Introduction
This document describes the procedure to enable a Trellis Proxy to work with Okta SSO. This document does not cover the creation of Okta login accounts.
Prerequisites
Please have the following available before proceeding with the procedure:
1. Okta account
2. Okta admin account capable of adding a new application
3. Trellis SSO Proxy installed in a Unix environment
4. Unix user with read/write access to the install directory of the Trellis Proxy
5. Okta users correlated with Trellis users using the Okta user IDs
6. Important: create a self-signed certificate for the service provider; see SSO Keystore Generation
Change Log
Audience URI (SP Entity ID): https://tallgrassenergylp.trellisenergy.com/ptms/saml/metadata. This value is the entityID value of the service provider metadata.
Download the Identity Provider (IDP) metadata.
#-- needed by AzureAD to return the email address format for name ID
nameID=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
#-- AzureAD SAML token expiration time: 90 days x 24 hours x 60 minutes x 60 seconds
maxAuthenticationAge=7776000
Copy the IDP entity ID into the idp value like below:
Additional configuration to use file-based IDP metadata. For now, this needs to be done every time a new WAR file is deployed, because the same WAR file is used for both Azure and Okta.
Optional step if going through a reverse proxy or load balancer, edit ./webapps/ptms/WEB-INF/classes/security/samlSecurityContext.xml:
vi /opt/tomcat/tomcat-proxy-sso-okta/conf/proxy/OktaMetadata.xml
:d20           (delete the existing metadata lines)
:set paste     (disable auto-indent so the pasted IDP metadata XML is not mangled)
ZZ (shift+zz)  (save and quit)
cp /etc/rc.d/init.d/tomcat-proxy-sso /etc/rc.d/init.d/tomcat-proxy-sso-okta
# rename every tomcat-proxy-sso reference in the copied init script (closing '/' delimiter and 'g' flag required)
sed -i 's/tomcat-proxy-sso/tomcat-proxy-sso-okta/g' /etc/rc.d/init.d/tomcat-proxy-sso-okta
Q: How do I fix “org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation” in /opt/tomcat/tomcat-proxy-sso-okta/logs/trellisAuth.log?
Common Issues
1. Unknown User
Exception:
org.json.JSONException: JSONObject["code"] not a string.
at org.json.JSONObject.getString(JSONObject.java:810)
at com.bstonetech.authservlet.authentication.RemoteAuthenticationResult.<init>(RemoteAuthenticationResult.java:37)
at com.bstonetech.authservlet.authentication.RemoteAuthenticationContentHandler.getAuthenticationResult(RemoteAuthenticationContentHandler.java:44)
at com.bstonetech.authservlet.authentication.RemoteAuthenticationServlet.addLoginEvent(RemoteAuthenticationServlet.java:54)
Solution:
The user attempting to authenticate isn't in the Trellis system. Okta users must be correlated with Trellis users using the Okta user IDs (see prerequisite 5).
2. IDP doesn't contain any SingleLogout endpoints
Exception:
org.opensaml.saml2.metadata.provider.MetadataProviderException: IDP doesn't contain any SingleLogout endpoints
at org.springframework.security.saml.util.SAMLUtil.getLogoutBinding(SAMLUtil.java:116)
at org.springframework.security.saml.websso.SingleLogoutProfileImpl.sendLogoutRequest(SingleLogoutProfileImpl.java:66)
at org.springframework.security.saml.SAMLLogoutFilter.processLogout(SAMLLogoutFilter.java:142)
at org.springframework.security.saml.SAMLLogoutFilter.doFilter(SAMLLogoutFilter.java:106)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
Solution:
Define the Single Logout URL like below. Value will look like this: https://tallgrassenergylp.trellisenergy.com/ptms/public/infopost/getInfoPostingHome.do. Make sure to copy the updated IDP metadata XML into the proxy IDP metadata file.
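Because the proxy's IDP metadata file is pasted by hand and must be refreshed whenever the Okta app changes, it is worth checking the downloaded metadata before copying it into OktaMetadata.xml. The script below is an added example and is not part of the Trellis Proxy or Okta; it parses a SAML 2.0 IDP metadata document with the standard library, extracts the entityID needed for the idp property (the property key name idp is assumed from the step above), and reports the conditions behind the two errors on this page: a missing SingleLogoutService endpoint (issue 2) and a NameIDFormat that does not advertise the emailAddress format configured in the properties file. The sample metadata is constructed for the example, with placeholder entity IDs and certificate text.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample IDP metadata in the shape Okta produces; all IDs and the
# certificate body are placeholders, not values from any real tenant.
SAMPLE_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/EXAMPLE_IDP_ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/EXAMPLE_IDP_ID/sso/saml"/>
{SLO}  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""
SLO_ELEMENT = ('    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"\n'
               '        Location="https://example.okta.com/app/example/EXAMPLE_IDP_ID/slo/saml"/>\n')
SAMPLE_WITH_SLO = SAMPLE_TEMPLATE.replace("{SLO}", SLO_ELEMENT)
SAMPLE_WITHOUT_SLO = SAMPLE_TEMPLATE.replace("{SLO}", "")


def parse_idp_metadata(xml_text):
    """Return the parts of an IDP EntityDescriptor that the SSO proxy depends on."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"not an EntityDescriptor: {root.tag}")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (is this SP metadata?)")
    # KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_certs = [
        c.text.strip()
        for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
        if kd.get("use", "signing") == "signing"
        for c in kd.findall(f".//{{{DS}}}X509Certificate")
        if c.text
    ]
    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": [e.text.strip() for e in idp.findall(f"{{{MD}}}NameIDFormat") if e.text],
        "sso": {e.get("Binding"): e.get("Location") for e in idp.findall(f"{{{MD}}}SingleSignOnService")},
        "slo": {e.get("Binding"): e.get("Location") for e in idp.findall(f"{{{MD}}}SingleLogoutService")},
        "signing_certs": signing_certs,
    }


def check_idp_metadata(xml_text, expected_name_id=EMAIL_FMT):
    """Return (info, problems); an empty problems list means the file is safe to paste."""
    info = parse_idp_metadata(xml_text)
    problems = []
    if not info["entity_id"]:
        problems.append("entityID attribute missing; nothing to put in the idp property")
    if not info["signing_certs"]:
        problems.append("no signing certificate; assertion signatures cannot be verified")
    if not info["sso"]:
        problems.append("no SingleSignOnService endpoint")
    if not info["slo"]:
        problems.append("no SingleLogoutService endpoint; logout will fail with "
                        "'IDP doesn't contain any SingleLogout endpoints'")
    if expected_name_id not in info["name_id_formats"]:
        problems.append(f"NameIDFormat {expected_name_id} not advertised by the IDP")
    for location in list(info["sso"].values()) + list(info["slo"].values()):
        if not location.startswith("https://"):
            problems.append(f"endpoint is not HTTPS: {location}")
    return info, problems


def idp_property_line(info):
    """The line to place in the proxy properties file (key name 'idp' assumed)."""
    return f"idp={info['entity_id']}"


if __name__ == "__main__":
    for label, sample in (("with SLO", SAMPLE_WITH_SLO), ("without SLO", SAMPLE_WITHOUT_SLO)):
        info, problems = check_idp_metadata(sample)
        print(label, idp_property_line(info), problems or "OK")
```

Run it against the downloaded metadata with `check_idp_metadata(open("okta-metadata.xml").read())`; if the Single Logout URL has not been defined in the Okta application, the second problem above is exactly what the SAMLLogoutFilter stack trace on this page reports, so the check catches it before the file is pasted and Tomcat restarted.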