Play-pac4j with wso2is throws "IDP Metadata cannot be null"

0
votes

I need a little help with this. I'm use this project (play-pac4j-scala-demo) to test my wso2is SAML server, the only change that I make is in the openidp-feide.xml file, replaced with this content:

    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://localhost:9443/samlsso" validUntil="2023-09-23T06:57:15.396Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data >
          <ds:X509Certificate >
            MIIEVTCCAz2gAwIBAgIQIzI6SPzN4kG8sJ2/gY6QDTANBgkqhkiG9w0BAQsFADCB
            hDE7MDkGA1UECwwyZ2VuZXJhdGVkIGJ5IGF2YXN0ISBhbnRpdmlydXMgZm9yIFNT
            TC9UTFMgc2Nhbm5pbmcxHzAdBgNVBAoMFmF2YXN0ISBXZWIvTWFpbCBTaGllbGQx
            JDAiBgNVBAMMG2F2YXN0ISBXZWIvTWFpbCBTaGllbGQgUm9vdDAeFw0xNTAxMjAy
            MDA2MzlaFw0xNjAxMjAyMDA2MzlaMD8xITAfBgNVBAsTGERvbWFpbiBDb250cm9s
            IFZhbGlkYXRlZDEaMBgGA1UEAwwRKi5qZndlYnBvcnRhbC5jb20wggEiMA0GCSqG
            SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvNSZgsBqc+0iEQL//mc/sWCKsTQTnxCEs
            4FL4JN7RzoV0rftB0XkxxSdss66YeSwZ1/hN8hNkswDyL9ttlsum8r4brirJdRgI
            XaXYj5gzGKWa5fhbQjeUQ3FqXQbM+ytnHvUvD4JqRgs3ccXEpHf35dk/2MtveI0b
            us8IeCbvrScerbG5a6zdz2pPmlh5jRc/MQ8mHWQjYZTf4/hLMZR2iXzVAhCD59BG
            aPAWUBbv4uz44xs288QDhA8Ty0+M0fHNxH6v5v1AFENMaMVwoeLb8d2VkFZK+1nm
            kRTgGeVupab3k4+3XlV7QKD9EqsfDso+oAiRIrvvmAXC3BMkwEflAgMBAAGjggEF
            MIIBATAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
            AjAOBgNVHQ8BAf8EBAMCBaAwUwYDVR0gBEwwSjBIBgtghkgBhv1tAQcXATA5MDcG
            CCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9z
            aXRvcnkvMB8GA1UdIwQYMBaAFBlpv0JwXwGkdtayZXqLgJRKp/VxMC0GA1UdEQQm
            MCSCESouamZ3ZWJwb3J0YWwuY29tgg9qZndlYnBvcnRhbC5jb20wHQYDVR0OBBYE
            FBpRAaygfEl1uFhj8ijqTcjA71V0MA0GCSqGSIb3DQEBCwUAA4IBAQCT7CS4yUUd
            VI+oE7KGsGmTgtjEc7Ui211v5f6HUmscz2g/udFJwppKkutoRVovrVl6S64LVIpY
            pgmwDCreBwxhwmn+x4W1GpQ97R9PLTW2QAh5AoBbUCT8y/RbLvxY9W9Qz5gj5RIi
            NRi7i2J/omo/qh5mQfC6WRmHz91mKSv6+Ts5S+PGB30kkezYXc7KG/1z4L7nBlLs
            brsIcG7fVu7fRJEyxG64ePONIm0zu4agOWd+AqBbfz6PS+RimgqGbIBNjBjJxGNi
            ySG0z4s5NUsOxMgWc54HEOyTu6ULCaslrWVQqAZIYRDBoYt98LfkhDSMmT7+YN04
            aWezsyuqis2V
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso" ResponseLocation="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

The above is the Idp metadata. Next, in the wso2is server I created an issuer, like this:

Issuer : http://localhost:9000/callback?client_name=Saml2Client
Assertion Consumer URL *: http://localhost:9000/callback?client_name=Saml2Client
NameID format : urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Enable Attribute Profile: true

Other attributes stay with default options.

But when I try to authenticate the project (play-pac4j-scala-demo) throws this Exception:

[debug] - org.pac4j.play.CallbackController - defaultUrl : /?2
        at scala.concurrent.impl.CallbackRunnable.executeWithValue(Promise.scala:40) [scala-library-2.11.6.jar:na]
        at scala.concurrent.impl.Promise$DefaultPromise.tryComplete(Promise.scala:248) [scala-library-2.11.6.jar:na]
        at scala.concurrent.Promise$class.complete(Promise.scala:55) [scala-library-2.11.6.jar:na]
        at scala.concurrent.impl.Promise$DefaultPromise.complete(Promise.scala:153) [scala-library-2.11.6.jar:na]
        at scala.concurrent.Future$$anonfun$recover$1.apply(Future.scala:324) [scala-library-2.11.6.jar:na]
        at scala.concurrent.Future$$anonfun$recover$1.apply(Future.scala:324) [scala-library-2.11.6.jar:na]
        at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:32) [scala-library-2.11.6.jar:na]
        at play.core.j.HttpExecutionContext$$anon$2.run(HttpExecutionContext.scala:40) [play_2.11-2.4.0.jar:2.4.0]
        at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40) [akka-actor_2.11-2.3.11.jar:na]
        at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(AbstractDispatcher.scala:397) [akka-actor_2.11-2.3.11.jar:na]
        at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260) [scala-library-2.11.6.jar:na]
        at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339) [scala-library-2.11.6.jar:na]
        at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979) [scala-library-2.11.6.jar:na]
        at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107) [scala-library-2.11.6.jar:na]
Caused by: org.pac4j.saml.exceptions.SamlException: IDP Metadata cannot be null
        at org.pac4j.saml.sso.Saml2WebSSOProfileHandler.receiveMessage(Saml2WebSSOProfileHandler.java:127) ~[pac4j-saml-1.7.0.jar:na]
        at org.pac4j.saml.client.Saml2Client.retrieveCredentials(Saml2Client.java:322) ~[pac4j-saml-1.7.0.jar:na]
        at org.pac4j.saml.client.Saml2Client.retrieveCredentials(Saml2Client.java:95) ~[pac4j-saml-1.7.0.jar:na]
        at org.pac4j.core.client.BaseClient.getCredentials(BaseClient.java:220) ~[pac4j-core-1.7.0.jar:na]
        at org.pac4j.play.java.RequiresAuthenticationAction$6.apply(RequiresAuthenticationAction.java:202) ~[play-pac4j-java-1.5.0-SNAPSHOT.jar:na]
        at org.pac4j.play.java.RequiresAuthenticationAction$6.apply(RequiresAuthenticationAction.java:194) ~[play-pac4j-java-1.5.0-SNAPSHOT.jar:na]
        at play.core.j.FPromiseHelper$$anonfun$promise$2.apply(FPromiseHelper.scala:36) ~[play_2.11-2.4.0.jar:2.4.0]
        at scala.concurrent.impl.Future$PromiseCompletingRunnable.liftedTree1$1(Future.scala:24) ~[scala-library-2.11.6.jar:na]
        at scala.concurrent.impl.Future$PromiseCompletingRunnable.run(Future.scala:24) ~[scala-library-2.11.6.jar:na]
        ... 7 common frames omitted

What is wrong here? Can anyone help? Thanks!

2
scalaplayframeworkwso2saml-2.0wso2is

2 Answers

0
votes

I'm the creator of play-pac4j, but unfortunately no SAML specialist. I guess the SAML response from your IdP does not contain the necessary data as it's an explicit check: https://github.com/pac4j/pac4j/blob/pac4j-1.7.0/pac4j-saml/src/main/java/org/pac4j/saml/sso/Saml2WebSSOProfileHandler.java#L127 In pac4j (and pac4j-saml v1.7.1), the SAML support has evolved: maybe you should give it a try...

0
votes

This indicates that the method decoder.decode was not able to determine the IDP to use from the SAML Authentication response. If you encounter an error at this point, I assume you successfully redirect to your IDP, enter your credentials and redirect back to your application which is rather a good starting point. Please use a debugging tool (for example SAML Tracer for Firefox) to read the SAML assertion and check if the IDP entity ID is consistent with your set-up.