On Tue, Oct 20, 2015 at 2:21 PM, Nadeesha Meegoda <nadees...@wso2.com> wrote:
> Hi all,
>
> I have done the same setup in tenant mode (IDP and travelocity SP are in tenant mode)

Were you able to resolve the issue in super tenant mode?

> and enabled assertion encryption. The SP created for the IDP is in super tenant mode, that is the 2nd IS. Now I am getting an error on the IS side. I have exported the external IS private key and imported it to the IDP. Any reason behind this exception that I have missed doing? (Testing in the wso2is-5.1.0-kernel-4.2.0-SNAPSHOT given on 14th Oct)
>
> Note - I can successfully log in when assertion encryption is disabled.
>
> [1] - https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer&spaceKey=IS510
>
> [2015-10-20 13:50:00,139] ERROR {org.opensaml.xml.encryption.Decrypter} - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
> [2015-10-20 13:50:00,140] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Unable to decrypt the SAML Assertion
> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: Unable to decrypt the SAML Assertion
>         at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:202)
>         at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:65)
>         at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:426)
>         at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:400)
>         at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:114)
>         at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:171)
>         at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:111)
>         at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:119)
>         at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:53)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>         at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
>         at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>         at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>         at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>         at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>         at org.wso2.carbon.ui.filters.CSRFPreventionFilter.doFilter(CSRFPreventionFilter.java:88)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>         at org.wso2.carbon.ui.filters.CRLFPreventionFilter.doFilter(CRLFPreventionFilter.java:59)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>         at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>         at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>         at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>         at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>         at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>         at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>         at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>         at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: org.wso2.carbon.identity.application.authenticator.samlsso.exception.SAMLSSOException: Unable to decrypt the SAML Assertion
>         at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSSOResponse(DefaultSAML2SSOManager.java:431)
>         at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processResponse(DefaultSAML2SSOManager.java:312)
>         at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:157)
>         ... 53 more
> Caused by: org.opensaml.xml.encryption.DecryptionException: Valid decryption key for EncryptedKey could not be resolved
>         at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:623)
>         at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.getDecryptedAssertion(DefaultSAML2SSOManager.java:897)
>         at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSSOResponse(DefaultSAML2SSOManager.java:429)
>         ... 55 more
>
> Thanks!
>
> On Fri, Oct 9, 2015 at 4:12 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>> #Alias of the IdP's public certificate
>> IdPPublicCertAlias=wso2carbon
>>
>> It seems this is not present in the travelocity.properties file. Can you please try with the latest travelocity app?
>>
>> On Thu, Oct 8, 2015 at 5:53 PM, Nadeesha Meegoda <nadees...@wso2.com> wrote:
>>> Hi all,
>>>
>>> I'm continuously getting this error when assertion encryption is enabled. I have attached the travelocity.properties file for your reference. I can give the travelocity.war on request.
>>>
>>> On Sun, Oct 4, 2015 at 1:43 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>>>> Hi Nadeesha,
>>>>
>>>> I just checked the Federated SSO scenario (product-is build 02/10/2015) you mentioned in the initial mail. It works fine for me, except I had to replace commons-collections-3.1.jar with commons-collections-3.2.1.jar inside the travelocity.com web app.
>>>>
>>>> Thanks,
>>>> Gayan
>>>>
>>>> On Fri, Oct 2, 2015 at 9:11 PM, Nadeesha Meegoda <nadees...@wso2.com> wrote:
>>>>> Hi Tharindu,
>>>>>
>>>>> When I tested this with a single IS for SAML SSO (not the federated scenario) everything worked fine for the super tenant. I doubt this is related to the federated scenario. Please have a look and let me know.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> On Fri, Oct 2, 2015 at 8:52 PM, Tharindu Edirisinghe <tharin...@wso2.com> wrote:
>>>>>> Hi Nadeesha,
>>>>>>
>>>>>> For the super tenant, sso.agent should be able to decrypt the encrypted SAML assertion. However there was an issue [1] where, for a tenant, when the tenant encrypts the SAML assertion with the public certificate of the client (i.e. the travelocity app), sso.agent could not decrypt the assertion because in the code the private key of travelocity's key store was not getting picked up, because of the particular method called in the OpenSAML library. This was patched some time back for sso.agent version 1.2, but we need to check whether the same fix got correctly merged to higher versions (i.e. 1.4). Ideally this should anyway work for the super tenant, but we'll check the same scenario more and let you know.
>>>>>>
>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-3186
>>>>>>
>>>>>> Regards,
>>>>>> TharinduE
>>>>>>
>>>>>> On Fri, Oct 2, 2015 at 3:34 PM, Nadeesha Meegoda <nadees...@wso2.com> wrote:
>>>>>>> Hi Darshana,
>>>>>>>
>>>>>>> Yes, the response is encrypted. Sending the SAML SSO trace attached with the mail.
>>>>>>>
>>>>>>> @Ishara I used wso2carbon as the certificate alias since I'm using the default key stores, and also I'm testing this in super tenant mode. Do I need to import the public certificate of the private key of the travelocity app to the IS keystores in super tenant mode?
>>>>>>>
>>>>>>> On Fri, Oct 2, 2015 at 3:19 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>>>>>> Hi Nadeesha,
>>>>>>>>
>>>>>>>> On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana <darsh...@wso2.com> wrote:
>>>>>>>>> Hi Nadeesha,
>>>>>>>>>
>>>>>>>>> Have you checked whether the assertion is encrypted in the response IS sends back to the travelocity app?
>>>>>>>>>
>>>>>>>>> And please provide the SSO Trace (save as a text file and attach in the mail) for the whole flow.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Darshana
>>>>>>>>>
>>>>>>>>> On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda <nadees...@wso2.com> wrote:
>>>>>>>>>> Hi.
>>>>>>>>>>
>>>>>>>>>> I have configured the setup to Login to the Identity Server Using Another Identity Server as per the details in [1] in Super tenant mode. With the happy scenario according to the documentation this works fine. But I have enabled some additional properties in the IDP and the SP used for the IDP, as follows:
>>>>>>>>>>
>>>>>>>>>> *Properties enabled for Federated Authenticators* - SAML2 Web SSO Configuration
>>>>>>>>>>
>>>>>>>>>> 1. Enabled Assertion Encryption
>>>>>>>>>> 2. Enabled Assertion Signing
>>>>>>>>>> 3. Enabled Authentication Response Signing
>>>>>>>>>>
>>>>>>>>>> *Properties enabled for SP used for IDP*
>>>>>>>>>>
>>>>>>>>>> 1. Enabled Assertion Encryption
>>>>>>>>>> 2. Enabled Response Signing
>>>>>>>>>>
>>>>>>>>>> *Properties enabled for SP used for travelocity app*
>>>>>>>>>>
>>>>>>>>>> 1. Enabled Assertion Encryption
>>>>>>>>
>>>>>>>> What is the Certificate Alias you used here? Is that the public key in the travelocity app?
>>>>>>>>
>>>>>>>>>> 2. Enabled Response Signing
>>>>>>>>>>
>>>>>>>>>> In the travelocity.properties file also I have enabled Assertion Encryption, Response signing and Assertion signing. I have already imported the Identity Provider Public Certificate to the IDP.
>>>>>>>>>>
>>>>>>>>>> When I'm signing in to travelocity.com I get the "Unable to decrypt the SAML Assertion" error, and the error in [2] in tomcat.
>>>>>>>>>>
>>>>>>>>>> Note that with only "assertion signing" enabled in the IDP I was successfully able to log in and no error was displayed. When I enabled Assertion Encryption this error occurred. Why does this error occur when I enable this property as mentioned above?
>>>>>>>>>>
>>>>>>>>>> Any help regarding this is highly appreciated!
>>>>>>>>>>
>>>>>>>>>> [1] - https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer&spaceKey=IS510
>>>>>>>>>>
>>>>>>>>>> [2] - Oct 02, 2015 2:10:47 PM org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
>>>>>>>>>> SEVERE: An error has occurred
>>>>>>>>>> org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Unable to decrypt the SAML Assertion
>>>>>>>>>>         at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:254)
>>>>>>>>>>         at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:198)
>>>>>>>>>>         at org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:89)
>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>>>>>>>>>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>>>>>>>>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>>>>>>>>>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>>>>>>>>>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>>>>>>>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>>>>>>>>>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>>>>>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
>>>>>>>>>>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
>>>>>>>>>>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>>>>>>>>>>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
>>>>>>>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>>>>>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>>>>>>>>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>>>>         at java.lang.Thread.run(Thread.java:745)
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>> --
>>>>>>>>>> *Nadeesha Meegoda*
>>>>>>>>>> Software Engineer - QA
>>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>> email : nadees...@wso2.com
>>>>>>>>>> mobile: +94783639540
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> *Darshana Gunawardana*
>>>>>>>>> Senior Software Engineer
>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>> *E-mail: darsh...@wso2.com*
>>>>>>>>> *Mobile: +94718566859*
>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>
>>>>>>>> --
>>>>>>>> Ishara Karunarathna
>>>>>>>> Senior Software Engineer
>>>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> Dev@wso2.org
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>
>>>>>> --
>>>>>> Tharindu Edirisinghe
>>>>>> Software Engineer | WSO2 Inc
>>>>>> Identity Server Team
>>>>>> Blog : tharindue.blogspot.com
>>>>>> mobile : +94 775 181586
>>>>
>>>> --
>>>> Gayan Gunawardana
>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>> Email: ga...@wso2.com
>>>> Mobile: +94 (71) 8020933
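The innermost failure in both traces above is OpenSAML's Decrypter being unable to resolve the key that unwraps the EncryptedKey. The Java class below is an added example, not sso.agent's or the Identity Server's own code, showing how an SP-side decrypter is wired from a JKS private-key entry so that the two things that must agree are explicit: the alias the SP loads its private key under, and the certificate the IdP encrypted the session key for. It assumes OpenSAML 2.x on the classpath; the class name and constructor parameters are hypothetical.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;

/** Decrypts a SAML2 EncryptedAssertion with the SP's own private key (hypothetical helper). */
public final class AssertionDecryptor {

    private final BasicX509Credential spCredential;

    // Hypothetical parameters: the SP keystore and the alias of the SP's *private key* entry.
    // This alias plays a different role from IdPPublicCertAlias in travelocity.properties,
    // which names the IdP certificate used for signature verification, even though both
    // default to "wso2carbon" with the stock keystores.
    public AssertionDecryptor(String keyStorePath, char[] keyStorePassword,
                              String privateKeyAlias, char[] privateKeyPassword)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, keyStorePassword);
        }
        PrivateKey key = (PrivateKey) ks.getKey(privateKeyAlias, privateKeyPassword);
        X509Certificate cert = (X509Certificate) ks.getCertificate(privateKeyAlias);
        if (key == null || cert == null) {
            // A trusted-certificate-only alias returns null here; failing early gives a
            // clearer message than the later "decryption key could not be resolved".
            throw new IllegalStateException("no private key entry under alias " + privateKeyAlias);
        }
        spCredential = new BasicX509Credential();
        spCredential.setPrivateKey(key);
        spCredential.setEntityCertificate(cert);
    }

    public Assertion decrypt(EncryptedAssertion encrypted) throws DecryptionException {
        // Second argument is the KEK resolver: the credential that unwraps <xenc:EncryptedKey>.
        // InlineEncryptedKeyResolver locates that EncryptedKey inside the EncryptedData's KeyInfo;
        // use EncryptedElementTypeEncryptedKeyResolver if the IdP places it as a sibling element.
        Decrypter decrypter = new Decrypter(null,
                new StaticKeyInfoCredentialResolver(spCredential),
                new InlineEncryptedKeyResolver());
        decrypter.setRootInNewDocument(true);
        try {
            return decrypter.decrypt(encrypted);
        } catch (DecryptionException e) {
            // This is the exception seen in the thread: the IdP wrapped the session key for a
            // certificate other than the one whose private key was loaded above.
            throw new DecryptionException("SP private key does not match the certificate the IdP "
                    + "encrypted for; loaded cert subject: "
                    + spCredential.getEntityCertificate().getSubjectX500Principal(), e);
        }
    }
}
```

Comparing the loaded certificate's fingerprint with the one registered as the SP's certificate alias on the IdP side (per tenant, since each tenant has its own keystore) is the quickest check before digging into the agent code.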