Issue with Integration of Spring Security SAML Java application with ADFS 4 - spring-security

I am trying to integrate SSO in an existing Java/JSP based application (SP) with the help of the Spring Security SAML extension and ADFS 4 (IP). After I land on the ADFS SSO page from the SP login link and enter credentials, the application is not able to validate the ADFS response and gives the error "HTTP Status 401 - Authentication Failed: Error validating SAML message".
However, from the logs I can see that the Assertion is already decrypted successfully and the Attributes are being printed, so I am not able to understand why it is giving the Authentication Failed error. Please help. I am providing the log data below. The Java application is hosted on a Tomcat server.
20-08-2019 11:52:20,003 DEBUG org.apache.xml.security.signature.Reference:? - Verification successful for URI "#_530eaef7-3196-431c-bef8-36fc7c76ef27"
20-08-2019 11:52:20,003 DEBUG org.apache.xml.security.signature.Manifest:? - The Reference has Type
20-08-2019 11:52:20,006 TRACE org.springframework.web.context.support.XmlWebApplicationContext:322 - Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.AuthenticationFailureServiceExceptionEvent[source=org.springframework.security.saml.SAMLAuthenticationToken@43b19eef: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities]
20-08-2019 11:52:20,006 DEBUG org.springframework.security.saml.SAMLProcessingFilter:346 - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
20-08-2019 11:52:20,006 DEBUG org.springframework.security.saml.SAMLProcessingFilter:347 - Updated SecurityContextHolder to contain null Authentication
20-08-2019 11:52:20,007 DEBUG org.springframework.security.saml.SAMLProcessingFilter:348 - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@90f53ff
20-08-2019 11:52:20,007 DEBUG org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler:56 - No failure URL set, sending 401 Unauthorized error
20-08-2019 11:52:20,007 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.

Related

actions on google home app not calling token exchange endpoint

Everything is OK before the token exchange. I found that Google Home showed "something went wrong, try again." It seems that the account linking failed. I checked the official document, but I could not find where it goes wrong.
Our OAuth server's log:
14:30:09.322 [https-jsse-nio-9000-exec-10] DEBUG o.s.s.w.FilterChainProxy - [doFilterInternal,218] - Securing GET /oauth2/authorize?response_type=code&client_id=home-control-google&redirect_uri=https://oauth-redirect.googleusercontent.com/r/smarthome-63b16&state=AGsGMl0x-_cveABQcrOPo1I0RVk6fFwzA328sn87humHtmb_d33ppy7MtK0bnqRKJnKKocsJlIGBZyqUBfZnmskiIi5lFU4Kfus9gVFJeQAqyWoKOUwKUbKo5xl3ieM-ElcYYqMJJ0M4IJ5L171QldMLmeAoIJPlSoIgB4-cTx5NQoXYdcFgj4deBZ8p1GA1ucuT_UlTc72irf8GXlLg19geMnJ0W6-PE8cRlx0gN22Qj8AzsmXRRj_h0N6unvRIIfJI-7NaFdmVpYVQBuXzZYi-ajjcLLhiQYLSveVFnbSv-HS2P8mRuZvXhooPoqnj9j7yg0TPDaXPsS3myHb7G1Ka9UHIXHy6yQnEtboQQhLPfHzw204raLk4FzxzUqF4RGz7I8RZu8ExGopO0NkXk4xHn51oLJumyAs6FRJ6n38sYw43yWboa1q3KjAqiPs-2AxqHofL1Hzq-xmWKvKNx5D1i80toVi3nIQys_EPOje89qWH6cWgcuiJ2s4-l_ZIkuw0GK1YT61_dg9XSW2ACJ72agnY2k81vTZYJt1yuh_kGgg83_oqbjcsazr2x9gF_beVxOxq65H9xxYE0D8m2tiNJRaS5CUvygQLJjqCoOy1JozI0sgS9dy6warYk7mc9KPg27e5LagQmEYdghtG_5t5iluzNX4jag
14:30:09.353 [https-jsse-nio-9000-exec-10] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - [readSecurityContextFromSession,189] - Retrieved SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=linesware, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=58.56.179.134, SessionId=E1CD90937DE27B197B6DA53D47FA0454], Granted Authorities=[ROLE_USER]]]
14:30:09.384 [https-jsse-nio-9000-exec-10] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - [doFilter,109] - Set SecurityContextHolder to SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=linesware, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=58.56.179.134, SessionId=E1CD90937DE27B197B6DA53D47FA0454], Granted Authorities=[ROLE_USER]]]
14:30:11.556 [https-jsse-nio-9000-exec-10] DEBUG o.s.s.w.DefaultRedirectStrategy - [sendRedirect,57] - Redirecting to https://oauth-redirect.googleusercontent.com/r/smarthome-63b16?code=O1h-RSPrRnKn45aWutuafiC3EkB_jVVJU-AJfRwdB177-xq1BIJ2fHbftdaMNHZ1Zv70YkKvtHkHZGKO5kAwoqYGmK0ATXAAnSYmyNg_cdQ5Q9V2YnVhs3RUkUr1lYtb&state=AGsGMl0x-_cveABQcrOPo1I0RVk6fFwzA328sn87humHtmb_d33ppy7MtK0bnqRKJnKKocsJlIGBZyqUBfZnmskiIi5lFU4Kfus9gVFJeQAqyWoKOUwKUbKo5xl3ieM-ElcYYqMJJ0M4IJ5L171QldMLmeAoIJPlSoIgB4-cTx5NQoXYdcFgj4deBZ8p1GA1ucuT_UlTc72irf8GXlLg19geMnJ0W6-PE8cRlx0gN22Qj8AzsmXRRj_h0N6unvRIIfJI-7NaFdmVpYVQBuXzZYi-ajjcLLhiQYLSveVFnbSv-HS2P8mRuZvXhooPoqnj9j7yg0TPDaXPsS3myHb7G1Ka9UHIXHy6yQnEtboQQhLPfHzw204raLk4FzxzUqF4RGz7I8RZu8ExGopO0NkXk4xHn51oLJumyAs6FRJ6n38sYw43yWboa1q3KjAqiPs-2AxqHofL1Hzq-xmWKvKNx5D1i80toVi3nIQys_EPOje89qWH6cWgcuiJ2s4-l_ZIkuw0GK1YT61_dg9XSW2ACJ72agnY2k81vTZYJt1yuh_kGgg83_oqbjcsazr2x9gF_beVxOxq65H9xxYE0D8m2tiNJRaS5CUvygQLJjqCoOy1JozI0sgS9dy6warYk7mc9KPg27e5LagQmEYdghtG_5t5iluzNX4jag
14:30:11.556 [https-jsse-nio-9000-exec-10] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - [doFilter,120] - Cleared SecurityContextHolder to complete request
Exchange authorization codes for access tokens
Account Linking through Google Home App consists of two steps: Users are sent to your Authorization Url to provide credentials and complete the consent flow. Once this process is completed successfully, your server gets a token exchange request containing the authorization code at your Token Url. In order to debug this flow, you might need to understand if your credentials exchange completes successfully. You can learn more from the Account Linking Documentation for Google Home.
If you still have issues after this step, make sure to take a look at the Troubleshooting flow. You can also go through the introductory codelab to try these out in a brand new project with a functioning OAuth 2.0 implementation to compare against your project/implementation.

se.curity.identityserver.util.AllowedFrameOriginUtils

I was trying out the curity configuration for an authentication service and a token service for OAuth and OpenID Connect locally. After all the configuration, when I was trying to test it with OAuth Assistant, I get an error:
Bad request
The request could not be processed
In the terminal, I can see these two INFO logs in particular:
se.curity.identityserver.util.AllowedFrameOriginUtils - Requested origin is not allowed: 'http://localhost:...'
se.curity.identityserver.controllers.authorize.AuthorizeOAuthRequestModelProvider - Could not establish the redirect uri for request and client www. If this error occurs *after* being redirected to the authentication service and back, then this error has probably occurred because the original session cookie has been lost. Ensure that the cookie named 'sessionid' was sent to the authentication service. If not, check that the user's browser is not withholding it (for example by the cookie jar becoming full) and that a reverse proxy is not interfering with it.
There is no issue with sessionid. Anyone know how to fix this issue?

OpenAM receives oAuth2 auth code, but doesnt request access token Invalid Session Id

I have implemented my own OAuth2 provider server (using the Grails Spring Security OAuth2 plugin) and am now trying to connect it to OpenAM.
When I try to log in, it redirects properly to my own login form and on successful authentication redirects back to OpenAM with the following URL:
http://sso.my-domain.com/openam/XUI/#login/&realm=%myRealm&code=dPPg1g&state=rzhjjjl1wpmndz7zfh4gqm1r5k9xi2l
However, OpenAM says "Unable to login". The auth code is in the URL, so it should be able to request an access token. I did some debugging and found that it doesn't even attempt to retrieve a token; the relevant bits of the logs follow:
from localhost_access_log:
[15/Dec/2015:11:29:17 +0100] "GET /MyOAuthProvider/oauth/authorize?client_id=openAm&scope=read&redirect_uri=http%3A%2F%2Fsso.my-domain.com%3A80%2Fopenam%2Foauth2c%2FOAuthProxy.jsp&response_type=code&state=rzhjjjl1wpmndz7zfh4gqm1r5k9xi2l HTTP/1.1" 200 901
[15/Dec/2015:11:29:18 +0100] "POST /MyOAuthProvider/oauth/authorize?client_id=openAm&scope=read&redirect_uri=http%3A%2F%2Fsso.my-domain.com%3A80%2Fopenam%2Foauth2c%2FOAuthProxy.jsp&response_type=code&state=rzhjjjl1wpmndz7zfh4gqm1r5k9xi2l HTTP/1.1" 302 -
As you can see, there is no call to /MyOAuthProvider/oauth/token, which is the token endpoint.
From /usr/share/tomcat7/openam/openam/debug/debug.log: http://pastebin.com/qivhR9JF (put on PasteBin because it's a little too long)
When testing locally I was able to get the auth code and then the token just fine with calls from Postman, so that shouldn't be the problem.
Am I missing something here? Any help is appreciated.
After digging around through the OpenAM debug log, I found out that it does attempt to retrieve the token, but gets a "Connection refused". It seems the problem lay in a proxy and routing on my servers.
Since OpenAM and my OAuth provider run on the same Tomcat, changing the token (and user data) URLs from sso.my-domain.com to localhost:8080 fixed the issue.

How do I configure Spring Security SAML to work with Okta?

I'm trying to make the spring-boot-security-saml-sample application work with Okta. To add Okta as a provider, I've made the following changes to WebSecurityConfig.java:
https://gist.github.com/mraible/c8b52972f76e6f5e30d5
I found the following question that provides some guidance, but I can't quite get things to work.
configuring saml-sample (SP) to work with Okta (IdP)
Here's what I'm using for values on Okta:
Application label: Spring Boot SAML App
Force Authentication: false
Post Back URL: http://localhost:8080/
Name ID Format: EmailAddressRecipient
Recipient: http://localhost:8080/saml/SSO/alias/defaultAlias
Audience Restriction: com:vdenotaris:spring:sp
authnContextClassRef: PasswordProtectedTransport
Response: Signed
Assertion: Signed
Request: Compressed
Destination: http://localhost:8080/saml/SSO/alias/defaultAlias
Default Relay State: (none)
Attribute Statements: email|${user.email},firstName|${user.firstName}
It looks like it works from the logs:
[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- BaseMessageEncoder: Successfully encoded message.
[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- HttpSessionStorage: Storing message a12gf64fh3f35fgh2a8dd1fd0i0dc02 to session C5D010344EF5D022718B12B6D25F1D1E
[2014-12-30 12:18:33.004] boot - 18748 INFO [http-nio-8080-exec-8] --- SAMLDefaultLogger: AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;com:vdenotaris:spring:sp;http://www.okta.com/k2gpb06TOMYOKAWUSXJM;;;
However, it redirects me to Okta's site rather than back to my site.
I got it to work! The key appears to be setting Request to "Uncompressed". From there, I removed "alias/defaultAlias" since this only seems to work when you set an alias on the ExtendedMetadata. My settings that work on the Okta side:
Application label: Spring Boot SAML App
Force Authentication: false
Post Back URL: http://localhost:8080/saml/SSO
Name ID Format: EmailAddressRecipient
Recipient: http://localhost:8080/saml/SSO
Audience Restriction: com:vdenotaris:spring:sp
authnContextClassRef: PasswordProtectedTransport
Response: Signed
Assertion: Signed
Request: Uncompressed
Destination: http://localhost:8080/saml/SSO
Default Relay State: (none)
Attribute Statements: email|${user.email},firstName|${user.firstName}
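The alias behaviour described in the answer above, as an added Java configuration example that is not part of the original post or of the spring-boot-security-saml-sample project: the SP's AssertionConsumerService URL is derived from the alias on the local ExtendedMetadata, so the Okta Recipient, Destination and Post Back URL must match whichever form the SP actually exposes. The base URL, entity ID and the ENTITY_ALIAS constant are assumptions; KeyManager is assumed to be a bean defined elsewhere in the configuration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;

@Configuration
public class SpMetadataConfig {

    // Assumed values; ENTITY_ID is what goes into Okta's "Audience Restriction".
    private static final String ENTITY_BASE_URL = "http://localhost:8080";
    private static final String ENTITY_ID = "com:vdenotaris:spring:sp";

    // null  -> SP endpoints are generated as /saml/SSO, /saml/metadata, ...
    // "defaultAlias" -> they become /saml/SSO/alias/defaultAlias, ...
    private static final String ENTITY_ALIAS = null;

    @Bean
    public ExtendedMetadata extendedMetadata() {
        ExtendedMetadata metadata = new ExtendedMetadata();
        metadata.setLocal(true);
        metadata.setIdpDiscoveryEnabled(false);
        metadata.setSignMetadata(false);
        // The alias on the *local* ExtendedMetadata is what adds the /alias/<name>
        // suffix to every generated SP endpoint. Without it, a Recipient of
        // .../saml/SSO/alias/defaultAlias on the Okta side never reaches the SP.
        metadata.setAlias(ENTITY_ALIAS);
        return metadata;
    }

    @Bean
    public MetadataGenerator metadataGenerator(KeyManager keyManager) {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId(ENTITY_ID);
        generator.setEntityBaseURL(ENTITY_BASE_URL);
        generator.setExtendedMetadata(extendedMetadata());
        generator.setIncludeDiscoveryExtension(false);
        generator.setKeyManager(keyManager);
        return generator;
    }

    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter(KeyManager keyManager) {
        return new MetadataGeneratorFilter(metadataGenerator(keyManager));
    }

    /**
     * The AssertionConsumerService URL the generator will publish for this SP.
     * Paste this value into Okta's Recipient, Destination and Post Back URL fields
     * so the signed Response is posted to an endpoint the SAML filter chain owns.
     */
    public static String assertionConsumerServiceUrl() {
        if (ENTITY_ALIAS == null) {
            return ENTITY_BASE_URL + "/saml/SSO";
        }
        return ENTITY_BASE_URL + "/saml/SSO/alias/" + ENTITY_ALIAS;
    }
}
```

Check the generated SP metadata at /saml/metadata after changing the alias: the AssertionConsumerService Location it advertises is the only URL Okta should be configured to post to.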
Matt,
Try setting the "Post Back URL" to "localhost:8080/saml/SSO/alias/defaultAlias".
From the looks of your configuration "localhost:8080/saml/SSO/alias/defaultAlias" is the SAML endpoint on "localhost" which is where we post the SAML Response to.
Right now with it being "localhost:8080/" - your demo site is probably just redirecting you back to Okta rather than parsing the SAML response.
You haven't mentioned what you have done on the Okta side to test this out. Here are the instructions on how to do it - https://support.okta.com/entries/27560008-Using-the-App-Integration-Wizard - using our App Wizard, which creates the proper SAML IdP endpoints on the Okta side. The SAML login URL on the Okta side is needed by your demo site so that it knows where to redirect SAML requests to.
For more info on SAML - you can check out our SAML guidance on our developer site - http://developer.okta.com/docs/getting_started/saml_guidance.html
Let me know how it goes. Cheers
Stephen

OAuth validation fails for valid token in wso2 IS 4.6

I have tried to secure a REST API by creating a custom handler with WSO2 Identity Server 4.6. It shows "Invalid token" even for valid tokens (stub.validate(dto).getValid() is always false), but it works well in IS 4.5. What could be the reason?
Please help.
Log in IS 4.6:
[2013-12-31 09:38:21,625] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token Request Received with the Client Id : jjTDKDAThDSg_IroxfpC4qjPCR8a, Grant Type : password
[2013-12-31 09:38:21,625] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were available in the cache for client id : jjTDKDAThDSg_IroxfpC4qjPCR8a
[2013-12-31 09:38:21,626] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : jjTDKDAThDSg_IroxfpC4qjPCR8a
[2013-12-31 09:38:21,646] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler} - Token request with Password Grant Type received. Username : admin@carbon.superScope : , Authentication State : true
[2013-12-31 09:38:21,647] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Access Token info retrieved from the cache and served to client with client id : jjTDKDAThDSg_IroxfpC4qjPCR8a
[2013-12-31 09:38:21,647] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Access Token issued to client. client-id=jjTDKDAThDSg_IroxfpC4qjPCR8a user-name=admin@carbon.super to application=sample
[2013-12-31 09:38:21,721] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin@carbon.super [-1234]' logged in at [2013-12-31 09:38:21,721+0530]
[2013-12-31 09:38:21,723] DEBUG {org.wso2.carbon.identity.oauth2.validators.TokenValidationHandler} - Access token identifier is not present in the validation request
[2013-12-31 09:38:21,740] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin@carbon.super [-1234]' logged in at [2013-12-31 09:38:21,740+0530]
DEBUG {org.wso2.carbon.identity.oauth2.validators.TokenValidationHandler} - Access token identifier is not present in the validation request
Log in IS 4.5:
[2013-12-31 09:48:47,432] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service}
- Access Token Request Received with the Client Id : jjTDKDAThDSg_IroxfpC4qjPCR8a, Grant Type : password
[2013-12-31 09:48:47,442] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were available in the cache for client id : jjTDKDAThDSg_IroxfpC4qjPCR8a
[2013-12-31 09:48:47,442] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : jjTDKDAThDSg_IroxfpC4qjPCR8a
[2013-12-31 09:48:47,462] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler} - Token request with Password Grant Type received. Username : admin@carbon.superScope : , Authentication State : true
[2013-12-31 09:48:47,462] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Access Token info retrieved from the cache and served to client with client id : jjTDKDAThDSg_IroxfpC4qjPCR8a
[2013-12-31 09:48:47,462] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Access Token issued to client. client-id=jjTDKDAThDSg_IroxfpC4qjPCR8a user-name=admin@carbon.super to application=sample
[2013-12-31 09:48:47,582] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin@carbon.super [-1234]' logged in at [2013-12-31 09:48:47,582+0530]
[2013-12-31 09:48:47,582] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService} - Token validation request received for : Client Id : nullTokenType : bearer
[2013-12-31 09:48:47,582] DEBUG {org.wso2.carbon.identity.oauth2.validators.BearerTokenValidator} - Started processing token validation request of type : bearer
[2013-12-31 09:48:47,612] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin@carbon.super [-1234]' logged in at [2013-12-31 09:48:47,612+0530]
[2013-12-31 09:48:47,612] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService} - Token validation request received for : Client Id : nullTokenType : bearer
[2013-12-31 09:48:47,612] DEBUG {org.wso2.carbon.identity.oauth2.validators.BearerTokenValidator} - Started processing token validation request of type : bearer
I faced the same problem with the OAuth Mediator in WSO2 ESB 4.8.0 accessing WSO2 Identity Server 4.6.0 via the OAuth2 validation web service. With Identity Server 4.5.0 it works fine. The mediator code invokes the client stub passing the accessToken as a plain string.
The error message returned by the validation service is "Access token identifier is not present in the validation request".
To answer your question, you should use the bundle org.wso2.carbon.identity.oauth.stub in version 4.2.2. It defines a class org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_OAuth2AccessToken which should be used as the parameter for the OAuth2TokenValidationRequestDTO.setAccessToken method. The dto object can then be used as the parameter for the OAuth2TokenValidationServiceStub.validate method.
As you may know, OAuth access tokens are validated by calling the OAuth2TokenValidationService web service in Identity Server. Could you try out this service using SoapUI and see? The WSDL can be found at https://{ip}:{port}/services/OAuth2TokenValidationService?wsdl. Normally this error is generated when the access token is not present in the web service request that is sent to this service.
The request message body must contain the following:
<xsd1:accessToken>
<xsd1:identifier>35d1538940ce9a1e86c0a287c521d14</xsd1:identifier>
<xsd1:tokenType>bearer</xsd1:tokenType>
</xsd1:accessToken>
In your code, the "dto" object may not have been properly set with the identifier value.
Also please find the sample OAuth token validation client code from here
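The client call the two answers above describe, as an added Java example that is not the page's own code nor WSO2's sample client: it builds the nested accessToken element through OAuth2TokenValidationRequestDTO_OAuth2AccessToken from the 4.2.2 stub so that the identifier actually reaches the OAuth2TokenValidationService, and authenticates to the admin service with HTTP Basic auth over Axis2. The service URL, admin credentials and trust store path are assumptions.

```java
import org.apache.axis2.client.Options;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.axis2.transport.http.HttpTransportProperties;
import org.wso2.carbon.identity.oauth2.stub.OAuth2TokenValidationServiceStub;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_OAuth2AccessToken;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationResponseDTO;

/**
 * Validates a bearer token against the IS 4.6 OAuth2TokenValidationService.
 * SERVICE_URL, ADMIN_USER, ADMIN_PASSWORD and the trust store path are assumed values.
 */
public class TokenValidationClient {

    private static final String SERVICE_URL =
            "https://localhost:9443/services/OAuth2TokenValidationService"; // assumption
    private static final String ADMIN_USER = "admin";                      // assumption
    private static final String ADMIN_PASSWORD = "admin";                  // assumption

    public static OAuth2TokenValidationResponseDTO validate(String accessToken) throws Exception {
        ConfigurationContext ctx =
                ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null);
        OAuth2TokenValidationServiceStub stub =
                new OAuth2TokenValidationServiceStub(ctx, SERVICE_URL);

        // The admin service is protected by HTTP Basic auth; authenticate the caller.
        HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
        auth.setUsername(ADMIN_USER);
        auth.setPassword(ADMIN_PASSWORD);
        auth.setPreemptiveAuthentication(true);
        Options options = stub._getServiceClient().getOptions();
        options.setProperty(HTTPConstants.AUTHENTICATE, auth);
        options.setManageSession(true);

        // IS 4.6 expects <accessToken><identifier/><tokenType/></accessToken>.
        // Passing the token as a bare string (the 4.5 shape) leaves the identifier
        // empty and yields "Access token identifier is not present in the validation request".
        OAuth2TokenValidationRequestDTO_OAuth2AccessToken token =
                new OAuth2TokenValidationRequestDTO_OAuth2AccessToken();
        token.setIdentifier(accessToken);
        token.setTokenType("bearer");

        OAuth2TokenValidationRequestDTO request = new OAuth2TokenValidationRequestDTO();
        request.setAccessToken(token);

        return stub.validate(request);
    }

    public static void main(String[] args) throws Exception {
        // IS ships with a self-signed certificate; trust it explicitly (assumed path).
        System.setProperty("javax.net.ssl.trustStore",
                "/opt/wso2is-4.6.0/repository/resources/security/client-truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");

        OAuth2TokenValidationResponseDTO response = validate(args[0]);
        if (response.getValid()) {
            System.out.println("valid; user=" + response.getAuthorizedUser()
                    + " expiresIn=" + response.getExpiryTime());
        } else {
            System.out.println("invalid: " + response.getErrorMsg());
        }
    }
}
```

If validation still fails with the identifier set, capture the outgoing SOAP envelope (for example with a TCP monitor in front of port 9443) and compare the body with the xsd1:accessToken structure shown above; the identifier must appear as a child element, not as text inside accessToken.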
