IRC log for #openam, 2016-05-30

All times shown according to UTC.

Time Nick Message
01:32 MegaMatt joined #openam
01:48 ilbot3 joined #openam
01:48 Topic for #openam is now Chat about the OpenAM project - https://backstage.forgerock.com/#/downloads - OpenAM 13.0.0 is out! OpenAM 12.0.2 is out! Channel logs at: http://irclog.perlgeek.de/openam/today
03:10 ramteid joined #openam
04:55 eran joined #openam
04:55 eran Hi everyone. Anyone familiar with Remote SP integration with OpenAM IDP?
05:08 aldaris joined #openam
06:27 asyd morning
06:27 asyd eran: go ahead
07:06 KermitTheFragger joined #openam
07:33 eran asyd: Hi, thanks. I have an existing SP that implements the SAML redirect & post and is working properly with Okta based IDP. I now try to make it work with OpenAM hosted IDP but failing to understand how to configure OpenAM. I launched OpenAM using default profile, configured saml2 hosted idp and then tried to configure the remote SP. It forces me to upload metadata file so I did one (although it is not
07:34 eran necessary for Okta, so I just created a very basic one with entityId to match the name I gave in OpenAM configuration and an AssertionConsumerService with Location attribute to where it should return to (send the SAMLResponse). I then went to Federation tab and clicked my IDP, went to Services tab and took the "Single Signon Service" "HTTP-REDIRECT" link, tried to navigate to it with my
07:34 eran "?SAMLRequest=<Base64 encoded xml as I know it works well with other IDP>" and I always get error 500 - The saml request is invalid. I can't find any descriptive logging information at all, so I'm quite stuck
07:34 eran I also tried to mimic IDP-initiated authentication, but can't understand where to find the URL for it. I'm running Tomcat8 with OpenAM 13.0.0
07:36 asyd have you tried to increase log level and checked them?
07:38 eran I tried to enable, set buffer time to 1 minute and specify the location. I then went there and I see SAML2.access and SAML2.error. I only see a message that is regarding LDAP. Can't really understand how this is related. I saw that configuring OpenAM automatically sets up OpenDj and LDAP server but I haven't even got to the part of authentication really
08:03 eran Do I need, in addition to create the hosted IDP, also add to the top level realm an authentication module of type SAML2?
08:06 asyd no
08:07 asyd eran: you have no indication at all help on the error?
08:07 asyd does the openam server have the correct time? (ntp)
08:09 eran asyd: Nothing other than what I said. NTP configured correctly. All SAMLv2 related articles in the forgerock blog show examples with OpenAM SP (hosted or remote), nothing that is external and 'generic'
08:11 asyd eran: can you pastebin the message you have in SAML2.error? and there is also federation or sth like that iirc
08:14 eran asyd: http://pastebin.com/Uu2678Sq I found IDFF, is it the one related to federation logs? There's COT which is my circle of trust name, but all of them contain the same message
08:20 asyd strange
08:21 asyd eran: so you create the IdP, and then a SP assigned in the CoT?
08:23 eran Yes. The steps I did are: 1. Create hosted IDP without touching anything in the config. Then I edit it and copy the "Single Signon Service" HTTP-REDIRECT link, and to its end I add a "?SAMLRequest=....".
08:23 asyd hmm "single signon services" ? hmm long time I didn't use openam for SAML but that sounds strange
08:25 eran In the middle, before testing the link I created a basic SP metadata file, with my details (http://pastebin.com/GAE7TUYU), and then registered a remote SP, named "myEntitySP" (same as in sp metadata I uploaded) and added it to my IDP's COT
08:26 eran asyd: Was I supposed to do it differently?
08:27 eran The url I took from sso services is "http://localhost:8888/openam/SSORedirect/metaAlias/idp"
08:30 asyd is your openam available on internet?
08:31 eran How can this be related? I run it locally inside a docker container. my SP is also running locally so I simply use localhost with ports
08:33 asyd none :)
08:33 eran So we're in the part where we're shooting in the dark? :(
08:37 eran Could it be that with version 13.0.0 something is broken, and I should try older version? Sounds unreasonable..but I don't know what to try
08:37 eran Did you peek in the metadata file? does it seem enough?
08:56 eran It's really not clear what is wrong. Setup takes barely a minute, but then there's no information at all about what went wrong.
10:18 aldaris joined #openam
10:26 eran asyd: Thanks anyway, I hope someone else will volunteer to help me :)
10:55 eran Ok. Progress. I found the federation log and I keep getting SAML2Utils.decodeFromRedirect: Base64 decoded result is null
10:55 eran although it seems very much valid :(
10:55 asyd ahh
10:57 eran I tried two options, just xml that is base64 encoded, then I get "Base64 decoded result is null", and a uri encoded version of it, which results in "ZipException: invalid code lengths set"
10:58 asyd eran: try the firefox saml extension
11:01 eran asyd: I'm with chrome but it does fail to display the content, although it's a valid xml and it works with okta. Does it mean it's not well formatted (although I can't see any errors with it) ?
11:02 asyd try to paste your saml request here: https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php
11:03 eran asyd: It works fine, I can see the content clear
11:04 asyd can you pastebin it?
11:05 eran asyd: Sure: http://pastebin.com/kvEpVpre
11:15 eran asyd: It's like it's expecting the content to be compressed in some sort of way, but I can't understand what way.
11:48 eran What is the correct way to encode the authnrequest? I base64->uriencode it. But I read that also gzip is a possibility? Is it the case with OpenAM?
12:21 eran I'm getting closer now. Don't know why it matters but I reordered the params in the authnrequest, and got to this error in federation log: "com.sun.identity.saml2.common.SAML2Exception: Service provider does not support name identifier format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
12:28 aldaris joined #openam
12:28 asyd ahhh sounds better :)
12:30 aldaris the encoding of the SAML Request is binding specific. Please read the SAML bindings spec for guidelines on how to encode the request with HTTP-Redirect binding
12:31 aldaris sounds like your home-built SP metadata needs to be modified so that it includes the emailAddress NameID-Format
12:44 eran aldaris: You're correct. Thanks, I did specify different values. I corrected it to both contain emailAddress format and now I get status 500 - SAML2Exception: Unable to generate NameID value
12:46 aldaris because you haven't set up NameID value mapping in the hosted IdP configuration
12:47 eran How do I specify it?
12:56 eran aldaris: Isn't it enough to specify "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress="? It's the default value
12:56 eran among all the other possibilities, they're all listed the same way.
13:16 eran Ok, Specified specifically that urn...emailAddress=mail, and got "SAML2Exception: Permission denied on setting attributes for amAdmin" :)
13:26 aldaris joined #openam
13:44 eran I always just base64 and url encode it. Do I need something more with OpenAM?
14:35 MegaMatt joined #openam
15:31 aldaris joined #openam
15:34 aldaris if you are using base64 encoding, then you should also deflate the value, see SAML bindings spec
15:34 aldaris you shouldn't use amadmin for testing federation, use a real end-user, and saml should work just fine
17:20 aldaris joined #openam
17:31 aldaris joined #openam
18:15 aldaris joined #openam
18:48 MegaMatt joined #openam
19:06 aldaris joined #openam
19:56 aldaris joined #openam