I am setting up wso2 between office365 and a help desk app that uses SAML 2 for auth. the app expect username in NameID.wso2is identity providers sends guid-like id in the NameID field instead of the alias field which i need in my app.
I already did all the steps from this doc https://github.com/wso2-extensions/identity-outbound-auth-office365/blob/v1.0.4/docs/config.md in addition to defining an Alias claim and then in service provider added a custom mapping for NameID to alias nad specified subject uri to NameID claim
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">0cccccc-444444-45553-1111-92387492387#23423423-sdfs-3333-5555-222222222</saml2:NameID>
<saml2:AttributeStatement>
<saml2:Attribute Name="Alias"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>j.smith</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="DisplayName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>John Smith</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="Id"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>0cccccc-444444-45553-1111-92387492387#23423423-sdfs-3333-5555-222222222</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="#odata.context"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>https://outlook.office365.com/api/v2.0/$metadata#Me</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="EmailAddress"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>a#b.com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
I need NameID to be NameID to be j.smith from alias attribute
j.smith
Just select the required claim for the Subject Claim URI in the service provider claim configurations. Subject Claim URI defines the authenticated user identifier which will return with the authentication response to the service provider. This will be returned as the NameID in the SAML response.
You can refer this document for more info on service provider claim configuration.
Related
I have enabled AWS private link to access snowflake and there is no Issue with the Link, when Integrating with SSO using Jumpcloud, after login it just throws 400 Error
For Troubleshhot I have tried but they didn't work
https://support.snowflake.net/s/article/Error-400-Bad-Request-while-SSO-login-to-Snowflake
https://community.snowflake.com/s/article/Configuring-your-IDP-to-Snowflake-by-providing-required-properties-in-a-SAML-Response
This is JumpCloud SSO Setting
Here is complete SAML Response, but still getting 400 Error any Idea from snowflake troubleshooting will help to resolve this Issue
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
Destination="https://8GWIFI.ORG.SG.AP-SOUTHEAST-1.AWS.PRIVATELINK.snowflakecomputing.com/fed/login/"
ID="AUZZ04QP5VMGW46F5YJZROMK164PY2C1QQ6XNXJJ"
InResponseTo="id-6417485141254017599_-1"
IssueInstant="2020-05-13T07:59:21.927Z"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://8gwifi.org</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="OVOSTV678D3AU2SQM6PSUDG2YHNSQMN4HJR9SGI2"
IssueInstant="2020-05-13T07:59:21.927Z"
Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://8gwifi.org</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#OVOSTV678D3AU2SQM6PSUDG2YHNSQMN4HJR9SGI2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>nxftTo6YnJGZR+qhRSJlPoMuNMMFwoxftmNAX/YDQaI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
cvamdwGY/8VZ+n4gDoLoEt+z6fZCLmPuvv/u4qeYOZd/fMg28Jz7kt2FU27WDHbOkx21LEFJ/g2Mlt8X++MP8hhHNqqb8x42YZzyHTv4dmfz3xapSQ17iDJILlfsc2odr5xPjkScz+wNPxCTUsA8kCrfeTfnGJOyn7t6uq7zMh87uUmlIob04CYbV/1SZpD2Xz6Jij9UsBiP82QSbTWAs4gePDcnS0TKe0HGfkNYxhCQBlIR40tBrte4KRpxuoXo00aMXXR0f0qilfU2nvYWeZVnQFBLfFOKZmlKxuhRUyiEYr9iVTjI8uxLt9oJ/XFFC5cuZjRl1FlKExGwouGbcpHUt7Gx9XeCPlVD3z9bi33X4Hi8mwbD6uX0lcgcJQ82RbppIya+7Q0bTzSh5nCKAu+vIlTXNKlHnwM5ax7HNxfDJedcLgEpaJ0qntnH67TyjFQg/NPOb54wtjkOi9/qxnI/ND2EMnWP4O6jMlmwknLLEuW2iqgF9wBN0mM4EfmgniaUjixWVvr0aT2sFNcC7BalUkdBJWXCN6PYabm2exye4zYb2C9FyiDjzrsLYuctXCU19js1vhukIftYMG13ds+ZSL6enseFSHKqI1EYNWOogmGkgZJWOeH7BL5Xgeq5HhBn8teUvGc519p7J/2LkoGfEyJ4K0SPyTLoC1R5poA=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
M=........
.................
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">anish2good#yahoo.co.in</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="id-6417485141254017599_-1"
NotOnOrAfter="2020-05-13T08:04:21.927Z"
Recipient="https://8GWIFI.ORG.SG.AP-SOUTHEAST-1.AWS.PRIVATELINK.snowflakecomputing.com/fed/login/" /></saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2020-05-13T07:54:21.927Z"
NotOnOrAfter="2020-05-13T08:04:21.927Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://8GWIFI.ORG.SG.AP-SOUTHEAST-1.AWS.PRIVATELINK.snowflakecomputing.com/fed/login/</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2020-05-13T07:59:21.927Z"
SessionIndex="ed8df976-6c7d-458e-ad23-1657133d3a00">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
To get SSO to work with PrivateLink, you need to contact support.
By default you can configure SSO only on Public URL or Private URL. You cannot have SSO configured for both the URls.
Also SSO by default is enabled on the Public URL. You can check this out by using the Public URL in the JumpBox configuration and confirm if this works.
So if this works and you want to have SSO over Private URL, contact support and they will enable the SSO for the PrivateLink.
I'm building a IdP in my local and I configured the IdP in AWS IAM settings, now I'd like to start an IdP initial SSO from my local and login AWS, however the error always shows in AWS page:
Response has expired (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ExpiredTokenException; Request ID: 18fc7e20-97eb-11e9-97e4-0f55a663916e). Please try again.
error page screenshot
What should I do for this situation?
Any help would be appreciated.
Here is the SAML Response
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
Destination="https://signin.aws.amazon.com/saml"
ID="_9119012392457125943"
IssueInstant="2019-06-26T07:26:21.686Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>http://localhost/lighting/idp</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_9119012392457125943">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xsd"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>dcPz91uzrgFsoVvQafIH0erSoy9SsGQqs+NrEhEzpQ8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
J+U7AcD8QTXlgAvcGl4TIUrb5Q1CgJfJ/rP4VUEOeF67NvGQM12cA3HLzoFevMOxluwA4dleWuTd
I+Tsfc7QCuY6CZ9dsWCYhSP7jfpoAsbDwAGUqAiUf2sEC5jackNs5x1oobYac/9POzHesuelkQAF
Ld3zwxc7O+O3bH2pSC/FO0//b+mAZMdGVcYel2qyAgcW2Cwl41rl0YoSBv4zG435q17PqpIfh5tx
w/0UsYbuvdQIFcPE58okw8Q27XR8QdyD3b/9SGOm5s+v8JX/znapcf8KfeoNodvVu+hho9b/79i0
1H8aF/lTpOKq6xBL8zzK/m0Gqjjap8+Q7oR1xw==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDFjCCAf6gAwIBAgIVANvOACsHPeGyNtU+z6lwITrQht8JMA0GCSqGSIb3DQEBCwUAMBgxFjAU
BgNVBAMMDTE5Mi4xNjguMi4yMzcwHhcNMTkwNjI1MDM0NDE1WhcNMzkwNjI1MDM0NDE1WjAYMRYw
FAYDVQQDDA0xOTIuMTY4LjIuMjM3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArgef
LeT3WJIXwsW4IkO6utW0C6ARGdd6p6Q6NyYqPvGKACxScl1hUjpKaUdMeTKme1gpsvz5ho33B6sx
uYVZwS+g9gA6VBcAguwnHViDAYrYL4meggBUXDgLv5YxgMtFoKzyvYHoZI6mU1LaOV4sFbk2/UBE
X0TajsgzRN+w7/9YJcvfEHArideYWPZtobTEv/JvLEg+10Tncpa6dW7m9Vqpkm0HWfiPMp+vvoPD
ebKgMWo6U79yHjqRayPkwccQfVuzyrynE90HdA1T4FIbznc++O+OY68nndTJqJz+BhbhZqoIqLLM
sHoRXcexc26usEk4bXSlAt2ZWHg6j2baKQIDAQABo1cwVTAdBgNVHQ4EFgQUhf/SjfLdHAsFiwqy
KEVHAyPmM3EwNAYDVR0RBC0wK4INMTkyLjE2OC4yLjIzN4YaMTkyLjE2OC4yLjIzNy9pZHAvbWV0
YWRhdGEwDQYJKoZIhvcNAQELBQADggEBABszuNtGLSrQHKOU35ucB58+Si84xbcFg2L9A7NSKCZp
KC1K8hf5/yBlWZeYANtbz9zBH+IE7HQfCqMmqYFRZIMV5bn1zz376iWOt/meUEIOTguDFBcE1d9P
1N08527e5VZZ8z4Quoar+UZsux2gRyftZCbiDPZ3jztWXZQH4kmjKfPfYnTHmAJyJ0BpZPGdItD/
cTUsFEO6aVi/q/dSnyuAIgifjv+GcsCLvr9mNgYqU1zbSNdfg/uE1brczOxdjX/dgKq8F9YV2X/k
W7f1+UDweMZ/jjY6wX7rGtMRI53y1AOexaT2m6qLjgykgr8mL10cA2zYFOY1IWdZaTtSmL4=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
<saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
ID="_4072804912448579929"
IssueInstant="2019-06-26T07:25:33.546Z"
Version="2.0"
>
<saml2:Issuer>http://localhost/lighting/idp</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_4072804912448579929">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xsd"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>QE9YpUj05wSf69eoo/w+e3kcI458dSe/zfiFIGYJ9/s=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
ddCEn8eKvZQlqPXTf6NIzY2Y2OE3EvXYjQxNrvlWHUy5mD0J/hMpA1BjE1vMVsPtYs9+b8hqNMQC
vO3dBomyZ4fxMVeidUmKOVVxD/657zGeHpwKWWacb8bpvVptfv12SoSlCwR5daJmchv1D5VBJ7xU
2o7WXEx4mBH8M4Hq4jiysrVaqgCjbU6q8toNhvIo3fJSLpMQNMZt2oGQkAD1t520WSl6u7hL+FqW
z6PD/UlR/tlhNoyrlhK6SIkqqHC/xrVGXi/JDLWEZm8n6QwiSus/IlPHKmn7nXjwx6hQjRC0HjNt
/G+GdhSd+9Rz8VEKcrNZ19Fh/yQRvJgREEaALQ==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDFjCCAf6gAwIBAgIVANvOACsHPeGyNtU+z6lwITrQht8JMA0GCSqGSIb3DQEBCwUAMBgxFjAU
BgNVBAMMDTE5Mi4xNjguMi4yMzcwHhcNMTkwNjI1MDM0NDE1WhcNMzkwNjI1MDM0NDE1WjAYMRYw
FAYDVQQDDA0xOTIuMTY4LjIuMjM3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArgef
LeT3WJIXwsW4IkO6utW0C6ARGdd6p6Q6NyYqPvGKACxScl1hUjpKaUdMeTKme1gpsvz5ho33B6sx
uYVZwS+g9gA6VBcAguwnHViDAYrYL4meggBUXDgLv5YxgMtFoKzyvYHoZI6mU1LaOV4sFbk2/UBE
X0TajsgzRN+w7/9YJcvfEHArideYWPZtobTEv/JvLEg+10Tncpa6dW7m9Vqpkm0HWfiPMp+vvoPD
ebKgMWo6U79yHjqRayPkwccQfVuzyrynE90HdA1T4FIbznc++O+OY68nndTJqJz+BhbhZqoIqLLM
sHoRXcexc26usEk4bXSlAt2ZWHg6j2baKQIDAQABo1cwVTAdBgNVHQ4EFgQUhf/SjfLdHAsFiwqy
KEVHAyPmM3EwNAYDVR0RBC0wK4INMTkyLjE2OC4yLjIzN4YaMTkyLjE2OC4yLjIzNy9pZHAvbWV0
YWRhdGEwDQYJKoZIhvcNAQELBQADggEBABszuNtGLSrQHKOU35ucB58+Si84xbcFg2L9A7NSKCZp
KC1K8hf5/yBlWZeYANtbz9zBH+IE7HQfCqMmqYFRZIMV5bn1zz376iWOt/meUEIOTguDFBcE1d9P
1N08527e5VZZ8z4Quoar+UZsux2gRyftZCbiDPZ3jztWXZQH4kmjKfPfYnTHmAJyJ0BpZPGdItD/
cTUsFEO6aVi/q/dSnyuAIgifjv+GcsCLvr9mNgYqU1zbSNdfg/uE1brczOxdjX/dgKq8F9YV2X/k
W7f1+UDweMZ/jjY6wX7rGtMRI53y1AOexaT2m6qLjgykgr8mL10cA2zYFOY1IWdZaTtSmL4=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">fengAWS</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2019-06-26T07:25:28.267Z"
Recipient="https://signin.aws.amazon.com/saml"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2019-06-26T07:25:36.485Z"
NotOnOrAfter="2019-06-26T07:58:56.485Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>urn:amazon:webservices</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-06-26T07:25:28.267Z"
SessionIndex="_320981710988786175"
>
<saml2:SubjectLocality Address="urn:amazon:webservices" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="isFromNewLogin"
Name="isFromNewLogin"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>false</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="authenticationDate"
Name="authenticationDate"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>2019-06-26T15:25:18.192+08:00[Asia/Shanghai]</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="authenticationMethod"
Name="authenticationMethod"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>QueryDatabaseAuthenticationHandler</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="successfulAuthenticationHandlers"
Name="successfulAuthenticationHandlers"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>QueryDatabaseAuthenticationHandler</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>fengAWS</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed"
Name="longTermAuthenticationRequestTokenUsed"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>false</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="https://aws.amazon.com/SAML/Attributes/Role"
Name="https://aws.amazon.com/SAML/Attributes/Role"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::490595513456:role/ParaSSO,arn:aws:iam::490595513456:saml-provider/Para</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="username"
Name="username"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>fengAWS</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Question 1: I'm building a IdP in my local and I configured the IdP in AWS IAM settings, now I'd like to start an IdP initial SSO from my local and login AWS, however the error always shows in AWS page:
Response has expired (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ExpiredTokenException; Request ID: 18fc7e20-97eb-11e9-97e4-0f55a663916e). Please try again.
What should I do for this situation? Any help would be appreciated.
Answer:
This is a typical AWS-SAML IdP federated user error (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ExpiredTokenException).
SAML Response/Asserion/Token must be redeemed within 5 minutes of Issuance provided by your SAML IdP.
Resolution:
(I) Check whether your SAML IdP Server's time is synchronized with NTP server.
(II) After your SAML IdP Server's time has been synchronized with AWS server time zone (within 1 minute or less), restart your SAML IdP.
Question 2: error page screenshot
Here is the SAML Response
Answer:
Your error page screenshot indicates that your AWS role is MySSO, but your SAML response indicates that your AWS role is ParaSSO. This will cause another AWS-SAML IdP federated user error.
I have shared my Single Sign On (SSO) success experience on Shibboleth SAML IdP with Amazon AWS in another StackOverflow question Why is Cognito rejecting my SAML assertion?.
My SAML response for successful login to AWS is provided below for your reference.
<saml2p:Response Destination="https://signin.aws.amazon.com/saml"
ID="_fc89710799c4c2c540341e94bf7132d5"
IssueInstant="2019-06-11T18:49:38.300Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="_91749d5ecb8512c0c5d658a77cb25928"
IssueInstant="2019-06-11T18:49:38.300Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer>https://idp.example.com/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_91749d5ecb8512c0c5d658a77cb25928">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xsd"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>mDAgwb9ZJxc+01sC99lAlAIAOEoiTgzHVTm4F9bdn/0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
LWiL3+CdU6y86zBLx3vG6na1o46EUgiN7iV+b4J2lPvZK7+Oeu6XSenJlzo/cUMT19pYYrDMM652
3lDAJCuOKPx4zTRIcabGrgzTKgmen0SHqWPxeL7t23RB6+v5AUvVw02tXqQhlggKEe3H+1T1k5q0
cGc1xw5CQtI8zE6GK7nG1INnU7mo872H9x+zM1zy3yyvrWOkHHhVFqQQ1Tu+0ev4BIhTQaVgC+pM
/ZvpctNjDMl1q4RSt1qumC+KFsYZlbrsLG7AvGJuR39wt/HV7F8Je3AUGGwMtGjkpRDuN1lIHrMq
VzFf/5eKUv20rEk3aOxoV/sMfcuhWo27+NjE1g==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDPDCCAiSgAwIBAgIVALPPoC598LJ6ZJJJXCA2ESASlN4AMA0GCSqGSIb3DQEBCwUAMB8xHTAb
BgNVBAMMFGlkcXNhbWwuaWRxdWFudGEuY29tMB4XDTE3MDYwMjIxNDI0NloXDTM3MDYwMjIxNDI0
NlowHzEdMBsGA1UEAwwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAs4ml4G592b059YDgyD/MLWQKaKrc0/24Ufbl/JY7wOI1RpxW8DlbCvibzQge6Tu
/8LVy4GIDb8QLxmCfFKYn97HC68TgXVJ+m+sQm+e4SVg6V2q+JY94LLcoFVe8+78ZIYT23KLkTv2
RlHzes/sL1YaPSK4UuN+/ezppyX2t9BGNfuiUKA0KCf7wMFuQ07Fr65FTcGXQyxhPyaNrXjrNMJa
LqwpCaesVdVzoqPevYVN3+nzAvOWoEbi6IcwnF07D0FYren/GPRXPAk5sP6fF3X0rJCkSq+d5t5P
0gWONlvm9WlUrKadmeiibCtR2lGQ/dZGmyUzIILsuOwu4yp/EsI3AgMBAAGjbzBtMB0GA1UdDgQW
BBREpZrZlnm8YrbSFcl59WRR5IY2FTBMBgNVHREERTBDghRpZHFzYW1sLmlkcXVhbnRhLmNvbYYr
aHR0cHM6Ly9pZHFzYWQCV63ubc+tsfzCvL48k35RzLAD15DIdbS9pZHAvc2hpYmJvbGV0aDANBgk
AAOCAQEAEvrdnSvK2C2rcRr7kXn4Q/NaEovuUeqaNs1k/2+dSqs8rroM+m3Iq8RlBcmKnP/+mET3
wwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiLRXay9y1uJXyZx37RDkGu8SD7+zf8znM+TCsX/qAP
6Ve95WAeX4uB8Aeol3LULe1dePsRb/1RNpKsm8NomVzCwBXK9vyv8t3IVN40jZMaaTtR0YR22fTu
qTyIMarMPO0Eh0f1FHraYaXfyop1OJcYlISpYe+c4vNvAXwEtHkZD2Iu/2aEMGcvBo3uq6OYVDXO
fI3CvoB7sRtxURtj+vVSZKjDe6s7+lRcE1tpDkwOEEuDzA==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="https://idp.example.com/idp/shibboleth"
SPNameQualifier="urn:amazon:webservices"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>AAdzZWNyZXQx/wu+MEcVaUwjGOXhDKAO/5KXLD2AcDGnu1DyoP2C4ztOF01Su6tTJDytykrsv7W2dSV4FkL42ORYDiipBEuwiRSbnvViKbFBkHYN4YUmQzttx3DPNW/w42tMjLrY2iyn7sAUgQSVNGRHyMAH</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="192.168.150.10"
NotOnOrAfter="2019-06-11T18:54:38.412Z"
Recipient="https://signin.aws.amazon.com/saml"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2019-06-11T18:49:38.300Z"
NotOnOrAfter="2019-06-11T18:54:38.300Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>urn:amazon:webservices</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-06-11T18:49:38.041Z"
SessionIndex="_79ee919a4e3fcd2f6d13702b60bfd357"
>
<saml2:SubjectLocality Address="192.168.150.10" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="Role"
Name="https://aws.amazon.com/SAML/Attributes/Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="RoleSessionName"
Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>winston.hong#example.com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Follow-up Question 3: I changed the skewAllowance and the ExpiredTokenException has gone, but still got AccessDenied error, do you have some ideas?
Answer:
I extract SAML attribute "Role" from SAML assertion (as shown below). One can see that "Role" attribute consists of two values "role" and "saml-provider".
<saml2:Attribute FriendlyName="Role"
Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" >
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue>
</saml2:Attribute>
You need to ensure that both values of "Role" attribute (carried by SAML assertion/SAML response) should be exactly the same as you declare through Amazon AWS admin console. Example #1: ParaSSO and Para for your local IdP; Example #2: shibbolethidp and Shibboleth-IdP for my SAML IdP. Any slight difference will cause "Error Code: AccessDenied;".
Sub-question (3.a): I tried with okta/onelogin and it can SAML access my AWS successfully, and checked the saml response/aws iam configuration, didn't see many differences from my local IdP, I started my IdP server in internal network 192.168.2.237, is it because there is some AWS restriction on local address or something? Any help would be appreciated.
Response:
(I) There is NO AWS restriction on local address, as shown by my SAML response for successful login to AWS. I have also used the local Shibboleth IdP to log into Amazon AWS admin console successfully.
<saml2:SubjectLocality Address="192.168.150.10" />
(II) In addition to "Role" attribute and "RoleSessionName" attribute, you need to ensure that SAML IdP metadata of your local IdP contains the complete and accurate SAML authentication information required by Amazon AWS, at least public certificate/key for verifying the signed assertion and SAML IdP issuer.
(II.a) A typical Access Denied error is that your local IdP metadata provides the wrong public certificate/key for verifying the signed assertion to Amazon AWS.
(II.b) For your convenience, How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides a Shibboleth SAML IdP metadata "shibboleth-idp-dockerized/ext-conf/metadata/idp-metadata.xml" which has been validated with a successful SSO for Amazon AWS. This Shibboleth SAML IdP metadata consists of three signing certificates (sign Responses, sign Assertions, and encrypt Assertions).
(II.c) Amazon AWS will extract public certificate/key for sign Assertions from your SAML IdP metadata. In my Shibboleth IdP metadata "shibboleth-idp-dockerized/ext-conf/metadata/idp-metadata.xml" provided by the above link at GitHub repository, the 2nd public certificate/key (or signing certificate) is used by Amazon AWS to verify the signed assertion.
(III) For your convenience, I have made the 9th commit to upload the Amazon AWS SP metadata and corresponding SAML configuration to How to build and run Shibboleth SAML IdP and SP using Docker container.
Note that I have logged in to Amazon AWS account ("my-aws-id", e.g., 123456789012) with username "winston.hong#example.com" successfully using Shibboleth IdP running with Docker Container with the 9th commit.
By performing the Shibboleth SAML IdP configuration with reference to the 9th commit to How to build and run Shibboleth SAML IdP and SP using Docker container, you can log in to your Amazon AWS account ("my-aws-id", e.g., 123456789012) with your username (such as "winston.hong#your-company.com") federated by Shibboleth IdP.
(IV) I have shared my successful SAML configuration experience on Shibboleth IdP SSO for Amazon AWS at another StackOverflow question Why is Cognito rejecting my SAML assertion?.
I'm trying to send a message from BizTalk 2010 to a Java web service, that's managed by a vendor (i.e I have no control over this). I have BizTalk configured to use a WCF adapter. The WS-Security requirements for the Java web service require me to send a couple security elements in the header that I can't seem to produce at once through BizTalk no matter what binding I use. In particular, I'm trying to generate a Signature and UsernameToken together.
Here's how the SOAP request should look (generated using SOAP UI, private information hidden):
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ds:Signature Id="SIG-5C3CC030C4E11C6430144952223388427" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-REFERENCEID">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="java" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>DigestValue</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
SignatureValue
</ds:SignatureValue>
<ds:KeyInfo Id="KI-KEYID">
<wsse:SecurityTokenReference wsu:Id="STR-TOKENID">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
KeyIdentifier
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsse:UsernameToken wsu:Id="UsernameToken-TOKENID">
<wsse:Username>username</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">nonce</wsse:Nonce>
<wsu:Created>2015-12-07T21:03:53.876Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
I've seen a couple articles online where people have struggled with this but it seems like the bulk of those are from around 2012. Has anyone been able to solve this / does anyone have any tips to approaching this issue?
By default wso2 IDP returns the roles as following
manager,Internal/identity,Internal/everyone
Is it possible to configure the IDP to return the roles as separate attribute as shown below
<saml2:Attribute Name="http://wso2.org/claims/role">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">manager</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="http://wso2.org/claims/role">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Internal/identity</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="http://wso2.org/claims/role">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Internal/everyone</saml2:AttributeValue>
</saml2:Attribute>
Currently this cannot be done with WSO2 Identity Server. All the roles are returned as a comma separated list in the single "http://wso2.org/claims/role" attribute.
I created my app as J2EE app in JDeveloper 11g. It uses JSF 2.1, Spring-core 3.2.1 and Spring-data-jpa-1.4.4 among others Spring necesary modules. I've created a datasource in the integrated WebLogic server within the default domain. When I try to run the app the following error is showing up.
weblogic.application.ModuleException: :org.springframework.beans.factory.NoSuchBeanDefinitionException:No qualifying bean of type [javax.persistence.EntityManagerFactory] is defined: expected single bean but found 0:
at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor.findDefaultEntityManagerFactory(PersistenceAnnotationBeanPostProcessor.java:538)
at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor.findEntityManagerFactory(PersistenceAnnotationBeanPostProcessor.java:497)
at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor$PersistenceElement.resolveEntityManager(PersistenceAnnotationBeanPostProcessor.java:659)
at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor$PersistenceElement.getResourceToInject(PersistenceAnnotationBeanPostProcessor.java:632)
at org.springframework.beans.factory.annotation.InjectionMetadata$InjectedElement.inject(InjectionMetadata.java:159)
Truncated. see log file for complete stacktrace
My WEB-INF/web.xml has the configuration to setting up the JSF servlet and Spring listeners:
<?xml version = '1.0' encoding = 'windows-1252'?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<context-param>
<param-name>javax.faces.FACELETS_VIEW_MAPPINGS</param-name>
<param-value>*.jsf;*.xhtml</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
</web-app>
Then there is the WEB-INF/faces-config.xml with the Spring integration:
<?xml version="1.0" encoding="windows-1252"?>
<faces-config xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd"
version="2.0">
<application>
<el-resolver>org.springframework.web.jsf.el.SpringBeanFacesELResolver</el-resolver>
</application>
</faces-config>
Then there is WEB-INF/applicationContext.xml with the Spring config:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:jpa="http://www.springframework.org/schema/data/jpa" xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/data/jpa http://www.springframework.org/schema/data/jpa/spring-jpa-1.3.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.2.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.2.xsd">
<context:annotation-config/>
<context:component-scan base-package="com.myapp.*"/>
<jpa:repositories base-package="com.myapp.repositories" />
<jee:jndi-lookup id="dataSource" jndi-name="MYJNDI"/>
<tx:annotation-driven transaction-manager="transactionManager"/>
<bean id="transactionManager" class="org.springframework.transaction.jta.WebLogicJtaTransactionManager"/>
</beans>
Then I created the persistence file under META-INF/persistence.xml
<?xml version="1.0" encoding="windows-1252" ?>
<persistence xmlns="http://java.sun.com/xml/ns/persistence" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_2_0.xsd"
version="2.0">
<persistence-unit name="myPU" transaction-type="JTA">
<provider>org.eclipse.persistence.jpa.PersistenceProvider</provider>
<jta-data-source>MYJNDI</jta-data-source>
<class>org.eclipse.persistence.example.jpa.server.business.Cell</class>
<class>org.eclipse.persistence.example.jpa.server.business.CellAttribute</class>
<properties>
<property name="eclipselink.target-server" value="WebLogic 10"/>
</properties>
</persistence-unit>
</persistence>
My Entity and Repository classes looks like this:
... imports
#Entity
#Table(name = "CONTRIBUYENTE")
public class ContribuyenteEntity implements Serializable {
#SuppressWarnings("compatibility:-6161811794505268140")
private static final long serialVersionUID = 7000366567373058605L;
#Id
#GeneratedValue(strategy = GenerationType.AUTO)
#Column(name = "ID_CONTRB")
private Long idContrb;
... get and set methods
}
import org.springframework.data.repository.CrudRepository;
import org.springframework.stereotype.Repository;
-------------------------------------------------------------------------------------
#Repository
public interface ContribuyenteRepository extends CrudRepository<ContribuyenteEntity, Long>{
}
I've performed the extra configuration on the server as the Oracle docs indicates:
http://docs.oracle.com/middleware/1212/toplink/TLADG/tlandwls.htm#BABEDCEI
I don't really found out why the <jee:jndi-lookup id="dataSource" jndi-name="MYJNDI"/> is not registering the EntityManagerFactory bean within the context. I'd really appreciate any help you can provide. Regards!