cXML

cXML

Jim McDonald
Hi,

I was unable to find any information about OpenAM support for Ariba cXML which their customers sometimes use for federating as an IDP.

Here is info about the cXML spec:
http://xml.cxml.org/current/cXMLUsersGuide.pdf

Does OpenAM support this? What are our options?

Thanks, Jim

_______________________________________________
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: cXML

Brad Tumy
Jim,

Not really sure what you mean by "does OpenAM support this".  Are you looking to provide federated authentication to/from another service?  Does the other service support SAML or OpenID?  Is the Ariba service a web service or deployed on a web or application server?  

Can you provide some additional detail for the use case that you are trying to support?

Thanks,
Brad

Brad Tumy  |   [hidden email]   |   240.215.4825  |   www.tumy-tech.com  |   linkedin.com/in/bradtumy



On Wed, Apr 23, 2014 at 12:18 PM, Jim McDonald <[hidden email]> wrote:
Hi,

I was unable to find any information about OpenAM support for Ariba cXML which their customers sometimes use for federating as an IDP.

Here is info about the cXML spec:
http://xml.cxml.org/current/cXMLUsersGuide.pdf

Does OpenAM support this? What are our options?

Thanks, Jim

_______________________________________________
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam



_______________________________________________
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: cXML

Jim McDonald
Hi Brad - thank you. Upon further investigation, this was a custom federation that my customer worked out with one of their customers back in 2007. At that time SAML was not an available option, at least for those using Ariba as an IdP.

For now, we will investigate replacing this using SAML as it appears Ariba has been SAML 2.0 compliant for some time.

Thanks, Jim



On Wed, Apr 23, 2014 at 2:35 PM, <[hidden email]> wrote:
Send OpenAM mailing list submissions to
        [hidden email]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.forgerock.org/mailman/listinfo/openam
or, via email, send a message with subject or body 'help' to
        [hidden email]

You can reach the person managing the list at
        [hidden email]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of OpenAM digest..."


Today's Topics:

   1. Re: cXML (Brad Tumy)
   2. Re: 2 factor authentication help (Brad Tumy)
   3. OTP in openAM (Raghu Raja)
   4. Re: SAML Assertion generation using openSAML (Paul Figura)


----------------------------------------------------------------------

Message: 1
Date: Wed, 23 Apr 2014 14:18:36 -0400
From: Brad Tumy <[hidden email]>
To: Users <[hidden email]>
Subject: Re: [OpenAM] cXML
Message-ID:
        <CABO5VpQRoQucqG-mp=V6WKXp=[hidden email]>
Content-Type: text/plain; charset="utf-8"

Jim,

Not really sure what you mean by "does OpenAM support this".  Are you
looking to provide federated authentication to/from another service?  Does
the other service support SAML or OpenID?  Is the Ariba service a web
service or deployed on a web or application server?

Can you provide some additional detail for the use case that you are trying
to support?

Thanks,
Brad

Brad Tumy  |   [hidden email]   |   240.215.4825  |
www.tumy-tech.com |
linkedin.com/in/bradtumy



On Wed, Apr 23, 2014 at 12:18 PM, Jim McDonald <[hidden email]> wrote:

> Hi,
>
> I was unable to find any information about OpenAM support for Ariba cXML
> which their customers sometimes use for federating as an IDP.
>
> Here is info about the cXML spec:
> http://xml.cxml.org/current/cXMLUsersGuide.pdf
>
> Does OpenAM support this? What are our options?
>
> Thanks, Jim
>
> _______________________________________________
> OpenAM mailing list
> [hidden email]
> https://lists.forgerock.org/mailman/listinfo/openam
>
>

------------------------------

Message: 2
Date: Wed, 23 Apr 2014 14:19:20 -0400
From: Brad Tumy <[hidden email]>
To: Users <[hidden email]>
Subject: Re: [OpenAM] 2 factor authentication help
Message-ID:
        <CABO5VpR3uc=[hidden email]>
Content-Type: text/plain; charset="utf-8"

Sai,

What do the error logs say?

Brad

Brad Tumy  |   [hidden email]   |   240.215.4825  |
www.tumy-tech.com |
linkedin.com/in/bradtumy



On Wed, Apr 23, 2014 at 12:15 PM, sai kumar <[hidden email]> wrote:

> Hi All,
>
> I am trying for 2 factor authentication. 1st level is LDAP and 2nd level
> is HOTP.
>
> 1st level is re-directing to the 2nd level (i.e.) the OTP page... When I am
> requesting an OTP I am getting a message saying "An error occurred while
> sending the OTP. Please contact the system administrator".
>
> What may be the problem ?
>
> Thanks for your help in advance.
> Thanks
> Sai
>
> _______________________________________________
> OpenAM mailing list
> [hidden email]
> https://lists.forgerock.org/mailman/listinfo/openam
>
>

------------------------------

Message: 3
Date: Wed, 23 Apr 2014 18:23:15 +0000
From: Raghu Raja <[hidden email]>
To: Users <[hidden email]>
Subject: [OpenAM] OTP in openAM
Message-ID: <[hidden email]>
Content-Type: text/plain; charset="us-ascii"

Hi,


How do I lock the UserID in OpenAM after a user has entered wrong OTPs more than three times?

Could anyone help with this?



Regards,

Raghu



------------------------------

Message: 4
Date: Wed, 23 Apr 2014 14:35:20 -0400
From: Paul Figura <[hidden email]>
To: Sarris Overbosch <[hidden email]>
Cc: Users <[hidden email]>
Subject: Re: [OpenAM] SAML Assertion generation using openSAML
Message-ID: <[hidden email]>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Hi again Sarris,

So that rules out any "easy" fixes :)

Well, next step is that I'd make sure that OpenSAML library is indeed
signing the correct portions of your assertion with the correct
algorithm (rsa-sha1). Just because it appears correctly in your header,
doesn't mean that's what the code is doing!

I'm quite confident that OpenAM will accept a properly formatted signed
assertion, as I've used it with multiple vendors with no issues.

I guess another thing you can try is to disable signature verification
in OpenAM and see if the assertion gets through, or if it's failing for
other reasons! And like I mentioned in my first post (just to be
pedantic), if the metadata you imported into openAM is incorrect, it
won't validate the signature!

Regards,
*Paul Figura*
Identity & Access Management Architect
*Tel:* 514-432-6233
        *Email: *[hidden email]
<mailto:[hidden email]>    *http://www.indigoconsulting.ca*



On 4/23/2014 1:49 PM, Sarris Overbosch wrote:
> Hi Paul,
>
> Thanks for spending time and trying to help:
>
> This is from the non working SAML assertion:
>             <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>             <ds:Reference URI="#2028b5c0-ea96-430a-9957-5917ae7b1319">
>                <ds:Transforms>
>                   <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                   <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                </ds:Transforms>
>                <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>  <ds:DigestValue>4zrp0sW0/agvH7ZtmCj0F1eKhus=</ds:DigestValue>
>             </ds:Reference>
>          </ds:SignedInfo>
> This is from the working SAML assertion:
>             <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>                 <ds:Reference
> URI="#s2f1bcfa3c382896359ab489b3b6146d4f331ba3cd">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> <ds:DigestValue>pwLe95HROx190SGqXRm1jvRGGqY=</ds:DigestValue>
>                 </ds:Reference>
>             </ds:SignedInfo>
> Further the certificates are signed using the same keystore as used by
> the IDP, and comparing the presented certificate in the <ds:keyInfo>
> of the SAML assertions is positive, they are both the same...
>
> Br,
>
> Sarris
>
>
> 2014-04-23 17:49 GMT+02:00 Paul Figura <[hidden email]
> <mailto:[hidden email]>>:
>
>     Hi Sarris,
>
>     What is the signing method you are using to sign the assertion? Do
>     the "<SignedInfo>" elements match between the OpenAM IDP and your
>     custom implementation?
>
>     Just to be sure, did you try using the same key from both the
>     OpenAM IDP and your custom IDP? Is it possible that you are
>     signing the assertion with a different key than the one which was
>     imported with the Metadata?
>
>     Regards,
>     *Paul Figura*
>     Identity & Access Management Architect
>     *Tel:* 514-432-6233
>       *Email: *[hidden email]
>     <mailto:[hidden email]>
>     *http://www.indigoconsulting.ca*
>
>
>
>     On 4/23/2014 9:28 AM, Sarris Overbosch wrote:
>>     Hi,
>>
>>     For some test case we are implementing a class which creates a
>>     signed SAML Assertion, we use openSAML library to achieve this
>>     task. So far everything seems to be well, the assertion is
>>     created and signed. But when we send it to OpenAM (which is the
>>     SP) then OpenAM complains about an invalid signature. We've also
>>     configured a second OpenAM instance to be the IDP and when we do
>>     an IDP initiated SSO and catch the resulting SAML Assertion
>>     generated by the IDP it looks the same (apart from namespace
>>     naming, time stamps and ids) and the flow works fine. Is there
>>     someone who has experienced this problem and knows a solution to
>>     it as I can't find it?
>>
>>     FMSigProvider.verify: Signature verification failed.
>>
>>     libSAML2:04/23/2014 01:17:56:960 PM UTC:
>>     Thread[catalina-exec-34,5,main]
>>
>>     ERROR: SAML2Utils.verifyResponse:Assertion is not signed or
>>     signature is not valid.
>>
>>     libSAML2:04/23/2014 01:17:56:961 PM UTC:
>>     Thread[catalina-exec-34,5,main]
>>
>>     SAML2Utils.getSPAdapterClass: get SPAdapter for hostEntity under
>>     realm /Realm
>>
>>     libSAML2:04/23/2014 01:17:56:961 PM UTC:
>>     Thread[catalina-exec-34,5,main]
>>
>>     getAttributeValueFromSSOConfig : realm - /Realm
>>
>>     libSAML2:04/23/2014 01:17:56:961 PM UTC:
>>     Thread[catalina-exec-34,5,main]
>>
>>     getAttributeValueFromSSOConfig : hostEntityId - hostEntity
>>
>>     libSAML2:04/23/2014 01:17:56:961 PM UTC:
>>     Thread[catalina-exec-34,5,main]
>>
>>     getAttributeValueFromSSOConfig : entityRole - SPRole
>>
>>     libSAML2:04/23/2014 01:17:56:961 PM UTC:
>>     Thread[catalina-exec-34,5,main]
>>
>>     getAttributeValueFromSSOConfig : attrName - spAdapter
>>
>>     libSAML2:04/23/2014 01:17:56:961 PM UTC:
>>     Thread[catalina-exec-34,5,main]
>>
>>     getAllAttributeValueFromSSOConfig : realm - /Realm
>>
>>     libSAML2:04/23/2014 01:17:56:961 PM UTC:
>>     Thread[catalina-exec-34,5,main]
>>
>>     getAllAttributeValueFromSSOConfig : hostEntityId - hostEntity
>>
>>     libSAML2:04/23/2014 01:17:56:961 PM UTC:
>>     Thread[catalina-exec-34,5,main]
>>
>>     getAllAttributeValueFromSSOConfig : entityRole - SPRole
>>
>>     libSAML2:04/23/2014 01:17:56:961 PM UTC:
>>     Thread[catalina-exec-34,5,main]
>>
>>     getAllAttributeValueFromSSOConfig : attrName - spAdapter
>>
>>     libSAML2:04/23/2014 01:17:56:961 PM UTC:
>>     Thread[catalina-exec-34,5,main]
>>
>>     SAML2MetaCache.getEntityConfig: cacheKey = /Realm//hostEntity,
>>     found = true
>>
>>     libSAML2:04/23/2014 01:17:56:961 PM UTC:
>>     Thread[catalina-exec-34,5,main]
>>
>>     SAML2MetaManager.getEntityConfig: got entity config from
>>     SAML2MetaCache: hostEntity
>>
>>     libSAML2:04/23/2014 01:17:56:961 PM UTC:
>>     Thread[catalina-exec-34,5,main]
>>
>>     getAttributeValueFromSSOConfig:
>>     values=com.sun.xml.bind.util.ListImpl@1f
>>
>>     libSAML2:04/23/2014 01:17:56:961 PM UTC:
>>     Thread[catalina-exec-34,5,main]
>>
>>     SAML2Utils.getSPAdapterClass: get SPAdapter class
>>
>>     libSAML2:04/23/2014 01:17:56:961 PM UTC:
>>     Thread[catalina-exec-34,5,main]
>>
>>     ERROR: spAssertionConsumer.jsp: SSO failed.
>>
>>     com.sun.identity.saml2.common.SAML2Exception: The signature on
>>     Assertion is not valid.
>>
>>             at
>>     com.sun.identity.saml2.common.SAML2Utils.verifyResponse(SAML2Utils.java:594)
>>
>>
>>
>>     _______________________________________________
>>     OpenAM mailing list
>>     [hidden email]  <mailto:[hidden email]>
>>     https://lists.forgerock.org/mailman/listinfo/openam
>
>


------------------------------

_______________________________________________
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam


End of OpenAM Digest, Vol 42, Issue 89
**************************************



--
Jim McDonald
cell: 704-431-5835

_______________________________________________
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
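The SignedInfo comparison that Paul Figura and Sarris Overbosch work through in the digest quoted above (do CanonicalizationMethod, SignatureMethod, the Reference URI, the Transforms and DigestMethod match between the working and the non-working assertion?) is the kind of check worth automating when an SP reports "signature is not valid". The script below is an added example, not code from the thread, from OpenAM or from OpenSAML; the function and variable names are my own. It takes the two SignedInfo excerpts quoted in the thread, each wrapped in a ds:SignedInfo element carrying the xmlns:ds declaration the excerpts omit, reports which fields differ, and audits each block against the algorithm set a SAML 2.0 enveloped assertion signature is expected to use, including whether the Reference URI actually points at the Assertion's ID.

```python
"""Compare and audit <ds:SignedInfo> blocks from SAML 2.0 assertions.

Added example for triaging an SP's "signature is not valid" error; not
code from the thread, OpenAM or OpenSAML. Function names are my own.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"          # used in the 2014 thread
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # preferred today
DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

ACCEPTED_SIGNATURE = {RSA_SHA1, RSA_SHA256}
ACCEPTED_DIGEST = {DIGEST_SHA1, DIGEST_SHA256}

# Constructed sample input: the two excerpts quoted in the thread, each wrapped
# in a <ds:SignedInfo> element that carries the xmlns:ds declaration the
# excerpts omit.
NON_WORKING = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#2028b5c0-ea96-430a-9957-5917ae7b1319">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>4zrp0sW0/agvH7ZtmCj0F1eKhus=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>"""

WORKING = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
  <ds:Reference URI="#s2f1bcfa3c382896359ab489b3b6146d4f331ba3cd">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <ds:DigestValue>pwLe95HROx190SGqXRm1jvRGGqY=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>"""


def parse_signed_info(xml_text):
    """Extract the fields that determine what was signed and how."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}SignedInfo" % DS:
        raise ValueError("root element is not ds:SignedInfo")
    ref = root.find("ds:Reference", NS)
    if ref is None:
        raise ValueError("ds:SignedInfo has no ds:Reference")
    return {
        "c14n": root.find("ds:CanonicalizationMethod", NS).get("Algorithm"),
        "signature_method": root.find("ds:SignatureMethod", NS).get("Algorithm"),
        "reference_uri": ref.get("URI"),
        "transforms": [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)],
        "digest_method": ref.find("ds:DigestMethod", NS).get("Algorithm"),
        "digest_value": ref.find("ds:DigestValue", NS).text.strip(),
    }


def diff_signed_info(a, b):
    """Return {field: (a_value, b_value)} for every field that differs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def audit_signed_info(info, assertion_id=None):
    """Findings that make an SP reject the signature before it even looks at
    the key: wrong algorithms, wrong transform order, or a Reference that does
    not point at the Assertion being sent."""
    findings = []
    if info["c14n"] != EXC_C14N:
        findings.append("CanonicalizationMethod is not exclusive C14N: %s" % info["c14n"])
    if info["signature_method"] not in ACCEPTED_SIGNATURE:
        findings.append("unexpected SignatureMethod: %s" % info["signature_method"])
    if info["transforms"] != [ENVELOPED, EXC_C14N]:
        findings.append("Transforms should be [enveloped-signature, exc-c14n], got %r" % info["transforms"])
    if info["digest_method"] not in ACCEPTED_DIGEST:
        findings.append("unexpected DigestMethod: %s" % info["digest_method"])
    if assertion_id is not None and info["reference_uri"] != "#" + assertion_id:
        findings.append("Reference URI %r does not point at Assertion ID %r"
                        % (info["reference_uri"], assertion_id))
    return findings


if __name__ == "__main__":
    bad, good = parse_signed_info(NON_WORKING), parse_signed_info(WORKING)
    for field, (x, y) in diff_signed_info(bad, good).items():
        print("differs: %-16s non-working=%s working=%s" % (field, x, y))
    for label, info, aid in (("non-working", bad, "2028b5c0-ea96-430a-9957-5917ae7b1319"),
                             ("working", good, "s2f1bcfa3c382896359ab489b3b6146d4f331ba3cd")):
        print("%s: %s" % (label, audit_signed_info(info, aid) or "no structural findings"))
```

Run against the two excerpts, the only differences are the Reference URI and the DigestValue, which is exactly what the thread observed: a SignedInfo that looks right is not evidence that the signature is valid. Whether the DigestValue matches the canonicalized Assertion and whether the SignatureValue was produced by the key in the metadata the SP imported can only be established with a real XML-DSig implementation (OpenSAML, xmlsec) and the SP's configured metadata, which is the next step Paul suggests. The script accepts rsa-sha1 because that is what the thread used; new deployments should sign with rsa-sha256.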