This topic has 1 reply, 1 voice, and was last updated 4 months, 1 week ago by ricardosaracino.
August 2, 2019 at 8:18 pm #26160
ricardosaracino
Participant

I am trying to set the _signing and encryption_ option on my SP metadata to have
`AuthnRequestsSigned="true"`
but my AM server keeps throwing the below error in the /debug/Federation log. The _Authentication Requests Signed_ option is the only one giving me issues.
I'm running

> ForgeRock Access Management 6.5.2
> Tomcat 8.0.35
> openjdk version "1.8.0_212"

**AM Settings**

[screenshot of the AM settings not available]
**Error Message**
```
libSAML2:08/02/2019 03:16:50:299 PM UTC: Thread[http-nio-80-exec-8,5,main]: TransactionId[f1638b0a-6687-4953-ae04-8ce8c9299079-62363]
ERROR: UtilProxySAMLAuthenticator.authenticate: authn request destination verification failed for
IdpEntity: http://x.canadacentral.cloudapp.azure.com:80/opensso
MetaAlias: /idp Destination: http://x.canadacentral.cloudapp.azure.com/opensso/SSORedirect/metaAlias/idp
Location: http://x.canadacentral.cloudapp.azure.com:80/opensso/SSORedirect/metaAlias/idp
```
**SP Meta-data**
```xml
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2019-08-02T12:04:36Z"
    cacheDuration="PT604800S" entityID="nestjs-sp-signed-0090">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>…
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>…
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </md:KeyDescriptor>
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    </md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:3000/auth/logout/callback"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:3000/auth/login/callback" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="http://localhost:3000/auth/login/callback" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://localhost:3000/auth/login/callback" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="http://localhost:3000/auth/login/callback" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
        Location="http://localhost:3000/auth/login/callback" index="4"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```
**Passport Settings**
```js
import * as fs from 'fs';

export const samlPassportConf = {
  issuer: 'nestjs-sp-signed-0070', // match metadata entityID
  identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
  callbackUrl: 'http://localhost:3000/auth/login/callback',
  entryPoint: 'http://idp5.canadacentral.cloudapp.azure.com/opensso/SSORedirect/metaAlias/idp',
  logoutUrl: 'http://idp5.canadacentral.cloudapp.azure.com/opensso/IDPSloRedirect/metaAlias/idp',
  privateCert: fs.readFileSync('cert/privatekey.pem', 'utf-8'),
  decryptionPvk: fs.readFileSync('cert/privatekey.pem', 'utf-8'),
};
```
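The log in the post shows that the `Destination` the SP wrote into its AuthnRequest and the `Location` the IdP expects differ only by the explicit `:80`. The following is an added example, not code from the post or from ForgeRock AM: a small JavaScript check that compares the two URLs both as literal strings and after URL normalisation, so a reader can see which comparison a given endpoint check is making; the function names and the notion of a normalised form are my own assumptions, and the two URLs are copied from the log above.

```javascript
// Added example (not from the post or from ForgeRock AM). SAML binds a signed
// AuthnRequest to its intended endpoint through the Destination attribute, and
// the recipient verifies it against the endpoint it is actually serving.
// The two constructed values below are the URLs reported in the post's log.
const DESTINATION = 'http://x.canadacentral.cloudapp.azure.com/opensso/SSORedirect/metaAlias/idp';
const LOCATION = 'http://x.canadacentral.cloudapp.azure.com:80/opensso/SSORedirect/metaAlias/idp';

// Strict form: the literal attribute value must equal the configured endpoint.
// This is the least forgiving check; any difference in spelling fails it.
function destinationMatchesStrict(destination, location) {
  return destination === location;
}

// Normalised form (assumption: RFC 3986 style): lower-case scheme and host,
// drop a port that is the scheme's default, keep path and query byte-for-byte.
function normalizeEndpoint(raw) {
  const u = new URL(raw);
  const defaultPort = { 'http:': '80', 'https:': '443' }[u.protocol];
  const port = u.port && u.port !== defaultPort ? `:${u.port}` : '';
  return `${u.protocol}//${u.hostname.toLowerCase()}${port}${u.pathname}${u.search}`;
}

function destinationMatchesNormalized(destination, location) {
  return normalizeEndpoint(destination) === normalizeEndpoint(location);
}

// Runs both comparisons and labels the outcome, so a failed check in a log can
// be read as "same endpoint spelled differently" versus "a different endpoint".
function checkDestination(destination, location) {
  const strict = destinationMatchesStrict(destination, location);
  const normalized = destinationMatchesNormalized(destination, location);
  let verdict;
  if (strict) verdict = 'match';
  else if (normalized) verdict = 'same endpoint, different spelling';
  else verdict = 'different endpoint';
  return { strict, normalized, verdict };
}

console.log(checkDestination(DESTINATION, LOCATION));
```

When the verdict is "same endpoint, different spelling", the practical fix is to make the SP's `entryPoint` and the IdP's configured endpoint `Location` identical character for character rather than relying on the receiving side to normalise.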
August 2, 2019 at 8:35 pm #26161