OAuth Plugin / Authorization question


Martin Hümmerich

May 5, 2021, 8:52:07 AM
to dotCMS User Group
Hey everybody,

we are currently doing some tests for authentication and authorization with the OAuth 2 plugin that can be found at

https://github.com/dotcms-plugins/plugin-dotcms-oauth

Our goal is to set up and manage our users in keycloak (and in keycloak only!). Furthermore, depending on the groups / roles that we assign to our keycloak users, the specific user should or should not be authorized to use the admin UI and be able to act as a backend-user.

So far, we have set up a successful authentication, but we struggle with the authorization, i.e. the group / role mapping. We have found out that we can assign a "CMS Administrator" group in keycloak which seems to determine the "CMS Admin" flag in the dotcms (marked as green in the screenshot below). We have, however, not figured out if there might be similar groups for the dotcms "Back-end User" and the "Can Login To Admin UI" flags (marked as red).

Image6.png

Has anybody run into the same authorization problem before and figured out how the group / role mapping works for the above access flags? If not: Is our requirement even valid, or is this just not doable?

Thanks for your time,

looking forward to any kind of answer,

Martin

Nathan Keiter

May 5, 2021, 9:02:49 AM
to dotCMS User Group
```
// Assign the special Back-end User role to a user through the dotCMS Role API
APILocator.getRoleAPI().addRoleToUser(APILocator.getRoleAPI().loadBackEndUserRole(), userToModify);
```

Nathan I. Keiter | Lead Network Applications Programmer | I.D.E.A Council Member
Gettysburg College | Information Technology | DataSystems

Will Ezell

May 5, 2021, 9:21:08 AM
to dot...@googlegroups.com
The idea is that the roles returned by your IdP match the Role Keys. You can set the Role Key by editing a role in dotCMS, though you should not change the system roles' keys. Once the role key matches the roles returned by your IdP, they should be assigned, though every IdP/scope is different and it might take some adjustment in code.

The back-end user role is special: its key is DOTCMS_BACK_END_USER


Screen Shot 2021-05-05 at 9.17.34 AM.png
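
Will's explanation above comes down to exact-key matching: a role name returned by the IdP is honoured only if it equals a dotCMS Role Key, and DOTCMS_BACK_END_USER is the key that makes someone a back-end user. The Python below is an added example, not code from the OAuth plugin or from dotCMS: it models that matching over a constructed Keycloak-style token payload and works out what to assign and what to revoke so that Keycloak stays the only place users are managed. The role key list, the client id "dotcms" and the "CMS Administrator" key are assumptions.

```python
"""Model of IdP-role to dotCMS Role Key matching (added example, not the plugin's code)."""
import base64
import json

# From the thread: IdP role names must equal a dotCMS Role Key, and the
# back-end user role's key is DOTCMS_BACK_END_USER. The CMS admin key and the
# other keys below are assumptions standing in for a real dotCMS role list.
BACK_END_USER_KEY = "DOTCMS_BACK_END_USER"
CMS_ADMIN_KEY = "CMS Administrator"
DOTCMS_ROLE_KEYS = {BACK_END_USER_KEY, CMS_ADMIN_KEY, "Editor", "Reviewer"}


def decode_jwt_payload(token: str) -> dict:
    """Read the claims of a compact JWT. This does NOT verify the signature:
    the token is assumed to have been validated by the OAuth flow already,
    and this helper exists only to look at the claims for mapping."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def idp_roles(claims: dict, client_id: str) -> set:
    """Collect the role names Keycloak can put in a token: realm roles,
    client roles for this client, and group names from a 'groups' mapper
    (Keycloak emits full group paths, so the leading '/' is stripped)."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles |= set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    roles |= {g.lstrip("/") for g in claims.get("groups", [])}
    return roles


def plan_role_sync(idp_role_names: set, current_dotcms_roles: set, role_keys: set) -> dict:
    """Work out what to assign and what to revoke so dotCMS mirrors the IdP.

    Only names that exactly match an existing Role Key count; anything else
    is reported as unmatched rather than silently created. Roles the user
    still holds in dotCMS that the IdP no longer returns are revoked, which
    keeps the IdP the single source of truth for back-end access.
    """
    matched = idp_role_names & role_keys
    return {
        "assign": sorted(matched - current_dotcms_roles),
        "revoke": sorted(current_dotcms_roles - matched),
        "unmatched": sorted(idp_role_names - role_keys),
        "backend_user": BACK_END_USER_KEY in matched,
        "cms_admin": CMS_ADMIN_KEY in matched,
    }


def constructed_token(claims: dict) -> str:
    """Build an unsigned JWT carrying the given claims, for offline test data only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return ".".join([b64({"alg": "none"}), b64(claims), ""])


# Constructed claims shaped like a Keycloak access token for client "dotcms".
SAMPLE_CLAIMS = {
    "sub": "user1",
    "realm_access": {"roles": ["DOTCMS_BACK_END_USER", "offline_access"]},
    "resource_access": {"dotcms": {"roles": ["Editor"]}},
    "groups": ["/CMS Administrator"],
}

if __name__ == "__main__":
    claims = decode_jwt_payload(constructed_token(SAMPLE_CLAIMS))
    print(plan_role_sync(idp_roles(claims, "dotcms"), {"Editor", "Reviewer"}, DOTCMS_ROLE_KEYS))
```

The actual assignment in dotCMS is still done through the Role API, as in Nathan's one-liner; this block only decides which keys that call should be made for.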

Mark Orciuch

May 25, 2021, 8:35:45 PM
to dotCMS User Group
Hello Martin,

Did you get your keycloak OAuth2 plugin implementation to work? Would you be willing to share your plugin code? Please let me know. Many thanks in advance.

Mark Orciuch

May 27, 2021, 4:03:04 PM
to dotCMS User Group
I tried following the instructions (https://dotcms.com/docs/latest/saml-authentication) to configure the SAML app with Keycloak but feel lost. Any tips on how to configure dotCMS with Keycloak would be greatly appreciated.

jonathan...@dotcms.com

May 28, 2021, 12:27:50 PM
to dotCMS User Group
Hi Mark,

I have no experience with Keycloak; however, the usual process would be:
1) generate the metadata XML on the Keycloak side,
2) configure dotCMS with that XML and then generate the metadata XML on dotCMS,
3) configure Keycloak with the dotCMS metadata.


You can use both as a reference for how to do the integration. Of course, each identity provider is a whole world in itself; let me know if you have more questions.

Best,
J

Mark Orciuch

May 28, 2021, 4:03:04 PM
to dotCMS User Group
Hi Jonathan,

Thanks for your reply - this is helpful. I will continue working on this and will probably come up with more questions. In the end, if I get it all working, I hope to contribute back a Keycloak-specific how-to.

One question though: if I enable a specific configuration in the SSO-SAML app, do I have to create a custom login page, or is the existing login page going to automatically invoke the currently configured IdP? How does that work?

Many thanks in advance.

dotCMS Content Management Platform 2021-05-28 15-00-46.png

Mark Orciuch

May 28, 2021, 8:24:45 PM
to dotCMS User Group
Slowly inching my way towards setting up a working Keycloak configuration. However, I hit a snag downloading the dotCMS SAML metadata using the /api/v1/dotsaml/metadata/{host id} URL. I am getting a 500 error and this is what I see in the logs:

[28/05/21 20:16:40:687 EDT] ERROR lang.Class: javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
javax.servlet.ServletException: javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:489) ~[jersey-container-servlet-core-2.25.1.jar:?]
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:427) ~[jersey-container-servlet-core-2.25.1.jar:?]
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:388) ~[jersey-container-servlet-core-2.25.1.jar:?]
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:341) ~[jersey-container-servlet-core-2.25.1.jar:?]
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:228) ~[jersey-container-servlet-core-2.25.1.jar:?]
at com.dotcms.rest.servlet.ReloadableServletContainer.service(ReloadableServletContainer.java:97) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) ~[tomcat-websocket.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotmarketing.filters.CMSFilter.doFilterInternal(CMSFilter.java:198) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at com.dotmarketing.filters.CMSFilter.doFilter(CMSFilter.java:48) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotcms.filters.interceptor.AbstractWebInterceptorSupportFilter.doFilter(AbstractWebInterceptorSupportFilter.java:90) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotcms.filters.interceptor.AbstractWebInterceptorSupportFilter.doFilter(AbstractWebInterceptorSupportFilter.java:90) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotcms.vanityurl.filters.VanityURLFilter.doFilter(VanityURLFilter.java:100) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176) ~[urlrewritefilter-4.0.4.jar:4.0.4]
at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145) ~[urlrewritefilter-4.0.4.jar:4.0.4]
at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92) ~[urlrewritefilter-4.0.4.jar:4.0.4]
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389) ~[urlrewritefilter-4.0.4.jar:4.0.4]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotmarketing.filters.TimeMachineFilter.doFilter(TimeMachineFilter.java:134) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotmarketing.filters.ThreadNameFilter.doFilter(ThreadNameFilter.java:88) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotmarketing.filters.CookiesFilter.doFilter(CookiesFilter.java:48) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotmarketing.filters.CharsetEncodingFilter.doFilter(CharsetEncodingFilter.java:99) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotcms.filters.interceptor.AbstractWebInterceptorSupportFilter.doFilter(AbstractWebInterceptorSupportFilter.java:90) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at com.dotcms.filters.NormalizationFilter.doFilter(NormalizationFilter.java:73) ~[dotcms_5.3.8.4_8bd7c60.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) ~[catalina.jar:8.5.32]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) ~[catalina.jar:8.5.32]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) ~[catalina.jar:8.5.32]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) ~[catalina.jar:8.5.32]
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:685) ~[catalina.jar:8.5.32]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) ~[catalina.jar:8.5.32]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) ~[catalina.jar:8.5.32]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800) ~[tomcat-coyote.jar:8.5.32]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) ~[tomcat-coyote.jar:8.5.32]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800) ~[tomcat-coyote.jar:8.5.32]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471) ~[tomcat-coyote.jar:8.5.32]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote.jar:8.5.32]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_282]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_282]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:8.5.32]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]
Caused by: javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
at org.glassfish.jersey.server.internal.MappableExceptionWrapperInterceptor.aroundWriteTo(MappableExceptionWrapperInterceptor.java:90) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:162) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.MessageBodyFactory.writeTo(MessageBodyFactory.java:1130) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.writeResponse(ServerRuntime.java:711) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.processResponse(ServerRuntime.java:444) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.process(ServerRuntime.java:490) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:334) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:473) ~[jersey-container-servlet-core-2.25.1.jar:?]
... 65 more
Caused by: org.glassfish.jersey.message.internal.MessageBodyProviderNotFoundException: MessageBodyWriter not found for media type=application/xml, type=class java.util.HashMap, genericType=class java.util.HashMap.
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor$TerminalWriterInterceptor.aroundWriteTo(WriterInterceptorExecutor.java:247) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:162) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.internal.JsonWithPaddingInterceptor.aroundWriteTo(JsonWithPaddingInterceptor.java:106) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:162) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.internal.MappableExceptionWrapperInterceptor.aroundWriteTo(MappableExceptionWrapperInterceptor.java:86) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:162) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.message.internal.MessageBodyFactory.writeTo(MessageBodyFactory.java:1130) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.writeResponse(ServerRuntime.java:711) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.processResponse(ServerRuntime.java:444) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.process(ServerRuntime.java:490) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:334) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) ~[jersey-common-2.25.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) ~[jersey-server-2.25.1.jar:?]
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:473) ~[jersey-container-servlet-core-2.25.1.jar:?]
... 65 more

jonathan...@dotcms.com

Jun 1, 2021, 5:10:40 PM
to dotCMS User Group
Hi Mark,

The way it works is as follows:
if you hit /dotAdmin, for instance, and are not logged in, then instead of showing the dotCMS login page you will be redirected to the Keycloak login page; as soon as you log in to Keycloak with your credentials,
you will be sent back to dotCMS with the information needed to log in, or even to create the user and sync the roles.

This is just a summary; the whole process can be more complex than that.

Best,
J

jonathan...@dotcms.com

Jun 1, 2021, 5:14:49 PM
to dotCMS User Group
Are you requesting something such as:

localhost:8080/api/v1/dotsaml/metadata/f9a194e0-9f37-4df3-8bdc-2f46d0215eaa    ?

I haven't seen this error previously; can you share a bit more, such as your configuration (without the private key, of course)?

Best,
J

Mark Orciuch

Jun 1, 2021, 5:58:21 PM
to dotCMS User Group
Hi Jonathan,

Yes, I am using the following URL (48190c8c-42c4-46af-8d1a-0cd5db894797 is the host identifier):


The adapter configuration generated by Keycloak is as follows:

```
<?xml version="1.0"?>
<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="dotcms"
    ID="ID_719b103e-2654-4054-aa51-d4d1773c6e92">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="false">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIICmzCCAYMCBgF5rwBfRjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZkb3RjbXMwHhcNMjEwNTI3MTgwMzI3WhcNMzEwNTI3MTgwNTA3WjARMQ8wDQYDVQQDDAZkb3RjbXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQtseX5HncadBr6IL+PTXIuYQTS8QdC+sfqJIOFMZGcFyVl353rEFpOb+3N4A6ziN0XsXoFIApUbGTOSGGGEL1UiswdiFgkmuXUO1gykkgoIb1dS1MzsZG9Uhd4Pj3IiN2dr5F1aIrg4uLt5LItZExwn49ARj5aYxSQhVs7A0o/wURaoKWGqcontYBu6/XDgZX+/X1zMDXRdpPVZaMxJgN30W29oxO6d6XMKzOqV0aX31HPp+MlYw1+zgVZvSc/MKvOqSlMi/rDE3W8oQYfAbevCaXnXq4uAI//Z5IHpP7Nby8N72EBPNEiXQjXLf4SikHkk9E3viR9kwcdClXyZHdAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAAwJ6KYJv9jd8Q+gwf9aSrjrt65xNeFoJFcHyiKOpY09IiJ2DjkIjMcHJ3zV4lEULLADly6edpBPoVf6WolDnW2a5CujaxIlgly+A5I8CA8Zrqptv0Q3diEQI0cA/Fv9A6DRT8/lTIUKeUs1GfXVGY0sW0itaFiaq6SZd++SSmjieVtKiv9Ggv301IyAqX7eKj+pQFeIpeoboCepqDz64gq8vwqTFr+P8C/dzHZ3jr3B1THunsAaOIFwx72EdQapT6j8WQcgdjJyttp1BetUJvwyRdFzSUukoEV+ECpU8fzHxcuknKRHFQHuqn/O/lu3f1RF+FvSfXJN5TaW1oY6ns0=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="ERROR:ENDPOINT_NOT_SET"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="ERROR:ENDPOINT_NOT_SET" isDefault="true" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

jonathan...@dotcms.com

Jun 1, 2021, 6:06:07 PM
to dotCMS User Group
OK, probably your "service provider endpoint hostname" should be:

host.docker.internal:9090

Keep in mind this is the host of dotCMS, not the Keycloak host.

Finally, this metadata does not look good:

```
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="ERROR:ENDPOINT_NOT_SET"/> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="ERROR:ENDPOINT_NOT_SET" isDefault="true" index="1"/> 
```

See Location="ERROR:ENDPOINT_NOT_SET".
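
Jonathan's three-step metadata exchange earlier in the thread and the Location="ERROR:ENDPOINT_NOT_SET" problem he points out here both hinge on the SP metadata being sound before it is handed to the IdP. The Python below is an added example, not dotCMS or Keycloak code: it runs a few structural checks over a constructed copy of the metadata posted in this thread (endpoint Locations set and given as absolute https URLs, a signing certificate present when AuthnRequestsSigned is true, WantAssertionsSigned enabled). The sample XML, its placeholder certificate and the check list are assumptions of this example.

```python
"""Structural checks for SAML SP metadata (added example, not dotCMS/Keycloak code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed metadata modelled on the first XML posted in this thread:
# both endpoints still carry Keycloak's ERROR:ENDPOINT_NOT_SET placeholder
# and the certificate is a placeholder string, not a real one.
SAMPLE_ENDPOINT_NOT_SET = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="dotcms">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="false">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED-CERT-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="ERROR:ENDPOINT_NOT_SET"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="ERROR:ENDPOINT_NOT_SET" isDefault="true" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_location(tag: str, location: str) -> list:
    """Endpoint Locations must be absolute https URLs: the IdP posts the SAML
    Response to exactly this string, so a placeholder or a bare host:port
    with no scheme (as in the second metadata in this thread) cannot work."""
    if not location or location.startswith("ERROR:"):
        return [f"{tag}: Location not set ({location!r})"]
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return [f"{tag}: Location {location!r} is not an absolute URL"]
    if parts.scheme != "https":
        return [f"{tag}: Location {location!r} is not https"]
    return []


def check_sp_metadata(xml_text: str) -> list:
    """Return a list of problems; an empty list means the metadata passed."""
    problems = []
    root = ET.fromstring(xml_text)  # raises ParseError on malformed XML
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("entityID is empty")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no md:SPSSODescriptor"]
    cert = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if sp.get("AuthnRequestsSigned") == "true" and (cert is None or not (cert.text or "").strip()):
        problems.append("AuthnRequestsSigned=true but no signing certificate is published")
    # Hardening check: with WantAssertionsSigned=false the SP announces that it
    # accepts unsigned assertions, dropping integrity protection on the very
    # statement that logs the user in.
    if sp.get("WantAssertionsSigned") != "true":
        problems.append("WantAssertionsSigned is not true")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        problems.append("no md:AssertionConsumerService")
    for tag, elems in (("md:AssertionConsumerService", acs),
                       ("md:SingleLogoutService", sp.findall("md:SingleLogoutService", NS))):
        for ep in elems:
            problems.extend(check_location(tag, ep.get("Location", "")))
    return problems


if __name__ == "__main__":
    for p in check_sp_metadata(SAMPLE_ENDPOINT_NOT_SET):
        print("-", p)
```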

Mark Orciuch

Jun 1, 2021, 6:24:09 PM
to dotCMS User Group
I made the recommended change but still getting 500 error:

```
<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://host.docker.internal:8443/dotAdmin"
    ID="ID_889f849b-01fa-4543-8786-c76d73634431">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="false">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate><!-- certificate elided --></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="host.docker.internal:8443"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="host.docker.internal:8443" isDefault="true" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

Also, attaching screenshots of the Keycloak client settings and dotCMS SAML configuration.
Keycloak Admin Console.pdf
dotCMS Content Management Platform.pdf

jonathan...@dotcms.com

Jun 1, 2021, 8:45:12 PM
to dotCMS User Group
Hi Mark,

It seems your metadata now looks good. When are you getting the 500?

Mark Orciuch

Jun 2, 2021, 11:27:04 AM
to dotCMS User Group
Hi Jonathan,

I am getting this error when navigating to http://localhost:8080/api/v1/dotsaml/metadata/48190c8c-42c4-46af-8d1a-0cd5db894797 to retrieve the SAML metadata.

My question is: does retrieving the dotCMS SAML metadata actually connect to the external IdP? In other words, if something is misconfigured, would it give me a 500 error? Or does it just dump the specific configuration from the SSO-SAML app?