SAML Authentication does not work with SAML Token

Article ID: 325626

Products

VMware Cloud Director

Issue/Introduction

Symptoms:
  • When trying to access an Org in vCloud Director with SAML authentication, the browser shows this error:

    HTTP ERROR 500
    Problem accessing /cloud/org/orgname/saml/login/alias/vcd. Reason:
    Server Error
    Caused by:
    javax.servlet.ServletException: org.opensaml.ws.message.encoder.MessageEncodingException: Error creating output document

  • In the vcloud-container-debug.log file, you see entries similar to:

    * No default metadata configured
    * ERROR | pool-jetty-80 | HTTPPostEncoder | Error invoking Velocity template | requestId=<REQUEST_UUID>,request=GET
    (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) li...,accept=text/html application/xhtml+xml image/jxr */*
    org.apache.velocity.exception.ResourceNotFoundException: Unable to find resource '/templates/saml2-post-binding.vm'
    at org.apache.velocity.runtime.resource.ResourceManagerImpl.loadResource(ResourceManagerImpl.java:483)
    at org.apache.velocity.runtime.resource.ResourceManagerImpl.getResource(ResourceManagerImpl.java:354)
    at org.apache.velocity.runtime.RuntimeInstance.getTemplate(RuntimeInstance.java:1400)
    at org.apache.velocity.app.VelocityEngine.mergeTemplate(VelocityEngine.java:370)
    at org.opensaml.saml2.binding.encoding.HTTPPostEncoder.postEncode(HTTPPostEncoder.java:136)
    at org.opensaml.saml2.binding.encoding.HTTPPostEncoder.doEncode(HTTPPostEncoder.java:112)
    at org.opensaml.ws.message.encoder.BaseMessageEncoder.encode(BaseMessageEncoder.java:52)
    at org.springframework.security.saml.processor.SAMLProcessorImpl.sendMessage(SAMLProcessorImpl.java:224)
    at org.springframework.security.saml.processor.SAMLProcessorImpl.sendMessage(SAMLProcessorImpl.java:192)
    at org.springframework.security.saml.websso.AbstractProfileBase.sendMessage(AbstractProfileBase.java:148)
    at org.springframework.security.saml.websso.WebSSOProfileImpl.sendAuthenticationRequest(WebSSOProfileImpl.java:105)
    at com.vmware.vcloud.backendbase.federation.impl.CustomSamlEntryPoint.initializeSSO(CustomSamlEntryPoint.java:93)
    at org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:153)
    at org.springframework.security.saml.SAMLEntryPoint.doFilter(SAMLEntryPoint.java:107)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
    at org.springframework.osgi.service.importer.support.internal.aop.ServiceInvoker.doInvoke(ServiceInvoker.java:58)
    at org.springframework.osgi.service.importer.support.internal.aop.ServiceInvoker.invoke(ServiceInvoker.java:62)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:132)

    * ERROR | pool-jetty-68 | SLF4JLogChute | ResourceManager : unable to find resource '/templates/saml2-post-binding.vm' in any resource loader. | requestId=<REQUEST_UUID>,request=GET (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) lik...,accept=text/html application/xhtml+xml */*

    * DEBUG | pool-jetty-68 | SAMLEntryPoint | Error initializing entry point | requestId=f1990691-5c73-4658-8ead-1c2efc27109c,request=GET
    (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) lik...,accept=text/html application/xhtml+xml */*
    org.opensaml.ws.message.encoder.MessageEncodingException: Error creating output document
    at org.opensaml.saml2.binding.encoding.HTTPPostEncoder.postEncode(HTTPPostEncoder.java:140)
    at org.opensaml.saml2.binding.encoding.HTTPPostEncoder.doEncode(HTTPPostEncoder.java:112)
    at org.opensaml.ws.message.encoder.BaseMessageEncoder.encode(BaseMessageEncoder.java:52)
    at org.springframework.security.saml.processor.SAMLProcessorImpl.sendMessage(SAMLProcessorImpl.java:224)
    at org.springframework.security.saml.processor.SAMLProcessorImpl.sendMessage(SAMLProcessorImpl.java:192)
    at org.springframework.security.saml.websso.AbstractProfileBase.sendMessage(AbstractProfileBase.java:148)
    at org.springframework.security.saml.websso.WebSSOProfileImpl.sendAuthenticationRequest(WebSSOProfileImpl.java:105)
    at com.vmware.vcloud.backendbase.federation.impl.CustomSamlEntryPoint.initializeSSO(CustomSamlEntryPoint.java:93)
    at org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:153)
    at org.springframework.security.saml.SAMLEntryPoint.doFilter(SAMLEntryPoint.java:107)
    at sun.reflect.GeneratedMethodAccessor588.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    [...]
    at java.lang.Thread.run(Thread.java:745)
    Caused by: org.apache.velocity.exception.ResourceNotFoundException: Unable to find resource '/templates/saml2-post-binding.vm'
    at org.apache.velocity.runtime.resource.ResourceManagerImpl.loadResource(ResourceManagerImpl.java:483)
    at org.apache.velocity.runtime.resource.ResourceManagerImpl.getResource(ResourceManagerImpl.java:354)
    at org.apache.velocity.runtime.RuntimeInstance.getTemplate(RuntimeInstance.java:1400)
    at org.apache.velocity.app.VelocityEngine.mergeTemplate(VelocityEngine.java:370)
    at org.opensaml.saml2.binding.encoding.HTTPPostEncoder.postEncode(HTTPPostEncoder.java:136)
    ... 131 more

    * DEBUG | pool-eventPublishing-5-thread-1 | EventPublishingAgent | Event agent <AGENT_UUID>: publishing events |

    Note: This log excerpt is an example. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware Cloud Director for Service Provider 8.20.x
VMware Cloud Director for Service Provider 8.10.x

Cause

This issue occurs when the SAML_metadata.xml file declares both an HTTP-POST and an HTTP-Redirect binding for SingleSignOnService. vCloud Director then selects the HTTP-POST binding to send the authentication request, and the encoder fails because the Velocity template '/templates/saml2-post-binding.vm' it needs to build the POST form cannot be found, which is the ResourceNotFoundException shown in the log above.

Example excerpt from a metadata.xml file that triggers the issue (both SingleSignOnService bindings present):

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com" />
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com" />
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com" />
<Attribute Name="Email Address" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" /></IDPSSODescriptor></EntityDescriptor>

Resolution

To resolve the SAML authentication issues in vCloud Director 8.10 and 8.20, remove the SingleSignOnService entries with the HTTP-POST binding from the SAML_metadata.xml file, keeping the HTTP-Redirect entries, and let the HTTP-Redirect binding handle the authentication request. Leave the rest of the metadata (signing certificates, NameIDFormat, SingleLogoutService, attributes) unchanged.
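The script below is an added example and is not VMware's code or part of this article. It implements the resolution described above: it checks whether an IdP metadata file declares both SingleSignOnService bindings (the combination that triggers the error), strips the HTTP-POST entries while keeping the HTTP-Redirect ones, and refuses to act if no HTTP-Redirect endpoint would be left. The embedded sample metadata and the idp.example.com URLs are constructed for the example; the standard SAML 2.0 metadata namespace and the md: prefix are assumed.

```python
"""Remove SingleSignOnService HTTP-POST bindings from SAML IdP metadata.

Added example for the vCloud Director 8.10/8.20 issue; not VMware's code.
Assumes the metadata uses the standard SAML 2.0 metadata namespace.
"""
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SSO_TAG = "{%s}SingleSignOnService" % MD_NS
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Keep the conventional "md:" prefix when the tree is serialised again.
ET.register_namespace("md", MD_NS)

# Constructed sample resembling the excerpt in the article; not real IdP data.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.com/slo" />
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.com/sso" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.com/sso" />
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sso_bindings(metadata_xml):
    """Return the Binding URI of every SingleSignOnService element, in document order."""
    root = ET.fromstring(metadata_xml)
    return [el.get("Binding") for el in root.iter(SSO_TAG)]


def has_both_sso_bindings(metadata_xml):
    """True when the metadata declares both HTTP-POST and HTTP-Redirect SSO bindings,
    which is the combination that produces the saml2-post-binding.vm error."""
    bindings = set(sso_bindings(metadata_xml))
    return HTTP_POST in bindings and HTTP_REDIRECT in bindings


def remove_post_sso_bindings(metadata_xml):
    """Return the metadata with HTTP-POST SingleSignOnService elements removed.

    Everything else (SingleLogoutService, NameIDFormat, certificates, attributes)
    is left untouched. Raises ValueError when no HTTP-Redirect SingleSignOnService
    exists, because removing HTTP-POST would then leave no SSO endpoint at all.
    """
    root = ET.fromstring(metadata_xml)
    if not any(el.get("Binding") == HTTP_REDIRECT for el in root.iter(SSO_TAG)):
        raise ValueError("no HTTP-Redirect SingleSignOnService present; refusing to remove HTTP-POST")
    # ElementTree has no parent pointers, so snapshot every element first and
    # prune matching children from each; the snapshot keeps the walk stable.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == SSO_TAG and child.get("Binding") == HTTP_POST:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python fix_metadata.py SAML_metadata.xml > SAML_metadata.fixed.xml
    # Without a path, runs against the constructed sample.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    if not has_both_sso_bindings(source):
        sys.stderr.write("metadata does not declare both SSO bindings; nothing to do\n")
        sys.exit(0)
    sys.stdout.write(remove_post_sso_bindings(source))
```

Run the script against the exported SAML_metadata.xml, review the diff between the original and the output, and only then replace the file in vCloud Director; the check function is also useful on its own to confirm, before re-importing, that exactly one SingleSignOnService binding remains.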