Forum Replies Created

Viewing 5 posts - 1 through 5 (of 5 total)
  • #14785
     ytheva
    Participant

    Thanks Peter,

    works :)

    #14740
     ytheva
    Participant

    Thanks Peter,

    I will look at this topic in much more detail…
    Thanks for the response.

    #14739
     ytheva
    Participant

    Same for me…

    I changed the OpenAM Login/Logout URL within the realm / agents / OpenAM services to:

    http://example.com/openam/UI/Login?realm=/myrealm

    and also checked the agent.config on the Agent, but nothing happens. Still a redirect to the top level, like faraon79 and Thomas mentioned.

    Any ideas?

    OpenAM 13.5
    Apache WPA 4.0.1

    #14504
     ytheva
    Participant

    Thanks Peter for your response. I need the federated user in my database :)

    So what about when I create the user in the database during the first authentication? Logging in afterwards, does the user get authenticated directly?

    Any idea how I can configure this in the tool?

    Many thanks and a great weekend!

    #14476
     ytheva
    Participant

    Hi,

    I am currently facing some issues with my SAML configuration and I would appreciate any kind of support or hints.

    Here is the starting point:

    I configured OpenAM (13.5.0) as an SP and an ADFS3 as IdP.

    My aim is that the user authenticates with SAML and gets stored in my database (OpenDJ) after successful authentication.

    Currently my situation is that the SP initiates the authentication request, a response comes back from the IdP, and I am facing an “HTTP Status 500 – Single Sign On failed”.

    The following configurations are done:

    Authentication Settings > User Profile: Dynamic > Alias Attribute Search name: UID

    The following were created:

    Module 1 – LDAP with an OpenDJ

    Module 2 – SAML

    Chain 1 contains a SAML module, its “Linking authentication chain” is Chain 2, and Chain 2 contains the LDAP module.

    The following “NameID Format” was agreed with the ADFS team: “urn:oasis:names:tc:SAML:2.0:nameid-format:persistent”

    In the Federation tab I configured the Entities as well as a CoT.

    The following setting was also done: Global > Configure > Authentication > Realm Authentication Defaults > “Core Attributes” > User Profile: Dynamic > Alias Attribute Search name: UID

    Test 1: I invoked the authentication chain from a client PC and got an HTTP Status 500 – Single Sign On failed.

    I placed an extract from the log at the end…

    Test 2: If I create the AD account manually – SSO succeeds.

    Test 3: If I set the user profile to “ignored” – SSO succeeds.

    Anyway, “Test 1” is the desired behaviour, where the users are created dynamically in the database the first time.

    The <AuthResponse> from the AD contains the following information: a NameID as well as the following AttributeStatements: “pnr”, “givenname”, “name”, “emailaddress”

    I mapped these in the LDAP module as follows: uid|NameID sn|name mail|mailadress givenName|givenname employeeNumber|pnr

    Where else do I have to map the attributes, and how? Did I miss any settings?

    I appreciate any kind of support and/or hints.

    Best regards,
    Yathu

    Federation Log extract:

    libSAML2:11/24/2016 06:33:02:747 PM MEZ: Thread[http-nio-80-exec-6,5,main]: TransactionId[789fc740-325b-4bc2-805c-0027e0dad637-13211]
    ERROR: spAssertionConsumer.jsp: SSO failed.
    com.sun.identity.saml2.common.SAML2Exception: Login failed with unknown reason.
    at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1279)
    at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:337)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:443)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Unknown Source)
    Caused by: com.sun.identity.plugin.session.SessionException: Login failed with unknown reason.
    at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:284)
    at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1258)
    … 38 more

    libSAML:11/24/2016 06:33:02:747 PM MEZ: Thread[http-nio-80-exec-6,5,main]: TransactionId[789fc740-325b-4bc2-805c-0027e0dad637-13211]
    SAMLUtils.sendError: error page/saml2/jsp/saml2error.jsp

    Best regards,
    Yathursan Theva
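As an added illustration (not code from the post or from OpenAM), a small Python check that applies the ldapAttr|samlAttr map quoted in the post to a constructed assertion carrying the four attributes the post lists, and reports every mapped SAML name the assertion does not contain and every assertion attribute the map never consumes; a dynamic-profile creation that silently drops such attributes is exactly the kind of gap worth catching before the first real login. The short attribute names, the NameID value and the `|` map syntax are assumptions taken from the post's own notation, not OpenAM's configuration format.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion using the short attribute names the post lists
# (real ADFS claims usually carry full URI names; adjust this to match yours).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">p-4f2c9a</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="pnr"><saml:AttributeValue>4711</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenname"><saml:AttributeValue>Yathu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="name"><saml:AttributeValue>Theva</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="emailaddress"><saml:AttributeValue>yathu@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The mapping exactly as written in the post: ldapAttr|samlAttr pairs.
POSTED_MAPPING = "uid|NameID sn|name mail|mailadress givenName|givenname employeeNumber|pnr"

def parse_mapping(spec):
    """Turn 'ldapAttr|samlAttr ...' into {ldapAttr: samlAttr}."""
    return dict(token.split("|", 1) for token in spec.split())

def extract_assertion(xml_text):
    """Return (NameID value, {attrName: [values]}) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    nameid = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return nameid, attrs

def build_profile(mapping, nameid, attrs):
    """Apply the map. Returns (ldap_entry, missing, unused): missing are mapped SAML
    names absent from the assertion, unused are assertion attributes nothing consumes."""
    entry, missing = {}, []
    for ldap_attr, saml_attr in mapping.items():
        if saml_attr == "NameID":          # the post maps uid to the subject NameID
            entry[ldap_attr] = nameid
        elif saml_attr in attrs:
            entry[ldap_attr] = attrs[saml_attr][0]
        else:
            missing.append((ldap_attr, saml_attr))
    unused = sorted(set(attrs) - set(mapping.values()))
    return entry, missing, unused

def check_posted_config():
    nameid, attrs = extract_assertion(SAMPLE_ASSERTION)
    return build_profile(parse_mapping(POSTED_MAPPING), nameid, attrs)
```

Run against the constructed assertion, the check reports `mail|mailadress` as a mapped name the assertion lacks and `emailaddress` as an attribute no map entry uses, so the created entry would have no mail value.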
