Problems with SAML authentication


Eric Blanc

Oct 4, 2019, 7:24:07 AM
to cBioPortal for Cancer Genomics Discussion Group
Hi,

I am trying to set up a portal instance that uses SAML authentication (obtained from OneLogin). The portal & the session server both run fine without authentication, but the connection to the portal fails with error 500 (full message attached), caused by:

org.opensaml.common.SAMLRuntimeException: Can't obtain SP signing key
org.opensaml.xml.security.SecurityException: Could not retrieve entry from keystore
java.security.UnrecoverableKeyException: Cannot recover key

The portal.properties section relevant to SAML reads:

saml.sp.metadata.entityid=cbioportal
saml.idp.metadata.location=classpath:/onelogin_metadata_nnnnnn.xml
saml.idp.metadata.entityid=https://app.onelogin.com/saml/metadata/nnnnnn
# saml keystore settings:
saml.keystore.location=classpath:/samlKeystore.jks
saml.keystore.password=xxx...xxx
saml.keystore.private-key.key=secure-key
saml.keystore.private-key.password=yyy...yyy
saml.keystore.default-key=secure-key
# How to send SAML request messages to the IDP.
# Set to "specificBinding" to configure specific binding:
saml.idp.comm.binding.settings=defaultBinding
# Configure the specific binding if above is specificBinding. Leave empty if defaultBinding.
# Options: bindings:HTTP-POST, bindings:HTTP-Redirect, bindings:PAOS, profiles:holder-of-key:SSO:browser
saml.idp.comm.binding.type=
# Change this to configure your custom UserDetails parser (default: org.cbioportal.security.spring.authentication.saml.SAMLUserDetailsServiceImpl)
saml.custom.userservice.class=org.cbioportal.security.spring.authentication.saml.SAMLUserDetailsServiceImpl
# Change this to configure to configure a custom logout URL: (default: /login.jsp?logout_success=true)
saml.logout.url=/login.jsp?logout_success=true

The portal properties, onelogin metadata & keystore files are all in $PORTAL_HOME/target/tomcat.8081/webapps/expanded/WEB-INF/classes

I am not sure whether the problem is that the keystore or onelogin metadata cannot be found, and if it is the case, where should I put them, and how should I set the locations in the portal properties.

Thanks very much for your help,
Best,
Eric

Error_500.txt

Benjamin Gross

Oct 4, 2019, 2:09:44 PM
to Eric Blanc, cBioPortal for Cancer Genomics Discussion Group
Hi Eric,

Based on the information you provided, it sounds like samlKeystore.jks is not in your classpath. Did you follow the “Create a signing key for cBioPortal” setup?


Regards,
Benjamin

--
You received this message because you are subscribed to the Google Groups "cBioPortal for Cancer Genomics Discussion Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cbioportal+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/d560baac-2aa8-42a2-adce-0df0cb16be8a%40googlegroups.com.

Eric Blanc

Oct 4, 2019, 2:14:30 PM
to cBioPortal for Cancer Genomics Discussion Group
Hi Benjamin,

Thanks for your reply.

I have created the keystore, but I just put the file in the WEB-INF/classes, not re-created a war file. Should I re-create one?

Regards,
Eric

Benjamin Gross

Oct 4, 2019, 2:16:50 PM
to Eric Blanc, cBioPortal for Cancer Genomics Discussion Group
Yeah, it's gotta get into the war. Let me know how it goes.



Eric Blanc

Oct 4, 2019, 2:39:37 PM
to cBioPortal for Cancer Genomics Discussion Group
So I have rebuilt my portal (mvn -DskipTests clean install), but the problem persists, and I can't find the keystore in the war file using

jar -tvf portal/target/cbioportal.war | grep jks

Is it possible that the maven step doesn't roll the keystore file into the cbioportal.war?

Thanks again,
Eric

Benjamin Gross

Oct 4, 2019, 2:52:40 PM
to Eric Blanc, cBioPortal for Cancer Genomics Discussion Group
The way the code is set up, if the file goes into $PORTAL_HOME/portal/src/main/resources, it should end up on the class path. Is that where you put it?


Eric Blanc

Oct 4, 2019, 3:51:13 PM
to cBioPortal for Cancer Genomics Discussion Group
I'm sorry to have wasted your time, I had put it in src/main/resources, not in portal/src/main/resources as stated in the documentation. Now the keystore is in the war file, and it is accessible by the portal.

However, I am now facing another set of errors: the cBioPortal log states that:

2019-10-04 21:40:33 [http-nio-8081-exec-4] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 1 of 10 in additional filter chain; firing Filter: 'MetadataGeneratorFilter'
2019-10-04 21:40:33 [http-nio-8081-exec-4] INFO  org.springframework.security.saml.metadata.MetadataGeneratorFilter - No default metadata configured, generating with default values, please pre-configure metadata for production use
2019-10-04 21:40:33 [http-nio-8081-exec-4] ERROR org.opensaml.xml.security.credential.KeyStoreCredentialResolver - Unable to retrieve keystore entry for entityID (keystore alias): secure-key
2019-10-04 21:40:33 [http-nio-8081-exec-4] ERROR org.opensaml.xml.security.credential.KeyStoreCredentialResolver - Check for invalid keystore entityID/alias entry password

The keystore is readable using keytool -list, and it has a secure-key alias. Any idea what has gone wrong?

Thanks, and sorry again.

Benjamin Gross

Oct 6, 2019, 11:50:12 AM
to Eric Blanc, cBioPortal for Cancer Genomics Discussion Group
Hi Eric,

Based on this message "Check for invalid keystore entityID/alias entry password",
my only thought is to run the keytool -keypasswd command to verify (or set) the key password for the secure-key entry. I haven’t done this, but I think this may be the command

keytool -keypasswd -keystore samlKeystore.jks -alias secure-key

In lieu of this, you may just want to try and create a new keystore file.

B

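A small diagnostic in the spirit of Benjamin's suggestion, added here as an example and not part of this thread or of cBioPortal: it loads the keystore from the classpath the way the portal does and then calls KeyStore.getKey with the alias password, which is the lookup behind the "Cannot recover key" / "Check for invalid keystore entityID/alias entry password" messages quoted above. The class name, the environment variable names and the report strings are my own; the property names in the comments are the ones from Eric's portal.properties.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

// Hypothetical diagnostic (not cBioPortal code): repeat the lookup that
// KeyStoreCredentialResolver performs and report which step fails.
public class SamlKeystoreCheck {

    public static String check(String resource, String storePass, String alias, String keyPass) {
        try (InputStream in = SamlKeystoreCheck.class.getResourceAsStream(resource)) {
            if (in == null) {
                // The file never made it into the war / WEB-INF/classes.
                return "not on classpath: " + resource
                        + " (place it in portal/src/main/resources and rebuild the war)";
            }
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, storePass.toCharArray());            // saml.keystore.password
            if (!ks.containsAlias(alias)) {
                return "alias '" + alias + "' missing; present: " + Collections.list(ks.aliases());
            }
            if (!ks.isKeyEntry(alias)) {
                return "alias '" + alias + "' is a trusted-certificate entry, not a private key";
            }
            ks.getKey(alias, keyPass.toCharArray());         // saml.keystore.private-key.password
            return "ok";
        } catch (UnrecoverableKeyException e) {
            // The thread's "Cannot recover key": alias exists, key password does not match.
            return "wrong key password for alias '" + alias + "'";
        } catch (IOException e) {
            // A wrong store password surfaces here ("Keystore was tampered with, or password was incorrect").
            return "cannot load keystore: " + e.getMessage();
        } catch (GeneralSecurityException e) {
            return "keystore error: " + e;
        }
    }

    public static void main(String[] args) {
        // Passwords come from the environment so they do not show up in the process list.
        if (args.length != 2 || System.getenv("SAML_STORE_PASS") == null || System.getenv("SAML_KEY_PASS") == null) {
            System.err.println("usage: SAML_STORE_PASS=... SAML_KEY_PASS=... java -cp <WEB-INF/classes>:. "
                    + "SamlKeystoreCheck /samlKeystore.jks secure-key");
            System.exit(2);
        }
        System.out.println(check(args[0], System.getenv("SAML_STORE_PASS"), args[1], System.getenv("SAML_KEY_PASS")));
    }
}
```

Run it with the expanded webapp's WEB-INF/classes directory on the classpath so the resource lookup matches what Tomcat sees; "ok" means the three values in portal.properties agree with the keystore, and each other line names the single setting or placement to correct.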

Eric Blanc

Oct 6, 2019, 3:16:53 PM
to cBioPortal for Cancer Genomics Discussion Group
Hi Benjamin,

That was indeed a faulty keystore: the connection can be made using a new keystore.

Thanks for your help,
Eric


Benjamin Gross

Oct 7, 2019, 9:49:35 AM
to Eric Blanc, cBioPortal for Cancer Genomics Discussion Group
Glad to hear it!
B
