  • No inbound message in artifact response

    I am running the sample app with an AD FS IDP. The debug log shows:

    No inbound message in artifact response message.
    Could not decode artifact response message.
    org.opensaml.ws.message.decoder.MessageDecodingException: No inbound message in artifact response message.
    at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:110)

    Does this indicate a misconfiguration on the AD FS side or a decryption error on my side? Any help in what could be the possible issues is much appreciated.

    Thanks,
    Mark

  • #2
    Hi Mark,

    The best thing to do is enable full logging (chapter 7.1 in the manual) and possibly post the result here. The ArtifactResponse to be found in the logs might contain more information in the status code. I don't think it's a decryption error, rather IDP understands the request, but refuses to provide the assertion (e.g. when artifact is no longer valid).

    Vladi

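As an added illustration of the check suggested above (this is not code from the thread or from the Spring Security SAML project), the following Java program reads an ArtifactResponse as it would appear in the SP's debug log and prints the top-level and second-level StatusCode values plus whether any protocol message is embedded. The opensaml error "No inbound message in artifact response message" is exactly the case where the Status is present but no embedded message follows it. The sample XML, the issuer URL and the IDs inside it are constructed placeholders; pass a file path as the first argument to inspect a real logged response instead.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/** Reports the status of a logged ArtifactResponse and whether it carries an embedded message. */
public class ArtifactResponseInspector {

    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample (not a real capture): Success status, but no embedded samlp:Response.
    // This is the shape that produces "No inbound message in artifact response message" at the SP.
    static final String SAMPLE_NO_MESSAGE =
        "<samlp:ArtifactResponse xmlns:samlp=\"" + SAMLP + "\" xmlns:saml=\"" + SAML + "\""
        + " ID=\"_ar-example\" Version=\"2.0\" IssueInstant=\"2012-01-01T00:00:00Z\""
        + " InResponseTo=\"_resolve-example\">"
        + "<saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>"
        + "<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status>"
        + "</samlp:ArtifactResponse>";

    public static void main(String[] args) throws Exception {
        String xml = args.length > 0
            ? new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.UTF_8)
            : SAMPLE_NO_MESSAGE;
        System.out.println(inspect(xml));
    }

    /** Returns a short diagnosis of the given ArtifactResponse XML. */
    static String inspect(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Logged SAML never needs a DTD; refusing one blocks XXE if the file came from an untrusted source.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();
        if (!SAMLP.equals(root.getNamespaceURI()) || !"ArtifactResponse".equals(root.getLocalName())) {
            return "Not an ArtifactResponse: " + root.getNodeName();
        }

        StringBuilder out = new StringBuilder();
        Element status = child(root, SAMLP, "Status");
        if (status == null) {
            out.append("Status: missing (malformed response)\n");
        } else {
            Element code = child(status, SAMLP, "StatusCode");
            out.append("Status: ").append(code == null ? "?" : code.getAttribute("Value")).append('\n');
            Element sub = code == null ? null : child(code, SAMLP, "StatusCode");
            if (sub != null) out.append("  second-level code: ").append(sub.getAttribute("Value")).append('\n');
            Element msg = child(status, SAMLP, "StatusMessage");
            if (msg != null) out.append("  message: ").append(msg.getTextContent().trim()).append('\n');
        }

        // The embedded protocol message is any child that is not part of the StatusResponseType envelope.
        Element embedded = null;
        for (Node n = root.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() != Node.ELEMENT_NODE) continue;
            String local = n.getLocalName();
            if ("Issuer".equals(local) || "Signature".equals(local)
                    || "Extensions".equals(local) || "Status".equals(local)) continue;
            embedded = (Element) n;
            break;
        }
        if (embedded == null) {
            out.append("Embedded message: none -> the IdP answered the resolve request but returned no assertion; "
                     + "check its artifact storage and whether the artifact was already used or had expired");
        } else {
            out.append("Embedded message: ").append(embedded.getLocalName());
        }
        return out.toString();
    }

    /** First direct child element of parent with the given namespace and local name, or null. */
    static Element child(Element parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        return null;
    }
}
```

Only direct children of the root are examined, because a Status element also appears inside an embedded Response and must not be mistaken for the artifact resolution status itself.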

    • #3
      I am having the same issue. Here is the output from the log file ...

      - Successfully decoded message.
      - Checking SAML message intended destination endpoint against receiver endpoint
      - SAML message intended destination endpoint in message was empty, not required by binding, skipping
      - No inbound message in artifact response message.
      - Could not decode artifact response message.
      org.opensaml.ws.message.decoder.MessageDecodingException: No inbound message in artifact response message.
      at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:110)
      at org.opensaml.saml2.binding.decoding.HTTPArtifactDecoderImpl.doDecode(HTTPArtifactDecoderImpl.java:94)
      at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79)
      at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
      at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
      at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
      at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:77)
      at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
      at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
      at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
      at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
      at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
      at java.lang.Thread.run(Thread.java:662)
      - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Error decoding incoming SAML message
      - Updated SecurityContextHolder to contain null Authentication
      - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@76899322


      • #4
        Hi,

        Same applies here, please enable debug logging per chapter 7.1 in the manual so we can see the full SAML messages being exchanged. Also, please check whether there are any errors on the ADFS side (I presume you use ADFS as well?).

        Vladi


        • #5
          Looks like this may be a part of the problem - I am seeing this error in the ADFS 2.0 logs in Windows ...

          Cannot get the artifact from storage. See exception message for more details.
          ArtifactId: 1D89274053F0CF08130014E86C802C1626EA2086
          Inner exception details:
          MSIS3106: SQL command returns no result when looking for artifact.

          User Action
          Ensure that the artifact storage in the AD FS 2.0 configuration database is configured properly.
          Troubleshoot connectivity to the artifact storage in the AD FS 2.0 configuration database.


          • #6
            I changed to POST binding with <property name="assertionConsumerIndex" value="1"/> in WebSSOProfileOptions. That got a successful Assertion from AD FS but introduced the InResponseTo problem (see my recent post).

            Mark


            • #7
              I went ahead and added mls's last post and it changed the error to the following in catalina.out (enabled logging ...

              - Executing metadata refresh task
              - Request is to process authentication
              - Attempting SAML2 authentication using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
              - Using SP https://tomcat.example.com:8443/spri...s/defaultAlias specified in request with alias defaultAlias
              - Checking child metadata provider for entity descriptor with entity ID: https://tomcat.example.com:8443/spri...s/defaultAlias
              - Searching for entity descriptor with an entity ID of https://tomcat.example.com:8443/spri...s/defaultAlias
              - Metadata document did not contain a descriptor for entity https://tomcat..com:8443/spring-secu...s/defaultAlias
              - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity https://tomcat.example.com:8443/spri...s/defaultAlias
              - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity https://tomcat.example.com:8443/spri...s/defaultAlias
              - Checking child metadata provider for entity descriptor with entity ID: https://tomcat.example.com:8443/spri...s/defaultAlias
              - Searching for entity descriptor with an entity ID of https://tomcat.example.com:8443/spri...s/defaultAlias
              - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
              - Processing PrivateKeyEntry from keystore
              - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
              - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
              - Processing PrivateKeyEntry from keystore
              - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
              - Retrieving message using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
              - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
              - Decoded SAML relay state of: null
              - Getting Base64 encoded message from request
              - Parsing message stream into DOM document
              - Unmarshalling message DOM
              - Message succesfully unmarshalled
              - Decoded SAML message
              - Extracting ID, issuer and issue instant from status response
              - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
              - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
              - HTTP request was not signed via simple signature mechanism, skipping
              - SAML protocol message was not signed, skipping XML signature processing
              - Successfully decoded message.
              - Checking SAML message intended destination endpoint against receiver endpoint
              - Intended message destination endpoint: https://tomcat.example.com:8443/spri...s/defaultAlias
              - Actual message receiver endpoint: https://tomcat.example.com:8443/spri...s/defaultAlias
              - SAML message intended destination endpoint matched recipient endpoint
              - Verifying issuer of the message
              - Decrypting assertion
              - Getting key iterator from next resolver: class org.opensaml.xml.encryption.InlineEncryptedKeyResolver
              - Found matching encrypted key: org.opensaml.xml.encryption.impl.EncryptedKeyImpl@31b191c4
              - Added decryption key algorithm criteria: RSA
              - Error decrypting the encrypted data element
              org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
              Original Exception was java.security.InvalidKeyException: Illegal key size


              • #8
                org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
                Original Exception was java.security.InvalidKeyException: Illegal key size
                You may need to install the Unlimited Strength Jurisdiction Policy Files, see chapter 3.1 of the manual.

                Cheers,
                Vladi

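The "Illegal key size" diagnosis above can be confirmed on the SP's JVM before touching any SAML configuration. The following Java program is an added example, not code from the thread or the Spring Security SAML project: it asks the JCE what AES key length the installed jurisdiction policy permits and then attempts the AES-256 initialisation that fails under the restricted policy, which is the same InvalidKeyException the log shows wrapped in XMLEncryptionException. The all-zero key and IV are constructed for the length check only. On JDK 8u161 and later the unlimited policy is the default, so there the check simply passes.

```java
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Checks whether this JVM's jurisdiction policy allows the AES key sizes used for encrypted assertions. */
public class JcePolicyCheck {

    /** Largest AES key length in bits the policy allows; Integer.MAX_VALUE means unlimited. */
    static int maxAesKeyLength() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** Initialises AES with a 256-bit key, the step that throws "Illegal key size" under the restricted policy. */
    static boolean canUseAes256() throws Exception {
        byte[] keyBytes = new byte[32]; // constructed all-zero key: only its length matters here
        byte[] iv = new byte[16];       // constructed all-zero IV, likewise
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes, "AES"), new IvParameterSpec(iv));
            return true;
        } catch (InvalidKeyException e) {
            // Same exception the SP log reports as "Original Exception was java.security.InvalidKeyException"
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        int max = maxAesKeyLength();
        System.out.println("Max AES key length allowed by policy: "
            + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        if (canUseAes256()) {
            System.out.println("AES-256 usable: assertions encrypted with a 256-bit key can be decrypted here.");
        } else {
            System.out.println("AES-256 blocked: install the Unlimited Strength Jurisdiction Policy Files "
                + "(manual chapter 3.1) on this JVM.");
        }
    }
}
```

Run it with the same JVM that hosts Tomcat, since the policy files are installed per JRE; a passing result from a different Java installation on the same machine proves nothing about the one that fails.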