Single sign-on - OpenAM (as IdP): SSO login returning NoAuthnContext (unable to log in with SSO)
Below is the IdP metadata file at OpenAM:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityDescriptor entityID="http://myidp.com/openam" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
        <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>miicqd.....0y0q==</ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </KeyDescriptor>
            <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://myidp.com/openam/ArtifactResolver/metaAlias/idp"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://myidp.com/openam/IDPSloRedirect/metaAlias/idp" ResponseLocation="http://myidp.com/openam/IDPSloRedirect/metaAlias/idp"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://myidp.com/openam/IDPSloPOST/metaAlias/idp" ResponseLocation="http://myidp.com/openam/IDPSloPOST/metaAlias/idp"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://myidp.com/openam/IDPSloSoap/metaAlias/idp"/>
            <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://myidp.com/openam/IDPMniRedirect/metaAlias/idp" ResponseLocation="http://myidp.com/openam/IDPMniRedirect/metaAlias/idp"/>
            <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://myidp.com/openam/IDPMniPOST/metaAlias/idp" ResponseLocation="http://myidp.com/openam/IDPMniPOST/metaAlias/idp"/>
            <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://myidp.com/openam/IDPMniSoap/metaAlias/idp"/>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://myidp.com/openam/SSORedirect/metaAlias/idp"/>
            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://myidp.com/openam/SSOPOST/metaAlias/idp"/>
            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://myidp.com/openam/SSOSoap/metaAlias/idp"/>
            <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://myidp.com/openam/NIMSoap/metaAlias/idp"/>
            <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://myidp.com/openam/AIDReqSoap/IDPRole/metaAlias/idp"/>
            <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://myidp.com/openam/AIDReqUri/IDPRole/metaAlias/idp"/>
        </IDPSSODescriptor>
    </EntityDescriptor>
The SP is located at: http://mysp.com/
The SP's auth URL, where the SAML response can be posted, is: http://mysp.com/login
The following request works for SSO login: http://myidp.com/openam/idpssoinit?metaAlias=%2Fidp&spEntityID=mysp.com&binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST&RelayState=http%3A%2F%2Fmysp.com I believe this is OpenAM-specific, not SAML's standard way to authenticate.
When I POST a SAML request to http://myidp.com/openam/SSOPOST/metaAlias/idp it returns the following XML:
    <?xml version="1.0" ?>
    <samlp:Response ID="s2ffea3d194a0d2587fd0cfc9cc8c57fa4a9414159" InResponseTo="_ad466c99-c8b6-4fbf-96c9-922dffc3ea22" IssueInstant="2013-05-03T07:22:34Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://myidp.com/openam</saml:Issuer>
        <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
                <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
                </samlp:StatusCode>
            </samlp:StatusCode>
        </samlp:Status>
    </samlp:Response>
The SAML request posted is the base64-encoded version of the following XML:
    <?xml version="1.0" ?>
    <samlp:AuthnRequest AssertionConsumerServiceURL="http://mysp.com/login" ID="_ad466c99-c8b6-4fbf-96c9-922dffc3ea22" IssueInstant="2013-05-03T12:35:42" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">mysp.com</saml:Issuer>
        <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"/>
        <samlp:RequestedAuthnContext Comparison="exact"/>
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:AuthnRequest>
Since it is working in the first case, I should be able to issue a SAML request. Is there a parameter present in the first request that is not in the 2nd?
AuthnContextClassRef should be inside RequestedAuthnContext. The request should be like this:
    <?xml version="1.0" ?>
    <samlp:AuthnRequest AssertionConsumerServiceURL="http://mysp.com/login" ID="_ad466c99-c8b6-4fbf-96c9-922dffc3ea22" IssueInstant="2013-05-03T12:35:42" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">mysp.com</saml:Issuer>
        <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"/>
        <samlp:RequestedAuthnContext Comparison="exact">
            <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
        </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>
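As an added example (not code from the question, the answer or OpenAM), the following Python builds an AuthnRequest with the class reference nested inside RequestedAuthnContext as the answer describes, checks that nesting on any base64-posted request, and walks the nested StatusCode chain of the Requester/NoAuthnContext response shown in the question. The IDs, timestamps and sample documents are constructed; the NameID format used is one of those advertised in the IdP metadata above.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(req_id, issuer, acs_url, issue_instant, class_ref=PPT):
    """Build an AuthnRequest and return it base64-encoded, as posted to SSOPOST."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": issue_instant,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy", {  # a format the IdP metadata advertises
        "AllowCreate": "true", "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"})
    rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    # The fix from the answer: the class ref is a child of RequestedAuthnContext, not its
    # sibling. The empty RequestedAuthnContext in the question is what OpenAM rejected.
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    return base64.b64encode(ET.tostring(root, encoding="utf-8")).decode("ascii")

def class_ref_nested(saml_request_b64):
    """True only if every AuthnContextClassRef sits under RequestedAuthnContext."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    all_refs = root.findall(f".//{{{SAML}}}AuthnContextClassRef")
    nested = root.findall(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    return bool(all_refs) and len(all_refs) == len(nested)

def status_chain(saml_response_xml):
    """Return the nested StatusCode values of a Response, outermost first."""
    node = ET.fromstring(saml_response_xml).find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    chain = []
    while node is not None:
        chain.append(node.get("Value"))
        node = node.find(f"{{{SAMLP}}}StatusCode")
    return chain

# Constructed samples: the mis-nested request from the question and the IdP's error reply.
BROKEN_REQUEST = base64.b64encode(f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
 ID="_1" Version="2.0" IssueInstant="2013-05-03T12:35:42Z"><saml:Issuer>mysp.com</saml:Issuer>
 <samlp:RequestedAuthnContext Comparison="exact"/>
 <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef></samlp:AuthnRequest>""".encode()).decode()
ERROR_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" InResponseTo="_1"
 IssueInstant="2013-05-03T07:22:34Z"><samlp:Status><samlp:StatusCode Value="{STATUS}Requester">
 <samlp:StatusCode Value="{STATUS}NoAuthnContext"/></samlp:StatusCode></samlp:Status></samlp:Response>"""
```

Running class_ref_nested over the request an SP is about to post catches the sibling layout before the IdP does, and status_chain surfaces the second-level NoAuthnContext code that a check of only the top-level Requester status would hide.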