Merge remote-tracking branch 'real-pac4j/master' into master-pem
Conflicts: pac4j-jwt/src/main/java/org/pac4j/jwt/credentials/authenticator/JwtAuthenticator.java
Showing 172 changed files with 2,596 additions and 1,272 deletions.
@@ -1,48 +1,48 @@ | ||
Using pac4j against Microsoft ADFS 2.0 / 3.0 | ||
-------------------------------------------- | ||
Follow these rules to successfully authenticate using Microsoft ADFS 2.0 / 3.0. | ||
1. Entity ID | ||
------------ | ||
Always specify an explicit Entity ID that does not contain any question mark. By default, pac4j uses the same Entity ID as the | ||
AssertionConsumerService location, which contains the client's name as a parameter after a question mark. Unfortunately ADFS does not work | ||
well with such IDs and starts an infinite redirection loop when A SAML message with such a message arrives. | ||
This property is supported since pac4j 1.6.0. | ||
Don't forget to change your metadata accordingly! | ||
2. Maximum authentication time | ||
------------------------------ | ||
pac4j has the default maximum time set to 1 hour while ADFS has it set to 8 hours. Therefore it can happen that ADFS sends | ||
an assertion which is still valid on ADFS side but evaluated as invalid on pac4j side. | ||
You can see the following error message: | ||
org.pac4j.saml.exceptions.SAMLException: Authentication issue instant is too old or in the future | ||
There are two possibilities how to make the values equal: | ||
- Change the value in ADFS management console in the trust properties dialog. | ||
- Change the value on pac4j side. | ||
3. Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files | ||
--------------------------------------------------------------------------------- | ||
You must install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files into your JRE/JDK | ||
running pac4j. If you don't do it, you may encounter errors like this: | ||
ERROR [org.opensaml.xml.encryption.Decrypter] - <Error decrypting the encrypted data element> | ||
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size | ||
ERROR [org.opensaml.xml.encryption.Decrypter] - <Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver> | ||
ERROR [org.opensaml.saml2.encryption.Decrypter] - <SAML Decrypter encountered an error decrypting element content> | ||
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files can be downloaded from Oracle's Java Download site. | ||
4. Error "Subject NameID, BaseID and EncryptedID cannot be all null at the same time if there are no Subject Confirmations." | ||
---------------------------------------------------------------------------------------------------------------------------- | ||
Make sure your SP declaration in ADFS Server has been configured to return "Name ID" attribute in its SAML responses. | ||
Using pac4j against Microsoft ADFS 2.0 / 3.0 | ||
-------------------------------------------- | ||
|
||
Follow these rules to successfully authenticate using Microsoft ADFS 2.0 / 3.0. | ||
|
||
1. Entity ID | ||
------------ | ||
Always specify an explicit Entity ID that does not contain any question mark. By default, pac4j uses the same Entity ID as the | ||
AssertionConsumerService location, which contains the client's name as a parameter after a question mark. Unfortunately ADFS does not work | ||
well with such IDs and starts an infinite redirection loop when A SAML message with such a message arrives. | ||
|
||
This property is supported since pac4j 1.6.0. | ||
|
||
Don't forget to change your metadata accordingly! | ||
|
||
|
||
2. Maximum authentication time | ||
------------------------------ | ||
|
||
pac4j has the default maximum time set to 1 hour while ADFS has it set to 8 hours. Therefore it can happen that ADFS sends | ||
an assertion which is still valid on ADFS side but evaluated as invalid on pac4j side. | ||
|
||
You can see the following error message: | ||
org.pac4j.saml.exceptions.SAMLException: Authentication issue instant is too old or in the future | ||
|
||
There are two possibilities how to make the values equal: | ||
- Change the value in ADFS management console in the trust properties dialog. | ||
- Change the value on pac4j side. | ||
|
||
|
||
3. Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files | ||
--------------------------------------------------------------------------------- | ||
|
||
You must install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files into your JRE/JDK | ||
running pac4j. If you don't do it, you may encounter errors like this: | ||
|
||
ERROR [org.opensaml.xml.encryption.Decrypter] - <Error decrypting the encrypted data element> | ||
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size | ||
ERROR [org.opensaml.xml.encryption.Decrypter] - <Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver> | ||
ERROR [org.opensaml.saml2.encryption.Decrypter] - <SAML Decrypter encountered an error decrypting element content> | ||
|
||
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files can be downloaded from Oracle's Java Download site. | ||
|
||
|
||
4. Error "Subject NameID, BaseID and EncryptedID cannot be all null at the same time if there are no Subject Confirmations." | ||
---------------------------------------------------------------------------------------------------------------------------- | ||
Make sure your SP declaration in ADFS Server has been configured to return "Name ID" attribute in its SAML responses. | ||
This attribute is required by SAML pac4j but not included by default by ADFS. |
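Review bot: the wording error in the Entity ID section survives the merge on both sides of this hunk: "starts an infinite redirection loop when A SAML message with such a message arrives" should read "when a SAML message with such an ID arrives". Two smaller wording items in the new text: "There are two possibilities how to make the values equal" reads better as "There are two ways to make the values equal", and the new closing sentence "This attribute is required by SAML pac4j" should be "required by pac4j SAML". On substance, section 2 presents "Change the value on pac4j side" as an equal alternative to changing the ADFS value; since the pac4j maximum is what rejects an assertion whose issue instant is stale, raising it from 1 hour to ADFS's 8 hours widens the window in which an older assertion is still accepted, so the README should state that lowering the ADFS lifetime to match pac4j's 1 hour is the preferable fix and that raising the pac4j limit is a trade-off.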