Layer7 API Management


Portal 3.5 - SAML SSO - timeout after token validation for groups "registeredUser" and "organizationAdmin"

  • 1.  Portal 3.5 - SAML SSO - timeout after token validation for groups "registeredUser" and "organizationAdmin"

    Posted Feb 29, 2016 10:55 AM

    Hello Colleagues,

     

    I have enabled SAML SSO authentication on Portal 3.5 (not for CMS). For token creation, I am using a demo service on the Gateway, which behaves as an IdP and returns the SAML token.

     

    I left the role mapping on the SAML plugin at its default.

    When the demo service (IdP) returns a token with group "admin", "businessManager" or "ApiOwner", I am logged in successfully, with correct access to the dashboard or CMS.

    When the demo service (IdP) returns a token with group "registeredUser" or "organizationAdmin", I get a timeout, but the timeout happens after the SAML token has been validated and the XML has been sent back to the Portal.
    So the problem is on the Portal side (and I am not logged in, though the user I see in the CMS is still updated/created).

     

    In the Gateway there is no log for that.

    In the Portal catalina.out log there is only this (that is all):

     

    Feb 29, 2016 2:29:55 PM com.l7tech.ldap.RequestUtil processRequest
    INFO: Response Status Code:200   (this line shows that the Gateway validated the token and sent the XML response to the Portal)

    02/29 14:30:58.851 ERROR (http-37080-12:) - [JForumIntegration general] -- java.net.ConnectException: Connection timed out
            at java.net.PlainSocketImpl.socketConnect(Native Method)
            at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345)
            at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
            at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
            at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
            at java.net.Socket.connect(Socket.java:589)
            at java.net.Socket.connect(Socket.java:538)
            at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
            at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
            at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
            at sun.net.www.http.HttpClient.<init>(HttpClient.java:211)
            at sun.net.www.http.HttpClient.New(HttpClient.java:308)
            at sun.net.www.http.HttpClient.New(HttpClient.java:326)
            at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1168)
            at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1104)
            at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:998)
            at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:932)
            at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
            at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
            at java.net.URLConnection.getContent(URLConnection.java:739)
            at java.net.URL.getContent(URL.java:1052)
            at com.thelevel.lrs.jforum.JForumIntegration.reloadSecurity(JForumIntegration.java:66)
            at com.l7tech.ldap.ResourceManager.updateJForumGroupMembership(Unknown Source)
            at com.l7tech.sso.SAMLSSOAuthenticationPlugin.b(Unknown Source)
            at com.l7tech.sso.SAMLSSOAuthenticationPlugin.authenticate(Unknown Source)
            at com.l7tech.sso.SAMLTokenAuthenticator.authenticateUser(Unknown Source)
            at com.l7tech.sso.SAMLCredentialCollector.authenticateUser(Unknown Source)
            at com.l7tech.sso.SAMLCredentialCollector.authenticate(Unknown Source)
            at com.l7tech.sso.SAMLSSOAuthFilter.doFilter(Unknown Source)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
            at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
            at java.lang.Thread.run(Thread.java:745)

    The responses from the Gateway to the Portal are identical; they differ only in the value of the group (memberOf).

    Is there a chance someone has experienced this before?

     

    Thank you for all suggestions,

     

    Josef G.



  • 2.  Re: Portal 3.5 - SAML SSO - timeout after token validation for groups "registeredUser" and "organizationAdmin"
    Best Answer

    Posted Apr 07, 2016 06:53 AM

    Good afternoon colleagues,

     

    The issue was that the Portal was calling itself not as "localhost" but by its domain name. Because of the /etc/hosts file, the name was mapped to an IP (and the related interface) which was not allowed to be called from "inside". Removing the entry from /etc/hosts and letting the customer's DNS take care of name and IP resolution solved the issue.

     

    Thank you to all who were trying to shed some light on it.

    Josef G.
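One way to check for the misconfiguration this answer describes, as an added example that is not part of the original thread or of the Layer7 product: it reads what /etc/hosts pins the Portal's FQDN to and probes that address on the Portal port next to loopback, so a "service up locally, pinned address unreachable from inside" case stands out. The hostname, port and hosts-file content used in the test are constructed.

```python
import socket

def hosts_file_lookup(hosts_text, name):
    """Return the address /etc/hosts-style text maps `name` to, or None (comments ignored, first match wins)."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if name in fields[1:]:
            return fields[0]
    return None

def tcp_reachable(host, port, timeout=3.0):
    """Open a TCP connection with a short timeout; return (ok, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        # Silent drop, as behind the thread's ConnectException: a firewall or an interface not reachable from the host itself.
        return False, "timed out"
    except OSError as exc:
        return False, exc.__class__.__name__

def diagnose(fqdn, port, hosts_text, probe=tcp_reachable):
    """Check whether /etc/hosts pins `fqdn` to an address the host cannot reach on `port`
    while loopback works. `probe` is injectable so the logic can be tested offline."""
    pinned = hosts_file_lookup(hosts_text, fqdn)
    loopback_ok, loopback_why = probe("127.0.0.1", port)
    report = {"fqdn": fqdn, "pinned_ip": pinned,
              "loopback_ok": loopback_ok, "loopback_reason": loopback_why}
    if pinned is None:
        report["verdict"] = "no_hosts_override"  # DNS decides; nothing pinned locally
        return report
    pinned_ok, pinned_why = probe(pinned, port)
    report.update(pinned_ok=pinned_ok, pinned_reason=pinned_why)
    if loopback_ok and not pinned_ok:
        # Service answers on loopback but not via the pinned address: the thread's case.
        report["verdict"] = "hosts_override_unreachable"
    elif pinned_ok:
        report["verdict"] = "hosts_override_reachable"
    else:
        report["verdict"] = "service_down"
    return report

if __name__ == "__main__":  # usage: python check_self_call.py portal.example.com 8443
    import sys
    with open("/etc/hosts") as fh:
        print(diagnose(sys.argv[1], int(sys.argv[2]), fh.read()))
```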