OpenAM SAML IDP and multiple SPs


OpenAM SAML IDP and multiple SPs

Robert Morschel
Hi,

We have OpenAM 12.0.0 running with a realm and a COT containing our local OpenAM IDP and a remote SAML SP.  If we swap the SP for a different SP, then all still works fine, however, when we add the second SP to a second circle of trust, but in the same realm alongside the first SP circle of trust, only one SP works, with the other failing with a mysterious 500 error.  The federation debug log doesn't shed any light.


libSAML2:01/27/2016 03:12:22:912 PM GMT: Thread[tomcat-thread-23,5,main]
SAML2MetaManager.getEntityDescriptor: got descriptor from SAML2MetaCache https://net-as.ig.com/openam
libSAML2:01/27/2016 03:12:22:912 PM GMT: Thread[tomcat-thread-23,5,main]
SAML2MetaCache.getEntityDescriptor: cacheKey = /internal//https://iggroup--ci.cs17.my.salesforce.com, found = true
libSAML2:01/27/2016 03:12:22:912 PM GMT: Thread[tomcat-thread-23,5,main]
SAML2MetaManager.getEntityDescriptor: got descriptor from SAML2MetaCache https://iggroup--ci.cs17.my.salesforce.com
libSAML2:01/27/2016 03:12:22:912 PM GMT: Thread[tomcat-thread-23,5,main]
SAML2MetaCache.getEntityDescriptor: cacheKey = /external//https://net-as.ig.com/openam, found = true
libSAML2:01/27/2016 03:12:22:912 PM GMT: Thread[tomcat-thread-23,5,main]
SAML2MetaManager.getEntityDescriptor: got descriptor from SAML2MetaCache https://net-as.ig.com/openam
libSAML2:01/27/2016 03:12:22:912 PM GMT: Thread[tomcat-thread-23,5,main]
SAML2MetaCache.getEntityDescriptor: cacheKey = /external//https://iggroupcommunity-stage.ig.com/auth/saml, found = true
libSAML2:01/27/2016 03:12:22:912 PM GMT: Thread[tomcat-thread-23,5,main]
SAML2MetaManager.getEntityDescriptor: got descriptor from SAML2MetaCache https://iggroupcommunity-stage.ig.com/auth/saml


What is the recommended configuration for multiple SPs against one IDP?

Regards,
Robert
The information contained in this email is strictly confidential and for the use of the addressee only, unless otherwise indicated. If you are not the intended recipient, please do not read, copy, use or disclose to others this message or any attachment. Please also notify the sender by replying to this email or by telephone (+44(020 7896 0011) and then delete the email and any copies of it. Opinions, conclusion (etc) that do not relate to the official business of this company shall be understood as neither given nor endorsed by it. IG is a trading name of IG Markets Limited (a company registered in England and Wales, company number 04008957) and IG Index Limited (a company registered in England and Wales, company number 01190902). Registered address at Cannon Bridge House, 25 Dowgate Hill, London EC4R 2YA. Both IG Markets Limited (register number 195355) and IG Index Limited (register number 114059) are authorised and regulated by the Financial Conduct Authority.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: OpenAM SAML IDP and multiple SPs

Paul Figura
Hi Robert,

Can you please make sure that the metaAliases of both SPs are different, and the identity names as well? If you copy/pasted the metadata into OpenAM and forgot to change an identifier, it would throw exceptions due to duplicate SPs found. Also make sure to check certs if you are doing encryption/signing.

Also, I hate to say this, but: did you stop and restart OpenAM after adding the SP? It shouldn't be necessary, but sometimes it helps with SAML-related issues.

Regards,
Paul Figura
Identity & Access Management Architect
Indigo Consulting Canada
Tel: 514-432-6233
Email: [hidden email]  http://www.indigoconsulting.ca
   
On 1/27/2016 10:42 AM, Robert Morschel wrote:

Re: OpenAM SAML IDP and multiple SPs

Robert Morschel

Hi Paul,

Thanks for the tips.

I imported the remote SP metadata separately, so no copy/pasting. The remote SP metaAliases are not defined. (The MetaAlias attribute is specific to providers using OpenAM; therefore, a null value for a remote provider configuration is possible.) The identity names are different. We're not signing requests at the moment.

I tried rebooting.

Still no joy. ☹

Regards,

Robert

From: Paul Figura [mailto:[hidden email]]
Sent: 27 January 2016 16:48
To: [hidden email]
Cc: Robert Morschel <[hidden email]>
Subject: Re: [OpenAM] OpenAM SAML IDP and multiple SPs

 


Re: OpenAM SAML IDP and multiple SPs

Robert Morschel

Adding the second remote SP to the *existing* circle of trust works, i.e.

COT {
    remoteSP1, remoteSP2, idp1
}

Whereas this does not work:

COT1 {
    remoteSP1, idp1
}

COT2 {
    remoteSP2, idp1
}

From: [hidden email] [mailto:[hidden email]] On Behalf Of Robert Morschel
Sent: 27 January 2016 17:00
To: 'Paul Figura' <[hidden email]>; [hidden email]
Subject: Re: [OpenAM] OpenAM SAML IDP and multiple SPs

 


Re: OpenAM SAML IDP and multiple SPs

Peter Major
https://bugster.forgerock.org/jira/browse/OPENAM-2203 ?

CoTs are mostly useless; define everything in a single CoT, it's simpler and it works.

On 2016-01-28 8:47, Robert Morschel wrote:

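A pre-import check that covers the points raised in this thread: Paul's checks (unique SP identifiers, and signing certificates present when an SP claims to sign), the two CoT layouts Robert listed, and Peter's advice to keep one CoT. This is an added example, not code from the thread or from OpenAM. It parses SAML 2.0 SP metadata with the Python standard library and lints a planned circle-of-trust layout. The SP descriptors, their entityIDs and endpoints are constructed; only the IdP entityID https://net-as.ig.com/openam and the realm name /internal are taken from the debug log above. It does not explain why OpenAM 12.0.0 returns a 500 in the split layout (see the issue Peter linked); it only flags that layout before the metadata is imported.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata for the example; entityIDs and endpoints are made up.
SP_GOOD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp1.example.com/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp1.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: claims to sign AuthnRequests but ships no signing KeyDescriptor,
# and its ACS is plain http, so assertions would be posted in clear.
SP_BAD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp2.example.com/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp2.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: a copy of SP_GOOD whose entityID was never changed, i.e. the
# copy/paste duplicate Paul warned about (only the ACS host differs).
SP_DUP = SP_GOOD.replace("sp1.example.com/saml/acs", "sp3.example.com/saml/acs")


def parse_sp(xml_text):
    """Pull out the fields an IdP admin checks before importing SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in %s" % root.get("entityID"))
    # A KeyDescriptor without a 'use' attribute is valid for both signing and
    # encryption, so count it as a signing key.
    signing = [k for k in sp.findall("md:KeyDescriptor", NS)
               if k.get("use") in (None, "signing")]
    return {
        "entity_id": root.get("entityID"),
        "acs": [a.get("Location")
                for a in sp.findall("md:AssertionConsumerService", NS)],
        "authn_requests_signed": sp.get("AuthnRequestsSigned") in ("true", "1"),
        "signing_certs": len(signing),
    }


def lint_sps(xml_texts):
    """Findings across a set of SP descriptors destined for one realm."""
    sps = [parse_sp(x) for x in xml_texts]
    findings = []
    for eid, n in Counter(s["entity_id"] for s in sps).items():
        if n > 1:
            findings.append("duplicate entityID %s (%d copies)" % (eid, n))
    for s in sps:
        if s["authn_requests_signed"] and s["signing_certs"] == 0:
            findings.append("%s: AuthnRequestsSigned but no signing KeyDescriptor"
                            % s["entity_id"])
        for loc in s["acs"]:
            if not loc.startswith("https://"):
                findings.append("%s: non-https ACS %s" % (s["entity_id"], loc))
    return findings


def lint_cots(realm, cots, idps):
    """Lint a planned CoT layout: every CoT needs an IdP and an SP, and no
    entity (in the thread, the IdP) should be registered in more than one
    CoT of the same realm, which is the layout reported failing above."""
    findings = []
    membership = {}
    for cot, members in cots.items():
        if not (members & idps):
            findings.append("%s/%s has no IdP" % (realm, cot))
        if not (members - idps):
            findings.append("%s/%s has no SP" % (realm, cot))
        for m in members:
            membership.setdefault(m, []).append(cot)
    for entity, in_cots in membership.items():
        if len(in_cots) > 1:
            findings.append("%s is in %d CoTs in %s: %s; use one CoT instead"
                            % (entity, len(in_cots), realm,
                               ", ".join(sorted(in_cots))))
    return findings


if __name__ == "__main__":
    for f in lint_sps([SP_GOOD, SP_BAD, SP_DUP]):
        print("metadata:", f)
    idp = "https://net-as.ig.com/openam"   # IdP entityID from the debug log
    split = {"cot1": {idp, "https://sp1.example.com/saml"},
             "cot2": {idp, "https://sp2.example.com/saml"}}
    single = {"cot": {idp, "https://sp1.example.com/saml",
                      "https://sp2.example.com/saml"}}
    for f in lint_cots("/internal", split, {idp}):
        print("cot:", f)
    print("single-CoT findings:", lint_cots("/internal", single, {idp}))
```

Run it over the real SP metadata files before `import-entity`; the split layout produces one finding (the IdP in two CoTs) and the single-CoT layout none, which matches what Robert observed.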

Re: OpenAM SAML IDP and multiple SPs

Robert Morschel
Thanks, Peter.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Peter Major
Sent: 28 January 2016 08:51
To: Users <[hidden email]>
Subject: Re: [OpenAM] OpenAM SAML IDP and multiple SPs
