SSO login configuration in VocBench


Joeli Takala

Sep 12, 2024, 9:35:18 AM9/12/24
to vocbench-user
Hello,

I'm configuring VB login through an SSO identity provider, and it's going somewhat fine, up until the point where the system is trying to access the semanticturkey saml file during the SSO login.

The saml file would be accessed at (http://base-url/semanticturkey/saml2/login/sso/st_saml). This gives me an error page with "Access denied. You need to be logged in"

This happens both on my locally installed VB and with the one running on a server. I have generated the identity provider metadata and saved it in the idp-metadata.xml file configured in VB.

The only tweak so far was that I spotted in the logs that spring.security.saml2.relyingparty.registration.st_saml.entity-id was not set during vocbench startup. That could be sorted by adding the line in the config/saml/application.yml and making sure it matches with the entity-id I had set up in the identity provider for my VB installation.

I have optional configuration lines in the identity provider side that could be helpful here, but I'm not sure whether they are applicable in this case:

IDP-Initiated SSO URL name
IDP Initiated SSO Relay State
Master SAML Processing URL  (here I tried providing the location for {baseUrl}/semanticturkey/saml2/service-provider-metadata/st_saml in case it would work)

https://vocbench.uniroma2.it/doc/sys/ at "SAML configuration" indicates that both {baseUrl}/semanticturkey/saml2/service-provider-metadata/st_saml and {baseUrl}/semanticturkey/saml2/login/sso/st_saml would be accessible, but I have the problem that only the first one is, and the second one is giving me a 401 error.

Any tips on how to proceed with this?


_____________
Joeli Takala

Tiziano Lorenzetti

Sep 12, 2024, 11:55:34 AM9/12/24
to Joeli Takala, vocbench-user
Dear Joeli,
if you don't explicitly set the entity-id in config/saml/application.yml, an ID is automatically initialized with the default value that is
{baseUrl}/saml2/service-provider-metadata/st_saml
This is also the endpoint for generating the Service Provider metadata.

I confirm that you can explicitly set the entity ID using the property
spring.security.saml2.relyingparty.registration.st_saml.entity-id
However, in most cases it's not required, you can leave the default value.
 
So, you can generate Semantic Turkey metadata by accessing the URL
{baseUrl}/saml2/service-provider-metadata/st_saml
and you'll notice that the entityID set in the generated XML metadata is the same as the default one.

As for:
{baseUrl}/semanticturkey/saml2/login/sso/st_saml
this URL represents the location of the Assertion Consumer Service, namely the endpoint where the SAML Response is posted after authentication.
It is not meant to be accessed manually, it is just part of the automatic SAML flow and it's designed to accept POST requests containing the SAML Response from the IdP.
So, I guess it's normal that you receive an error trying to access it.

About the optional fields on the IdP side, you don't need to configure them, so you can leave them empty.

Best regards,
Tiziano
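The reply above boils down to two checks a practitioner will want to run before touching the IdP side: that the entityID in the generated SP metadata is the one the IdP has been told about (the default being the metadata URL itself), and that the URL returning 401 is in fact the HTTP-POST Assertion Consumer Service, which a browser GET is not expected to reach. The script below is an added example and is not code from VocBench, Semantic Turkey or the thread's authors. It parses a constructed SP metadata document in the shape described in the thread; the host name vb.example.org, the choice to treat the base URL as ending in /semanticturkey, the registration id st_saml, and the function names are assumptions made for the example. Pointing it at a real deployment means replacing SAMPLE_METADATA with the body fetched from {baseUrl}/saml2/service-provider-metadata/st_saml.

```python
"""Sanity-check a SAML 2.0 Service Provider (relying party) metadata document:
entityID as expected by the IdP, and an HTTP-POST Assertion Consumer Service
at the location the thread describes. Standard library only; runs offline."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample (not captured from a real VocBench instance): the layout
# mirrors what the thread says Spring Security emits for registration "st_saml".
# The host vb.example.org is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vb.example.org/semanticturkey/saml2/service-provider-metadata/st_saml">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vb.example.org/semanticturkey/saml2/login/sso/st_saml"
        index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return {'entity_id': str, 'acs': [{'binding', 'location', 'index'}, ...]}."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("not a SAML 2.0 EntityDescriptor: %s" % root.tag)
    acs = [
        {"binding": e.get("Binding"), "location": e.get("Location"), "index": e.get("index")}
        for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    ]
    return {"entity_id": root.get("entityID"), "acs": acs}


def check_sp_metadata(xml_text, base_url, registration_id="st_saml", expected_entity_id=None):
    """Compare the SP metadata against what the IdP was configured with.

    base_url is assumed to include the /semanticturkey context path.
    expected_entity_id is the value entered at the IdP; when None we assume
    the default described in the thread, i.e. the metadata URL itself.
    Returns a list of findings; an empty list means the metadata is consistent.
    """
    meta = parse_sp_metadata(xml_text)
    base = base_url.rstrip("/")
    metadata_url = "%s/saml2/service-provider-metadata/%s" % (base, registration_id)
    acs_url = "%s/saml2/login/sso/%s" % (base, registration_id)
    want_entity = expected_entity_id or metadata_url

    findings = []
    if meta["entity_id"] != want_entity:
        findings.append("entityID mismatch: metadata says %r, IdP expects %r"
                        % (meta["entity_id"], want_entity))
    post_acs = [a for a in meta["acs"] if a["binding"] == HTTP_POST]
    if not post_acs:
        findings.append("no HTTP-POST AssertionConsumerService in metadata")
    elif not any(a["location"] == acs_url for a in post_acs):
        findings.append("ACS location mismatch: expected %r, found %r"
                        % (acs_url, [a["location"] for a in post_acs]))
    return findings


def is_post_only_acs(xml_text, url):
    """True when url is an HTTP-POST ACS of this SP: only a POST carrying a
    SAMLResponse form field from the IdP belongs there, so a manual GET
    (what the original poster tried) is expected to be rejected."""
    meta = parse_sp_metadata(xml_text)
    return any(a["location"] == url and a["binding"] == HTTP_POST for a in meta["acs"])


if __name__ == "__main__":
    base = "https://vb.example.org/semanticturkey"
    problems = check_sp_metadata(SAMPLE_METADATA, base)
    print("findings:", problems or "none")
    acs = base + "/saml2/login/sso/st_saml"
    print(acs, "is POST-only ACS:", is_post_only_acs(SAMPLE_METADATA, acs))
```

If check_sp_metadata reports an entityID mismatch, fix it on one side only: either set spring.security.saml2.relyingparty.registration.st_saml.entity-id to the value the IdP holds, or re-enter the metadata's entityID at the IdP; keeping both in sync by hand is where drift creeps in.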
