ForgeRock as Service Provider in federation


This topic has 1 reply, 2 voices, and was last updated 1 month ago by Jatinder Singh.

  • #28327
     praveenpasi
    Participant

    Hi,
    I am trying to establish the federation configuration between ForgeRock (version 6.5) and Oracle IDCS, with ForgeRock as Service Provider (SP) and IDCS as Identity Provider (IdP).

    When trying to test the federation the following errors are observed in the logs.

    ForgeRock Debug logs
    ===================
    amAuthSAML2:10/21/2020 06:30:13:619 AM PDT: Thread[http-nio-8001-exec-8,5,main]: TransactionId[bccc06ad-ddfc-4de7-8e2d-592ae0119502-15350]
    ERROR: SAML2Proxy: An error occurred while verifying the SAML response
    com.sun.identity.saml2.common.InvalidStatusCodeSaml2Exception: Invalid Status code in Response.
    at com.sun.identity.saml2.common.SAML2Utils.verifyResponse(SAML2Utils.java:425)
    at org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.getUrl(SAML2Proxy.java:192)
    at org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.processSamlResponse(SAML2Proxy.java:127)
    at org.apache.jsp.saml2.jsp.saml2AuthAssertionConsumer_jsp._jspService(saml2AuthAssertionConsumer_jsp.java:120)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:71)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:477)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

    IDCS logs
    =========
    NameID policy urn:oasis:names:tc:SAML:2.0:nameid-format:persistent is not supported for partner

    SAML Request
    ============
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s2122e8bde9d8b4e89df386f660d3c2679d98fab02"
    Version="2.0"
    IssueInstant="2020-10-21T13:33:37Z"
    Destination="https://idcs-host/fed/v1/idp/sso"
    ForceAuthn="false"
    IsPassive="false"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://abc:8001/openam/AuthConsumer/metaAlias/sp"
    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://abc:8001/openam</saml:Issuer>
    <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    SPNameQualifier="http://abc:8001/openam"
    AllowCreate="true"
    />
    <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Comparison="exact"
    >
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>

    SAML Response
    =============
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    Destination="http://abc:8001/openam/AuthConsumer/metaAlias/sp"
    ID="id-8-15yepoznUqug2A-cOqhl1SVPQ-"
    InResponseTo="s2122e8bde9d8b4e89df386f660d3c2679d98fab02"
    IssueInstant="2020-10-21T13:33:37Z"
    Version="2.0"
    >
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idcs-host/fed</saml:Issuer>
    <dsig:Signature>
    <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
    <dsig:Reference URI="#id-8-15yepoznUqug2A-cOqhl1SVPQ-">
    <dsig:Transforms>
    <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
    <dsig:DigestValue>I8SSILe1C2hqvRj6y3WKbafzrlQqZL0+s71tSMAH0vA=</dsig:DigestValue>
    </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>qCmvb74WoXdmc7Iu0nh9/t6Hkhi6v3gJFuiy81WTSI3psUotMf9F4jtgCLOGVAnk
    tHEEEXTOZYKNXh9hKHV6hHKrhwFnCfONiEZjuZtXtYNK/OiPPXcjw1lbeUjYfTj4
    5quJCIE/fs3r8UEq3SQGThYFjupn/UTgLgWhwmBC8rWp2kbBPt/HxSHIkOSKDg+4
    z+p8tgSlgl7nngkL8w9NSIRv8m7xQyRjeNkVoIzIELiPZ8epY+bdZBDeBEfj1JUl
    /S7SQSC/RfkNE+Xt6bIx2sR5ZhgtzvVp5OlprCVUe+ez1uC3P8tTP1L/js46QWDK
    Rg4Qlmxxm+XoO7DeO00+wA==</dsig:SignatureValue>
    </dsig:Signature>
    <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
    </samlp:StatusCode>
    </samlp:Status>
    </samlp:Response>

    From the logs I could make out that there is an issue with the NameIDPolicy configuration. Can anyone please help on how to configure the same in ForgeRock to rectify this error?

    Thanks,
    Praveen
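The two messages in the post carry the whole diagnosis: the AuthnRequest asks for the `persistent` NameID format, and the IdP answers with a top-level `Requester` status wrapping the `InvalidNameIDPolicy` second-level code, which is exactly what `SAML2Utils.verifyResponse` rejects before it gets anywhere near the assertion. The following script is an added example (not ForgeRock or IDCS code) that pulls those fields out of a request/response pair so the mismatch is visible without reading raw XML; the function names `requested_nameid_format`, `response_status` and `triage` are mine, and the embedded sample messages are constructed, trimmed copies of the exchange above with the XML signature left out.

```python
"""Triage a SAML 2.0 AuthnRequest/Response pair for a NameID policy mismatch.

Added example, not ForgeRock or Oracle IDCS code. Standard library only.
For messages from an untrusted party, parse with defusedxml instead of
xml.etree to avoid entity-expansion attacks; the logic below is unchanged.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Constructed samples: trimmed copies of the exchange in the post above,
# with the XML signature omitted for brevity.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s2122e8bde9d8b4e89df386f660d3c2679d98fab02" Version="2.0"
    IssueInstant="2020-10-21T13:33:37Z" Destination="https://idcs-host/fed/v1/idp/sso"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://abc:8001/openam/AuthConsumer/metaAlias/sp">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://abc:8001/openam</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    SPNameQualifier="http://abc:8001/openam" AllowCreate="true"/>
</samlp:AuthnRequest>"""

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="http://abc:8001/openam/AuthConsumer/metaAlias/sp"
    ID="id-8-15yepoznUqug2A-cOqhl1SVPQ-"
    InResponseTo="s2122e8bde9d8b4e89df386f660d3c2679d98fab02"
    IssueInstant="2020-10-21T13:33:37Z" Version="2.0">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idcs-host/fed</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


def _q(uri, local):
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (uri, local)


def requested_nameid_format(authn_request_xml):
    """Return the Format the SP asked for in NameIDPolicy, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(_q(SAMLP, "NameIDPolicy"))
    return policy.get("Format") if policy is not None else None


def response_status(response_xml):
    """Extract issuer, InResponseTo and the top-level/nested StatusCode values."""
    root = ET.fromstring(response_xml)
    status = root.find(_q(SAMLP, "Status"))
    if status is None:
        raise ValueError("Response has no samlp:Status element")
    top = status.find(_q(SAMLP, "StatusCode"))
    nested = top.find(_q(SAMLP, "StatusCode")) if top is not None else None
    return {
        "issuer": root.findtext(_q(SAML, "Issuer")),
        "in_response_to": root.get("InResponseTo"),
        "status": top.get("Value") if top is not None else None,
        "substatus": nested.get("Value") if nested is not None else None,
    }


def triage(authn_request_xml, response_xml):
    """Correlate a request with its response and name the failure, if any."""
    request_id = ET.fromstring(authn_request_xml).get("ID")
    info = response_status(response_xml)
    info["requested_format"] = requested_nameid_format(authn_request_xml)
    # A response that does not reference our request ID must not be treated
    # as the answer to it, whatever its status says.
    info["in_response_to_matches"] = request_id == info["in_response_to"]
    info["success"] = info["status"] == STATUS_SUCCESS
    if info["substatus"] == STATUS_INVALID_NAMEID_POLICY:
        info["diagnosis"] = (
            "IdP rejected the requested NameID format %s: enable it on the IdP "
            "side or make the SP request a format the IdP supports"
            % info["requested_format"]
        )
    elif info["success"]:
        info["diagnosis"] = "success"
    else:
        info["diagnosis"] = "non-success status %s (substatus %s)" % (
            info["status"], info["substatus"])
    return info


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUTHN_REQUEST, SAMPLE_RESPONSE).items():
        print("%-22s %s" % (key, value))
```

Run against the sample pair, `triage` reports the `Requester`/`InvalidNameIDPolicy` status with `persistent` as the offending format, and confirms that `InResponseTo` matches the request ID, so the failure is a policy disagreement between the two parties rather than a mismatched or replayed response. The same two functions work on the real messages copied from the ForgeRock debug log once the curly quotes from the forum rendering are replaced with plain ones.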

    #28328
     Jatinder Singh
    Participant

    In your flow (SP initiated), the SP (ForgeRock) has requested the "persistent" identifier to be used to identify an authenticated user in its communication with the IdP (IDCS). Looking at the message, the IdP doesn't seem to like the identifier being requested by the SP. Can you check your NameID Format settings in IDCS and see if the persistent identifier is present in the NameID Format list?
