vdenotaris / spring-boot-security-saml-sample

SBS3 — A sample SAML 2.0 Service Provider built on Spring Boot.

Home Page:https://sbs3.vdenotaris.com

Something went wrong during the authentication process.

satishagrawal03 opened this issue · comments

Hi,

I have added an entity and the metadata generated using http://localhost:8080/saml/metadata in SSOCircle.

I started the application (running on localhost) and selected SSOCircle as the IdP. It redirects me to the IdP login page and, after successful authentication, while redirecting back to the SP, it gives me an error message on the UI screen:
"Something went wrong during the authentication process."

Kindly help.

But in the Spring Boot console log, there seems to be no error.

2018-01-10 13:08:02.439 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.SignatureValidator               : Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
2018-01-10 13:08:02.439 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.SignatureValidator               : Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
2018-01-10 13:08:02.482 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.SignatureValidator               : Signature validated with key from supplied credential
2018-01-10 13:08:02.482 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.i.BaseSignatureTrustEngine       : Signature validation using candidate credential was successful
2018-01-10 13:08:02.483 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.i.BaseSignatureTrustEngine       : Successfully verified signature using KeyInfo-derived credential
2018-01-10 13:08:02.483 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.i.BaseSignatureTrustEngine       : Attempting to establish trust of KeyInfo-derived credential
2018-01-10 13:08:02.483 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.t.ExplicitKeyTrustEvaluator      : Successfully validated untrusted credential against trusted key
2018-01-10 13:08:02.483 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.i.BaseSignatureTrustEngine       : Successfully established trust of KeyInfo-derived credential
2018-01-10 13:08:02.484 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl      : Processing Bearer subject confirmation
2018-01-10 13:08:02.484 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl      : Verifying received AuthnContext org.opensaml.saml2.core.impl.AuthnContextImpl@3043e9fb against requested null
2018-01-10 13:08:02.485 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl      : Validation of authentication statement in assertion s2959c42be21e2d85477fa1450d34a5717af116898 was successful
2018-01-10 13:08:02.485 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl      : Including attribute EmailAddress from assertion s2959c42be21e2d85477fa1450d34a5717af116898
2018-01-10 13:08:02.485 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl      : Including attribute UserID from assertion s2959c42be21e2d85477fa1450d34a5717af116898
2018-01-10 13:08:02.486 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl      : Including attribute FirstName from assertion s2959c42be21e2d85477fa1450d34a5717af116898
2018-01-10 13:08:02.486 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl      : Including attribute LastName from assertion s2959c42be21e2d85477fa1450d34a5717af116898
2018-01-10 13:08:02.489  INFO 3912 --- [http-nio-8080-exec-8] v.s.b.s.s.w.c.SAMLUserDetailsServiceImpl : satish_agrawal01@infosys.com is logged in
2018-01-10 13:08:02.494  INFO 3912 --- [http-nio-8080-exec-8] o.s.s.s.l.SAMLDefaultLogger              : AuthNResponse;SUCCESS;0:0:0:0:0:0:0:1;com:infypoc:spring:sp;https://idp.ssocircle.com;satish_agrawal01@infosys.com;;
2018-01-10 13:08:02.494 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.SAMLProcessingFilter             : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@236cffc3: Principal: org.springframework.security.core.userdetails.User@ce0d27b9: Username: satish_agrawal01@infosys.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.core.userdetails.User@ce0d27b9: Username: satish_agrawal01@infosys.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Granted Authorities: ROLE_USER

It's probably worth noting somewhere in the docs exactly how to set up ssocircle - I've been recently following along myself and there were a few non-obvious things that I had to do:

  1. Amend the com.vdenotaris.spring.boot.security.saml.web.config.WebSecurityConfig#metadataGenerator method call to setEntityId to something unique - the value provided is already registered by the author of this repo in ssocircle, so for example I amended it to com:vdenotaris:spring:sp:chriswhite199
  2. In ssocircle.com, under the manage metadata section, add a new service provider and set the FQDN to your new entityId, and copy the generated SP Metadata XML into the text field
  3. For me (at least) I also had to run the app in HTTPS, otherwise you get errors relating to the message response from ssocircle not corresponding to the sent message (this is because there is a new HTTP session in the browser when switching between http-localhost and https-ssocircle):

Caused by: org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a13301cba7h5dj8c2bj5d9cf2bj78jh

To run in HTTPS mode, you'll want to add these to your application.properties:

server.port=8443
server.ssl.key-store=classpath:saml/samlKeystore.jks
server.ssl.key-store-password=nalle123
server.ssl.keyStoreType=JKS
server.ssl.keyAlias=apollo
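The InResponseTo mismatch described in the comment above comes from the SP's replay/correlation check: the AuthnRequest ID is remembered in the HTTP session, and the Response is only accepted if its InResponseTo matches an ID from that same session. The following is an added, simplified Python model of that check (not Spring Security SAML's code and not part of this repository); the element and attribute names are from the SAML 2.0 protocol schema, the session dictionary and the sample Response XML are constructed for the example.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


class SAMLException(Exception):
    """Raised when the Response cannot be correlated with a request we sent."""


def send_authn_request(session: dict) -> str:
    """SP side: mint an AuthnRequest ID and remember it in the user's HTTP session."""
    request_id = "a" + secrets.token_hex(16)          # NCName: must not start with a digit
    session.setdefault("pending_request_ids", set()).add(request_id)
    return request_id


def constructed_response(in_response_to: str) -> str:
    """Constructed minimal samlp:Response for the example (signature/assertion omitted)."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_resp1" Version="2.0" '
            f'InResponseTo="{in_response_to}"/>')


def check_in_response_to(session: dict, response_xml: str) -> str:
    """Accept the Response only if InResponseTo matches a request ID stored in THIS session."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise SAMLException("not a samlp:Response")
    in_response_to = root.get("InResponseTo")
    pending = session.get("pending_request_ids", set())
    if in_response_to not in pending:
        # Same failure as the log line in the comment: the browser came back with a session
        # that never issued this request (e.g. cookie not sent across http/https origins).
        raise SAMLException("InResponseToField of the Response doesn't correspond to "
                            f"sent message {in_response_to}")
    pending.discard(in_response_to)                   # one-time use blocks replay
    return in_response_to


def same_session_flow() -> bool:
    """Cookie survives the round trip: request and response share one session."""
    session = {}
    rid = send_authn_request(session)
    return check_in_response_to(session, constructed_response(rid)) == rid


def new_session_flow() -> str:
    """http-localhost -> https-ssocircle -> back: SP sees a fresh session, check fails."""
    rid = send_authn_request({})                      # stored in a session we no longer have
    try:
        check_in_response_to({}, constructed_response(rid))
    except SAMLException as exc:
        return str(exc)
    return ""
```

Running the app entirely over HTTPS, as in the application.properties snippet above, keeps the browser on one origin so the session cookie that holds the pending request ID is presented when SSOCircle posts the Response back.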