cloudstack-users mailing list archives

From Rohit Yadav <rohit.ya...@shapeblue.com>
Subject RE: ADFS + CloudStack problem
Date Thu, 12 May 2016 07:17:36 GMT
Igor, have you added CloudStack's SP metadata to your MS ADFS SAML IDP? You'll need to authorize
CloudStack SP first.
I've not configured or tested MS ADFS with CloudStack's SAML plugin but I know Erik has more
experience with the configuration/authorization.

Regards,

Rohit Yadav

rohit.yadav@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS, UK
@shapeblue

-----Original Message-----
From: Igor S. Lopes [mailto:igor@rsantos.eti.br] 
Sent: Wednesday, May 11, 2016 5:44 PM
To: users <users@cloudstack.apache.org>
Subject: Re: ADFS + CloudStack problem

Thanks for your answer

I'd like to share some stuff that I found this morning. 

Take a look at those two error scenarios with the IDs captured from the Tracer's output:


Scenario 1:

  SAML Tracer's captured ID="eiki1dt3f3msjcgaeilge51odfo0hkqu"

  When the ID starts with a letter, the ADFS gives the following authentication error:

  Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0037: No signature verification certificate found for issuer 'org.apache.cloudstack'.
   em Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   em Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   em Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
  
  Which I believe is a certificate-related error; since I'm still learning how to properly
generate a self-signed certificate using OpenSSL, I was expecting this to happen. But there
is another scenario where the previously reported error appears.



Scenario 2:

  Tracer's captured ID="5085t333p0nqg619mdulj6fe253ks9kg"

  System.Xml.XmlException: MSIS0018: The SAML protocol message cannot be read because it contains data that is not valid. ---> System.ArgumentException: ID4128: The value is not a valid SAML ID.
  Parameter name: value ---> System.Xml.XmlException: Name cannot begin with the '5' character, hexadecimal value 0x35.
   em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
   em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   --- End of inner exception stack trace ---
   em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
   --- End of inner exception stack trace ---
   em (...)

  Which is the same error I reported before but this time the ID starts with a 5 instead of
a 7.



I did some checking and, if I'm not mistaken, the XML 1.1 standard defines the following for
its objects' XML IDs:

'An xml:id processor must assure that the following constraints hold for all xml:id attributes:

  The normalized value of the attribute is an NCName according to the Namespaces in XML Recommendation
which has the same version as the document in which this attribute occurs (NCName for XML
1.0, or NCName for XML 1.1).'

Which leads us to the following Namespaces' grammar:

[4]   NCName ::= NCNameStartChar NCNameChar*   /* An XML Name, minus the ":" */

Am I wrong, or does this say ALL XML IDs MUST start with a letter? Could this be a bug in CloudStack's
SAML plugin?

Sorry for the long answer and the bad English.



Igor Steuck Lopes
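As an added example (not code from this thread, from CloudStack or from ADFS), here is the NCName rule Igor quotes applied to the two IDs captured above, together with an ID generator that cannot produce a digit-first ID; the AuthnRequest it parses is a constructed sample, and the failure reason is worded like the ADFS error text seen earlier in the thread.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# NCName ::= NCNameStartChar NCNameChar*  (Namespaces in XML: an XML Name minus ':').
# Ranges follow XML 1.0 5th edition. Digits, '-', '.' and U+00B7 are NOT start characters,
# which is why an ID such as "5085t..." is rejected while "eiki1..." is accepted.
_START = (r"A-Za-z_\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF"
          r"\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD"
          r"\U00010000-\U000EFFFF")
_REST = _START + r"0-9.\-\u00B7\u0300-\u036F\u203F-\u2040"
_NCNAME_RE = re.compile(f"[{_START}][{_REST}]*")
_START_RE = re.compile(f"[{_START}]")

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"

def is_ncname(value: str) -> bool:
    """True if value is a legal NCName, i.e. a legal xs:ID and therefore a legal SAML ID."""
    return bool(value) and _NCNAME_RE.fullmatch(value) is not None

def explain_saml_id(value: str) -> str:
    """Return 'ok', or a reason worded like the ID4128 / XmlException text ADFS logs."""
    if is_ncname(value):
        return "ok"
    if not value:
        return "empty ID"
    c = value[0]
    if not _START_RE.fullmatch(c):
        return f"Name cannot begin with the '{c}' character, hexadecimal value 0x{ord(c):02X}."
    return "ID contains a character that is not allowed in an NCName"

def authn_request_id_problem(xml_text: str) -> str:
    """Pull the ID attribute off a captured AuthnRequest (as SAML Tracer shows it) and check it."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2P}}}AuthnRequest":
        return "not an AuthnRequest"
    return explain_saml_id(root.get("ID", ""))

def new_saml_id(nbytes: int = 20) -> str:
    """Random ID that is always an NCName: the '_' prefix guarantees a legal start
    character even when the hex body happens to begin with a digit."""
    return "_" + secrets.token_hex(nbytes)

# Constructed sample request carrying the second ID captured in the thread (hypothetical input).
SAMPLE_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                  'ID="5085t333p0nqg619mdulj6fe253ks9kg" Version="2.0" '
                  'IssueInstant="2016-05-11T12:00:00Z"/>')

if __name__ == "__main__":
    for sample in ("eiki1dt3f3msjcgaeilge51odfo0hkqu", "5085t333p0nqg619mdulj6fe253ks9kg", new_saml_id()):
        print(sample, "->", explain_saml_id(sample))
    print("captured request ->", authn_request_id_problem(SAMPLE_REQUEST))
```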



----- Original Message -----
From: "Erik Weber" <terbolous@gmail.com>
To: "users" <users@cloudstack.apache.org>
Sent: Tuesday, May 10, 2016 17:57:39
Subject: Re: ADFS + CloudStack problem

Thanks, the error message seems to come from the ADFS server. Could you intercept the SAML
process?
For Firefox there is a plugin called 'SAML Tracer'; getting the output of that could give
us some hints.

--
Erik

On Tue, May 10, 2016 at 10:35 PM, Igor S. Lopes <igor@rsantos.eti.br> wrote:

> Hi, thank you for your answer. Here is the translated error message:
>
> System.Xml.XmlException: MSIS0018: The SAML protocol message cannot be read because it contains data that is not valid. ---> System.ArgumentException: ID4128: The value is not a valid SAML ID.
> Parameter name: value ---> System.Xml.XmlException: Name cannot begin with the '7' character, hexadecimal value 0x37.
>    em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>  --- End of inner exception stack trace ---
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>    em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
>  --- End of inner exception stack trace ---
>    em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
>    em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
>    em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
>    em Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
>    em Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
>    em Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
>    em Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
>    em Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
>    em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
>    em Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
>    em Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
>
> System.ArgumentException: ID4128: The value is not a valid SAML ID.
> Parameter name: value ---> System.Xml.XmlException: Name cannot begin with the '7' character, hexadecimal value 0x37.
>    em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>  --- End of inner exception stack trace ---
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>    em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
>
> System.Xml.XmlException: Name cannot begin with the '7' character, hexadecimal value 0x37.
>    em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>
> There is a huge chance that I configured something wrong.
>
> Igor Steuck Lopes
>
>
> ----- Original Message -----
> From: "Erik Weber" <terbolous@gmail.com>
> To: "users" <users@cloudstack.apache.org>
> Sent: Tuesday, May 10, 2016 17:24:13
> Subject: Re: ADFS + CloudStack problem
>
> I haven't tried since I wrote that post, but it worked back then.
>
> Any chance that you could translate the error messages?
>
> Erik
>
> On Tuesday, 10 May 2016, Igor S. Lopes <igor@rsantos.eti.br>
> wrote:
>
> > Hi,
> > I am working with CloudStack and I'm intending to use it as a 
> > Service Provider connected through SSO with our Active Directory 
> > Federation Service.
> > I have no idea how to allow CloudStack to authenticate on the ADFS.
> > I tried to follow this guide
> >
> http://www.terbolo.us/2015/06/how-to-set-up-apache-cloudstack-4-5-24-6-0-and-saml-2-0-authentication-against-microsoft-adfs/
> > but a few problems showed up:
> >
> > 1 - Even though I had set the URL metadata to https://<domain>/FederationMetadata/2007-06/FederationMetadata.xml
> > when I checked /var/log/cloudstack/management/management-server.log
> > for error messages I saw a few saying that CloudStack couldn't 
> > retrieve the metadata file. So I did it manually.
> >
> > 2 - I configured the ADFS claims as shown in the 'how-to' but the 
> > following error message shows up in my ADFS Event Logs. I already 
> > spent a couple of hours browsing about this error but nothing really 
> > useful came up:
> >
> > Error code: 364
> > (...)
> > System.Xml.XmlException: MSIS0018: Não é possível ler a mensagem do protocolo SAML porque ela contém dados inválidos. ---> System.ArgumentException: ID4128: O valor não é um ID de SAML válido.
> > Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não pode ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> > em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > --- Fim do rastreamento de pilha de exceções internas ---
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
> > --- Fim do rastreamento de pilha de exceções internas ---
> > em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
> > em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
> > em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
> > em Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
> > em Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
> > em Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
> > em Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
> > em Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
> > em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
> > em Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
> > em Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
> >
> > System.ArgumentException: ID4128: O valor não é um ID de SAML válido.
> > Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não pode ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> > em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > --- Fim do rastreamento de pilha de exceções internas ---
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
> >
> > System.Xml.XmlException: Um nome não pode ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> > em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> >
> >
> > There are a few parts in Brazilian Portuguese, sorry about that.
> > Did anyone succeed in connecting CloudStack to an ADFS using the 
> > SAML plugin?
> >
> > Thank you in advance.
> >
> > Igor Steuck Lopes
> >
> > --
> > This email was checked by SOPHOS UTM 9 SPAM & Virus Firewall.
> > http://www.rsantos.eti.br
> >
>
>
