Hi All,
I have gone through the steps in [1], to run the *Configuring Single
Sign-On with SAML 2.0 sample *in the IS 5.0.0.
When I try to login using admin/admin I'm getting following error
[image: Inline image 1]
In the IS console
[2015-02-11 17:10:56,627] WARN
{org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor}
- *Signature validation for Authentication Request failed*.
Using log4j.logger.org.wso2.carbon.identity=DEBUG
[2015-02-11 17:04:10,856] DEBUG
{org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Query
string :
SAMLRequest=nZPdbtswDIVfxdC9f5sCmRC7yBIUC9BtXuLuoneawiwaZMkT6TR9%2B8l20nnDGgS7FcnDw4%2FU7O5Y6%2BAADpU1OUujhAVgpN0q8z1nj9V9OGV3xQxFrRs%2Bb2lv1vCzBaTA1xnkfSBnrTPcClTIjagBOUm%2BmX984FmU8MZZstJqFswRwZFvtLAG2xrcBtxBSXhcP%2BRsT9TwONZWCr23SHyaTJOYnDiAf1P0Eklbx3tbQ%2FQDGxYsvQllBPW%2Bu2L8o%2FrdZHITd%2B4QLQvurZPQ28%2FZTmgEFqyWOfPDrrAUiOoAvwOILawMkjCUsyxJb8MkC9O0SlN%2BM%2BFpEk1vsycWlKe53isz0LoE4duQhPxDVZVh%2BXlTseDrmbpPYGfGfXd3PV1xZsqKv1jN4rHioJ81%2FJOXWC1Lq5V8GbXJrt%2Bi1vZ54UCQZ0auhR5vLeiyQPeituGuT%2BVNNzsSGGLBpuw8fWmFVjsFLmeDYxa%2Fej7dHGz7FfrrITjSf5lf2LoRTmGHHY5C0gk8HysvtKe6ht2ow9VLuJgmueyk%2FXN3dM%2FWbbsjAuknq5ww2FhHw9r%2B6acYYm8BKc4bH%2F%2FT4hc%3D&SigAlg=http%3A%2F%
2Fwww.w3.org
%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=gjnmwL3nruOUgRGotCoAxR1U3x7dKAw36MFQpn%2FBQbIl%2FlsX20cbQ6TkRBHsmVUYPX6DjTSSykEhkjme1mHsPOfNSTamIA29i%2Fsg8eXWJS47OeFrUaYutmFTNMHm%2F1MP3c92AppLoClLGd7Uza8RgywiXi%2FELvLLWL0qzTvb2O4%3D
[2015-02-11 17:04:10,857] DEBUG
{org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Request message
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="http://localhost:8080/travelocity.com/home.jsp";
Destination="https://localhost:9443/samlsso"; ForceAuthn="false" ID="0"
IsPassive="false" IssueInstant="2015-02-11T11:34:10.852Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"><samlp:Issuer
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">travelocity.com</samlp:Issuer><saml2p:NameIDPolicy
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="Issuer"/><saml2p:RequestedAuthnContext
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Comparison="exact"><saml:AuthnContextClassRef
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml2p:RequestedAuthnContext></samlp:AuthnRequest>
[2015-02-11 17:04:10,858] DEBUG
{org.wso2.carbon.identity.sso.saml.validators.SPInitSSOAuthnRequestValidator}
- Authentication Request Validation is successful..
[2015-02-11 17:04:10,861] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
- Initializing the flow
[2015-02-11 17:04:10,861] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
- The query-string sent by the calling servlet is:
SAMLRequest=nZPdbtswDIVfxdC9f5sCmRC7yBIUC9BtXuLuoneawiwaZMkT6TR9%2B8l20nnDGgS7FcnDw4%2FU7O5Y6%2BAADpU1OUujhAVgpN0q8z1nj9V9OGV3xQxFrRs%2Bb2lv1vCzBaTA1xnkfSBnrTPcClTIjagBOUm%2BmX984FmU8MZZstJqFswRwZFvtLAG2xrcBtxBSXhcP%2BRsT9TwONZWCr23SHyaTJOYnDiAf1P0Eklbx3tbQ%2FQDGxYsvQllBPW%2Bu2L8o%2FrdZHITd%2B4QLQvurZPQ28%2FZTmgEFqyWOfPDrrAUiOoAvwOILawMkjCUsyxJb8MkC9O0SlN%2BM%2BFpEk1vsycWlKe53isz0LoE4duQhPxDVZVh%2BXlTseDrmbpPYGfGfXd3PV1xZsqKv1jN4rHioJ81%2FJOXWC1Lq5V8GbXJrt%2Bi1vZ54UCQZ0auhR5vLeiyQPeituGuT%2BVNNzsSGGLBpuw8fWmFVjsFLmeDYxa%2Fej7dHGz7FfrrITjSf5lf2LoRTmGHHY5C0gk8HysvtKe6ht2ow9VLuJgmueyk%2FXN3dM%2FWbbsjAuknq5ww2FhHw9r%2B6acYYm8BKc4bH%2F%2FT4hc%3D&SigAlg=http%3A%2F%
2Fwww.w3.org
%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=gjnmwL3nruOUgRGotCoAxR1U3x7dKAw36MFQpn%2FBQbIl%2FlsX20cbQ6TkRBHsmVUYPX6DjTSSykEhkjme1mHsPOfNSTamIA29i%2Fsg8eXWJS47OeFrUaYutmFTNMHm%2F1MP3c92AppLoClLGd7Uza8RgywiXi%2FELvLLWL0qzTvb2O4%3D&relyingParty=
travelocity.com
&sessionDataKey=166ec0b0-19b9-4531-b4c6-eb9b6ba0b40d&type=samlsso&commonAuthCallerPath=%2Fsamlsso&forceAuth=false&passiveAuth=false
[2015-02-11 17:04:10,861] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
- Framework contextId: b55b5935-c834-43c9-8c0f-25548ea57da1
[2015-02-11 17:04:10,861] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
- Starting an authentication flow
[2015-02-11 17:04:10,863] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler}
- In authentication flow
[2015-02-11 17:04:10,863] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler}
- Starting the sequence
[2015-02-11 17:04:10,863] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler}
- Force Authenticate: false
[2015-02-11 17:04:10,863] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler}
- Re-Authenticate: false
[2015-02-11 17:04:10,863] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler}
- Passive Authenticate: false
[2015-02-11 17:04:10,863] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler}
- Executing the Step Based Authentication...
[2015-02-11 17:04:10,863] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler}
- Starting Step: 1
[2015-02-11 17:04:10,863] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils}
- Finding already authenticated IdPs of the Step
[2015-02-11 17:04:10,863] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler}
- Step contains only a single IdP. Going to call it directly
[2015-02-11 17:04:10,863] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade}
- Trying to find the IdP for name: LOCAL
[2015-02-11 17:04:10,863] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade}
- A registered IdP was found
[2015-02-11 17:04:10,864] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler}
- BasicAuthenticator returned: INCOMPLETE
[2015-02-11 17:04:10,864] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler}
- BasicAuthenticator is redirecting
[2015-02-11 17:04:10,864] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler}
- Step is not complete yet. Redirecting to outside.
[2015-02-11 17:04:38,821] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler}
- In authentication flow
[2015-02-11 17:04:38,822] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler}
- Executing the Step Based Authentication...
[2015-02-11 17:04:38,822] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler}
- Starting Step: 1
[2015-02-11 17:04:38,822] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils}
- Finding already authenticated IdPs of the Step
[2015-02-11 17:04:38,823] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler}
- Receive a response from the external party
[2015-02-11 17:04:38,823] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler}
- BasicAuthenticator can handle the request.
[2015-02-11 17:04:38,854] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler}
- BasicAuthenticator returned: SUCCESS_COMPLETED
[2015-02-11 17:04:38,854] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler}
- Step 1 is completed. Going to get the next one.
[2015-02-11 17:04:38,854] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler}
- There are no more steps to execute
[2015-02-11 17:04:38,854] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler}
- Request is successfully authenticated
[2015-02-11 17:04:38,854] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler}
- Handling Post Authentication tasks
[2015-02-11 17:04:38,855] DEBUG
{org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil}
- JWT Header :{"typ":"JWT", "alg":"none"}
[2015-02-11 17:04:38,855] DEBUG
{org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil}
- JWT Body
:{"iss":"wso2","exp":14236544788553000,"iat":1423654478855,"idps":[{"idp":"LOCAL","authenticator":"BasicAuthenticator"}]}
[2015-02-11 17:04:38,857] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler}
- Step processing is completed
[2015-02-11 17:04:38,858] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler}
- Concluding the Authentication Flow
[2015-02-11 17:04:38,858] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler}
- Sending response back to: /samlsso...
commonAuthAuthenticated: true
authenticatedUser: admin
authenticatedIdPs:
eyJ0eXAiOiJKV1QiLCAiYWxnIjoibm9uZSJ9.eyJpc3MiOiJ3c28yIiwiZXhwIjoxNDIzNjU0NDc4ODU1MzAwMCwiaWF0IjoxNDIzNjU0NDc4ODU1LCJpZHBzIjpbeyJpZHAiOiJMT0NBTCIsImF1dGhlbnRpY2F0b3IiOiJCYXNpY0F1dGhlbnRpY2F0b3IifV19.
sessionDataKey: 166ec0b0-19b9-4531-b4c6-eb9b6ba0b40d
[2015-02-11 17:04:38,862] DEBUG
{org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Query
string : sessionDataKey=166ec0b0-19b9-4531-b4c6-eb9b6ba0b40d
[2015-02-11 17:04:38,863] DEBUG
{org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Validating SAML
Request signature
[2015-02-11 17:04:38,864] DEBUG
{org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Request message
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="http://localhost:8080/travelocity.com/home.jsp";
Destination="https://localhost:9443/samlsso"; ForceAuthn="false" ID="0"
IsPassive="false" IssueInstant="2015-02-11T11:34:10.852Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"><samlp:Issuer
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">travelocity.com</samlp:Issuer><saml2p:NameIDPolicy
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="Issuer"/><saml2p:RequestedAuthnContext
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Comparison="exact"><saml:AuthnContextClassRef
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml2p:RequestedAuthnContext></samlp:AuthnRequest>
[2015-02-11 17:04:38,865] DEBUG
{org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator}
- Constructing signed content string from URL query string
SAMLRequest=nZPdbtswDIVfxdC9f5sCmRC7yBIUC9BtXuLuoneawiwaZMkT6TR9%2B8l20nnDGgS7FcnDw4%2FU7O5Y6%2BAADpU1OUujhAVgpN0q8z1nj9V9OGV3xQxFrRs%2Bb2lv1vCzBaTA1xnkfSBnrTPcClTIjagBOUm%2BmX984FmU8MZZstJqFswRwZFvtLAG2xrcBtxBSXhcP%2BRsT9TwONZWCr23SHyaTJOYnDiAf1P0Eklbx3tbQ%2FQDGxYsvQllBPW%2Bu2L8o%2FrdZHITd%2B4QLQvurZPQ28%2FZTmgEFqyWOfPDrrAUiOoAvwOILawMkjCUsyxJb8MkC9O0SlN%2BM%2BFpEk1vsycWlKe53isz0LoE4duQhPxDVZVh%2BXlTseDrmbpPYGfGfXd3PV1xZsqKv1jN4rHioJ81%2FJOXWC1Lq5V8GbXJrt%2Bi1vZ54UCQZ0auhR5vLeiyQPeituGuT%2BVNNzsSGGLBpuw8fWmFVjsFLmeDYxa%2Fej7dHGz7FfrrITjSf5lf2LoRTmGHHY5C0gk8HysvtKe6ht2ow9VLuJgmueyk%2FXN3dM%2FWbbsjAuknq5ww2FhHw9r%2B6acYYm8BKc4bH%2F%2FT4hc%3D&SigAlg=http%3A%2F%
2Fwww.w3.org
%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=gjnmwL3nruOUgRGotCoAxR1U3x7dKAw36MFQpn%2FBQbIl%2FlsX20cbQ6TkRBHsmVUYPX6DjTSSykEhkjme1mHsPOfNSTamIA29i%2Fsg8eXWJS47OeFrUaYutmFTNMHm%2F1MP3c92AppLoClLGd7Uza8RgywiXi%2FELvLLWL0qzTvb2O4%3D
[2015-02-11 17:04:38,866] DEBUG
{org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator}
- Constructed signed content string for HTTP-Redirect DEFLATE
SAMLRequest=nZPdbtswDIVfxdC9f5sCmRC7yBIUC9BtXuLuoneawiwaZMkT6TR9%2B8l20nnDGgS7FcnDw4%2FU7O5Y6%2BAADpU1OUujhAVgpN0q8z1nj9V9OGV3xQxFrRs%2Bb2lv1vCzBaTA1xnkfSBnrTPcClTIjagBOUm%2BmX984FmU8MZZstJqFswRwZFvtLAG2xrcBtxBSXhcP%2BRsT9TwONZWCr23SHyaTJOYnDiAf1P0Eklbx3tbQ%2FQDGxYsvQllBPW%2Bu2L8o%2FrdZHITd%2B4QLQvurZPQ28%2FZTmgEFqyWOfPDrrAUiOoAvwOILawMkjCUsyxJb8MkC9O0SlN%2BM%2BFpEk1vsycWlKe53isz0LoE4duQhPxDVZVh%2BXlTseDrmbpPYGfGfXd3PV1xZsqKv1jN4rHioJ81%2FJOXWC1Lq5V8GbXJrt%2Bi1vZ54UCQZ0auhR5vLeiyQPeituGuT%2BVNNzsSGGLBpuw8fWmFVjsFLmeDYxa%2Fej7dHGz7FfrrITjSf5lf2LoRTmGHHY5C0gk8HysvtKe6ht2ow9VLuJgmueyk%2FXN3dM%2FWbbsjAuknq5ww2FhHw9r%2B6acYYm8BKc4bH%2F%2FT4hc%3D&SigAlg=http%3A%2F%
2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
[2015-02-11 17:04:38,866] WARN
{org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor}
- Signature validation for Authentication Request failed.
Any help to get around this would be really nice.
[1] -
https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0
Thanks
--
Thusitha Dayaratne
Software Engineer | WSO2 Inc
Email [email protected]
Mobile +94712756809
Blog alokayasoya.blogspot.com
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
