OAuth Plugin / Authorization question
129 views
Skip to first unread message
Martin Hümmerich
May 5, 2021, 8:52:07 AM5/5/21
to dotCMS User Group
Hey everybody,
we are currently doing some tests for authentication and authorization with the OAuth 2 plugin that can be found at
https://github.com/dotcms-plugins/plugin-dotcms-oauth
Our goal is to set up and manage our users in keycloak (and in keycloak only!). Furthermore, depending on the groups / roles that we assign to our keycloak users, the specific user should or should not be authorized to use the admin UI and be able to act as a backend-user.
So far, we have set up a successful authentication, but we struggle with the authorization, i.e. the group / role mapping. We have found out that we can assign a "CMS Administrator" group in keycloak which seems to determine the "CMS Admin" flag in the dotcms (marked as green in the screenshot below). We have, however, not figured out if there might be similar groups for the dotcms "Back-end User" and the "Can Login To Admin UI" flags (marked as red).
Has anybody run into the same authorization problem before and figured out how the group / role mapping works for the above access flags? If not: Is our requirement even valid, or is this just not doable?
Thanks for your time,
looking forward to any kind of answer,
Martin
we are currently doing some tests for authentication and authorization with the OAuth 2 plugin that can be found at
https://github.com/dotcms-plugins/plugin-dotcms-oauth
Our goal is to set up and manage our users in keycloak (and in keycloak only!). Furthermore, depending on the groups / roles that we assign to our keycloak users, the specific user should or should not be authorized to use the admin UI and be able to act as a backend-user.
So far, we have set up a successful authentication, but we struggle with the authorization, i.e. the group / role mapping. We have found out that we can assign a "CMS Administrator" group in keycloak which seems to determine the "CMS Admin" flag in the dotcms (marked as green in the screenshot below). We have, however, not figured out if there might be similar groups for the dotcms "Back-end User" and the "Can Login To Admin UI" flags (marked as red).
Thanks for your time,
looking forward to any kind of answer,
Martin
Nathan Keiter
May 5, 2021, 9:02:49 AM5/5/21
to dotCMS User Group
APILocator.getRoleAPI().addRoleToUser(APILocator.getRoleAPI().loadBackEndUserRole(), userToModify);
Nathan I. Keiter | Lead Network Applications Programmer | I.D.E.A Council Member
Gettysburg College | Information Technology | DataSystems
Campus Box 2453 | 300 North Washington Street | Gettysburg, PA 17325
Phone: 717.337.6993
https://www.gettysburg.edu<https://www.gettysburg.edu/>
________________________________
From: dot...@googlegroups.com <dot...@googlegroups.com> on behalf of Martin Hümmerich <martin.h...@gmail.com>
Sent: Wednesday, May 5, 2021 7:43 AM
To: dotCMS User Group
Subject: [dotcms] OAuth Plugin / Authorization question
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
________________________________
Has anybody run into the same authorization problem before and figured out how the group / role mapping works for the above access flags? If not: Is our requirement even valid, or is this just not doable?
Thanks for your time,
looking forward to any kind of answer,
Martin
--
http://dotcms.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fdotcms.com&c=E,1,2cCaR-oHvhKPRMiMva7s0zDxjS9LWA2LSr_gL5PaBHxtlQeUhxLeuccaUVl-Yk-tGDeKNUlpdSuv8LQbSX5KBg7pQdFGl1lYEUbMtPaZXyU,&typo=1> - Open Source Java Content Management
---
You received this message because you are subscribed to the Google Groups "dotCMS User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dotcms+un...@googlegroups.com<mailto:dotcms+un...@googlegroups.com>.
To view this discussion on the web visit https://groups.google.com/d/msgid/dotcms/b9030069-6ff5-4124-b9e4-4589fead6677n%40googlegroups.com<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgroups.google.com%2fd%2fmsgid%2fdotcms%2fb9030069-6ff5-4124-b9e4-4589fead6677n%2540googlegroups.com%3futm_medium%3demail%26utm_source%3dfooter&c=E,1,GntEtNfY9zLjQ7CB3Khq8oPCpuHJ67zySILveQcXQ37zOGv2FIfn_IJGYvEcrR6tOIMGiaUmWpCIc0rZwTZtM-9vYyli9sjg0qipwmGzG3SvGw3rZoE,&typo=1>.
Nathan I. Keiter | Lead Network Applications Programmer | I.D.E.A Council Member
Gettysburg College | Information Technology | DataSystems
Campus Box 2453 | 300 North Washington Street | Gettysburg, PA 17325
Phone: 717.337.6993
https://www.gettysburg.edu<https://www.gettysburg.edu/>
________________________________
From: dot...@googlegroups.com <dot...@googlegroups.com> on behalf of Martin Hümmerich <martin.h...@gmail.com>
Sent: Wednesday, May 5, 2021 7:43 AM
To: dotCMS User Group
Subject: [dotcms] OAuth Plugin / Authorization question
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
________________________________
Hey everybody,
we are currently doing some tests for authentication and authorization with the OAuth 2 plugin that can be found at
https://github.com/dotcms-plugins/plugin-dotcms-oauth
Our goal is to set up and manage our users in keycloak (and in keycloak only!). Furthermore, depending on the groups / roles that we assign to our keycloak users, the specific user should or should not be authorized to use the admin UI and be able to act as a backend-user.
So far, we have set up a successful authentication, but we struggle with the authorization, i.e. the group / role mapping. We have found out that we can assign a "CMS Administrator" group in keycloak which seems to determine the "CMS Admin" flag in the dotcms (marked as green in the screenshot below). We have, however, not figured out if there might be similar groups for the dotcms "Back-end User" and the "Can Login To Admin UI" flags (marked as red).
[Image6.png]
we are currently doing some tests for authentication and authorization with the OAuth 2 plugin that can be found at
https://github.com/dotcms-plugins/plugin-dotcms-oauth
Our goal is to set up and manage our users in keycloak (and in keycloak only!). Furthermore, depending on the groups / roles that we assign to our keycloak users, the specific user should or should not be authorized to use the admin UI and be able to act as a backend-user.
So far, we have set up a successful authentication, but we struggle with the authorization, i.e. the group / role mapping. We have found out that we can assign a "CMS Administrator" group in keycloak which seems to determine the "CMS Admin" flag in the dotcms (marked as green in the screenshot below). We have, however, not figured out if there might be similar groups for the dotcms "Back-end User" and the "Can Login To Admin UI" flags (marked as red).
Has anybody run into the same authorization problem before and figured out how the group / role mapping works for the above access flags? If not: Is our requirement even valid, or is this just not doable?
Thanks for your time,
looking forward to any kind of answer,
Martin
http://dotcms.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fdotcms.com&c=E,1,2cCaR-oHvhKPRMiMva7s0zDxjS9LWA2LSr_gL5PaBHxtlQeUhxLeuccaUVl-Yk-tGDeKNUlpdSuv8LQbSX5KBg7pQdFGl1lYEUbMtPaZXyU,&typo=1> - Open Source Java Content Management
---
You received this message because you are subscribed to the Google Groups "dotCMS User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dotcms+un...@googlegroups.com<mailto:dotcms+un...@googlegroups.com>.
To view this discussion on the web visit https://groups.google.com/d/msgid/dotcms/b9030069-6ff5-4124-b9e4-4589fead6677n%40googlegroups.com<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgroups.google.com%2fd%2fmsgid%2fdotcms%2fb9030069-6ff5-4124-b9e4-4589fead6677n%2540googlegroups.com%3futm_medium%3demail%26utm_source%3dfooter&c=E,1,GntEtNfY9zLjQ7CB3Khq8oPCpuHJ67zySILveQcXQ37zOGv2FIfn_IJGYvEcrR6tOIMGiaUmWpCIc0rZwTZtM-9vYyli9sjg0qipwmGzG3SvGw3rZoE,&typo=1>.
Will Ezell
May 5, 2021, 9:21:08 AM5/5/21
to dot...@googlegroups.com
The idea is that the roles that are returned by your idp match the Role's keys. You can set the Role Key by editing a role in dotCMS, though you should not change the system roles' keys. Once the role.key matches the roles returned by your idp, they should be assigned, though every idp/scope is different and it might take some adjustment in code.
The back end user role is special - its key is DOTCMS_BACK_END_USER
--
http://dotcms.com - Open Source Java Content Management
---
You received this message because you are subscribed to the Google Groups "dotCMS User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dotcms+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dotcms/1620219760808.48327%40gettysburg.edu.
Mark Orciuch
May 25, 2021, 8:35:45 PM5/25/21
to dotCMS User Group
Hello Martin,
Did you get your keycloak OAuth2 plugin implementation to work? Would you be willing to share your plugin code? Please let me know. Many thanks in advance.
Mark Orciuch
May 27, 2021, 4:03:04 PM5/27/21
to dotCMS User Group
I tried following the instructions (https://dotcms.com/docs/latest/saml-authentication) to configure the SAML app with Keycloak but feel lost. Any tips on how to configure dotCMS with Keycloak would be greatly appreciated.
jonathan...@dotcms.com
May 28, 2021, 12:27:50 PM5/28/21
to dotCMS User Group
Hi Mark,
I have not experience on Keycloak, however the usual process would be:
1) generate the metadata XML on the keycloak,
2) configure dotCMS with that XML and then generate the metadata XML on dotCMS
3) configure the keycloack with the dotCMS metadata
We have an example of Okta: https://dotcms.com/docs/latest/saml-with-okta
You can use both as a reference about how to do the integration, of course each Identity provider is a whole world itself, lemme know if you have more questions
Best,
J
J
Mark Orciuch
May 28, 2021, 4:03:04 PM5/28/21
to dotCMS User Group
Hi Jonathan,
Thanks for your reply - this is helpful. I will continue working on this and probably come up with more questions. In the end, if I get it all working, I hope to contribute back Keycloak specific how-to.
One question though: if I enable specific configuration in the SSO-SAMPL app, do I have to create a custom login page or is the existing login page going to automatically invoke the currently configured IDP? How does that work?
Many thanks in advance.
Mark Orciuch
May 28, 2021, 8:24:45 PM5/28/21
to dotCMS User Group
Slowly inching my way towards setting up working a Keycloak configuration. However, I hit a snug downloading the dotcms saml metadata using /api/v1/dotsaml/metadata/{host id} url. I am getting 500 error and this is what I see in the logs:
[28/05/21 20:16:40:687 EDT] ERROR lang.Class: javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
javax.servlet.ServletException: javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:489) ~[jersey-container-servlet-core-2.25.1.jar:?]
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:427) ~[jersey-container-servlet-core-2.25.1.jar:?]
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:388) ~[jersey-container-servlet-core-2.25.1.jar:?]
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:341) ~[jersey-container-servlet-core-2.25.1.jar:?]
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:228) ~[jersey-container-servlet-core-2.25.1.jar:?]
at com.dotcms.rest.servlet.ReloadableServletContainer.service(ReloadableServletContainer.java:97) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) ~[tomcat-websocket.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotmarketing.filters.CMSFilter.doFilterInternal(CMSFilter.java:198) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at com.dotmarketing.filters.CMSFilter.doFilter(CMSFilter.java:48) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotcms.filters.interceptor.AbstractWebInterceptorSupportFilter.doFilter(AbstractWebInterceptorSupportFilter.java:90) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotcms.filters.interceptor.AbstractWebInterceptorSupportFilter.doFilter(AbstractWebInterceptorSupportFilter.java:90) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotcms.vanityurl.filters.VanityURLFilter.doFilter(VanityURLFilter.java:100) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176) ~[urlrewritefilter-4.0.4.jar:4.0.4]
at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145) ~[urlrewritefilter-4.0.4.jar:4.0.4]
at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92) ~[urlrewritefilter-4.0.4.jar:4.0.4]
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389) ~[urlrewritefilter-4.0.4.jar:4.0.4]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotmarketing.filters.TimeMachineFilter.doFilter(TimeMachineFilter.java:134) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotmarketing.filters.ThreadNameFilter.doFilter(ThreadNameFilter.java:88) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotmarketing.filters.CookiesFilter.doFilter(CookiesFilter.java:48) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotmarketing.filters.CharsetEncodingFilter.doFilter(CharsetEncodingFilter.java:99) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotcms.filters.interceptor.AbstractWebInterceptorSupportFilter.doFilter(AbstractWebInterceptorSupportFilter.java:90) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotcms.filters.NormalizationFilter.doFilter(NormalizationFilter.java:73) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) ~[catalina.jar:8.5.32]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) ~[catalina.jar:8.5.32]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) ~[catalina.jar:8.5.32]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) ~[catalina.jar:8.5.32]
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:685) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) ~[catalina.jar:8.5.32]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) ~[catalina.jar:8.5.32]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800) ~[tomcat-coyote.jar:8.5.32]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) ~[tomcat-coyote.jar:8.5.32]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800) ~[tomcat-coyote.jar:8.5.32]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471) ~[tomcat-coyote.jar:8.5.32]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote.jar:8.5.32]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_282]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_282]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:8.5.32]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]
Caused by: javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
at org.glassfish.jersey.server.internal.MappableExceptionWrapperInterceptor.aroundWriteTo(MappableExceptionWrapperInterceptor.java:90) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:162) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.MessageBodyFactory.writeTo(MessageBodyFactory.java:1130) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.writeResponse(ServerRuntime.java:711) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.processResponse(ServerRuntime.java:444) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.process(ServerRuntime.java:490) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:334) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:473) ~[jersey-container-servlet-core-2.25.1.jar:?]
... 65 more
Caused by: org.glassfish.jersey.message.internal.MessageBodyProviderNotFoundException: MessageBodyWriter not found for media type=application/xml, type=class java.util.HashMap, genericType=class java.util.HashMap.
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor$TerminalWriterInterceptor.aroundWriteTo(WriterInterceptorExecutor.java:247) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:162) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.internal.JsonWithPaddingInterceptor.aroundWriteTo(JsonWithPaddingInterceptor.java:106) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:162) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.internal.MappableExceptionWrapperInterceptor.aroundWriteTo(MappableExceptionWrapperInterceptor.java:86) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:162) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.MessageBodyFactory.writeTo(MessageBodyFactory.java:1130) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.writeResponse(ServerRuntime.java:711) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.processResponse(ServerRuntime.java:444) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.process(ServerRuntime.java:490) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:334) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:473) ~[jersey-container-servlet-core-2.25.1.jar:?]
... 65 more
javax.servlet.ServletException: javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:489) ~[jersey-container-servlet-core-2.25.1.jar:?]
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:427) ~[jersey-container-servlet-core-2.25.1.jar:?]
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:388) ~[jersey-container-servlet-core-2.25.1.jar:?]
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:341) ~[jersey-container-servlet-core-2.25.1.jar:?]
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:228) ~[jersey-container-servlet-core-2.25.1.jar:?]
at com.dotcms.rest.servlet.ReloadableServletContainer.service(ReloadableServletContainer.java:97) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) ~[tomcat-websocket.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotmarketing.filters.CMSFilter.doFilterInternal(CMSFilter.java:198) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at com.dotmarketing.filters.CMSFilter.doFilter(CMSFilter.java:48) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotcms.filters.interceptor.AbstractWebInterceptorSupportFilter.doFilter(AbstractWebInterceptorSupportFilter.java:90) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotcms.filters.interceptor.AbstractWebInterceptorSupportFilter.doFilter(AbstractWebInterceptorSupportFilter.java:90) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotcms.vanityurl.filters.VanityURLFilter.doFilter(VanityURLFilter.java:100) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176) ~[urlrewritefilter-4.0.4.jar:4.0.4]
at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145) ~[urlrewritefilter-4.0.4.jar:4.0.4]
at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92) ~[urlrewritefilter-4.0.4.jar:4.0.4]
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389) ~[urlrewritefilter-4.0.4.jar:4.0.4]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotmarketing.filters.TimeMachineFilter.doFilter(TimeMachineFilter.java:134) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotmarketing.filters.ThreadNameFilter.doFilter(ThreadNameFilter.java:88) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotmarketing.filters.CookiesFilter.doFilter(CookiesFilter.java:48) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotmarketing.filters.CharsetEncodingFilter.doFilter(CharsetEncodingFilter.java:99) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotcms.filters.interceptor.AbstractWebInterceptorSupportFilter.doFilter(AbstractWebInterceptorSupportFilter.java:90) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotcms.filters.NormalizationFilter.doFilter(NormalizationFilter.java:73) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) ~[catalina.jar:8.5.32]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) ~[catalina.jar:8.5.32]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) ~[catalina.jar:8.5.32]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) ~[catalina.jar:8.5.32]
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:685) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) ~[catalina.jar:8.5.32]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) ~[catalina.jar:8.5.32]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800) ~[tomcat-coyote.jar:8.5.32]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) ~[tomcat-coyote.jar:8.5.32]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800) ~[tomcat-coyote.jar:8.5.32]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471) ~[tomcat-coyote.jar:8.5.32]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote.jar:8.5.32]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_282]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_282]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:8.5.32]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]
Caused by: javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
at org.glassfish.jersey.server.internal.MappableExceptionWrapperInterceptor.aroundWriteTo(MappableExceptionWrapperInterceptor.java:90) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:162) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.MessageBodyFactory.writeTo(MessageBodyFactory.java:1130) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.writeResponse(ServerRuntime.java:711) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.processResponse(ServerRuntime.java:444) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.process(ServerRuntime.java:490) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:334) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:473) ~[jersey-container-servlet-core-2.25.1.jar:?]
... 65 more
Caused by: org.glassfish.jersey.message.internal.MessageBodyProviderNotFoundException: MessageBodyWriter not found for media type=application/xml, type=class java.util.HashMap, genericType=class java.util.HashMap.
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor$TerminalWriterInterceptor.aroundWriteTo(WriterInterceptorExecutor.java:247) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:162) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.internal.JsonWithPaddingInterceptor.aroundWriteTo(JsonWithPaddingInterceptor.java:106) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:162) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.internal.MappableExceptionWrapperInterceptor.aroundWriteTo(MappableExceptionWrapperInterceptor.java:86) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:162) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.MessageBodyFactory.writeTo(MessageBodyFactory.java:1130) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.writeResponse(ServerRuntime.java:711) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.processResponse(ServerRuntime.java:444) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.process(ServerRuntime.java:490) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:334) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:473) ~[jersey-container-servlet-core-2.25.1.jar:?]
... 65 more
jonathan...@dotcms.com
Jun 1, 2021, 5:10:40 PM6/1/21
to dotCMS User Group
Hi Mark,
The way it works is such as:
if you hit the /dotAdmin for instance, and not logged in, instead of showing the dotCMS login page, you will be redirected to Keycloak login page, as soon as you get keycloak login and use your credentials,
you will be back to dotCMS with the information to get login or even to create the user and sync the roles.
It is kinda summary, the whole process could be a more complex than that.
Best,
J
jonathan...@dotcms.com
Jun 1, 2021, 5:14:49 PM6/1/21
to dotCMS User Group
Are you requesting something such as:
localhost:8080/api/v1/dotsaml/metadata/f9a194e0-9f37-4df3-8bdc-2f46d0215eaa ?
localhost:8080/api/v1/dotsaml/metadata/f9a194e0-9f37-4df3-8bdc-2f46d0215eaa ?
I haven't see this error previously, can you share a bit more, such as your configuration (without the private key of course)
Best,
J
Mark Orciuch
Jun 1, 2021, 5:58:21 PM6/1/21
to dotCMS User Group
Hi Jonathan,
Yes, I am using the following url (48190c8c-42c4-46af-8d1a-0cd5db894797 is the host identifier):
The adapter configuration generated by Keycloak is as follows:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="dotcms" ID="ID_719b103e-2654-4054-aa51-d4d1773c6e92">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="false">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICmzCCAYMCBgF5rwBfRjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZkb3RjbXMwHhcNMjEwNTI3MTgwMzI3WhcNMzEwNTI3MTgwNTA3WjARMQ8wDQYDVQQDDAZkb3RjbXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQtseX5HncadBr6IL+PTXIuYQTS8QdC+sfqJIOFMZGcFyVl353rEFpOb+3N4A6ziN0XsXoFIApUbGTOSGGGEL1UiswdiFgkmuXUO1gykkgoIb1dS1MzsZG9Uhd4Pj3IiN2dr5F1aIrg4uLt5LItZExwn49ARj5aYxSQhVs7A0o/wURaoKWGqcontYBu6/XDgZX+/X1zMDXRdpPVZaMxJgN30W29oxO6d6XMKzOqV0aX31HPp+MlYw1+zgVZvSc/MKvOqSlMi/rDE3W8oQYfAbevCaXnXq4uAI//Z5IHpP7Nby8N72EBPNEiXQjXLf4SikHkk9E3viR9kwcdClXyZHdAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAAwJ6KYJv9jd8Q+gwf9aSrjrt65xNeFoJFcHyiKOpY09IiJ2DjkIjMcHJ3zV4lEULLADly6edpBPoVf6WolDnW2a5CujaxIlgly+A5I8CA8Zrqptv0Q3diEQI0cA/Fv9A6DRT8/lTIUKeUs1GfXVGY0sW0itaFiaq6SZd++SSmjieVtKiv9Ggv301IyAqX7eKj+pQFeIpeoboCepqDz64gq8vwqTFr+P8C/dzHZ3jr3B1THunsAaOIFwx72EdQapT6j8WQcgdjJyttp1BetUJvwyRdFzSUukoEV+ECpU8fzHxcuknKRHFQHuqn/O/lu3f1RF+FvSfXJN5TaW1oY6ns0=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="ERROR:ENDPOINT_NOT_SET"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="ERROR:ENDPOINT_NOT_SET" isDefault="true" index="1"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
jonathan...@dotcms.com
Jun 1, 2021, 6:06:07 PM6/1/21
to dotCMS User Group
ok probably you "service provider endpoint hostname" should be:
host.docker.internal:9090
keep in mind this is the host of dotCMS, not the keycloak host
Finally this meta does not looks good
```
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="ERROR:ENDPOINT_NOT_SET"/> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="ERROR:ENDPOINT_NOT_SET" isDefault="true" index="1"/>
```
see Location="ERROR:ENDPOINT_NOT_SET"
Mark Orciuch
Jun 1, 2021, 6:24:09 PM6/1/21
to dotCMS User Group
I made the recommended change but still getting 500 error:
<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://host.docker.internal:8443/dotAdmin" ID="ID_889f849b-01fa-4543-8786-c76d73634431"><md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="false"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICmzCCAYMCBgF5rwBfRjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZkb3RjbXMwHhcNMjEwNTI3MTgwMzI3WhcNMzEwNTI3MTgwNTA3WjARMQ8wDQYDVQQDDAZkb3RjbXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQtseX5HncadBr6IL+PTXIuYQTS8QdC+sfqJIOFMZGcFyVl353rEFpOb+3N4A6ziN0XsXoFIApUbGTOSGGGEL1UiswdiFgkmuXUO1gykkgoIb1dS1MzsZG9Uhd4Pj3IiN2dr5F1aIrg4uLt5LItZExwn49ARj5aYxSQhVs7A0o/wURaoKWGqcontYBu6/XDgZX+/X1zMDXRdpPVZaMxJgN30W29oxO6d6XMKzOqV0aX31HPp+MlYw1+zgVZvSc/MKvOqSlMi/rDE3W8oQYfAbevCaXnXq4uAI//Z5IHpP7Nby8N72EBPNEiXQjXLf4SikHkk9E3viR9kwcdClXyZHdAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAAwJ6KYJv9jd8Q+gwf9aSrjrt65xNeFoJFcHyiKOpY09IiJ2DjkIjMcHJ3zV4lEULLADly6edpBPoVf6WolDnW2a5CujaxIlgly+A5I8CA8Zrqptv0Q3diEQI0cA/Fv9A6DRT8/lTIUKeUs1GfXVGY0sW0itaFiaq6SZd++SSmjieVtKiv9Ggv301IyAqX7eKj+pQFeIpeoboCepqDz64gq8vwqTFr+P8C/dzHZ3jr3B1THunsAaOIFwx72EdQapT6j8WQcgdjJyttp1BetUJvwyRdFzSUukoEV+ECpU8fzHxcuknKRHFQHuqn/O/lu3f1RF+FvSfXJN5TaW1oY6ns0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="host.docker.internal:8443"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="host.docker.internal:8443" isDefault="true" index="1"/></md:SPSSODescriptor></md:EntityDescriptor>
Also, attaching screenshots of the Keycloak client settings and dotCMS SAML configuration.
jonathan...@dotcms.com
Jun 1, 2021, 8:45:12 PM6/1/21
to dotCMS User Group
Hi Mark,
It seems your metadata now looks good, when are you getting the 500?
Mark Orciuch
Jun 2, 2021, 11:27:04 AM6/2/21
to dotCMS User Group
Hi Jonathan,
I am getting this error when navigating to http://localhost:8080/api/v1/dotsaml/metadata/48190c8c-42c4-46af-8d1a-0cd5db894797 to retrieve the SAML metadata.
My question is: does retrieving the dotCMS SAML metadata actually connects to the external IDP? In other words, if something is misconfigured, would it give me 500 error? Or does it just dump the specific configuration from SSO-SAML app?
Reply all
Reply to author
Forward
0 new messages