Single logout not working in Okta Spring app - spring-security

I am trying to test springboot-saml single logout with Okta. I am facing an error when I hit /saml/logout/. The Spring log says "Received LogoutResponse has invalid status code". The Okta app log says "Unable to validate SAML Logout Request: [a1f8d8g1ged7c86d277iebbihcfecj] - Issuer [demosaml] does not match the Issuer configured for the application."
Thanks in advance.

Our developer website has further documentation on the Spring App http://developer.okta.com/docs/guides/spring_security_saml
In order for the SLO to work, you need to ensure the following:
- That you are using POST binding
- That you have generated a certificate
- That your logout request includes a signature

Related

Authorization Failure - Invalid credentials were provided in opentok

Hello friends, I am right now making a chat application using OpenTok.
Authorization Failure - Invalid credentials were provided.
I am getting this error.
I am getting a session ID and a token starting with T1==.
What to do?

How do I configure Spring Security SAML to work with Okta?

I'm trying to make spring-boot-security-saml-sample application work with Okta. To add Okta as a provider, I've made the following changes to WebSecurityConfig.java:
https://gist.github.com/mraible/c8b52972f76e6f5e30d5
I found the following question that provides some guidance, but I can't quite get things to work.
configuring saml-sample (SP) to work with Okta (IdP)
Here's what I'm using for values on Okta:
Application label: Spring Boot SAML App
Force Authentication: false
Post Back URL: http://localhost:8080/
Name ID Format: EmailAddressRecipient
Recipient: http://localhost:8080/saml/SSO/alias/defaultAlias
Audience Restriction: com:vdenotaris:spring:sp
authnContextClassRef: PasswordProtectedTransport
Response: Signed
Assertion: Signed
Request: Compressed
Destination: http://localhost:8080/saml/SSO/alias/defaultAlias
Default Relay State: (none)
Attribute Statements: email|${user.email},firstName|${user.firstName}
It looks like it works from the logs:
[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- BaseMessageEncoder: Successfully encoded message.
[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- HttpSessionStorage: Storing message a12gf64fh3f35fgh2a8dd1fd0i0dc02 to session C5D010344EF5D022718B12B6D25F1D1E
[2014-12-30 12:18:33.004] boot - 18748 INFO [http-nio-8080-exec-8] --- SAMLDefaultLogger: AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;com:vdenotaris:spring:sp;http://www.okta.com/k2gpb06TOMYOKAWUSXJM;;;
However, it redirects me to Okta's site rather than back to my site.
I got it to work! The key appears to be setting Request to "Uncompressed". From there, I removed "alias/defaultAlias" since this only seems to work when you set an alias on the ExtendedMetadata. My settings that work on the Okta side:
Application label: Spring Boot SAML App
Force Authentication: false
Post Back URL: http://localhost:8080/saml/SSO
Name ID Format: EmailAddressRecipient
Recipient: http://localhost:8080/saml/SSO
Audience Restriction: com:vdenotaris:spring:sp
authnContextClassRef: PasswordProtectedTransport
Response: Signed
Assertion: Signed
Request: Uncompressed
Destination: http://localhost:8080/saml/SSO
Default Relay State: (none)
Attribute Statements: email|${user.email},firstName|${user.firstName}
Matt,
Try setting the "Post Back URL" to "localhost:8080/saml/SSO/alias/defaultAlias".
From the looks of your configuration "localhost:8080/saml/SSO/alias/defaultAlias" is the SAML endpoint on "localhost" which is where we post the SAML Response to.
Right now with it being "localhost:8080/" - your demo site is probably just redirecting you back to Okta rather than parsing the SAML response.
You haven't mentioned what you have done on the Okta side to test this out. Here are the instructions on how to do it - https://support.okta.com/entries/27560008-Using-the-App-Integration-Wizard - using our App Wizard, which creates the proper SAML IdP endpoints on the Okta side. The SAML login URL on the Okta side is needed by your demo site so that it knows where to redirect SAML requests to.
For more info on SAML - you can check out our SAML guidance on our developer site - http://developer.okta.com/docs/getting_started/saml_guidance.html
Let me know how it goes. Cheers
Stephen
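An added configuration example for the spring-security-saml2-core 1.0.x Java API (it is not code from the page, from Okta's docs or from the spring-boot-security-saml-sample project). It covers the SLO checklist in the first answer on this page (POST binding, SP certificate, signed LogoutRequest; the Issuer Okta validates on the LogoutRequest is the SP entityId, which must equal the Audience Restriction on the Okta app) and the endpoint findings of this thread (no alias, so the SSO endpoint is /saml/SSO). The keystore path, key alias and password are placeholders; the entityId reuses the Audience Restriction value from this thread.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataGenerator;

@Configuration
public class SamlSpConfig {
    // Sent as <Issuer> in AuthnRequest and LogoutRequest; must equal the Audience Restriction set on the Okta app.
    private static final String SP_ENTITY_ID = "com:vdenotaris:spring:sp";

    @Bean
    public KeyManager keyManager() {
        // Placeholder keystore path, alias and password: replace with the SP's own signing certificate.
        Map<String, String> passwords = new HashMap<>();
        passwords.put("spsaml", "changeit");
        return new JKSKeyManager(new ClassPathResource("saml/keystore.jks"), "changeit", passwords, "spsaml");
    }

    @Bean
    public ExtendedMetadata extendedMetadata() {
        ExtendedMetadata md = new ExtendedMetadata();
        md.setSigningKey("spsaml");                // AuthnRequest and LogoutRequest are signed with this key
        md.setSignMetadata(true);
        md.setRequireLogoutRequestSigned(true);    // SLO requests must carry a signature
        md.setRequireLogoutResponseSigned(true);
        // No alias set: endpoints are /saml/SSO and /saml/SingleLogout, not /saml/SSO/alias/<alias>
        return md;
    }

    @Bean
    public MetadataGenerator metadataGenerator() {
        MetadataGenerator gen = new MetadataGenerator();
        gen.setEntityId(SP_ENTITY_ID);
        gen.setEntityBaseURL("http://localhost:8080"); // Okta Post Back URL/Recipient/Destination = base + /saml/SSO
        gen.setKeyManager(keyManager());
        gen.setExtendedMetadata(extendedMetadata());
        gen.setIncludeDiscoveryExtension(false);
        gen.setRequestSigned(true);
        // HTTP-POST binding only, for SSO and SLO; POST sends the request uncompressed ("Request: Uncompressed")
        gen.setBindingsSSO(Collections.singletonList("post"));
        gen.setBindingsSLO(Collections.singletonList("post"));
        return gen;
    }
}
```

The generated SP metadata (served at /saml/metadata) can be uploaded to Okta so that its entityId, ACS and SLO URLs and signing certificate match what the SP actually sends.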

Unable to Single Sign Out or Federation

I am using Spring Security SAML 2.0. I ran the sample application provided by Spring Security
(idp.ssocircle.com as identity provider), and it is running successfully.
Now I am trying to implement it in my application.
My application is redirecting successfully to the IdP and asking for username and password. After putting in the credentials it is giving the error message "unable to single sign out or federation" on the idp.ssocircle.com site. I am unable to get control back to my application.

Getting invalid oauth access token: where is the token I need?

I would like help obtaining/locating the correct access_token value for an API call.
I'm configuring an application that wants to search Facebook using the graph-api search request at https://graph.facebook.com/fql, for which I need an access_token. The application is a backend server so there's no UI and no users.
I registered a new 'app' using the developer pages 'Create a New App' link, so I now have an app at: https://developers.facebook.com/apps/<> and from that I get an 'app secret' token. Digging into the Advanced settings page for the app there is also a Client token.
However using either token results in the following JSON error:
{"error":{"message":"Invalid OAuth access token.","type":"OAuthException","code":190}}
Can anyone point me to where I've gone wrong?
==
The following 'curl' request demonstrates the command working correctly, but it's only usable token-less like this occasionally, so the app needs &access_token=...stuff... adding to the parameters.
$ curl 'https://graph.facebook.com/fql?q=select%20url,%20share_count,%20like_count,%20comment_count,%20click_count,%20total_count%20from%20link_stat%20where%20url%20=%20"http%253A%252F%252Felifesciences.org%252Fcontent%252F2%252Fe01233"'
{"data":[{"url":"http\u00253A\u00252F\u00252Felifesciences.org\u00252Fcontent\u00252F2\u00252Fe01233","share_count":0,"like_count":0,"comment_count":0,"click_count":0,"total_count":0}]}
The 'app secret' and 'Client token' will not work.
What you need is an Access Token, refer to this.

Issues with Google OAuth2 in iOS - "invalid_grant" error

I'm having issues with Google OAuth2 in iOS; I'm getting an "invalid_grant" error. I am doing the following steps:
I created the project and credential (iOS app) in the Google Console;
I requested the CODE;
I requested the access token (working well);
10 minutes before the expiry of the access token, I request a refresh token.
The problem is intermittent. Sometimes the request for refresh (refresh_token) returns "invalid_grant", and so the access_token becomes invalid and my application just stops.
Forcing the user to log in again to generate a new access_token and refresh_token does not work. I have to revoke the permissions of the account and try again.

What I need is access to Gmail IMAP and SMTP. If I check the access_token (https://www.googleapis.com/oauth2/v1/tokeninfo) it is active and valid, but IMAP and SMTP deny access.
I'm actually thinking of going back to login with username and password. The service is very unstable, not reacting the same way each time. I'm sure I'm not exceeding any limits, and so the message "invalid_grant" would at least not be appropriate.
Please, any employee of Google, HELP ME!
Thank you.
I was facing this problem as well. I wasn't doing anything with IMAP, but I was getting an invalid_grant pretty frequently when trying to handle auth. Eventually I got things working using the following settings:
authentication.refreshToken = savedRefreshToken;
authentication.accessToken = savedAccessToken;
// extra parameters sent with the token request (Objective-C dictionary literal)
authentication.additionalTokenRequestParameters = @{@"access_type": @"offline"};
I think it was mainly that last one that did the trick. I found it somewhere in the Google documentation, but I didn't save where. Their docs are pretty messy.
