SAML error during login

0
Hi, We are using Mendix 7.18.0 and the SAML module from the app store. When we try to log in we get the error below. I assume we have a mistake in our SAML configuration, but I can't find what it is. Has anybody else seen this before? Cheers, Ronald

org.opensaml.common.SAMLException: org.opensaml.xml.validation.ValidationException: org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData
    at saml20.implementation.ArtifactHandler.handleSAMLResponse(ArtifactHandler.java:175)
    at saml20.implementation.ArtifactHandler.handleRequest(ArtifactHandler.java:33)
    at saml20.implementation.SAMLRequestHandler.processRequest(SAMLRequestHandler.java:167)
    at com.mendix.externalinterface.connector.RequestHandler.doProcessRequest(RequestHandler.java:40)
    at com.mendix.external.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:72)
    at com.mendix.external.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:69)
    at com.mendix.util.classloading.Runner.doRunUsingClassLoaderOf(Runner.java:32)
    at com.mendix.external.connector.MxRuntimeConnector.processRequest(MxRuntimeConnector.java:75)
    at com.mendix.basis.impl.MxRuntimeImpl.processRequest(MxRuntimeImpl.java:870)
    at com.mendix.m2ee.appcontainer.server.handler.RuntimeHandler.service(RuntimeHandler.java:42)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:561)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:334)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:104)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:243)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:679)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:597)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.opensaml.xml.validation.ValidationException: org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData
    at saml20.implementation.wrapper.MxSAMLEncryptedAssertion.decryptAssertion(MxSAMLEncryptedAssertion.java:71)
    at saml20.implementation.wrapper.MxSAMLEncryptedAssertion.decryptAssertion(MxSAMLEncryptedAssertion.java:35)
    at saml20.implementation.wrapper.MxSAMLResponse.getAssertion(MxSAMLResponse.java:206)
    at saml20.implementation.ArtifactHandler.handleSAMLResponse(ArtifactHandler.java:58)
    at saml20.implementation.ArtifactHandler.handleRequest(ArtifactHandler.java:33)
    at saml20.implementation.SAMLRequestHandler.processRequest(SAMLRequestHandler.java:167)
    at com.mendix.externalinterface.connector.RequestHandler.doProcessRequest(RequestHandler.java:40)
    at com.mendix.external.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:72)
    at com.mendix.external.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:69)
    at com.mendix.util.classloading.Runner.doRunUsingClassLoaderOf(Runner.java:32)
    at com.mendix.external.connector.MxRuntimeConnector.processRequest(MxRuntimeConnector.java:75)
    at com.mendix.basis.impl.MxRuntimeImpl.processRequest(MxRuntimeImpl.java:870)
    at com.mendix.m2ee.appcontainer.server.handler.RuntimeHandler.service(RuntimeHandler.java:42)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:561)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:334)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:104)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:243)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:679)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:597)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442)
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403)
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
    at saml20.implementation.wrapper.MxSAMLEncryptedAssertion.decryptAssertion(MxSAMLEncryptedAssertion.java:61)
    at saml20.implementation.wrapper.MxSAMLEncryptedAssertion.decryptAssertion(MxSAMLEncryptedAssertion.java:35)
    at saml20.implementation.wrapper.MxSAMLResponse.getAssertion(MxSAMLResponse.java:206)
    at saml20.implementation.ArtifactHandler.handleSAMLResponse(ArtifactHandler.java:58)
    at saml20.implementation.ArtifactHandler.handleRequest(ArtifactHandler.java:33)
    at saml20.implementation.SAMLRequestHandler.processRequest(SAMLRequestHandler.java:167)
    at com.mendix.externalinterface.connector.RequestHandler.doProcessRequest(RequestHandler.java:40)
    at com.mendix.external.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:72)
    at com.mendix.external.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:69)
    at com.mendix.util.classloading.Runner.doRunUsingClassLoaderOf(Runner.java:32)
    at com.mendix.external.connector.MxRuntimeConnector.processRequest(MxRuntimeConnector.java:75)
    at com.mendix.basis.impl.MxRuntimeImpl.processRequest(MxRuntimeImpl.java:870)
    at com.mendix.m2ee.appcontainer.server.handler.RuntimeHandler.service(RuntimeHandler.java:42)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:561)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:334)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:104)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:243)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:679)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:597)
    at java.lang.Thread.run(Thread.java:748)
asked
6 answers
1

I got some progress on this. I decided to run this through the Eclipse debugger to see what was actually going on at the Java level. Surprisingly, the first authentication attempt immediately succeeded.

After some digging around I discovered that Eclipse by default uses a JRE version 1.8.0_171, while the Mendix Modeler uses a JDK version 1.8.0_144. When I reconfigure Eclipse to use the JDK from the Mendix Modeler, the issue also appears in Eclipse.

So it seems the issue is caused by something (I expect a configuration of some sort) in the Java runtime itself.

answered
1

The issue is solved now. It turned out that the JCE unlimited strength policy files were not installed in the Mendix JVM.

For others running into this problem:

  1. Download the JCE unlimited strength policy files (Java 8): http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html.
  2. Replace the original files in the JVM here: C:\Program Files\Java\jdk1.8.0_144\jre\lib\security\

answered
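An added diagnostic, not code from this thread or from the Mendix SAML module, that ties the two findings above together. The encrypted assertion in the SAML response is decrypted with a symmetric key (ADFS commonly uses AES-256); a JVM running with the limited JCE policy refuses AES keys longer than 128 bits, and OpenSAML surfaces that refusal as the `DecryptionException: Failed to decrypt EncryptedData` seen in the question. JDK 8u161 and later enable the unlimited policy by default, which is why the 1.8.0_171 JRE in Eclipse worked while the 1.8.0_144 JDK used by the Modeler did not. The class name `JcePolicyCheck` and the all-zero test key are my own constructions; everything else is standard `javax.crypto` API.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper class (not part of Mendix or the SAML module): reports whether
// the JVM it runs under can perform the AES-256 decryption an encrypted assertion needs.
public class JcePolicyCheck {

    // True when the unlimited-strength JCE policy is in effect. Under the limited
    // policy shipped with JDK 8 before 8u161, getMaxAllowedKeyLength("AES") returns 128;
    // with the unlimited policy it returns Integer.MAX_VALUE.
    public static boolean unlimitedStrengthEnabled() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    // Tries to initialise an AES-256 cipher with a constructed (all-zero) test key.
    // Under the limited policy this fails with InvalidKeyException("Illegal key size"),
    // the same failure OpenSAML wraps into DecryptionException when decrypting the assertion.
    public static String tryAes256() {
        try {
            byte[] testKey = new byte[32];          // 256-bit constructed test key, not a real secret
            byte[] iv = new byte[16];               // zero IV is fine for an init-only probe
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(testKey, "AES"), new IvParameterSpec(iv));
            return "AES-256 OK";
        } catch (InvalidKeyException e) {
            return "AES-256 refused: " + e.getMessage();
        } catch (GeneralSecurityException e) {
            return "unexpected: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        int max = Cipher.getMaxAllowedKeyLength("AES");
        // Print which runtime is being probed, since the thread shows the bug depends on
        // which JDK/JRE actually runs the app, not on the SAML configuration.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("AES max key length = " + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        System.out.println(tryAes256());
        if (!unlimitedStrengthEnabled()) {
            System.out.println("Limited JCE policy active: decrypting an AES-256 EncryptedAssertion will fail"
                    + " until the unlimited policy files are installed in this JVM's jre/lib/security.");
        }
    }
}
```

Run it with the exact JVM the Mendix runtime uses rather than whatever `java` is first on the PATH, for example with the 1.8.0_144 JDK path from the answer above: `"C:\Program Files\Java\jdk1.8.0_144\bin\javac" JcePolicyCheck.java` followed by `"C:\Program Files\Java\jdk1.8.0_144\bin\java" JcePolicyCheck`. Before the fix it prints `AES max key length = 128 bits` and `AES-256 refused: Illegal key size`; after replacing the policy files (or on 8u161+) it prints `unlimited` and `AES-256 OK`.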
0

Do you use the SFTP module also in your app? I had an issue whereby, in combination with the SAML and SFTP modules, I had a Java issue whereby the parameters in Java needed to be renamed.

answered
0

No, I currently have no other modules in my project (except for the model reflection dependency).

answered
0

Since the decryption has failed I would first double check your decryption key again. Did you change something there? You might try to recreate your setup.

Regards,

Ronald

answered
0

How do I check if the encryption key is correct?

I have tried to recreate the setup in Mendix, and the relying party trust in ADFS, but the error did not disappear. I checked that the serial number of the encryption key in the SAML response matches the private key in the keystore generated by the SAML module.

answered