VMware Cloud Community
kadnreddy
Enthusiast

Trying to Login into vCD 5.1 through SSO

Hi,
I am trying to log in to vCD 5.1 through SSO programmatically, using the SSOLogin.java sample code provided in the vCloud API samples SDK. But I am getting a "500 - No Error Report" exception on the console.
Through the browser, I can successfully log in through the vSphere Web Client SSO page, which redirects to the vCD 5.1 home page.
I went through the log after changing the log4j.properties setting to TRACE and found the exception below in vcd-container-debug.log.
2012-10-08 09:34:51,935 | WARN | pool-jetty-57 - /api/sessions | ErrorPageErrorHandler | EXCEPTION |
org.apache.jasper.JasperException: /error.jsp(1,64) PWC6188: The absolute uri: http://java.sun.com/jsp/jstl/fmt cannot be resolved in either web.xml or the jar files deployed with this application
        at org.apache.jasper.compiler.DefaultErrorHandler.jspError(DefaultErrorHandler.java:89)
        at org.apache.jasper.compiler.ErrorDispatcher.dispatch(ErrorDispatcher.java:375)
        at org.apache.jasper.compiler.ErrorDispatcher.jspError(ErrorDispatcher.java:169)
        at org.apache.jasper.compiler.TagLibraryInfoImpl.generateTLDLocation(TagLibraryInfoImpl.java:429)
        at org.apache.jasper.compiler.TagLibraryInfoImpl.<init>(TagLibraryInfoImpl.java:234)
        at org.apache.jasper.compiler.Parser.parseTaglibDirective(Parser.java:499)
        at org.apache.jasper.compiler.Parser.parseDirective(Parser.java:579)
        at org.apache.jasper.compiler.Parser.parseElements(Parser.java:1649)
        at org.apache.jasper.compiler.Parser.parse(Parser.java:182)
        at org.apache.jasper.compiler.ParserController.doParse(ParserController.java:239)
        at org.apache.jasper.compiler.ParserController.parse(ParserController.java:140)
        at org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:204)
        at org.apache.jasper.compiler.Compiler.compile(Compiler.java:431)
        at org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:608)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:374)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:476)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:366)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:565)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:479)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
Can someone please tell me how to fix this one?
26 Replies
kadnreddy
Enthusiast

Thanks Rajesh for helping me out for debugging this issue.

Answers to your questions:

There is no NTP server set up on ESXi; I can try adding an NTP server.

Please go through the version table below. My ESXi is on version 5; do I have to upgrade it to 5.1?

System            Version         Build Number
ESXi              5.0.0           469512 - Enterprise Plus
vCD               5.1.0.0 (GA)    817173 - Eval license
vCloud SDK API    5.1.0
vCenter           5.1.0           799731 - Standard

Thanks & Regards,

Avi

admin
Immortal

Hi,

Was this issue resolved? I am running into the exact same problem. I have set up org federation with an external SAML IDP. I am able to log in to my org via the VCD UI, but when I try to run the sample SSOLogin class I see -

com.vmware.vcloud.sdk.exception.UnauthorizedAccessException: Authentication Failed: Error validating SAML message

I have checked that time is synchronized between VCD and the IDP.

Thanks

kadnreddy
Enthusiast

I am assuming the vSphere sample code is not working, i.e. it fails to get the correct SAML token using the vSphere samples.jar, which uses sso-client.jar.

I created a vSphere plugin from the vsphere-plugin samples and got the SAML token via com.vmware.vise.vim.security.sso.SsoService injection. Once I got the SAML token, I could easily log in to vCD using the ssoLogin() method.

So, I am assuming this problem is with the vSphere sample code (samples.jar), which is unable to fetch the SAML token using the SSO URL, username and password.

Using the vSphere samples.jar, I got this null value when I printed the SAML token:

[saml2:Assertion: null]

Using the vSphere plugin by injecting SsoService, I got the SAML token XML below:

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ns4="http://www.w3.org/2005/08/addressing" xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802" xmlns:ns8="http://www.rsa.com/names/2009/01/std-ext/WS-Trust1.3/Claims" xmlns:rsa="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_8490f18c-e0e5-491e-8b5a-fb1c0f4a003d" IssueInstant="2012-11-29T23:09:29.611Z" Version="2.0"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://10.7.85.90:7444/STS</saml2:Issuer><ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_8490f18c-e0e5-491e-8b5a-fb1c0f4a003d"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs xsi"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>mAF77PvBezx3KI63ycZvOw4lJ4pCEAjskvL6MoDIQPs=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>pmhuTjc2XySUwh4bUmk7TND/7iSInY4dP739XhAA2SnMC4MVlE+lwrXdTFXZjF1fKyUIfB9YF7SJ
hvZSdSTftXBJMbMUQjsM82lGBudToCSKUlxLj/v0pOkadxHbDLjuKJjfNHdiTm2G36mGCtYgDM9m
J4tNVsR3k3N6tjJGYTDqsMjtsc38PR6/iWgdaKCF6Dlr5lyY0B4Eq4Tbpzr5yxJGGUfXweCpNWP3
ix0kzdZlLB3Fzd1EkVjgsOm8VLe1+g8XRfgnKf5bO/VyCBlBhgCIR4rEIUOeVeCxHc8wis8bbzHy
pVpzecZlyr22FpnTH2poClgyaWlzrcMBpC715A==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEoTCCA4mgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBojELMAkGA1UEBhMCVVMxEzARBgNVBAgT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==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="http://schemas.xmlsoap.org/claims/UPN">builder@DEVAVAMAR.COM</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2012-11-29T23:09:27.679Z" NotOnOrAfter="2012-12-29T23:09:27.679Z"/><saml2:AuthnStatement AuthnInstant="2012-11-29T23:09:29.611Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute FriendlyName="Subject Type" Name="http://rsa.com/schemas/attr-names/2009/01/SubjectType" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:anyURI">http://www.rsa.com/names/2009/12/std-ext/SAML2.0/subjects/user</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="Group" Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">System-Domain\__LookupServiceAdministrators__</saml2:AttributeValue><saml2:AttributeValue xsi:type="xs:string">System-Domain\__Administrators__</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="First Name" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">builder</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="isSolution" Name="http://vmware.com/schemas/attr-names/2011/07/isSolution" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">false</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>

guitzer
Contributor

Dear Sender:

Thank you for your email.

I will be out of the office by Friday November 30th with limited access to phone and email, so please expect a delay in my responding. I will get back to you when I return to the office by Monday.

Regards

GR

kadnreddy
Enthusiast

Hi,

I am wondering if you got a chance to look at it. Any comments or suggestions?

Thank You

Avi


kadnreddy
Enthusiast

I would like to update this thread with the solution so it may be helpful for others. The above standalone code works perfectly with vCD version 5.1.2. I am able to log in with the SAML token.

Try to get the token with a user certificate from your local keystore or the default keystore. Below is the default keystore example:

SecurityUtil userCert = SecurityUtil.generateKeyCertPair();

Element token = AcquireHoKTokenByUserCredentialSample.getToken(args, userCert.getPrivateKey(), userCert.getUserCert());

Note: It is still printing a null value for the token, but the token details are shown correctly.

HOK Token received:[saml2:Assertion: null]

Token details:

  AssertionId = _5cdf174a-7338-434f-a386-959c718c421c

  Token type = Holder-Of-Key

  Issued On = 2013-06-18T15:30:29.167Z

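As an added example (not code from this thread, the vCloud SDK or the vSphere SSO samples), the following Python script parses a constructed SAML 2.0 assertion with the same shape as the token posted earlier in the thread (ID, IssueInstant, Issuer, holder-of-key SubjectConfirmation, Conditions) and prints the same "Token details" fields the SDK sample prints, then applies the NotBefore/NotOnOrAfter window with a bounded clock-skew allowance. It shows why the NTP/time-synchronisation question raised in this thread matters: a validator whose clock is behind the STS rejects a correctly issued token as "not yet valid". The issuer, subject, assertion ID and timestamps are placeholders, and the script does not verify the XML signature, which a real validator must do against the trusted STS certificate before trusting any of these fields.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample assertion for this example: placeholder issuer, subject and ID,
# no ds:Signature, and a 30-minute validity window. Not the token from the thread.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-id" IssueInstant="2013-06-18T15:30:29.167Z" Version="2.0">
  <saml2:Issuer>https://sso.example.invalid:7444/STS</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>user@example.invalid</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"/>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2013-06-18T15:30:27.000Z" NotOnOrAfter="2013-06-18T16:00:27.000Z"/>
</saml2:Assertion>"""


def parse_saml_time(value):
    """Parse the UTC timestamps SAML uses, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised SAML timestamp: %r" % value)


def token_details(xml_text):
    """Return the fields the SDK sample prints as 'Token details', plus the
    validity window and whether a ds:Signature element is present at all."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml2"]:
        raise ValueError("root element is not a saml2:Assertion")
    conf = root.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    cond = root.find("saml2:Conditions", NS)
    method = conf.get("Method") if conf is not None else None

    def cond_time(attr):
        value = cond.get(attr) if cond is not None else None
        return parse_saml_time(value) if value else None

    return {
        "assertion_id": root.get("ID"),
        "issued_on": parse_saml_time(root.get("IssueInstant")),
        "issuer": root.findtext("saml2:Issuer", default="", namespaces=NS),
        "subject": root.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS),
        # The SDK sample reports "Holder-Of-Key" for this confirmation method.
        "token_type": "Holder-Of-Key" if method == HOLDER_OF_KEY else "Bearer",
        "signed": root.find("ds:Signature", NS) is not None,
        "not_before": cond_time("NotBefore"),
        "not_on_or_after": cond_time("NotOnOrAfter"),
    }


def check_conditions(details, now, max_skew=timedelta(minutes=5)):
    """Apply the Conditions window with a bounded clock-skew allowance.
    Returns (accepted, reason). Rejects when either bound is missing, when the
    token is not yet valid by more than max_skew (validator clock behind the
    STS), or when it has expired by more than max_skew."""
    nb, noa = details["not_before"], details["not_on_or_after"]
    if nb is None or noa is None:
        return False, "Conditions lacks NotBefore or NotOnOrAfter"
    if now + max_skew < nb:
        return False, "not yet valid: validator clock is behind the STS by more than %s" % max_skew
    if now - max_skew >= noa:
        return False, "expired at %s" % noa.isoformat()
    return True, "within validity window"


def validate_assertion(xml_text, now_saml_time, max_skew_seconds=300):
    """Parse, then check the window against a validator clock given as a SAML
    timestamp string. Signature verification is out of scope for this example
    and must precede any trust in the parsed fields."""
    details = token_details(xml_text)
    now = parse_saml_time(now_saml_time)
    return check_conditions(details, now, timedelta(seconds=max_skew_seconds))


if __name__ == "__main__":
    d = token_details(SAMPLE_ASSERTION)
    print("Token details:")
    print("  AssertionId =", d["assertion_id"])
    print("  Token type  =", d["token_type"])
    print("  Issued On   =", d["issued_on"].isoformat())
    print("  Signed      =", d["signed"])
    for label, clock in (("synchronised clock", "2013-06-18T15:31:00Z"),
                         ("clock 10 min behind STS", "2013-06-18T15:20:29Z"),
                         ("clock after expiry", "2013-06-18T16:10:00Z")):
        print(label, "->", validate_assertion(SAMPLE_ASSERTION, clock))
```

The five-minute skew allowance is a common default, not something this thread specifies; with the validator clock ten minutes behind the STS the token is rejected, which matches the "time synchronized between VCD and the IDP" check suggested earlier, while a clock within the allowance is accepted.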
kadnreddy
Enthusiast

Now it's a different issue. Sometimes login works, but most of the time login fails :smileyangry: . I am seeing similar behaviour to the thread below.

vCloud API multiple concurrent sso Federation Login session

When login fails, I get the "Authentication Failed: Error validating SAML message" exception, as shown in my previous post (post 18).
