Hi all,

I have done the same setup in tenant mode (the IDP and the travelocity SP are in tenant mode) and enabled assertion encryption. The SP created for the IDP is in super tenant mode, that is, on the 2nd IS. Now I am getting an error on the IS side. I have exported the external IS private key and imported it to the IDP. Is there any reason for this exception that I have missed? (Testing on the wso2is-5.1.0-kernel-4.2.0-SNAPSHOT given on 14th Oct)
Note - I can successfully log in when assertion encryption is disabled.

[1] - https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer&spaceKey=IS510

[2015-10-20 13:50:00,139] ERROR {org.opensaml.xml.encryption.Decrypter} - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
[2015-10-20 13:50:00,140] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Unable to decrypt the SAML Assertion
org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: Unable to decrypt the SAML Assertion
    at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:202)
    at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:65)
    at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:426)
    at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:400)
    at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:114)
    at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:171)
    at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:111)
    at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:119)
    at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:53)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.wso2.carbon.ui.filters.CSRFPreventionFilter.doFilter(CSRFPreventionFilter.java:88)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.wso2.carbon.ui.filters.CRLFPreventionFilter.doFilter(CRLFPreventionFilter.java:59)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
    at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
    at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.wso2.carbon.identity.application.authenticator.samlsso.exception.SAMLSSOException: Unable to decrypt the SAML Assertion
    at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSSOResponse(DefaultSAML2SSOManager.java:431)
    at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processResponse(DefaultSAML2SSOManager.java:312)
    at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:157)
    ... 53 more
Caused by: org.opensaml.xml.encryption.DecryptionException: Valid decryption key for EncryptedKey could not be resolved
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:623)
    at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.getDecryptedAssertion(DefaultSAML2SSOManager.java:897)
    at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSSOResponse(DefaultSAML2SSOManager.java:429)
    ... 55 more

Thanks!

On Fri, Oct 9, 2015 at 4:12 PM, Gayan Gunawardana <[email protected]> wrote:

> #Alias of the IdP's public certificate
> IdPPublicCertAlias=wso2carbon
>
> It seems this is not present in the travelocity.properties file. Can you please try with the latest travelocity app?
>
> On Thu, Oct 8, 2015 at 5:53 PM, Nadeesha Meegoda <[email protected]> wrote:
>
>> Hi all,
>>
>> I'm continuously getting this error when assertion encryption is enabled. I have attached the travelocity.properties file for your reference. I can give the travelocity.war on request.
>>
>> On Sun, Oct 4, 2015 at 1:43 PM, Gayan Gunawardana <[email protected]> wrote:
>>
>>> Hi Nadeesha,
>>>
>>> I just checked the Federated SSO scenario (product-is build 02/10/2015) you mentioned in the initial mail. It works fine for me, except that I had to replace commons-collections-3.1.jar with commons-collections-3.2.1.jar inside the travelocity.com web app.
>>>
>>> Thanks,
>>> Gayan
>>>
>>> On Fri, Oct 2, 2015 at 9:11 PM, Nadeesha Meegoda <[email protected]> wrote:
>>>
>>>> Hi Tharindu,
>>>>
>>>> When I tested this with a single IS for SAML SSO (not the federated scenario) everything worked fine for the super tenant. I doubt this is related to the federated scenario. Please have a look and let me know.
>>>>
>>>> Thanks!
>>>>
>>>> On Fri, Oct 2, 2015 at 8:52 PM, Tharindu Edirisinghe <[email protected]> wrote:
>>>>
>>>>> Hi Nadeesha,
>>>>>
>>>>> For the super tenant, sso.agent should be able to decrypt the encrypted SAML assertion. However, there was an issue [1] where, for a tenant, when the tenant encrypts the SAML assertion with the public certificate of the client (i.e. the travelocity app), sso.agent could not decrypt the assertion because, in the code, the private key of travelocity's key store was not getting picked up because of the particular method called in the OpenSAML library. This was patched some time back for sso.agent version 1.2, but we need to check whether the same fix got correctly merged to higher versions (i.e. 1.4). Ideally this should anyway work for the super tenant, but we'll check the same scenario more and let you know.
>>>>>
>>>>> [1] https://wso2.org/jira/browse/IDENTITY-3186
>>>>>
>>>>> Regards,
>>>>> TharinduE
>>>>>
>>>>> On Fri, Oct 2, 2015 at 3:34 PM, Nadeesha Meegoda <[email protected]> wrote:
>>>>>
>>>>>> Hi Darshana,
>>>>>>
>>>>>> Yes, the response is encrypted. Sending the SAML SSO trace attached with the mail.
>>>>>>
>>>>>> @Ishara I used wso2carbon as the certificate alias since I'm using the default key stores and also I'm testing this in super tenant mode. Do I need to import the public certificate of the private key of the travelocity app to the IS keystores in super tenant mode?
>>>>>>
>>>>>> On Fri, Oct 2, 2015 at 3:19 PM, Ishara Karunarathna <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Nadeesha,
>>>>>>>
>>>>>>> On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Nadeesha,
>>>>>>>>
>>>>>>>> Have you checked whether the assertion is encrypted in the response IS sends back to the travelocity app?
>>>>>>>>
>>>>>>>> And please provide the SSO Trace (save as a text file and attach it to the mail) for the whole flow.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Darshana
>>>>>>>>
>>>>>>>> On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi.
>>>>>>>>>
>>>>>>>>> I have configured the setup to Login to the Identity Server Using Another Identity Server as per the details in [1] in super tenant mode. With the happy scenario according to the documentation this works fine. But I have enabled some additional properties in the IDP and the SP used for the IDP, as follows:
>>>>>>>>>
>>>>>>>>> *Properties enabled for Federated Authenticators* - SAML2 Web SSO Configuration
>>>>>>>>>
>>>>>>>>> 1. Enabled Assertion Encryption
>>>>>>>>> 2. Enabled Assertion Signing
>>>>>>>>> 3. Enabled Authentication Response Signing
>>>>>>>>>
>>>>>>>>> *Properties enabled for SP used for IDP*
>>>>>>>>>
>>>>>>>>> 1. Enabled Assertion Encryption
>>>>>>>>> 2. Enabled Response Signing
>>>>>>>>>
>>>>>>>>> *Properties enabled for SP used for travelocity app*
>>>>>>>>>
>>>>>>>>> 1. Enabled Assertion Encryption
>>>>>>>
>>>>>>> What is the Certificate Alias you used here? Is that the public key in the travelocity app?
>>>>>>>
>>>>>>>>> 2. Enabled Response Signing
>>>>>>>>>
>>>>>>>>> In the travelocity.properties file also I have enabled Assertion Encryption, Response Signing and Assertion Signing. I have already imported the Identity Provider Public Certificate to the IDP.
>>>>>>>>>
>>>>>>>>> When I'm signing in to travelocity.com I get an "Unable to decrypt the SAML Assertion" error and the error in [2] in tomcat.
>>>>>>>>>
>>>>>>>>> Note that with only "assertion signing" enabled in the IDP I was successfully able to log in and no error was displayed. When I enabled Assertion Encryption this error occurred. Why does this error occur when I enable this property as mentioned above?
>>>>>>>>>
>>>>>>>>> Any help regarding this is highly appreciated!
>>>>>>>>>
>>>>>>>>> [1] - https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer&spaceKey=IS510
>>>>>>>>>
>>>>>>>>> [2] - Oct 02, 2015 2:10:47 PM org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
>>>>>>>>> SEVERE: An error has occurred
>>>>>>>>> org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Unable to decrypt the SAML Assertion
>>>>>>>>>     at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:254)
>>>>>>>>>     at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:198)
>>>>>>>>>     at org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:89)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>>>>>>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>>>>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>>>>>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>>>>>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>>>>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>>>>>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
>>>>>>>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
>>>>>>>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>>>>>>>>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>>>>>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> --
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> *Darshana Gunawardana* Senior Software Engineer
>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>
>>>>>>>> *E-mail: [email protected]*
>>>>>>>> *Mobile: +94718566859* Lean . Enterprise . Middleware
>>>>>>>
>>>>>>> --
>>>>>>> Ishara Karunarathna
>>>>>>> Senior Software Engineer
>>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>>>
>>>>>>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
>>>>>
>>>>> --
>>>>>
>>>>> Tharindu Edirisinghe
>>>>> Software Engineer | WSO2 Inc
>>>>> Identity Server Team
>>>>> Blog : tharindue.blogspot.com
>>>>> mobile : +94 775 181586
>>>
>>> --
>>> Gayan Gunawardana
>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: [email protected]
>>> Mobile: +94 (71) 8020933

--
*Nadeesha Meegoda*
Software Engineer - QA
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
email : [email protected]
mobile: +94783639540
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
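The key-resolution failure both stack traces in this thread report ("valid decryption key for EncryptedKey could not be resolved") is raised on the SP side of the assertion-encryption exchange: the IdP wraps a random content key for the certificate configured under the SP's Certificate Alias, and the SP has to find, in its own key store, the private key whose public half matches that certificate before it can unwrap anything. The Go program below is an added example written for this page; it is not code from WSO2, OpenSAML or the sso.agent. It models that exchange with a constructed key store and a constructed assertion, and it assumes a SHA-256 fingerprint of the DER public key as a stand-in for ds:KeyInfo, AES-GCM in place of the AES-CBC that XMLEnc actually uses, and the aliases "wso2carbon" and "other" as hypothetical key store entries. The first decrypt succeeds because the key store holds the key the IdP encrypted for; the second fails with the thread's error because it holds an unrelated key, which is the situation a mismatched certificate import produces.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// ErrNoDecryptionKey mirrors the OpenSAML message quoted in the thread.
var ErrNoDecryptionKey = errors.New("valid decryption key for EncryptedKey could not be resolved")

// EncryptedAssertion is a constructed stand-in for <saml:EncryptedAssertion>: the RSA-OAEP
// wrapped content key (xenc:EncryptedKey), a recipient fingerprint (for ds:KeyInfo), nonce, ciphertext.
type EncryptedAssertion struct {
	EncryptedKey   []byte
	RecipientKeyID [32]byte
	Nonce          []byte
	Ciphertext     []byte
}

type Keystore map[string]*rsa.PrivateKey // alias -> private key, modelling the SP's key store

// keyID fingerprints a public key by SHA-256 over its DER (PKIX) encoding.
func keyID(pub *rsa.PublicKey) [32]byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	return sha256.Sum256(der)
}

// gcmFor builds the content cipher. XMLEnc in IS 5.1 uses AES-CBC; AES-GCM is used
// here as the safe stdlib choice, the key-resolution logic being shown is the same.
func gcmFor(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAssertion is the IdP side: fresh AES-256 key, wrapped for the SP's Certificate Alias cert.
func EncryptAssertion(spPub *rsa.PublicKey, assertion []byte) (*EncryptedAssertion, error) {
	buf := make([]byte, 44) // 32-byte content key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	cek, nonce := buf[:32], buf[32:]
	gcm, err := gcmFor(cek)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, cek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedAssertion{EncryptedKey: wrapped, RecipientKeyID: keyID(spPub),
		Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, assertion, nil)}, nil
}

// resolveDecryptionKey is the SP-side credential resolver: the key store entry whose public
// half matches the EncryptedKey's KeyInfo. A certificate the SP has no private key for fails here.
func (ks Keystore) resolveDecryptionKey(ea *EncryptedAssertion) (string, *rsa.PrivateKey, error) {
	for alias, priv := range ks {
		if keyID(&priv.PublicKey) == ea.RecipientKeyID {
			return alias, priv, nil
		}
	}
	return "", nil, ErrNoDecryptionKey
}

// DecryptAssertion is the SP side: resolve the key, unwrap the content key, decrypt.
func DecryptAssertion(ks Keystore, ea *EncryptedAssertion) ([]byte, string, error) {
	alias, priv, err := ks.resolveDecryptionKey(ea)
	if err != nil {
		return nil, "", err
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ea.EncryptedKey, nil)
	if err != nil {
		return nil, "", err
	}
	gcm, err := gcmFor(cek)
	if err != nil {
		return nil, "", err
	}
	pt, err := gcm.Open(nil, ea.Nonce, ea.Ciphertext, nil)
	return pt, alias, err
}

func main() {
	app, _ := rsa.GenerateKey(rand.Reader, 2048)   // key behind the app's hypothetical "wso2carbon" alias
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // an unrelated key never given to the IdP
	ea, _ := EncryptAssertion(&app.PublicKey, []byte("<saml:Assertion>...</saml:Assertion>"))
	_, alias, err := DecryptAssertion(Keystore{"wso2carbon": app}, ea)
	fmt.Println("matching keystore:", alias, err)
	_, _, err = DecryptAssertion(Keystore{"wso2carbon": other}, ea)
	fmt.Println("mismatched keystore:", err)
}
```

Run it with go run; it needs no network. The practical check it stands for is the one the replies in the thread circle around: the certificate imported into the IdP's SP entry under the Certificate Alias must be the public half of the private key that sits in the travelocity key store, and for a tenant-mode SP the key store the sso.agent actually opens must be the one holding that private key.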
