I am attempting to implement SSO in Liberty for the first time. I have an application in Liberty that I wish to be a service provider and using Azure as the Identity provider. For the moment I want to have SP initiate.
Following the 1st steps in the link below:
https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-configuring-saml-web-browser-sso-in
I have put samlWeb-2.0 And
into the server.xml and I see SAML initiate.
Then I was able to get the SP metadata from the ibm/saml20/defaultSP/samlmetadata url.
I got the IDP metadata from Azure and installed in resources/security/idpMetadata.xml.
So when I access my application it goes to the login page above, but I get the message:
AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding.
Which is true: there are no query parameters. What am I missing here? Why wouldn't Liberty be attempting to build an authorization request?
Also, Azure wants me to install a certificate (either Base64 or Raw) and I assume it goes into the security folder, but shouldn't I have to reference it? I note there are X509Certificate tags in the IdP metadata, so I'm not sure how the .cer files come into play.
I’d be grateful if anyone can supply any guidance.
CodePudding user response:
AADSTS750054 SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding.
This error is due to an incorrect IdP login page URL being used for the sso_1.sp.login.error.page property.
The SAML SSO you configured is IdP-initiated SSO, and WebSphere does not support SAML Redirect binding. It only supports SAML POST binding. This document has more info about the error: https://www.ibm.com/support/pages/node/277989
Search for AADSTS750054
If you have sso_1.sp.login.error.page pointing to the one defined in azure as login page, that url is requiring a SAMLRequest being sent.
Try changing sso_1.sp.login.error.page to the value from Azure console "Azure > Properties > access URL" instead and test after that.
CodePudding user response:
Liberty supports HTTP POST binding. Looks like your Azure is configured to support HTTP redirect binding. Could you modify your Azure setup to enable HTTP POST binding?