Thanks Rajesh for helping me out for debugging this issue.
Answer to your questions:
There is no NTP server set up on ESXi; I can try adding one.
Please go through the version table below. My ESXi is on version 5.0; do I have to upgrade it to 5.1?
| System | Version | Build Number |
|---|---|---|
| ESXi | 5.0.0 | 469512 - Enterprise Plus |
| vCD | 5.1.0.0 (GA) | 817173 - Eval license |
| vCloud SDK API | 5.1.0 | |
| vCenter | 5.1.0 | 799731 - Standard |
Thanks & Regards,
Avi
Hi,
Was this issue resolved? I am running into the exact same problem. I have set up org federation with an external SAML IDP. I am able to log in to my org via the VCD UI, but when I try to run the sample SSOLogin class I see:
com.vmware.vcloud.sdk.exception.UnauthorizedAccessException: Authentication Failed: Error validating SAML message
I have checked that time is synchronized between VCD and the IDP.
Thanks
I am assuming the vSphere sample code is not working: it fails to get a correct SAML token using the vSphere samples.jar, which uses sso-client.jar.
I created a vSphere plugin from the vsphere-plugin samples and got the SAML token through com.vmware.vise.vim.security.sso.SsoService injection. Once I had the SAML token, I could easily log in to vCD using the ssoLogin() method.
So I am assuming this problem is with the vSphere sample code (samples.jar), which is unable to fetch a SAML token using the SSO URL, username and password.
Using the vSphere samples.jar, I got this null value when I printed the SAML token:
[saml2:Assertion: null]
Using the vSphere plugin with the injected SsoService, I got the SAML token XML below:
```xml
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ns4="http://www.w3.org/2005/08/addressing" xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802" xmlns:ns8="http://www.rsa.com/names/2009/01/std-ext/WS-Trust1.3/Claims" xmlns:rsa="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_8490f18c-e0e5-491e-8b5a-fb1c0f4a003d" IssueInstant="2012-11-29T23:09:29.611Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://10.7.85.90:7444/STS</saml2:Issuer>
<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_8490f18c-e0e5-491e-8b5a-fb1c0f4a003d"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs xsi"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>mAF77PvBezx3KI63ycZvOw4lJ4pCEAjskvL6MoDIQPs=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>pmhuTjc2XySUwh4bUmk7TND/7iSInY4dP739XhAA2SnMC4MVlE+lwrXdTFXZjF1fKyUIfB9YF7SJhvZSdSTftXBJMbMUQjsM82lGBudToCSKUlxLj/v0pOkadxHbDLjuKJjfNHdiTm2G36mGCtYgDM9mJ4tNVsR3k3N6tjJGYTDqsMjtsc38PR6/iWgdaKCF6Dlr5lyY0B4Eq4Tbpzr5yxJGGUfXweCpNWP3ix0kzdZlLB3Fzd1EkVjgsOm8VLe1+g8XRfgnKf5bO/VyCBlBhgCIR4rEIUOeVeCxHc8wis8bbzHypVpzecZlyr22FpnTH2poClgyaWlzrcMBpC715A==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml2:Subject><saml2:NameID Format="http://schemas.xmlsoap.org/claims/UPN">builder@DEVAVAMAR.COM</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject>
<saml2:Conditions NotBefore="2012-11-29T23:09:27.679Z" NotOnOrAfter="2012-12-29T23:09:27.679Z"/>
<saml2:AuthnStatement AuthnInstant="2012-11-29T23:09:29.611Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="Subject Type" Name="http://rsa.com/schemas/attr-names/2009/01/SubjectType" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:anyURI">http://www.rsa.com/names/2009/12/std-ext/SAML2.0/subjects/user</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute FriendlyName="Group" Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">System-Domain\__LookupServiceAdministrators__</saml2:AttributeValue><saml2:AttributeValue xsi:type="xs:string">System-Domain\__Administrators__</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute FriendlyName="First Name" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">builder</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute FriendlyName="isSolution" Name="http://vmware.com/schemas/attr-names/2011/07/isSolution" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">false</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement></saml2:Assertion>
```
Hi,
I am wondering if you got a chance to look at it. Any comments or suggestions?
Thank You
Avi
I would like to update this thread with the solution so it may be helpful for others. The above standalone code works perfectly with vCD version 5.1.2. I am able to log in with the SAML token.
Try to get the token with a user certificate from your local keystore or the default keystore. Below is the default keystore example:
```java
// Key pair and certificate that the holder-of-key token will be bound to
SecurityUtil userCert = SecurityUtil.generateKeyCertPair();
// Request the HoK token from the STS with the user credentials passed in args
Element token = AcquireHoKTokenByUserCredentialSample.getToken(args, userCert.getPrivateKey(), userCert.getUserCert());
```
Note: it still prints a null value for the token, but the token details are shown correctly:
```
HOK Token received:[saml2:Assertion: null]
Token details:
AssertionId = _5cdf174a-7338-434f-a386-959c718c421c
Token type = Holder-Of-Key
Issued On = 2013-06-18T15:30:29.167Z
```
Now it's a different issue. Sometimes login works, but most of the time login fails. I am seeing similar behavior to the thread below.
vCloud API multiple concurrent sso Federation Login session
When login fails, I get the "Authentication Failed: Error validating SAML message" exception, as shown in my previous post (post 18).
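A relying party such as vCD checks the assertion's Conditions window, confirmation method and issuer before accepting it, so the same checks run locally show which of them would fail at a given clock. This is an added example, not code from the thread or from the vSphere/vCloud SDKs; it parses a constructed assertion laid out like the STS token posted above (signature, certificates and attributes omitted) and reports the rejection reasons, with a skew tolerance, which is how a validator whose clock is a few seconds behind the STS can reject a freshly issued token only some of the time.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample with the same layout as the STS token in the thread (no signature/certs).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" IssueInstant="2012-11-29T23:09:29.611Z" Version="2.0">
  <saml2:Issuer>https://sts.example.invalid:7444/STS</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>builder@EXAMPLE.COM</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"/>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2012-11-29T23:09:27.679Z" NotOnOrAfter="2012-12-29T23:09:27.679Z"/>
</saml2:Assertion>"""


def parse_instant(value):
    """SAML instants are UTC with a trailing 'Z' and fractional seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, skew=timedelta(seconds=5)):
    """Return the reasons a relying party with clock `now` and drift tolerance `skew` would reject it."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML2:
        return ["root element is not saml2:Assertion"]
    problems = []
    if root.find("saml2:Issuer", NS) is None:
        problems.append("missing Issuer")
    cond = root.find("saml2:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        problems.append("Conditions with NotBefore/NotOnOrAfter are missing")
    else:
        not_before = parse_instant(cond.get("NotBefore"))
        not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
        if now + skew < not_before:
            # The validator's clock is behind the STS by more than the tolerance.
            problems.append("NotBefore is %s in the future" % (not_before - now))
        if now - skew >= not_on_or_after:
            problems.append("assertion expired at %s" % not_on_or_after.isoformat())
    conf = root.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != HOK:
        problems.append("subject confirmation method is not holder-of-key")
    return problems
```

Run `check_assertion(SAMPLE_ASSERTION, parse_instant("2012-11-29T23:09:20.000Z"))` to see the NotBefore rejection that a clock seven seconds behind the STS would produce; with the clock at 23:09:30 the list is empty.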