SAML and OpenID integration Zimbra Mail Error

Have a great idea for extending Zimbra? Share ideas, ask questions, contribute, and get feedback.
Post Reply
mr_tps
Posts: 8
Joined: Tue Mar 19, 2019 5:46 am

SAML and OpenID integration Zimbra Mail Error

Post by mr_tps »

Identity Provider(Idp) : https://saml.example.com/
Zimbra Mail Server :https://demo.mail.com/



=======SAML===========


for SAML setup in zimbra mail server: (https://wiki.zimbra.com/wiki/Authentication/SAML)

Also trust relationship created for zimbra mail serevr in Idp

https://saml.example.com/idp/profile/SA ... .mail.com/

This will show the saml.example.com login page, after successful login in Idp it redirects to demo.mail.com with a SAML Response.

Below is a response
===================================
==========Saml response============
===================================

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://demo.mail.com/service/extension/samlreceiver" ID="_30545986664105272c9cd43b3648b10d" IssueInstant="2019-03-25T11:58:46.460Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.example.com/idp/shibboleth</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_30545986664105272c9cd43b3648b10d">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>z9K1a7L/ioAnRzyOxy64QvYo5ZZhumtCQqx41NIODXg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
FAIsFdYKVpmcK0G4jC2Cu93UcC+12UfudjSRYJUO7n2NzB1hFJbNAnCRZ4KkrwjQ6CJFmxDyrCH3
tDRVCDLG36ztDiIQaPR9oplXpSauBcZFPzv8oFgHTR8P7GpN1j1KnhN7mt3vW+couAbucge/l6z7
yZdGTIRy9bM1HsXUNY0NqjgEW+gZRJfKG3A4jEPKSH8Ai0MGrVrmIew5tpRHy0ltrrAkbOI70PeG
CoMN5jRwBEH/E2zYeIMfNVhqkpqk92b6KOU2LymJmCDuA0u/NYCirae8ylMyC1fwqyTfiHbvHnWY
5E9RQXxS62LASIDAjofsmWDx+mKQNxud4T4w4Q==
</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDgjCCAmoCCQDHjHIhnqPTrDANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCSU4xCzAJBgNV
BAgMAk9EMRQwEgYDVQQHDAtCaHViYW5lc3dhcjERMA8GA1UECgwIQ2VudHJveHkxGjAYBgNVBAMM
EXNhbWwuY2VudHJveHkuY29tMSEwHwYJKoZIhvcNAQkBFhJoZWxsb0BjZW50cm94eS5jb20wHhcN
MTkwMzA5MDk1MTU3WhcNMjAwMzA4MDk1MTU3WjCBgjELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAk9E
MRQwEgYDVQQHDAtCaHViYW5lc3dhcjERMA8GA1UECgwIQ2VudHJveHkxGjAYBgNVBAMMEXNhbWwu
Y2VudHJveHkuY29tMSEwHwYJKoZIhvcNAQkBFhJoZWxsb0BjZW50cm94eS5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSZkZrx/bZiCj1FZf01MG2WHgSRLb+xmjXwe4FuPVV5UiQ
qyk5N9tqzGCjDCsgzkH4C345jqJ/HpbUUT7IN2hPoM/q9rtzhr+pj2m4HBWILzhM3/m8n77IlLh2
828fvFMbvh9UVB6yNQIHQn5JolMmBh6sMvjNJnfj5IPf5zyXmVCC9Tz75vpFgohlzaHLWQzWsifW
EmvUxB1wG3DKh+9RRsmW/88oVYsjxQQyYrrGGi2tXOCW+Tb3FSM/cr3b8KzNe1qV9h5FqCbDdldy
EsGVA5AA6N7BZJL1YiV4RoIeB8YAg4pGglUsarSR9ZBhM+jIQkI0DHeG9J8dlDgVsZsvAgMBAAEw
DQYJKoZIhvcNAQELBQADggEBAESTsoQFepxbBiaGo6BG73XRpXKZfps7OeA901eQnD3jEibGThAq
UpL7kwPQHrXzvvkiAC0yHetUm+5hZx8EARQPCuYuauyWbOIoXXUqyul4kTyeZO2wY9qBlv96UkuS
1bKvmoaaEL6E96kzeasPSGzz9nAu41zAIy8TCYdDDPhvRBOh7yfc7nNn52wqm9KZwaj+FF7Ph5dc
PydQga858wIan1FFyd6ldqQWn6i9Xg6MulpbuJ5lTPLVCpNlq34V8IGB9CtSbO3KvTYEt20gxkIp
ZawrPmZKi7r+oLRAjKg123fc3nzLQxG9zxUH3mu+92O9ODHdXvc7ey+hSIqIrwc=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion ID="_45518ae0f05d7879078b09f48f9d4cd3" IssueInstant="2019-03-25T11:58:46.460Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>https://saml.example.com/idp/shibboleth</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://saml.example.com/idp/shibboleth" SPNameQualifier="https://demo.mail.com/" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">AAdzZWNyZXQx/f95wDE+A1yu97ik3uI0E0buqp5uHPKAS3CYq2pnPt1sbnjjZ3cw+7ul3pmPMjqrwJuVJMGqHEXthLfD+JdA05YD/vKiPEcdLr6DMHb+ot8T9aRvpDaVR0EaTF/FgiK6pAA=</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData Address="203.129.204.90" NotOnOrAfter="2019-03-25T12:03:46.483Z" Recipient="https://demo.mail.com/service/extension/samlreceiver"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2019-03-25T11:58:46.460Z" NotOnOrAfter="2019-03-25T12:03:46.460Z"><saml2:AudienceRestriction><saml2:Audience>https://demo.mail.com/</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2019-03-25T11:58:46.369Z" SessionIndex="_17d8cb9b0858af49b0cb63bea1ae4d4a"><saml2:SubjectLocality Address="203.129.204.90"/><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>cbecerra</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>
===================================
==========Saml response============
===================================

The below error is created for the above SAML Response:

Code: Select all

2019-03-25 07:58:48.413:WARN:oejs.ServletHandler:qtp1935637221-2210:https:https://demo.mail.com/service/extension/samlreceiver:
javax.servlet.ServletException: Could not find the domain corresponding to the given SAML Response
        at com.zimbra.cs.security.saml.SamlResponseHandler.validateSamlResponse(SamlResponseHandler.java:146)
        at com.zimbra.cs.security.saml.SamlResponseHandler.handleSamlResponse(SamlResponseHandler.java:109)
        at com.zimbra.cs.security.saml.SamlResponseHandler.doPost(SamlResponseHandler.java:91)
        at com.zimbra.cs.extension.ExtensionDispatcherServlet.service(ExtensionDispatcherServlet.java:113)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:821)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1685)
        at com.zimbra.cs.servlet.CsrfFilter.doFilter(CsrfFilter.java:169)


=============OPENID=============

Documentaion followed:

https://github.com/Zimbra/zm-openid-consumer-store
https://wiki.zimbra.com/wiki/Authentica ... IDConsumer


openid configuration file of saml.example.com: https://saml.example.com/.well-known/op ... figuration

In our case <op_endpoint_url> is set to https://saml.example.com/oxauth/restv1/authorize which is the authorize endpoint.

Note: Actually I don't know what to set in <op_endpoint_url>, that's why set authorization url :?

and

<user-supplied-identifier> should be saml.example.com (according to the documentation)

but, while executing this url

<zimbra_host_base_url>/service/extension/openid/consumer?openid_identifier=saml.example.com

The below error is raised :

Code: Select all

2019-03-25 06:59:56.819:WARN:oejs.ServletHandler:qtp1935637221-1916:https:https://demo.mail.com/service/extension/openid/consumer?openid_identifier=saml.example.com :
javax.servlet.ServletException: Expected supplied identifier to be OP Endpoint URL
        at com.zimbra.cs.security.openid.consumer.OpenIDConsumerHandler.authRequest(OpenIDConsumerHandler.java:234)
        at com.zimbra.cs.security.openid.consumer.OpenIDConsumerHandler.doPost(OpenIDConsumerHandler.java:135)
        at com.zimbra.cs.security.openid.consumer.OpenIDConsumerHandler.doGet(OpenIDConsumerHandler.java:123)
        at com.zimbra.cs.extension.ExtensionDispatcherServlet.service(ExtensionDispatcherServlet.java:111)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:821)



when adding http or https (i.e. changing "openid_identifier=saml.example.com" to "openid_identifier=https://saml.example.com" or "openid_identifier=http://saml.example.com") a java.lang.NullPointerException error created instead above error.
Post Reply