Inbound message issuer was not authenticated.


arunsamavedula
We have a requirement to generate an attribute query to retrieve attributes from the IdP. I'm testing this with Shibboleth's test IdP and I'm facing the following error while initiating the attribute query.

13:45:05.607 - INFO [Shibboleth-Access:73] - 20140113T184505Z|115.241.3.79|idp.testshib.org:8443|/profile/SAML2/SOAP/AttributeQuery|
13:45:05.607 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/SOAP/AttributeQuery
13:45:05.607 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler
13:45:05.607 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler:166] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP'
13:45:05.609 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for carelocal.com
13:45:05.609 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:134] - No custom relying party configuration found for carelocal.com, looking up configuration based on metadata groups.
13:45:05.610 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157] - No custom or group-based relying party configuration found for carelocal.com. Using default relying party configuration.
13:45:05.610 - ERROR [org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule:37] - Inbound message issuer was not authenticated.
13:45:05.610 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler:203] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
        at org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule.evaluate(MandatoryAuthenticatedMessageRule.java:38) ~[openws-1.5.0.jar:na]
        at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51) ~[openws-1.5.0.jar:na]
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132) ~[openws-1.5.0.jar:na]
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83) ~[openws-1.5.0.jar:na]
        at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) ~[opensaml-2.6.0.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler.decodeRequest(AttributeQueryProfileHandler.java:186) [shibboleth-identityprovider-2.4.0.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:88) [shibboleth-identityprovider-2.4.0.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:55) [shibboleth-identityprovider-2.4.0.jar:na]
        at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) [shibboleth-common-1.4.0.jar:na]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.36]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.36]
        at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.4.0.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.36]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.36]
        at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87) [shibboleth-identityprovider-2.4.0.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.36]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.36]
        at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.4.0.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.36]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.36]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.36]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.36]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) [catalina.jar:6.0.36]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.36]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) [catalina.jar:6.0.36]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.36]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) [catalina.jar:6.0.36]
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:6.0.36]
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:311) [tomcat-coyote.jar:6.0.36]
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:776) [tomcat-coyote.jar:6.0.36]
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:705) [tomcat-coyote.jar:6.0.36]
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:898) [tomcat-coyote.jar:6.0.36]
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:6.0.36]
        at java.lang.Thread.run(Thread.java:662) [na:1.6.0_43]



Following is the SAMLResponse we received for the initial authentication request over HTTP-POST.
--------------------------------------------------------------------------------

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="http://www.carelocal.com:8080/saml/SSO/alias/defaultAlias"
    ID="_e97977fdf1f5955feb7ce464c1a1500a" InResponseTo="a2ic6a41ae8ehe1920hcj5i7ee8fddd"
    IssueInstant="2014-01-13T19:06:27.782Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.testshib.org/idp/shibboleth</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_d4c0abb0348e8f6b530c4bca2e81b869"  ......


Following is the Attribute Query sent
---------------------------------

<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
    <soap11:Body>
        <saml2p:AttributeQuery ID="_e97977fdf1f5955feb7ce464c1a1500a"
            IssueInstant="2014-01-13T19:06:27.843Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
            <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">carelocal.com</saml2:Issuer>
            <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
                <saml2:NameID
                    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp.testshib.org/idp/shibboleth">_42e502727962577e764516c71c141217</saml2:NameID>
            </saml2:Subject>
            <saml2:Attribute FriendlyName="FirstName" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>
        </saml2p:AttributeQuery>
    </soap11:Body>
</soap11:Envelope>

Following is our metadata, which we uploaded into Shibboleth
---------------------------------------------------------

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor ID="carelocal.com" entityID="carelocal.com" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.carelocal.com:8080/saml/SingleLogout/alias/defaultAlias"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://www.carelocal.com:8080/saml/SingleLogout/alias/defaultAlias"/>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.carelocal.com:8080/saml/SSO/alias/defaultAlias" index="0" isDefault="true"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://www.carelocal.com:8080/saml/SSO/alias/defaultAlias" index="1"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>


Can someone please help with this?

Thanks,
Arun
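An added pre-flight check (not code from the original post; the sample query and metadata below are constructed, trimmed copies of the ones posted above) that reads a SOAP AttributeQuery together with the SP's metadata and reports, from the message alone, what the IdP's MandatoryAuthenticatedMessageRule would have nothing to authenticate against: a missing enveloped signature, an Issuer that does not match the metadata entityID, or no signing key published in the metadata.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap11": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed sample: the unsigned query from the post, with the Subject left out.
QUERY = """<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
  <soap11:Body>
    <saml2p:AttributeQuery ID="_e97977fdf1f5955feb7ce464c1a1500a" Version="2.0"
        IssueInstant="2014-01-13T19:06:27.843Z" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">carelocal.com</saml2:Issuer>
    </saml2p:AttributeQuery>
  </soap11:Body>
</soap11:Envelope>"""

# Constructed sample: the SP metadata reduced to what the check needs (certificate omitted).
METADATA = """<md:EntityDescriptor entityID="carelocal.com" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_query(query_xml, metadata_xml):
    """List what, in the message itself, keeps an IdP from authenticating the issuer.
    Authentication by TLS client certificate is not visible at this layer."""
    env = ET.fromstring(query_xml)
    query = env.find("soap11:Body/saml2p:AttributeQuery", NS)
    if query is None:
        return ["no saml2p:AttributeQuery in the SOAP body"]
    md = ET.fromstring(metadata_xml)
    entity_id = md.get("entityID")
    problems = []
    issuer = query.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer != entity_id:
        problems.append(f"Issuer {issuer!r} does not match metadata entityID {entity_id!r}")
    # A signed SAML protocol message carries an enveloped ds:Signature as a direct
    # child of the message element, right after saml2:Issuer.
    if query.find("ds:Signature", NS) is None:
        problems.append("AttributeQuery carries no ds:Signature")
    # The IdP verifies against keys the SP publishes for signing (no use attribute = any use).
    keys = md.findall("md:SPSSODescriptor/md:KeyDescriptor", NS)
    if not any(k.get("use") in (None, "signing") for k in keys):
        problems.append("SP metadata publishes no signing KeyDescriptor")
    return problems
```

Run against the posted query it reports only the missing ds:Signature, which is consistent with the IdP log above: the relying party was resolved from metadata, but the message itself gave the security policy nothing to authenticate.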