
Tuesday, March 26, 2019

OKTA how to check userinfo endpoint information from a custom authorization server

The custom authorization server publishes its endpoints in its discovery document; the userinfo_endpoint value in it is the URL to call:

https://<domain>.com/oauth2/<auth serverid>/.well-known/openid-configuration

For a custom authorization server the userinfo endpoint sits under that server's own path, /oauth2/<auth serverid>/v1/userinfo. The path /oauth2/v1/userinfo belongs to the org authorization server, and a token minted by the custom server (its iss claim is https://<domain>.com/oauth2/<auth serverid>) is only accepted by the custom server's own endpoints, so calling the org path with it gets a 401. Send the access token as a bearer token (GET or POST both work):

curl -v \
-H "Authorization: Bearer ${access_token}" \
"https://<domain>.com/oauth2/<auth serverid>/v1/userinfo"
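The same check in Python, as an added example that is not code from the page or from Okta: read the custom server's discovery document, take userinfo_endpoint from it, and before calling it confirm that the access token's iss claim names the same server. The discovery JSON and the token are constructed inline so the block runs offline; <domain> and <auth serverid> stay placeholders as on the page, so fetch_userinfo() only does anything useful once those are real values.

```python
import base64
import json
import urllib.request

# Placeholders as on the page: <domain> is the Okta org, <auth serverid> the
# custom authorization server's id (both assumed, not real values).
ORG = "https://<domain>.com"
AUTH_SERVER_ID = "<auth serverid>"
ISSUER = f"{ORG}/oauth2/{AUTH_SERVER_ID}"

# Constructed sample of the custom server's discovery document (only the
# fields used here); not a live response.
DISCOVERY_JSON = json.dumps({
    "issuer": ISSUER,
    "token_endpoint": f"{ISSUER}/v1/token",
    "userinfo_endpoint": f"{ISSUER}/v1/userinfo",
})


def discovery_url(org, auth_server_id):
    """Where the custom authorization server publishes its endpoints."""
    return f"{org}/oauth2/{auth_server_id}/.well-known/openid-configuration"


def userinfo_endpoint(discovery_json, expected_issuer):
    """Take the userinfo endpoint from the discovery document, refusing a
    document that belongs to a different issuer (wrong server id, or the
    org authorization server instead of the custom one)."""
    doc = json.loads(discovery_json)
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"discovery document is for {doc.get('issuer')!r}, "
                         f"not {expected_issuer!r}")
    endpoint = doc["userinfo_endpoint"]
    if not endpoint.startswith(expected_issuer + "/"):
        raise ValueError(f"userinfo_endpoint {endpoint!r} is outside the issuer")
    return endpoint


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_issuer(access_token):
    """Read the iss claim of a JWT access token WITHOUT verifying the
    signature. Diagnostic only: it tells you which server minted the
    token, never whether the token is genuine."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload)).get("iss")


def check_token_for_endpoint(access_token, discovery_json, expected_issuer):
    """Return the userinfo URL to call, or raise when the token was minted by
    another server: the org server's /oauth2/v1/userinfo and a custom
    server's /oauth2/<id>/v1/userinfo do not accept each other's tokens."""
    endpoint = userinfo_endpoint(discovery_json, expected_issuer)
    iss = token_issuer(access_token)
    if iss != expected_issuer:
        raise ValueError(f"token issued by {iss!r}; {endpoint} will answer 401")
    return endpoint


def fetch_userinfo(access_token, discovery_json, expected_issuer):
    """Live call, the equivalent of the curl on the page (needs network)."""
    endpoint = check_token_for_endpoint(access_token, discovery_json, expected_issuer)
    req = urllib.request.Request(endpoint,
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def unsigned_test_jwt(claims):
    """Constructed token for offline tests: alg none and an empty signature.
    A real userinfo endpoint rejects such a token; never accept one."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run check_token_for_endpoint() on the token you are about to use: if it raises, the token came from the org authorization server (or another custom server) and no userinfo URL will accept it, which is a configuration problem on the client side rather than an Okta outage.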

Monday, March 18, 2019

SAML error 400 Bad Request; The 'redirect_uri' parameter must be an absolute URI

The redirect_uri sent to the IdP is either relative (no scheme and host) or does not match what is in the SP metadata file. The value must be an absolute URI (https://host/path) and must match the registered URI character for character, including scheme, port and trailing slash. Update either your SP metadata or correct your SAML request URL.




Thursday, March 7, 2019

ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation. com.sun.identity.saml2.common.SAML2Exception: Service provider does not support name identifier format urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified.

The browser shows the Tomcat status page:

Type Status Report
Message Unable to do Single Sign On or Federation.
Description The server encountered an unexpected condition that prevented it from fulfilling the request.
Apache Tomcat/8.0.53

The OpenAM error log shows:

ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.
com.sun.identity.saml2.common.SAML2Exception: Service provider does not support name identifier format urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified.

Solution:

Change the NameID format. The format named in the message is the problem: SAML 2.0 keeps "unspecified" (like emailAddress, X509SubjectName and WindowsDomainQualifiedName) under the SAML 1.1 namespace, so the correct identifier is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. There is no urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified, and OpenAM rejects it because it matches none of the NameIDFormat entries in the SP's metadata. Set the NameIDPolicy Format, in the SP's AuthnRequest or in the remote SP configuration on the IdP, to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or to another format the SP metadata lists.



HTTP Status 500 - Internal Server Error SAML ERROR: UtilProxySAMLAuthenticator.authenticate: authn request destination verification failed.

On the IdP side:
ERROR: UtilProxySAMLAuthenticator.authenticate: authn request destination verification failed.

On the SP side, browser error:

HTTP Status 500 - Internal Server Error
Type Status Report
Message Destination is invalid.
Description The server encountered an unexpected condition that prevented it from fulfilling the request.
Apache Tomcat/8.0.53

Solution:

The SP's AuthnRequest needs the Destination, ProtocolBinding and AssertionConsumerServiceURL attributes, and Destination must be exactly the IdP's SingleSignOnService Location for the binding in use (scheme, host, port and path as published in the IdP metadata). The IdP is required to verify Destination against the URL the request actually arrived at (SAML 2.0 Core, section 3.2.1), so a request built with a stale hostname, http instead of https, or no Destination at all fails this check. Check that the SP was configured from the IdP's current metadata, and that no proxy or load balancer in front of OpenAM changes the host or scheme it sees.

Here is an example from OneLogin:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_8f0030a5d00620c9d9df97f627afe9dcc24" Version="2.0" ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
  <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Openam SAML error Creation of NameID is not allowed per AuthnRequest. from urn:oasis:names:tc:SAML:2.0:status:Requester

Error:

Creation of NameID is not allowed per AuthnRequest.
from urn:oasis:names:tc:SAML:2.0:status:Requester

Solution:

The IdP holds no existing NameID (federation) for this user and this SP, and the request's NameIDPolicy forbids creating one, so OpenAM answers with a Requester status: the SP asked for something the IdP cannot satisfy for a first-time user. Change the NameIDPolicy in your SP configuration from

<ns0:NameIDPolicy AllowCreate="false"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />

to

<ns0:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
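The three IdP-side checks behind the errors in the last three posts (NameID format not supported by the SP, Destination verification, Creation of NameID not allowed), as an added Python example that is not code from the page, from OpenAM or from OneLogin. The SP metadata and the IdP SingleSignOnService location are constructed to match the OneLogin AuthnRequest shown above. The checker also refuses an AssertionConsumerServiceURL the SP did not register, which is worth having so that an unsigned request cannot point the assertion at a URL of the sender's choosing.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
# "unspecified" only exists under the SAML 1.1 namespace; the 2.0 URN from
# the error above matches nothing an SP can list.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed SP metadata (assumed, not from the page), matching the OneLogin
# AuthnRequest above: entityID, accepted NameID formats and registered ACS.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp.example.com/demo1/metadata.php">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.com/demo1/index.php?acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Assumed: the IdP's SingleSignOnService Location, i.e. the URL the request
# arrives at, which Destination must equal.
IDP_SSO_LOCATION = "http://idp.example.com/SSOService.php"

# The OneLogin AuthnRequest from the page, minus RequestedAuthnContext.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_8f0030a5d00620c9d9df97f627afe9dcc24" Version="2.0" ProviderName="SP test"
    IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
  <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
</samlp:AuthnRequest>"""


def sp_profile(metadata_xml):
    """What the IdP knows about an SP from its metadata."""
    root = ET.fromstring(metadata_xml)
    sso = root.find("md:SPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "nameid_formats": {e.text.strip() for e in sso.findall("md:NameIDFormat", NS)},
        "acs": {(a.get("Binding"), a.get("Location"))
                for a in sso.findall("md:AssertionConsumerService", NS)},
    }


def check_authn_request(request_xml, sp, idp_sso_location, existing_nameid=True):
    """IdP-side checks on an AuthnRequest. Returns the list of problems found
    (empty means the request is acceptable). existing_nameid says whether the
    IdP already holds a NameID for this user and SP, which decides the
    AllowCreate case."""
    req = ET.fromstring(request_xml)
    problems = []

    if req.findtext("saml:Issuer", namespaces=NS) != sp["entity_id"]:
        problems.append("Issuer is not the entityID of a registered SP")

    # SAML 2.0 Core 3.2.1: the recipient MUST verify Destination against the
    # URL the message was delivered to; a mismatch (other host, http vs https,
    # missing attribute) is the "destination verification failed" error.
    destination = req.get("Destination")
    if destination != idp_sso_location:
        problems.append(f"authn request destination verification failed: {destination!r}")

    # Deliver the assertion only to an ACS the SP registered, with the
    # requested binding; otherwise a forged request could point
    # AssertionConsumerServiceURL at a server the attacker controls.
    acs = (req.get("ProtocolBinding"), req.get("AssertionConsumerServiceURL"))
    if acs[1] is not None and acs not in sp["acs"]:
        problems.append(f"AssertionConsumerServiceURL not in SP metadata: {acs[1]}")

    policy = req.find("samlp:NameIDPolicy", NS)
    if policy is not None:
        fmt = policy.get("Format")
        # Only a format the SP metadata lists is acceptable (an SP that lists
        # none accepts anything); an omitted Format means unspecified.
        if fmt and sp["nameid_formats"] and fmt not in sp["nameid_formats"]:
            problems.append(f"Service provider does not support name identifier format {fmt}")
        allow_create = policy.get("AllowCreate", "false").lower() == "true"
        # For persistent (and, as OpenAM treats it, unspecified) identifiers a
        # first-time user needs a new NameID, which AllowCreate="false" forbids.
        needs_nameid = (fmt or UNSPECIFIED) in (UNSPECIFIED, PERSISTENT)
        if needs_nameid and not existing_nameid and not allow_create:
            problems.append("Creation of NameID is not allowed per AuthnRequest")
    return problems
```

Feed it a request captured from the browser (the SAMLRequest parameter, base64-decoded and inflated) together with the SP metadata the IdP has on file, and the list it returns names the same conditions as the three OpenAM errors above, before touching the IdP.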

mod auth mellon issue with Debian 7

The basic problem is that the liblasso3 package in Debian 7 has a bug that prevents it from working properly with the mod_auth_mellon module.

You can possibly downgrade the libraries in question, or upgrade the OS on the box from Debian 7 to Debian 8. After that upgrade mod_auth_mellon works.

Apache mod auth mellon script to generate SAML SP metadata



#!/usr/bin/env bash
#############################################################################
# This script has been modified to meet the integration requirements.
# It follows mellon_create_metadata.sh from mod_auth_mellon, but takes an
# existing certificate instead of generating a key pair, and writes only
# the SP metadata file.
#############################################################################
set -e
PROG="$(basename "$0")"

printUsage() {
  echo "Usage: $PROG ENTITY-ID ENDPOINT-URL CERT-PATH"
  echo ""
  echo "Example:"
  echo "  $PROG urn:someservice https://sp.example.org/mellon /opt/cert.crt"
  echo ""
}

# All three arguments are required (the original script needed only two).
if [ "$#" -lt 3 ]; then
  printUsage
  exit 1
fi

ENTITYID="$1"
if [ -z "$ENTITYID" ]; then
  echo "$PROG: An entity ID is required." >&2
  exit 1
fi

BASEURL="$2"
if [ -z "$BASEURL" ]; then
  echo "$PROG: The URL to the MellonEndpointPath is required." >&2
  exit 1
fi
if ! echo "$BASEURL" | grep -q '^https\?://'; then
  echo "$PROG: The URL must start with \"http://\" or \"https://\"." >&2
  exit 1
fi
HOST="$(echo "$BASEURL" | sed 's#^[a-z]*://\([^/]*\).*#\1#')"
BASEURL="$(echo "$BASEURL" | sed 's#/$##')"

CERTFILE="$3"
if [ -z "$CERTFILE" ] || [ ! -r "$CERTFILE" ]; then
  echo "$PROG: A readable certificate file (PEM) is required." >&2
  exit 1
fi

# Output file name derived from the entity ID; anything outside [A-Za-z.] becomes "_".
OUTFILE="$(echo "$ENTITYID" | sed 's/[^A-Za-z.]/_/g' | sed 's/__*/_/g')"

echo "Input certificate: $CERTFILE"
echo "Output file:"
echo "  Metadata: $OUTFILE.xml"
echo "Host: $HOST"
echo
echo "Endpoints:"
echo "  SingleLogoutService (SOAP): $BASEURL/logout"
echo "  SingleLogoutService (HTTP-Redirect): $BASEURL/logout"
echo "  AssertionConsumerService (HTTP-POST): $BASEURL/postResponse"
echo "  AssertionConsumerService (HTTP-Artifact): $BASEURL/artifactResponse"
echo "  AssertionConsumerService (PAOS): $BASEURL/paosResponse"
echo

# Files created from here on are not readable by the rest of the world
# until explicitly opened up below.
umask 0077

# Strip the PEM armour; the metadata carries the bare base64 certificate.
# The same certificate is advertised for signing and for encryption, so the
# IdP can verify signed AuthnRequests and encrypt assertions to this SP.
CERT="$(grep -v '^-----' "$CERTFILE")"

cat >"$OUTFILE.xml" <<EOF
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor
  entityID="$ENTITYID"
  xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor
    AuthnRequestsSigned="true"
    WantAssertionsSigned="true"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>$CERT</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>$CERT</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      Location="$BASEURL/logout" />
    <SingleLogoutService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="$BASEURL/logout" />
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService
      index="0"
      isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="$BASEURL/postResponse" />
    <AssertionConsumerService
      index="1"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
      Location="$BASEURL/artifactResponse" />
    <AssertionConsumerService
      index="2"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
      Location="$BASEURL/paosResponse" />
  </SPSSODescriptor>
</EntityDescriptor>
EOF

# SP metadata is public (it holds only the certificate, never the key), and
# the IdP administrator needs to read it.
chmod go+r "$OUTFILE.xml"

OpenAM error com.onelogin.saml2.exception.Error: SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding

When OneLogin initiates the Single Log Out (in my page sls.jsp), I get this error message:

com.onelogin.saml2.exception.Error: SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding

Solution:

auth.processSLO() processes the logout request, but this request must be generated first with auth.logout(). The OneLogin java-saml toolkit raises this error when the request that reached the SLS page carries neither a SAMLRequest nor a SAMLResponse query parameter: processSLO() only reads the HTTP-Redirect binding, so a LogoutRequest or LogoutResponse delivered by HTTP-POST, or a plain GET of sls.jsp with no SAML message, produces it. Make sure the IdP's SingleLogoutService for this SP uses HTTP-Redirect and points at the sls URL, and start SP-initiated logout with auth.logout() so that the IdP's LogoutResponse comes back to sls.jsp.

OpenAM how to export single metadata from AM

Either use the ssoadm.jsp page with the export-entity command:

https://sso-myserver.com:7443/openam/ssoadm.jsp?cmd=export-entity

and fill in the form with the EntityID and realm, or fetch the standard metadata directly, passing the entity ID and realm as query parameters:

http://server1.com:8080/openam/saml2/jsp/exportmetadata.jsp?entityid=http://server1.com:8080/openam&realm=/myrealm

ssoadm.jsp is an administrative page that needs an administrator session and is disabled by default in recent OpenAM versions; exportmetadata.jsp returns only the standard (public) metadata, so it is the one to hand to a federation partner.