OpenAM SSO SAML AuthnRequestsSigned error


  • #26160
     ricardosaracino 
    Participant

    I am trying to set the _signing and encryption_ option on my SP metadata to have AuthnRequestsSigned="true", but my AM server keeps throwing the error below in the /debug/Federation log.

    The _Authentication Requests Signed_ option is the only one giving me issues.

    I'm running
    > ForgeRock Access Management 6.5.2
    > Tomcat 8.0.35
    > openjdk version "1.8.0_212"

    **AM Settings**

    [![enter image description here][1]][1]

    **Error Message**

    ```
    libSAML2:08/02/2019 03:16:50:299 PM UTC: Thread[http-nio-80-exec-8,5,main]: TransactionId[f1638b0a-6687-4953-ae04-8ce8c9299079-62363]
    ERROR: UtilProxySAMLAuthenticator.authenticate: authn request destination verification failed for
    IdpEntity: http://x.canadacentral.cloudapp.azure.com:80/opensso
    MetaAlias: /idp Destination: http://x.canadacentral.cloudapp.azure.com/opensso/SSORedirect/metaAlias/idp
    Location: http://x.canadacentral.cloudapp.azure.com:80/opensso/SSORedirect/metaAlias/idp
    ```

    **SP Meta-data**

    ```xml
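    <?xml version="1.0"?>
    <!-- SP metadata as posted. The curly quotes introduced by the forum rendering were replaced
         by ASCII quotes so the document is well-formed; attribute and element values are
         otherwise unchanged. -->
    <!-- NOTE(review): validUntil is 2019-08-02T12:04:36Z, while the AM error in the log above is
         stamped 08/02/2019 03:16:50 PM UTC, i.e. after this document expired. Whether AM
         rejects expired SP metadata is not visible here; regenerate the metadata with a later
         validUntil before comparing any other setting. -->
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                         validUntil="2019-08-02T12:04:36Z"
                         cacheDuration="PT604800S"
                         entityID="nestjs-sp-signed-0090">
      <!-- NOTE(review): this copy still says AuthnRequestsSigned="false" although the question
           asks for "true". The Passport settings below use issuer "nestjs-sp-signed-0070", which
           is not this entityID either, so AM may hold a different SP entity than the one shown
           here; confirm which metadata AM actually imported before toggling the console option. -->
      <md:SPSSODescriptor AuthnRequestsSigned="false"
                          WantAssertionsSigned="true"
                          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <!-- Certificate AM uses to verify signed AuthnRequests from this SP (body elided in the post). -->
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>…</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <!-- Certificate AM uses to encrypt assertions for this SP (body elided in the post). -->
        <md:KeyDescriptor use="encryption">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>…</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
          <!-- NOTE(review): rsa-1_5 is RSA PKCS#1 v1.5 key transport, which is deprecated for
               XML Encryption because of padding-oracle attacks on the encrypted key. Prefer
               http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p if the IdP supports it. -->
          <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        </md:KeyDescriptor>

        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>

        <!-- Plain-http localhost endpoints: suitable for local development only. AM sends the
             logout request and the signed/encrypted response to these addresses, so a deployed
             SP should publish https locations here. -->
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="http://localhost:3000/auth/logout/callback"/>

        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="http://localhost:3000/auth/login/callback"
                                     index="0"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
                                     Location="http://localhost:3000/auth/login/callback"
                                     index="1"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                     Location="http://localhost:3000/auth/login/callback"
                                     index="2"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
                                     Location="http://localhost:3000/auth/login/callback"
                                     index="3"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
                                     Location="http://localhost:3000/auth/login/callback"
                                     index="4"/>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>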
    ```

    **Passport Settings**

    ```js
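    // Passport SAML strategy configuration for this SP. The curly quotes from the forum
    // rendering were replaced by ASCII quotes so the listing parses; values are as posted.
    // Assumes `fs` is imported at the top of this module (not shown in the post).
    export const samlPassportConf = {
        // NOTE(review): the SP metadata above declares entityID="nestjs-sp-signed-0090", but this
        // issuer ends in 0070, so the "match metadata entityID" intent is not met unless AM
        // imported a different metadata file. The two must agree for AM to find the SP entity.
        issuer: 'nestjs-sp-signed-0070', // match metadata entityID

        // Same format as the <md:NameIDFormat> published in the SP metadata.
        identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

        // Must equal an AssertionConsumerService Location in the SP metadata.
        callbackUrl: 'http://localhost:3000/auth/login/callback',
        // NOTE(review): the AM log reports "authn request destination verification failed" with a
        // Destination lacking ":80" and an IdP Location carrying ":80". The AuthnRequest's
        // Destination is presumably derived from this entryPoint, and AM appears to compare it
        // with the IdP's SSO Location as a string, so this value should match the IdP metadata
        // Location exactly, explicit port included. (Hostnames look redacted differently in the
        // log and here; compare against the IdP metadata AM actually serves.)
        entryPoint: 'http://idp5.canadacentral.cloudapp.azure.com/opensso/SSORedirect/metaAlias/idp',
        logoutUrl: 'http://idp5.canadacentral.cloudapp.azure.com/opensso/IDPSloRedirect/metaAlias/idp',

        // One PEM key serves both to sign AuthnRequests (privateCert) and to decrypt assertions
        // (decryptionPvk); this only works if both KeyDescriptors in the metadata carry the
        // certificate that belongs to this key.
        privateCert: fs.readFileSync('cert/privatekey.pem', 'utf-8'),
        decryptionPvk: fs.readFileSync('cert/privatekey.pem', 'utf-8'),
    };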

    ```

    [1]: https://i.stack.imgur.com/zQIOo.png

    #26161
     ricardosaracino 
    Participant