UNHANDLEDEXCEPTION "Unable to extract public key"


blab...@gmail.com

Mar 26, 2018, 6:57:12 AM3/26/18
to SimpleSAMLphp
I'm a newbie in this field, so expect trivial mistakes. Also, I'm sorry if I fail to provide some relevant information below.

What are you trying to do?

I am trying to set up SSO involving Plone and ownCloud. The IdP is Plone itself, using collective.saml2. ownCloud uses its user_saml app, for which a working SimpleSAMLphp SP connected to the IdP is a prerequisite.

What have you done?

Since I'm only testing, I followed the guide steps:
    • configured as an SP based on the quick start guide steps:
      • authsources.php contains the following default-sp (only comments removed):
        'default-sp' => array(
            'saml:SP',
            'privatekey' => 'saml.pem',
            'certificate' => 'saml.crt',
            'entityID' => 'simplesamlphp',
            'idp' => 'plonesamlauth',
            'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
            'discoURL' => null,
        ),

      • Plone IdP metadata has been converted with the XML to SimpleSAMLphp metadata converter for saml20-idp-remote.php:
                $metadata['plonesamlauth'] = array (
                  'entityid' => 'plonesamlauth',
                  'contacts' =>
                  array (
                  ),
                  'metadata-set' => 'saml20-idp-remote',
                  'expire' => 1552807338,
                  'SingleSignOnService' =>
                  array (
                    0 =>
                    array (
                      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                      'Location' => 'http://localhost:8080/Plone/saml2idp/redirect',
                    ),
                    1 =>
                    array (
                      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                      'Location' => 'http://localhost:8080/Plone/saml2idp/post',
                    ),
                  ),
                  'SingleLogoutService' =>
                  array (
                  ),
                  'ArtifactResolutionService' =>
                  array (
                  ),
                  'NameIDFormats' =>
                  array (
                    0 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
                  ),
                  'keys' =>
                  array (
                    0 =>
                    array (
                      'encryption' => false,
                      'signing' => true,
                      'type' => 'X509Certificate',
                      'X509Certificate' => 'MIIEpAIBAAKCAQEAqX9BKK...+MbBg==',
                    ),
                  ),
                );


Is there anything wrong?
  • when I use the Test authentication sources - default-sp link:
    • the log shows Plone, as the IdP, receiving an incoming <samlp:AuthnRequest> message, and I get redirected to the Plone login page
    • I log in with valid credentials into Plone (so far all good)
    • the log shows Plone sending the following outgoing SAML message:
2018-03-26 12:18:10 INFO dm.zope.saml2.role outgoing saml message to http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp via binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST with relay state http://localhost/simplesaml/module.php/core/authenticate.php?as=default-sp:
<ns1:Response Destination="http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" ID="_cfef5f71-14ef-4906-a500-eb92dc2ad69e" InResponseTo="_751637a0688bd68c11087be56393623fd2f534e86f" IssueInstant="2018-03-26T10:18:10.118697Z" Version="2.0" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#"><ns2:Issuer>plonesamlauth</ns2:Issuer><ns1:Status><ns1:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns1:Status><ns2:Assertion ID="_f49660a3-a17b-4a5d-be10-e748b0638a8d" IssueInstant="2018-03-26T10:18:09.998225Z" Version="2.0"><ns2:Issuer>plonesamlauth</ns2:Issuer><ns3:Signature><ns3:SignedInfo><ns3:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns3:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns3:Reference URI="#_f49660a3-a17b-4a5d-be10-e748b0638a8d"><ns3:Transforms><ns3:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns3:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns3:Transforms><ns3:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns3:DigestValue>MtJ1eay+SFA6th3l0KLzUFLMD9k=</ns3:DigestValue></ns3:Reference></ns3:SignedInfo><ns3:SignatureValue>ivpFyrIcbkf3uKs+Nfl82RcQA7qQP1YDSQGsfRp4rnFC3HSaYq3BQ/OgGR53gSva
eqlALXJzRvJuoGePzxFGdrlFm6ruganB3qOVm/5apgtRYTC+25b9ZgRLju76CEqH
oWPlEWQmK1Aflf85RvJlJB7VVPITK8vnX2MHBEvSvFoDJV4fGpJY22DErHQSS9VB
xvhOoqt1YUHxtrDetkNJP/65UuHk6J5Ohw5+ucrnC4DZRjmk01Nfve3qWp+nCiWd
MPLAcnpiFlk76cRVJyB6C6SX1efEmpYSGtl468U9M3FwrlgXgPdd2nt04gzkDRPN
SonQNI4UayjXRYotV3FEig==</ns3:SignatureValue></ns3:Signature><ns2:Subject><ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="plonesamlauth">admin</ns2:NameID><ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns2:SubjectConfirmationData InResponseTo="_751637a0688bd68c11087be56393623fd2f534e86f" NotOnOrAfter="2018-03-26T10:23:10.116395Z" Recipient="http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"/></ns2:SubjectConfirmation></ns2:Subject><ns2:Conditions><ns2:AudienceRestriction><ns2:Audience>simplesamlphp</ns2:Audience></ns2:AudienceRestriction></ns2:Conditions><ns2:AuthnStatement AuthnInstant="2018-03-26T10:18:09.998225Z"><ns2:AuthnContext><ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef></ns2:AuthnContext></ns2:AuthnStatement></ns2:Assertion></ns1:Response>
    • which results in the SimpleSAMLphp Unhandled exception page with the following info:

Debug information

The debug information below may be of interest to the administrator / help desk:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Unable to extract public key
Backtrace:
4 vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:340 (RobRichards\XMLSecLibs\XMLSecurityKey::loadKey)
3 modules/saml/lib/Message.php:212 (sspmod_saml_Message::checkSign)
2 modules/saml/lib/Message.php:565 (sspmod_saml_Message::processResponse)
1 modules/saml/www/sp/saml2-acs.php:129 (require)
0 www/module.php:135 (N/A)

I got stuck here...

Additional info:

Since these are my first tests, I used self-signed certificates created following the section 1.1 instructions. The Plone IdP also uses a self-signed certificate, created the same way.

After encountering the above error I searched for it, but got nowhere. Some suggested reloading the metadata, and expired certificates. So I tried removing the certificates, creating brand new ones with -days 3652 on both systems, then updating the metadata in both systems, but it did not help... same error.

Can someone help with this issue or point me in the right direction?

Thanks!

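Editor's note, added to the thread and not part of the original post: the X509Certificate value in the saml20-idp-remote.php entry above begins with MIIEpAIBAAKCAQEA, which base64-decodes to the DER header 30 82 04 a4 02 01 00 02 82 01 01 00: a SEQUENCE holding INTEGER 0 followed by a 257-byte INTEGER (a 2048-bit modulus with its leading zero). That is the layout of a PKCS#1 RSAPrivateKey, not of an X.509 certificate, which starts with a nested SEQUENCE (the tbsCertificate). XMLSecurityKey::loadKey, the frame at the top of the backtrace, is asked to extract a public key from that value and cannot, which is the exception shown. Two consequences for anyone hitting this: the 'keys' entry has to carry the IdP's signing certificate (the .crt material, without the PEM armour), not the contents of the .pem private key; and if the metadata was produced from the IdP's live key, that private key has now been distributed as metadata and should be rotated rather than reused.

The script below is an added example (not code from SimpleSAMLphp, xmlseclibs or anyone in the thread) that classifies such a blob by its DER header alone, so the check can be run on every X509Certificate in a metadata file before loading it. It uses only the Python standard library. THREAD_X509 is the value exactly as pasted above, truncated with "..."; CERT_HEADER and SPKI_HEADER are constructed DER headers for comparison, not taken from the thread.

```python
"""Classify what the base64 DER blob in a SAML metadata 'X509Certificate' field really is.

Added example, not part of the thread or of SimpleSAMLphp. Only the first few
header bytes are inspected, so a value truncated with '...' still classifies.
"""
import base64
import re

# ASN.1 DER universal tags this classifier needs
TAG_INTEGER = 0x02
TAG_OID = 0x06
TAG_SEQUENCE = 0x30
TAG_CTX0 = 0xA0   # [0] EXPLICIT: the version field of an X.509 tbsCertificate


def _read_tlv(der, pos):
    """Parse one DER tag and length at der[pos].

    Returns (tag, content_offset, content_length). The content itself may be
    truncated in the input; callers only look at its first byte or two."""
    if pos + 2 > len(der):
        raise ValueError("truncated DER header at offset %d" % pos)
    tag, first = der[pos], der[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, first
    nbytes = first & 0x7F                  # long-form: number of length bytes
    if nbytes == 0 or nbytes > 4 or pos + 2 + nbytes > len(der):
        raise ValueError("bad DER length at offset %d" % pos)
    length = int.from_bytes(der[pos + 2:pos + 2 + nbytes], "big")
    return tag, pos + 2 + nbytes, length


def decode_metadata_blob(value):
    """Turn an X509Certificate metadata value into DER bytes.

    PEM armour and whitespace are stripped. A value pasted with '...' in the
    middle (as in the thread) is cut at the '...' so only its head is decoded."""
    head = value.split("...")[0]
    head = re.sub(r"-----[A-Z ]+-----", "", head)
    head = re.sub(r"[^A-Za-z0-9+/]", "", head)
    if len(head) % 4 == 1:                 # a lone trailing sextet cannot form a byte
        head = head[:-1]
    head += "=" * (-len(head) % 4)         # restore padding
    return base64.b64decode(head)


def classify_der(der):
    """Name the ASN.1 structure from its leading tags."""
    tag, s0, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        return "not a DER SEQUENCE"
    t1, s1, l1 = _read_tlv(der, s0)
    if t1 == TAG_SEQUENCE:                 # certificate or SubjectPublicKeyInfo
        if s1 >= len(der):
            return "truncated"
        inner = der[s1]
        if inner in (TAG_CTX0, TAG_INTEGER):   # tbsCertificate: [0] version or serialNumber
            return "X.509 certificate"
        if inner == TAG_OID:                   # AlgorithmIdentifier
            return "SubjectPublicKeyInfo (bare public key, not a certificate)"
        return "unrecognised SEQUENCE"
    if t1 == TAG_INTEGER:
        if l1 == 1 and s1 < len(der) and der[s1] == 0:   # version 0
            t2, s2, l2 = _read_tlv(der, s1 + 1)
            if t2 == TAG_INTEGER:          # modulus n follows: PKCS#1 RSAPrivateKey
                leading_zero = 1 if s2 < len(der) and der[s2] == 0 else 0
                bits = (l2 - leading_zero) * 8
                return "PKCS#1 RSAPrivateKey (%d-bit): a PRIVATE key" % bits
            if t2 == TAG_SEQUENCE:         # AlgorithmIdentifier follows
                return "PKCS#8 PrivateKeyInfo: a PRIVATE key"
        if l1 > 16:                        # large first INTEGER: RSAPublicKey {n, e}
            return "PKCS#1 RSAPublicKey (bare public key, not a certificate)"
    return "unrecognised"


def classify_metadata_value(value):
    """Convenience wrapper: metadata string in, classification out."""
    return classify_der(decode_metadata_blob(value))


# The value exactly as pasted in the thread's saml20-idp-remote.php (truncated)
THREAD_X509 = "MIIEpAIBAAKCAQEAqX9BKK...+MbBg=="

# Constructed DER headers (not from the thread) showing what a v3 certificate
# and a bare 2048-bit RSA SubjectPublicKeyInfo look like at the same offsets.
CERT_HEADER = bytes.fromhex("308203c5308202ada003020102")
SPKI_HEADER = bytes.fromhex("30820122300d06092a864886f70d0101010500")

if __name__ == "__main__":
    print("thread value :", classify_metadata_value(THREAD_X509))
    print("constructed  :", classify_der(CERT_HEADER))
    print("constructed  :", classify_der(SPKI_HEADER))
```

Run as-is it reports the thread's value as a 2048-bit PKCS#1 RSA private key and the two constructed headers as a certificate and a bare public key. For a real deployment, feed every X509Certificate string in saml20-idp-remote.php (and the file named by the SP's own 'certificate' option) to classify_metadata_value; anything other than "X.509 certificate" is the wrong material and will fail in loadKey in the same way.
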
trun...@vnext.com.vn

May 16, 2020, 12:47:14 AM5/16/20
to SimpleSAMLphp
I have the same issue as you! Can you help me?

Lewis LaCook

May 27, 2020, 6:24:36 AM5/27/20
to SimpleSAMLphp
We've also recently run across this exception with an install that we've had running for years. Any resolution or tips toward finding one would be appreciated!

Peter Schober

May 27, 2020, 9:08:02 AM5/27/20
to SimpleSAMLphp
* Lewis LaCook <le...@lewislacook.org> [2020-05-27 12:30]:
> We've also recently run across this exception with an install that we've
> had running for years. Any resolution or tips toward finding one would be
> appreciated!

Unless all the details and software implementations used exactly match
those described in the thread you're replying to (i.e., you're using
Plone as a SAML IdP and ownCloud as the SAML SP), a "me too" kind of
reply is unlikely to let anyone help you determine the error in your
specific deployment.

-peter