OTDS - SAML assertion

I am trying to set up an authentication flow for a custom front-end using OTDS and Process Platform. I am using OTDS Version: 10.5.0 SP1 with Patch 5 (10.5.0.1282 2014-12-11 20:45:56) with Process Platform Version 10.7 Build 19 Revision 272720. The user should first be authenticated in OTDS and then be authenticated in Process Platform using a SAML artifact. I am able to retrieve a SAML assertion after logging in to OTDS and getting a resource-specific ticket for Process Platform. However, when I try to make Process Platform calls (e.g. GetUserDetails) with the SAML artifact cookie set, I get the following error: Unable to bind an artifact '[xyz]' to a SAML assertion. Here is the flow I am doing:

1) Call to OTDS to get ticket for organization-specific resource:

http://ragnar.c20g.com:8080/otdsws/rest/authentication/credentials

{
"userName" : [Username],
"password" : [Password],
"targetResourceId" : "368c31c8-872e-4c3d-ad31-e7b73f26b174"
}

{
"token": "2B3BB3A829F5D687E3A6F7D3BF0279FE",
"userId": [UserID],
"ticket": "ACA8ydB_LapDB5t_ZGNPDNCsKWy4gUlV0qBKvKj_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**",
"resourceID": "368c31c8-872e-4c3d-ad31-e7b73f26b174",
"failureReason": null,
"passwordExpirationTime": 0,
"continuation": false,
"continuationContext": null,
"continuationData": null
}

2) Call to Process Platform for SAML assertion:

http://ragnar.c20g.com:81/home/rop/com.eibus.web.soap.Gateway.wcp?organization=o=rop,cn=cordys,cn=defaultInst,o=c20g.com&messageOptions=0
[SOAP request; XML tags lost in extraction. The request carries the ticket from step 1:]
[...ticket from above here...]

[SOAP response; XML tags lost in extraction:]
...omitted for clarity...
MDF4Gzf3RGXE4pXAurSjHS8hcdhXLD/fIeJk7vz5+ZqGnjDyP0Atz1TC

3) Call to Cordys with defaultinst_SAMLart cookie set to assertion from above:

http://ragnar.c20g.com:81/home/rop/com.eibus.web.soap.Gateway.wcp?organization=o=rop,cn=cordys,cn=defaultInst,o=c20g.com&messageOptions=0
[SOAP request; XML tags lost in extraction]

[SOAP fault returned; XML tags lost in extraction:]
ns0:Server
Unable to bind an artifact 'MDF4Gzf3RGXE4pXAurSjHS8hcdhXLD/fIeKSIM3moOyd8FAOzUdfwwzn' to a SAML assertion.
com.eibus.web.soap.Gateway.wcp
Cordys.WebGateway.Messages.WG_Artifact_Unbound
MDF4Gzf3RGXE4pXAurSjHS8hcdhXLD/fIeKSIM3moOyd8FAOzUdfwwzn

<![CDATA[com.eibus.web.soap.GatewayException: Unable to bind an artifact 'MDF4Gzf3RGXE4pXAurSjHS8hcdhXLD/fIeKSIM3moOyd8FAOzUdfwwzn' to a SAML assertion.
at com.eibus.web.util.Util.getException(Util.java:93)
at com.eibus.web.gateway.interceptor.identity.saml.ArtifactIdentityResolver.resolveOsIdentity(ArtifactIdentityResolver.java:55)
at com.eibus.web.gateway.interceptor.identity.IdentityResolver.execute(IdentityResolver.java:24)
at com.eibus.web.gateway.interceptor.InterceptorHub.execute(InterceptorHub.java:86)
at com.cordys.applicationserver.filter.AuthenticationFilter.findOsIdentity(AuthenticationFilter.java:85)
at com.cordys.applicationserver.filter.AuthenticationFilter.wrapWithOSIdentityPrincipal(AuthenticationFilter.java:77)
at com.cordys.applicationserver.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:65)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.cordys.applicationserver.filter.ContentExpiryFilter.doFilter(ContentExpiryFilter.java:108)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.cordys.applicationserver.filter.OrganizationContextFilter.doFilter(OrganizationContextFilter.java:49)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.cordys.applicationserver.filter.ReverseProxyFilter.doFilter(ReverseProxyFilter.java:37)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
at com.cordys.platformloader.CrossContextRewriteValve.invokeNext(CrossContextRewriteValve.java:84)
at com.cordys.platformloader.CrossContextRewriteValve.invoke(CrossContextRewriteValve.java:53)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
]]>
This authentication flow worked for Process Platform 10.5, but is not working for 10.7. What is needed for this to work in the newest version?
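One check worth making before touching the OTDS or gateway configuration: the artifact in the step-2 response and the artifact quoted in the step-3 fault are not the same string. Both are 56 base64 characters (42 bytes), which is the size of a SAML 1.1 type-0x0001 artifact (2-byte type code, 20-byte SourceID, 20-byte AssertionHandle); read under that layout they agree on the type code and SourceID and differ only in the handle, the part the gateway uses to look the assertion up. The page does not say whether that is the actual cause (a cookie that does not carry the artifact the assertion request returned) or two captures from different runs, so it is a thing to rule out, not a diagnosis. The following script is an added example written for this page, not code from the original post or from OpenText; the 2/20/20 layout is the SAML 1.1 specification's and is an assumption about how Cordys encodes its artifacts, and `cookie_header` assumes only the `<instance>_SAMLart` cookie name visible in the post.

```python
import base64
from dataclasses import dataclass

# The two artifact strings as they appear on the page: the value at the
# end of the step-2 response and the value quoted in the step-3 fault.
ARTIFACT_ISSUED = "MDF4Gzf3RGXE4pXAurSjHS8hcdhXLD/fIeJk7vz5+ZqGnjDyP0Atz1TC"
ARTIFACT_IN_FAULT = "MDF4Gzf3RGXE4pXAurSjHS8hcdhXLD/fIeKSIM3moOyd8FAOzUdfwwzn"

# Assumed layout (SAML 1.1 type-0x0001 artifact): 2-byte type code,
# 20-byte SourceID, 20-byte AssertionHandle. Cordys' own encoding is not
# documented on the page; the 42-byte length is what suggests this reading.
TYPE_LEN, SOURCE_ID_LEN, HANDLE_LEN = 2, 20, 20
ARTIFACT_LEN = TYPE_LEN + SOURCE_ID_LEN + HANDLE_LEN


@dataclass(frozen=True)
class Artifact:
    type_code: int
    source_id: bytes
    handle: bytes


def decode_artifact(text: str) -> Artifact:
    """Split a base64 artifact into its three fields; reject anything
    that is not exactly 42 bytes of valid base64."""
    raw = base64.b64decode(text, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"artifact is {len(raw)} bytes, expected {ARTIFACT_LEN}")
    return Artifact(
        type_code=int.from_bytes(raw[:TYPE_LEN], "big"),
        source_id=raw[TYPE_LEN:TYPE_LEN + SOURCE_ID_LEN],
        handle=raw[TYPE_LEN + SOURCE_ID_LEN:],
    )


def compare_artifacts(issued: str, presented: str) -> dict:
    """Field-by-field comparison of the artifact the assertion request
    returned against the one that ends up in the SAMLart cookie."""
    a, b = decode_artifact(issued), decode_artifact(presented)
    return {
        "same_type": a.type_code == b.type_code,
        "same_source": a.source_id == b.source_id,
        "same_handle": a.handle == b.handle,
        "identical": issued == presented,
    }


def cookie_header(instance: str, artifact: str) -> str:
    """Build the Cookie value for the gateway call. The cookie name follows
    the <instance>_SAMLart pattern from the post (defaultinst_SAMLart);
    the artifact is decoded first so a malformed value is caught client-side."""
    decode_artifact(artifact)
    return f"{instance}_SAMLart={artifact}"


if __name__ == "__main__":
    for name, value in (("issued", ARTIFACT_ISSUED), ("in fault", ARTIFACT_IN_FAULT)):
        art = decode_artifact(value)
        print(f"{name:9s} type=0x{art.type_code:04x} "
              f"source={art.source_id.hex()} handle={art.handle.hex()}")
    print(compare_artifacts(ARTIFACT_ISSUED, ARTIFACT_IN_FAULT))
    print(cookie_header("defaultinst", ARTIFACT_ISSUED))
```

Run as-is it reports the two page values sharing type code and SourceID but not the handle. Used against a live flow, feed it the artifact taken straight from the assertion response and the value your client actually puts in the cookie; if `identical` is false the gateway cannot bind the cookie to any assertion it issued, whatever the CSRF or port configuration looks like.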

Comments

  • Please post this kind of question in the appropriate forum for OpenText Process Platform. At a glance, my first suggestion would be that the URL parameter (and header) for CSRF protection is missing (e.g. Cookie: defaultinst_ct=1e975ad8cc464cbc0526f287964cc7835942e3e1).

  • I received this error with a security configuration issue. For example, I was accessing the SAML assertion on port 81, but the Resource connection was made from port 80 in OTDS.