# Alias of the IdP's public certificate
IdPPublicCertAlias=wso2carbon

It seems this is not present in the travelocity.properties file. Can you please try with the latest travelocity app?
On Thu, Oct 8, 2015 at 5:53 PM, Nadeesha Meegoda <[email protected]> wrote:
> Hi all,
>
> I'm continuously getting this error when assertion encryption is enabled.
> I have attached the travelocity.properties file for your reference. I can
> give the travelocity.war on request.
>
> On Sun, Oct 4, 2015 at 1:43 PM, Gayan Gunawardana <[email protected]> wrote:
>
>> Hi Nadeesha,
>>
>> I just checked the Federated SSO scenario (product-is build 02/10/2015) you
>> mentioned in the initial mail. It works fine for me except I had to replace
>> commons-collections-3.1.jar with commons-collections-3.2.1.jar inside the
>> travelocity.com web app.
>>
>> Thanks,
>> Gayan
>>
>> On Fri, Oct 2, 2015 at 9:11 PM, Nadeesha Meegoda <[email protected]> wrote:
>>
>>> Hi Tharindu,
>>>
>>> When I tested this with a single IS for SAML SSO (not the federated
>>> scenario) everything worked fine for the super tenant. I doubt this is related
>>> to the federated scenario. Please have a look and let me know.
>>>
>>> Thanks!
>>>
>>> On Fri, Oct 2, 2015 at 8:52 PM, Tharindu Edirisinghe <[email protected]> wrote:
>>>
>>>> Hi Nadeesha,
>>>>
>>>> For the super tenant, sso.agent should be able to decrypt the encrypted
>>>> SAML assertion. However, there was an issue [1] where, for a tenant, when the
>>>> tenant encrypts the SAML assertion with the public certificate of the
>>>> client (i.e. the travelocity app), sso.agent could not decrypt the
>>>> assertion because in the code the private key of travelocity's key store
>>>> was not getting picked up, because of the particular method called in the
>>>> OpenSAML library. This was patched some time back for sso.agent version 1.2, but
>>>> we need to check whether the same fix got correctly merged to higher
>>>> versions (i.e. 1.4). Ideally this should anyway work for the super tenant, but
>>>> we'll check the same scenario more and let you know.
>>>>
>>>> [1] https://wso2.org/jira/browse/IDENTITY-3186
>>>>
>>>> Regards,
>>>> TharinduE
>>>>
>>>> On Fri, Oct 2, 2015 at 3:34 PM, Nadeesha Meegoda <[email protected]> wrote:
>>>>
>>>>> Hi Darshana,
>>>>>
>>>>> Yes, the response is encrypted. Sending the SAML SSO trace attached
>>>>> with the mail.
>>>>>
>>>>> @Ishara I used wso2carbon as the certificate alias since I'm using the
>>>>> default key stores and also I'm testing this in super tenant mode. Do I
>>>>> need to import the public certificate of the private key of the travelocity app
>>>>> to the IS keystores in super tenant mode?
>>>>>
>>>>> On Fri, Oct 2, 2015 at 3:19 PM, Ishara Karunarathna <[email protected]> wrote:
>>>>>
>>>>>> Hi Nadeesha,
>>>>>>
>>>>>> On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Nadeesha,
>>>>>>>
>>>>>>> Have you checked whether the assertion is encrypted in the response
>>>>>>> IS sends back to the travelocity app?
>>>>>>>
>>>>>>> And please provide the SSO Trace (save as a text file and attach in
>>>>>>> the mail) for the whole flow.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Darshana
>>>>>>>
>>>>>>> On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi.
>>>>>>>>
>>>>>>>> I have configured the setup to Login to the Identity Server Using
>>>>>>>> Another Identity Server as per the details in [1] in Super tenant mode.
>>>>>>>> With the happy scenario according to the documentation this works fine. But
>>>>>>>> I have enabled some additional properties in the IDP and the SP used for the IDP as
>>>>>>>> follows:
>>>>>>>>
>>>>>>>> *Properties enabled for Federated Authenticators* - SAML2 Web SSO
>>>>>>>> Configuration
>>>>>>>>
>>>>>>>> 1. Enabled Assertion Encryption
>>>>>>>> 2. Enable Assertion Signing
>>>>>>>> 3. Enable Authentication Response Signing
>>>>>>>>
>>>>>>>> *Properties enabled for SP used for IDP*
>>>>>>>>
>>>>>>>> 1. Enabled Assertion Encryption
>>>>>>>> 2. Enabled Response Signing
>>>>>>>>
>>>>>>>> *Properties enabled for SP used for travelocity app*
>>>>>>>>
>>>>>>>> 1. Enabled Assertion Encryption
>>>>>>>>
>>>>>> What is the Certificate Alias you used here?
>>>>>> Is that the public key in the travelocity app?
>>>>>>
>>>>>>>> 2. Enabled Response Signing
>>>>>>>>
>>>>>>>> In the travelocity.properties file also I have enabled Assertion
>>>>>>>> Encryption, Response signing and Assertion signing. I have already imported
>>>>>>>> the Identity Provider Public Certificate to the IDP.
>>>>>>>>
>>>>>>>> When I'm signing in to travelocity.com I get an "Unable to decrypt the
>>>>>>>> SAML Assertion" error and the error in [2] in tomcat.
>>>>>>>>
>>>>>>>> Note that with only "assertion signing" enabled in the IDP I was
>>>>>>>> successfully able to login and no error was displayed. When I enabled the
>>>>>>>> Assertion Encryption this error occurred. Why does this error occur
>>>>>>>> when I enable this property as mentioned above?
>>>>>>>>
>>>>>>>> Any help regarding this is highly appreciated!
>>>>>>>>
>>>>>>>> [1] - https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer&spaceKey=IS510
>>>>>>>>
>>>>>>>> [2] - Oct 02, 2015 2:10:47 PM org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
>>>>>>>> SEVERE: An error has occurred
>>>>>>>> org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Unable to decrypt the SAML Assertion
>>>>>>>>     at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:254)
>>>>>>>>     at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:198)
>>>>>>>>     at org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:89)
>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>>>>>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>>>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>>>>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>>>>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>>>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>>>>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
>>>>>>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
>>>>>>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>>>>>>>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>>>>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> --
>>>>>>>> *Nadeesha Meegoda*
>>>>>>>> Software Engineer - QA
>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>> lean.enterprise.middleware
>>>>>>>> email : [email protected]
>>>>>>>> mobile: +94783639540
>>>>>>>
>>>>>>> --
>>>>>>> Regards,
>>>>>>>
>>>>>>> *Darshana Gunawardana*
>>>>>>> Senior Software Engineer
>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>> E-mail: [email protected]
>>>>>>> Mobile: +94718566859
>>>>>>> Lean . Enterprise . Middleware
>>>>>>
>>>>>> --
>>>>>> Ishara Karunarathna
>>>>>> Senior Software Engineer
>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
>>>>
>>>> --
>>>> Tharindu Edirisinghe
>>>> Software Engineer | WSO2 Inc
>>>> Identity Server Team
>>>> Blog : tharindue.blogspot.com
>>>> mobile : +94 775 181586

--
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: [email protected]
Mobile: +94 (71) 8020933
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
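As an added example (not code from this thread or from the WSO2 SSO agent), a small Python check that reads a travelocity.properties file and reports the keystore settings the agent needs once assertion encryption or signing is switched on, which is the gap the reply at the top of this mail points at. Apart from IdPPublicCertAlias, the property names are assumed from the agent's sample properties file, and the sample input is constructed.

```python
import re
from typing import Dict, List

# Property names assumed from the SSO agent's sample travelocity.properties;
# only IdPPublicCertAlias is quoted in the thread itself.
SP_KEY_PROPS = ("KeyStore", "KeyStorePassword", "PrivateKeyAlias", "PrivateKeyPassword")
SIGNING_FLAGS = ("SAML2.EnableResponseSigning", "SAML2.EnableAssertionSigning")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: one 'key=value' (or 'key:value') per line;
    blank lines and lines starting with '#' or '!' are comments; no continuations."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def is_true(props: Dict[str, str], key: str) -> bool:
    return props.get(key, "false").strip().lower() == "true"


def check_saml_keys(props: Dict[str, str]) -> List[str]:
    """Findings explaining why the agent could not decrypt or verify an assertion
    with this configuration; an empty list means the key material is wired up."""
    findings: List[str] = []
    if is_true(props, "SAML2.EnableAssertionEncryption"):
        # The IdP encrypts the assertion to the SP's certificate, so the agent can
        # only decrypt it with the matching private key from its own keystore.
        for key in SP_KEY_PROPS:
            if not props.get(key):
                findings.append(f"assertion encryption is on but {key} is not set")
    if any(is_true(props, f) for f in SIGNING_FLAGS) and not props.get("IdPPublicCertAlias"):
        # Verifying the IdP's signature needs the IdP certificate alias in the keystore.
        findings.append("response/assertion signing is on but IdPPublicCertAlias is not set")
    return findings


# Constructed sample mirroring the thread: encryption and signing enabled, but the
# IdP certificate alias line is absent; SAMPLE_FIXED adds the line the reply quotes.
SAMPLE_BROKEN = """\
SAML2.EnableAssertionEncryption=true
SAML2.EnableAssertionSigning=true
SAML2.EnableResponseSigning=true
KeyStore=wso2carbon.jks
KeyStorePassword=wso2carbon
PrivateKeyAlias=wso2carbon
PrivateKeyPassword=wso2carbon
"""
SAMPLE_FIXED = SAMPLE_BROKEN + "# Alias of the IdP's public certificate\nIdPPublicCertAlias=wso2carbon\n"

if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, check_saml_keys(parse_properties(text)) or "OK")
```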
