OpenAM x MalwareBytes SSO

[neel-quantasis]

Malware Bytes SP Metadata (Ids modified for privacy)

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:amazon:cognito:sp:us-east-1_1234">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  Location="http://www.example2.local:3000/logout/callback"/>

    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234" index="0"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234" index="1"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234" index="2"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234" index="3"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Location="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234" index="4"/>
   </SPSSODescriptor>
  <ContactPerson contactType="technical">
    <GivenName>Administrator</GivenName>
    <EmailAddress>noreply@example.org</EmailAddress>
  </ContactPerson>
</EntityDescriptor>

Steps:

1. Create COT : https://scribehow.com/shared/How_to_Create_a_Circle_of_Trust_in_OpenAM__XUI7nRCpR9at1Ly2jZLtBA
2. Create IDP : https://scribehow.com/shared/Add_Entity_Provider_in_OpenAM_Admin_Interface__inTb644qRfSoqNlposJlQQ
3. Create SP using above mentioned XML : https://scribehow.com/shared/How_To_Add_An_Entity_Provider_In_OpenAM__K-gfI7UyRy2vM6YC007Rrg
4. Configure assertion properties as mentioned by MalwareBytes
   
5. Create tokenId for user (that has same email id in Malware Bytes)

curl --location --request POST 'http://redhatnew.convertcurrency.online:8080/openam/json/realms/root/authenticate' \
--header 'X-OpenAM-Username: user' \
--header 'X-OpenAM-Password: password' \
--header 'Content-Type: application/json' \
--header 'Accept-API-Version: resource=2.1'

6. Perform IDP Initiated flow with user's tokenId

curl --location 'http://redhatnew.convertcurrency.online:8080/openam/idpssoinit?metaAlias=%2Fidp&spEntityID=urn%3Aamazon%3Acognito%3Asp%3Aus-east-1_1234&binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST' \
--header 'iplanetDirectoryPro: tokenId' \
--header 'Accept: application/json'

After performing these steps, I get redirected to MalwareBytes link and then get redirected back to OpenAM site on the login page

Am I missing something?

[maximthomas]

As the third-party SP redirects back to OpenAM for login, the issue could be with the SP itself.
Could you reproduce the issue using another instance of OpenAM as a Service Provider?
https://github.com/OpenIdentityPlatform/OpenAM/wiki/How-to-Setup-SAMLv2-Federation-in-OpenAM

[maximthomas]

@neel-quantasis could you attach the curl command output in verbose mode with all redirects?

[neel-quantasis]

@maximthomas

I was able to implement the IdP and SP as instructed here and they are working as mentioned in the link

---

Here are the next steps I performed for my use case

1. Create a Hosted IdP
2. Export IdP Metadata using this link
3. Create Remote SP using Malware Bytes SP Metadata (mentioned in the first post)
4. Add Attribute mapping as mentioned by MalwareBytes
   
5. Perform IdP Initiated Flow using this link

After login, I'm getting redirected to this link with 500 Internal Server Error

While SAML is generated and sent to MalwareBytes, Assertion Attributes are present in the XML

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="s227d6ac70ed8735d64526402cf82efb06ed687857"
                Version="2.0"
                IssueInstant="2024-12-09T09:12:42Z"
                Destination="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/a4f5db39dc3e1287fececc1ed4b75da9"
                >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">mb-idp</saml:Issuer>
    <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                          Value="urn:oasis:names:tc:SAML:2.0:status:Success"
                          />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="s2abc400c10b8cf6498096d32d6430f3a39740ef59"
                    IssueInstant="2024-12-09T09:12:42Z"
                    Version="2.0"
                    >
        <saml:Issuer>mb-idp</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#s2abc400c10b8cf6498096d32d6430f3a39740ef59">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>PKoOtFu6Dug57J0+v0JrhYrOaW0=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
ExOehvrFubVSCeNZ8dEXr0+JBICXiw2nThno9/O9uUv9Ja8Fh7caYzn7e/bOVaEqB44+Ooe5J8Jw
QP703AYLeEsVUpvgzh+cdK/yRrrFQJOSbJB7gARiY2n3BaDCGazi3PJI45SnJT4Ec/Jdgwm6Ayp9
wdM1t3IfbAnxFG6ElLMT0AVqfqOwkwtXtiaMt83Wz77S1Z3bf99JLNKBCADNopWZKvK9LFFTF3BL
qEo22FF5rTSLyAerILq648JXtzNHycLRs/SwraLdmE6hX2GUnaem/gmudYLgxaRMeFEYS9o1ug3e
6245ts9ZB6RBkFFBUPFIHnqYe/5rlhFokNt2AQ==
</ds:SignatureValue>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQI
EwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sxDzANBgNVBAsT
Bk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAzMTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUx
CzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQK
EwlGb3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXCAaCKqJFw
jwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuVYWwPIQ/ts2iTiWOVn7wz
lE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyiP+6roo/EYgX4AH7OAhfUMncYsopWhkW/
ze9z8wTXc8BAEgDmt8zFCez1CtqJB/MlSBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eL
FootBIn0FvUZSnwTiSpbaHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8w
HQYDVR0OBBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ29/2i
dv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkmt+FZxpafqUC/mukj
IzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjItcGqydGZXR2FH93vXWoAotUwtZ119
IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlG
o99yE5eJwoHXXU7csaZVttmx7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV3
1sBREs8FaaCeksu7Y48BmkUqw6E9
</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                         NameQualifier="IDP"
                         SPNameQualifier="urn:amazon:cognito:sp:us-east-1_wq2nnfJxr"
                         >EMAIL_ID</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2024-12-09T09:22:42Z"
                                              Recipient="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/a4f5db39dc3e1287fececc1ed4b75da9"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2024-12-09T09:02:42Z"
                         NotOnOrAfter="2024-12-09T09:22:42Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>urn:amazon:cognito:sp:us-east-1_1234</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2024-12-09T09:12:41Z"
                             SessionIndex="s245ba8401adb4be9b46ac57f012179f8536588f01"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >EMAIL_ID</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >FIRST_NAME</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/familyname">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >LAST_NAME</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

Am I missing something here?

[neel-quantasis]

HAR File : idp.convertcurrency.online.har.txt

Open AM Federation Log from /usr/openam/config/openam/debug

libSAML2:12/09/2024 10:40:52:268 AM UTC: Thread[#35,http-nio-8080-exec-6,5,main]: TransactionId[91f23c89-9cce-4249-98e7-5815fdfe946e-32829]
ERROR: UtilProxySAMLAuthenticator.generateAssertionResponseUnable to do sso or federation.
com.sun.identity.saml2.common.SAML2Exception: The Assertion Consumer Service URL https://ipi-intg-partner-portal-prod.auth.us-east-1.amazoncognito.com/saml2/idpresponse is not registered in
the metadata for the SP urn:amazon:cognito:sp:us-east-1_1234
        at com.sun.identity.saml2.profile.IDPSSOUtil.getACSurl(IDPSSOUtil.java:1830)
        at com.sun.identity.saml2.profile.IDPSSOUtil.getACSurl(IDPSSOUtil.java:1783)
        at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponseToACS(IDPSSOUtil.java:400)
        at org.forgerock.openam.saml2.UtilProxySAMLAuthenticator.generateAssertionResponse(UtilProxySAMLAuthenticator.java:510)
        at org.forgerock.openam.saml2.UtilProxySAMLAuthenticator.authenticate(UtilProxySAMLAuthenticator.java:418)
        at com.sun.identity.saml2.profile.IDPSSOFederate.process(IDPSSOFederate.java:236)
        at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:142)
        at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:102)
        at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:202)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:67)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:466)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:376)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:324)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:199)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:86)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:396)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:937)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
        at java.base/java.lang.Thread.run(Unknown Source)

[maximthomas]

According to logs

The Assertion Consumer Service URL https://ipi-intg-partner-portal-prod.auth.us-east-1.amazoncognito.com/saml2/idpresponse is not registered in
the metadata for the SP urn:amazon:cognito:sp:us-east-1_1234

Either the SP's metadata is invalid or the settings on the SP's side.
Assertion Consumer Service returned by the SP does not match the metadata you have provided above

...
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234" index="0"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234" index="1"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234" index="2"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234" index="3"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Location="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234" index="4"/>
...

[neel-quantasis]

This URL is mentioned over here as an Additional Reply URL

Where do I configure this in the SP?

[maximthomas]

Try to add manually this url to the SP's metadata file as AssertionConsumerService elements and recreate the remote SP in the OpenAM instance with the new metadata.

[neelbhanushali]

@maximthomas

This worked! Thanks for your prompt support!