Web Login Service - Message Security Error


Andy Warner

Jan 13, 2016, 9:20:33 AM
to pac4j-users
Folks,

I'm trying to set up a test of CAS using pac4j-saml to auth with a local Shibboleth IdP by just tweaking the cas-pac4j-oauth-client-demo, but apparently I'm doing something wrong :-/


I changed the applicationContext.xml to reflect the local IdP by changing the identityProviderEntityId and overwrote the testshib-providers.xml with the metadata from the local IdP.

    <bean id="samlConfig" class="org.pac4j.saml.client.SAML2ClientConfiguration"
          c:keystorePassword="pac4j-demo-passwd"
          c:privateKeyPassword="pac4j-demo-passwd"
          c:keystorePath="resource:samlKeystore.jks"
          c:identityProviderMetadataPath="resource:testshib-providers.xml"
          c:identityProviderEntityId="https://idp.wolflake.com:8443/idp/shibboleth"
          c:serviceProviderEntityId="urn:mace:saml:pac4j.org"/>

    <bean id="saml1" class="org.pac4j.saml.client.SAML2Client"
          c:configuration-ref="samlConfig" />

    <bean id="clients" class="org.pac4j.core.client.Clients">
        <property name="callbackUrl" value="http://localhost:8080/cas/login" />
        <property name="clients">
            <list>
                <ref bean="saml1" />
            </list>
        </property>
    </bean>

Running the demo with jetty, I'm hitting http://localhost:8080/cas/login?client_name=SAML2Client&needs_client_redirection=true for testing with the browser.

I get redirected to the IdP (https://idp.wolflake.com:8443/idp/profile/SAML2/POST/SSO), but rather than getting a login prompt, I just get this:

Web Login Service - Message Security Error
The request cannot be fulfilled because the message received does not meet the security requirements of the login service.

In the IdP relying-party.xml, it's set up to allow unverified RPs, and works with a local Shibboleth SP.

    <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:encryptAssertions="true" />
            </list>
        </property>
    </bean>

Not sure what I'm missing.  Any pointers would be greatly appreciated :-)

Thanks
Andy


Misagh Moayyed

Jan 13, 2016, 11:03:23 AM
to pac4j-users

You’d have to look into your IdP logs to see what is going on. All AuthN requests submitted from pac4j are signed. I’d start there and see whether the idp has any issues with those requests.


Andy Warner

Jan 13, 2016, 4:47:12 PM
to pac4j-users
Thanks Misagh, I have it working now.  It required that I put a link to cas-metadata.xml file in the metadata-providers.xml on the IdP.

    <MetadataProvider id="pac4j" xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shib-idp/metadata/cas-metadata.xml"/>

I also added pac4j to the relying-party.xml, although I'm not even sure that is required:

    <bean parent="RelyingPartyByName" c:relyingPartyIds="urn:mace:saml:pac4j.org">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:encryptAssertions="true" />
            </list>
        </property>
    </bean>

Hopefully this will help someone else that needs to get saml working with cas using pac4j and a shibboleth IdP for testing.

BTW, somewhere I saw mention of using multiple client names for presumably multiple IdPs.
Anyone know how to use multiple client_names instead of just client_name=SAML2Client in the url?
Looking at applicationContext.xml and ./java/org/leleuj/PrintSamlMetadata.java, it appears to be hard-coded unless I'm missing something.

Thanks
Andy
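The fix Andy describes above is the general rule behind the "Message Security Error": pac4j signs every AuthnRequest, and the IdP can only verify that signature if the SP's entityID and signing certificate are registered through one of its metadata providers. The script below is an added example (not code from pac4j, CAS or Shibboleth) that reproduces that trust check offline: it reads the `c:serviceProviderEntityId` from a trimmed copy of the pac4j Spring bean, then looks the entityID up in constructed IdP metadata documents and reports why a signed request from it would be refused. All XML in it is constructed sample input, the certificate values are placeholders rather than real keys, and the `sp.example.test` URLs are assumptions.

```python
"""Check that a SAML SP is registered in an IdP's metadata with a signing
certificate, which is what the IdP needs before it can verify pac4j's signed
AuthnRequests.  Added example, not code from pac4j, CAS or Shibboleth; every XML
document below is constructed sample input and the certificate values are
placeholders, not real keys."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
BEANS = "http://www.springframework.org/schema/beans"
SPRING_C = "http://www.springframework.org/schema/c"

# Constructed: the pac4j client bean from applicationContext.xml, trimmed to the
# one attribute this check reads.
SPRING_CONFIG = f"""<beans xmlns="{BEANS}" xmlns:c="{SPRING_C}">
  <bean id="samlConfig" class="org.pac4j.saml.client.SAML2ClientConfiguration"
        c:serviceProviderEntityId="urn:mace:saml:pac4j.org"/>
</beans>"""


def sp_metadata(entity_id, acs_url, cert_b64=None, requests_signed=True):
    """Build a constructed SP EntityDescriptor shaped like the cas-metadata.xml
    pac4j generates (placeholder certificate, not a real one)."""
    key = ""
    if cert_b64:
        key = (f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
               f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
               f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    return (f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="{entity_id}">'
            f'<md:SPSSODescriptor AuthnRequestsSigned="{str(requests_signed).lower()}" '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">{key}'
            f'<md:AssertionConsumerService index="0" '
            f'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{acs_url}"/>'
            f'</md:SPSSODescriptor></md:EntityDescriptor>')


def configured_sp_entity_id(spring_xml):
    """Return the c:serviceProviderEntityId pac4j will put in its AuthnRequests."""
    for bean in ET.fromstring(spring_xml).iter(f"{{{BEANS}}}bean"):
        value = bean.get(f"{{{SPRING_C}}}serviceProviderEntityId")
        if value:
            return value
    return None


def registered_sps(*metadata_docs):
    """Map entityID -> (AuthnRequestsSigned, [signing certs]) for every SP in the
    given metadata documents (a single EntityDescriptor or an aggregate)."""
    found = {}
    for doc in metadata_docs:
        for ed in ET.fromstring(doc).iter(f"{{{MD}}}EntityDescriptor"):
            sp = ed.find(f"{{{MD}}}SPSSODescriptor")
            if sp is None:
                continue  # IdP-only descriptor, irrelevant here
            certs = []
            for kd in sp.findall(f"{{{MD}}}KeyDescriptor"):
                if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
                    certs += [c.text.strip() for c in kd.iter(f"{{{DS}}}X509Certificate") if c.text]
            found[ed.get("entityID")] = (sp.get("AuthnRequestsSigned") == "true", certs)
    return found


def check_sp_trust(entity_id, *idp_metadata_docs):
    """Explain why the IdP would refuse a signed AuthnRequest from entity_id.
    Returns a list of findings; an empty list means the SP is registered usably."""
    sps = registered_sps(*idp_metadata_docs)
    if entity_id not in sps:
        return [f"{entity_id} is not in any IdP metadata provider, so the IdP has "
                f"no key to verify its signed AuthnRequest"]
    signed, certs = sps[entity_id]
    if signed and not certs:
        return [f"{entity_id} sets AuthnRequestsSigned but publishes no signing certificate"]
    return []


# Constructed IdP metadata store: the local Shibboleth SP is registered, pac4j is not.
LOCAL_SHIB_SP = sp_metadata("https://sp.example.test/shibboleth",
                            "https://sp.example.test/Shibboleth.sso/SAML2/POST",
                            cert_b64="PLACEHOLDER-SHIB-SP-CERT")
PAC4J_SP = sp_metadata("urn:mace:saml:pac4j.org",
                       "http://localhost:8080/cas/login?client_name=SAML2Client",
                       cert_b64="PLACEHOLDER-PAC4J-CERT")

if __name__ == "__main__":
    sp_id = configured_sp_entity_id(SPRING_CONFIG)
    print("before registering cas-metadata.xml:", check_sp_trust(sp_id, LOCAL_SHIB_SP))
    print("after registering cas-metadata.xml: ", check_sp_trust(sp_id, LOCAL_SHIB_SP, PAC4J_SP))
```

Run as-is it reports the situation from the first post (the pac4j entityID is absent from the IdP's metadata, so the IdP has nothing to verify the signature against) and then a clean result once the pac4j descriptor is included, which is what adding cas-metadata.xml to metadata-providers.xml achieves; the second finding covers the related case of an SP that declares AuthnRequestsSigned but ships no signing certificate.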