Error decoding authentication request message when integrating Workday into Shib


d.alvarez2
Hi everyone,

I am new to Shibboleth and I have been working for the last 3 months in my job "shibbolizing" applications.
I am trying to integrate Workday into our SSO procedure. We have been experiencing a warning since I added it as a new Relying Party to the configuration file RelyingParty.xml.
I wanted to know if anyone has done this before or encountered this WARN.
I noticed some people have seen this warning but I'm not sure how they resolved it.
Sorry if I am inquiring about something that's already been resolved, but I cannot find any solutions to the problem I am having.

Workday configured their SP and I already added it to the Relying Party like any other application. I received their metadata file and they received my metadata. However, they didn't upload our IdP metadata; they just reference it, and they uploaded my public key. They gave me their public key but I don't really need it. It should be in their metadata for us (the IdP). Is this correct?

This is the warning when trying to access the URL of their application (it should redirect to our IdP SSO login page but it doesn't):

02:20:57.169 - INFO [Shibboleth-Access:74] - 20140408T062057Z|170.252.72.61|cas.cgcent.miami.edu:443|/profile/SAML2/POST/SSO|
02:20:57.169 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:371] - Error decoding authentication request message
org.opensaml.ws.message.decoder.MessageDecodingException: This message deocoder only supports the HTTP POST method
        at org.opensaml.saml2.binding.decoding.HTTPPostDecoder.doDecode(HTTPPostDecoder.java:83) ~[opensaml-2.5.3.jar:na]
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) ~[openws-1.4.4.jar:na]
        at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) ~[opensaml-2.5.3.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:357) [shibboleth-identityprovider-2.3.8.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:209) [shibboleth-identityprovider-2.3.8.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:187) [shibboleth-identityprovider-2.3.8.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:88) [shibboleth-identityprovider-2.3.8.jar:na]
        at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:84) [shibboleth-common-1.3.7.jar:na]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
        at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.3.8.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
        at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:81) [shibboleth-identityprovider-2.3.8.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
        at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.3.7.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:na]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:na]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) [catalina.jar:na]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:na]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:na]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) [catalina.jar:na]
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:na]
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) [tomcat-coyote.jar:na]
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769) [tomcat-coyote.jar:na]
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698) [tomcat-coyote.jar:na]
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891) [tomcat-coyote.jar:na]
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:na]
        at java.lang.Thread.run(Unknown Source) [na:1.6.0_18]


After much research, I am not sure what the problem is. I've seen other threads but they never explained how it was fixed. Any help will be greatly appreciated.

The Workday SP metadata does not contain any X.509 certificate and only has the HTTP-POST location.
It seems pretty straightforward.
Also, I received their SP settings, which seem to be okay:

REDIRECTION URLS
Login Redirect URL Environment Setting: Implementation - https://cas.cgcent.miami.edu/idp/profile/SAML2/POST/SSO

Login Redirect URL: https://cas.cgcent.miami.edu/idp/profile/SAML2/POST/SSO

Logout Redirect URL: https://cas.cgcent.miami.edu/idp/logoutIDP.jsp

Timeout Redirect URL: https://cas.cgcent.miami.edu/idp/logoutIDP.jsp

Mobile Redirect: [blank]

Environment: implemenation

Preview Only: [blank]

OAuth 2.0 Settings

OAuth 2.0 Clients Enabled:  No

SAML Setup

Enable SAML Authentication: Yes

SAML IDENTITY PROVIDERS

Identity Provider: [blank]

Disabled: [blank]

Identity Provider Name: https://cas.cgcent.miami.edu/idp/shibboleth

Issuer: https://cas.cgcent.miami.edu/idp/shibboleth

x509 Certificate: UM_SSO_DEV_IDP_Certificate

Enable Idp-initiated Logout: Yes

Logout Response URL: https://cas.cgcent.miami.edu/idp/logoutIDP.jsp

Enable Workday-initiated Logout: Yes

Logout Redirect URL: https://cas.cgcent.miami.edu/idp/logoutIDP.jsp

x509 Private Key Pair: UM3_SSO_DEV_WD_Certificate

Enable Dynamic Deep Links for IdP initiated SAML: [blank]

Enable Dynamic Certificate Pinning: [blank]

Trusted Domain Certificates: [blank]

Service Provider ID: http:www.workday.com

Enable SP initiated SAML Authentication: Yes

IdP SSO Service URL: https://cas.cgcent.miami.edu/idp/shibboleth

Sign SP-initiated Authentication Request: No

Do not deflate SP-initiated Authentication Request: No

Always Require IdP authentication: [blank]

Authentication Request Signature Method: SHA256

I'd appreciate anyone letting me know what could be wrong.
I turned on SAML tracer and I don't think I ever get an AuthnRequest SAML message. But I notice that somehow we (the IdP) cannot decode it.

Thanks!

diana
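The decoder named in the stack trace (HTTPPostDecoder) only accepts a SAMLRequest delivered by HTTP POST, while a SAML 2.0 AuthnRequest can also arrive by the HTTP-Redirect binding, where the XML is DEFLATE-compressed, base64-encoded and sent as a GET query parameter. The script below is an added example, not code from the original post and not Workday's or Shibboleth's own code; it assumes constructed example.edu/example.com hosts and a constructed AuthnRequest. It reproduces the IdP-side check that produced the warning above: it classifies an inbound request by method and parameter location, decodes the AuthnRequest the way that binding requires, and reports whether the request matches the binding the endpoint supports and the Destination it was sent to.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed values for this example (not the hosts from the post).
IDP_POST_ENDPOINT = "https://idp.example.edu/idp/profile/SAML2/POST/SSO"
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-request-1" Version="2.0" IssueInstant="2014-04-08T06:20:57Z" '
    'Destination="https://idp.example.edu/idp/profile/SAML2/POST/SSO" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
).encode()


def encode_for_binding(xml_bytes, binding):
    """Encode an AuthnRequest the way an SP does for each front-channel binding:
    HTTP-Redirect = raw DEFLATE, then base64, carried in the query string;
    HTTP-POST = base64 only, carried in a form field."""
    if binding == REDIRECT_BINDING:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
        xml_bytes = comp.compress(xml_bytes) + comp.flush()
    return base64.b64encode(xml_bytes).decode("ascii")


def redirect_url_for(xml_bytes, endpoint=IDP_POST_ENDPOINT):
    """Build the GET URL an SP using HTTP-Redirect would send the browser to."""
    return endpoint + "?" + urlencode({"SAMLRequest": encode_for_binding(xml_bytes, REDIRECT_BINDING)})


def decode_authn_request(binding, encoded):
    """Undo the binding's encoding and pull the fields an IdP checks first."""
    raw = base64.b64decode(encoded)
    if binding == REDIRECT_BINDING:
        raw = zlib.decompress(raw, -15)  # Redirect binding inflates before parsing
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"expected samlp:AuthnRequest, got {root.tag}")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "protocol_binding": root.get("ProtocolBinding"),
    }


def classify_binding(method, query, form):
    """Which binding did the SP actually use? Decided by method and parameter location."""
    if method.upper() == "GET" and "SAMLRequest" in query:
        return REDIRECT_BINDING
    if method.upper() == "POST" and "SAMLRequest" in form:
        return POST_BINDING
    return None


def check_request(method, url, form=None, endpoint_binding=POST_BINDING):
    """Emulate the endpoint's decision: decode whatever arrived (so the log shows what
    the SP sent), then reject it if the binding or Destination does not match."""
    form = form or {}
    query = parse_qs(urlsplit(url).query)
    binding = classify_binding(method, query, form)
    result = {"binding": binding, "accepted": False, "reason": None, "request": None}
    if binding is None:
        result["reason"] = "no SAMLRequest parameter in a GET query or a POST body"
        return result
    encoded = query["SAMLRequest"][0] if binding == REDIRECT_BINDING else form["SAMLRequest"]
    try:
        result["request"] = decode_authn_request(binding, encoded)
    except (ValueError, zlib.error, ET.ParseError) as exc:
        result["reason"] = f"could not decode AuthnRequest: {exc}"
        return result
    if binding != endpoint_binding:
        result["reason"] = f"endpoint accepts {endpoint_binding}, request arrived via {binding}"
        return result
    endpoint = urlsplit(url)._replace(query="", fragment="").geturl()
    if result["request"]["destination"] not in (None, endpoint):
        result["reason"] = f"Destination {result['request']['destination']} != {endpoint}"
        return result
    result["accepted"] = True
    return result


if __name__ == "__main__":
    print(check_request("GET", redirect_url_for(SAMPLE_AUTHN_REQUEST)))
    post_form = {"SAMLRequest": encode_for_binding(SAMPLE_AUTHN_REQUEST, POST_BINDING)}
    print(check_request("POST", IDP_POST_ENDPOINT, post_form))
```

The first call in the usage block reproduces the situation in the log: a well-formed AuthnRequest that the endpoint refuses purely because it came in as a GET against a POST-only profile location. That is what to compare against the SP's "Do not deflate SP-initiated Authentication Request" setting and the IdP SSO URL it was given, since a deflated request is by definition one sent with the Redirect binding.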