Re: uaa saml to ping-federate broke when upgrading from cf-226 to cf-227

Sree Tummidi

Hi Rich,

Please see my comments inline

1. When using cf login --sso, prompt no longer points to proper url but
defaults to localhost: One Time Code ( Get one at
http://localhost:8080/uaa/passcode )

We are addressing this issue as part of
https://www.pivotaltracker.com/story/show/112592967

2. When comparing the cf IP metadata, it differs now in the SignatureValue
field

We fixed an issue with a mismatched public/private key pair which was causing
an invalid signature to be generated.
Now the key setup is valid. Yes, you would need to change the PING side of
the configuration and update the SP metadata.

Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry

On Thu, Jan 28, 2016 at 6:41 AM, Rich Wohlstadter <lethwin(a)gmail.com> wrote:

Hi There,

We have cloudfoundry uaa set up to authenticate users to our Identity
Provider ping-federate. After we upgraded to cf-227 this functionality
broke. Are there any known issues with saml setup when you moved over to
the uaa-release github? Some of the symptoms we see:

1. When using cf login --sso, prompt no longer points to proper url but
defaults to localhost: One Time Code ( Get one at
http://localhost:8080/uaa/passcode )
2. When comparing the cf IP metadata, it differs now in the SignatureValue
field

Wondering if we need to set the ping info back up due to a change with
this new release?

Here is the config we use for saml (stripped sensitive info):

saml:
  entity_base_url: login.cf-np.threega.com
  entityid: login
  keystore_key: selfsigned
  keystore_name: samlKeystore.jks
  keystore_password: UGN9RbgNaMwp4Dnn
  providers:
    ping-federate:
      assertionConsumerIndex: 0
      idpMetadata: |+
        <md:EntityDescriptor ID="qhotIfnybstUv02tsh8w2jvpJxF" cacheDuration="PT1440M" entityID="company-t" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
              <ds:Reference URI="#qhotIfnybstUv02tsh8w2jvpJxF">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>zzTEqNenEtq85owsS83D+YhJ3cU0Qfgr1bOWxoLssRI=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>our_signature</ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509Certificate>our_certificate</ds:X509Certificate>
              </ds:X509Data>
              <ds:KeyValue>
                <ds:RSAKeyValue>
                  <ds:Modulus>lZ4ZUFzYXubIUKmMrw+maVTrPGikviTfsJWAiPhuSL6qGnRVLorTTeUr/ynS++TdLpVkBLz0hqD/yQvd1V3sgK6X22NGikLcmIrHRX69DLqB7IdC9HFlpz3yVWK0lIChVlrqgLX7/wEQpYwWLnnLXjz4J3ce0mQ4Y4kmiBvhciqNEoqPK/g9wrkZKzMhLk3/CMtR/hDVurG/s+bnmYhbNb3pmHYBu5KnqmrJxHzxsxnBRF6V8fEXlmI7pqu9SV21p7dEW1VYi5p99lnFPkL1ic+dF4iIIWtggbq4Ue3qdl1bUoc8y+iG5fRPSQJIGkmiAfQdTdxe8zc384gmf6IenQ==</ds:Modulus>
                  <ds:Exponent>AQAB</ds:Exponent>
                </ds:RSAKeyValue>
              </ds:KeyValue>
            </ds:KeyInfo>
          </ds:Signature>
          <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">
            <md:KeyDescriptor use="signing">
              <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                  <ds:X509Certificate>tShzzL6Ibl9E9JAkgaSaIB9B1N3F7zNzfziCZ/oh6dAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAG/MyUQ05U8Liqq85+xTY7WcUGiUAXv+/cSS7OLasoblDQ0iBxcpSkWvkGTVqR73QTRssIfnokG9GGJsSdyIcZzWoCLg2iTaJjRFEuI5oP9sy3QPeK66MeIdkkSGeEuHfNKloSoApxxocuDZuGTHCuU7dqXZe49hf1qiSvLbZHGZuksu4jBPN2qWqwe+v2TFM3AraakAwPbcYqir7c3nWAWkr4h/6KlmZwEo9gAFsMliUM0h9+AHVLyjRQfMlPeOP1N7zpNnMYr0JKJ9B7Rs2ebtCoHLLsyOVmiDiVJDRHVv04GBDSMXIkGcKY7ULLR9WiqMKfnkamGs1QOrQTIJZhU=</ds:X509Certificate>
                </ds:X509Data>
              </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:ArtifactResolutionService index="0" Location="https://test.amp.company.com/idp/ARS.ssaml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" isDefault="true"/>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.amp.monsanto.com/idp/SSO.saml2"/>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test.amp.monsanto.com/idp/SSO.saml2"/>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://test.amp.monsanto.com/idp/SSO.saml2"/>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://test.amp.monsanto.com/idp/SSO.saml2"/>
          </md:IDPSSODescriptor>
          <md:ContactPerson contactType="administrative">
            <md:Company>company</md:Company>
            <md:GivenName>AMP</md:GivenName>
            <md:SurName>Team</md:SurName>
            <md:EmailAddress>DL-AMPSUPPORT(a)company.com</md:EmailAddress>
            <md:TelephoneNumber>xxx-xxx-xxxx</md:TelephoneNumber>
          </md:ContactPerson>
        </md:EntityDescriptor>
      linkText: Ping Identity
      metadataTrustCheck: true
      nameID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      showSamlLoginLink: true
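Sree's explanation above (a public/private key pair that does not match makes UAA publish a SignatureValue no IdP can verify) suggests a check worth running before re-importing SP metadata into PingFederate after an upgrade. This is an added example, not code from the thread or from UAA: it assumes the SAML signing certificate and private key have already been exported from the keystore to PEM files, and uses openssl to confirm they belong to the same key pair.

```shell
#!/bin/sh
# Added example: confirm that a SAML signing certificate and the private key
# that signs SP metadata are a pair, by comparing the RSA modulus openssl
# reports for each. A mismatch is the condition that produced the invalid
# SignatureValue discussed in the thread.
set -eu

# Prints "match" if the public key in CERT ($1) belongs to KEY ($2),
# "mismatch" otherwise (including when either file cannot be parsed).
check_pair() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null || true)
  key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null || true)
  if [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]; then
    echo match
  else
    echo mismatch
  fi
}

# Constructed test material: one self-signed identity (a.crt + a.key) and an
# unrelated key (b.key) standing in for a keystore whose cert and key drifted apart.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/a.key" -out "$WORK/a.crt" \
  -subj "/CN=login.example.test" -days 1 >/dev/null 2>&1
openssl genrsa -out "$WORK/b.key" 2048 >/dev/null 2>&1

check_pair "$WORK/a.crt" "$WORK/a.key"   # match
check_pair "$WORK/a.crt" "$WORK/b.key"   # mismatch
```

For a JKS keystore such as samlKeystore.jks, `keytool -importkeystore -srckeystore samlKeystore.jks -destkeystore samlKeystore.p12 -deststoretype PKCS12` followed by `openssl pkcs12 -in samlKeystore.p12 -nocerts -nodes -out key.pem` and `openssl pkcs12 -in samlKeystore.p12 -nokeys -out cert.pem` yields the two PEM inputs.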
