Re: Using SAML 2 Bearer token with our own UAA Server #uaa
Martijn de Boer
Hi,
For SAML Bearer an Assertion object is expected as bas64-url(base64(assertion)). Looks like you are send not the Assertion, but the SAML response object.
See
10:44:22.088: [APP/PROC/WEB.0] java.lang.ClassCastException: class org.opensaml.saml2.core.impl.ResponseImpl cannot be cast to class org.opensaml.saml2.core.Assertion (org.opensaml.saml2.core.impl.ResponseImpl and org.opensaml.saml2.core.Assertion are in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @3ed242a4)
Regards,
Martijn
Gesendet: Dienstag, 10. Dezember 2019 um 18:06 Uhr
Von: "vshetty via Lists.Cloudfoundry.Org" <vshetty=fdic.gov@...> An: cf-dev@... Betreff: [cf-dev] Using SAML 2 Bearer token with our own UAA Server #uaa I am trying to prototype a situation where a user is already authenticated to an On-prem application using ADFS using SAML. Now, this application needs to call a web service deployed on cloud.gov (Cloud foundry). We also have our own instance of UAA running in cloud.gov which is used for authorization. IF the user has already been authenticated with the on-prem application, then it should be possible to exchange the SAML token with an OAuth Bearer token with the UAA Server installed on cloud.gov. So, as a prototype I obtained the SAML token for a user and tried to exchange with OAuth Bearer token by calling the UAA on cloud.gov as specified in
https://docs.cloudfoundry.org/api/uaa/version/74.4.0/index.html#saml2-bearer-grant However, I keep getting an error no matter what. I even decrypted the SAML token and then sent the Base64 URI but still no luck. The error I am getting is the following Anyone has any ideas why this might be happening ? 10:44:22.088: [APP/PROC/WEB.0] [2019-12-10 15:44:22.086] uaa - 7 [http-nio-8080-exec-2] .... ERROR --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Uncaught Exception:
10:44:22.088: [APP/PROC/WEB.0] java.lang.ClassCastException: class org.opensaml.saml2.core.impl.ResponseImpl cannot be cast to class org.opensaml.saml2.core.Assertion (org.opensaml.saml2.core.impl.ResponseImpl and org.opensaml.saml2.core.Assertion are in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @3ed242a4)
10:44:22.088: [APP/PROC/WEB.0] at org.cloudfoundry.identity.uaa.authentication.SamlAssertionDecoder.doDecode(SamlAssertionDecoder.java:97) ~[cloudfoundry-identity-server-74.5.0.jar:?]
10:44:22.088: [APP/PROC/WEB.0] at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) ~[openws-1.5.6.jar:?]
10:44:22.088: [APP/PROC/WEB.0] at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) ~[opensaml-2.6.6.jar:?]
10:44:22.088: [APP/PROC/WEB.0] at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105) ~[spring-security-saml2-core-1.0.9.RELEASE.jar:1.0.9.RELEASE]
10:44:22.088: [APP/PROC/WEB.0] at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172) ~[spring-security-saml2-core-1.0.9.RELEASE.jar:1.0.9.RELEASE]
10:44:22.088: [APP/PROC/WEB.0] at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:85) ~[spring-security-saml2-core-1.0.9.RELEASE.jar:1.0.9.RELEASE]
10:44:22.088: [APP/PROC/WEB.0] at org.cloudfoundry.identity.uaa.authentication.BackwardsCompatibleTokenEndpointAuthenticationFilter.attemptTokenAuthentication(BackwardsCompatibleTokenEndpointAuthenticationFilter.java:218) ~[cloudfoundry-identity-server-74.5.0.jar:?]
10:44:22.088: [APP/PROC/WEB.0] at org.cloudfoundry.identity.uaa.authentication.BackwardsCompatibleTokenEndpointAuthenticationFilter.doFilter(BackwardsCompatibleTokenEndpointAuthenticationFilter.java:114) ~[cloudfoundry-identity-server-74.5.0.jar:?]
10:44:22.088: [APP/PROC/WEB.0] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
10:44:22.088: [APP/PROC/WEB.0] at org.cloudfoundry.identity.uaa.authentication.ClientBasicAuthenticationFilter.doFilterInternal(ClientBasicAuthenticationFilter.java:142) ~[cloudfoundry-identity-server-74.5.0.jar:?]
10:44:22.088: [APP/PROC/WEB.0] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
|
|