Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app
Hi all,

I have done the same setup in tenant mode (IDP and travelocity SP are in tenant mode) and enabled assertion encryption. The SP created for the IDP is in super tenant mode, that is, the 2nd IS. Now I am getting an error on the IS side. I have exported the external IS private key and imported it to the IDP. Any reason behind this exception that I have missed doing? (Testing in the wso2is-5.1.0-kernel-4.2.0-SNAPSHOT given on 14th Oct)

Note - I can successfully log in when assertion encryption is disabled.

[1] - https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510

[2015-10-20 13:50:00,139] ERROR {org.opensaml.xml.encryption.Decrypter} - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
[2015-10-20 13:50:00,140] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Unable to decrypt the SAML Assertion
org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: Unable to decrypt the SAML Assertion
    at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:202)
    at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:65)
    at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:426)
    at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:400)
    at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:114)
    at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:171)
    at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:111)
    at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:119)
    at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:53)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.wso2.carbon.ui.filters.CSRFPreventionFilter.doFilter(CSRFPreventionFilter.java:88)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.wso2.carbon.ui.filters.CRLFPreventionFilter.doFilter(CRLFPreventionFilter.java:59)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app
On Tue, Oct 20, 2015 at 2:21 PM, Nadeesha Meegoda wrote:

> Hi all,
>
> I have done the same setup in tenant mode (IDP and travelocity SP are in tenant mode)

Were you able to resolve the issue in super tenant mode?

> and enabled assertion encryption. The SP created for the IDP is in super tenant mode, that is, the 2nd IS. Now I am getting an error on the IS side. I have exported the external IS private key and imported it to the IDP. Any reason behind this exception that I have missed doing? (Testing in the wso2is-5.1.0-kernel-4.2.0-SNAPSHOT given on 14th Oct)
>
> Note - I can successfully log in when assertion encryption is disabled.
>
> [1] - https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510
>
> [2015-10-20 13:50:00,139] ERROR {org.opensaml.xml.encryption.Decrypter} - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
> [2015-10-20 13:50:00,140] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Unable to decrypt the SAML Assertion
> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: Unable to decrypt the SAML Assertion
>     at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:202)
>     at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:65)
>     at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:426)
>     at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:400)
>     at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:114)
>     at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:171)
>     at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:111)
>     at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:119)
>     at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:53)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>     at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>     at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.wso2.carbon.ui.filters.CSRFPreventionFilter.doFilter(CSRFPreventionFilter.java:88)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.wso2.carbon.ui.filters.CRLFPreventionFilter.doFilter(CRLFPreventionFilter.java:59)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at
Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app
Yes, it works in super tenant mode.

On Tue, Oct 20, 2015 at 2:32 PM, Gayan Gunawardana wrote:

> On Tue, Oct 20, 2015 at 2:21 PM, Nadeesha Meegoda wrote:
>
>> Hi all,
>>
>> I have done the same setup in tenant mode (IDP and travelocity SP are in tenant mode)
>
> Were you able to resolve the issue in super tenant mode?
>
>> and enabled assertion encryption. The SP created for the IDP is in super tenant mode, that is, the 2nd IS. Now I am getting an error on the IS side. I have exported the external IS private key and imported it to the IDP. Any reason behind this exception that I have missed doing? (Testing in the wso2is-5.1.0-kernel-4.2.0-SNAPSHOT given on 14th Oct)
>>
>> Note - I can successfully log in when assertion encryption is disabled.
>>
>> [1] - https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510
>>
>> [2015-10-20 13:50:00,139] ERROR {org.opensaml.xml.encryption.Decrypter} - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
>> [2015-10-20 13:50:00,140] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Unable to decrypt the SAML Assertion
>> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: Unable to decrypt the SAML Assertion
>>     at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:202)
>>     at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:65)
>>     at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:426)
>>     at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:400)
>>     at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:114)
>>     at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:171)
>>     at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:111)
>>     at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:119)
>>     at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:53)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>     at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
>>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>     at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at org.wso2.carbon.ui.filters.CSRFPreventionFilter.doFilter(CSRFPreventionFilter.java:88)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at org.wso2.carbon.ui.filters.CRLFPreventionFilter.doFilter(CRLFPreventionFilter.java:59)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at
Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app
#Alias of the IdP's public certificate
IdPPublicCertAlias=wso2carbon

It seems this is not present in the travelocity.properties file. Can you please try with the latest travelocity app?

On Thu, Oct 8, 2015 at 5:53 PM, Nadeesha Meegoda wrote:

> Hi all,
>
> I'm continuously getting this error when assertion encryption is enabled. I have attached the travelocity.properties file for your reference. I can give the travelocity.war on request.
>
> On Sun, Oct 4, 2015 at 1:43 PM, Gayan Gunawardana wrote:
>
>> Hi Nadeesha,
>>
>> I just checked the Federated SSO scenario (product-is build 02/10/2015) you mentioned in the initial mail. It works fine for me, except that I had to replace commons-collections-3.1.jar with commons-collections-3.2.1.jar inside the travelocity.com web app.
>>
>> Thanks,
>> Gayan
>>
>> On Fri, Oct 2, 2015 at 9:11 PM, Nadeesha Meegoda wrote:
>>
>>> Hi Tharindu,
>>>
>>> When I tested this with a single IS for SAML SSO (not the federated scenario) everything worked fine for super tenant. I doubt this is related to the federated scenario. Please have a look and let me know.
>>>
>>> Thanks!
>>>
>>> On Fri, Oct 2, 2015 at 8:52 PM, Tharindu Edirisinghe wrote:
>>>
>>>> Hi Nadeesha,
>>>>
>>>> For super tenant, sso.agent should be able to decrypt the encrypted SAML assertion. However, there was an issue [1] where, for a tenant, when the tenant encrypts the SAML assertion with the public certificate of the client (i.e. travelocity app), sso.agent could not decrypt the assertion because in the code the private key of travelocity's key store was not getting picked up, because of the particular method called in the OpenSAML library. This was patched some time back for the sso.agent 1.2 version, but we need to check whether the same fix got correctly merged to higher versions (i.e. 1.4). Ideally this should anyway work for super tenant, but we'll check the same scenario more and let you know.
>>>>
>>>> [1] https://wso2.org/jira/browse/IDENTITY-3186
>>>>
>>>> Regards,
>>>> TharinduE
>>>>
>>>> On Fri, Oct 2, 2015 at 3:34 PM, Nadeesha Meegoda wrote:
>>>>
>>>>> Hi Darshana,
>>>>>
>>>>> Yes, the response is encrypted. Sending the SAML SSO trace attached with the mail.
>>>>>
>>>>> @Ishara I used wso2carbon as the certificate alias since I'm using the default key stores, and also I'm testing this in super tenant mode. Do I need to import the public certificate of the private key of the travelocity app to the IS keystores in super tenant mode?
>>>>>
>>>>> On Fri, Oct 2, 2015 at 3:19 PM, Ishara Karunarathna wrote:
>>>>>
>>>>>> Hi Nadeesha,
>>>>>>
>>>>>> On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana <darsh...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi Nadeesha,
>>>>>>>
>>>>>>> Have you checked whether the assertion is encrypted in the response IS sends back to the travelocity app?
>>>>>>>
>>>>>>> And please provide the SSO Trace (save as a text file and attach in the mail) for the whole flow.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Darshana
>>>>>>>
>>>>>>> On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda wrote:
>>>>>>>
>>>>>>>> Hi.
>>>>>>>>
>>>>>>>> I have configured the setup to Login to the Identity Server Using Another Identity Server as per the details in [1] in Super tenant mode. With the happy scenario according to the documentation this works fine. But I have enabled some additional properties in the IDP and the SP used for the IDP as follows:
>>>>>>>>
>>>>>>>> *Properties enabled for Federated Authenticators* - SAML2 Web SSO Configuration
>>>>>>>>
>>>>>>>> 1. Enabled Assertion Encryption
>>>>>>>> 2. Enable Assertion Signing
>>>>>>>> 3. Enable Authentication Response Signing
>>>>>>>>
>>>>>>>> *Properties enabled for SP used for IDP*
>>>>>>>>
>>>>>>>> 1. Enabled Assertion Encryption
>>>>>>>> 2. Enabled Response Signing
>>>>>>>>
>>>>>>>> *Properties enabled for SP used for travelocity app*
>>>>>>>>
>>>>>>>> 1. Enabled Assertion Encryption
>>>>>>
>>>>>> What is the Certificate Alias you used here? Is that the public key in the travelocity app?
>>>>>>
>>>>>>>> 2. Enabled Response Signing
>>>>>>>>
>>>>>>>> In the travelocity.properties file also I have enabled Assertion Encryption, Response signing and Assertion signing. I have already imported the Identity Provider Public Certificate to the IDP.
>>>>>>>>
>>>>>>>> When I'm signing in to travelocity.com I get the "Unable to decrypt the SAML Assertion" error and the error in [2] in tomcat.
>>>>>>>>
>>>>>>>> Note that with only "assertion signing" enabled in the IDP I was successfully able to log in and no error was displayed. When I enabled Assertion Encryption this error occurred. Why does this error occur when I
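The decryption step this thread is debugging, as an added illustration (not sso.agent or Identity Server code) written against the OpenSAML 2.x API that appears in the log above: the SP must hand the Decrypter its own private key as the key-encryption key, and the EncryptedKey has to be located wherever the IdP placed it; if either part fails, OpenSAML logs "Failed to decrypt EncryptedKey, valid decryption key could not be resolved" and the caller sees "Unable to decrypt the SAML Assertion". The keystore path, alias and passwords are hypothetical placeholders, and the Response is assumed to be already parsed and signature-verified.

```java
// Added example, not sso.agent code: decrypt a SAML 2.0 EncryptedAssertion with
// OpenSAML 2.x using the SP's own private key as the key-encryption key (KEK).
// The IdP wrapped the session key with the certificate registered for the SP
// (the "Certificate Alias" asked about in the thread), so only the matching
// private key can unwrap it.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;

public final class AssertionDecryptionExample {

    /** Loads the SP's decryption credential from a JKS keystore (path, alias and passwords are hypothetical). */
    static BasicX509Credential loadSpCredential(String keyStorePath, char[] storePassword,
                                                String alias, char[] keyPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, storePassword);
        }
        PrivateKey privateKey = (PrivateKey) ks.getKey(alias, keyPassword);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (privateKey == null || cert == null) {
            // A trusted-certificate-only entry cannot decrypt anything.
            throw new IllegalStateException("alias '" + alias + "' has no private key entry");
        }
        BasicX509Credential credential = new BasicX509Credential();
        credential.setPrivateKey(privateKey);
        credential.setEntityCertificate(cert);
        return credential;
    }

    /**
     * Pre-flight check: the certificate registered at the IdP as the SP's encryption
     * certificate must carry the public half of the key the SP decrypts with. A mismatch
     * is the configuration state behind "valid decryption key could not be resolved".
     * JKS RSA entries normally expose the CRT form, which carries the public exponent.
     */
    static boolean certMatchesPrivateKey(X509Certificate idpRegisteredCert, PrivateKey spKey) {
        if (!(spKey instanceof RSAPrivateCrtKey)
                || !(idpRegisteredCert.getPublicKey() instanceof RSAPublicKey)) {
            return false;
        }
        RSAPrivateCrtKey priv = (RSAPrivateCrtKey) spKey;
        RSAPublicKey pub = (RSAPublicKey) idpRegisteredCert.getPublicKey();
        return priv.getModulus().equals(pub.getModulus())
                && priv.getPublicExponent().equals(pub.getPublicExponent());
    }

    /** Builds a Decrypter that unwraps the EncryptedKey with the SP's private key. */
    static Decrypter buildDecrypter(BasicX509Credential spCredential) {
        // KEK resolver: a static resolver that offers only the SP's own credential.
        KeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(spCredential);
        // Find the EncryptedKey wherever the IdP put it: inline in EncryptedData/KeyInfo,
        // as a sibling of EncryptedData inside EncryptedAssertion, or via RetrievalMethod.
        // Searching only one of these places is another way to end up with no key.
        ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
        encryptedKeyResolver.getResolverChain().add(new InlineEncryptedKeyResolver());
        encryptedKeyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
        encryptedKeyResolver.getResolverChain().add(new SimpleRetrievalMethodEncryptedKeyResolver());
        // First argument (data-decryption key resolver) is null: the session key is always
        // obtained by unwrapping the EncryptedKey, never supplied directly.
        Decrypter decrypter = new Decrypter(null, kekResolver, encryptedKeyResolver);
        decrypter.setRootInNewDocument(true);
        return decrypter;
    }

    /** Decrypts the first EncryptedAssertion of an already-parsed, signature-verified Response. */
    static Assertion decryptFirstAssertion(Response response, Decrypter decrypter)
            throws DecryptionException {
        if (response.getEncryptedAssertions().isEmpty()) {
            throw new DecryptionException("response carries no EncryptedAssertion");
        }
        EncryptedAssertion encrypted = response.getEncryptedAssertions().get(0);
        return decrypter.decrypt(encrypted);
    }
}
```

Running certMatchesPrivateKey against the certificate actually uploaded to the IdP's SP configuration, before any login attempt, separates "wrong alias / wrong keystore" from a genuine library defect such as the one tracked in [1].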
Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app
Hi all,

I'm continuously getting this error when assertion encryption is enabled. I have attached the travelocity.properties file for your reference. I can give the travelocity.war on request.

On Sun, Oct 4, 2015 at 1:43 PM, Gayan Gunawardana wrote:

> Hi Nadeesha,
>
> I just checked the Federated SSO scenario (product-is build 02/10/2015) you mentioned in the initial mail. It works fine for me, except that I had to replace commons-collections-3.1.jar with commons-collections-3.2.1.jar inside the travelocity.com web app.
>
> Thanks,
> Gayan
>
> On Fri, Oct 2, 2015 at 9:11 PM, Nadeesha Meegoda wrote:
>
>> Hi Tharindu,
>>
>> When I tested this with a single IS for SAML SSO (not the federated scenario) everything worked fine for super tenant. I doubt this is related to the federated scenario. Please have a look and let me know.
>>
>> Thanks!
>>
>> On Fri, Oct 2, 2015 at 8:52 PM, Tharindu Edirisinghe wrote:
>>
>>> Hi Nadeesha,
>>>
>>> For super tenant, sso.agent should be able to decrypt the encrypted SAML assertion. However, there was an issue [1] where, for a tenant, when the tenant encrypts the SAML assertion with the public certificate of the client (i.e. travelocity app), sso.agent could not decrypt the assertion because in the code the private key of travelocity's key store was not getting picked up, because of the particular method called in the OpenSAML library. This was patched some time back for the sso.agent 1.2 version, but we need to check whether the same fix got correctly merged to higher versions (i.e. 1.4). Ideally this should anyway work for super tenant, but we'll check the same scenario more and let you know.
>>>
>>> [1] https://wso2.org/jira/browse/IDENTITY-3186
>>>
>>> Regards,
>>> TharinduE
>>>
>>> On Fri, Oct 2, 2015 at 3:34 PM, Nadeesha Meegoda wrote:
>>>
>>>> Hi Darshana,
>>>>
>>>> Yes, the response is encrypted. Sending the SAML SSO trace attached with the mail.
>>>>
>>>> @Ishara I used wso2carbon as the certificate alias since I'm using the default key stores, and also I'm testing this in super tenant mode. Do I need to import the public certificate of the private key of the travelocity app to the IS keystores in super tenant mode?
>>>>
>>>> On Fri, Oct 2, 2015 at 3:19 PM, Ishara Karunarathna wrote:
>>>>
>>>>> Hi Nadeesha,
>>>>>
>>>>> On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana <darsh...@wso2.com> wrote:
>>>>>
>>>>>> Hi Nadeesha,
>>>>>>
>>>>>> Have you checked whether the assertion is encrypted in the response IS sends back to the travelocity app?
>>>>>>
>>>>>> And please provide the SSO Trace (save as a text file and attach in the mail) for the whole flow.
>>>>>>
>>>>>> Thanks,
>>>>>> Darshana
>>>>>>
>>>>>> On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda wrote:
>>>>>>
>>>>>>> Hi.
>>>>>>>
>>>>>>> I have configured the setup to Login to the Identity Server Using Another Identity Server as per the details in [1] in Super tenant mode. With the happy scenario according to the documentation this works fine. But I have enabled some additional properties in the IDP and the SP used for the IDP as follows:
>>>>>>>
>>>>>>> *Properties enabled for Federated Authenticators* - SAML2 Web SSO Configuration
>>>>>>>
>>>>>>> 1. Enabled Assertion Encryption
>>>>>>> 2. Enable Assertion Signing
>>>>>>> 3. Enable Authentication Response Signing
>>>>>>>
>>>>>>> *Properties enabled for SP used for IDP*
>>>>>>>
>>>>>>> 1. Enabled Assertion Encryption
>>>>>>> 2. Enabled Response Signing
>>>>>>>
>>>>>>> *Properties enabled for SP used for travelocity app*
>>>>>>>
>>>>>>> 1. Enabled Assertion Encryption
>>>>>
>>>>> What is the Certificate Alias you used here? Is that the public key in the travelocity app?
>>>>>
>>>>>>> 2. Enabled Response Signing
>>>>>>>
>>>>>>> In the travelocity.properties file also I have enabled Assertion Encryption, Response signing and Assertion signing. I have already imported the Identity Provider Public Certificate to the IDP.
>>>>>>>
>>>>>>> When I'm signing in to travelocity.com I get the "Unable to decrypt the SAML Assertion" error and the error in [2] in tomcat.
>>>>>>>
>>>>>>> Note that with only "assertion signing" enabled in the IDP I was successfully able to log in and no error was displayed. When I enabled Assertion Encryption this error occurred. Why does this error occur when I enable this property as mentioned above?
>>>>>>>
>>>>>>> Any help regarding this is highly appreciated!
>>>>>>>
>>>>>>> [1] - https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510
>>>>>>>
>>>>>>> [2] - Oct 02, 2015 2:10:47 PM org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app
Hi Nadeesha,

On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana wrote:

> Hi Nadeesha,
>
> Have you checked whether the assertion is encrypted in the response IS sends back to the travelocity app?
>
> And please provide the SSO Trace (save as a text file and attach in the mail) for the whole flow.
>
> Thanks,
> Darshana
>
> On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda wrote:
>
>> Hi.
>>
>> I have configured the setup to Login to the Identity Server Using Another Identity Server as per the details in [1] in Super tenant mode. With the happy scenario according to the documentation this works fine. But I have enabled some additional properties in the IDP and the SP used for the IDP as follows:
>>
>> *Properties enabled for Federated Authenticators* - SAML2 Web SSO Configuration
>>
>> 1. Enabled Assertion Encryption
>> 2. Enable Assertion Signing
>> 3. Enable Authentication Response Signing
>>
>> *Properties enabled for SP used for IDP*
>>
>> 1. Enabled Assertion Encryption
>> 2. Enabled Response Signing
>>
>> *Properties enabled for SP used for travelocity app*
>>
>> 1. Enabled Assertion Encryption

What is the Certificate Alias you used here? Is that the public key in the travelocity app?

>> 2. Enabled Response Signing
>>
>> In the travelocity.properties file also I have enabled Assertion Encryption, Response signing and Assertion signing. I have already imported the Identity Provider Public Certificate to the IDP.
>>
>> When I'm signing in to travelocity.com I get the "Unable to decrypt the SAML Assertion" error and the error in [2] in tomcat.
>>
>> Note that with only "assertion signing" enabled in the IDP I was successfully able to log in and no error was displayed. When I enabled Assertion Encryption this error occurred. Why does this error occur when I enable this property as mentioned above?
>>
>> Any help regarding this is highly appreciated!
>>
>> [1] - https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510
>>
>> [2] - Oct 02, 2015 2:10:47 PM org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
>> SEVERE: An error has occurred
>> org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Unable to decrypt the SAML Assertion
>>     at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:254)
>>     at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:198)
>>     at org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:89)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>     at java.lang.Thread.run(Thread.java:745)
>>
>> Thanks!
>> --
>> *Nadeesha Meegoda*
>> Software Engineer - QA
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>> email : nadees...@wso2.com
>> mobile: +94783639540
>
> --
> Regards,
>
> *Darshana Gunawardana*
> Senior Software Engineer
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com*
> *Mobile: +94718566859*
> Lean . Enterprise . Middleware

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app
Hi Darshana,

Yes, the response is encrypted. Sending the SAML SSO trace attached with the mail.

@Ishara I used wso2carbon as the certificate alias since I'm using the default key stores, and also I'm testing this in super tenant mode. Do I need to import the public certificate of the private key of the travelocity app to the IS keystores in super tenant mode?

On Fri, Oct 2, 2015 at 3:19 PM, Ishara Karunarathna wrote:

> Hi Nadeesha,
>
> On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana wrote:
>
>> Hi Nadeesha,
>>
>> Have you checked whether the assertion is encrypted in the response IS sends back to the travelocity app?
>>
>> And please provide the SSO Trace (save as a text file and attach in the mail) for the whole flow.
>>
>> Thanks,
>> Darshana
>>
>> On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda wrote:
>>
>>> Hi.
>>>
>>> I have configured the setup to Login to the Identity Server Using Another Identity Server as per the details in [1] in Super tenant mode. With the happy scenario according to the documentation this works fine. But I have enabled some additional properties in the IDP and the SP used for the IDP as follows:
>>>
>>> *Properties enabled for Federated Authenticators* - SAML2 Web SSO Configuration
>>>
>>> 1. Enabled Assertion Encryption
>>> 2. Enable Assertion Signing
>>> 3. Enable Authentication Response Signing
>>>
>>> *Properties enabled for SP used for IDP*
>>>
>>> 1. Enabled Assertion Encryption
>>> 2. Enabled Response Signing
>>>
>>> *Properties enabled for SP used for travelocity app*
>>>
>>> 1. Enabled Assertion Encryption
>
> What is the Certificate Alias you used here? Is that the public key in the travelocity app?
>
>>> 2. Enabled Response Signing
>>>
>>> In the travelocity.properties file also I have enabled Assertion Encryption, Response signing and Assertion signing. I have already imported the Identity Provider Public Certificate to the IDP.
>>>
>>> When I'm signing in to travelocity.com I get the "Unable to decrypt the SAML Assertion" error and the error in [2] in tomcat.
>>>
>>> Note that with only "assertion signing" enabled in the IDP I was successfully able to log in and no error was displayed. When I enabled Assertion Encryption this error occurred. Why does this error occur when I enable this property as mentioned above?
>>>
>>> Any help regarding this is highly appreciated!
>>>
>>> [1] - https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510
>>>
>>> [2] - Oct 02, 2015 2:10:47 PM org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
>>> SEVERE: An error has occurred
>>> org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Unable to decrypt the SAML Assertion
>>>     at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:254)
>>>     at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:198)
>>>     at org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:89)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>     at java.lang.Thread.run(Thread.java:745)
>>>
>>> Thanks!
>>> --
>>> *Nadeesha Meegoda*
>>> Software Engineer - QA
>>> WSO2 Inc.; http://wso2.com
Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app
Hi Nadeesha,

Have you checked whether the assertion is encrypted in the response IS sends back to the travelocity app?

And please provide the SSO trace (save it as a text file and attach it to the mail) for the whole flow.

Thanks,
Darshana

--
Regards,
Darshana Gunawardana
Senior Software Engineer
WSO2 Inc.; http://wso2.com
Lean . Enterprise . Middleware

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
[Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app
Hi.

I have configured the setup to Login to the Identity Server Using Another Identity Server as per the details in [1] in super tenant mode. With the happy scenario according to the documentation this works fine. But I have enabled some additional properties in the IDP and in the SP used for the IDP, as follows:

*Properties enabled for Federated Authenticators* - SAML2 Web SSO Configuration

1. Enabled Assertion Encryption
2. Enabled Assertion Signing
3. Enabled Authentication Response Signing

*Properties enabled for SP used for IDP*

1. Enabled Assertion Encryption
2. Enabled Response Signing

*Properties enabled for SP used for travelocity app*

1. Enabled Assertion Encryption
2. Enabled Response Signing

In the travelocity.properties file also I have enabled Assertion Encryption, Response Signing and Assertion Signing. I have already imported the Identity Provider Public Certificate to the IDP.

When I'm signing in to travelocity.com I get an "Unable to decrypt the SAML Assertion" error, and the error in [2] in tomcat.

Note that with only "assertion signing" enabled in the IDP I was successfully able to login and no error was displayed. When I enabled Assertion Encryption this error occurred. Why does this error occur when I enable this property as mentioned above?

Any help regarding this is highly appreciated!
[1] - https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510

[2] -
Oct 02, 2015 2:10:47 PM org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
SEVERE: An error has occurred
org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Unable to decrypt the SAML Assertion
    at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:254)
    at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:198)
    at org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:89)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

Thanks!
--
Nadeesha Meegoda
Software Engineer - QA
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app
Hi Tharindu,

When I tested this with a single IS for SAML SSO (not the federated scenario) everything worked fine for the super tenant. I doubt this is related to the federated scenario. Please have a look and let me know.

Thanks!
Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app
Hi Nadeesha,

For the super tenant, sso.agent should be able to decrypt the encrypted SAML assertion. However, there was an issue [1] where, for a tenant, when the tenant encrypts the SAML assertion with the public certificate of the client (i.e. the travelocity app), sso.agent could not decrypt the assertion, because in the code the private key of travelocity's key store was not getting picked up, due to the particular method called in the OpenSAML library. This was patched some time back for the sso.agent 1.2 version, but we need to check whether the same fix got correctly merged to higher versions (i.e. 1.4). Ideally this should anyway work for the super tenant, but we'll check the same scenario more and let you know.

[1] https://wso2.org/jira/browse/IDENTITY-3186

Regards,
TharinduE

On Fri, Oct 2, 2015 at 3:34 PM, Nadeesha Meegoda wrote:
> Hi Darshana,
>
> Yes, the response is encrypted. Sending the SAML SSO trace attached with
> the mail.
>
> @Ishara I used wso2carbon as the certificate alias since I'm using the
> default key stores, and also I'm testing this in super tenant mode. Do I
> need to import the public certificate of the private key of the travelocity app
> to the IS keystores in super tenant mode?
>
> On Fri, Oct 2, 2015 at 3:19 PM, Ishara Karunarathna wrote:
>> Hi Nadeesha,
>>
>>>> *Properties enabled for SP used for travelocity app*
>>>>
>>>> 1. Enabled Assertion Encryption
>>
>> What is the Certificate Alias you used here? Is that the public key in
>> the travelocity app?
>>
>>>> 2. Enabled Response Signing
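Ishara's alias question and Tharindu's explanation come down to one condition: the certificate the IdP encrypted the session key to must be one the SP agent holds the private key for, otherwise the decrypter reports that no valid decryption key could be resolved. The check below is an added example, not code from this thread, from sso.agent or from OpenSAML: it reads the X509Certificate in each EncryptedKey of a SAML Response and looks it up in a model of the SP keystore, separating "cert known but only as a trusted entry" from "cert unknown". The certificate bytes, keystore contents and response are constructed stand-ins, and it assumes the EncryptedKey's KeyInfo carries an X509Certificate (other KeyInfo forms are not handled).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for DER certificates (not real X.509 data); the check
# compares fingerprints only, so distinct byte strings model distinct certs.
TRAVELOCITY_CERT = b"constructed-der:travelocity-sp-cert"
IS_CERT = b"constructed-der:wso2carbon-idp-cert"
# Constructed model of the SP keystore: alias -> (cert DER, has private key).
# Only an entry holding the private key can unwrap an EncryptedKey made for its cert.
SP_KEYSTORE = {"wso2carbon": (IS_CERT, False),  # IdP cert, trusted-cert entry only
               "travelocity": (TRAVELOCITY_CERT, True)}

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def encrypted_to(response_xml):
    """Fingerprints of the certs named in each xenc:EncryptedKey below saml2:EncryptedAssertion
    (OpenSAML nests it in EncryptedData/KeyInfo, the spec also allows a sibling: search both)."""
    fps = []
    for ea in ET.fromstring(response_xml).iterfind(".//saml2:EncryptedAssertion", NS):
        for ek in ea.iter("{%s}EncryptedKey" % NS["xenc"]):
            for c in ek.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                fps.append(fingerprint(base64.b64decode(c.text.strip())))
    return fps

def resolve_decryption_key(response_xml, keystore):
    """Find the keystore entry whose cert matches the EncryptedKey's KeyInfo AND holds
    the private key; on failure report which of the two conditions was not met."""
    fps = encrypted_to(response_xml)
    if not fps:
        return {"status": "no-x509-key-info", "alias": None, "fingerprint": None}
    failure = None
    for fp in fps:
        hits = [(a, k) for a, (der, k) in keystore.items() if fingerprint(der) == fp]
        for alias, has_key in hits:
            if has_key:
                return {"status": "resolved", "alias": alias, "fingerprint": fp}
        if hits:  # cert is known, but only as a trusted cert: nothing can decrypt
            failure = {"status": "cert-without-private-key", "alias": hits[0][0], "fingerprint": fp}
        elif failure is None:
            failure = {"status": "unknown-certificate", "alias": None, "fingerprint": fp}
    return failure

def build_response(cert_der):
    """Constructed minimal Response whose EncryptedKey names cert_der (CipherValues are placeholders)."""
    b64 = base64.b64encode(cert_der).decode()
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml2="%s" xmlns:xenc="%s" xmlns:ds="%s" '
            'Version="2.0"><saml2:EncryptedAssertion><xenc:EncryptedData><ds:KeyInfo><xenc:EncryptedKey>'
            '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '<xenc:CipherData><xenc:CipherValue>x</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>'
            '</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>x</xenc:CipherValue></xenc:CipherData>'
            '</xenc:EncryptedData></saml2:EncryptedAssertion></samlp:Response>'
            % (NS["samlp"], NS["saml2"], NS["xenc"], NS["ds"], b64))
```

To apply it to a real flow, replace the keystore model with the aliases, certificates and key-entry flags exported from the SP's JKS and feed it the decoded SAMLResponse from the SSO trace; a "cert-without-private-key" result means the encryption certificate configured on the IdP side is one the SP can only verify, not decrypt with.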