Tagged: #OpenAM, federation, Salesforce, saml2
This topic has 5 replies, 2 voices, and was last updated 4 years, 5 months ago by Scott Heger.
February 28, 2018 at 6:56 pm #21071
rasarkar
Participant

I am trying to configure IdP-initiated SSO with Salesforce. I have created a separate Salesforce domain and exchanged the metadata. My OpenAM URL is https://openam.example.com:8443/openam and the Salesforce URL is https://forgerockpreview-dev-ed.my.salesforce.com. I am trying to accomplish IdP-initiated SSO using the following URL: https://openam.example.com:8443/openam/saml2/jsp/idpSSOInit.jsp?spEntityID=https%3A%2F%2Fforgerockpreview-dev-ed.my.salesforce.com&binding=HTTP-POST&metaAlias=/idp

The circle of trust and the corresponding entities are in the top-level realm. When I hit the URL I see an HTTP 400 error on the screen that says "Error processing AuthnRequest. The receiving entity ID is not valid or not trusted." The corresponding exception in the log is:
libSAML2:02/28/2018 10:50:47:832 PM IST: Thread[https-jsse-nio-8443-exec-1,5,main]: TransactionId[87fb73b4-0234-4bd8-85d1-3254dd35f280-1122]
ERROR: Error processing request
com.sun.identity.saml2.common.SAML2Exception: The receiving entity ID is not valid or not trusted.
at com.sun.identity.saml2.profile.IDPSSOUtil.doSSOFederate(IDPSSOUtil.java:303)
at com.sun.identity.saml2.profile.IDPSSOUtil.doSSOFederate(IDPSSOUtil.java:199)
at org.apache.jsp.saml2.jsp.idpSSOInit_jsp._jspService(idpSSOInit_jsp.java:192)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:443)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
libSAML:02/28/2018 10:50:47:835 PM IST: Thread[https-jsse-nio-8443-exec-1,5,main]: TransactionId[87fb73b4-0234-4bd8-85d1-3254dd35f280-1122]
SAMLUtils.sendError: error page/saml2/jsp/saml2error.jsp

Can somebody help me and point out where exactly I am going wrong?
March 1, 2018 at 2:27 am #21073
Scott Heger
Participant

Did you name your remote SP entity for Salesforce "https://forgerockpreview-dev-ed.my.salesforce.com"? Also, have you verified that it is actually in the CoT?
March 1, 2018 at 2:44 am #21074
rasarkar
Participant

Yes, I did.
March 1, 2018 at 4:45 am #21075
Scott Heger
Participant

Is it "exactly" that? Meaning you don't have a trailing "/" or a port number in the entity name? For example:
https://forgerockpreview-dev-ed.my.salesforce.com/
or
https://forgerockpreview-dev-ed.my.salesforce.com:443
or
March 1, 2018 at 7:07 am #21076
rasarkar
Participant

Hey Scott,

Thanks for your response. I found what the issue was. The remote SP was not part of the CoT, which it should have been when I imported the metadata. When I tried to add it, I got an error. I had to remove all and add it back to remove the error. Thanks for your help.

Regards,
Ranajoy

March 1, 2018 at 8:25 am #21077
Scott Heger
Participant

Great that you got it figured out. Did you include extended metadata with your import? That is where the CoT definition would be included.
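The two conditions this thread turns on, an spEntityID that matches the remote SP's entityID byte for byte (no trailing "/", no ":443") and a remote SP whose extended metadata lists the IdP's circle of trust, can be checked offline before hitting idpSSOInit.jsp. The script below is an added example, not code from the thread or from OpenAM; the CoT name "salesforce-cot", the ACS location and the two metadata documents are constructed for illustration, while the entity IDs and the OpenAM base URL are the ones posted above.

```python
"""Added example (not from the thread or from OpenAM): offline checks that the
spEntityID in an idpSSOInit.jsp URL matches the remote SP's entityID exactly and
that the remote SP's OpenAM extended metadata (EntityConfig) names the IdP's
circle of trust. Metadata, CoT name and ACS location below are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"   # SAML 2.0 standard metadata
CFG_NS = "urn:sun:fm:SAML:2.0:entityconfig"       # OpenAM extended metadata

OPENAM_BASE = "https://openam.example.com:8443/openam"
SP_ENTITY_ID = "https://forgerockpreview-dev-ed.my.salesforce.com"
IDP_COT = "salesforce-cot"   # assumed CoT name; the thread never names it

# Constructed sample: minimal SP standard metadata; the ACS Location is made up.
SP_STANDARD = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="{SP_ENTITY_ID}">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{SP_ENTITY_ID}/saml/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample: remote-SP extended metadata whose cotlist names the CoT ...
SP_EXTENDED_OK = f"""<EntityConfig xmlns="{CFG_NS}" hosted="0" entityID="{SP_ENTITY_ID}">
  <SPSSOConfig>
    <Attribute name="cotlist"><Value>{IDP_COT}</Value></Attribute>
  </SPSSOConfig>
</EntityConfig>"""

# ... and the same document with an empty cotlist, the state the poster was in.
SP_EXTENDED_NO_COT = SP_EXTENDED_OK.replace(f"<Value>{IDP_COT}</Value>", "")


def build_idp_init_url(openam_base, sp_entity_id, meta_alias="/idp", binding="HTTP-POST"):
    """IdP-initiated SSO URL; urlencode percent-encodes ':' and '/' in the entity ID."""
    query = urlencode({"spEntityID": sp_entity_id, "binding": binding, "metaAlias": meta_alias})
    return f"{openam_base}/saml2/jsp/idpSSOInit.jsp?{query}"


def sp_entity_id_from_url(url):
    """Decode the spEntityID parameter the way the IdP will see it."""
    return parse_qs(urlparse(url).query)["spEntityID"][0]


def metadata_entity_id(standard_xml):
    return ET.fromstring(standard_xml).attrib["entityID"]


def cot_membership(extended_xml):
    """Return (entityID, [cot names]) from an OpenAM EntityConfig document."""
    root = ET.fromstring(extended_xml)
    cots = []
    for attr in root.iter(f"{{{CFG_NS}}}Attribute"):
        if attr.get("name") == "cotlist":
            cots += [v.text.strip() for v in attr.findall(f"{{{CFG_NS}}}Value") if v.text]
    return root.attrib["entityID"], cots


def mismatch_hint(a, b):
    """Explain the usual ways two entity IDs differ yet fail an exact string match."""
    def canon(u):
        u = u.rstrip("/")
        return u[:-4] if u.startswith("https://") and u.endswith(":443") else u
    if canon(a) == canon(b):
        return "differs only by trailing '/' or :443; entity IDs are compared as opaque strings"
    if a.lower() == b.lower():
        return "differs only by letter case"
    return "different entity IDs"


def check_trust(sso_url, sp_standard_xml, sp_extended_xml, idp_cot):
    """Return the reasons the IdP would reject this request; an empty list means OK."""
    problems = []
    requested = sp_entity_id_from_url(sso_url)
    declared = metadata_entity_id(sp_standard_xml)
    if requested != declared:
        problems.append(f"spEntityID {requested!r} != metadata entityID {declared!r}: "
                        f"{mismatch_hint(requested, declared)}")
    configured, cots = cot_membership(sp_extended_xml)
    if configured != declared:
        problems.append(f"extended metadata entityID {configured!r} != standard metadata {declared!r}")
    if idp_cot not in cots:
        problems.append(f"remote SP is not in circle of trust {idp_cot!r} (cotlist={cots})")
    return problems


if __name__ == "__main__":
    url = build_idp_init_url(OPENAM_BASE, SP_ENTITY_ID)
    print(url)
    print("ok:", check_trust(url, SP_STANDARD, SP_EXTENDED_OK, IDP_COT))
    print("no CoT:", check_trust(url, SP_STANDARD, SP_EXTENDED_NO_COT, IDP_COT))
    slash = build_idp_init_url(OPENAM_BASE, SP_ENTITY_ID + "/")
    print("trailing slash:", check_trust(slash, SP_STANDARD, SP_EXTENDED_OK, IDP_COT))
```

To use it against a real deployment, export the remote SP's standard and extended metadata with ssoadm (export-entity) and feed those files in place of the constructed strings; an empty cotlist in the exported EntityConfig is exactly the condition that was fixed above by removing the entity and re-importing it together with its extended metadata.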