystore and cert given by the IDP (imported in the keystore)

    Qaiser Malik Newbie

      I am trying to configure JBoss Portal 6.1 (which includes GateIn) to implement SAML 2.0 SSO using our own IDP. I am planning to use JBP as the SP. After doing all the configuration as described here (SAML2 - GateIn Portal 3.7 - Project Documentation Editor), the JBoss Portal is not loading my custom keystore. As a result, the IDP throws an error saying the portal is not trusted. I am using Dell One Identity Cloud Access Manager as the IDP.

      I created my own keystore and imported the cert given by the IDP under the alias "emmportal". The content of /jboss-jpp-6.1.0/jboss-jpp-6.1/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-sp.xml is below:

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
        <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0"
                      ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true" LogOutPage="/">
          <!-- IdP endpoint that receives the AuthnRequest, and this SP's own URL
               (resolved from configuration.properties; it also appears as the request Issuer) -->
          <IdentityURL>https://abc.com/CloudAccessManager/RPSTS/Saml2/Default.aspx</IdentityURL>
          <ServiceURL>${gatein.sso.sp.url}</ServiceURL>

          <!-- JKS keystore: SigningKeyAlias is the SP private key used to sign outgoing
               messages; ValidatingAlias maps the IdP host to the alias of the certificate
               used to validate signatures on incoming messages -->
          <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
            <Auth Key="KeyStoreURL" Value="/sso/saml/secure-keystore.jks"/>
            <Auth Key="KeyStorePass" Value="Abc1234"/>
            <Auth Key="SigningKeyPass" Value="Abc1234"/>
            <Auth Key="SigningKeyAlias" Value="secure-key"/>
            <ValidatingAlias Key="*.abc.com" Value="emmportal"/>
          </KeyProvider>
        </PicketLinkSP>

        <!-- Handler chain: logout, authentication, InResponseTo check (a response must
             answer a request this SP actually issued), role mapping, then signing of
             outgoing and signature validation of incoming messages -->
        <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
          <Handler class="org.gatein.sso.agent.saml.PortalSAML2LogOutHandler"/>
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2InResponseToVerificationHandler"/>
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler"/>
        </Handlers>
      </PicketLink>

      The SSO settings in /jboss-jpp-6.1.0/jboss-jpp-6.1/standalone/configuration/gatein/configuration.properties are:

      # SSO
      gatein.sso.enabled=true
      gatein.sso.callback.enabled=${gatein.sso.enabled}
      gatein.sso.login.module.enabled=${gatein.sso.enabled}
      gatein.sso.login.module.class=org.gatein.sso.agent.login.SAML2IntegrationLoginModule
      gatein.sso.filter.login.sso.url=/@@portal.container.name@@/dologin
      gatein.sso.filter.logout.enabled=true
      gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.SAML2LogoutFilter
      gatein.sso.filter.initiatelogin.enabled=false
      # PicketLink SP authenticator valve and the picketlink-sp.xml it reads
      gatein.sso.valve.enabled=true
      gatein.sso.valve.class=org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator
      gatein.sso.saml.config.file=/WEB-INF/conf/sso/saml/picketlink-sp.xml
      # IdP endpoint and this SP's own URL (referenced as ${gatein.sso.sp.url} in picketlink-sp.xml)
      gatein.sso.idp.host=abc.com
      gatein.sso.idp.url=https://abc.com/CloudAccessManager/RPSTS/Saml2/Default.aspx
      gatein.sso.sp.url=http://localhost:8080/portal/dologin
      # WARNING: This bundled keystore is only for testing purposes. You should generate and use your own keystore!
      gatein.sso.picketlink.keystore=/sso/saml/secure-keystore.jks

      The error I am getting from the IDP is "The application (http://localhost:8080/portal/dologin) is not trusted by Cloud Access Manager".

      I used SAML tracer to look at the SAML request, and it looks like there is no cert going out in the SAML request, as you can see in the SAML request below:

      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
          AssertionConsumerServiceURL="http://localhost:8080/portal/dologin"
          Destination="https://abc.com/CloudAccessManager/RPSTS/Saml2/Default.aspx"
          ID="ID_c0fb8ab6-5e61-48a1-b035-f785f0863946"
          IssueInstant="2014-02-19T17:00:58.393Z"
          ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Version="2.0">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/portal/dologin</saml:Issuer>
        <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
          <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <dsig:Reference URI="#ID_c0fb8ab6-5e61-48a1-b035-f785f0863946">
              <dsig:Transforms>
                <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              </dsig:Transforms>
              <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
              <dsig:DigestValue>DMnc7UdOFkTMiBokTS6toGaAKFc=</dsig:DigestValue>
            </dsig:Reference>
          </dsig:SignedInfo>
          <dsig:SignatureValue>c2PlJjfnG82B1TGx2Ar6zj8pOc/baPEMQB5Tq7Hm4k2DKMbMzn6Ns90/VueHQC3Qrjv3NF2EDeNKlwerrQA4cU4RS5/c8oK8nm2fM1uEkqHNP68fvWKl9/Cy1bfsW4ZEHs4fr0r7U=</dsig:SignatureValue>
          <dsig:KeyInfo>
            <dsig:KeyValue>
              <dsig:RSAKeyValue>
                <dsig:Modulus>laYRz9BnOnUTuDNCbKJbHtPJGIjMoedyrXIUWymvmMxgsdmNu715LchGvqffaWRRkOn4pgNEOvVKXAzbdKQtS2IHe9Ex8mvmMasddqqQjMkeadhHVOOd14tSkNx3ztrves+7DjHs95WKHv0poqmD/m6mCMvnzuzJumUtR8=</dsig:Modulus>
                <dsig:Exponent>AQAB</dsig:Exponent>
              </dsig:RSAKeyValue>
            </dsig:KeyValue>
          </dsig:KeyInfo>
        </dsig:Signature>
        <samlp:NameIDPolicy AllowCreate="true"
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
      </samlp:AuthnRequest>
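The AuthnRequest pasted in the post above carries the SP's signing key as a raw dsig:RSAKeyValue (modulus and exponent), not as an X509Certificate, so a direct way to tell which keystore and alias PicketLink really signed with is to compare that modulus against the certificate that was handed to the IdP. The script below is an added example for that check; it is not code from the original post, nor from PicketLink or GateIn. The key, Issuer and request bodies in it are constructed for the demonstration, and the openssl command in its docstring assumes the SP certificate has been exported to a PEM file named emmportal.pem.

```python
"""Added example (not from the original post, PicketLink or GateIn).

Given an AuthnRequest captured with SAML tracer, pull the RSA public key
out of <dsig:KeyInfo> and compare it with the certificate that was handed
to the IdP, as printed by (assumed file name):

    openssl x509 -noout -modulus -in emmportal.pem

If the two moduli differ, the request was signed with a key other than
the one the IdP trusts, i.e. PicketLink loaded a different keystore or
alias than intended. Only key identity is compared; the XML signature
itself is not verified here. Sample requests below are constructed.
"""
import base64
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def _b64_to_int(text):
    # SAML tracer wraps long base64 values across lines; strip whitespace.
    return int.from_bytes(base64.b64decode("".join(text.split())), "big")


def _int_to_b64(n):
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()


def rsa_key_from_request(xml_text):
    """Return (modulus, exponent) from the request's RSAKeyValue, or None
    when KeyInfo carries something else (X509Data, a KeyName, nothing)."""
    root = ET.fromstring(xml_text)
    mod = root.find(f".//{{{DSIG}}}RSAKeyValue/{{{DSIG}}}Modulus")
    exp = root.find(f".//{{{DSIG}}}RSAKeyValue/{{{DSIG}}}Exponent")
    if mod is None or exp is None or not mod.text or not exp.text:
        return None
    return _b64_to_int(mod.text), _b64_to_int(exp.text)


def issuer_of(xml_text):
    """The <saml:Issuer> value: the identifier the IdP looks up in its list
    of registered (trusted) service providers."""
    el = ET.fromstring(xml_text).find(f"{{{SAML}}}Issuer")
    return el.text.strip() if el is not None and el.text else None


def matches_openssl_modulus(xml_text, openssl_line):
    """openssl prints 'Modulus=<HEX>'; compare as integers so case and
    leading zero bytes cannot cause a false mismatch."""
    key = rsa_key_from_request(xml_text)
    if key is None:
        return False
    hex_part = openssl_line.split("=", 1)[-1].strip()
    return key[0] == int(hex_part, 16)


# --- constructed sample data (hypothetical key, not the poster's) ---------
SAMPLE_MODULUS = int(
    "C7A9F2D3E14B58C6A0B1F3E7D2C4A8B59E6F1D0C3B2A5948F7E6D5C4B3A29180", 16)
SAMPLE_EXPONENT = 65537  # encodes as AQAB, as in the captured request


def build_sample_request(keyinfo_inner):
    # Mirrors the shape of a PicketLink AuthnRequest; SignedInfo and the
    # SignatureValue are omitted because they are not inspected here.
    return f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="ID_constructed" Version="2.0" IssueInstant="2014-02-19T17:00:58Z"
    AssertionConsumerServiceURL="http://localhost:8080/portal/dologin"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer xmlns:saml="{SAML}">http://localhost:8080/portal/dologin</saml:Issuer>
  <dsig:Signature xmlns:dsig="{DSIG}">
    <dsig:KeyInfo>{keyinfo_inner}</dsig:KeyInfo>
  </dsig:Signature>
</samlp:AuthnRequest>"""


SAMPLE_REQUEST = build_sample_request(
    "<dsig:KeyValue><dsig:RSAKeyValue>"
    f"<dsig:Modulus>{_int_to_b64(SAMPLE_MODULUS)}</dsig:Modulus>"
    f"<dsig:Exponent>{_int_to_b64(SAMPLE_EXPONENT)}</dsig:Exponent>"
    "</dsig:RSAKeyValue></dsig:KeyValue>")

# Same request, but KeyInfo carries a certificate instead of a raw key
# (placeholder base64, not a real certificate).
SAMPLE_REQUEST_X509 = build_sample_request(
    "<dsig:X509Data><dsig:X509Certificate>TUlJQi4uLg==</dsig:X509Certificate></dsig:X509Data>")


if __name__ == "__main__":
    expected = "Modulus=" + format(SAMPLE_MODULUS, "X")  # as openssl prints it
    print("Issuer:", issuer_of(SAMPLE_REQUEST))
    print("Key matches the cert given to the IdP:",
          matches_openssl_modulus(SAMPLE_REQUEST, expected))
    print("Raw key present in X509Data variant:",
          rsa_key_from_request(SAMPLE_REQUEST_X509) is not None)
```

To run this against the real capture, pass the AuthnRequest text from SAML tracer to matches_openssl_modulus together with the output of openssl x509 -noout -modulus on the certificate the IdP has on file for the portal. Two caveats worth keeping in mind when reading the result: the IdP's error message names the application URL, which is the Issuer value, and an IdP identifies a service provider by that identifier independently of which key signed the request, so a matching key does not by itself prove the SP is registered; and the captured request signs with rsa-sha1 and a SHA-1 digest, which many IdPs now reject, which is a separate setting to confirm with the IdP.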