Author Topic: SSO SAML Failure  (Read 65 times)
Paul M.
Posts: 16


« on: November 18, 2024, 11:35:27 pm »

Not sure how, but I seem to have broken my SAML SSO.

I can run the program without SAML just fine, but when I attach the DELEGATE to the xcf, it goes away.

I have gas 3.20 and gas 4.01 on the same WS2019 IIS10 box.  .xcf looks like this.
gas 3.20 does not use the SAML and has the /gas application pointing to the 3.20.09 isapi.dll
gas 4.01.05 uses SAML and has a /gas4 application pointing to the 4.01.03 isapi.dll

<APPLICATION Parent="defaultgwc"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/4.01/cfextwa.xsd">
  <EXECUTION>
    <ENVIRONMENT_VARIABLE Id="FGLSQLDEBUG">3</ENVIRONMENT_VARIABLE>
    <ENVIRONMENT_VARIABLE Id="FGLWSDEBUG">3</ENVIRONMENT_VARIABLE>
    <PATH>$(res.deployment.path)/.</PATH>
    <MODULE>helloWorld.42m</MODULE>
    <DELEGATE service="services/SAMLServiceProvider" />
  </EXECUTION>
</APPLICATION>

The SAML.log shows this.
Date: 11/18/2024    Time: 17:18:02
MSG  : 3152 - [Logs] "INIT" with level='DEBUG' done
Date: 11/18/2024    Time: 17:18:02
MSGLOG : 3152 - [Server] "Main" Started
Date: 11/18/2024    Time: 17:18:02
DEBUG  : 3152 - [CryptoManager] "LoadKeys" Signing
Date: 11/18/2024    Time: 17:18:02
DEBUG  : 3152 - [CryptoManager] "LoadKeys" Encryption
Date: 11/18/2024    Time: 17:18:02
DEBUG  : 3152 - [CryptoManager] "LoadKeys" Metadata
Date: 11/18/2024    Time: 17:18:02
MSGLOG : 3152 - [CryptoManager] "LoadKeys" Metadata: No certificate or key found
Date: 11/18/2024    Time: 17:18:02
ACCESS : 3152 - [Server] "Main" Started
Date: 11/18/2024    Time: 17:18:02
ACCESS : 3152 - [Request] "10.16.100.104" incoming request : /gas4/ws/r/services/SAMLServiceProvider/Delegate
Date: 11/18/2024    Time: 17:18:02
MSGLOG : 3152 - [SPManager] "HasAccess" https://apps01.myserver.org/gas4/ua/r/HelloWorld
Date: 11/18/2024    Time: 17:18:02
DEBUG  : 3152 - [SPManager] "HasAccess" (null)
Date: 11/18/2024    Time: 17:18:02
DEBUG  : 3152 - [Access] "ValidateAccessToken" (null)
Date: 11/18/2024    Time: 17:18:02
MSGLOG : 3152 - [SPManager] "StartAuthentication" https://apps01.myserver.org/gas4/ua/r/HelloWorld
Date: 11/18/2024    Time: 17:18:02
ERROR  : 3152 - [Session] "CreateSession" unable to create session: crypto library function failed : openssl error: error:1E08010C:DECODER
Date: 11/18/2024    Time: 17:18:02
ERROR  : 3152 - [SPManager] "StartAuthentication" Unable to create session
Date: 11/18/2024    Time: 17:18:02
ACCESS : 3152 - [Request] "10.16.100.104" response returned:
ACCESS : 3152 - [Request] "10.16.100.104" response returned:
Date: 11/18/2024    Time: 17:21:58
ERROR  : 3152 - [Server] "Request" -15575
Date: 11/18/2024    Time: 17:21:58
MSGLOG : 3152 - [RelayState] "RelayState" cleanup
Date: 11/18/2024    Time: 17:21:58
SQLERR : 3152 - [Nonce] "CleanupNonce" cleanup failed sqlcode=-6372
Date: 11/18/2024    Time: 17:21:58
MSGLOG : 3152 - [Access] "CleanupAccessToken" cleanup
Date: 11/18/2024    Time: 17:21:58
MSGLOG : 3152 - [Session] "Session" cleanup
Date: 11/18/2024    Time: 17:21:58

Configuration is
xml.saml_signature.x509             = "../crt/MyApps.crt"
xml.saml_signature.key              = "../crt/MyApps.key"
xml.saml_encryption.x509            = "../crt/MyApps.crt"
xml.saml_encryption.key             = "../crt/MyApps.key"
xml.saml_metadata_signature.x509    = "../crt/Fourjs.crt"
xml.saml_metadata_signature.key     = "../crt/Fourjs.key"

#
# IdP Trusted certificates list
#
#xml.keystore.calist       = "../crt/SSOCircleCA.crt"

#
# Configuration
#

saml.entityId = "urn:genero"        # Identifies the Service Provider
saml.allowUnsecure = "false"        # Whether unsecured communications are allowed between IdP and SP (Not recommended)
saml.wantAssertionsSigned = "true"  # Indicates whether the incoming assertion must be signed
saml.wantResponseSigned   = "false" # Indicates whether the incoming response must be signed


And yes, the files are there.

Microsoft SAML shows I signed in successfully.

The openssl error seems to lead me to think my certs went bad, but they are good until 2025 on the server and 2027 at Microsoft.  My other thought was the folder is not readable by IIS, but the FGLDIR is readable by IIS_IUSRS.

Any help would be greatly appreciated. 
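Editor's added example (not from the post above and not Four Js code). The OpenSSL 3 code in the log, error:1E08010C, is DECODER routines::unsupported: no decoder recognised the input at all, which is a different failure from an expired certificate. The script below parses xml.saml_*.x509 / xml.saml_*.key lines of the form shown in the post, resolves each path (assumed here to be relative to the directory holding the config file), and checks that each file exists, is readable, and contains a PEM block of the expected kind whose body is valid base64 DER. The file names and PEM contents in demo() are constructed test data; the "Good.key" setting is invented for the example.

```python
"""Pre-flight triage for the PEM files named in a SAML service-provider config.

Added example, not part of the forum post or of the Genero product. It parses
`xml.saml_*.x509` / `xml.saml_*.key` lines, resolves each path against a base
directory (assumed: the directory holding the config file), and checks that the
file exists, is readable, and holds a PEM block of the expected kind whose body
is valid base64 DER. OpenSSL 3 reports `error:1E08010C:DECODER routines::
unsupported` when no decoder recognises the input, so a file that exists but
holds the wrong kind of object (or is empty, binary or encrypted) is the first
thing to rule out.
"""
import base64
import os
import re
import tempfile

# Config lines look like:  xml.saml_signature.key = "../crt/MyApps.key"
CONFIG_LINE = re.compile(r'^\s*(xml\.saml_\w+\.(x509|key))\s*=\s*"([^"]+)"')
# One PEM block: the label on BEGIN and END must match; body captured lazily.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
ENCRYPTED_LABELS = {"ENCRYPTED PRIVATE KEY"}


def parse_config(text):
    """Return [(setting, kind, path)] for every x509/key setting in `text`."""
    found = []
    for line in text.splitlines():
        m = CONFIG_LINE.match(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def check_pem_file(path, kind):
    """Return (ok, reason): would a PEM decoder accept `path` as `kind`?

    `kind` is "x509" (expect a CERTIFICATE block) or "key" (expect an
    unencrypted private-key block).
    """
    if not os.path.isfile(path):
        return False, "missing: %s" % path
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:                      # e.g. ACL denies the app-pool account
        return False, "unreadable: %s" % exc
    if not data.strip():
        return False, "empty file"
    if data[:1] == b"\x30":                      # DER SEQUENCE tag: binary, not PEM
        return False, "DER (binary) input where PEM was expected"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False, "not ASCII text (PKCS#12, wrong encoding, or binary)"
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return False, "no -----BEGIN/END----- block found"
    labels = {label for label, _ in blocks}
    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                       # binascii.Error is a ValueError
            return False, "corrupt base64 in %s block" % label
        if der[:1] != b"\x30":
            return False, "%s block does not decode to a DER SEQUENCE" % label
    if kind == "key":
        if labels & ENCRYPTED_LABELS:
            return False, "private key is passphrase-protected"
        if not labels & KEY_LABELS:
            return False, "no private key block (found: %s)" % ", ".join(sorted(labels))
    elif "CERTIFICATE" not in labels:
        return False, "no CERTIFICATE block (found: %s)" % ", ".join(sorted(labels))
    return True, "ok"


def triage(config_text, base_dir):
    """Resolve every configured file relative to `base_dir` and check it."""
    return {setting: check_pem_file(os.path.normpath(os.path.join(base_dir, rel)), kind)
            for setting, kind, rel in parse_config(config_text)}


def demo():
    """Constructed scenario: a .key file that actually holds a certificate, one
    correct key, and one referenced file that does not exist."""
    der_b64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()   # tiny DER SEQUENCE
    cert_pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % der_b64
    key_pem = "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % der_b64
    config = '''
xml.saml_signature.x509             = "../crt/MyApps.crt"
xml.saml_signature.key              = "../crt/MyApps.key"
xml.saml_encryption.key             = "../crt/Good.key"
xml.saml_metadata_signature.x509    = "../crt/Fourjs.crt"
xml.saml_metadata_signature.key     = "../crt/Fourjs.key"
'''
    with tempfile.TemporaryDirectory() as tmp:
        crt = os.path.join(tmp, "crt")
        os.mkdir(crt)
        files = {"MyApps.crt": cert_pem, "MyApps.key": cert_pem,   # .key holds a cert
                 "Good.key": key_pem, "Fourjs.crt": cert_pem}      # Fourjs.key absent
        for name, content in files.items():
            with open(os.path.join(crt, name), "w") as fh:
                fh.write(content)
        return triage(config, os.path.join(tmp, "etc"))


if __name__ == "__main__":
    for setting, (ok, reason) in demo().items():
        print("%-36s %s %s" % (setting, "OK  " if ok else "FAIL", reason))
```

Once every file passes this triage, the remaining question is whether OpenSSL itself decodes them under the account the IIS application pool runs as: openssl pkey -in MyApps.key -noout -check and openssl x509 -in MyApps.crt -noout -dates -subject run as that identity will surface an ACL or format problem that a check run as an administrator would not.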
