  • HTTP Status 401 - Authentication Failed: Error validating SAML message

    Hi everyone, I have a problem like this:

    I can do SSO with my project on localhost, but when I deploy its war file to a Tomcat server on the internet it does not work. In detail: when I choose the IDP and click on the login button it redirects to the web portal. After that I input my username and password to log in and it returns a 401 Error Authentication Failed. It's strange because my project works well on localhost. Please help me with this problem.

    Thanks & Regards.


  • #2
    Hi,

    Can you please check the server logs, there should be additional information about the error. You can also enable additional logging (steps in manual chapter 7.1) and post the result.

    One typical issue causing this is a difference between time of your server and IDP. Enabling NTP makes this go away.

    Cheers, Vladi



    • #3
      Hi Vladi, this is the error log on my server.
      - FrameworkServlet 'saml': initialization completed in 565 ms
      - No default metadata configured, generating with default values, please pre-configure metadata for production use
      - Created default metadata for system with entityID: mysample.com
      - AuthNRequest;SUCCESS;125.88.132.103
      - PKIX path construction failed for untrusted credential: [subjectName='1.2.840.113549.1.9.1=#1612696e666f4073736f636972636c652e6e6574,CN=idp.ssocircle.com,C=DE,2.5.4.13=#13105938423563597061365a4d466361374f' |credential entityID='http://idp.ssocircle.com']: unable to find valid certification path to requested target
      - SAML protocol message was not signed, skipping XML signature processing
      - SAML protocol message was not signed, skipping XML signature processing
      - AuthNResponse;FAILURE;125.88.132.103
      - AuthNRequest;SUCCESS;125.88.132.103
      - AuthNRequest;SUCCESS;125.88.132.103
      - SAML protocol message was not signed, skipping XML signature processing
      - SAML protocol message was not signed, skipping XML signature processing
      - AuthNResponse;FAILURE;125.88.132.103
      - AuthNRequest;SUCCESS;125.88.132.103
      - SAML protocol message was not signed, skipping XML signature processing
      - SAML protocol message was not signed, skipping XML signature processing
      - AuthNResponse;FAILURE;125.88.132.103
      Last edited by duybinh0208; Feb 28th, 2013, 02:27 AM.



      • #4
        Still can't see the exact problem from here. Can you please enable the tracing?

        -V



        • #5
          I think the error is "PKIX path construction failed for untrusted credential: [subjectName='1.2.840.113549.1.9.1=#1612696e666f4073736f636972636c652e6e6574,CN=idp.ssocircle.com,C=DE,2.5.4.13=#13105938423563597061365a4d466361374f' |credential entityID='http://idp.ssocircle.com']: unable to find valid certification path to requested target". But I don't know how to resolve it. Can you see this error?



          • #6
            Hi Vladi, I have a question.
            When I download the spring-security-saml2-sample project, I see that the samlKeystore.jks file is available in this project.
            But if I deploy this project to a Tomcat server (on the internet), do I need to generate a new keystore for it?



            • #7
              Hi,

              Yes, I saw it, but the exception is present only in the first SSO attempt; the second attempt doesn't have it anymore, and getting more logs might reveal the reason for it. Also, a few revisions back there was a fix for a situation where this error is displayed even in cases when PKIX validation ultimately succeeds, and I'm not sure whether that might be your case.

              You should generate a new private key for a production instance, but it's not mandatory. In other words, you can deploy the default samlKeystore.jks at a server and expect it to work.

              The PKIX validation can fail, e.g., when the IDP or SP certificate is expired, the IDP metadata is not imported correctly, or a CA certificate for the SSL/TLS connection is not imported into the keystore.

              Vladi

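              For the PKIX causes Vladi lists above (and the "PKIX path construction failed" line in the log in #3), here is an added stand-alone diagnostic; it is not code from this thread or from the Spring Security SAML project. It loads the SP keystore as the trust store, flags certificates that are expired or not yet valid, and then tries to build a PKIX path from the IdP signing certificate, which is what the extension's PKIX trust engine does. The keystore path, its password (use the one configured on your JKSKeyManager bean) and the exported IdP certificate file are placeholder arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example, not from the thread: reproduces the PKIX check outside Tomcat.
// Usage: java PkixCheck samlKeystore.jks <keystore-password> idp-signing.pem
public class PkixCheck {
    public static void main(String[] args) throws Exception {
        String ksPath = args.length > 0 ? args[0] : "samlKeystore.jks";        // placeholder
        char[] ksPass = (args.length > 1 ? args[1] : "KEYSTORE_PASSWORD").toCharArray(); // placeholder
        String idpCertPath = args.length > 2 ? args[2] : "idp-signing.pem";     // placeholder

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(ksPath)) { ks.load(in, ksPass); }

        // 1) Every certificate in the keystore becomes a trust anchor; report
        //    validity, since an expired cert is one of the causes named above.
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            String status = "valid";
            try { x.checkValidity(); } catch (CertificateException e) { status = "NOT VALID: " + e; }
            System.out.printf("%-20s %s (%s)%n", alias, x.getSubjectX500Principal(), status);
            anchors.add(new TrustAnchor(x, null));
        }

        // 2) Try to build a path from the IdP certificate to one of those anchors.
        //    Failure here is exactly "unable to find valid certification path".
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate idp;
        try (InputStream in = new FileInputStream(idpCertPath)) {
            idp = (X509Certificate) cf.generateCertificate(in);
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(idp);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false); // the sample configures no CRL/OCSP checking
        // Intermediate CA certs from the IdP metadata would be added to this store as well.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(idp))));
        try {
            CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("PKIX path OK for " + idp.getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("PKIX path construction failed: " + e.getMessage());
            System.out.println("Import the IdP certificate (or its issuing CA) into " + ksPath);
        }
    }
}
```

              The third cause above, the CA of an https metadata URL, is checked the same way by pointing the last argument at that endpoint's CA certificate.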


              • #8
                HTTP Status 401 - Authentication Failed: Error validating SAML message

                Hi Vladi, this is my securityContext.xml file. I wonder if I configured something else wrong? Can you review it for me? Thank you very much.




                • #9
                  Hi, the config looks ok to me. The PKIX validation depends more on the content of your KeyStore. I'd really go with the extra logging and see what exactly fails... Also, do you have a different entityId between your local and server environments? Have you correctly updated the IDP metadata? Perhaps there's some inconsistency in the namings.



                  • #10
                    I just updated the IDP metadata in securityContext.xml like this:

                    <!-- Metadata manager that caches the IDP metadata fetched over HTTP -->
                    <bean id="metadata"
                        class="org.springframework.security.saml.metadata.CachingMetadataManager">
                        <constructor-arg>
                            <list>
                                <!-- Pulls the IDP metadata from the URL; the int is the request timeout in ms -->
                                <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                                    <constructor-arg>
                                        <value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value>
                                    </constructor-arg>
                                    <constructor-arg>
                                        <value type="int">5000</value>
                                    </constructor-arg>
                                    <property name="parserPool" ref="parserPool" />
                                </bean>
                            </list>
                        </constructor-arg>
                    </bean>

                    Do I update it correctly?



                    • #11
                      I don't see any problem in the metadata declaration in the code above. What I had in mind in the previous post is updating your SP metadata on the IDP side.

                      V.



                      • #12
                        I just named the entityID of the service metadata "mysample.com", and this SP metadata can be imported by the SSOCircle IDP. Furthermore, I can log in successfully on localhost. Thus, I think my entityID is right. But I don't understand why my project cannot do SSO when I deploy it to the real server (on the internet).
                        Last edited by duybinh0208; Feb 28th, 2013, 11:11 AM.



                        • #13
                          Do you use exactly the same URLs to access your application when deploying on localhost as when you deploy on the real server (e.g. http://www.myserver.com/app)? This is a prerequisite for your configuration to work. Otherwise you need to generate two separate metadata documents, one for your localhost config and another for your server config, use a different entityID for each of them, and import them both into the IDP.

                          Vladi



                          • #14
                            Hi Vladi,
                            1) In localhost: http://localhost:8080/my_sample_v2/s...urnIDParam=idp
                            2) In real server: https://myserver.com/my_sample_v2/sa...urnIDParam=idp
                            3) In securityContext.xml I just configured the default SP metadata with the entityID "mysample.com" like this:
                            <!-- Generates the SP metadata on first access; entityId must match what the IDP has imported -->
                            <bean id="metadataGeneratorFilter"
                                class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
                                <constructor-arg>
                                    <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                                        <property name="entityId" value="mysample.com" />
                                        <property name="signMetadata" value="false" />
                                    </bean>
                                </constructor-arg>
                            </bean>
                            4) First, I go to www.ssocircle.com and remove localhost's metadata. Second, I run my project on the real server and it automatically generates the default SP metadata. After that I just copy this SP metadata and import it into SSOCircle.com. Is anything else wrong here?
                            Last edited by duybinh0208; Feb 28th, 2013, 08:48 PM.



                            • #15
                              Hi Vladi, I just tested my project on another server (using http) and it works well, but with the old server (using https) it still gives the 401 error. I think the problem is the difference between http and https (SSL). What do you think about this problem?
