
Thread: HTTP Status 401 - Authentication Failed: Error validating SAML message

  1. #11
    Join Date
    Feb 2009
    Location
    Helsinki
    Posts
    163


    I don't see any problem in the metadata declaration in the code above. What I had in mind in the previous post is updating your SP metadata on the IDP side.

    V.

  2. #12


    I just named the entityID of the service metadata "mysample.com", and this SP metadata can be imported by the SSOCircle IDP. Furthermore, I can log in successfully on localhost. Thus, I think my entityID is right. But I don't understand why my project cannot do SSO when I deploy it to the real server (on the internet).
    Last edited by duybinh0208; Feb 28th, 2013 at 10:11 AM.

  3. #13
    Join Date
    Feb 2009
    Location
    Helsinki
    Posts
    163


    Do you use exactly the same URLs to access your application when deploying on localhost as when you deploy on the real server (e.g. http://www.myserver.com/app)? This is a prerequisite for your configuration to work. Otherwise you need to generate two separate metadata documents, one for your localhost config and another for your server config, use a different entityID for each of them, and import them both to the IDP.

    Vladi

  4. #14


    Hi Vladi,
    1) In localhost: http://localhost:8080/my_sample_v2/s...nIDParam= idp
    2) In real server: https://myserver.com/my_sample_v2/sa...nIDParam= idp
    3) In securityContext.xml I just configure the default SP metadata with entityID "mysample.com" like this:
    <bean id="metadataGeneratorFilter"
          class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                <property name="entityId" value="mysample.com" />
                <property name="signMetadata" value="false" />
            </bean>
        </constructor-arg>
    </bean>
    4) First, I go to www.ssocircle.com and remove localhost's metadata. Second, I run my project on the real server and it automatically generates the default SP metadata. After that I just copy this SP metadata and import it to SSOCircle.com. Is anything else wrong here?
    Last edited by duybinh0208; Feb 28th, 2013 at 07:48 PM.

  5. #15


    Hi Vladi, I just tested my project on another server (using http) and it works well, but with the old server (using https) the 401 error still occurs. I think the problem is the difference between http and https (SSL). What do you think about this problem?

  6. #16
    Join Date
    Feb 2009
    Location
    Helsinki
    Posts
    163


    Hi,

    I go to www.ssocircle.com and remove localhost's metadata
    That rules out my previous hypothesis of IDP having metadata pointing to the local SP.

    I'm really shooting in the dark here. In order to be able to help you further I'd need you to:

    - enable tracing as described in chapter 7.1 of the manual
    - enable tracing of certpath validation by adding the system property javax.net.debug=all (-Djavax.net.debug=all)
    - restart the server and try the SSO again
    - send me all the resulting logs
    - send me a listing of the contents of your keystore (keytool -list -keystore samlKeystore.jks)
    - send me the metadata you're importing to the IDP

    It might have something to do with the HTTP vs. HTTPS, but I don't have enough information to be able to tell. You can also send the data to vladimir.schafer@gmail.com

    Vladi

  7. #17


    I just sent the logs to you by email. Please help me identify this problem. Thank you very much.

  8. #18
    Join Date
    Feb 2009
    Location
    Helsinki
    Posts
    163


    Hi,

    The reason for your server to reject the SAML response is:

    Response issue time is either too old or with date in the future, skew 60, time 2013-03-02T03:20:56.000Z
    And as I said in my first reply:

    One typical issue causing this is a difference between time of your server and IDP. Enabling NTP makes this go away.
    Just synchronize the time on your server and you'll see the problem disappear. The skew time defines how big a difference there can be between issuing and processing of the SAML response. The default value of 60 seconds can be changed for this case by setting the property responseSkew on the WebSSOProfileConsumerImpl bean.

    Cheers, Vladi
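
    As an added illustration of the check behind the "Response issue time is either too old or with date in the future" message (example code written for this thread, not part of Spring Security SAML itself): it parses the IssueInstant of a constructed, unsigned samlp:Response (the same timestamp as in the log line above) and accepts it only when the SP's clock is within the configured skew of the IDP's clock. The symmetric +/- skew window, the 60-second default and the sample_now helper are assumptions of this example; the real consumer also validates the signature and the assertion conditions, which are out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: a minimal SAML 2.0 Response carrying only the attributes
# this check needs. A real response also contains a signed Assertion.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}"
    ID="_example-response-id" Version="2.0"
    IssueInstant="2013-03-02T03:20:56.000Z"
    Destination="https://myserver.com/my_sample_v2/saml/SSO">
</samlp:Response>"""

# Assumed default, mirroring the 60-second skew quoted in the thread.
DEFAULT_SKEW_SECONDS = 60


def parse_issue_instant(response_xml: str) -> datetime:
    """Return the IssueInstant of a samlp:Response as an aware UTC datetime."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response element")
    raw = root.attrib["IssueInstant"]
    # SAML timestamps are xsd:dateTime in UTC with a trailing 'Z';
    # datetime.fromisoformat only accepts 'Z' from Python 3.11 on.
    if raw.endswith("Z"):
        raw = raw[:-1] + "+00:00"
    issued = datetime.fromisoformat(raw)
    if issued.tzinfo is None:
        raise ValueError("IssueInstant must carry a timezone")
    return issued.astimezone(timezone.utc)


def check_issue_time(issue_instant: datetime, now: datetime,
                     skew_seconds: int = DEFAULT_SKEW_SECONDS) -> tuple[bool, str]:
    """Accept the response only if 'now' lies within +/- skew of its IssueInstant.

    Simplified model (an assumption of this example): a symmetric window around
    the IDP's issue time. 'delta' is the SP clock minus the IDP clock, i.e. the
    offset that NTP synchronisation removes.
    """
    delta = (now - issue_instant).total_seconds()
    if delta > skew_seconds:
        return False, f"too old: issued {delta:.0f}s ago, skew {skew_seconds}"
    if delta < -skew_seconds:
        return False, f"in the future: issued {-delta:.0f}s from now, skew {skew_seconds}"
    return True, f"within skew ({delta:+.0f}s)"


def validate_response(response_xml: str, now: datetime,
                      skew_seconds: int = DEFAULT_SKEW_SECONDS) -> tuple[bool, str]:
    """Parse the response and run the issue-time check against the SP's clock."""
    return check_issue_time(parse_issue_instant(response_xml), now, skew_seconds)


def sample_now(offset_seconds: int) -> datetime:
    """Helper (assumed for the demo): the SP's clock, offset from the sample IssueInstant."""
    return parse_issue_instant(SAMPLE_RESPONSE) + timedelta(seconds=offset_seconds)


if __name__ == "__main__":
    # A clock 90s ahead of the IDP fails with the default skew; widening the skew
    # (the responseSkew knob) hides the symptom, syncing the clock removes it.
    for offset, skew in ((30, 60), (90, 60), (-90, 60), (90, 120)):
        ok, why = validate_response(SAMPLE_RESPONSE, sample_now(offset), skew)
        print(f"offset {offset:+4d}s skew {skew:3d}s -> {'accept' if ok else 'reject'}: {why}")
```

    Raising responseSkew is a workaround that widens the replay window for every response the SP accepts; fixing the clock with NTP, as suggested above, keeps the default.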

  9. #19


    Thanks Vladi so much.

    Let me try to synchronize time and reply to you soon.

  10. #20


    Hi Vladi, your answer is correct. Thank you very much. I just synchronized the time and it works well.
