Title: SSO SAML Failure
Post by: Paul M. on November 18, 2024, 11:35:27 pm

Not sure how, but I seem to have broken my SAML-SSO.
I can run the program without SAML just fine, but when I attach the DELEGATE to the .xcf, it goes away. I have GAS 3.20 and GAS 4.01 on the same WS2019 IIS10 box.

GAS 3.20 does not use SAML and has the /gas application pointing to the 3.20.09 isapi.dll. GAS 4.01.05 uses SAML and has a /gas4 application pointing to the 4.01.03 isapi.dll.

The .xcf looks like this:

<APPLICATION Parent="defaultgwc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/4.01/cfextwa.xsd">
  <EXECUTION>
    <ENVIRONMENT_VARIABLE Id="FGLSQLDEBUG">3</ENVIRONMENT_VARIABLE>
    <ENVIRONMENT_VARIABLE Id="FGLWSDEBUG">3</ENVIRONMENT_VARIABLE>
    <PATH>$(res.deployment.path)/.</PATH>
    <MODULE>helloWorld.42m</MODULE>
    <DELEGATE service="services/SAMLServiceProvider" />
  </EXECUTION>
</APPLICATION>

The SAML.log shows this:

Date: 11/18/2024 Time: 17:18:02 MSG : 3152 - [Logs] "INIT" with level='DEBUG' done
Date: 11/18/2024 Time: 17:18:02 MSGLOG : 3152 - [Server] "Main" Started
Date: 11/18/2024 Time: 17:18:02 DEBUG : 3152 - [CryptoManager] "LoadKeys" Signing
Date: 11/18/2024 Time: 17:18:02 DEBUG : 3152 - [CryptoManager] "LoadKeys" Encryption
Date: 11/18/2024 Time: 17:18:02 DEBUG : 3152 - [CryptoManager] "LoadKeys" Metadata
Date: 11/18/2024 Time: 17:18:02 MSGLOG : 3152 - [CryptoManager] "LoadKeys" Metadata: No certificate or key found
Date: 11/18/2024 Time: 17:18:02 ACCESS : 3152 - [Server] "Main" Started
Date: 11/18/2024 Time: 17:18:02 ACCESS : 3152 - [Request] "10.16.100.104" incoming request : /gas4/ws/r/services/SAMLServiceProvider/Delegate
Date: 11/18/2024 Time: 17:18:02 MSGLOG : 3152 - [SPManager] "HasAccess" https://apps01.myserver.org/gas4/ua/r/HelloWorld
Date: 11/18/2024 Time: 17:18:02 DEBUG : 3152 - [SPManager] "HasAccess" (null)
Date: 11/18/2024 Time: 17:18:02 DEBUG : 3152 - [Access] "ValidateAccessToken" (null)
Date: 11/18/2024 Time: 17:18:02 MSGLOG : 3152 - [SPManager] "StartAuthentication" https://apps01.myserver.org/gas4/ua/r/HelloWorld
Date: 11/18/2024 Time: 17:18:02 ERROR : 3152 - [Session] "CreateSession" unable to create session: crypto library function failed : openssl error: error:1E08010C:DECODER
Date: 11/18/2024 Time: 17:18:02 ERROR : 3152 - [SPManager] "StartAuthentication" Unable to create session
Date: 11/18/2024 Time: 17:18:02 ACCESS : 3152 - [Request] "10.16.100.104" response returned:
ACCESS : 3152 - [Request] "10.16.100.104" response returned:
Date: 11/18/2024 Time: 17:21:58 ERROR : 3152 - [Server] "Request" -15575
Date: 11/18/2024 Time: 17:21:58 MSGLOG : 3152 - [RelayState] "RelayState" cleanup
Date: 11/18/2024 Time: 17:21:58 SQLERR : 3152 - [Nonce] "CleanupNonce" cleanup failed sqlcode=-6372
Date: 11/18/2024 Time: 17:21:58 MSGLOG : 3152 - [Access] "CleanupAccessToken" cleanup
Date: 11/18/2024 Time: 17:21:58 MSGLOG : 3152 - [Session] "Session" cleanup
Date: 11/18/2024 Time: 17:21:58

Configuration is:

xml.saml_signature.x509 = "../crt/MyApps.crt"
xml.saml_signature.key = "../crt/MyApps.key"
xml.saml_encryption.x509 = "../crt/MyApps.crt"
xml.saml_encryption.key = "../crt/MyApps.key"
xml.saml_metadata_signature.x509 = "../crt/Fourjs.crt"
xml.saml_metadata_signature.key = "../crt/Fourjs.key"
#
# IdP Trusted certificates list
#
#xml.keystore.calist = "../crt/SSOCircleCA.crt"
#
# Configuration
#
saml.entityId = "urn:genero"               # Identifies the Service Provider
saml.allowUnsecure = "false"               # Whether unsecured communications are allowed between IdP and SP (Not recommended)
saml.wantAssertionsSigned = "true"         # Indicates whether the incoming assertion must be signed
saml.wantResponseSigned = "false"          # Indicates whether the incoming response must be signed

And yes, the files are there. Microsoft SAML shows I signed in successfully.

The openssl error seems to lead me to think my certs went bad, but they are good until 2025 on the server and 2027 at Microsoft. My other thought was the folder is not readable by IIS, but the FGLDIR is readable by IIS_IUSRS.

Any help would be greatly appreciated.
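Added example, not from the post or from the Genero product: a Python pre-flight check for the files named in the xml.saml_*.x509 / .key settings above. error:1E08010C is the OpenSSL 3 DECODER "unsupported" error, raised when a key or certificate file cannot be parsed at all, so the script looks for the file-level causes (a byte-order mark left by a Windows editor, the wrong block type, a passphrase-protected key, a truncated or non-base64 body) and reports files the running account cannot read; base_dir is assumed to be the directory the config's relative "../crt" paths are resolved from.

```python
import base64
import codecs
import re
from pathlib import Path

KEY_TAGS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}   # unencrypted key blocks
CERT_TAGS = {"CERTIFICATE"}
BOMS = (codecs.BOM_UTF8, codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)

def check_pem(data: bytes, expect_tags: set) -> list:
    """Return the problems that would stop OpenSSL decoding this PEM file ([] if none)."""
    if data.startswith(BOMS):
        return ["file starts with a byte-order mark (UTF-16/UTF-8 BOM); OpenSSL expects plain ASCII PEM"]
    lines = [l.strip() for l in data.decode("ascii", "replace").splitlines() if l.strip()]
    begins = [i for i, l in enumerate(lines) if l.startswith("-----BEGIN ")]
    if not begins:
        return ["no '-----BEGIN' line: not a PEM file (DER, PFX or the wrong file?)"]
    tag = lines[begins[0]][len("-----BEGIN "):].rstrip("-")
    problems = []
    if "ENCRYPTED" in tag or "Proc-Type: 4,ENCRYPTED" in lines:
        problems.append("key is passphrase-protected (ENCRYPTED/Proc-Type header)")
    elif tag not in expect_tags:
        problems.append(f"block type '{tag}' is not one of {sorted(expect_tags)}")
    end = f"-----END {tag}-----"
    if end not in lines:
        return problems + [f"missing '{end}' (truncated file?)"]
    # base64 body between BEGIN and END; 'Key: value' header lines of legacy keys are skipped
    body = "".join(l for l in lines[begins[0] + 1:lines.index(end)] if ":" not in l)
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return problems + ["body is not valid base64 (edited or corrupted?)"]
    if not der or der[0] != 0x30:                          # every key and cert is a DER SEQUENCE
        problems.append("decoded body is not a DER SEQUENCE")
    return problems

def check_files(cfg_text: str, base_dir: str) -> dict:
    """Resolve every xml.*.x509 / xml.*.key path against base_dir (assumed) and check the file."""
    report = {}
    for line in cfg_text.splitlines():
        m = re.match(r'\s*(xml\.\S+\.(x509|key))\s*=\s*"([^"]+)"', line.split("#", 1)[0])
        if not m:
            continue
        setting, kind, path = m.group(1), m.group(2), Path(base_dir, m.group(3))
        try:
            report[setting] = check_pem(path.read_bytes(), CERT_TAGS if kind == "x509" else KEY_TAGS)
        except OSError as exc:                             # missing, or not readable by this account
            report[setting] = [f"cannot read {path}: {exc.strerror}"]
    return report
```

Run check_files with the config text and base_dir under the same account the IIS application pool uses, so a permission problem shows up as "cannot read" rather than as a false pass.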