Anonymous_User

Setting up SSO to Userapp


Trying to set up UserApp to work with our existing SSO application for
other web apps. I imported the metadata file for the connection from
the IDP to the same server as UserApp. I then ran the configupdate.sh
tool, set the auth type to SAML and provided the URL of the metadata XML
file from the IDP. I then restarted the server, downloaded the
spmetadata.xml file and used it to create the IDP connection on the
federation server. Now when I try to sign onto the user app I get the
following error:

One SSO Platform Error
Too many login attempts in a short period of time. Please close the
browser, open a new one, and begin a new authentication.

I have tried clearing the cache and closing the browser but get the same
error. No errors in Catalina or OSP logs. I do see the logs below in the
localhost_access_logs and also when I run the SAML tracer plugin with
Firefox. It looks like OSP is never trying to connect to the IDP server.
I also checked logs on the IDP server and there are no errors there
either.

I read an article that said the RBPM to eDirectory SAML Configuration
under the advanced options in the configupdate tool should be set to
Auto. I have tried setting this several times and hitting OK but every
time I start the configupdate tool it goes back to No Change.

Any ideas on what piece I might be missing or how to troubleshoot?

10.199.225.160 - - [05/Nov/2015:10:06:49 -0600] "GET /osp/a/idm/auth/oauth2/grant?response_type=code&client_id=rbpm&state=94d1f561-a690-4b03-b7ce-69b963ee32ea&redirect_uri=https%3A//serverdns%3A5043/dev/oauth HTTP/1.1" 200 375
10.199.225.160 - - [05/Nov/2015:10:06:49 -0600] "GET /osp/a/idm/auth/app/login?acAuthCardId=eIDPLogin&sid=0 HTTP/1.1" 200 375
10.199.225.160 - - [05/Nov/2015:10:06:49 -0600] "GET /osp/a/idm/auth/app/login?acAuthCardId=eIDPLogin&sid=0 HTTP/1.1" 200 375
10.199.225.160 - - [05/Nov/2015:10:06:49 -0600] "GET /osp/a/idm/auth/app/login?acAuthCardId=eIDPLogin&sid=0 HTTP/1.1" 200 375
10.199.225.160 - - [05/Nov/2015:10:06:49 -0600] "GET /osp/a/idm/auth/app/login?acAuthCardId=eIDPLogin&sid=0 HTTP/1.1" 200 375
10.199.225.160 - - [05/Nov/2015:10:06:49 -0600] "GET /osp/a/idm/auth/app/login?acAuthCardId=eIDPLogin&sid=0 HTTP/1.1" 200 141621
10.199.225.160 - - [05/Nov/2015:10:06:49 -0600] "GET /osp/images/productlogo.png HTTP/1.1" 404 1003


--
CHSB1130
------------------------------------------------------------------------
CHSB1130's Profile: https://forums.netiq.com/member.php?userid=6130
View this thread: https://forums.netiq.com/showthread.php?t=54606

Anonymous_User

Re: Setting up SSO to Userapp


Greetings,

1) With the 4.5 release we only support NAM with SAML to the OSP.

2) When you change the setting to "Auto" and then press OK in
configupdate, we perform the actions necessary in eDirectory at that
time. If that had failed, you would see an error in the terminal that
you launched configupdate in.


--
Sincerely,
Steven Williams
Lead Software Engineer
Micro Focus
Knowledge Partner

Re: Setting up SSO to Userapp

On 11/5/2015 5:04 PM, CHSB1130 wrote:
>
> Trying to setup UserApp to work with our existing SSO application for
> other web apps. I imported the metadata file for the connection from
> the IDP to same server as UserApp. I then ran the configupdate.sh tool
> and set auth type to SAML and provided URL of metadata xml file from
> IDP. I then restarted the server and downloaded the spmetadata.xml file
> and used it to create the IDP connection on the federation server. Now
> when I try to sign onto the user app I get the following error:


What format is the URL for the metadata file?

I have run into this but so many errors are undocumented in OSP that I
forget the answer.

Is the cert from the metadata imported into the keystore used by OSP
(the one you specified in configupdate)? You need to import it with
-trustcacerts.


> One SSO Platform Error
> Too many login attempts in a short period of time. Please close the
> browser, open a new one, and begin a new authentication.


Watching in SAML Tracer, do you ever see a SAML Assert to the IDP?

Is the URL defined for the OSP URL exactly right? (If you forwarded
from 8443 to 443 it gets confusing, since you would think
https://url:443 is valid, but since the browser strips the 443 it is
not, and it needs to be https://url, and stuff like that.)

Did you enable tracing in the OSP log to see if any other hints are there?


Anonymous_User

Re: Setting up SSO to Userapp


Below is the URL of the metadata file. There is a port number in the
URL. If I put this URL in a web browser it shows the XML, so I know the
address is correct.

https://userapp_server:5043/ping_metadata.xml

When I run the SAML Tracer plugin with Firefox the IDP server is never
accessed. It looks like it tries this URL 5 times and then fails.

http://tinyurl.com/psuyd2m HTTP/1.1

I set -Dcom.netiq.idm.osp.logging.level=TRACE in Tomcat's setenv.sh
and restarted Tomcat. Below are some of the error messages in the OSP
log...

[OIDP]
Time: 2015-11-10T14:11:31.832-0600
Level: TRACE
Java Execution:
Class: com.novell.oidp.profile.authentication.MethodProfile
Method: P
Line Number: -1
Thread: http-bio-5043-exec-6
Message: Contract Executable counter: 0, Contract Executable array
length: 1

[OIDP]
Time: 2015-11-10T14:11:31.832-0600
Level: TRACE
Java Execution:
Class: com.novell.oidp.session.NIDPSession
Method: isAuthenticated
Line Number: -1
Thread: http-bio-5043-exec-6
Message: Session Id:
1c2e9dd7f4df4a6ea4b9c9489f7adfdd-5138353C7C30242539
Session has zero consumed authentications! Not Authenticated!
Authenticated: false


[OIDP]
Time: 2015-11-10T14:11:31.832-0600
Level: TRACE
Java Execution:
Class: com.novell.oidp.profile.authentication.MethodProfile
Method: P
Line Number: -1
Thread: http-bio-5043-exec-6
Message: Session is NOT authenticated OR method is NOT valid on session,
so execute Contract Method: SAML2 Method

[OIDP]
Time: 2015-11-10T14:11:31.833-0600
Level: TRACE
Java Execution:
Class: com.novell.oidp.profile.authentication.MethodProfile
Method: A
Line Number: -1
Thread: http-bio-5043-exec-6
Message: Authentication Method executing: SAML2 Method

[OIDP]
Time: 2015-11-10T14:11:31.833-0600
Level: TRACE
Java Execution:
Class: com.novell.oidp.authentication.AuthenticationManager
Method: getCard
Line Number: -1
Thread: http-bio-5043-exec-6
Message: Could not find candidate authentication card with id:
saml2-auth-card
Existing card ids are:
eIDPLogin
name-pwd-login
krb-login


[OIDP]
Time: 2015-11-10T14:11:31.834-0600
Level: TRACE
Java Execution:
Class: com.novell.oidp.profile.authentication.MethodProfile
Method: A
Line Number: -1
Thread: http-bio-5043-exec-6
Message: Authenticated authentication class:
com.novell.oidp.protocol.authentication.classes.IDPAuthenticationClass,
Status: 6

[OIDP]
Time: 2015-11-10T14:11:31.834-0600
Level: TRACE
Java Execution:
Class: com.novell.oidp.profile.authentication.MethodProfile
Method: A
Line Number: -1
Thread: http-bio-5043-exec-6
Message: Authentication Method SAML2 Method requires additional
interaction.

[OIDP]
Time: 2015-11-10T14:11:31.834-0600
Level: TRACE
Java Execution:
Class: com.novell.oidp.profile.authentication.ContractExecutionProfile
Method: exec
Line Number: -1
Thread: http-bio-5043-exec-6
Message: Executing methods returned status: 6

[OIDP]
Time: 2015-11-10T14:11:31.834-0600
Level: TRACE
Java Execution:
Class: com.novell.oidp.profile.LoginProfile
Method: executeContract
Line Number: -1
Thread: http-bio-5043-exec-6
Message: Contract Execution Profile "execute()" returned status: 1

[OIDP]
Time: 2015-11-10T14:11:31.835-0600
Level: TRACE
Java Execution:
Class: com.novell.oidp.session.NIDPSession
Method: removeSessionData
Line Number: -1
Thread: http-bio-5043-exec-6
Message: Removed NIDPSessionData with id: 0

[OIDP]
Time: 2015-11-10T14:11:31.835-0600
Level: TRACE
Java Execution:
Class: com.novell.oidp.servlets.handler.AuthenticationServiceRequestHandler
Method: A
Line Number: -1
Thread: http-bio-5043-exec-6
Message: Persisting session
1c2e9dd7f4df4a6ea4b9c9489f7adfdd-5138353C7C30242539-A45747772-B0D45404C4E5E454C3F383B-CiKwwlDJlUsIBFeXVVwLLEOEUWPcWY/V1ejkvgaKYJZA~
to cookie!

[OIDP]
Time: 2015-11-10T10:32:05.776-0600
Level: ERROR
Java Execution:
Class: com.novell.oidp.servlets.handler.AuthenticationServiceRequestHandler
Method: handleRequest
Line Number: -1
Thread: localhost-startStop-1
Correlation:
Id: c31a523a-47fe-476f-8e4c-bdb038fec947
Message: LocalizableLoggableMessage
Code: com.novell.oidp.session.NIDPSession.markAuthenticationFailed()
[-1]
Thread: http-bio-5043-exec-6
Correlation Id: c31a523a-47fe-476f-8e4c-bdb038fec947
Text: Endless loop detected in authentication. Continue Count: 6, Time
Window: 299


--
CHSB1130
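As an added example (not code from the thread, OSP or NetIQ), the detector below runs over localhost_access_log lines in the shape shown in the first post and flags a client that hits the same acAuthCardId/sid login URL at least 6 times inside 299 seconds, the continue count and time window that the "Endless loop detected" error above reports. The log lines in the block are constructed; the thresholds are assumed to be seconds and are adjustable.

```python
"""Spot the OSP login loop in Tomcat's localhost_access_log.

Added example, not code from the thread, OSP or NetIQ. It reproduces the
pattern in the first post's access log (the same /osp/a/idm/auth/app/login
request repeated from one client within a second or two) and flags it with
the numbers the OSP error reports: 6 continues inside a 299-second window.
The log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Common Log Format as written by Tomcat's AccessLogValve; the request line
# is split into method, path (with query string) and protocol.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["path"])
    qs = parse_qs(url.query)
    return {
        "client": m["client"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": url.path,
        "card": qs.get("acAuthCardId", [None])[0],
        "sid": qs.get("sid", [None])[0],
        "status": int(m["status"]),
    }


def find_auth_loops(lines, max_continues=6, window_s=299):
    """Group login-card hits by (client, card, sid) and report any group that
    reaches max_continues hits inside a sliding window of window_s seconds.
    Defaults are the values in OSP's 'Endless loop detected' error."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].endswith("/auth/app/login") and rec["card"]:
            hits[(rec["client"], rec["card"], rec["sid"])].append(rec["ts"])
    loops = []
    for (client, card, sid), stamps in hits.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Advance the window start until the span fits in window_s.
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= max_continues:
                span = (stamps[end] - stamps[start]).total_seconds()
                loops.append({"client": client, "card": card, "sid": sid,
                              "count": count, "span_s": span})
                break
    return loops


# Constructed sample: one client stuck on the eIDPLogin card (the loop) and
# one client that simply logged in on the second try (not a loop).
LOGIN = '"GET /osp/a/idm/auth/app/login?acAuthCardId=eIDPLogin&sid=0 HTTP/1.1"'
SAMPLE_LOG = "\n".join(
    ['10.0.0.25 - - [05/Nov/2015:10:06:49 -0600] "GET /osp/a/idm/auth/oauth2/grant'
     '?response_type=code&client_id=rbpm&state=abc&redirect_uri=https%3A//'
     'userapp.example.test%3A5043/dev/oauth HTTP/1.1" 200 375']
    + ['10.0.0.25 - - [05/Nov/2015:10:06:%02d -0600] %s 200 375' % (s, LOGIN)
       for s in (49, 49, 49, 50, 50, 50)]
    + ['10.0.0.25 - - [05/Nov/2015:10:06:50 -0600] "GET /osp/images/productlogo.png HTTP/1.1" 404 1003',
       '10.0.0.99 - - [05/Nov/2015:10:07:12 -0600] %s 200 375' % LOGIN,
       '10.0.0.99 - - [05/Nov/2015:10:07:13 -0600] %s 200 141621' % LOGIN]
)

if __name__ == "__main__":
    for loop in find_auth_loops(SAMPLE_LOG.splitlines()):
        print("possible OSP auth loop:", loop)
```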

Knowledge Partner

Re: Setting up SSO to Userapp

On 11/10/2015 3:34 PM, CHSB1130 wrote:
>
> Below is the URL of the metadata file. There is a port number in the
> URL. If I put this URL in a web browser it shows the XML so I know the
> address is correct.
>
> https://userapp_server:5043/ping_metadata.xml
>
> When I run the SAML Tracer plugin with Firefox the IDP server is never
> accessed. Looks like it tries this URL 5 times and then fails.


Stupid TinyURL'er ruined it for me...

> http://tinyurl.com/psuyd2m HTTP/1.1
>
> I set the -Dcom.netiq.idm.osp.logging.level=TRACE in tomcat setenv.sh
> and restarted Tomcat. Below are some of the error messages in the OSP
> log...


I have seen this issue before and am totally blanking on the cause.

Issues I recall:
The cert in that metadata needs to be in the osp.jks (or whatever you
renamed/selected it as in configupdate.sh) as a -trustcacerts import.

Access to the metadata is important.

Also, the URLs in configupdate need to work exactly as typed in the
browser, i.e. to the point that if you had https://ospURL:443 in
configupdate, that would fail, since the browser hides the 443 so the
URL is different.

If you have an internal and external address for this resource, that
won't work; you need to use the address that the URL bar will have on
the web browser in configupdate.



I will say this snippet looks odd:

Message: Could not find candidate authentication card with id:
saml2-auth-card
Existing card ids are:
eIDPLogin
name-pwd-login
krb-login

Almost like you did not properly configure the SAML.



Anonymous_User

Re: Setting up SSO to Userapp


I found a typo in the URL for the metadata and fixed it and restarted
Tomcat, but Tomcat would just hang and not start. Looking at the OSP
logs, the log messages stop when trying to open the metadata URL. I
think the problem is the metadata URL was hosted on the same Tomcat as
OSP, so when it tried to retrieve the URL Tomcat hadn't finished
loading. So I tried to put the URL on another web server on the same
server as OSP but got an error loading it. I also tried 2 other web
servers on different servers but still get this error message:

[OIDP]
Time: 2015-11-11T12:38:40.887-0600
Level: TRACE
Java Execution:
Class: com.novell.oidp.saml2.SAML2Protocol
Method: loadTrustedProvider
Line Number: -1
Thread: localhost-startStop-1
Message: Load of SAML2 Trusted Provider"saml2-idp" Failed because
metadata could not be read: javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: Untrusted Certificate-chain

I copied the URL from all the error messages and tried it in a browser to
make sure it was correct. I also tried URLs with and without :443 for
the port. I even tried to put the URL as file:/// but get an error
message in the log that it has to be http or https. Based on the error
message I thought it might be a cert error, as was pointed out in the
previous post, but realized this was the same error message as when I
had the typo in the URL. So to test, I changed the URL again to a file I
know doesn't exist and get this same error message, so I'm not sure this
message is accurate. It seems clear the problem is the metadata URL is
not loading, but I'm not sure how else to debug it.


--
CHSB1130

Anonymous_User

Re: Setting up SSO to Userapp


Try loading the web server cert from your metadata server into the
cacerts and the osp.jks (I don't remember which it needs to be in). The
other option is to host the metadata on port 80. Java as a client is a
very different beast.


--
schwoerb
------------------------------------------------------------------------
schwoerb's Profile: https://forums.netiq.com/member.php?userid=2338

Knowledge Partner

Re: Setting up SSO to Userapp

Is your metadata URL https? If so, THAT cert needs to be trusted in the
osp keystore.

(This is very painful but once configured is usually fine).


Anonymous_User

Re: Setting up SSO to Userapp


The metadata URL was https and I couldn't get the certs to work, so I
just made it http since it was the same server, and it can now read the
metadata file. When using SAML tracer I can see the request is now being
made to our SSO provider but the request errors out. Looking at the
error message it says:

<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
  <samlp:StatusMessage>Request was invalid XML</samlp:StatusMessage>
  <samlp:StatusDetail>
    <Cause>com.pingidentity.common.util.xml.InvalidXmlException: Invalid XML - errors: [error: cvc-complex-type.3.2.1: Attribute not allowed (no wildcards allowed): target in element AuthnRequest@urn:oasis:names:tc:SAML:2.0:protocol]</Cause>
  </samlp:StatusDetail>
</samlp:Status>

I looked at the logs from the SSO provider and they are the same.
Looking at the SAML request it doesn't look like it is passing the
Entity ID, so my guess is that is what it means by wildcard. Has anyone
seen this error before, or can anyone help me figure out why the SAML
request might be failing?


--
CHSB1130
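The cvc-complex-type.3.2.1 error in the post above is the IdP's schema validator rejecting an attribute (target) that the SAML 2.0 core schema does not define on samlp:AuthnRequest, which has no wildcard attribute. As an added example (not code from the thread, OSP or PingFederate), the Python below lints an AuthnRequest for exactly that class of defect and for a missing saml:Issuer (the SP entityID the poster suspects is absent), and decodes the StatusCode, StatusMessage and Cause from a failed response; the XML documents and hostnames in it are constructed.

```python
"""Lint a SAML 2.0 AuthnRequest and decode a failed samlp:Status.

Added example, not code from the thread, OSP or PingFederate. The IdP in the
last post rejected the request with cvc-complex-type.3.2.1: the schema for
samlp:AuthnRequest allows no wildcard attributes, so anything outside the
SAML 2.0 core attribute list (here 'target') is a hard error.
lint_authn_request() flags such attributes and a missing saml:Issuer (the SP
entityID); parse_status() pulls StatusCode, StatusMessage and Cause out of
the response. All XML documents below are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attributes the SAML 2.0 core schema defines on samlp:AuthnRequest
# (RequestAbstractType plus AuthnRequestType).
ALLOWED_AUTHN_ATTRS = {
    "ID", "Version", "IssueInstant", "Destination", "Consent", "ForceAuthn",
    "IsPassive", "ProtocolBinding", "AssertionConsumerServiceIndex",
    "AssertionConsumerServiceURL", "AttributeConsumingServiceIndex",
    "ProviderName"}
REQUIRED_AUTHN_ATTRS = {"ID", "Version", "IssueInstant"}


def lint_authn_request(xml_text):
    """Return a list of schema problems; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["root element is %s, not samlp:AuthnRequest" % root.tag]
    problems = []
    # ElementTree reports namespaced attributes as '{uri}name'; only plain
    # ones are checked against the schema list (xmlns declarations never
    # appear in .attrib).
    for name in root.attrib:
        if not name.startswith("{") and name not in ALLOWED_AUTHN_ATTRS:
            problems.append("attribute not allowed on AuthnRequest: " + name)
    for name in sorted(REQUIRED_AUTHN_ATTRS - set(root.attrib)):
        problems.append("missing required attribute: " + name)
    if root.get("Version", "2.0") != "2.0":
        problems.append("Version must be 2.0")
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        problems.append("missing saml:Issuer (SP entityID)")
    return problems


def parse_status(xml_text):
    """Return {'code', 'message', 'cause'} from a samlp:Status, or None."""
    root = ET.fromstring(xml_text)
    status = root if root.tag.endswith("}Status") else root.find(".//samlp:Status", NS)
    if status is None:
        return None
    code = status.find("samlp:StatusCode", NS)
    msg = status.find("samlp:StatusMessage", NS)
    cause = None
    detail = status.find("samlp:StatusDetail", NS)
    if detail is not None:
        # Cause is vendor content; match on local name whatever namespace it has.
        for child in detail:
            if child.tag.rsplit("}", 1)[-1] == "Cause":
                cause = (child.text or "").strip()
    return {"code": code.get("Value") if code is not None else None,
            "message": (msg.text or "").strip() if msg is not None else None,
            "cause": cause}


# Constructed request with the stray 'target' attribute and no Issuer;
# hostnames are placeholders.
_HEAD = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" '
         'Version="2.0" IssueInstant="2015-11-12T17:00:00Z" '
         'Destination="https://idp.example.test/sso" '
         'AssertionConsumerServiceURL="https://userapp.example.test:5043/osp/a/idm/auth/saml2/spassertion_consumer"'
         % (NS["samlp"], NS["saml"]))
BAD_REQUEST = _HEAD + ' target="/dev/oauth"></samlp:AuthnRequest>'
GOOD_REQUEST = (_HEAD + '><saml:Issuer>https://userapp.example.test:5043/osp/a/idm/auth/saml2/metadata'
                '</saml:Issuer></samlp:AuthnRequest>')
# The IdP's answer from the last post, wrapped in a minimal samlp:Response.
STATUS_RESPONSE = ('<samlp:Response xmlns:samlp="%s" ID="_r1" Version="2.0" '
                   'IssueInstant="2015-11-12T17:00:01Z"><samlp:Status>'
                   '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>'
                   '<samlp:StatusMessage>Request was invalid XML</samlp:StatusMessage>'
                   '<samlp:StatusDetail><Cause>com.pingidentity.common.util.xml.InvalidXmlException: '
                   'Invalid XML - errors: [error: cvc-complex-type.3.2.1: Attribute not allowed '
                   '(no wildcards allowed): target in element AuthnRequest@%s]</Cause>'
                   '</samlp:StatusDetail></samlp:Status></samlp:Response>'
                   % (NS["samlp"], NS["samlp"]))

if __name__ == "__main__":
    print("bad request:", lint_authn_request(BAD_REQUEST))
    print("good request:", lint_authn_request(GOOD_REQUEST) or "OK")
    print("IdP status:", parse_status(STATUS_RESPONSE))
```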
