Not Authorized response on OIDC -> SAML Transformation

Tagged: , , , , ,

This topic contains 1 voice and has 0 replies.

  • Author
    Posts
  • #22462
     danbrodsky 
    Participant

    I followed the OIDC -> SAML token conversion guide on the KB here:
    https://backstage.forgerock.com/knowledge/kb/article/a33982583?book=b20113070

    Aside from not these 2 issues:
    – not being able to get an OIDC token when setting “client_secret_post” under the OIDC client configuration and using “client_secret_basic” instead
    – not being able to get an OIDC token when setting client ID to my url and setting it to “test” instead

    I followed the instructions exactly. Then, when I make a request to get the OIDC and access tokens, it succeeds like so:

    curl -k --request POST --user "testClient:testclient" --data "grant_type=password&username=test&password=test&scope=openid profile" https://my.openam-domain.com:8443/testoauth/oauth2/realms/auth/oauth2/access_token

    {"access_token":"27a5031e-ee76-49b7-ba4c-277ad5dcade3","scope":"openid profile","id_token":"eyJ0eXAiOiJKV1QiLCJr...ozT8cG_83tfeA","token_type":"Bearer","expires_in":3599}

    However, when I then take the OIDC token I receive and run the transformation request, I get the following:

    curl -k -X POST -H "Content-Type: application/json" -d '{ 
         "input_token_state": { "token_type": "OPENIDCONNECT", "oidc_id_token": "eyJ0eXAiOiJKV1QiLCJr...ozT8cG_83tfeA" }, 
         "output_token_state": { "token_type": "SAML2", "subject_confirmation": "BEARER", "service_provider_assertion_consumer_service_url": "https://my.openam-domain.com:8443/test-oauth/Consumer/metaAlias/sp" } 
    }' 'https://my.openam-domain.com:8443/test-oauth/rest-sts/auth/oidc2saml?_action=translate'

    {"code":500,"reason":"Internal Server Error","message":"Exception caught posting OIDC token to rest authN: org.forgerock.openam.sts.TokenValidationException: Non-200 response from posting OIDC token to rest authN: {\"code\":401,\"reason\":\"Unauthorized\",\"message\":\"Authentication Failed\"}\n"}

    Anyone know what could be causing this issue? I’m assuming it’s because my token wasn’t signed correctly, but I followed the KB instructions almost exactly and there weren’t any steps to configure this.

Viewing 1 post (of 1 total)

You must be logged in to reply to this topic.

©2018 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?