[IdP] SLO returns error

Forge Component
(14)
Published on 14 Jun by Telmo Martins

Hi Ricardo,


SSO is working as expected, thank you.


Have some troubles with SLO. Using oneLogin.

MessageID: (unknown)
In Response To MessageID:
Username:
Session Index: _3fe7dee0-48a4-0135-62cf-0ae89e500b46
Created On: 21:26 (58 minutes ago)
IPAddress: 192.81.164.30
Related URL:
SPIssuer: http://kai-osmon.outsystemscloud.com/IdP/SSO.aspx
Mobile: False
Valid: False
Not Valid Error: Message ID already registered. Array may not be empty or null.
Parameter name: rawData
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at OutSystems.NssSAML_Utils.CssSAML_Utils.MssSAML_CreateLogoutRequest(String ssIssuer, String ssNameID, String ssSessionIndex, String ssSLOEndpoint, Byte[] sssignKeyStore, String ssKeyStorePassword, String& ssXmlSaml, Boolean& ssSuccess, String& ssError, String& ssMessageId)
Incoming Msg: False
Saml Message Type: LogoutRequest


Identity Provider Single Logout URL: is set to be oneLogin SLO Endpoint (HTTP)


CommonFlow -> LoginInfo -> Logout

IdP_SLO_URLS

URL -> "/IdP/SLO.aspx"


I am assuming the error happens because the configuration is missing some values? Or is idp_slo_url set to /slo.asp not correct?


Thank you very much for looking into it.

Hi,

The error itself is due to missing configuration to support SLO functionality; in this case, you need to configure the IdP connector keystore. The respective public key/certificate must be configured on the IdP server, along with the SP issuer and URLs that you also mention.

Regards.

Thank you for the answer.


1. Where do I get "IdPConnector (SP) Keystore" with OneLogin?

For SAML they provide only certificate, x.509 or RSA PEM.

When I use it I'm getting errors:


Cannot find the requested object.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertBlobType(Byte[] rawData)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at OutSystems.NssSAML_Utils.CssSAML_Utils.MssSAML_CreateLogoutRequest(String ssIssuer, String ssNameID, String ssSessionIndex, String ssSLOEndpoint, Byte[] sssignKeyStore, String ssKeyStorePassword, String& ssXmlSaml, Boolean& ssSuccess, String& ssError, String& ssMessageId)

and


No Private Key present in Signing Certificate or missing private key read credentials.
   at ITfoxtec.Identity.Saml2.Saml2Binding`1.BindInternal(Saml2Request saml2RequestResponse)
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.BindInternal(Saml2Request saml2RequestResponse, String messageName)
   at OutSystems.NssSAML_Utils.CssSAML_Utils.MssSAML_CreateLogoutRequest(String ssIssuer, String ssNameID, String ssSessionIndex, String ssSLOEndpoint, Byte[] sssignKeyStore, String ssKeyStorePassword, String& ssXmlSaml, Boolean& ssSuccess, String& ssError, String& ssMessageId)



2. In the IdP Configuration, for "SP Issuer (SP Entity ID)" I use http://<website>/IdP/SSO.aspx, right?


Thank you very much

As far as I understand, I have to generate the "IdPConnector (SP) Keystore" myself using openssl?



Hi,
Yes, you have to generate the keystore (w/ openssl or similar) with a self-signed certificate (assuming that you don't have any requirement for it to be a CA certificate).

From that keystore then you extract the public certificate (w/ openssl commands) and upload it on your IdP server (usually they provide an admin page to do that configuration for SLO).


The "SP Entity ID" can be any string, but usually it's set to the SP URL.


Regards.

Hi Telmo,

I did create key and certificate using openssl command line:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem


However when I set IdPConnector (SP) Keystore to key.pem I am getting this error:


Cannot find the requested object.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertBlobType(Byte[] rawData)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at OutSystems.NssSAML_Utils.CssSAML_Utils.MssSAML_CreateLogoutRequest(String ssIssuer, String ssNameID, String ssSessionIndex, String ssSLOEndpoint, Byte[] sssignKeyStore, String ssKeyStorePassword, String& ssXmlSaml, Boolean& ssSuccess, String& ssError, String& ssMessageId)


On oneLogin.com, SAML, the only setting for SLO is SLO Endpoint: https://rme.onelogin.com/trust/saml2/http-redirect/slo/679818

I did also try to generate onelogin_publickey.pem with oneLogin.com, but I am still getting the error:



Cannot find the requested object.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertBlobType(Byte[] rawData)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at OutSystems.NssSAML_Utils.CssSAML_Utils.MssSAML_CreateLogoutRequest(String ssIssuer, String ssNameID, String ssSessionIndex, String ssSLOEndpoint, Byte[] sssignKeyStore, String ssKeyStorePassword, String& ssXmlSaml, Boolean& ssSuccess, String& ssError, String& ssMessageId)

Maybe it will be helpful; in the IdP connector logs I see this message:

MessageID: pfx5e4f1099-75a1-0a4d-3be8-09a994959732
In Response To MessageID: id552baab9d05d4edf8b0734470eebfd72
Username: ???
Session Index: _e7e43780-4a07-0135-d487-02f7cf3f51ee
Created On: 14:56 (just now)
IPAddress: 192.81.164.30
Related URL: https://???.outsystemscloud.com/idp/Configuration.aspx?(Not.Licensed.For.Production)=
SPIssuer: http:/???.outsystemscloud.com/IdP/SSO.aspx
Mobile: False
Valid: True
Not Valid Error:
Incoming Msg: True
Saml Message Type: LoginResponse


<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R5f5f3327a30ac6803b3fd32cf70d4d6aa311a1be" Version="2.0" IssueInstant="2017-07-13T14:56:50Z" Destination="{recipient}" InResponseTo="id552baab9d05d4edf8b0734470eebfd72"><saml:Issuer>https://app.onelogin.com/saml/metadata/679818</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx5e4f1099-75a1-0a4d-3be8-09a994959732" IssueInstant="2017-07-13T14:56:50Z"><saml:Issuer>https://app.onelogin.com/saml/metadata/679818</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#pfx5e4f1099-75a1-0a4d-3be8-09a994959732"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>6OoqUgTFmrwvyLjAwfYHchxEleE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>PLNWCxh0jpR5h7a5IdTCZgeN+XTwxH2tyCI9bJ3lLScbkGZTMortK5U2TEEK+Q1hAghsPYStdLgvngm2lav8V/ubwRBZwGehhadAuZq1b8HI0AOH2yYD8z28uwugVSZoI9hCMx3ZN1SJGeaCzuHIGYyFKiofzJL9Q3bWf74ZrwBu++ToS12bRcUSCKsOq/pZZ8E/1gyU4xZz+DD/vpi2LcmG1l2JN0gxmYWDTsQnftvy7MWswM7QVNP6p0yYiIBPhhd0NVHrDHsFq0e9W4qF+CClPc5d3TWFrZr5biDNqruaGooe5zV8ISwqIb12FvZPMF+71IZHCirELbrLo+EkWA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIECzCCAvOgAwIBAgIUZsorK2yJpvTsYssG29qsrm1ni4kwDQYJKoZIhvcNAQEFBQAwVDELMAkGA1UEBhMCVVMxDDAKBgNVBAoMA1JNRTEVMBMGA1UECwwMT25lTG9naW4gSWRQMSAwHgYDVQQDDBdPbmVMb2dpbiBBY2NvdW50IDExMDMxODAeFw0xNzA3MTAxOTU0NTBaFw0yMjA3MTExOTU0NTBaMFQxCzAJBgNVBAYTAlVTMQwwCgYDVQQKDANSTUUxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEgMB4GA1UEAwwXT25lTG9naW4gQWNjb3VudCAxMTAzMTgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDi06J9lHUAbm0skKvFNOYGJ0J5T4dutkZINsUZVACHmK4j84B1uupqg7AyIQTGgxKfuqpslClLHHkkFku+1J/05xygvLadfvOmCZO2JDCHU13WgbIEkEaio62YZNc4OCAY5lp9GB5SIsrO8Yl+CQpbxU3ZiS3sCvWbpIVju1mef43Ykzbg5aDjLJj61QhqRzjLVKxsFhXBQgIjaQKvMVeksvAYHwU5g9qFXth6JUjvFYPIZbLOUohJFdD5iCslc7tzSiLtbIjVV9I9rVn2qXeonBmjpxKU3+w9Ulo/JtozYltbcnvcPh2bUmP0BQWnS1WBO7lkCpwDOCMKn5ajn9jLAgMBAAGjgdQwgdEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUugf+TdO9U7j+IFdxTwDRic1dIoIwgZEGA1UdIwSBiTCBhoAUugf+TdO9U7j+IFdxTwDRic1dIoKhWKRWMFQxCzAJBgNVBAYTAlVTMQwwCgYDVQQKDANSTUUxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEgMB4GA1UEAwwXT25lTG9naW4gQWNjb3VudCAxMTAzMTiCFGbKKytsiab07GLLBtvarK5tZ4uJMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAyNJLZO7IYQR6p0T/h9ADUPE9AvOFZ5K1Tg1cgu+s88EZTOX5UX33RiVJwxbRfuwrQ//0zsmWJCHkcTHgZ6THJuUaPiecsC2BnPk7CC6HKL2+mkgV4WC+MRTjpAXPNC6MtF0ukapln1ocpV4bWBbSCzUgG/J1Q9LE8l1y2+hQtm0xD6BkXFrJMdAeb+FkiKqx+mNnAIkwDkGT42fCzEFlr7NeP+8U5X49zR1ynqOwc2oV5B6m+zqBvbYpnzW2RDBMITbJW+hP2O7oV1LLpfguxG3G9jcA+EDAu0gv0BKu2mkNaYS/Lx8ocST/BhIye7fFnnMKqqwvVTbHXN6esoQx/w==</ds:X509Certificate></ds:X509Data></ds:
KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">semelianov@rockymtn.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2017-07-13T14:59:50Z" Recipient="{recipient}" InResponseTo="id552baab9d05d4edf8b0734470eebfd72"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2017-07-13T14:53:50Z" NotOnOrAfter="2017-07-13T14:59:50Z"><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2017-07-13T14:56:49Z" SessionNotOnOrAfter="2017-07-14T14:56:50Z" SessionIndex="_e7e43780-4a07-0135-d487-02f7cf3f51ee"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>


Hi,

The SAML message above is regarding the login response, which is working fine.


The "IdPConnector (SP) Keystore" cannot be in PEM file format, as you can check in the IdP connector configuration page: "The keystore that contains the private key and the public certificate that IdP connector use to sign SAML messages sent to IdPServer (also to decrypt assertions if configured to do so). PFX/PKCS12 format is supported in both stacks (and JKS only for Java Stack). It should have only one RSA key."


Therefore you must convert your PEM file to PFX/P12 format. If your current PEM file does not contain both the private key and the certificate, you should create a new PFX/P12 keystore from scratch with openssl.


Regards,
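As an added example (not code from this thread's authors or from the OutSystems IdP component), the openssl steps the two replies above describe, carried through end to end: generate a private key and self-signed certificate, bundle them into one PKCS#12 keystore holding exactly one RSA key (what the connector's "IdPConnector (SP) Keystore" field expects instead of a bare key.pem or certificate.pem), extract the public certificate to upload to the IdP, and check the result before uploading. The file names, the certificate subject and the keystore password are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the OutSystems IdP component or the thread's authors.
# Builds a PKCS#12 (PFX/P12) SP keystore and the matching public certificate.
set -eu

SP_SUBJECT="/CN=sp.example.invalid"   # assumed subject; use your SP hostname
KEYSTORE_PASSWORD="changeit-demo"     # assumed; enter the same value as the connector's keystore password

# Steps 1-3 of the procedure, written into the directory given as $1.
make_sp_keystore() {
    dir="$1"
    # 1. Private key + self-signed certificate in PEM (the thread's openssl req command,
    #    plus -subj so it runs non-interactively).
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -x509 -days 365 -subj "$SP_SUBJECT" -out "$dir/certificate.pem" 2>/dev/null
    # 2. Bundle key and certificate into ONE PKCS#12 keystore. A PEM file on its own
    #    is what produced "Cannot find the requested object" in the thread.
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/certificate.pem" \
        -name "sp-signing" -passout "pass:$KEYSTORE_PASSWORD" -out "$dir/sp-keystore.p12"
    # 3. Public certificate only (no private key): this is the file to upload to the
    #    IdP's SLO / signature-verification configuration.
    openssl x509 -in "$dir/certificate.pem" -out "$dir/sp-public-cert.pem"
}

# Number of private keys inside the keystore; the connector requires exactly one RSA key.
# Prints the count and always succeeds so it can be used under set -e.
keystore_private_key_count() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$KEYSTORE_PASSWORD" 2>/dev/null \
        | grep -c 'BEGIN .*PRIVATE KEY' || true
}

# True when a PEM file carries private-key material (must NOT be true for the file
# handed to the IdP).
file_has_private_key() {
    grep -q 'PRIVATE KEY' "$1"
}

# Stand-alone usage: sh make_sp_keystore.sh run <output-dir>
if [ "${1:-}" = "run" ]; then
    out="${2:-.}"
    make_sp_keystore "$out"
    echo "private keys in $out/sp-keystore.p12: $(keystore_private_key_count "$out/sp-keystore.p12")"
    if file_has_private_key "$out/sp-public-cert.pem"; then
        echo "ERROR: public certificate file contains a private key; do not upload it" >&2
        exit 1
    fi
    echo "upload $out/sp-public-cert.pem to the IdP; load $out/sp-keystore.p12 into the connector"
fi
```

Two practical notes: keep key.pem and sp-keystore.p12 out of any repository or support ticket, since they hold the SP's signing key, and upload only sp-public-cert.pem to the IdP. With OpenSSL 3 the PKCS#12 export defaults to AES-256 with PBKDF2; if the importing platform rejects the file, re-export with the `-legacy` option of `openssl pkcs12` and retry.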