Not a valid value of the atomic type 'xs:ID' - fusionauth

Trouble getting FusionAuth as IDP to pass samltest.id.
FusionAuth installed on test.example.com upstream of NGINX with SSL, all on Ubuntu 18.04.
Create application in FusionAuth
Name: SamlTest
Id: 1214aabe-5697-44bd-a271-511d43b63913
In SAML tab set [1]
Issuer: https://samltest.id/saml/sp
ACS: https://samltest.id/Shibboleth.sso/SAML2/POST
View application, under SAML v2 Integration details
Metadata URL: https://test.example.com/samlv2/metadata/63326230-3433-3661-3939-626632386436
Provide Metadata URL to samltest.id [2] and get following errors
moment.metadata:1: element EntityDescriptor: Schemas validity error : Element '{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor', attribute 'ID': '64643134-3530-3365-6433-393236336261' is not a valid value of the atomic type 'xs:ID'.
moment.metadata:1: element IDPSSODescriptor: Schemas validity error : Element '{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor': The attribute 'protocolSupportEnumeration' is required but missing.
moment.metadata fails to validate
Is it possible that the ID needs to start with something other than a number [3]?
EDIT1 - start
Fairly certain that the issue identified in [3] is what's triggering the first error. Manually modified XML file, prepended ID with an _ (underscore) and submitted it to a local Shibboleth SP install and that got rid of the 'xs:ID' error.
I don't think we can resolve the 'protocolSupportEnumeration' missing error.
EDIT 1 - end
Any help would be appreciated.
[1] https://samltest.id/download/#SAMLtest_Metadata
[2] https://samltest.id/upload.php
[3] https://docs.secureauth.com/pages/viewpage.action?pageId=6226279

Issue fixed by developer with patch to fusionauth-samlv2-X.Y.Z.jar.
See discussion here: Github
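For anyone hitting the same validator output before the fix is deployed, the following added example (not FusionAuth's or samltest.id's code) checks a metadata document for exactly the two schema errors quoted above: an EntityDescriptor ID that is not a valid xs:ID (an NCName cannot start with a digit, which is what [3] describes and what the underscore workaround in EDIT 1 addresses) and a role descriptor missing the required protocolSupportEnumeration. The sample document is constructed to mirror the rejected one; the SingleSignOnService location in it is made up. Note that the repair step refuses signed metadata, because changing the ID or any attribute breaks the signature.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("md", MD_NS)

# xs:ID is an xs:NCName: a letter or '_' first, then letters, digits, '.', '-'
# or '_', never ':'. ASCII-only approximation; the schema also admits
# non-ASCII letters, which never occur in UUID-style IDs anyway.
_NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")


def is_valid_xs_id(value):
    """True if value is acceptable as an xs:ID attribute value."""
    return bool(value) and _NCNAME_RE.match(value) is not None


def fix_xs_id(value):
    """Make a digit-leading (UUID-style) ID schema-valid by prefixing '_'."""
    return value if is_valid_xs_id(value) else "_" + value


def _md(local):
    return "{%s}%s" % (MD_NS, local)


def check_metadata(xml_text):
    """Return a list of problems; an empty list means both checks passed."""
    root = ET.fromstring(xml_text)
    if root.tag != _md("EntityDescriptor"):
        return ["root element is %s, expected md:EntityDescriptor" % root.tag]
    problems = []
    ident = root.get("ID")
    if ident is not None and not is_valid_xs_id(ident):
        problems.append("EntityDescriptor/@ID %r is not a valid xs:ID" % ident)
    for role in ("IDPSSODescriptor", "SPSSODescriptor"):
        for el in root.iter(_md(role)):
            enum = el.get("protocolSupportEnumeration")
            if not enum:
                problems.append("%s: protocolSupportEnumeration is required but missing" % role)
            elif SAML2_PROTOCOL not in enum.split():
                problems.append("%s: protocolSupportEnumeration does not list SAML 2.0" % role)
    return problems


def repair_metadata(xml_text):
    """Return the metadata with both defects patched.

    Refuses signed metadata: the Signature's Reference URI points at the ID,
    and changing it or any other attribute invalidates the signature, so a
    signed document has to be fixed by whoever produces it."""
    root = ET.fromstring(xml_text)
    if root.find("{%s}Signature" % DS_NS) is not None:
        raise ValueError("metadata is signed; fix it at the source instead of rewriting it")
    ident = root.get("ID")
    if ident is not None:
        root.set("ID", fix_xs_id(ident))
    for role in ("IDPSSODescriptor", "SPSSODescriptor"):
        for el in root.iter(_md(role)):
            if not el.get("protocolSupportEnumeration"):
                el.set("protocolSupportEnumeration", SAML2_PROTOCOL)
    return ET.tostring(root, encoding="unicode")


# Constructed stand-in for the metadata the validator rejected: same ID and
# entityID as in the question, a made-up SingleSignOnService location.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="64643134-3530-3365-6433-393236336261"
    entityID="https://test.example.com/samlv2/metadata/63326230-3433-3661-3939-626632386436">
  <md:IDPSSODescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://test.example.com/samlv2/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for p in check_metadata(SAMPLE_METADATA):
        print("before:", p)
    print("after:", check_metadata(repair_metadata(SAMPLE_METADATA)))
```

Running it reports the two problems for the sample and none after repair. Treat the repair as a test-bench workaround only; the right fix is on the producer side, as the patched jar above did.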

Related

Trying to deserialize a session but no signature validation key specified

I am facing the following issue:
org.mule.session.SerializeAndEncodeSessionHandler - Trying to deserialize a session but no signature validation key specified
which results in the session variables not being deserialized, so I can't access them.
The issue exists when I run the project on mule kernel 3.9.0.
It works fine on 3.9.0 runtime in AnyPointStudio.
You need to specify a secret key in Java property mule.session.sign.secretKey to sign the session variables that are created by the collection splitter. This is a consequence of security patch: https://help.mulesoft.com/s/article/Runtime-Security-Patch-31-October-2019
For example:
-Dmule.session.sign.secretKey=REPLACE_BY_SECRET_VALUE
See section 'Patch Configuration' of above article for details.

UserStoreConfigAdminService Issue

Went through the following steps but am getting an issue reaching UserStoreConfigAdminService?wsdl
https://docs.wso2.com/display/IS530/Calling+Admin+Services
Getting the following error:
The endpoint reference (EPR) for the Operation not found is /services/UserStoreConfigAdminService/ and the WSA Action = null. If this EPR was previously reachable, please contact the server administrator.
Also it says the service is available in OSGi in the list of AdminServices.
Are there issues using this with Identity Server 5.8?
Missing a step?
Thanks for your help
If you are using IS 5.8.0 pack then you need to,
Change the value of the configuration '' to false in carbon.xml
Restart the server
Use the following URL to access the WSDL file.
https://localhost:9443/services/RemoteUserStoreManagerService?wsdl
If you are using IS 5.9.0 please refer to the document [1].
What you need to do is,
Open the deployment.toml file in the /repository/conf directory and add the admin_service.WSDL element and set it to false as below.
[admin_service.wsdl] enable = "false"
Restart WSO2 Identity Server.
Use the following URL to access the WSDL file.
https://localhost:9443/services/RemoteUserStoreManagerService?wsdl
[1] https://is.docs.wso2.com/en/5.9.0/develop/managing-user-stores-with-apis/

Configuring a Keystone Service Provider

I'm configuring Keystone (as SP) for federation, and I have a question about the Shibboleth setup [1]. I need to edit the shibboleth2.xml file and add the SP entity ID:
<ApplicationDefaults entityID="http://mysp.example.com/shibboleth">
In my case, it would be:
<ApplicationDefaults entityID="http://10.7.49.47:5000/shibboleth">
I don't know if this is the right value. When I try to access 10.7.49.47:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth, I receive the error:
Unable to locate metadata for 'http://10.7.49.47:5000/shibboleth'
I want to understand better how Shibboleth works with Keystone, and how to get this Keystone SP entityID. I don't know if I need to configure something to make '/shibboleth' work.
I need to get this entityID to configure my IdP SimpleSamlPHP, and add the SP there [2].
[1] https://docs.openstack.org/developer/keystone/federation/shibboleth.html
[2] https://simplesamlphp.org/docs/1.5/simplesamlphp-idp#section_5
One, I recommend you use HTTPS to connect with Shibboleth. If that is already your case then ignore this.
Two, the entityID does not need to match your host or IP. So if you want you can drop the port from the entityID. You can use any string for that matter.
Now, to answer your question, see this answer of mine for the steps to integrate Shibboleth. Though these are Java application steps, it is mostly done in Apache httpd so it is relevant to anybody.
See step 3 from that post; that is where your Apache server learns which location to protect.
P.S. The path your application listens is /Shibboleth.sso/ not /shibboleth

No MetadataProvider available - shibsp::ConfigurationException

I recently upgraded Shibboleth from version Shibboleth-sp-2.5.6.0-win64 to Shibboleth-sp-2.6.0.0-win64 and the Apache web server from 2.4.16 to 2.4.23.
After the upgrade, when I try to access my application I get the following error:
shibsp::ConfigurationException
The system encountered an error at Fri Oct 14 20:19:51 2016
To report this problem, please contact the site administrator at root@localhost.
Please include the following message in any email:
shibsp::ConfigurationException at (https://xxxxxx.xxxx/)
No MetadataProvider available.
When I access https://xxxxx.xxxxx/Shibboleth.sso/Metadata, the metadata file is downloaded and the details seem correct.
Does anyone know why this error occurs and how we can solve it?
If it can be of help, I was writing this:
<MetadataProvider type="XML" validate="true" file="/etc/shibboleth/idp-metadata.xml" />
instead of this:
<MetadataProvider type="XML" validate="true" path="/etc/shibboleth/idp-metadata.xml" />
The XML attribute is path. I'm using Shibboleth SP version 3.
Ensure that you have a section in the defaults as well as in an override, if one exists. For me, even though there was a section properly created for the override, it needed one in the defaults too.
Just for the record. Most configuration of your SP takes place in shibboleth2.xml. Locate this file on your server and edit settings to your comfort.
For Linux installations:
Be sure not to edit this file from your installation path, but in your distribution path (i.e. /etc/shibboleth/shibboleth2.xml), otherwise your changes will not be visible ...
A restart of shibd (systemctl restart shibd) is mandatory after changing shibboleth2.xml.
Try the following steps:
1) Go to shar.log and check what is the entity ID returning from the IDP's assertion message.
2) Go to the corresponding IDP'S metadata in SP side, compare both entity ID's.
3) Sure there must be some mismatch between the files, so that's why SP is unable to find the IDP to which it is talking and not able to proceed further.
Finally, update the entity ID in the IDP's metadata and restart shibd. It should work.
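The three-step check in the last answer (read the Issuer from the log, open the IdP metadata the SP actually loads, compare entityIDs) is easy to script. The following added example, which is not part of the original thread nor Shibboleth's own tooling, walks a shibboleth2.xml, loads every XML-type MetadataProvider it finds, and reports whether a given Issuer is present in any of them. It also flags the `file=` spelling from the earlier answer, since SP 3 expects `path=`. The config and metadata it writes to a temp directory are constructed for the demo; hostnames are made up, and relative provider paths are assumed to resolve against the directory holding shibboleth2.xml.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

SP_CONF_NS = "urn:mace:shibboleth:2.0:native:sp:config"  # shibboleth2.xml default namespace
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def metadata_sources(shibboleth2_xml_path):
    """Yield (attribute, value) for every XML-type MetadataProvider.

    'path' is the SP 3 attribute; the older 'file' spelling is yielded as well
    so a stale attribute shows up in the findings instead of silently loading
    nothing."""
    root = ET.parse(shibboleth2_xml_path).getroot()
    for mp in root.iter("{%s}MetadataProvider" % SP_CONF_NS):
        if mp.get("type") != "XML":
            continue
        for attr in ("path", "file"):
            if mp.get(attr):
                yield attr, mp.get(attr)


def entity_ids_in(metadata_path):
    """All entityIDs in a metadata file, whether a single EntityDescriptor or
    an EntitiesDescriptor aggregate."""
    root = ET.parse(metadata_path).getroot()
    return {el.get("entityID") for el in root.iter("{%s}EntityDescriptor" % MD_NS)}


def diagnose(shibboleth2_xml_path, issuer):
    """Compare the assertion Issuer against what the SP's metadata actually knows.

    Returns {'issuer_found': bool, 'known': set, 'findings': [str, ...]}.
    Relative provider paths are resolved against the config file's directory
    (assumption for this example)."""
    base = os.path.dirname(os.path.abspath(shibboleth2_xml_path))
    known, findings, n_sources = set(), [], 0
    for attr, value in metadata_sources(shibboleth2_xml_path):
        n_sources += 1
        full = value if os.path.isabs(value) else os.path.join(base, value)
        if attr == "file":
            findings.append("MetadataProvider uses file=%r; Shibboleth SP 3 expects path=" % value)
        if not os.path.exists(full):
            findings.append("metadata file %s not found" % full)
            continue
        known |= entity_ids_in(full)
    if n_sources == 0:
        findings.append("no XML MetadataProvider configured; the SP cannot resolve any IdP")
    elif issuer not in known:
        findings.append("issuer %r not in loaded metadata %s: entityID mismatch"
                        % (issuer, sorted(known)))
    return {"issuer_found": issuer in known, "known": known, "findings": findings}


def build_demo(attr="path"):
    """Write a constructed shibboleth2.xml plus idp-metadata.xml to a temp dir.

    Returns (config_path, idp_entity_id). Hostnames are made up."""
    d = tempfile.mkdtemp(prefix="shibsp-")
    idp_id = "https://idp.example.org/idp/shibboleth"
    with open(os.path.join(d, "idp-metadata.xml"), "w") as f:
        f.write('<md:EntityDescriptor xmlns:md="%s" entityID="%s">'
                '<md:IDPSSODescriptor protocolSupportEnumeration='
                '"urn:oasis:names:tc:SAML:2.0:protocol"/>'
                '</md:EntityDescriptor>' % (MD_NS, idp_id))
    with open(os.path.join(d, "shibboleth2.xml"), "w") as f:
        f.write('<SPConfig xmlns="%s">'
                '<ApplicationDefaults entityID="https://sp.example.org/shibboleth">'
                '<MetadataProvider type="XML" validate="true" %s="idp-metadata.xml"/>'
                '</ApplicationDefaults></SPConfig>' % (SP_CONF_NS, attr))
    return os.path.join(d, "shibboleth2.xml"), idp_id


if __name__ == "__main__":
    cfg, idp = build_demo()
    print(diagnose(cfg, idp))
    # A trailing slash is a classic mismatch between an assertion Issuer and
    # the SP-side copy of the IdP metadata.
    print(diagnose(cfg, idp + "/"))
```

Run `diagnose("/etc/shibboleth/shibboleth2.xml", "<Issuer from shibd.log>")` on a real host; an empty findings list with issuer_found True means the metadata side is fine and the problem lies elsewhere (signing certificate, clock skew, ACS URL), while a mismatch finding points straight at the entityID to correct before restarting shibd.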

Liferay and export users into LDAP

I would like to enable the export of the users from Liferay into my OpenLDAP server.
So I enabled the checkbox on the configuration page and I set the parameters in the LDAP export.
Now, when I try to create a user in Liferay I get:
Login is temporarily unavailable.
any suggestions?
This is the backtrace in the Java console:
Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - object class: value #1 invalid per syntax]; remaining name 'cn=myname,dc=myTest,dc=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3054)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:397)
at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:354)
at com.sun.jndi.toolkit.ctx.ComponentContext.p_bind(ComponentContext.java:596)
at com.sun.jndi.toolkit.ctx.PartialCompositeContext.bind(PartialCompositeContext.java:183)
at javax.naming.InitialContext.bind(InitialContext.java:404)
at com.liferay.portal.security.ldap.PortalLDAPExporterImpl.addUser(PortalLDAPExporterImpl.java:360)
at com.liferay.portal.security.ldap.PortalLDAPExporterImpl.exportToLDAP(PortalLDAPExporterImpl.java:252)
at com.liferay.portal.security.ldap.PortalLDAPExporterUtil.exportToLDAP(PortalLDAPExporterUtil.java:62)
at com.liferay.portal.model.UserListener.exportToLDAP(UserListener.java:96)
at com.liferay.portal.model.UserListener.onAfterUpdate(UserListener.java:72)
... 91 more
Either you have wrong configuration, or you're stuck on a Liferay - LDAP bug.
Here's the list of unresolved issues.
Please provide us an English error message next time, because all I see in your screenshot is... an error message.
If you're using Liferay 6.1 Community there are a few unresolved LDAP related bugs in that version. I faced a number of problems and ultimately it worked by
Disabling LDAP export in the LDAP wizard.
Creating a custom hook which is triggered at user login, creation or any other change to the user object. The hook programmatically exports users into the external AD through LDAP using the Java JNDI lookup library. You can find the hook related code here: http://abhirampal.com/2014/12/20/liferay-ldap-export-to-active-directory-disabled-user-bug/
Feel free to ask if anyone's got any questions.