CA SecureCenter Federation Runbook for Pivotal Cloud Foundry
Legal Notice

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the "Documentation") is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA.

Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright 2015 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Contact CA Technologies

Contact CA Support

For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:
- Online and telephone contact information for technical assistance and customer services
- Information about user communities and forums
- Product and documentation downloads
- CA Support policies and guidelines
- Other helpful resources appropriate for your product

Providing Feedback About Product Documentation

If you have comments or questions about CA Technologies product documentation, you can send a message to techpubs@ca.com or customer-service@pivotal.io.
Contents

- Legal Notice
- Contents
- Chapter 1: SaaS Partner Introduction
  - Overview
  - Partnership Process
  - Prerequisites
  - Target Pivotal Cloud Foundry
- Chapter 2: Configure CA Single Sign-On (12.52) as Identity Provider
  - Configure Identity Provider and Service Provider Entities
    - Local Entity Creation
    - Remote Entity Creation
  - Configure Federation Partnership between CA Single Sign-On (IDP) & Pivotal Cloud Foundry (SP)
    - Configure Partnership
    - Federation Users
    - Assertion Configuration
    - SSO and SLO
    - Configure Signature and Encryption
    - Partnership Activation
- Chapter 3: Configure Service Provider
  - Configure SAML 2.0 SSO in Pivotal Cloud Foundry
- Chapter 4: Federation Testing & Target Services
  - Federation Testing
    - Identity Provider initiated Testing
    - Service Provider initiated Testing
  - Accessing various Pivotal Cloud Foundry Federation services
- Chapter 5: Exception Handling
  - Exception Cases
    - When the Single Sign-On Partnership is Inactive
    - When Service Provider Entity ID was misconfigured on the Single Sign-On Side
    - When Identity Provider Entity ID was misconfigured on the Single Sign-On Side
    - When Service Provider Assertion Consumer URL was misconfigured on the Single Sign-On Side
    - Audience Field was misconfigured on the Single Sign-On Side
    - Name ID Format value was misconfigured on the Single Sign-On Side
    - Expired certificate on Single Sign-On Side
    - When Identity Provider Entity ID was misconfigured on the Pivotal Cloud Foundry Side
    - When Identity Provider SSO URL was misconfigured on the Pivotal Cloud Foundry Side
    - When Identity Provider SLO URL was misconfigured on the Pivotal Cloud Foundry Side
    - When Identity Provider Certificate was misconfigured on the Pivotal Cloud Foundry Side
    - User who is not in Pivotal Cloud Foundry trying to log in through Single Sign-On
    - Single Sign-On User who does not have the desired attributes in the user store
- Chapter 6: Summary
Chapter 1: SaaS Partner Introduction

This section contains the following topics:
- Overview
- Partnership Process
- Prerequisites
- Target Pivotal Cloud Foundry

Overview

The scope of this document is to provide the steps needed to configure a federation partnership that achieves SSO (Single Sign-On) between CA Single Sign-On 12.52 (formerly CA SiteMinder), acting as the Identity Provider (IDP), and Pivotal Cloud Foundry, acting as the Service Provider (SP). This integration works only with Pivotal Cloud Foundry 1.4 and above.

Partnership Process

The partnership creation for each partner involves the following steps:
1. Installing and configuring the prerequisites
2. Configuring CA Single Sign-On as an Identity Provider
3. Configuring the Service Provider
4. Testing the federated SSO

Prerequisites

- Installation of the CA Single Sign-On 12.52 suite
- Configuration and testing of the user store and session store
- A certificate for the Identity Provider's digital signature, signed by a well-known Certificate Authority such as VeriSign, Entrust, Thawte or Go Daddy
- Important! Protect the Identity Provider Authentication URL with a policy in CA Single Sign-On 12.52. The Identity Provider Authentication URL is protected by creating the following objects:
  - Authentication Scheme
  - Domain
  - Realm
  - Rule and Policy
  Note: Protecting the Authentication URL ensures that a user requesting a protected federated resource is presented with an authentication challenge if they do not already have a CA Single Sign-On session at the Identity Provider.
- A tenant environment at Pivotal Cloud Foundry. Login URL: https://console.{system-domain}
  Note: Replace {system-domain} with the system domain of your Pivotal Cloud Foundry installation.

Target Pivotal Cloud Foundry

The following Pivotal Cloud Foundry services have been tested for federation using CA Single Sign-On 12.52 as the Identity Provider:
1. Apps Manager
2. Cloud Foundry Command Line Interface (CF CLI)
Chapter 2: Configure CA Single Sign-On (12.52) as Identity Provider

This section contains the following topics:
- Configure Identity Provider and Service Provider Entities
- Configure Federation Partnership between CA Single Sign-On (IDP) & Pivotal Cloud Foundry (SP)

Configure Identity Provider and Service Provider Entities

To create entities, log in to CA Single Sign-On and go to Federation > Partnership Federation > Entity > Create Entity.

Local Entity Creation

Configure the local Identity Provider entity with the following details:
- Entity Location: Local
- Entity Type: SAML2 IDP
- Entity ID: Any (e.g. https://ca-technologies.xxx.com)
- Entity Name: Any (e.g. sampleentity)
- Base URL: https://<fws_fqdn>, where fws_fqdn is the fully-qualified domain name of the host serving CA Single Sign-On Federation Web Services (e.g. ca-technologies.xxx.com)
- Signing Private Key Alias: Select the correct private key alias, or import one if this has not been done already (e.g. catech)
- Signed Authentication Requests Required: No
- Supported NameID formats:
  urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

Remote Entity Creation

To configure the remote Service Provider entity from the Service Provider's metadata, click the Import Metadata button and perform the steps below:
1. Download the Service Provider metadata from https://login.{system-domain}/saml/metadata and save it to an XML file.
2. Browse to and select the XML metadata file saved in the previous step, and continue.
3. Provide a name for the remote Service Provider entity.
4. Provide an alias for the signing certificate imported from the metadata.
   Note: Pivotal Cloud Foundry always signs its outgoing SAML authentication requests; this certificate is what CA Single Sign-On uses to verify them.
5. Save the remote Service Provider entity.
Configure Federation Partnership between CA Single Sign-On (IDP) & Pivotal Cloud Foundry (SP)

Log in to CA Single Sign-On and navigate to Federation > Partnership Federation > Create Partnership (SAML2 IDP -> SP).

Configure Partnership

- Add Partnership Name: Any (e.g. SamplePartnership_<??>)
- Description: Any (a relevant description)
- Local IDP ID: Select the local IDP entity created above
- Remote SP ID: Select the remote SP entity created above
- Base URL: Pre-populated from the local entity
- Skew Time: Any, per environment requirement (the clock difference tolerated between the Identity Provider and the Service Provider when assertion timestamps are checked)
- User Directories and Search Order: Select the required directories in the required search order

Proceed to the next page.

Federation Users

Configure Federation Users: accept the default values.
Assertion Configuration

Name ID Format:
- Name ID Format: Email Address
- Name ID Type: User Attribute
- Value: mail

Assertion Attributes: Pivotal Cloud Foundry does not support processing SAML assertion attributes at this time.

SSO and SLO

- Authentication URL: Add the Authentication URL that was protected by CA Single Sign-On under Prerequisites
- SSO Binding: Select the SSO binding supported by the Service Provider: HTTP-POST
- Audience: http://login.{system-domain} (this must match the Service Provider's entity ID exactly; see the Audience exception case in Chapter 5)
- Transactions Allowed: Both IDP and SP initiated
- Assertion Consumer Service URL: Should be pre-populated from the Service Provider entity imported from the metadata

Configure Signature and Encryption

- Signing Private Key Alias: Verify that the correct private key alias is selected
- Verification Certificate Alias: Verify that the correct verification certificate alias is selected. This must be the certificate imported with the remote Service Provider entity, since Pivotal Cloud Foundry signs its authentication requests with the corresponding private key.
- Post Signature: Select Sign Both (sign both the Response and the Assertion)

Note: Pivotal Cloud Foundry does not support the encryption options at this time.

Confirm the values and finish the partnership.

Partnership Activation

Activate the created partnership.
Chapter 3: Configure Service Provider

This section contains the following topics:
- Configure SAML 2.0 SSO in Pivotal Cloud Foundry

Configure SAML 2.0 SSO in Pivotal Cloud Foundry

Follow the steps below to configure Pivotal Cloud Foundry using Ops Manager:
1. Log in to the Ops Manager console and click the Pivotal Elastic Runtime tile.
2. Click SSO Config under Settings.
3. Enter a name under Provider Name. This name is displayed on the Pivotal Cloud Foundry login page as the link that performs SP-initiated Single Sign-On.
4. Enter the Identity Provider metadata:
   - Log in to CA Single Sign-On and navigate to Federation > Partnership Federation.
   - Select the Export Metadata option in the Actions menu of the partnership.
   - Save the exported metadata to an XML file.
   - Paste the contents of the XML file into the Identity Provider Metadata text area. The exported Identity Provider metadata does not contain the XML declaration; add the following line at the beginning of the XML:
     <?xml version="1.0" encoding="utf-8"?>
5. Save the form.
6. Click Apply Changes.
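The metadata exchange between the two sides (importing the Service Provider metadata from https://login.{system-domain}/saml/metadata in Chapter 2, and pasting the exported Identity Provider metadata with its missing XML declaration above) is easy to get wrong by hand. The following Python script is an added example, not part of this runbook or of the CA or Pivotal products. It pulls out of the SP metadata the values the partnership wizard needs (the entity ID that becomes the Audience, the HTTP-POST Assertion Consumer Service URL, the NameID formats, and the signing certificate that verifies Pivotal Cloud Foundry's signed authentication requests), flags values that would break the configuration described in this runbook, and prepends the XML declaration to an exported IDP metadata file if it is absent. The sample metadata, host names and certificate value in it are constructed.

```python
"""Prepare SP / IDP metadata for the CA Single Sign-On partnership.

Added example (not CA or Pivotal code). SAMPLE_SP_METADATA is constructed to
look like what https://login.{system-domain}/saml/metadata returns; its entity
ID, host name and certificate value are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
XML_DECL = '<?xml version="1.0" encoding="utf-8"?>'

# Constructed sample; a real export carries a full base64 X.509 certificate.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://login.example.cf-app.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-ASSUMED-BASE64-CERTIFICATE-VALUE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.example.cf-app.com/saml/SSO/alias/login.example.cf-app.com"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_sp_metadata(xml_text):
    """Extract the values the partnership wizard asks for from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    signing_certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                signing_certs.append("".join((cert.text or "").split()))
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "nameid_formats": [(n.text or "").strip() for n in sp.findall("md:NameIDFormat", NS)],
        "acs_post": [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)
                     if a.get("Binding") == HTTP_POST],
        "signing_certs": signing_certs,
    }


def check_sp_metadata(summary):
    """Return the problems that would make the partnership in this runbook fail."""
    problems = []
    if not summary["entity_id"]:
        problems.append("entityID missing: it is the Audience value on the IDP side")
    if not summary["acs_post"]:
        problems.append("no HTTP-POST AssertionConsumerService: the SSO binding here is HTTP-POST")
    for loc in summary["acs_post"]:
        if not loc.startswith("https://"):
            problems.append("ACS URL is not https: " + loc)
    if EMAIL_FORMAT not in summary["nameid_formats"]:
        problems.append("SP does not list the emailAddress NameID format the partnership uses")
    if summary["authn_requests_signed"] and not summary["signing_certs"]:
        problems.append("SP signs AuthnRequests but publishes no signing certificate to verify them")
    return problems


def ensure_xml_declaration(text):
    """Prepend the XML declaration that the CA Single Sign-On metadata export omits."""
    body = text.lstrip("\ufeff \t\r\n")
    if body.startswith("<?xml"):
        return body
    return XML_DECL + "\n" + body
```

Feed `summarize_sp_metadata` the file you downloaded in Chapter 2 and compare its `entity_id` and `acs_post` with the Audience and Assertion Consumer Service URL shown in the partnership wizard; pass the exported IDP metadata through `ensure_xml_declaration` before pasting it into Ops Manager.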
Chapter 4: Federation Testing & Target Services

This section contains the following topics:
- Federation Testing
- Accessing various Pivotal Cloud Foundry Federation services

Federation Testing

Both Identity Provider initiated and Service Provider initiated Single Sign-On were tested against Pivotal Cloud Foundry as described below.

Identity Provider initiated Testing

1. Access the Identity Provider initiated login URL: https://<host_fqdn>/affwebservices/public/saml2sso?SPID=<sp_id>, where <host_fqdn> is the Federation Web Services host and <sp_id> is the Service Provider entity ID.
2. The user is automatically directed to the login page of the Identity Provider (CA Single Sign-On). Enter the credentials and click Login.
3. The user lands on the Pivotal Cloud Foundry Apps Manager home page.

Service Provider initiated Testing

1. Access Pivotal Cloud Foundry Apps Manager at https://console.{system-domain}/
2. The user is redirected to the login page.
3. Click the Identity Provider link: CA Single Sign-On (the link text varies based on what was entered for Provider Name under SSO Config in Ops Manager).
4. The user is automatically directed to the login page of the Identity Provider (CA Single Sign-On). Enter the credentials on the CA Single Sign-On login page and click Login.
5. The user is redirected to the Apps Manager home page.

Note: A user logging in for the first time is not associated with any Organization or Space role in Pivotal Cloud Foundry. After the user logs in once to Apps Manager or via the Cloud Foundry command line (CF CLI), a shadow account is provisioned for them in Pivotal Cloud Foundry. The Pivotal Cloud Foundry administrator then needs to associate the user with the right roles after the shadow account is created, for example by running the role membership commands set-org-role and set-space-role via the CF CLI.

Single Logout: not yet supported.

Accessing various Pivotal Cloud Foundry Federation services

Follow the steps below for Single Sign-On to the Cloud Foundry Command Line Interface (CF CLI):
1. Launch a command prompt and target the CF CLI at your Pivotal Cloud Foundry deployment:
   cf api https://api.{system-domain}
   (Older versions of the CLI used cf target for this.)
2. Perform cf login using the --sso option:
   cf login --sso
3. This displays a URL for generating a one-time password. Open the URL in a browser.
4. If you are not already authenticated, authenticate by clicking the CA Single Sign-On Identity Provider link on the login page.
5. After authentication completes, a one-time password is displayed. Copy it and enter it at the command prompt.
6. You are now logged in to the CF CLI.
Chapter 5: Exception Handling

This section contains the following exceptions:
- When the CA Single Sign-On partnership is inactive
- When the Service Provider Entity ID was misconfigured on the CA Single Sign-On side
- When the Identity Provider Entity ID was misconfigured on the CA Single Sign-On side
- When the Service Provider Assertion Consumer URL was misconfigured on the CA Single Sign-On side
- Audience field was misconfigured on the CA Single Sign-On side
- Name ID Format value was misconfigured on the CA Single Sign-On side
- Expired certificate on the CA Single Sign-On side
- When the Identity Provider Entity ID was misconfigured on the Pivotal Cloud Foundry side
- When the Identity Provider SSO URL was misconfigured on the Pivotal Cloud Foundry side
- When the Identity Provider SLO URL was misconfigured on the Pivotal Cloud Foundry side
- When the Identity Provider certificate was misconfigured on the Pivotal Cloud Foundry side
- User who is not in Pivotal Cloud Foundry trying to log in through CA Single Sign-On
- User who does not have the desired attributes in the user store

Exception Cases

When the CA Single Sign-On partnership is inactive

When the CA Single Sign-On partnership is inactive or not defined, an error page is displayed in the browser.

When the Service Provider Entity ID was misconfigured on the CA Single Sign-On side

Entity ID used: http://login.blah.wild.cf-app.com
Result: Authentication at CA Single Sign-On fails. The CA Single Sign-On error page is displayed as soon as the SSO link is clicked.

When the Identity Provider Entity ID was misconfigured on the CA Single Sign-On side

Entity ID used: samlidp1
Result: Authentication at Pivotal Cloud Foundry fails. The CA Single Sign-On login page is displayed; after authentication, an error is displayed on the SP side, because the Response is issued under an entity ID for which the SP holds no metadata, so no credentials are found to validate the signature.

Logs:
[2015-03-23 19:59:41.813] login - 12965 [http-bio-8080-exec-6] ... DEBUG --- MetadataCredentialResolver: Added 0 credentials resolved from metadata of entity smidp1
[2015-03-23 19:59:42.316] login - 12965 [http-bio-8080-exec-6] ... DEBUG --- SAMLProcessingFilter: Incoming SAML message is invalid
org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
    at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138)

When the Service Provider Assertion Consumer URL was misconfigured on the CA Single Sign-On side

ACS URL used: http://login.gorilla.wild.cf-app.com/saml/SSO/alias/login.blah.wild.cf-app.com
Result: Authentication at Pivotal Cloud Foundry fails. Clicking the SSO link shows the CA Single Sign-On login page; after authentication, an error is displayed on Cloud Foundry, because the alias in the ACS path does not match any local Service Provider entity.

Logs:
[2015-03-23 23:25:59.435] login - 12965 [http-bio-8080-exec-7] ... DEBUG --- SAMLProcessingFilter: Attempting SAML2 authentication using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
[2015-03-23 23:25:59.436] login - 12965 [http-bio-8080-exec-7] ... DEBUG --- SAMLProcessingFilter: Error determining metadata contracts
org.opensaml.saml2.metadata.provider.MetadataProviderException: No local entity found for alias login.blah.wild.cf-app.com, verify your configuration.
    at org.springframework.security.saml.context.SAMLContextProviderImpl.populateLocalEntityId(SAMLContextProviderImpl.java:279)
    at org.springframework.security.saml.context.SAMLContextProviderImpl.getLocalEntity(SAMLContextProviderImpl.java:106)

Audience field was misconfigured on the CA Single Sign-On side

Audience used: http://login.blah.wild.cf-app.com
Result: Authentication at Pivotal Cloud Foundry fails. Clicking the SSO link shows the CA Single Sign-On login page; after authentication, an error is displayed on Cloud Foundry, because the assertion's audience restriction does not name the Service Provider's own entity ID.

Logs:
[2015-03-23 23:38:16.316] login - 12965 [http-bio-8080-exec-8] ... INFO --- SAMLDefaultLogger: AuthNResponse;FAILURE;10.80.16.46;http://login.gorilla.wild.cf-app.com;smidp;;;org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)

Name ID Format value was misconfigured on the CA Single Sign-On side

Name ID Format used: Kerberos Principal Name
Result: Authentication at Pivotal Cloud Foundry fails and the error below is logged.

Logs:
[2015-03-23 23:49:06.966] login - 12965 [http-bio-8080-exec-1] ... ERROR --- BaseSAMLMessageDecoder: SAML message intended destination endpoint URI required by binding was empty
[2015-03-23 23:49:06.966] login - 12965 [http-bio-8080-exec-1] ... DEBUG --- SAMLProcessingFilter: Incoming SAML message is invalid
org.opensaml.xml.security.SecurityException: SAML message intended destination (required by binding) was not present
    at org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder.checkEndpointURI(BaseSAMLMessageDecoder.java:201)
    at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:72)

Expired certificate on the CA Single Sign-On side

Condition: The CA Single Sign-On signing certificate has expired. CA Single Sign-On cannot sign the assertion and returns a Response with an empty Issuer and a Responder status instead of an assertion. The log file information looks like this:

<Response ID="_5e705c022c4ce8c6c8a5c39a057e3eb211d0" InResponseTo="fjedijkpiblphaigikhdieilebpfaibhmampl" IssueInstant="2012-12-27T13:29:00Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"></ns1:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <StatusMessage>Error Signing Assertion.</StatusMessage>
  </Status>
</Response>

A corresponding error message appears in the browser.

When the Identity Provider Entity ID was misconfigured on the Pivotal Cloud Foundry side

Identity Provider Entity ID used: samlidp1
Result: Authentication at Pivotal Cloud Foundry fails and the error below is logged. As in the matching case on the CA Single Sign-On side, the Service Provider finds no credentials for the Issuer of the Response and cannot validate its signature.

Logs:
[2015-03-24 00:41:27.185] login - 15186 [http-bio-8080-exec-2] ... DEBUG --- MetadataCredentialResolver: Added 0 credentials resolved from metadata of entity smidp
[2015-03-24 00:41:27.390] login - 15186 [http-bio-8080-exec-2] ... DEBUG --- SAMLProcessingFilter: Incoming SAML message is invalid
org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
    at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138)
    at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)

When the Identity Provider SSO URL was misconfigured on the Pivotal Cloud Foundry side

SSO URL used: https://sc5.casecurecenter.com/affwebservices/public/saml2sso
Flow: Pivotal Cloud Foundry login page -> click the Identity Provider link -> redirect to an error page on CA Single Sign-On (SiteMinder).
Result: Authentication at Pivotal Cloud Foundry fails and the error below is logged.

Logs:
[2015-03-24 01:43:58.397] login - 16468 [http-bio-8080-exec-9] ... DEBUG --- ExceptionTranslationFilter: Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:339)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:198)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)

When the Identity Provider SLO URL was misconfigured on the Pivotal Cloud Foundry side

SLO is not supported.

When the Identity Provider certificate was misconfigured on the Pivotal Cloud Foundry side

Identity Provider certificate: corrupted value
Result: Authentication at Pivotal Cloud Foundry fails. After CA Single Sign-On authentication, an error is displayed, because the certificate pasted with the Identity Provider metadata cannot be decoded.

Logs:
[2015-03-24 01:52:24.860] login - 17087 [http-bio-8080-exec-3] ... ERROR --- InlineX509DataProvider: Error extracting certificates from X509Data
java.security.cert.CertificateException: Unable to decode X.509 certificates
    at org.opensaml.xml.security.x509.X509Util.decodeCertificate(X509Util.java:354)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificate(KeyInfoHelper.java:201)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:176)
    at org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider.extractCertificates(InlineX509DataProvider.java:192)

User who is not in Pivotal Cloud Foundry trying to log in through CA Single Sign-On

This case is not relevant for Pivotal Cloud Foundry: users are provisioned just in time after successful authentication. However, the administrator must then assign the user to the right set of roles (see the note in Chapter 4).

CA Single Sign-On user who does not have the desired attributes in the user store

User ID used: feduser1
This user does not have the email attribute (mail) that the partnership maps to the NameID.
Result: After authentication, an error page appears.
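Most of the failures in this chapter, and the assertion settings in Chapter 2 they trace back to, come down to one field of the SAML Response disagreeing with a partnership value. The following Python script is an added example, not part of this runbook or of the CA or Pivotal products. It applies the configuration-level checks a Service Provider applies to a Response (Status, Destination, Issuer, Audience, NameID presence and format, validity window widened by the skew time) and names the setting to look at. It does not verify the XML signature, which needs an XML-DSig library such as xmlsec; the entity IDs, host names and sample Responses in it are constructed.

```python
"""Configuration-level checks for a SAML 2.0 Response, mirroring this chapter's
failure cases. Added example, not CA or Pivotal code. It does not verify the
XML signature (that needs an XML-DSig library such as xmlsec); it checks the
values the partnership wizard asks for. All sample data below is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumed partnership values for a fictitious tenant (the Chapter 2 settings).
IDP_ENTITY_ID = "smidp"
SP_ENTITY_ID = "http://login.example.cf-app.com"  # the Audience value
ACS_URL = "https://login.example.cf-app.com/saml/SSO/alias/login.example.cf-app.com"
NOW = datetime(2015, 3, 23, 23, 38, 0, tzinfo=timezone.utc)  # fixed clock for the samples


def _instant(value):  # SAML timestamps are UTC "Z" values
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, idp_entity_id, sp_entity_id, acs_url, now, skew_seconds=60):
    """Return a list of findings; an empty list means every check passed."""
    findings, root, skew = [], ET.fromstring(xml_text), timedelta(seconds=skew_seconds)
    # Status: CA Single Sign-On returns a Responder status and no assertion when
    # it cannot sign, e.g. because its signing certificate has expired.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    value = code.get("Value") if code is not None else "missing"
    if value != SUCCESS:
        msg = root.findtext("samlp:Status/samlp:StatusMessage", default="", namespaces=NS)
        return ["status is not Success: %s %s" % (value, msg)]
    # Destination is required by the HTTP-POST binding and must equal the ACS URL.
    dest = root.get("Destination")
    if not dest:
        findings.append("Destination missing (required by the HTTP-POST binding)")
    elif dest != acs_url:
        findings.append("Destination %s does not match ACS URL %s" % (dest, acs_url))
    # Issuer must be the IDP entity ID the SP holds metadata for; otherwise the
    # SP resolves 0 credentials for it and signature validation fails.
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != idp_entity_id:
        findings.append("Issuer %r is not the configured IDP entity ID %r" % (issuer, idp_entity_id))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["Response carries no Assertion"]
    # Audience must name the SP entity ID exactly.
    audiences = [(a.text or "").strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append("Audience %s does not include SP entity ID %s" % (audiences, sp_entity_id))
    # NameID must be present (the user has the mapped attribute) and be an email address.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID missing or empty (user lacks the attribute mapped to NameID)")
    elif name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID Format %s is not emailAddress" % name_id.get("Format"))
    # Validity window, widened by the partnership's Skew Time.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now + skew < _instant(cond.get("NotBefore")):
            findings.append("assertion not yet valid; check Skew Time")
        if cond.get("NotOnOrAfter") and now - skew >= _instant(cond.get("NotOnOrAfter")):
            findings.append("assertion expired; check Skew Time")
    return findings


def sample_response(audience=SP_ENTITY_ID, destination=ACS_URL,
                    name_id="feduser1@example.com", name_id_format=EMAIL_FORMAT):
    """Constructed, unsigned Response in the shape CA Single Sign-On posts to the ACS."""
    dest_attr = ' Destination="%s"' % destination if destination else ""
    return """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0"
    IssueInstant="2015-03-23T23:38:00Z"%s>
  <saml:Issuer>%s</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-03-23T23:38:00Z">
    <saml:Issuer>%s</saml:Issuer>
    <saml:Subject><saml:NameID Format="%s">%s</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-03-23T23:37:00Z" NotOnOrAfter="2015-03-23T23:43:00Z">
      <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""" % (NS["samlp"], NS["saml"], dest_attr, IDP_ENTITY_ID, SUCCESS,
                        IDP_ENTITY_ID, name_id_format, name_id, audience)


# Constructed copy of the Responder status logged with an expired signing certificate.
RESPONDER_RESPONSE = """<Response ID="_r2" Version="2.0" IssueInstant="2012-12-27T13:29:00Z"
    xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"></ns1:Issuer>
  <Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <StatusMessage>Error Signing Assertion.</StatusMessage></Status>
</Response>"""
```

Run `check_saml_response` on a Response captured from the browser (the SAMLResponse form field, base64-decoded) with your partnership's own entity IDs and ACS URL. A "Destination missing" finding matches the log in the Name ID Format case above, an Audience finding matches the Audience case, an Issuer finding the two Entity ID cases, and a Responder status carrying "Error Signing Assertion." the expired-certificate case.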
Chapter 6: Summary

- Pivotal Cloud Foundry supports both Identity Provider initiated and Service Provider initiated scenarios.
- Federation to Pivotal Cloud Foundry services via Browser SSO has been tested.
- No back-channel or artifact-based profiles are implemented at Pivotal Cloud Foundry.
- The SSO, assertion consumer and target URLs are all https.
- This version of Pivotal Cloud Foundry does not support processing of SAML assertion attributes or Single Logout.
- Signing of the assertion and of the entire SAML Response is supported.
- The following services provided by Pivotal Cloud Foundry have been tested in a desktop browser environment:
  - Pivotal Cloud Foundry Apps Manager console
  - Pivotal Cloud Foundry Command Line Interface (CF CLI)